Search This Blog

Showing posts with label Microsoft Excel. Show all posts

Three Malware Fileless Phishing Campaigns: AveMariaRAT / BitRAT /PandoraHVNC

 

A phishing effort that was distributing three fileless malware onto a victim's device was detailed by cybersecurity experts at Fortinet's FortiGuard Labs. AveMariaRAT, BitRAT, and PandoraHVNC trojan viruses are spread by users who mistakenly run malicious attachments delivered in phishing emails. The viruses are dangerously capable of acquiring critical data from the device.
 
Cybercriminals can exploit the campaign to steal usernames, passwords, and other sensitive information, such as bank account numbers. BitRAT is particularly dangerous to victims because it can take complete control of infected Windows systems, including viewing webcam activity, listening to audio through the microphone, secretly mining for cryptocurrency that is sent to the attackers' wallet, and downloading additional malicious files.

The first phishing mail appears to be a payment report from a reputable source, with a brief request to view a linked Microsoft Excel document. This file contains dangerous macros, and when you open it, Microsoft Excel warns you about using macros. If the user disregards the warning and accepts the file, malware is downloaded. The malware is retrieved and installed onto the victim's computer using Visual Basic Application (VBA) scripts and PowerShell. For the three various types of malware that can be installed, the PowerShell code is divided into three pieces. This code is divided into three sections and employs the same logic for each virus: 
  • A dynamic mechanism for conducting GZip decompression is included in the first "$hexString." 
  • The second "$hexString" contains dynamic PowerShell code for decompressing the malware payload and an inner.Net module file for deploying it. 
  • The GZip-compressed malware payload is contained in the "$nona" byte array. The following PowerShell scripts are retrieved from the second $hexString and are used to decompress the malware payload in $nona and to deploy the malware payload into two local variables using the inner.Net module. 
The study doesn't explain as to why the phishing email contains three malware payloads, but it's conceivable that with three different types of malware to deploy, the cybercriminals will have a better chance of gaining access to whatever critical information they're after. 

Phishing is still one of the most prevalent ways for cyber thieves to deliver malware because it works – but there are steps you can take to avoid being a victim. Mysterious emails claiming to offer crucial information buried in attachments should be avoided, especially if the file requires users to allow macros first. Using suitable anti-spam and anti-virus software and training workers on how to recognize and report phishing emails, businesses may help workers avoid falling victim to phishing emails.

NRA Reacts to Allegations of a Ransomware Campaign

 

Last year, the National Rifle Association — champion of gun-toting maniacs worldwide, admitted it was hacked by cybercriminals. The organization's political action committee (PAC) confirmed the attack in a filing to the Federal Election Commission on Friday. 

Last October, a ransomware group known as "Grief" boasted to the digital underworld about hacking into the gun lobby's networks and stealing critical internal papers. It released screenshots of documents it claimed to be stolen during the event. The NRA did not confirm or deny it had been hacked at the time. 

"The National Rifle Association does not talk about its physical or electronic security. The NRA, on the other hand, takes exceptional precautions to safeguard information about its members, funders, and operations, and is extremely cautious in doing so." Andrew Arulanandam, managing director of NRA Public Affairs. 

The NRA was added as a new victim on the ransomware gang's data site today, along with pictures of Excel spreadsheets revealing US tax information and transaction amounts. The threat actors also published a 2.7 MB archive called 'National Grants.zip,' which comprises bogus NRA grant applications. After Grief claimed it obtained 13 files supposedly from the NRA's databases, security researchers began posting about the breach on Wednesday. According to an analysis of the documents supplied, it included records from a recent NRA board meeting as well as grant documents. If the NRA did not pay an undisclosed ransom, it threatened to release more files. 

The Grief ransomware group is believed to be linked to Evil Corp, a Russian hacking group. Evil Corp has been active since 2009 and has been involved in a variety of destructive cyber activities, including the spread of the Dridex trojan, which was used to steal online banking credentials and money. 

In 2017, the hacking gang published BitPaymer, ransomware which was later renamed DoppelPaymer in 2019. The US Department of Justice charged members of the Evil Corp with stealing more than $100 million and adding the cyber group to the Office of Foreign Assets Control (OFAC) sanction list after years of attacking US interests. 

Soon after, the US Treasury cautioned ransomware negotiators may face civil penalties if anyone helped gangs on the blacklisted list get ransom payments. To avoid US sanctions, Evil Corp has been spreading new ransomware strains under different identities on a regular basis since then.WastedLocker, Hades, Phoenix CryptoLocker, PayLoadBin, and, quite recently, the Macaw Locker are among the ransomware families.

