Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Windows. Show all posts
Windows
Akira CyberCrime Cybersecurity Cyberthreats EDR EDR Protections Ransomware S-RM Technology Webcam Windows

Webcam Exploited by Ransomware Group to Circumvent EDR Protections

 


Researchers at S-RM have discovered an unusual attack method used by the Akira ransomware gang. The Akira ransomware gang utilized an unsecured webcam to conduct encryption attacks against victims' networks via the use of an unsecured webcam. The attackers were able to bypass the Endpoint Detection and Response (EDR) mechanisms, which had been successful in stopping the ransomware encryptor from functioning on Windows computers.

During an investigation conducted by the S-RM team as part of an incident response, the S-RM team uncovered Akira's sophisticated adaptations in response to security defences. As a first step, the threat actors tried to implement encryption tools on Windows endpoints, but these attempts were thwarted by the EDR solution provided by the victim. 

It is important to note that the attackers reacted to this by exploiting the unsecured webcam as an entry point for the malware to infiltrate the network and launch their ransomware attacks. This incident illustrates how ransomware operators are increasingly using unconventional vulnerabilities to circumvent modern cybersecurity defenses, highlighting the evolution of ransomware operations. 

Network vulnerabilities exploited by Akira ransomware operators. 


Researchers in the cybersecurity field recently discovered a sophisticated attack strategy that was employed by the Akira ransomware group. Initially, the threat actors gained access to the network via an externally exposed remote access solution through which unauthorized access was gained. The attackers then installed AnyDesk.exe, a legitimate remote desktop tool, to maintain persistent access within the compromised network, and proceeded to exfiltrate sensitive data using this tool. 

In the months following the initial breach, the attackers used Remote Desktop Protocol (RDP) to move laterally through the network, simulating legitimate system administrator activities to conceal their activity and blend into normal networking operations. They evaded detection by mimicking legitimate system administrator activities. 

Akira Ransomware Group: A Rising Threat in the Cybercrime Landscape 


Emergence and Rapid Expansion 


Originally identified in early 2023, the Akira ransomware group has rapidly gained popularity as one of the most active ransomware operations in the world. As of 2024, the Akira group is responsible for around 15% of all ransomware incidents that were examined by cybersecurity firm S-RM. The company specializes in targeting small to medium sized businesses (SMEs) in North America, Europe, and Australia, especially businesses that have fewer than 1,000 employees as their primary target market. 

Operational Model and Organizational Structure 


Rather than using the typical paid-for model, Akira also uses a ransomware-as-a-service model: within this model, the group's core developers provide a running platform that allows its affiliates to access its binary and leak sites in exchange for a share of the ransom payments received by the group's owners. 

Triple Extortion Strategy and Technical Adaptability 


By employing a triple approach of extortion, or a series of layers of coercion to maximize leverage over their victims, Akira achieves extreme leverage over them: 

Data Encryption – Locking files and systems to disrupt business operations. 

Data Exfiltration – Stealing sensitive information before encryption. 

Public Disclosure Threats – Threatening to release exfiltrated data unless the ransom is paid. 

Akira's technical adaptability is exemplified by its ability to adjust its attack methods based on security threats. A recent webcam attack highlighted the group's innovative tactics. In this case, the group circumvented Endpoint Detection and Response (EDR) protections by using unsecured Internet of Things devices as an alternative entry point to bypass the system's protections. 

As ransomware operations such as Akira become more sophisticated, organizations, particularly small and medium-sized enterprises, must take proactive cybersecurity measures to mitigate the threats posed by these highly adaptive threat actors. To mitigate these risks, organizations must implement robust endpoint security, network segmentation, and IoT security protocols. 

Initially, the threat actors managed to breach the corporate network through an exposed remote access solution, likely using stolen credentials or brute-force techniques to gain access to the network. Once inside, they deployed AnyDesk, an authentic remote access tool, to gain persistent access and gain access to sensitive data. The data was then used as leverage in a double extortion scheme that later resulted in a double extortion attack. 

