Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Phishing Campaigns. Show all posts

STR RAT: A Persistent Remote Access Trojan

 

The STR RAT is a remote access trojan (RAT) written in Java, first detected in 2020. Like other RATs, it allows threat actors full control of an infected machine. STR RAT is capable of keylogging, credential theft, and deploying additional malicious payloads. 

The malware is updated annually, aligning with its renewed use by threat actors. Cofense's analysis from January 2023 to April 2024 reveals that 60% of STR RAT samples are delivered directly via email rather than embedded links.

History of STR RAT

STR RAT resembles a seasonal flu, with yearly updates making it more prominent for short periods. Initially discovered on an antivirus forum in 2020, version 1.2 already featured keylogging, password theft, and backdoor access, along with a fake “.crimson” ransomware module that only renamed files. In 2021, Microsoft Threat Intelligence highlighted STR RAT in phishing campaigns. By 2022, it spoofed the Maersk shipping brand and employed a polyglot file technique, allowing execution as an MSI or Java file. In 2023, version 1.6 used Zelix KlassMaster and Allatori for code obfuscation. In 2024, STR RAT was uploaded to legitimate services like GitHub and AWS, making it harder to detect.

STR RAT steals passwords from Chrome, Firefox, Internet Explorer, and email clients like Outlook, Thunderbird, and Foxmail. Key commands include o-keylogger for logging keystrokes, down-n-exec for file execution, remote-screen for commandeering the computer, and power-shell for PowerShell access.

Current Usage and Impact

Though not as prevalent as other RATs like Remcos, STR RAT showed sustained activity from March to August 2023, likely due to the new version and polyglot file technique. In March 2024, significant activity was noted again, attributed to the use of legitimate services like GitHub and AWS for hosting and delivering the malware. STR RAT is typically delivered via email as an archive containing a .jar file, requiring a Java Runtime Environment (JRE) to execute. These archives may also contain necessary JRE binaries or download them from Maven and GitHub repositories.

Delivery Mechanisms

STR RAT's second most common delivery mechanism is loaders, which reach out to a payload location to download and run the malware. Jar Downloaders, CVE-2017-11882 exploits in Microsoft Office, and Windows Registry File downloaders are commonly used loaders. Additionally, embedded URLs in emails or attached PDFs often lead to the malware hosted on legitimate services like AWS, GitHub, and Discord’s CDN.

Unlike loaders, droppers contain the malware to be deployed. STR RAT's most common dropper is the JavaScript Dropper (JS Dropper), a .js file that executes natively on Windows. JS Droppers are usually attached to emails and contain both the dropper and STR RAT.

Behavior and Capabilities

Upon execution, STR RAT places files, creates persistence, and installs dependencies. It uses geolocator services to geo-fingerprint infected computers and sends system information to its command-and-control (C2) server. The malware also uses legitimate Java libraries for keylogging and database connectivity.

Detection and Hunting

Different versions of STR RAT leave various indicators of compromise (IOCs). After execution, STR RAT copies itself to multiple locations, creates a \lib\ folder with legitimate files, and generates a XXXXlock.file in the user's local home profile. The configuration can be observed through memory analysis, revealing the C2 server, port, and domain.

Persistence

STR RAT can create persistence through Registry Run Keys, Startup Folder entries, or Scheduled Tasks, ensuring the malware runs every time the user logs in. Endpoint detection and response software can monitor specific locations for signs of STR RAT persistence.

Network Traffic

STR RAT communicates with C2 servers using subdomains of free dynamic DNS services and legitimate services like GitHub and Maven. HTTP is used for C2 communications, though the port is not the standard tcp/80.

Legitimate Services

STR RAT reaches out to legitimate services for hosting tools and malware. Indicators of suspicious activity include access to GitHub and Maven repositories in conjunction with other malicious behaviors.

By understanding STR RAT's history, capabilities, and delivery mechanisms, cybersecurity professionals can better detect and defend against this persistent threat.

