Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label BitRAT. Show all posts

Fraudulent Browser Updates Are Propagating BitRAT and Lumma Stealer Malware

 

Fake web browser updates are being used to spread remote access trojans (RATs) and information stealer malware like BitRAT and Lumma Stealer (aka LummaC2). 

"Fake browser updates have been responsible for numerous malware infections, including those of the well-known SocGholish malware,"cybersecurity company eSentire stated in a recent research. "In April 2024, we observed FakeBat being distributed via similar fake update mechanisms.”

The attack chain begins when potential targets visit a fake website with JavaScript code that redirects them to a fraudulent browser update page ("chatgpt-app[.]cloud"). The redirected web page includes a download link to a ZIP archive file ("Update.zip") located on Discord that is automatically downloaded to the victim's device.

It's worth noting that threat actors frequently use Discord as an attack vector, with Bitdefender's recent study revealing more than 50,000 unsecured connections propagating malware, phishing campaigns, and spam during the past six months.

Another JavaScript file ("Update.js") is included in the ZIP archive file, and it executes PowerShell scripts responsible for downloading further payloads, such as BitRAT and Lumma Stealer, from a remote server in the form of PNG image files. 

This method also retrieves PowerShell scripts for persistence and a.NET-based loader, which is generally used to start the final-stage malware. According to eSentire, the loader is most likely represented as a "malware delivery service" because it is used to spread both BitRAT and Lumma Stealer. 

BitRAT is a feature-rich RAT that enables attackers to collect data, mine cryptocurrency, download additional malware, and remotely control infected systems. Lumma Stealer, a commodity stealer malware offered for $250 to $1,000 per month since August 2022, can take data from online browsers, cryptocurrency wallets, and other sensitive information. 

"The fake browser update lure has become common amongst attackers as a means of entry to a device or network," the company noted, adding it "displays the operator's ability to leverage trusted names to maximize reach and impact.”

While such attacks typically employ drive-by downloads and malvertising techniques, ReliaQuest reported last week that it identified a new variant of the ClearFake campaign that tricked consumers into copying, pasting, and manually executing malicious PowerShell code under the guise of a browser update. 

Specifically, the malicious website claims that "something went wrong while displaying this webpage" and instructs the site visitor to install a root certificate to resolve the issue by following a series of steps that include copying and pasting obfuscated PowerShell code into a PowerShell terminal. 

"Upon execution, the PowerShell code performs multiple functions, including clearing the DNS cache, displaying a message box, downloading further PowerShell code, and installing 'LummaC2' malware," the company added.

Esca RAT Spyware Actively Employed Cybercriminals

Escanor is a new RAT (Remote Administration Tool) that was promoted on the Dark Web and Telegram, as per Resecurity, a cybersecurity firm based in Los Angeles that protects Fortune 500 companies globally. 

The threat actors provide versions of the RAT for Android and PC, as well as an HVNC module and an exploit builder to turn Microsoft Office and Adobe PDF files into weapons for spreading malicious code. 

The tool was first publicly available for purchase on January 26th of this year as a small HVNC implant that allowed for the establishment of a stealthy remote connection to the victim's machine. Later, the kit evolved into a full-scale, commercial RAT with a robust feature set. 

Over 28,000 people have joined Escanor's Telegram channel, which has a solid reputation on the Dark Web. Previous 'cracked' releases by the actor going by the same name included Venom RAT, 888 RAT, and Pandora HVNC, which were probably utilized to enhance Escanor's capability further.

According to reports, cybercriminals actively employ the malware known as Esca RAT, a mobile variant of Escanor, to attack users of online banks by intercepting one-time password (OTP) credentials.

The warning states that the tool "may be used to gather the victim's GPS locations, watch keystrokes, turn on hidden cameras, and browse files on the distant mobile devices to steal data."

Escanor Exploit Builder has been used to deliver the vast majority of samples that have lately been discovered. Decoy documents that look like bills and notices from well-known internet providers are utilized by hackers.

Resecurity also advised that the website address 'escanor[.]live' has earlier been linked to Arid Viper, a group that was active in the Middle East in 2015.

APT C-23 is also known as Arid Viper. Espionage and information theft are this threat actor's primary goals, which have been attributed to malevolent actors with political motivations for the freedom of Palestine. Although Arid Viper is not a particularly technologically advanced actor, it is known to target desktop and mobile platforms, including Apple iOS. 

Their primary malware, Micropsia, is surrounded by Delphi packers and compilers in their toolset. This implant has also been converted to various platforms, including an Android version and versions built on Python.

The majority of Escanor patients have been located in the United States, Canada, the United Arab Emirates, Saudi Arabia, Kuwait, Bahrain, Egypt, Israel, Mexico, and Singapore, with a few infections also occurring in South-East Asia.