When the attack was first initiated, the attackers took advantage of the Remote Desktop Protocol (RDP) to enable them to move laterally, systematically spreading their presence across multiple systems before launching the ransomware attack. Their attack was carried out by introducing a password-protected archive file, win.zip, with the ransomware payload, win.exe, as a payload. Although the threat was initially detected and quarantined by the victim's Endpoint Detection and Response (EDR) system, it was ultimately neutralized when the virus was identified and quarantined. 

The attackers modified their strategy after experiencing this setback by finding alternative ways to attack the device. During a thorough network scan, several potential entry points were discovered, including a webcam and a fingerprint scanner. S-RM, a cybersecurity firm, explains that threat actors eventually chose the webcam as their primary pivot point for gaining access to its data, as it is easy for remote shell access and unauthorized video feeds. Moreover, the attackers took advantage of the device's lightweight Linux-based operating system, which was compatible with Akira's Linux encryptor. 

Since the webcam was without a protection agent against EDR attacks, it was an ideal choice for the ransomware attack to take place. The threat actors were able to successfully encrypt files on network shares by leveraging their connectivity to the Internet, circumventing conventional security measures and demonstrating the evolving sophistication of ransomware tactics. Instead of abandoning their original objective, the ransomware operators chose to utilize a previous internal network scan data as the basis for their next strategy. 

An investigation of the Internet of Things (IoT) revealed that several vulnerable devices were not adequately protected, including webcams and fingerprint scanners. As the attackers recognized the potential of unprotected devices as alternative entry points to traditional security systems, they sought to bypass those mechanisms. They discovered several vulnerabilities during their assessment, including an unsecured webcam, which proved to be the most feasible vulnerability. 

Several reasons contributed to this, most notably that it lacked Endpoint Detection and Response (EDR) protection, which made it an ideal target for exploiting. Additionally, the device was capable of being accessed remotely through a remote shell, making it even easier for attackers to gain access.

In addition, the Linux-based operating system presented a lightweight security footprint, which reduced the chances of detection and strengthened the appeal of the operating system as a potential entry point for cybercriminals. Execution of the Attack Through IoT Exploitation This attacker was able to create malicious SMB traffic directed towards a target Windows server by compromising a vulnerable webcam, which was able to be used by the attacker to create malicious SMB traffic. 

Due to the organization's lack of active monitoring of IoT devices, this technique enabled the ransomware payload to bypass traditional detection mechanisms. As a result of the attack, a large number of files were encrypted across the network of the victim. Even though SMB-based attacks have generally been considered to be less efficient than other intrusion techniques, this attack proved extremely effective in this case, mainly because they are frequently incompatible with conventional security monitoring tools, such as this tool. 

It is as a consequence of this incident that organizations must take proactive steps to ensure that all network-connected devices, most notably IoT endpoints, are secured via encryption so that sophisticated ransomware operators are not able to exploit them as attack vectors. 

The fact that the compromised webcam lacked an Endpoint Detection and Response (EDR) protection was a critical factor in the success of this attack, as largely due to its limited storage capacity, it could not cope with advanced security measures needed to defend itself. 

The Akira ransomware group exploited this vulnerability to deploy its Linux-based ransomware quickly from the compromised machine, encrypting files across the victim's network by using the Server Message Block protocol (SMB). As a result of this strategic approach, the attackers were able to operate covertly since malicious SMB traffic originating from the webcam was not detected by security systems, allowing them to evade detection by the organization's cybersecurity team. 

In light of these events, it is due to the growing necessity for comprehensive security protocols, in particular for securing Internet of Things (IoT) devices, that are more and more exploited as attack vectors by cyber criminals. A proactive cybersecurity approach is imperative to mitigate similar threats by ensuring that IoT devices are patched and managed, conducting regular vulnerability assessments within the organization's internal networks, and implementing robust network segmentation so that connected devices are limited in their ability to communicate. 

