Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label RAT. Show all posts
Vulnerability management
China Cyber Security Cyber Threats Cybersecurity Dutch intelligence espionage FortiGate devices Malware Detection RAT Threat actors Vulnerability management

China Caught Deploying Remote Access Trojan Tailored for FortiGate Devices

 

The Military Intelligence and Security Service (MIVD) of the Netherlands has issued a warning regarding the discovery of a new strain of malware believed to be orchestrated by the Chinese government. Named "Coathanger," this persistent and highly elusive malware has been identified as part of a broader political espionage agenda, targeting vulnerabilities in FortiGate devices.

In a recent advisory, MIVD disclosed that Coathanger was employed in espionage activities aimed at the Dutch Ministry of Defense (MOD) in 2023. Investigations into the breach revealed that the malware exploited a known flaw in FortiGate devices, specifically CVE-2022-42475.
Coathanger operates as a second-stage malware and does not exploit any novel vulnerabilities. 
Unlike some malware that relies on new, undisclosed vulnerabilities (zero-day exploits), Coathanger operates as a second-stage malware and does not exploit any novel vulnerabilities. However, the advisory emphasizes that it could potentially be used in conjunction with future vulnerabilities in FortiGate devices.

Described as stealthy and resilient, Coathanger evades detection by concealing itself through sophisticated methods, such as hooking system calls to evade detection. It possesses the capability to survive system reboots and firmware upgrades, making it particularly challenging to eradicate.

According to Dutch authorities, Coathanger is just one component of a larger-scale cyber espionage campaign orchestrated by Chinese state-sponsored threat actors. These actors target various internet-facing edge devices, including firewalls, VPN servers, and email servers.

The advisory issued by Dutch intelligence underscores the aggressive scanning tactics employed by Chinese threat actors, who actively seek out both disclosed and undisclosed vulnerabilities in edge devices. It warns of their rapid exploitation of vulnerabilities, sometimes within the same day they are made public.

Given the popularity of Fortinet devices as cyberattack targets, businesses are urged to prioritize patch management. Recent reports from Fortinet highlighted the discovery of two critical vulnerabilities in its FortiSIEM solution, emphasizing the importance of prompt patching.

To mitigate the risk posed by Coathanger and similar threats, intelligence analysts recommend conducting regular risk assessments on edge devices, restricting internet access on these devices, implementing scheduled logging analysis, and replacing any hardware that is no longer supported.
Read more »
Trojan
Bandook Malware cryptocurrency Cyber Attacks CyberCrime Cybersecurity RAT Trojan

Unveiling 'Bandook': A Threat that Adapts and Persists

 


The Bandook malware family, which was thought to be extinct, is back and may be part of a larger operation intended to sell offensive hacking tools to governments and cybercriminal groups to attack them. Several recent research papers have been released by Check Point Research, which indicate that Bandook is regaining popularity across a wide range of targeted sectors and locations despite being a 13-year-old bank, Trojan. 

It has been observed that dozens of variants of the malware have been used in attacks in the United States, Singapore, Cyprus, Chile, Italy, Turkey, Switzerland, Indonesia and Germany over the past year in attacks against organizations. Government, finance, energy, food, healthcare, education, IT, and legal are some of the sectors targeted by the software. 

In 2007, Bandook malware was discovered as a remote access trojan (RAT) that has been active for several years. It has been reported that Bandook malware has evolved into a new variant that injects its payload into msinfo32.exe to distribute the malware and allow remote attackers to take control of the system if it is infected. As a result, this remote access trojan poses a significant threat to users privacy, as it is capable of performing various tasks allowing cybercriminals to gather various types of personal data. 

Therefore, my recommendation would be to avoid installing it if people are gaming their system and its usage can lead to several problems. Originally developed as a commercial RAT written in both Delphi and C++, Bandook RAT eventually evolved into several variants over the years, and this malware became available for download from the internet. Formerly a commercial RAT, Bandook was originally developed by a Lebanese named Prince Ali as a commercial RAT. 

It is common for remote access trojans to be used to remotely manage infected computers, without the consent of the users. In addition to keylogging, audio capture (microphone) and video capture (webcam), screenshot capture and uploading to a remote server, and running various command shell programs, this malware is capable of performing a variety of malicious activities. 

Cybercriminals could take advantage of this situation to gain access to personal accounts (for example, social networks, emails, banks, etc.). To gain as much revenue as possible, these people will use hijacked accounts for various purposes such as online purchases, money transfers, asking the victim's friends to lend them money, etc. Consequently, they are likely to make misuse of hijacked accounts. 

Moreover, thieves can use hijacked accounts to spread malware, sending malicious files and links to all contacts in the account. They can also utilize Bandook to launch several Windows shell commands, which could result in a significant loss of savings and debt. A Trojan horse is often used to spread infections, such as ransomware and crypto miners since they can modify system settings as well as download (inject) additional malware. 

