Search This Blog

Powered by Blogger.

Blog Archive

Labels

Cybercriminals Employ Obfuscation in Invoice Phishing Malware Campaigns

Cybercriminals leverage invoice-themed phishing to deliver complex malware, emphasizing the need for heightened vigilance.

 


An array of cunning cyberattack campaigns utilizing seemingly innocuous invoices to deliver malware attacks have been uncovered by cybersecurity researchers. In this deceptive campaign, malicious Scalable Vector Graphics (SVG) file attachments are embedded in phishing emails that have been crafted to pose as malicious content. 

There is a risk that an intricate infection sequence will unfold once the victim opens the attachment, potentially releasing the victim's computer with various types of malware strains. Using this invoice-themed phishing scheme, FortiGuard Labs at Fortinet, a leading cybersecurity research team, identified a variety of malware. 

The malicious payloads included RATs such as Venom RAT, Remcos RAT, NanoCore RAT, and XWorm, as well as other Remote Access Trojans (RATs) that are known to have been exploited by hackers. Furthermore, the attack arsenal has incorporated a cryptocurrency wallet stealer that allows attackers to steal digital currencies from users without their knowledge of it. 

In a technical report published by Fortinet FortiGuard Labs, a technical report said that the emails include Scalable Vector Graphics files (SVG) that activate infection sequences when clicked. It is of particular note that the modus operandi uses BatCloak's malware obfuscation engine and ScrubCrypt to deliver malware as obfuscated batch scripts via the BatCloak malware obfuscation engine. 

A tool known as BatCloak, which was offered for sale to other threat actors in late 2022, has its roots in Jlaive, a tool that was developed by the organization. Essentially, it serves to load a next-stage payload by circumventing traditional detection mechanisms by loading it in a layered manner. The complexity of the attack lies in its multilayered approach. 

It is the SVG attachments that serve as triggers, initiating the infection process once the target opens them up. The BatCloak malware obfuscation engine is also extensively used to perform obfuscation techniques. In late 2022, cybercriminals were able to purchase a tool called Jlaive, a descendant of another obfuscation tool known as Jlaive, which has been available since then. 

In addition to masking the subsequent stages of malware, BatCloak's main function is to make it difficult for security software to detect the subsequent stages of malware. This variant of the Quasar RAT gives attackers the ability to seize control of compromised systems, collect sensitive data, and execute commands from command and control (C2) servers once they have taken control of a compromised system. 

In addition, it allows a multitude of plugins to be deployed for different kinds of malicious activities, including Remcos RAT, which is distributed via obfuscated VBS scripts, ScrubCrypt, and Guloader PowerShell scripts. The plugin system also allows a stealer module to be deployed to collect information from crypto wallets and applications like Atomic Wallet, Electrum, Ethereum, and others and send that stolen information to a remote server via the plugin system. 

In addition to obfuscating the malware, ScrubCrypt is one more layer that adds to this elaborate attack. It encrypts the malicious code, making it even more difficult to detect and prevent infection from security systems. A malware payload typically arrives in the form of encoded batch scripts as soon as the layers are peeled back. Once the scripts have been downloaded and executed onto the compromised system, the malware payload will be able to be detected. 

According to the cybersecurity firm that analyzed the latest campaign, the SVG file served as a conduit for dropping a ZIP archive which contained a batch script that probably was created using BatCloak. After the ScrubCrypt batch file has been unpacked, the Venom RAT is eventually executed, but not before establishing persistence on the host, bypassing ETW and AMSI protections, and setting up persistence on the host. 

The evolution of the tactics employed by cybercriminals has demonstrated the importance of the evolving threat landscape. A very important aspect of the sophistication of these online threats is the fact that attackers are strategically using readily available obfuscation tools, alongside malware that targets cryptocurrency. 

Researchers have stressed to users the importance of remaining vigilant, especially when it comes to unsolicited email attachments, even when they seem to be invoices or other documents that seem to come from a legitimate source. Several security measures should also be implemented by businesses, including comprehensive email filtering systems in addition to employee training programs targeted at recognizing warning signs of phishing attempts, which are recommended as part of these measures.
Share it:

Cyber Campaigns

Cyber Fraud

Cyberattacks

CyberCrime

Cybersecurity

CyberThreat

Email Attacks

Malware Campaigns

Phising

SVG