Further, turning off IoT devices when not in use can serve as a preventive measure against potential exploitation. To effectively defend against emerging threats, it is imperative to continuously monitor your network and implement robust security frameworks. As demonstrated by the Akira ransomware group, you must monitor your network constantly and implement robust security measures. With ransomware-as-a-service (RaaS) operations continuing to evolve at a rapid pace, organizations must remain vigilant, improving their cybersecurity strategies proactively to remain protected from increasingly sophisticated cyberattacks.
Read more »
Windows
BYOVD Attack CyberCrime Cybersecurity CyberThreat Vulnerabilities and Exploits Vulnerability Windows

Cybercriminals Target Paragon Partition Manager Vulnerability in BYOVD Attacks

 


It has been reported that threat actors have been actively exploiting a security vulnerability within the BioNTdrv.sys driver of Paragon Partition Manager in ransomware attacks by elevating privileges and executing arbitrary code under the guise of attacks. The CERT Coordination Center (CERT/CC) has identified this zero-day vulnerability as CVE-2025-0289, one of five security flaws discovered by Microsoft during the past year. 

Other flaws have been identified, including arbitrary memory mapping, arbitrary memory write, null pointer dereferences, insecure kernel resource access, and arbitrary memory move vulnerabilities. It is especially concerning that an adversary may be able to exploit this vulnerability. It involves a Microsoft-signed driver, which allows adversaries to take advantage of the Bring Your Own Vulnerable Driver (BYOVD) technique. 

Using this method, attackers can compromise systems regardless of whether Paragon Partition Manager is installed, broadening the attack surface significantly. As BioNTdrv.sys operates at the kernel level, threat actors can exploit these vulnerabilities to execute commands with elevated privileges. This allows them to bypass security measures and defensive software, as attackers can access the system and deploy additional malicious payloads. 

Even though Microsoft researchers have identified all five security flaws, the company can not divulge what ransomware groups have been leveraging CVE-2025-0289 to execute their attacks. They are only aware that it has been weaponized in ransomware operations. A bulletin issued by Microsoft's CERT Coordination Center (CERT/CC) indicated that threat actors have been exploiting this vulnerability to conduct BYOVD-based ransomware attacks. 

According to the CVE-2025-0289 vulnerability, further malicious code within compromised environments can be executed by exploiting this vulnerability to escalate privileges to the SYSTEM level. This vulnerability can be exploited to facilitate the exploitation of BYOVD attacks, even on systems where the affected driver is not installed, and this can result in threat actors gaining elevated privileges and executing malicious code without the protection of security systems in place. 

As part of the identified security flaws affecting BioNTdrv.sys versions 1.3.0 and 1.5.1, CVE-2025-0285 is a flaw in version 7.9.1 which permits the mapping of kernel memory to arbitrary user inputs by not properly validating the length of the input. By exploiting this vulnerability, the user can escalate their privileges even further. 

There is a CVE-2025-0286 vulnerability that exists in version 7.9.1, resulting from improper validation of input controlled by users, which allows attackers to exploit this flaw to execute malicious code on the target machine. An unprivileged code execution vulnerability has been found in version 7.9.1, caused by an insufficient MasterLrp structure in the input buffer, which can result in a null pointer dereference vulnerability. 

Successful exploit allows arbitrary kernel-level code to be executed, facilitating privilege escalation and further misuse. Version 7.9.1 contains a vulnerability in the memmove function. This function fails to properly sanitize user-supplied data, allowing attackers to manipulate kernel memory and escalate privileges. 

Inversion of the CVE-2025-0289 vulnerability, an insecure kernel resource access vulnerability, has been found in version 17 of the Linux kernel due to a failure to validate the MappedSystemVa pointer before passing it to HalReturnToFirmware during the detection process. By exploiting this vulnerability, attackers can compromise the system. 