Trojan horses are also often used to spread viruses and malware. There is a risk that this infection will result in significant financial loss, serious privacy issues (such as identity theft), as well as additional infections of the computer system. The last time Bandook was spotted was in 2015 as part of the "Operation Manul" campaign, while the last time it was spotted was in 2017-2018 as part of the "Dark Caracal" campaign. 

During the last few years, the malware had all but disappeared from the threat landscape, but it appears it has begun to resurface again. An infected computer will receive a malware chain consisting of three stages. The first stage is to download two files into the local user folder using a lure document, which contains malicious VBA macro code encoded with an encryption algorithm. 

First, there is a PowerShell script file that gets dropped into the user's folder, and the second file is a JPG file which contains a base64 encoded PowerShell script that is saved in the JPG file. Its second stage will be the decoding and executing of the base64 encoded PowerShell scripts stored in the JPG file, which will render a zip file containing four files from cloud services, then download the zip file containing the files in the zip file. 

Among the four files, three of them are PNG files with hidden RC4 functions encapsulated in the RGB values of the pixels that belong to the RGB file. As a result of the existence of these files, an executable that acts as a Bandook loader will be constructed. 

After the creation of the Internet Explorer process, the bandook loader will inject the malicious payload into the process and then proceed to the final stage of the process. It is the payload that makes contact with the command and control server, and it waits for the server to give additional commands.
Read more »
Windows
Bugs Credentials cyber threat malware RAT Windows

QWIXXRAT: A Fresh Windows RAT Emerges in the Threat Landscape

 

In early August 2023, the Uptycs Threat Research team uncovered the presence of a newly identified threat, the QwixxRAT, also referred to as the Telegram RAT. This malicious software was being promoted and distributed via platforms such as Telegram and Discord.

The QwixxRAT operates as a remote access trojan, capable of surreptitiously gathering sensitive information from targeted systems.

This ill-gotten data is then surreptitiously transmitted to the attacker's Telegram bot, granting them unauthorized access to the compromised user's confidential details. The process is facilitated by the threat actors who can manipulate and oversee the RAT's activities through the same Telegram bot.

“Once installed on the victim’s Windows platform machines, the RAT stealthily collects sensitive data, which is then sent to the attacker’s Telegram bot, providing them with unauthorized access to the victim’s sensitive information.”reads a new report published by security firm Uptycs.

“To avoid detection by antivirus software, the RAT employs command and control functionality through a Telegram bot. This allows the attacker to remotely control the RAT and manage its operations.” 

Experts have identified the QwixxRAT as a meticulously engineered threat, specifically crafted to extract a wide spectrum of sensitive data. Its repertoire includes the theft of browser histories, credit card particulars, screenshots, keystrokes, FTP credentials, messenger conversations, and data linked to the Steam platform.

Uptycs, the cybersecurity company behind the discovery, underscored that the QwixxRAT is available for purchase on the criminal market. Interested parties can acquire a weekly subscription for 150 rubles or opt for a lifetime subscription priced at 500 rubles. Additionally, a limited free version has been noted by the researchers.

Technically, the QwixxRAT is coded in C# and takes the form of a compiled binary, functioning as a 32-bit executable tailored for CPU operations. With a total of 19 distinct functions, the malware exhibits a diverse set of capabilities.

In order to evade scrutiny, the malware incorporates various anti-analysis features and evasion tactics. Notably, the RAT employs a sleep function to introduce delays, serving as a mechanism to detect potential debugging activities. Furthermore, the malicious code performs checks to ascertain if it is running within a sandbox or virtual environment.

The QwixxRAT establishes persistence by creating a scheduled task tied to a concealed file located at "C:\Users\Chrome\rat.exe". Additionally, the malware possesses a self-destruct mechanism that can be triggered for the C# program's termination.

A unique characteristic of the QwixxRAT is its incorporation of a clipper code, enabling the capture of data copied to the clipboard. This technique is adeptly employed to extract cryptocurrency wallet information pertaining to Monero, Ethereum, and Bitcoin.

The researchers have taken a proactive step by publishing a YARA detection rule tailored to identify this particular threat.
Read more »
virus
communication Cyber Attacks DNS Informationblox malware RAT Trojan virus

DNS Malware Toolkit Discovered by Infoblox and Urged to be Blocked

 


This week, Infoblox Inc. announced the release of its threat report blog on a remote access Trojan (RAT) toolkit with DNS command and control, which is being used for remote access and data theft. Infoblox provides a cloud-enabled networking and security platform capable of improving performance and protection. 

In the U.S., Europe, South America, and Asia, an anomalous DNS signature had been observed in enterprise networks that were created through the use of the toolkit. Across a wide range of sectors such as technology, healthcare, energy, financial services, and others, these trends were seen. The communications with the Russian controller can be traced to some of these communications. 

A malware program is a software application that infiltrates your computer with the intent of committing malicious acts. Viruses, worms, ransomware, spyware, Trojan horses, Trojan horses, spyware, and keylogging programs, all of which can be classified as malware. There are alarming challenges network and security professionals face daily in the face of malware that is becoming more sophisticated and capable of circumventing traditional defenses. 