Three Malware Fileless Phishing Campaigns: AveMariaRAT / BitRAT /PandoraHVNC

 

A phishing effort that was distributing three fileless malware onto a victim's device was detailed by cybersecurity experts at Fortinet's FortiGuard Labs. AveMariaRAT, BitRAT, and PandoraHVNC trojan viruses are spread by users who mistakenly run malicious attachments delivered in phishing emails. The viruses are dangerously capable of acquiring critical data from the device.
 
Cybercriminals can exploit the campaign to steal usernames, passwords, and other sensitive information, such as bank account numbers. BitRAT is particularly dangerous to victims because it can take complete control of infected Windows systems, including viewing webcam activity, listening to audio through the microphone, secretly mining for cryptocurrency that is sent to the attackers' wallet, and downloading additional malicious files.

The first phishing mail appears to be a payment report from a reputable source, with a brief request to view a linked Microsoft Excel document. This file contains dangerous macros, and when you open it, Microsoft Excel warns you about using macros. If the user disregards the warning and accepts the file, malware is downloaded. The malware is retrieved and installed onto the victim's computer using Visual Basic Application (VBA) scripts and PowerShell. For the three various types of malware that can be installed, the PowerShell code is divided into three pieces. This code is divided into three sections and employs the same logic for each virus: 
  • A dynamic mechanism for conducting GZip decompression is included in the first "$hexString." 
  • The second "$hexString" contains dynamic PowerShell code for decompressing the malware payload and an inner.Net module file for deploying it. 
  • The GZip-compressed malware payload is contained in the "$nona" byte array. The following PowerShell scripts are retrieved from the second $hexString and are used to decompress the malware payload in $nona and to deploy the malware payload into two local variables using the inner.Net module. 
The study doesn't explain as to why the phishing email contains three malware payloads, but it's conceivable that with three different types of malware to deploy, the cybercriminals will have a better chance of gaining access to whatever critical information they're after. 

Phishing is still one of the most prevalent ways for cyber thieves to deliver malware because it works – but there are steps you can take to avoid being a victim. Mysterious emails claiming to offer crucial information buried in attachments should be avoided, especially if the file requires users to allow macros first. Using suitable anti-spam and anti-virus software and training workers on how to recognize and report phishing emails, businesses may help workers avoid falling victim to phishing emails.

BitRAT Malware Spreading Via Unofficial Microsoft Windows Activators

 

A new BitRAT malware distribution campaign is ongoing, targeting people who want to utilise unauthorised Microsoft licence activators to activate unlicensed Windows OS versions for free. 

BitRAT is a strong remote access trojan that can be purchased for as little as $20 (lifetime access) on cybercrime forums and dark web markets. As a result, each buyer has their own malware dissemination strategy, which may include phishing, watering holes, or trojanized software. Threat actors are delivering BitRAT malware as a Windows 10 Pro licence activator on webhards in a new BitRAT malware distribution campaign identified by AhnLab researchers. 

Webhards are popular online storage services in South Korea that receive a steady stream of visitors via direct download links posted on social media platforms or Discord. Threat actors are increasingly exploiting webhards to deliver malware due to their widespread use in the region. Based on some of the Korean characters in the code snippets and how it was distributed, the actor behind the current BitRAT campaign appears to be Korean. To use Windows 10, one must first purchase and activate a Microsoft licence. 

While there are ways to get Windows 10 for free, one must have a valid Windows 7 licence to do so. Those who don't want to deal with licencing concerns or who don't have a licence to upgrade frequently resort to pirating Windows 10 and using unapproved activators, many of which are infected with malware.'W10DigitalActiviation.exe' is the malicious file presented as a Windows 10 activator in this campaign, and it has a simple GUI with a button to "Activate Windows 10." 

Rather than activating the Windows licence on the host system, the "activator" will download malware from a threat actors' hardcoded command and control server. The retrieved payload is BitRAT, which is installed as 'Software Reporter Tool.exe' in the %TEMP% folder and added to the Startup folder. Exclusions for Windows Defender are also included by the downloader to guarantee that BitRAT is not detected. The downloader deletes itself from the system after the malware installation process is completed, leaving just BitRAT behind. 

BitRAT is marketed as a powerful, low-cost, and versatile malware that can steal a variety of sensitive data from the host computer.BitRAT includes features such as keylogging, clipboard monitoring, camera access, audio recording, credential theft through web browsers, and XMRig coin mining. 

 It also includes a remote control for Windows PCs, hidden virtual network computing (hVNC), and SOCKS4 and SOCKS5 reverse proxy (UDP). On that front, ASEC's investigators discovered considerable code similarities between TinyNuke and its derivative, AveMaria,(Warzone). The RATs' hidden desktop capability is so valuable that some hacking groups, such as the Kimsuky, have included them in their arsenal only to use the hVNC tool.