This security vulnerability has been addressed by Paragon Software by releasing the updated driver BioNTdrv.sys version 2.0.0 across all products within Paragon Software's Hard Disk Manager suite, including Partition Manager versions 17.45.0 and later versions. This update has been developed to reduce the risks associated with the previously identified security vulnerabilities. 

There is also a dedicated security patch available for 64-bit versions of Windows 10, Windows 11, and Windows Server 2016, 2019, 2022, and 2025 that will provide users with an additional layer of protection against any exploits that might occur in the future, thereby enhancing the level of security. As part of Microsoft's efforts to protect its ecosystem, it has updated its Vulnerable Driver Blocklist, which effectively disables the execution of BioNTdrv.sys versions that are compromised within Windows environments, thereby preventing exploitation. 

Users and enterprises are strongly encouraged to ensure that this protection mechanism is kept in place to prevent exploitation. In light of the ongoing threat posed by these vulnerabilities, especially as a result of ransomware attacks, all users of Paragon Partition Manager and its associated products must update their software as soon as possible to the newest version available. 

As a further precaution, all Windows users should make sure that they enable the Microsoft Vulnerable Driver Blocklist feature as soon as possible. This is because it serves as a critical defense against BYOVD (Bring Your Vulnerable Driver) attacks, where outdated or insecure drivers are leveraged to elicit privileges and compromise a computer system.
Read more »
Windows
Cyber Security LibreOffice Updates Windows

LibreOffice Fixes Security Flaw That Allowed Malicious File Execution

 



LibreOffice, a popular free office suite, recently fixed a major security flaw that could have let hackers run harmful files on Windows computers. The issue, identified as CVE-2025-0514, was related to how the software handled links inside documents. If exploited, it could allow attackers to trick users into opening dangerous files.  


How the flaw worked  

LibreOffice allows users to click on hyperlinks in documents to open websites or files. Normally, it blocks links that try to open unsafe files, but older versions (before 24.8.5) failed to properly check certain types of links.  

Hackers found a way to trick the software by using specially designed web addresses. When a user clicked one of these deceptive links, LibreOffice could mistakenly treat it as a local file path and execute harmful programs. Unlike other document-based attacks that require macros, this method only needed the user to click a link, making it especially dangerous.  


LibreOffice fixes the issue  

To prevent such attacks, LibreOffice released version 24.8.5 on February 25, 2025. The update improves how the software checks links, ensuring that unsafe web addresses cannot be mistaken for local files.  

Developers Caolán McNamara from Collabora Productivity and Stephen Bergman from allotropia worked on fixing the issue after it was reported by security researcher Amel Bouziane-Leblond. The flaw highlighted how small errors in how software reads links can create serious security risks.  


What users should do  

This vulnerability could be used in phishing scams where hackers send fake documents to trick people into clicking malicious links. To stay safe, users should update their LibreOffice software immediately.  

Here are some steps to stay protected:  

1. Install the latest LibreOffice update (24.8.5 or later) to fix the issue  

2. Be cautious with documents from unknown sources, especially if they contain links  

3. Avoid clicking hyperlinks in documents unless you trust the sender  

4. Businesses should ensure all their computers are updated to reduce security risks  


The importance of updates 

While this flaw mainly affected Windows users, it highlights the need for strong security measures in office software. Cybercriminals constantly find new ways to exploit common tools, making software updates and user awareness essential.  

So far, there are no known real-world attacks using this vulnerability, but security experts consider it critical. Users can download the latest LibreOffice version from the official website or update it through Linux package managers.

Read more »
Windows
data security LightSpy Linux Mac malware Windows

LightSpy Malware Attacks Users, Launches Over 100 Commands to Steal Data


Cybersecurity researchers at Hunt.io have found an updated version of LightSpy implant, a modular surveillance framework for data collection and extraction. Famous for attacking mobile devices initially, further enquiry revealed it can attack macOS, Windows, Linux, and routers. 

LightSpy has been executed in targeted attacks, it uses watering hole techniques and exploit-based delivery, coupled with an infrastructure that swiftly escapes detection. LightSpy was first reported in 2020, targeting users in Hong Kong.