By leveraging DNS infrastructure and threat intelligence, Infoblox's Malware Containment and Control solution can help organizations reduce malware risk by employing the most effective mitigation methods. Additionally, it enables leading security technologies to use contextual threat data, indicators of compromise, and other context-sensitive information to automate and accelerate the threat response process. 

Informationblox's Threat Intelligence Group discovered a new toolkit known as "Decoy Dog" that was branded as an attack toolkit. To disrupt this activity, the company collaborates with other security vendors, customers, and government agencies to work together. 

Furthermore, it identifies the attack vector and even secures networks across the globe. A crucial insight is that DNS anomalies that are measured over time proved to be important in detecting and analyzing the RAT, but also enabling the C2 communications to be tracked together despite appearing to be independent on the surface. 

Analyzing threats, identifying them, and mitigating them: 

During the first and second quarters of 2023, Infoblox discovered activity in multiple enterprise networks caused by the remote access Trojan (RAT) Puppy being active in multiple enterprise networks. C2 communication has not been found since April 2022, indicating that this was a one-way communication. 

An indicator of the presence of a RAT can be uncovered by investigating its DNS footprint. It does, however, show some strong outlier behavior when analyzed using a global cloud-based DNS protection system such as Infoblox's BloxOne® Threat Defense, when compared to traditional DNS protection systems. The integration of heterogeneous domains within Infoblox was also made possible by this technology. 

Communication between two C2 systems takes place over DNS and is supported by an open-source RAT known as Puppy. The project is an open-source project but it has always been associated with actors that are acting on behalf of nations despite its open nature. 

The risks associated with a vulnerable DNS can be mitigated by organizations with a protective DNS. There is no need to worry about these suspicious domains because BloxOne Threat Defense protects customers against them. 

In the detection of the RAT, anomalous DNS traffic has been detected on limited networks and devices on the network, like firewalls, but not on devices used by users, like laptops and mobile devices. 

Malware uses DNS to connect to its command and control (C&C) servers to communicate with them. As a result of its ability to contain and control malware, DNS is ideally suited for the task. Infoblox, for example, should focus on DNS as the point of attack from where malware can be injected to contain and control malware. 

It is imperative to highlight that malware prevention solutions are becoming more and more adept at sharing threat data with the broader security ecosystem. This is thanks to APIs, Syslog, and SNMP communication protocols.
Read more »
Trojan
cryptomining malware Linux malware RAT Remote Access Trojan Trend Micro Trojan

This Linux-Targeting Malware is Becoming Even More Potent


A trojan software has been added to the capabilities of a cryptomining malware campaign that targets Linux-based devices and cloud computing instances, potentially making attacks more severe. 

This cryptomining campaign, as described by cybersecurity experts at Trend Micro, uses Linux computers' processing power, in order to sneakily compromise Linux servers and mine for Monero. 

Cryptomining attacks are frequently distributed by utilizing common cybersecurity flaws or by being concealed inside cracked software downloads. 

One compromised system is unlikely to generate much profit from cryptomining malware, but attackers infect a vast network of compromised servers and computers to produce as much cryptocurrency as possible, with the related energy bill being unknowingly carried by the victim. 

Because the affected user is unlikely to notice the decrease in system performance unless the machine is pushed to its limit, the attacks usually go unnoticed. Large networks of infected systems can thus generate a consistent income for threat actors, which is why this method has become a prevalent form of malware. 

Remote Access Trojan (RAT) 

Cryptojacking campaign comprises a remote access trojan (RAT) in its attacks – the reason why it stands out from other cyberthreat campaigns. Chaos RAT, a trojan malware is free and open source, and allows threat actors to take charge of any operating system. 

The RAT is downloaded with XMRig miner, which is utilized by threat actors in order to mine cryptocurrency, comprising of a shell script which is used to eliminate competing miners that could have previously been set up on the system. 

Chaos RAT has a variety of potent functions, like the ability to download, upload and delete files, take screenshots, access file explorer, as well as open URLs. 

In a blog post, written by Trend Micro researchers David Fisher and Oliveira, stated, “On the surface, the incorporation of a RAT into the infection routine of a cryptocurrency mining malware might seem relatively minor […] However, given the tool's array of functions and the fact that this evolution shows that cloud-based threat actors are still evolving their campaigns, it is important that both organizations and individuals stay extra vigilant when it comes to security.” 

In order to secure networks and cloud services against cryptomining malware and numerous other cyberattacks, organizations are advised to employ generic best cybersecurity measures, such as timely patching and updating of software and applications, in order to mitigate the risks of vulnerability being exploited in the outdated versions.  

Read more »
Remote Access Trojan
Malicious Software malware Phishing mail RAT Remote Access Trojan

Hackers Using Malicious Versions of Popular Software Brands to Propagate RomCom RAT

 

The RomCom RAT (remote access trojan) hacker has launched a new campaign impersonating the official websites of popular software brands SolarWinds, KeePass, and PDF Technologies to propagate malware. 