How Attackers Distribute Malware to Foxit PDF Reader Users

 

Threat actors are exploiting a vulnerability in Foxit PDF Reader’s alert system to deliver malware through booby-trapped PDF documents, according to researchers at Check Point.

The researchers have identified several campaigns targeting Foxit Reader users with malicious PDF files. Attackers are utilizing various .NET and Python exploit builders, notably the “PDF Exploit Builder,” to create PDF documents containing macros that execute commands or scripts. These commands download and run malware such as Agent Tesla, Remcos RAT, Xworm, and NanoCore RAT.

"Regardless of the programming language, all builders exhibit a consistent structure. The PDF template used for the exploit includes placeholder text, which is meant to be replaced with the URL for downloading the malicious file once the user provides input," explained the researchers.

Additionally, threat actors are exploiting the fact that some of the pop-up alerts in Foxit Reader make the harmful option the default choice when opening these compromised files.

The first pop-up alert warns users that certain features are disabled to avoid potential security risks, giving them the option to trust the document one time only or always. The default and safer option is the former. However, once the user clicks OK, another alert appears.

Attackers are banking on users ignoring the alert text and quickly accepting the default options, thereby allowing Foxit Reader to execute the malicious command.

Foxit PDF Reader, used by over 700 million people globally, including in government and tech sectors, has been exploited by various threat actors ranging from e-crime to APT groups. These groups have been leveraging this exploit for years, often evading detection by most antivirus software and sandboxes that primarily focus on Adobe PDF Reader.

"The infection success and low detection rate have enabled PDFs to be distributed through unconventional means, such as Facebook, without being intercepted by detection rules," the researchers noted.

Check Point has reported the exploit to Foxit, and the company has announced plans to address it in version 2024 3.

"The proper approach would be to detect and disable such CMD executions. However, based on Foxit's response, they might simply change the default options to 'Do Not Open'," said Antonis Terefos, a reverse engineer at Check Point Research, to Help Net Security.

Efforts to reach Foxit for further comments have yet to receive a response.

Phishing and Cloud Account Takeover Campaign Targeting Microsoft Azure Users

 


In a security breach, several Azure accounts were compromised, which resulted in the loss of important data from the users. A cyberattack was launched against senior executives in several major corporations and affected a variety of environments at the same time. 

In November 2023, Proofpoint, a cybersecurity company, discovered a harmful attack by combining cloud account takeover (ATO) with phishing techniques that would steal credentials from the victim. This attack used the same harmful campaign that was discovered by Proofpoint in November 2023. 

It is alleged that the hackers have used proxy services to get around geographical limitations and conceal their actual location, which would allow them to access both Office Home and Microsoft 365 applications at the same time. It is thought that the attackers used links in the papers that led to phishing websites to execute the attack. 

The anchor text for some of these links was “View document,” which made no sense to me as it did not imply anything about their real location. There was a well-planned attack that targeted both mid-level employees and senior employees, though a greater number of the former employees' accounts were hacked as a result. 

According to Proofpoint, CEOs, presidents, account managers, finance directors, vice presidents of operations, and sales directors were the most common targets. In this way, the attackers were able to gain access to information from all levels and domains of the organization. 

A cybercriminal will often use their own MFA (multifactor authentication) in these types of attacks to extend access to an account that has been compromised by the attackers. To prevent the user from regaining access, attackers add a second mobile number or set up an authentication app. To conceal their traces, attackers also destroy any evidence that suggests questionable behaviour. 

The most targeted positions were mid to senior-level, including sales directors, account managers, financial directors, operations vice presidents, and CEOs, among others. The attackers were able to gain access to a wide variety of organizational information as a result of this. 

As a result, the attackers have also instituted methods to maintain access, such as setting up a multi-factor authentication system and erasing all evidence of their intrusion. Data theft and financial fraud appear to be the primary goals of these attacks. 

It is not yet confirmed who the perpetrators are, although the evidence suggests that they will be located in Russia or Nigeria, and will use ISPs that are located in these countries.

