Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label LNKs. Show all posts

Vietnamese Hackers Target Digital Marketers in Malware Attack

 



Cyble Research and Intelligence Lab recently unearthed an elaborate, multi-stage malware attack targeting not only job seekers but also digital marketing professionals. The hackers are a Vietnamese threat actor who was utilising different sophisticated attacks on systems by making use of a Quasar RAT tool that gives a hacker complete control of an infected computer. 


Phishing emails and LNK files as entry points

The attack initiates with phishing emails claiming an attached archive file. Inside the archive is a malicious LNK, disguised as a PDF. Once the LNK is launched, it executes PowerShell commands, which download additional malicious scripts from a third-party source, thus avoiding most detection solutions. The method proves very potent in non-virtualized environments in which malware remains undiscovered inside the system.


Quasar RAT Deployment

Then, the attackers decrypt the malware payload with hardcoded keys. Quasar RAT - a kind of RAT allowing hackers to obtain total access over the compromised system - is started up. Data can be stolen, other malware can be planted, and even the infected device can be used remotely by the attackers.

The campaign targets digital marketers primarily in the United States, using Meta (Facebook, Instagram) advertisements. The malware files utilised in the attack were designed for this type of user, which has amplified its chances.


Spread using Ducktail Malware

In July 2022, the same Vietnamese threat actors expanded their activities through the launch of Ducktail malware that specifically targeted digital marketing professionals. The group included information stealers and other RATs in its attacks. The group has used MaaS platforms to scale up and make their campaign versatile over time.


Evasion of Detection in Virtual Environments

Its superiority in evading virtual environment detection makes this malware attack all the more sophisticated. Here, attackers use the presence of the "output.bat" file to determine whether it's running in a virtual environment or not by scanning for several hard drive manufacturers and virtual machine signatures like "QEMU," "VirtualBox," etc. In case malware detects it's been run from a virtual machine, it lets execution stop analysis right away.

It proceeds with the attack if no virtual environment is detected. Here, it decodes more scripts, to which include a fake PDF and a batch file. These are stored in the victim's Downloads folder using seemingly innocent names such as "PositionApplied_VoyMedia.pdf."


Decryption and Execution Methods

Once the PowerShell script is fully executed, then decrypted strings from the "output.bat" file using hardcoded keys and decompressed through GZip streams. Then, it will produce a .NET executable running in the memory which will be providing further evasion for the malware against detection by antivirus software.

But the malware itself, also performs a whole cycle of checks to determine whether it is running in a sandbox or emulated environment. It can look for some known file names and DLL modules common in virtualized settings as well as measure discrepancies in time to detect emulation. If these checks return a result that suggests a virtual environment, then the malware will throw an exception, bringing all subsequent activity to a halt.

Once the malware has managed to infect a system, it immediately looks for administrative privileges. If they are not found, then it uses PowerShell commands for privilege escalation. Once it gains administrative control, it ensures persistence in the sense that it copies itself to a hidden folder inside the Windows directory. It also modifies the Windows registry so that it can execute automatically at startup.


Defence Evasion and Further Damage 

For the same purpose, the malware employs supplementary defence evasion techniques to go unnoticed. It disables Windows event tracing functions which makes it more difficult to track its activities by security software. In addition to this, it encrypts and compresses key components in a way that their actions are even more unidentifiable.

This last stage of the attack uses Quasar RAT. Both data stealing and long-term access to the infected system are done through the use of a remote access tool. This adapted version of Quasar RAT is less detectable, so the attackers will not easily have it identified or removed by security software.

This is a multi-stage malware attack against digital marketing professionals, especially those working in Meta advertising. It's a very sophisticated and dangerous operation with phishing emails, PowerShell commands combined with advanced evasion techniques to make it even harder to detect and stop. Security experts advise on extreme caution while handling attachment files from emails, specifically in a non-virtualized environment; all the software and systems must be up to date to prevent this kind of threat, they conclude.