Researchers from BlackBerry uncovered the malicious campaign while analyzing network artifacts linked with RomComRAT infections resulting from attacks targeting Ukrainian military institutions and some English-speaking nations including the United Kingdom. 

According to Mike Parkin, senior technical engineer at Vulcan Cyber, given the targets and the nature of the attack, there's more than just a cybercriminal motivation in play. It's quite likely there’s state-level planning behind the scenes. 

"At its core, though, this is an attack against human targets,” Parkin said. “They are primarily relying on victims being socially engineered through email to go to a malicious site disguised as a legitimate one. That makes the users the first line of defense, as well as the primary attack surface.” 

The RomCom hacker installed clone websites on malicious domains similar to the legitimate ones that they registered. Subsequently, the threat actor trojanized a legitimate application and propagated via the decoy website, deploying targeted phishing emails to the victims. In some cases, the attackers used additional infector vectors. 

The malicious campaign seems like a direct copycat of some attacks we examined during the pandemic where we witnessed a number of vendor products and support tools being impersonated or "wrapped" with malware, stated Andrew Barratt, vice president at Coalfire. 

“The wrapping means that the underlying legitimate tool is still deployed, but as part of that deployment some malware is dropped into the target environment,” Barratt explained. “Major APTs like FIN7 have used these tactics in the past. Leveraging well-known brands that they have probably identified are in use gives an intruder a high possibility of a positive response by a user they mislead.” 

Earlier this year in August, Palo Alto Networks’ Unit 42 linked the RomCom RAT with an affiliate of the Cuba Ransomware named 'Tropical Scorpius,' as this was the first actor to employ the malware with features like ICMP-based communications, commands for file manipulation, process hatching and spoofing, data exfiltration, and activating a reverse shell.

However, the BlackBerry researchers said that there was no evidence for that assumption, and its report mentions Cuba Ransomware and Industrial Spy as possibly related to RomCom RAT. Hence, it remains unclear who is behind RomCom RAT or what are the motives behind the attacks.
Read more »
Zoho
fake domain Gmail Malicious Emails malware Ransom RAT Scam Zoho

Luna Moth: Hackers After the Subscription Scam 

Luna Moth is a brand-new data extortion group that has been breaking into businesses to spoof users' data. If the victims don't pay a ransom to prevent the information from being made public, hackers threaten to make the records publicly accessible. 

The hacker group adopted the alias Luna Moth and has been engaged in phishing efforts since at least March in which remote access tools (RAT) were distributed, enabling corporate data theft.

How does the scam work?

The Luna Moth ransomware gang has been analyzed by the incident response team at cybersecurity firm Sygnia, it was noted that the actor is attempting to establish a reputation under the name Silent Ransom Group (SRG).

In a report published, Sygnia claims that although the goal of Luna Moth, also known as TG2729, is to acquire key data, its method of operation is similar to that of a scammer.

The organization has been posing as Zoho MasterClass Inc. and Duolingo over the last three months, operating a widespread phishing scam.  The malicious emails are sent from Gmail accounts that were altered to look like official company email accounts, claiming to be from the Zoho Corporation or Duolingo.

Domains used

In April 2022, the first verified campaign-related domain was registered. Hostwinds, a service provider, hosts both the exfiltration and phishing domains, which are both listed under Namecheap.

The two primary sets of domains and IPs that make up Luna Moth infrastructure  can be tied to subscription fraud:

  • Domains with the XYZ TLD, such as maaays[.]xyz, are exfiltration domains. The organization uses these domains as the endpoint for the exfiltrated data when using the Rclone obfuscation method.
  • Phishing sites like masterzohoclass[.]com that pretend to be associated with Duolingo or Zoho. The majority of these domains only last for four hours or less.

Standard tools

Atera, Splashtop, Syncro, and AnyDesk are just a couple of good remote administration tools (RATs) that the hackers mainly employ to control compromised devices. These tools also give the hackers some flexibility and persistence: even if one of the RATs is taken out of the system, the others can still reinstall it. Furthermore, off-the-shelf tools like SharpShares, and SoftPerfect Network Scanner,  are being utilized by the group.

The tools are saved on spyware with fake names that make them appear to be legitimate These technologies enable threat actors to conduct basic reconnaissance tasks, acquire access to additional resources, and steal data from compromised networks in addition to RATs.



Read more »
WordPress
Avast CMS Joomla vulnerability malware Microsoft Phishing Attacks PHP RAT Remote Access Tool Trojan Attacks WordPress

 Hazardous Redirect Web Server Evokes Malicious Campaigns On Over 16,500 Sites

 

Parrot is a novel TDS system for online traffic redirection that runs on a few servers hosting over 16,500 sites from government agencies, universities, adult platforms, and personal blogs. The service was apparently also utilized in the context of various cyber-attacks aiming at diverting victims to phishing or sites which result in malware being installed on the systems. Reportedly, all of this is dependent on individual user characteristics such as location, language, operating system, and browser.