Sekoia Reports: Latest in the Financial Sector Cyber Threat Landscape


France-based cybersecurity company Sekoia published a new report regarding the evolution in the financial sector threat landscape. 

Among the many cybersecurity issues, phishing attacks like QR code phishing were the ones that have seen a massive surge in the sector.

Also, the report noted that the finance sector is subject to attacks on the software supply chain. 

Phishing as a Service Massively Hits the Sector

Sekoia claims that in 2023, the phishing-as-a-service paradigm reached widespread use. Cybercriminals are selling phishing kits that comprise phishing pages that mimic various financial institutions, as well as kits designed to take over Microsoft and obtain login credentials for Microsoft 365, which businesses utilize to authenticate to multiple services.

One instance of such a threat is NakedPages PhaaS, that offers phishing pages for varied targets, among which are the financial institutions. With over 3,500 individuals, the threat actor maintains licenses and frequently posts updates on its Telegram channel.

In regards to the aforementioned number, Sekoia based strategic threat intelligence analyst, Livia Tibirna says “generally speaking, cybercrime actors tend to increase their audience, and so their visibility, by inviting users to join their public resources. Therefore, the users are potential (future) customers of the threat actors’ services. Yet, other type of users joining threat actors’ Telegram resources are cybersecurity experts monitoring the related threats.”

QR Code Phishing Campaigns are on the Rise/ Sekoia reports an upsurge in the quantity of QR code phishing, or quishing, activities. Attacks known as "quishing" include using QR codes to trick people into divulging personal information—like login passwords or bank account details.

The cybersecurity firm notes that QR code phishing will eventually increase due to its “effectiveness in evading detection and circumventing email protection solutions.”

According to Sekoia, the most popular kit in Q3 of 2023 is the Dadsec OTT phishing as a service platform, which includes quishing features. It has been noted in a number of extensive attack campaigns, specifically posing as financial institutions.

Multiple Supply Chain Risks

Attacks against the supply chain of open-source software increased by 200% between 2022 and 2023. Since open-source components are used in digital products or services by 94% of firms in the financial sector, the industry is susceptible to attacks that take advantage of supply chain compromises involving open-source software.

One of the examples is the Log4Shell vulnerability and its exploitation, that has targeted thousands of companies globally for financial benefits and espionage. 

There have also been reports of supply chain attacks that particularly target the banking industry, demonstrating the potential of certain threat actors to create complex attacks against the industry.

"It is highly likely that advanced threat actors will persist in explicitly targeting the software supply chain in the banking sector," according to Sekoia.

Financially Oriented Malware 

Sekoia also mentioned some of the financially oriented malware that are predominantly designed to steal financial data, like credit card information, banking credentials, crypto wallets and other critical data, like: 

Mobile Banking Trojans: Sekoia has expressed special concern about the growing number of Trojans associated with mobile banking, which more than doubled in 2022 compared to the previous year and is still growing in 2023. According to Sekoia, this is probably because more mobile devices are being used for financial services, and that malware makes it easier to get around two-factor authentication.

Spyware: According to Sekoia, the usage of spyware, which are malicious programs made to gather passwords, sensitive data, and keystrokes, has increased in bank fraud in 2023. One kind of Android malware is called SpyNote, and it has added targeting of banking applications to its list of features.

Ransomware: The finance industry is a prime target for ransomware; in the third quarter of 2023, it was the sector most affected. Ransom demands ranged from $180,000 to $40 million, and in many instances, they had severe physical repercussions.

According to Sekoia, well-known ransomware actors that use extortion to affect the financial industry, like BianLian, have changed to an exfiltration-based extortion strategy that does not encrypt the victims' systems or data. This action is probably taken to prevent widespread encryption issues during large-scale hacking operations.

Reduce Cyber Threat Risks

The financial sector is vulnerable to several security risks. Although BEC and phishing have been around for a while, they have become more sophisticated over time to continue to impact the industry and stay up with emerging technologies. Every employee of financial institutions needs to be trained to recognize potential fraud or phishing efforts. Additionally, they want to have a simple method for informing their IT staff of any unusual activities.