History of LightSpy

LightSpy has been historically famous for attacking messaging apps like WeChat, Telegram, QQ, Line, and WhatsApp throughout different OS. According to ThreatFabric report, the framework can extract payment data from WeChat, remove contacts, wipe out messaging history, and alot of other things.

The compromised things include WiFi network details, iCloud Keychain, screenshots, location, browser history, photos, call history, and SMS texts.

Regarding server analysis, the LightSpy researcher said they "share similarities with prior malicious infrastructure but introduce notable differences in the command list."

Further, "the servers analyzed in this research As previously observed, the cmd_list endpoint is at /ujmfanncy76211/front_api. Another endpoint, command_list, also exists but requires authentication, preventing direct analysis."

LightSpy Capabilities

In 2024, ThreatFabric reported about an updated malware version that has destructive capability to stop compromised device from booting up, in addition to the number of supported plugins from 12 to 28.

Earlier research has disclosed potential overlaps between an Android malware called "DragonEgg" and LightSpy, showing the threat's cross-platform nature.

Hunt.io's recent analysis study of the malicious command-and-control (C2) infrastructure linked with the spyware has found support for more than 100 commands spread across iOS, macOS, Linux, routers, and Windows.

Expert insights

Commenting on the overall impact of the malware, Hunt.io experts believe “LightSpy's infrastructure reveals previously unreported components and administrative functionality.” However, the experts remain unsure if it symbolizes new growths or earlier versions not publicly reported. “Command set modifications and Windows-targeted plugins suggest that operators continue to refine their data collection and surveillance approach across multiple platforms,” concludes 

To stay safe, experts suggest users to:

Limit app permissions to avoid unwanted access to important data. “On Android, use Privacy Dashboard to review and revoke permissions; on iOS, enable App Privacy Reports to monitor background data access.”

Turn on advanced device security features that restrict the exploitability of devices. iOS users can enable Lockdown Mode and Android users can turn on Enhanced Google Play Protect and use protection features to identify and block suspicious activities. 

Read more »
Windows
BlackLock Cyber Attacks Linux Ransomware Windows

BlackLock Ransomware: The Fastest-Growing Cyber Threat and How to Stay Safe

 



Ransomware remains a major problem for businesses, and a new cybercriminal group is expanding at an alarming rate. Security researchers at ReliaQuest have identified BlackLock as the fastest-growing ransomware operation today, with its activity increasing by 1,425% since late 2024. Although it is currently the seventh most active ransomware group, experts predict it could become the biggest threat in 2025.  

Despite law enforcement cracking down on major ransomware gangs like LockBit in 2024, the number of cyberattacks continues to grow. A report from January 31 suggested ransomware incidents had risen by 15% compared to the previous year. However, a February 20 study by Symantec showed a slower increase of just 3%. No matter the rate, the takeaway is the same, ransomware remains a serious risk.  


How BlackLock Ransomware Operates  

BlackLock ransomware is designed to infect Windows, Linux, and VMware ESXi systems, making it a versatile and dangerous threat. Cybercriminals behind this operation have developed unique methods to pressure victims into paying ransom quickly.  


1. Blocking access to stolen data  

  • Ransomware groups often leak stolen information on dark web sites to force victims to pay.  
  • BlackLock makes it harder for victims and cybersecurity teams to access leaked data by blocking repeated download attempts.  
  • If someone tries to retrieve files too often, they either receive no response or only see empty files with contact details instead of real data.  
  • This tactic prevents companies from fully understanding what was stolen, increasing the likelihood of paying the ransom.  


2. Recruiting criminals to assist with attacks  

  • BlackLock actively hires "traffers," cybercriminals who help spread ransomware by tricking people into downloading malware.  
  • These traffers guide victims toward fake websites or malicious links that install ransomware.  
  • The group openly recruits low-level hackers on underground forums, while more skilled cybercriminals are privately contacted for higher-level roles.  