TDS services are purchased by threat actors undertaking malicious campaigns to filter incoming traffic and route it to a final destination which serves harmful material. Advertisers and marketers utilize TDS legitimately. Most TDS services are used regularly by professionals in the marketing industry, which is why there are credible reports demonstrating how similar campaigns were executed in the recent past. 

Security analysts working with Avast have revealed that the Parrot has been identified as they recently made assertions about how the campaign was used for FakeUpdate, which delivered update warnings regarding remote access trojans, sometimes known as RATs, using fake browsers. 

Avast threat experts found Parrot TDS, which is presently being utilized for a campaign called FakeUpdate, which distributes remote access trojans (RATs) via phony browser update alerts. The effort appears to have begun in February 2022, however, there have been traces of Parrot activity dating back to October 2021.

"One of the primary differences between Parrot TDS and other TDS is its broad nature and a large number of possible victims," says Avast in the research. "Apart from servers hosting poorly secured CMS sites, such as WordPress sites, the hijacked websites we discovered appear to have nothing in common."

Avast services prevented more than 600,000 of its users from visiting these compromised sites in March 2022 alone, demonstrating the Parrot redirection gateway's huge reach. The majority of the people who were redirected were from Brazil, India, the United States, Singapore, and Indonesia. 

They have been known to accomplish this by redirecting the victim to special URLs with extensive network profiles and meticulously built software. While the TDS may be primarily focused on the RAT initiative, security experts believe some of the impacted servers also serve as hosts for various phishing sites.  

Those landing sites seem just like a genuine Microsoft login page, prompting visitors to input there login credentials. The best strategy to deal with malicious redirections for web users is to keep an up-to-date internet security solution running at all times. Avast advises administrators of possibly compromised web servers to take the following steps: 

  •  Use an antivirus to scan all files on the webserver. 
  •  Replace all original JavaScript and PHP files on the webserver. 
  •  Use the most recent CMS and plugin versions. 
  •  Look for cron jobs or other automatically executing processes on the webserver. 
  •  Always use unique and strong credentials for all services and accounts, and utilize two-factor authentication whenever possible. 
  • Use some of the security plugins for WordPress and Joomla which are available.
Read more »
SQL
Chinese Hackers Cobalt Strike Google Microsoft Internet Explorer keylogger malware MySQL RAT SQL

Gh0stCringe Malware Recently Attacked Insecure Microsoft SQL and MySQL Servers

 

Hackers are deploying the Gh0stCringe remote support trojans on vulnerable computers by inadequately targeting secured Microsoft SQL and MySQL database servers. 

Gh0stCringe, also known as CirenegRAT, is a Gh0st RAT malware variant that was most recently used in Chinese cyber-espionage activities in 2020, however, it has been around since 2018. The malware has several instructions and functionalities which can be activated after the malware connects to its command and control server, or through data stored in the virus's settings. 

Attackers can use Gh0stCringe to download payloads like crypto miners from C2 servers, access specified websites via the Internet Explorer web browser, and even wipe the start-up disk's Master Boot Record (MBR). The malware includes a keylogger, which records input data in the Default. key file in the Windows System directory if it is activated. 

Threat actors are infiltrating database servers and writing the malicious'mcsql.exe' executable to disc utilizing the mysqld.exe, mysqld-nt.exe, and sqlserver.exe processes. These assaults are comparable to the Microsoft SQL server attempts, which used the Microsoft SQL xp cmdshell command to drop Cobalt Strike beacons. In addition to Gh0stCringe, AhnLab's study notes the presence of numerous malware samples on the investigated servers, implying potentially competing threat actors are infiltrating the same servers to drop payloads with its own operations.

Gh0stCringe RAT is a strong virus that can connect to a C2 server to receive custom commands or exfiltrate stolen data to the enemies. For an endless loop, the keylogging component uses the Windows Polling method (GetAsyncKeyState API) to ask the state of each key. This otherwise dependable recording mechanism carries the risk of very high CPU utilization, however, this is unlikely to cause issues for threat actors on poorly maintained servers. The malware will also record keystrokes for the previous three minutes and send them to the infection's command and control servers along with basic system and network information. 

Threat actors will be able to steal login passwords and other sensitive information that logged-in users entered on the device using these logged keystrokes. CirenegRAT has four operational modes: 0, 1, 2, and a specific Windows 10 mode which the threat actor can choose from during deployment.

Update your server software to install the most recent security upgrades, which can help you avoid a variety of attacks to make use of known flaws. It's also critical to use a secure admin password that can't be brute-forced. The most important step is to put the database server behind a firewall to only allow authorized devices to connect to it.
Read more »
Stealing of Sensitive data
Android Banking Trojan Google Play Store malware RAT Stealing of Sensitive data

A New Android Banking Trojan Targeting Europeans is Spreading Through Google Play Store

 

A new Android banking malware with over 50,000 installations has been discovered and disseminated via the official Google Play Store, with the purpose of targeting 56 European banks and stealing sensitive information from affected devices. The in-development malware, dubbed Xenomorph by Dutch security firm ThreatFabric, is reported to share similarities with another banking trojan known as Alien while yet being "radically different" in terms of functionality given. 