However, more indirect attacks have recently entered the chart, since threat actors have been targeting organizations through supply chain attacks. Specifically, before being implemented, open-source software utilized in goods or services needs to be thoroughly examined.  

Compromised Skype Accounts Facilitate DarkGate Malware Spread

 

Cyber attackers wielding the DarkGate malware have utilized compromised Skype accounts as a vector to infiltrate targets between July and September. They accomplished this by dispatching messages with VBA loader script attachments. 

Trend Micro's security researchers, who detected these attacks, noted that this script is responsible for fetching a second-stage AutoIT script. This script, in turn, is tailored to deploy the final DarkGate malware payload.

Trend Micro explained that gaining access to the victim's Skype account provided the attacker with the ability to take control of an ongoing messaging thread. This allowed them to manipulate the naming of files to align with the context of the conversation. 

Although the means by which the initial accounts of instant messaging applications were compromised remains unclear, it is theorized to have occurred either through leaked login credentials available on underground forums or as a consequence of a prior breach of the parent organization.

Furthermore, Trend Micro observed instances where DarkGate operators attempted to deliver their malware payload through Microsoft Teams. This occurred in organizations where the service was set up to accept messages from external users. 

Previously, Truesec and MalwareBytes had identified phishing campaigns targeting Microsoft Teams users. These campaigns utilized malicious VBScript to deploy the DarkGate malware. The attackers targeted users via compromised Office 365 accounts outside their respective organizations and leveraged a tool named TeamsPhisher. 

This tool enabled the bypassing of restrictions on incoming files from external sources, enabling the transmission of phishing attachments to Teams users. The ultimate objective remained infiltrating the entire environment. Depending on the specific threat group employing the DarkGate variant, the threats ranged from ransomware to cryptomining.

Trend Micro's telemetry data indicated that DarkGate frequently led to the detection of tools commonly associated with the Black Basta ransomware group.

The proliferation of the DarkGate malware loader for initial access into corporate networks has been on the rise, especially following the dismantling of the Qakbot botnet in August. This was due to international collaborative efforts. 

Prior to the disruption of Qakbot, an individual claiming to be the developer of DarkGate sought to sell subscriptions on a hacking forum, pricing them at up to $100,000 annually. The malware was marketed with an array of features, including a concealed VNC, capabilities to evade Windows Defender, a tool for pilfering browser history, an integrated reverse proxy, a file manager, and a Discord token snatcher.

Subsequent to this announcement, there has been a noticeable surge in reported DarkGate infections via various delivery methods like phishing and malvertising.

This recent upswing in DarkGate activity highlights the escalating influence of this malware-as-a-service (MaaS) operation within the realm of cybercrime. It underscores the unwavering determination of threat actors to persist in their attacks, demonstrating adaptability in tactics and methods despite disruptions and obstacles.

How Threat Actors are Using IPFS for Email Phishing


InterPlanetary File System (IPFS) is a peer-to-peer distributed file system, that allows users around the world to exchange files. Instead of using file paths for addressing like centralized systems do, IPFS uses unique content identifiers (CID). The file itself stays on the user’s computer which had “uploaded” it to IPFS and downloaded directly from the computer. By default, a special software is needed to upload or download a file to IPFS (IPFS client). The so-called gateways are offered so users can browse the files stored in IPFS freely without installing any software. 

In 2022, threat actors conducted malicious activity by using IPFS for email phishing campaigns. They upload HTML files containing phishing forms to IPFS and use gateways as proxies so that users can access the files whether or not an IPFS client is installed on their devices. In addition, the scammers included file access links through a gateway into phishing messages forwarded to targeted victims. 

A distributed file system is used by attackers to reduce the cost of hosting phishing pages. Moreover, IPFS makes it impossible to erase files that have been uploaded by third parties. One can request that a file's owner delete it if they want it to totally disappear from the system, but cybercriminals will almost certainly never comply. 