NRA members should take precautions to protect themselves from any penalties which may occur as a result of this breach, according to Paul Bischoff, a privacy advocate at Comparitech. With the Grief ransomware group emerging, security researchers believe it is another version of DoppelPaymer due to the code similarities. Because Grief is related to Evil Corp, ransomware negotiators are unlikely to allow ransom payments unless the victim first obtains OFAC certification.

Hackers are Now Utilizing Office Documents to Launch the Regsvr32 Utility

 

Regsvr32, a Windows living-off-the-land binary (LOLBin) used to propagate trojans like Lokibot and Qbot, is seeing a surge in abuse recently, according to researchers. 

LOLBins are genuine, native utilities which are used on a regular basis in a variety of computing settings, yet are utilized by cybercriminals to avoid detection by merging in with typical traffic patterns. Regsvr32 is a Windows command-line program signed by Microsoft which lets users register and unregister DLLs (Dynamic Link Library). Information about a DLL file is uploaded to the centralized registry so the Windows may use it. 

This makes things simpler for other programs to take advantage of the DLLs' features. This broad reach is appealing to cybercriminals, who may exploit the utility through Squiblydoo, which has been a utilized malware by known APT groups, such as in spear-fishing efforts against Russian firms, and more recently in certain crypto mining events. 

Unlawful utilization of Regsvr32 has been on the rise recently in the Uptycs data, with cybercrooks attempting to register specifically. As a group, we. ActiveX controls are code blocks designed by Microsoft that allow applications to perform specified functions, such as showing a calendar, using OCX files. 

Uptycs EDR employs a multi-layered detection strategy that not only analyzes threats using the Squiblydoo technique but also prioritizes them according to a specific composite score and severity. This helps analysts focus on key situations first, reducing alert fatigue. 

The majority of such Microsoft Excel files found in the attacks have the.XLSM or.XLSB prefixes, which indicate files contain embedded macros. Using the formulas in the macros, hackers normally download or operate a malicious payload from the URL during the campaign. 

Conventional security systems and security personnel tracking this operation for malicious actions face a problem because regsvr32 is frequently utilized for regular daily tasks. The following aspects can be monitored by security teams: 

  • The parent/child program relations where regsvr32 is run alongside a Microsoft Word or Excel parent process. 
  • Locating  regsvr32.exe operations that load the scrobj.dll, which performs the COM scriptlet, to identify it.

Cyber Attackers Exploiting Microsoft Excel add-in Files

 


Recently a unit of researchers delivered a detailed study on a new phishing campaign at HP Wolf Security. As per the report, threat actors are exploiting Microsoft Excel add-in files in order to send various forms of malware into the systems that could leave businesses vulnerable to data theft, ransomware, and other cybercrime. 

Researchers said that threat actors are excessively using malicious Microsoft Excel add-in (XLL) files to damage the systems and it has been observed that there was an almost six-fold (588%) increment in attacks using this technique during the final quarter of 2021 compared to the previous three months.

XLL add-in files are very famous among people because they provide users to execute a wide range of extra tools and functions in Microsoft Excel. But like macros, they're a tool that can be exploited by threat actors. 

According to the report, threat actors distributed malicious links via phishing emails related to payment references, quotes, invoices, shipping documents, and orders that come with malicious Excel documents with XLL add-in files. The recipient is then tricked into clicking a malicious link, which can lead to the installation and activate the add-in of malware, freezing of the system as part of a ransomware attack, or the revelation of sensitive information. 

Malware families that have been used in attacks leveraging XLL files include Dridex, BazaLoader, IcedID, Agent Tesla, Stealer, Raccoon Formbook, and Bitrat. Some of these forms of malware also create backdoors onto infected Windows systems, which gives attackers remote access to the system. 

Additionally, Some XLL Excel Dropper services are advertised as costing over $2,000, which is expensive for community malware but criminal forum users seem willing to pay the price. 

Alex Holland, senior malware analyst at HP Wolf Security said, "Abusing legitimate features in the software to hide from detection tools is a common tactic for attackers, as is using uncommon file types that may be allowed past email gateways. Security teams need to ensure they are not relying on detection alone and that they are keeping up with the latest threats and updating their defenses accordingly…” 

"…Attackers are continually innovating to find new techniques to evade detection, so it's vital that enterprises plan and adjust their defenses based on the threat landscape and the business needs of their users. Threat actors have invested in techniques such as email thread hijacking, making it harder than ever for users to tell friend from foe," he added.