Alien, a remote access trojan (RAT) with notification sniffing and authenticator-based 2FA stealing features, emerged shortly after the iconic Cerberus malware was decommissioned in August 2020. Other Cerberus forks have been detected in the wild since then, including ERMAC in September 2021. Xenomorph, like Alien and ERMAC, is another Android banking trojan that tries to avoid Google Play Store security by posing as productivity apps like "Fast Cleaner" to deceive unsuspecting victims into installing the malware. 

Fast Cleaner, which has the package name "vizeeva.fast.cleaner" and is still available on the app store, has been most popular in Portugal and Spain, according to Sensor Tower data, with the app making its initial appearance in the Play Store at the end of January 2022. 

This Android Banking malware is still under development and mostly offers the bare minimum of capabilities expected of a modern Android banking trojan. It’s primary attack vector is the use of an overlay attack to steal credentials, along with SMS and Notification interception to log and use potential 2FA tokens. The Accessibility engine that powers this malware, as well as the infrastructure and C2 protocol, have been meticulously developed to be scalable and updatable. 

"Despite being a work-in-progress, Xenomorph is already sporting effective overlays and being actively distributed on official app stores," ThreatFabric's founder and CEO, Han Sahin, said. "In addition, it features a very detailed and modular engine to abuse accessibility services, which in the future could power very advanced capabilities, like ATS." 

The data recorded by this malware's logging capability is vast, and if sent back to the C2 server, it may be used to execute keylogging as well as collect behavioural data on victims and on installed applications, even if they are not on the list of targets. 

In the first stage, the malware sends back a list of installed packages on the device, and then it downloads the necessary overlays to inject based on which targeted application is present on the device. Xenomorph supplied a list of overlay targets that included targets from Spain, Portugal, Italy, and Belgium, as well as some general-purpose applications such as emailing services and cryptocurrency wallets.
Read more »
Threat Group
China malware PLA RAT Threat Group

ShadowPad Malware Attacks have been Linked to Chinese Ministry and PLA

 

ShadowPad, a sophisticated and modular backdoor that has been adopted by a growing number of Chinese threat organizations in recent years, has been revealed by cybersecurity researchers, who have also linked it to the country's civilian and military intelligence services. Since at least 2017, the Chinese government-sponsored BRONZE ATLAS threat organization has been using the ShadowPad sophisticated modular remote access trojan (RAT). 

Since 2019, a rising number of other Chinese threat groups have used it in attacks against firms in a variety of industrial verticals throughout the world. Analysis of ShadowPad samples by Secureworks Counter Threat Unit (CTU) found clusters of activity associated with threat groups affiliated with the Chinese Ministry of State Security (MSS), civilian intelligence agency, and the People's Liberation Army (PLA). 

ShadowPad rose to prominence in 2017 because it was used in software supply chain attacks involving CCleaner, NetSarang, and the ASUS Live Update utility. The BRONZE ATLAS threat group was blamed for these campaigns. A Microsoft complaint from 2017 and DOJ indictments released in 2020 provide more details on ShadowPad's relationship to BRONZE ATLAS. 

According to the Microsoft complaint, BRONZE ATLAS (also known as Barium) used ShadowPad to steal intellectual property and personally identifiable information in 2017. The malware was only utilised by BRONZE ATLAS at the time. According to the DOJ indictments, Chinese nationals working for the Chengdu 404 network security firm used ShadowPad in a global campaign ascribed to BRONZE ATLAS. 

Traditionally, malware payloads are sent to a host either encrypted within a DLL loader or embedded within a separate file alongside a DLL loader, which subsequently decrypts and executes the embedded ShadowPad payload in memory using a specific decryption technique tailored to the malware version. These DLL loaders run malware after being sideloaded by a genuine executable vulnerable to DLL search order hijacking, a technique that allows malware to run by hijacking the mechanism used to look for required DLLs to load into a programme. 

Secureworks discovered that certain infection chains include a third file containing the encrypted ShadowPad payload, which works by executing the genuine binary (e.g., BDReinit.exe or Oleview.exe) to sideload the DLL, which then loads and decrypts the third file. 

The incursions in one ShadowPad incident paved the door for conducting hands-on-keyboard attacks, which are attacks in which human hackers manually log into an infected system to execute commands rather than using automated scripts.
Read more »
United States
E Commerce malware Payment Data RAT United States

On E-Commerce Servers, New Malware Masquerades as the Nginx Process

 

Remote access malware is being used to attack eCommerce servers, and it hides on Nginx servers in such a way that security solutions can't detect it. NginRAT is a combination of the application it targets and the remote access capabilities it delivers, and it is being used in server-side attacks to steal payment card data from online stores. 