IPFS gateway providers manage to tackle IPFS phishing attacks by consistently deleting links to fraudulent or suspicious files. 

Still, the detection or deletion of links at the gateway level do not always happen as quickly as blocking phishing emails, cloud files, or document. The URL addresses initially came to light in October 2022. As of right now, the campaign is still ongoing. 

The objective of phishing letters with IPFS links is often to gain the victim's account username and password, the reason why they barely contain very creative content. What is interesting about this tactic is where the HTML page links go. 

The recipient's email address is contained in the URL parameter. The email address given in the login box and the corporate logo at the top of the phishing form will both change, once modified. This way, one link can be utilized in a number of phishing campaigns targeting a variety of users. 

In late 2022, Kaspersky discovered two – 15,000 IPFS phishing letters a day for most of the time. This year, IPFS campaigns have begun to escalate, reaching more than 24,000 letters a day in January and February. February became the busiest month in terms of IPFS phishing activities, where researchers discovered a whooping 400,000 letters, a 100,000 increase from November and December 2022. 

In regards to this, Roman Dedenok, a security expert at Kaspersky commented “Attackers have and will continue to use cutting-edge technologies to reap profits. As of late, we have observes an increase in the number of IPFS phishing attacks — both mass and targeted. The distributed file system allows scammers to save money on domain purchase. Plus, it is not easy to completely delete a file, although, there are attempts to combat fraud at the IPFS gateway level. The good news is that anti-spam solutions detect and block links to phishing files in IPFS, just like any other phishing links. In particular, Kaspersky products employ a number of heuristics to detect IPFS phishing.”  

Psychological Tactics Used by Cybercriminals to Conduct Malicious Activities


Recently, the emergence of finance and accounting related cyberattacks via phishing campaigns and Business Email Compromise (BEC) attack has been a hot topic for South African companies having gaps in their payment systems. 

BEC attack is a type of cybercrime wherein the threat actor poses as a trusted figure in order to dupe the victims to give off money or entice them into exposing confidential company information. 

However, according to Ryan Mer, CEO of eftsure Africa, a KYP platform provider, “robust financial controls together with strong server, IT, and email monitoring processes aren’t enough if staff aren’t savvy to the psychological tricks scammers use to manipulate people, making them more vulnerable to tricker and deception.” 

Mer rejects the idea that hackers target solely credulous, unskilled professionals. “The misconception that only foolish individuals fall victim to cybercrime and payment fraud is dangerous because it leads to complacency in the highly educated who occupy senior positions within organizations. Criminals engaging in payment are often well-skilled, well-resourced and armed with enough industry knowledge to appear legitimate.” 

Manipulating Trust and Competence 

Human tendencies to be cooperative, avoid conflict, and find quick and efficient solutions to problems are used as a bait by threat actor to obtain information or persuade their victims to take certain actions. 

A popular tactic is to pretend to be someone they know or trust in order to gain the trust of a potential victim. Examples include a worker receiving a letter from the financial director of a company telling them to make a quick payment to a vendor or an HR manager receiving a polite email from a worker asking that their bank information be altered for payroll purposes. 

Banking on Urgency 

While scammers are becoming more creative, a tried-and-true strategy that hackers frequently use is making their victims feel as though they need to act quickly. According to Mer, phishing emails and business email compromise scams are made to increase employees' likelihood of complying with potential threats they are supposed to notify. 

“Scammers lure victims into acting quickly before they have time to think rationally about the activities they’re undertaking. Implementing processes that require staff to slow down and double-check any actions that involve payments is vital,” he says. 

A new point of contact, a change in email address, or a change in banking information are examples of abrupt changes in customer or supplier business procedures that, he continues, should be viewed with care and thoroughly investigated before agreeing with an urgent request. 