Abuse of Cloudflare Tunnel Service for Malware Campaigns Delivering RATs

 

Researchers have raised alarms over cybercriminals increasingly exploiting the Cloudflare Tunnel service in malware campaigns that predominantly distribute remote access trojans (RATs). This malicious activity, first detected in February, utilizes the TryCloudflare free service to disseminate multiple RATs, including AsyncRAT, GuLoader, VenomRAT, Remcos RAT, and Xworm. Cloudflare Tunnel service allows users to proxy traffic through an encrypted tunnel to access local services and servers over the internet without exposing IP addresses. 

This service is designed to offer added security and convenience by eliminating the need to open public inbound ports or set up VPN connections. With TryCloudflare, users can create temporary tunnels to local servers and test the service without requiring a Cloudflare account. However, threat actors have abused this feature to gain remote access to compromised systems while evading detection. A recent report from cybersecurity company Proofpoint observed that malware campaigns are targeting organizations in the law, finance, manufacturing, and technology sectors with malicious .LNK files hosted on the legitimate TryCloudflare domain. The attackers lure targets with tax-themed emails containing URLs or attachments leading to the LNK payload. 

Once launched, the payload runs BAT or CMD scripts that deploy PowerShell, culminating in the download of Python installers for the final payload. Proofpoint reported that an email distribution wave starting on July 11 sent out over 1,500 malicious messages, a significant increase from an earlier wave on May 28, which contained fewer than 50 messages. Hosting LNK files on Cloudflare offers several advantages to cybercriminals, including making the traffic appear legitimate due to Cloudflare’s reputation. 

Additionally, the TryCloudflare Tunnel feature provides anonymity, and the temporary nature of the subdomains makes it challenging for defenders to block them effectively. The use of Cloudflare’s service is not only free and reliable but also allows cybercriminals to avoid the costs associated with setting up their own infrastructure. 

By employing automation to evade blocks from Cloudflare, these criminals can use the tunnels for large-scale operations. A Cloudflare representative stated that the company immediately disables and takes down malicious tunnels as they are discovered or reported by third parties. Cloudflare has also implemented machine learning detections to better contain malicious activity and encourages security vendors to submit suspicious URLs for prompt action. 

In light of this increasing threat, it is crucial for organizations to remain vigilant and enhance their cybersecurity measures to defend against these sophisticated malware campaigns.

Hidden Cyber Threat Exposed After Six Years

 


A newly identified cyber threat group, known as "Unfading Sea Haze," has been secretly infiltrating military and government networks in the South China Sea region since 2018, according to a recent report by Bitdefender researchers. The group's activities align with Chinese geopolitical interests, focusing on gathering intelligence and conducting espionage. Unfading Sea Haze shares many tactics, techniques, and procedures (TTPs) with other Chinese state-sponsored hacking groups, particularly APT41.

The group's attacks typically begin with spear-phishing emails containing malicious ZIP files disguised as legitimate documents. These ZIP files, often named to appear as Windows Defender installers, contain LNK files with obfuscated PowerShell commands. If an ESET security executable is detected on the target system, the attack is halted. Otherwise, the PowerShell script uses Microsoft's msbuild.exe to launch fileless malware directly into memory, leaving no traces on the victim's machine.

The code executed by MSBuild installs a backdoor called 'SerialPktdoor,' which gives the attackers remote control over the compromised system. Additionally, the hackers use scheduled tasks and manipulate local administrator accounts to maintain their presence on the network. By resetting and enabling the typically disabled local admin account, they create a hidden profile for continuous access.

Unfading Sea Haze employs a variety of custom tools and malware. Among these are 'xkeylog,' a keylogger for capturing keystrokes, info-stealers targeting browser data, and PowerShell scripts for extracting information. Since 2023, the group has adopted stealthier methods, such as abusing msbuild.exe to load C# payloads from remote SMB shares and deploying different variants of the Gh0stRAT malware.