NginRAT was discovered on eCommerce servers in North America and Europe infected with CronRAT, a remote access trojan (RAT) that hides payloads in activities scheduled to run on an invalid calendar day. Even if the day does not exist in the calendar, the Linux cron system accepts date requirements as long as they have a proper format, which implies the scheduled task will not run. 

CronRAT relies on this to maintain its anonymity. According to research released by Dutch cyber-security firm Sansec, it hides a "sophisticated Bash programme" in the names of scheduled tasks. Multiple levels of compression and Base64 encoding are used to conceal the payloads. The code has been cleaned up and now contains self-destruction, time modulation, and a custom protocol for communicating with a remote server. 

NginRAT has infected servers in the United States, Germany, and France, injecting into Nginx processes that are undetectable, allowing it to remain unnoticed. The new malware, according to researchers at Sansec, is delivered CronRAT, despite the fact that both perform the same function: granting remote access to the attacked system. 

While the two RATs use quite different approaches to preserve their secrecy, Willem de Groot, director of threat research at Sansec, told BleepingComputer that they appear to have the same role, operating as a backup for preserving remote access. After developing a custom CronRAT and analyzing the interactions with the command and control server (C2) in China, Sansec was able to investigate NginRAT. As part of the typical malicious interaction, the researchers duped the C2 into transmitting and executing a rogue shared library payload, masking the NginRAT "more advanced piece of malware."

“NginRAT essentially hijacks a host Nginx application to stay undetected. To do that, NginRAT modifies core functionality of the Linux host system. When the legitimate Nginx web server uses such functionality (eg dlopen), NginRAT intercepts it to inject itself", reads the analysis published by the experts. The remote access malware is embedded in the Nginx process in such a way that it is practically impossible to distinguish from a valid process at the end of the process.
Read more »
skimmers
E-Commerce Linux malware RAT Security Researchers skimmers

CronRAT is a Linux Malware that Hides in Cron Jobs with Invalid Dates

 

Researchers have discovered a novel Linux remote access trojan (RAT) that uses a never-before-seen stealth approach that includes scheduling malicious actions for execution on February 31st, a non-existent calendar day. CronRAT, according to Sansec Threat Research, "enables server-side Magecart data theft that avoids browser-based security solutions." The RAT was spotted on multiple online stores, including the country's largest outlet, according to the Dutch cybersecurity firm. 

CronRAT takes advantage of the Linux task scheduling system cron, which allows tasks to be scheduled on days that do not exist on the calendar, such as February 31st. Even if the day does not exist in the calendar, the Linux cron system accepts date requirements as long as they have a proper format, which implies the scheduled task will not run. CronRAT relies on this to maintain its anonymity. According to research released by Sansec, it hides a "sophisticated Bash programme" in the names of scheduled tasks. 

"The CronRAT adds a number of tasks to crontab with a curious date specification: 52 23 31 2 3," the researchers explained. "These lines are syntactically valid, but would generate a run time error when executed. However, this will never happen as they are scheduled to run on February 31st." 

The RAT also employs a variety of obfuscation techniques to make analysis more difficult, such as hiding code behind encoding and compression barriers and implementing a custom binary protocol with random checksums to get around firewalls and packet inspectors before establishing communications with a remote control server and waiting for further instructions. The attackers linked to CronRAT can run any code on the infected system with this backdoor access, according to the researchers. 

"Digital skimming is moving from the browser to the server and this is yet another example," Sansec's Director of Threat Research, Willem de Groot, said. "Most online stores have only implemented browser-based defenses, and criminals capitalize on the unprotected back-end. Security professionals should really consider the full attack surface." 

Sansec describes the new malware as “a serious threat to Linux eCommerce servers,” due to its capabilities such as fileless execution, timing modulation, anti-tampering checksums, controlled via binary, obfuscated protocol, launches tandem RAT in separate Linux subsystem, control server disguised as “Dropbear SSH” service and payload hidden in legitimate CRON scheduled task names.
Read more »
TA505 Gang
Cyber Security CyberCrime Ransomware RAT TA505 Gang

TA505 Gang is Back in the Wild

 

According to business security software vendor Proofpoint, TA505, a prominent email phishing threat actor, has risen from the grave. TA505, which had been inactive since 2020, resumed mass emailing efforts in September, equipped with fresh malware loaders and a RAT. 

The TA505 cybercrime organization has restarted its financial rip-off apparatus, bombarding malware at a variety of sectors into what are originally low-volume waves that researchers noticed spike late last month. 

The group, which aggressively targets a variety of businesses such as finance, retail, and hotels, has been functional since at least 2014. It is well-known for rapid virus changes and for influencing worldwide trends in illegal malware dissemination. 

It is responsible for one of the firm's largest spam efforts, the spread of the Dridex banking malware. Proofpoint has also identified the organization that is delivering the Locky and Jaff ransomware, the Trick banking trojan, and other malware "in very high volumes," according to the company. 

According to habit, the gang's most recent ads span a wide spectrum of sectors. They're additionally bringing new tools, such as an improved KiXtart loader, the MirrorBlast loader, which downloads Rebol script stagers, the retooled FlawedGrace RAT, and improved malicious Excel files.

