Tag Archive for: Delivering

US organizations targeted with emails delivering NetSupport RAT


Employees at US-based organizations are being targeted with emails delivering NetSupport RAT malware via “nuanced” exploitation and an advanced detection-evasion method.

The malware campaign

The campaign, dubbed PhantomBlu, takes the form of email messages purportedly coming from a legitimate accounting service.

The attackers are leveraging a legitimate email delivery platform, SendInBlue (Brevo), to evade detection.

The phishing emails prompt recipients to download an attached Microsoft Word file (.docx) to view their “monthly salary report”.

[Image: The PhantomBlu phishing email. (Source: Perception Point)]

After downloading the file, victims are instructed to enter the provided password, click “enable editing”, and then double-click a printer image to view the “salary graph.”

But the clickable printer image is actually an Object Linking and Embedding (OLE) package, which is a Microsoft Windows feature that allows data and object sharing between applications.

Clicking on the printer icon triggers OLE template manipulation and opens an archived .zip file containing a single LNK file: a PowerShell dropper that retrieves and executes a script, which contains – among other things – an executable for the NetSupport RAT and a registry key designed to ensure its persistence.

“This advanced technique bypasses traditional security measures by hiding the payload outside the document, only executing upon user interaction,” Perception Point researchers noted.
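The embedded “printer image” described above is an OLE packager object stored inside the .docx archive. The following scanner is an added example written for this page (it is not Perception Point’s tooling and uses a constructed sample document, not the campaign’s file): it unpacks a .docx, lists the parts under word/embeddings/, checks whether they carry the Compound File Binary header that OLE objects use, and reads the ProgID of each OLEObject element in word/document.xml. The generic “Package” ProgID wraps an arbitrary file, which is why it is flagged. It also handles the edge case the campaign relies on: a password-protected .docx is itself an OLE container rather than a zip, so it cannot be inspected until it is opened with the password.

```python
import io
import re
import zipfile

# Header of a Compound File Binary (OLE2) container.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# ProgID attribute on an embedded OLEObject element in word/document.xml.
PROGID_RE = re.compile(r'<o:OLEObject\b[^>]*\bProgID="([^"]+)"', re.I)

# Constructed sample (not from the campaign): one embedded object displayed
# as an icon, with the generic "Package" ProgID that can wrap any file type.
SAMPLE_DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
    ' xmlns:o="urn:schemas-microsoft-com:office:office"'
    ' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
    '<w:body><w:p><w:r><w:object>'
    '<o:OLEObject Type="Embed" ProgID="Package" DrawAspect="Icon" ObjectID="_1" r:id="rId5"/>'
    '</w:object></w:r></w:p></w:body></w:document>'
)


def build_sample_docx(with_package: bool) -> bytes:
    """Build a minimal .docx-style zip in memory (constructed test input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        if with_package:
            zf.writestr("word/document.xml", SAMPLE_DOCUMENT_XML)
            # Embedded packager object: CFB header followed by padding.
            zf.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 504)
        else:
            zf.writestr("word/document.xml", "<w:document><w:body/></w:document>")
    return buf.getvalue()


def scan_docx(data: bytes) -> dict:
    """Report embedded OLE parts and their ProgIDs; None means 'cannot inspect'."""
    if data.startswith(OLE_MAGIC):
        # A password-protected .docx (or a legacy .doc) is an OLE container,
        # so the inner zip is not reachable without the password.
        return {"container": "ole", "embedded_parts": [], "progids": [],
                "suspicious": None,
                "note": "OLE container: encrypted/password-protected or legacy; open with the password first"}
    if not data.startswith(b"PK"):
        return {"container": "unknown", "embedded_parts": [], "progids": [],
                "suspicious": None, "note": "not a zip-based Office document"}

    findings = []
    progids = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            if name.startswith("word/embeddings/"):
                head = zf.read(name)[:8]
                findings.append({"part": name, "is_ole_cfb": head == OLE_MAGIC})
        if "word/document.xml" in names:
            xml = zf.read("word/document.xml").decode("utf-8", "replace")
            progids = PROGID_RE.findall(xml)

    # Flag embedded CFB objects that are generic packages (or whose ProgID
    # could not be determined); other ProgIDs are reported for review.
    suspicious = any(f["is_ole_cfb"] for f in findings) and (
        not progids or any(p.lower() == "package" for p in progids)
    )
    return {"container": "zip", "embedded_parts": [f["part"] for f in findings],
            "progids": progids, "suspicious": suspicious, "note": ""}


if __name__ == "__main__":
    for label, blob in (("with package", build_sample_docx(True)),
                        ("benign", build_sample_docx(False)),
                        ("encrypted", OLE_MAGIC + b"\x00" * 8)):
        print(label, scan_docx(blob))
```

Run it on a real file with `scan_docx(open(path, "rb").read())`; a result with `suspicious` set to `True` is a document that deserves detonation or manual review before anyone is allowed to “enable editing”, and a `None` result is a reminder that password-protected attachments defeat static inspection entirely.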

The NetSupport RAT

The NetSupport RAT is based on the legitimate remote desktop tool NetSupport Manager. It’s commonly used by attackers to infiltrate systems to set the stage for future attacks.

“Once installed on a victim’s endpoint, NetSupport can monitor behavior, capture keystrokes (keylogger), transfer files, commandeer system resources, and move to other devices within the network – all under the guise of a benign remote support software,” the researchers said.

(Other?) attackers have previously been spotted exploiting a vulnerability (CVE-2023-36025) in the Windows SmartScreen anti-phishing and anti-malware component to deliver the NetSupport RAT.


Russian Group Delivering Malware Via Using PDFS: Google


SAN FRANCISCO, CA (IANS) – Google researchers have observed that the notorious Russian threat group COLDRIVER, previously focused on credential phishing, has now gone beyond it by delivering “malware via campaigns using PDFs as lure documents”.

Also known as ‘UNC4057’, ‘Star Blizzard’ and ‘Callisto’, the group has focused on credential phishing against Ukraine, NATO countries, academic institutions, and NGOs.

To gain the trust of targets, the group often utilizes impersonation accounts, pretending to be an expert in a particular field or somehow affiliated with the target.

According to new research by Google’s Threat Analysis Group (TAG), Coldriver has increased its activity in recent months and is now using new tactics that can cause more disruption to its victims.

“As far back as November 2022, TAG has observed Coldriver sending targets benign PDF documents from impersonation accounts,” Google said in a blogpost on January 18.

The threat group presents these documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target. When the user opens the benign PDF, the text appears encrypted, the researchers explained.

If the target responds that they cannot read the encrypted document, the Coldriver impersonation account responds with a link, usually hosted on a cloud storage site, to a “decryption” utility for the target to use.

“This decryption utility, while also displaying a decoy document, is in fact a backdoor, tracked as SPICA, giving Coldriver access to the victim’s machine,” the researchers said.

In 2015 and 2016, TAG observed Coldriver using the Scout implant that was leaked during the Hacking Team incident of July 2015.

SPICA represents the first custom malware that the TAG researchers attribute to being developed and used by Coldriver.

The researchers have observed SPICA being used as early as September 2023, but believe that Coldriver’s use of the backdoor goes back to at least November 2022.


Mozilla Warns of Fake Thunderbird Downloads Delivering Ransomware


Mozilla issued a warning this week over malicious websites offering Thunderbird downloads after a ransomware group was caught using this technique to deliver malware.

Cybersecurity journalist Brian Krebs reported last week that a website where the Snatch ransomware group names victims had been leaking data, including visitor IPs and information on internal operations.

According to Krebs, the leaked data suggests that the Snatch cybercrime group has been using paid Google ads to deliver its malware disguised as popular applications such as Adobe Reader, Discord, Microsoft Teams, and Mozilla Thunderbird.

Following Krebs’ findings, Mozilla issued a ‘ransomware alert’ this week, advising users to only download Thunderbird from trusted websites.

Mozilla noted that it’s actively trying to take down malicious websites offering Thunderbird, but they are hosted in Russia, which makes takedowns “difficult and often not effective”.

Thunderbird has a market share of less than one percent in the email client category. However, that still translates to a significant number of individuals and organizations, which could be targeted by the Snatch ransomware.

The US government issued an alert recently, warning critical infrastructure organizations of ongoing Snatch ransomware attacks.


Telegram and Discord Bots Delivering Infostealing Malware


A new report from security vendor Intel471 reveals how cybercriminals are using bots already deployed in messaging apps Discord and Telegram to deliver malware and steal user credentials.

In addition, these actors are targeting Roblox and Minecraft gaming platforms in similar attacks. Researchers pointed out that Discord’s content delivery network (CDN) is actively used for hosting malware because the platform doesn’t impose restrictions on file hosting.

The report revealed that these file hosting links are accessible to anyone without requiring authentication. This gives cybercriminals a credible “web domain to host malicious payloads.”

Bots are used on Discord and Telegram so that users can play games, share data, and moderate channels to remove unwanted content. However, Intel471’s researchers identified that these bots can also be used for delivering malware.

Some malware strains researchers found deployed on Discord’s CDN include the pay-per-install (PPI) malware Discoloader, PrivateLoader, Smokeloader, Agent Tesla, Autohotkey, Raccoon stealer, njRAT and many more.

Bots Stealing User Info from Systems

Researchers explained that threat actors use trojan malware to steal information from devices and systems attached to legitimate bots in the apps. The malware can steal a wide range of information, including the following:

  • Passwords
  • Bookmarks
  • Autofill data
  • Payment card data
  • Cryptocurrency wallets
  • Browser/session cookies
  • Microsoft Windows product keys
  • VPN (virtual private network) client logins

It is worth noting that using bots to spread malware on such platforms is nothing new. A report published last year explained how Telegram bots are stealing one-time passwords (OTPs).

When it comes to Discord, there are a plethora of reports from cybersecurity companies explaining how one of the most frequently used messenger services in the world is used in spreading malware.

Messaging Apps Have Become Attackers’ C&C Mechanisms

According to Intel471’s report, cybercrooks use messaging apps like Telegram as their Command and…