Additional Automated Protection 

The continuous evolution in Cybercrime is making it a moving target. South Africa ranked third globally in terms of the number of cybercrime victims, according to Interpol's most recent African Cyberthreat Assessment Report, which was published in 2021. This crime costs the nation a staggering 2.2 billion yearly. 

“Ongoing education on the latest scams and the tactics used to execute them is crucial for South African companies. In addition, independent third-party verification systems like eftsure can offer a much-need extra layer of protection by automating payment checking and supplier verification, saving time on manual processes and reducing human error,” notes Mer.  

NewsPenguin Initiates Phishing Camapaign for Maritime & Military Secrets


Using a sophisticated malware tool, a new threat actor known as "NewsPenguin" has been conducting espionage operations against Pakistan's military-industrial complex for months. 

Researchers from Blackberry detailed how this group meticulously prepared a phishing campaign targeting attendees of the upcoming Pakistan International Maritime Expo & Conference (PIMEC) in a blog post on February 9. 

PIMEC is set to be held over the course of the following weekend. It is a Pakistan navy initiative that will provide opportunities to the maritime industry both in the public and private sectors to display products and develop business relationships. 

"The event will also highlight Pakistan's Maritime potential and provide the desired fillip for economic growth at national level," reads the government press release. "Attendees at PIMEC include nation-states, militaries, and military manufacturers, among others. That fact, combined with NewPenguin's use of a bespoke phishing lure and other contextual details of the attack, led the researchers to conclude "that the threat actor is actively targeting government organizations." 

How NewsPenguin Operates the Phishing Campaign? 

NewsPenguin lures its victims via spear-phishing emails that are apparently attached to a Word document, in a pretense of being an “Exhibitor Manual” for the PIMEC. 

Although this file’s name should have been a warning sign, i.e. “Important Document. doc” its contents— which included official seals and the same aesthetic as other materials released by the event's organizers — appear to have been lifted verbatim from the materials themselves. 

Initially, the document opens in a protected view. To read the page, the victim must then click "enable content," which starts a remote template injection attack. For a fact, Remote template injection attacks ingeniously avoid easy detection by infecting an associate template rather than a document. It is "a special technique that allows the attacks to fly under the radar[…] especially for the [email gateways] and endpoint detection and response (EDR)-like products. That's because the malicious macros are not in the file itself but on a remote server — in other words, outside of the victim's infrastructure. That way, the traditional products built to protect the endpoint and internal systems won't be effective," says Dmitry Bestuzhev, a threat researcher at BlackBerry. 

Evasion Techniques used by NewsPenguin 

The blog post refers to the executable with the generic name "updates.exe" as the payload at the end of the attack flow. The most noteworthy feature of this never-before-seen espionage weapon is how far it goes to avoid notice and scrutiny. 

For instance, in order to evade making any loud noises in the targeted network area, the malware tends to operate at the slowest pace, taking around five minutes before each command. 

Additionally, the NewsPenguin malware initiates a chain of actions to monitor whether it is operating a virtual machine or sandbox. Cybersecurity experts like trapping and analyzing malware in these network environments, isolating any unwanted effects from the rest of a computer or network. 

What does NewsPenguin Want? 

No known threat actors could be linked by the researchers to NewsPenguin. Having said that, the team has been operating for some time. 

Despite PIMEC only taking place this weekend, the domains linked to the campaign were already registered in June and October of last year. 

"Short-sighted attackers usually don't plan operations so far in advance, and don't execute domain and IP reservations months before their utilization[…] This shows that NewsPenguin has done some advance planning and has likely been conducting activity for a while," the authors of the report said. 

The authors add that NewsPenguin has been "continuously improving its tools to infiltrate victim systems." 

The broader image begins to emerge due to the attack's premeditation and the victims' profiles. "What happens at conference booths?" Bestuzhev asks. "Attendees approach the exhibitors, chat, and exchange contact information, which the booth's personnel register as leads using simple forms like spreadsheets. The NewsPenguin malware is built to steal that information, and we should note that the whole conference is about military and marine technologies."