Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Windows malware. Show all posts
Windows malware
fake error messages malware PowerShell malware ransomware distribution social engineering attacks Windows malware

Crafty Criminals Use Fake Error Messages to Deploy Malware via PowerShell

 

Criminals are targeting thousands of organizations worldwide with social engineering attacks that use fake error messages to trick users into running malicious PowerShell scripts.

This new Windows malware campaign uses bogus error messages from Google Chrome, Microsoft Word, and OneDrive that appear legitimate. When victims visit a compromised website, they encounter a pop-up error message in their browser. This tactic, although old, remains highly effective. It's crucial to be aware of this trick to prevent others from falling for it.

Victims are instructed to click a "fix" button and paste the displayed code into a PowerShell terminal or Windows Run dialog box. This action allows PowerShell to execute another remote script that downloads and installs malware on the victim's computer.

Proofpoint malware researchers have identified at least two criminal groups using this method. One of these groups is likely using it to spread ransomware.

"Although the attack chain requires significant user interaction to be successful, the social engineering is clever enough to present someone with what looks like a real problem and solution simultaneously, which may prompt a user to take action without considering the risk," stated Tommy Madjar, Dusty Miller, and Selena Larson in a recent report.

Proofpoint discovered a group named TA571 employing this PowerShell technique as early as March 1, and another gang behind the ClearFake malware campaign has been using it since early April. Both groups were still active in early June, and a third campaign, dubbed ClearFix, has been testing it out since at least May.

In these attacks, users visit a compromised website that loads a malicious script hosted on the blockchain via Binance's Smart Chain contracts, known as EtherHiding. This script then triggers a fake warning box in the browser, prompting the victim to install a "root certificate" to fix a fictitious problem.

The warning message includes instructions to copy a PowerShell script and run it manually. This script flushes the DNS cache, clears the clipboard, displays a decoy message, and then downloads and executes a remote PowerShell script.

The remote script conducts Windows Management Instrumentation checks and then deploys Lumma Stealer malware, which downloads three payloads:

am.exe – Amadey Loader
ma.exe – A downloader that installs the XMRig cryptocurrency miner with a specific configuration
cl.exe – A clipboard hijacker that replaces cryptocurrency addresses in the clipboard to redirect funds to the threat actor's address during transactions
In some cases, the Amadey malware also downloads additional malware, including a Go-based threat believed to be JaskaGo, which can target both Windows and macOS systems.

"This means that in total, five distinct malware families could be executed just by running the one initial PowerShell script," the researchers noted.

The ClearFix campaign used a similar tactic. Attackers employed a compromised website with an iframe overlay, displaying a Google Chrome error message instructing users to open "Windows PowerShell (Admin)" and paste malicious code, ultimately leading to the Vidar Stealer being downloaded and executed.

In another campaign attributed to TA571, the group sent out over 100,000 phishing emails to thousands of organizations globally. These emails contained a malicious HTML attachment disguised as a Microsoft Word page, displaying an error message about the "Word Online extension not being installed," and offering two options: "How to fix" and "Auto-fix."

Clicking "How to fix" copies a Base64-encoded PowerShell command to the clipboard, instructing the user to open PowerShell and paste the command. The "Auto-fix" button uses the search-ms protocol to display a WebDAV-hosted "fix.msi" or "fix.vbs" file.

Executing the MSI file installs Matanbuchus, another malware loader, while the VBS file downloads and runs the DarkGate attack code.

"Proofpoint assesses with high confidence that TA571 infections can lead to ransomware," the researchers said, noting that this group continually modifies its email lures and attack chains.

The security firm also provided examples of indicators of compromise and advised organizations to train employees to recognize and report suspicious activity, particularly social engineering attacks of this nature. 
Read more »
Windows malware
malware QNAP worm Raspberry Robin Researchers Windows Windows malware

This New Raspberry Robin Worm Utilizes Windows Installer to Drop Malware

 

A new Windows malware with worm capabilities has been identified by Red Canary intelligence investigators, and it spreads via external USB sticks. This malware is associated with the Raspberry Robin malware cluster, which was initially discovered in September 2021. (cybersecurity firm Sekoia tracks this malware as "QNAP worm"). 

The worm was discovered in many customers' networks by Red Canary's Detection Engineering team, including companies in the technology and manufacturing sectors. When a USB drive carrying a malicious.LNK file is attached, Raspberry Robin spreads to new Windows systems.

The worm launches a new process using cmd.exe to launch a malicious file stored on the infected drive after it has been attached. It reaches out to its command-and-control (C2) servers via Microsoft Standard Installer (msiexec.exe), which are most likely hosted on infected QNAP devices and utilise TOR exit nodes as additional C2 infrastructure. 

The researchers said, "While msiexec.exe downloads and executes legitimate installer packages, adversaries also leverage it to deliver malware. Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes." 

They believe the malware downloads a malicious DLL file [1, 2] on affected workstations to resist eradication between restarts, albeit they haven't determined how it achieves persistence. This DLL is started by Raspberry Robin using two other trusted Windows utilities: fodhelper (a trusted binary for controlling features in Windows settings) and odbcconf (a tool for configuring ODBC drivers). 

The first permits it to get through User Account Control (UAC), while the second assists in the execution and configuration of the DLL. While Red Canary analysts have been able to extensively examine what the newly found malware performs on affected systems, some questions remain unanswered. 

The researchers stated, "First and foremost, we don't know how or where Raspberry Robin infects external drives to perpetuate its activity, though it's likely this occurs offline or otherwise outside of our visibility. We also don't know why Raspberry Robin installs a malicious DLL. One hypothesis is that it may be an attempt to establish persistence on an infected system, though additional information is required to build confidence in that hypothesis." 

Red Canary's report contains more technical details on the Raspberry Robin worm, including indicators of compromise (IOCs) and an ATT&CK of this malware.
Read more »
Subscribe to: Posts (Atom)