Steps to Protect Your Systems  

Security experts recommend taking immediate action to strengthen defenses, especially for companies using VMware ESXi servers. Here are some key steps:  

1. Turn off unnecessary services  

  • Disable unused features like vMotion and SNMP to reduce possible entry points for attackers.  

2. Strengthen security restrictions  

  •  Configure VMware ESXi hosts to only allow management through vCenter, making it harder for hackers to exploit weaknesses.  

3. Limit network access  

  •  Use firewalls and strict access controls to prevent unauthorized users from reaching sensitive systems.  

Additional recommendations include:  

1. Activating multi-factor authentication (MFA) to prevent unauthorized logins.  

2. Disabling Remote Desktop Protocol (RDP) on systems that do not need remote access.  

The rapid rise of BlackLock ransomware shows that cybercriminals ar constantly developing new strategies to pressure victims and avoid detection. Organizations must take proactive steps to secure their networks and stay informed about emerging threats. Implementing strong security controls today can prevent costly cyberattacks in the future.

Read more »
Windows
ADFS Microsoft Password Phishing Attacks Technology Windows

Hackers Steal Login Details via Fake Microsoft ADFS login pages

Microsoft ADFS login pages

A help desk phishing campaign attacked a company's Microsoft Active Directory Federation Services (ADFS) via fake login pages and stole credentials by escaping multi-factor authentication (MFA) safety.

The campaign attacked healthcare, government, and education organizations, targeting around 150 victims, according to Abnormal Security. The attacks aim to get access to corporate mail accounts for sending emails to more victims inside a company or launch money motivated campaigns such as business e-mail compromise (BEC), where the money is directly sent to the attackers’ accounts. 

Fake Microsoft ADFS login pages 

ADFS from Microsoft is a verification mechanism that enables users to log in once and access multiple apps/services, saving the troubles of entering credentials repeatedly. 

ADFS is generally used by large businesses, as it offers single sign-on (SSO) for internal and cloud-based apps. 

The threat actors send emails to victims spoofing their company's IT team, asking them to sign in to update their security configurations or accept latest policies. 

How victims are trapped

When victims click on the embedded button, it takes them to a phishing site that looks same as their company's authentic ADFS sign-in page. After this, the fake page asks the victim to put their username, password, and other MFA code and baits then into allowing the push notifications.

The phishing page asks the victim to enter their username, password, and the MFA code or tricks them into approving the push notification.

What do the experts say

The security report by Abnormal suggests, "The phishing templates also include forms designed to capture the specific second factor required to authenticate the targets account, based on the organization's configured MFA settings.” Additionally, "Abnormal observed templates targeting multiple commonly used MFA mechanisms, including Microsoft Authenticator, Duo Security, and SMS verification."

After the victim gives all the info, they are sent to the real sign-in page to avoid suspicious and make it look like an authentic process. 

However, the threat actors immediately jump to loot the stolen info to sign into the victim's account, steal important data, make new email filter rules, and try lateral phishing. 

According to Abnormal, the threat actors used Private Internet Access VPN to hide their location and allocate an IP address with greater proximity to the organization.  

Read more »
Windows
Cyber Attacks Mac OS North Korea Remote Work threat mitigation Windows

Hackers Disguise as IT Employees: FBI Warns to Disable Local Admin Accounts

Hackers Disguise as IT Employees: FBI Warns to Disable Local Admin Accounts

Hackers use various ways to steal user data, one recent trend, according to the FBI, shows they have started gaining employment with companies. The agency has pushed out public announcement I-012325-PSA, warning organizations in the U.S. to disable local admin accounts, business must pay attention to it.

North Korean Hackers Disguising as IT Workers

The FBI has warned the public, private sector, and the world about the “victimization of US-based businesses”, as cyberattacks involving remote IT workers from North Korea are on the rise. It has noticed North Korean IT workers gaining illegal access to systems to steal confidential data and launch other cyber-crime operations. 