Bitdefender has identified several Gh0stRAT variants used by the hackers:

1. SilentGh0st: A variant with extensive functionality through numerous commands and modules.

2. InsidiousGh0st: A Go-based evolution with enhanced capabilities, including TCP proxy, SOCKS5, and improved PowerShell integration.

3. TranslucentGh0st, EtherealGh0st, and FluffyGh0st: Newer variants designed for evasive operations with dynamic plugin loading and a lighter footprint.

Earlier attacks utilised tools like Ps2dllLoader for loading .NET or PowerShell code into memory and SharpJSHandler, a web shell for executing encoded JavaScript via HTTP requests. The group also created a tool to monitor newly connected USB and Windows Portable Devices every ten seconds, reporting device details and specific files to the attackers.

For data exfiltration, Unfading Sea Haze initially used a custom tool named 'DustyExfilTool,' which securely extracted data via TLS over TCP. In more recent attacks, the group has shifted to using a curl utility and the FTP protocol, with dynamically generated credentials that are frequently changed to enhance security.

The sophisticated techniques employed by Unfading Sea Haze highlight the need for robust cybersecurity defences. Organisations should implement a comprehensive security strategy that includes regular patch management, multi-factor authentication (MFA), network segmentation, traffic monitoring, and advanced detection and response tools.

By adopting these measures, organisations can better defend against the persistent and evolving threats posed by groups like Unfading Sea Haze. The group's ability to remain undetected for six years sets a strong precedent for the critical importance of vigilance and continuous improvement in cybersecurity practices.



APT Groups Tomiris and Turla Target Governments

 


As a result of an investigation under the Advanced Persistence Threat (APT) name Tomiris, the group has been discovered using tools such as KopiLuwak and TunnusSched that were previously linked to another APT group known as Turla. 

Positive results are the result of an investigation conducted into the Tomiris APT group. This investigation focused on an intelligence-gathering campaign in Central Asia. As a possible method to obstruct attribution, the Russian-speaking actor used a wide array of malware implants that were created rapidly and in all programming languages known to man to develop the malware implants. A recently published study aims to understand how the group uses malware previously associated with Turla, one of the most notorious APT groups. 

Cyberspace is a challenging environment for attribution. There are several ways highly skilled actors throw researchers off track with their techniques. These include masking their origins, rendering themselves anonymous, or even misrepresenting themselves as part of other threat groups using false flags. Adam Flatley, formerly Director of Operations at the National Security Agency and Vice President for Intelligence at [Redacted], explains this in excellent depth. Adam and his team can determine their real identities only by taking advantage of threat actor operational security mistakes. 

Based on Kaspersky's observations, the observed attacks were backed by several low-sophisticated "burner" implant attacks using different programming languages, regularly deployed against the same targets by using basic but efficient packaging and distribution techniques as well as deployed against the same targets consistently. Tomiris also uses open-source or commercial risk assessment tools. 

In addition to spear-phishing emails with malicious content attached (password-protected archives, malicious documents, weaponized LNKs), Tomiris uses a wide range of other attack vectors. Tomiris' creative methods include DNS hijacking, exploiting vulnerabilities (specifically ProxyLogon), suspected drive-by downloads, etc. 

To steal documents inside the CIS, the threat actor targets governments and diplomatic entities within that region. There have been instances where victims have turned up in other regions (overseas as the Middle East and Southeast Asia) only to be foreigners representing the countries of the Commonwealth of Independent States, a clear indication of Tomiris's narrow focus on the region. 

An important clue to figuring out what's happening is the targeting. As Delcher explained, Tomiris focuses on government organizations in CIS, including the Russian Federation. However, in the cybersecurity industry, some vendors refer to Turla as a Russian-backed entity. A Russian-sponsored actor would not target the Russian Federation, which does not make sense. 

According to Delcher, it is not simply an educational exercise to differentiate between threat actors and legitimate actors. A stronger defense can be achieved through the use of such software. There may be some campaigns and tools that need to be re-evaluated in light of the date Tomiris started utilizing KopiLuwak. In addition, there are several tools associated with Turla.