
Microsoft: Hackers Exploring New Attack Techniques

Malicious actors are adapting their tactics, techniques, and procedures (TTPs) in response to Microsoft's decision to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros by default across Office applications.

Malicious Microsoft Office attachments sent in phishing emails have long relied on VBA and XL4 macros, small scripts meant to automate repetitive tasks in Office applications, which threat actors instead use to load, drop, or install malware.

Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, stated, "the threat landscape has changed significantly as a result of threat actors shifting away from directly disseminating macro-based email attachments."

The shift follows Microsoft's announcement that it would curb the widespread abuse of Office macros by making them harder to enable and by blocking them by default in documents obtained from the internet.

New tactics 

According to Proofpoint, the use of ISO, RAR, and Windows shortcut (LNK) attachments to get around the block has risen by 66 percent, a change the firm calls "one of the largest email threat landscape shifts in recent history." Actors distributing the Emotet malware are among those making the switch.

The use of container files such as ISOs, ZIPs, and RARs has also grown quickly, by about 175 percent, and they are increasingly the initial access vector of choice; between October 2021 and June 2022, the use of ISO files alone rose by more than 150 percent. Containers work because the files inside a mounted ISO or an extracted archive may not carry the Mark-of-the-Web flag that triggers the macro block, and an LNK file can launch a script or executable directly without any macro at all.

Since October 2021, the number of campaigns using LNK files has climbed by 1,675 percent. Proofpoint tracks a range of cybercriminal and advanced persistent threat (APT) actors who regularly use LNK files.

Emotet, IcedID, Qakbot, and Bumblebee are among the well-known malware families distributed through these techniques.
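The practical consequence for defenders is that attachment filtering has to look past the file extension and inside containers. The following triage routine is an added example written for this post (it is not Proofpoint's or Microsoft's code): it identifies ZIP, RAR, ISO and LNK attachments by their documented format signatures, opens ZIP-based attachments to distinguish an Office document (which can carry a `vbaProject.bin` macro stream) from an archive wrapping a shortcut or executable, catches an LNK renamed to `.pdf`, and flags an extension that contradicts the real format. The sample attachments, file names and the `RISKY_EXT` list are constructed for the demonstration.

```python
"""Triage an e-mail attachment for the container and shortcut formats discussed above."""
import io
import posixpath
import zipfile

# Documented format signatures
ZIP_MAGIC = b"PK\x03\x04"
RAR_MAGIC = b"Rar!\x1a\x07"        # shared prefix of the RAR4 and RAR5 signatures
ISO_PVD_OFFSET = 0x8001            # ISO 9660: "CD001" follows the type byte of the descriptor in sector 16
# Shell link header: HeaderSize 0x4C followed by the ShellLink CLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Extensions worth flagging when nested inside an archive (constructed list for this example)
RISKY_EXT = {".lnk", ".exe", ".dll", ".scr", ".iso", ".img", ".vhd", ".js", ".vbs",
             ".hta", ".bat", ".cmd", ".ps1"}
EXPECTED_EXT = {
    "zip": {".zip"}, "rar": {".rar"}, "iso": {".iso", ".img"}, "lnk": {".lnk"},
    "ooxml": {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xltm", ".pptx", ".pptm"},
}


def identify(data: bytes) -> str:
    """Classify by magic bytes only; the attachment's extension is attacker controlled."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(RAR_MAGIC):
        return "rar"
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if len(data) >= ISO_PVD_OFFSET + 5 and data[ISO_PVD_OFFSET:ISO_PVD_OFFSET + 5] == b"CD001":
        return "iso"
    return "unknown"


def triage(filename: str, data: bytes):
    """Return (real format, list of findings) for one attachment."""
    kind = identify(data)
    findings = []
    declared = posixpath.splitext(filename)[1].lower()
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" in names:          # OOXML documents are ZIP files too
                kind = "ooxml"
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    findings.append("macro: vbaProject.bin")
            else:
                for n in names:
                    if n.endswith("/"):
                        continue
                    ext = posixpath.splitext(n)[1].lower()
                    if ext in RISKY_EXT:
                        findings.append(f"nested {ext[1:]}: {n}")
                    with zf.open(n) as member:         # catch a shortcut renamed to look harmless
                        head = member.read(len(LNK_MAGIC))
                    if head == LNK_MAGIC and ext != ".lnk":
                        findings.append(f"renamed lnk: {n}")
    elif kind in ("iso", "rar", "lnk"):
        findings.append(f"{kind} attachment")
    if kind in EXPECTED_EXT and declared not in EXPECTED_EXT[kind]:
        findings.append(f"extension mismatch: {declared or '(none)'} vs {kind}")
    return kind, findings


def _zip(members: dict) -> bytes:
    """Build a ZIP archive in memory (helper for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments; none of these are real captures.
SAMPLES = {
    "invoice.zip": _zip({"invoice.lnk": LNK_MAGIC + b"\x00" * 40, "readme.txt": b"see attached"}),
    "scan.pdf": b"\x00" * 0x8000 + b"\x01CD001\x01\x00" + b"\x00" * 2000,   # ISO disguised as a PDF
    "report.docm": _zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>",
                         "word/vbaProject.bin": b"\xd0\xcf"}),
    "holiday.zip": _zip({"photo.jpg": b"\xff\xd8\xff"}),
    "statement.zip": _zip({"statement.pdf": LNK_MAGIC + b"\x00" * 40}),
}


def triage_all(samples: dict) -> dict:
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (kind, findings) in triage_all(SAMPLES).items():
        print(f"{name:15} {kind:8} {findings}")
```

Running the module prints one line per sample: the ZIP with a shortcut, the ISO posing as a PDF, the macro-bearing document and the renamed LNK are all flagged, while the archive holding only a JPEG is not. Mounting an ISO to inspect its directory would need platform tooling, so the example stops at recognizing the format, which is already enough to quarantine it.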

Proofpoint also reports a marked rise in HTML attachments that use HTML smuggling, in which the HTML file assembles the malicious payload inside the browser and drops it onto the host. Their distribution volumes, however, remain small.

Finally, because the set of attachment types worth scrutinizing has narrowed, email security products are now better placed to detect the malicious files that remain.

ChromeLoader Malware Hijacks Chrome Browser via Malicious Extension

The browser-hijacking malware called ChromeLoader is seeing a new surge in activity since its discovery earlier this year, researchers at Red Canary wrote in a blog post this week.

ChromeLoader uses PowerShell, Windows' scripting and configuration management framework, to add a malicious extension to the victim's Chrome browser. The extension drastically modifies the browser's settings so that search results promote unwanted software, fake giveaways, surveys, adult games, and dating sites.

The malware's operators profit through affiliate marketing on these ad-supported pages and by redirecting traffic to commercial sites. There are many hijackers of this kind, but ChromeLoader stands out for its persistence, volume, and infection route, which involves aggressive use of PowerShell.

Exploiting PowerShell 

According to Red Canary researchers, who have tracked the strain since early February, ChromeLoader's operators reach their victims with a malicious ISO image. The malware gains initial access by being distributed as an ISO file posing as a torrent or a cracked video game. The researchers have also seen Twitter posts promoting cracked Android games and offering QR codes that lead to malware-hosting sites.

When the victim double-clicks the ISO file on Windows 10 or later, Windows mounts it as a virtual drive. The image contains an executable posing as a game crack or keygen, with names such as "CS_Installer.exe."

The executable then runs and decodes a PowerShell command, executed through a scheduled task, that fetches an archive from a remote server and loads it into Google Chrome as an extension. Once the scheduled task has run PowerShell and the extension is loaded, the PowerShell code silently deletes the scheduled task. Task deletion is monitored far less often than task creation, so the clean-up doubles as an anti-forensic measure.

"This is a novel method for loading a malicious extension into Chrome that I have not seen before, nor has it been observed by Red Canary's intelligence team in other malware," the researchers said. "While other bad actors could capitalize on this method, they still need to place a portable executable on the victim machine to ultimately use the load-extension PowerShell technique."
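The chain described above (scheduled task, encoded PowerShell, Chrome started with `--load-extension`, task deleted afterwards) maps cleanly onto process-creation telemetry. The hunt below is an added example, not Red Canary's detection logic: it runs four narrow rules over Sysmon-style process-creation records and only reports a ChromeLoader-like chain when the extension load from a script host coincides with the task or encoded-PowerShell stage, so a developer loading an unpacked extension from a normal shell does not trip it. The event records, process IDs, paths, task name and base64 fragments are constructed for the demonstration.

```python
"""Hunt for the ChromeLoader execution chain in process-creation telemetry."""
import re

# Interpreters that rarely launch Chrome in normal use, unlike explorer.exe
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED_PS = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", re.I)
LOAD_EXT = re.compile(r"--load-extension(?:=|\s)", re.I)
TASK_CREATE_PS = re.compile(r"/create\b.*\bpowershell(?:\.exe)?\b", re.I)
TASK_DELETE = re.compile(r"/delete\b", re.I)

POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed Sysmon Event ID 1 style records (fields reduced to what the rules need).
SAMPLE_EVENTS = [
    {"pid": 4102, "parent_image": r"C:\Windows\explorer.exe", "image": r"E:\CS_Installer.exe",
     "cmdline": r"E:\CS_Installer.exe"},
    {"pid": 4110, "parent_image": r"E:\CS_Installer.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "ChromeTask" /tr "powershell.exe -enc SQBFAFgA" /sc minute /mo 5'},
    {"pid": 4150, "parent_image": r"C:\Windows\System32\svchost.exe", "image": POWERSHELL,
     "cmdline": r"powershell.exe -WindowStyle Hidden -EncodedCommand SQBFAFgAIAAoAE4A"},
    {"pid": 4188, "parent_image": POWERSHELL, "image": CHROME,
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\u\AppData\Local\Temp\ext"'},
    {"pid": 4203, "parent_image": POWERSHELL, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /delete /tn "ChromeTask" /f'},
    # Benign: an extension developer loading an unpacked extension from a desktop shortcut
    {"pid": 5001, "parent_image": r"C:\Windows\explorer.exe", "image": CHROME,
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\dev\myext"'},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(ev: dict) -> list:
    """Return the names of every rule one process-creation event trips."""
    image, parent, cmd = basename(ev["image"]), basename(ev["parent_image"]), ev["cmdline"]
    hits = []
    if image == "schtasks.exe" and TASK_CREATE_PS.search(cmd):
        hits.append("schtasks_create_powershell")
    if image in ("powershell.exe", "pwsh.exe") and ENCODED_PS.search(cmd):
        hits.append("encoded_powershell")
    if image == "chrome.exe" and LOAD_EXT.search(cmd) and parent in SCRIPT_HOSTS:
        hits.append("chrome_load_extension_from_script_host")
    if image == "schtasks.exe" and TASK_DELETE.search(cmd) and parent in SCRIPT_HOSTS:
        hits.append("schtasks_delete_from_script_host")
    return hits


def hunt(events: list) -> list:
    """All (rule, pid) hits, in event order."""
    return [(rule, ev["pid"]) for ev in events for rule in match_rules(ev)]


def is_chromeloader_chain(events: list) -> bool:
    """Only the combination is high confidence: --load-extension from a script host plus the task or encoded stage."""
    rules = {rule for rule, _ in hunt(events)}
    return ("chrome_load_extension_from_script_host" in rules
            and bool(rules & {"schtasks_create_powershell", "encoded_powershell"}))


if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
    print("ChromeLoader-like chain:", is_chromeloader_chain(SAMPLE_EVENTS))
```

The rules deliberately key on the parent process: `--load-extension` is a legitimate developer switch, so the signal is not the flag itself but Chrome being started with it by PowerShell or another script host. The task-deletion rule exists because, as the post notes, removing the task is the step most environments do not log or alert on.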

ChromeLoader's creators also target macOS, where the malware is delivered as a DMG (Apple Disk Image) file, the standard distribution format on that platform.

"To maintain persistence, the macOS variation of ChromeLoader will append a preference (`plist`) file to the `/Library/LaunchAgents` directory," explains Red Canary's report. "This ensures that every time a user logs into a graphical session, ChromeLoader's Bash script can continually run."