In an FBI announcement reported by Forbes, it was disclosed that “victims have seen proprietary data and code held to ransom,” and “the copying of corporate code repositories to attacker user profiles and personal cloud accounts.” Additionally,  the attackers have also “attempted harvesting of company credentials and session cookies for further compromise opportunities.” 

Understanding the “Principle of Least Privilege”

Law enforcement and intelligence agencies like the FBI and NSA (National Security Agency) have advised the principle of least privilege,  to “only allow designated administrator accounts to be used for administrative purposes.” The aim is to limit the administrative rights available to Mac and Windows users to ensure security. 

The principle of least privilege gives admin account access to only selected people, and nobody else. The method ensures company employees only have access to particular resources needed to get the job done, not admin rights. For instance, the user account completes day-to-day needs, whereas for something critical, like software installation, the systems will ask for admin credentials. 

Wikipedia is one great example of using this technique, it has user accounts for making backups that don’t need to install software and only have rights for running backups and related applications. 

Mitigating Threats- Advice from FBI and Security Experts

The FBI suggests businesses disable local administrator accounts and restrict privileges for installing remote desktop apps, keeping an eye out for any unusual network traffic. It has warned organizations to remember that “North Korean IT workers often have multiple logins into one account in a short period of time,” coming from various IP addresses linked with different countries. 

The agency has also advised HRs, development teams, and hiring managers to focus “on changes in address or payment platforms during the onboarding process.”

Read more »
Windows
Amaday Bot Lumma Stealer malware Malware Campaign Manufacturing Windows

New Malware Campaign Attacks Manufacturing Industry


Lumma Stealer and Amaday Bot Resurface

In a recent multi-stage cyberattack, Cyble Research and Intelligence (CRIL) found an attack campaign hitting the manufacturing industry. The campaign depends upon process injection techniques aimed at delivering malicious payloads like Amaday Bot and Lumma Stealer.

Using a chain of evasive actions, the threat actor (TA) exploits diverse Windows tools and processes to escape standard security checks, which leads to persistent system control and potential data theft. 

About the campaign

CRIL found an advanced multi-level attack campaign that starts with a spear-phishing mail. The email has a link that directs to an LNK file, hidden as a PDF file. When the fake PDF is clicked, it launches a series of commands. The LNK file is hosted on a WebDAV server, making it challenging for security software to trace.

“For instance, one of the malicious links observed in the campaign was hxxp://download-695-18112-001-webdav-logicaldoc[.]cdn-serveri4732-ns.shop. The attack’s effectiveness stems from its ability to exploit the name of a legitimate cloud-based document management system (LogicalDOC), commonly used in manufacturing and engineering industries, to convince targets into opening the file,” reports the Cyber Express.

How the campaign works

After executing the LNK file, it opens ssh.exe, a genuine system utility that can escape security software checks. Via ssh.exe, a PowerShell command is activated to retrieve an extra payload via a remote server from mshta.exe. 

Threat actors use this process to avoid detection via Google’s Accelerated Mobile Pages (AMP) framework merged with a compressed URL. The retrieved payload is a malicious script containing extra hacked commands that gradually deliver the last malicious payload to the target system.

Once the LNK file is executed, it launches ssh.exe, a legitimate system utility that can bypass security software’s detection. Through ssh.exe, a PowerShell command is triggered, which fetches an additional payload from a remote server using mshta.exe. This process is designed to evade detection by using Google’s Accelerated Mobile Pages (AMP) framework combined with a shortened URL. 

The payload fetched is a script that contains additional obfuscated commands that eventually deliver the final malicious payload to the victim’s system. 

CYBLE blog says, “The final payload, which involves the deployment of both Lumma stealer and Amadey bot, highlights the TA’s intent to steal sensitive information and maintain persistent control over compromised systems. Yara and Sigma rules to detect this campaign, are available for download from the linked GitHub repository.”    

Read more »
Subscribe to: Posts (Atom)