Proofpoint researchers tracked renewed malware campaigns from TA505 that began slowly at the start of September – only with a few thousand emails per wave, disseminating malicious Excel attachments – and afterward ramped up the volume later in the month, resulting in tens to hundreds of thousands of emails by the end of September, according to an analysis published by the company. 

As per the report, several of the efforts, especially the larger ones, "strongly resemble" what the group was up to between 2019 and 2020, involving identical domain naming patterns, email lures, Excel file lures, and the distribution of the FlawedGrace RAT. TA505 utilized more targeted lures in the early September waves of email attacks, which didn't impact as many sectors as the more recent October 2021 operations, according to Proofpoint experts. 

Significant new advancements include an updated FlawedGrace RAT, as well as retooled intermediate loader phases written in Rebol and KiXtart. According to experts, the gang is utilizing a different downloader than the previously successful Get2 downloader. 

“The new downloaders perform similar functionality of reconnaissance and pulling in the next stages,” Proofpoint researchers noted. 

“The emails contained an Excel attachment that, when opened and macros enabled, would lead to the download and running of an MSI file,” Proofpoint said. MSI files are used to install software on a Windows system. “The MSI file, in turn, would execute an embedded Rebol loader, dubbed by Proofpoint as MirrorBlast.” 

Researchers also discovered that TA505 is now employing numerous intermediary loaders before the distribution of the FlawedGrace RAT, and they are written in unusual scripting languages — Rebol and KiXtart. 

The intermediary loaders appear to fulfill the very same purpose as Get2, a downloader used by TA505 since 2019 to distribute a range of secondary payloads, according to researchers. 

“The loaders perform minimal reconnaissance of an infected machine, such as collecting user domain and username information and downloading further payloads,” according to the research. 

“The code responsible for downloading the next stage MSI file was typically lightly obfuscated with filler characters, string reversing or similar simple functions and hidden in the document Comments, Title, in a Cell or other locations,” the researchers noted. 

Considering that TA505 alters TTP and is "considered a trendsetter in the world of cybercrime," Proofpoint does not anticipate them going anywhere any time soon. The malicious actors do not restrict its target set and are, in fact, an equal opportunist in terms of the regions and sectors it chooses to attack, researchers said. This, along with TA505's capacity to be adaptable, focusing on what is most profitable and altering its TTP as needed, makes the actor persistent threat.
Read more »
Spear Phishing attacks
Aggah Cyber Attacks Cyber Criminals Pakistan RAT Spear Phishing attacks

Threat Group Aggah Targets Industries Via Spear-Phishing Campaigns

 

A spear-phishing attack that seems to have commenced in early July 2021, targeting various manufacturing industries in Asia has been identified and reported by Anomali Threat Research. 

During this campaign, the strategies, methods, and procedures detailed in the report correspond to the threat group Aggah. The investigation further unveiled several PowerPoint files with harmful macros that employed MSHTA to launch a PowerShell script to charge hex-encoded payloads. Through the findings as well as the analysis based on the campaign's TTP, researchers evaluated that the threat group behind the security incident probably is Aggah. 

Cybercriminals employed numerous vulnerable WordPress websites to target Asian producers with a new operation for phishing attacks that deliver, the Warzone RAT, a freight for sale on crime forums, researchers stated. 

Warzone is a malware commodity having hacked versions available on GitHub. The RAT utilizes the Ave Maria stealer's code repeatedly. Warzone RAT's features include scale privilege, keylogging; remote shelling, file download and execution of files, file managers, and network endurance, as per the researchers.

Based on the recent research by Anomali threat detection and security agency, the threat organization Aggah, which is believed to be associated with Pakistan and was identified for the first time in March 2019, has delivered the RAT to manufacturing enterprises in Taiwan and South Korea. 

Aggah is an information-based threat group discovered by researchers from Palo Alto Network’s Unit 42, for the very first time. The researchers believed the activity to be a campaign against organizations in the UAE. In-depth research by the very same team revealed that it was a global Revenge Rat Phishing Campaign.

“Spoofed business-to-business (B2B) email addresses against the targeted industry is activity consistent with Aggah,” Tara Gould and Rory Gould from Anomali Threat Research wrote in a report on the campaign published Thursday 12th of August 2021. 

Aggah, which normally seeks to steal information from targets, was also previously considered to be affiliated with the Gorgon Group: a Pakistani organization recognized for targeting the Western governments. This relationship has still not been confirmed yet, however, the Anomali researchers believe that the Urdu-speaking group came from Pakistan. The most recent campaign of Aggah included the Taiwan-based manufacturing company, Fon-star International Technology; Fomo Tech, a Taiwanese engineering company, and the Korean power plant, the Hyundai Electric. 

Researchers have indicated that the latest campaign of Aggah for spear phishing began with a bespoke e-mail pretending to be from "FoodHub.co.uk," a UK-based food delivery service. “The email body includes order and shipping information as well as an attached PowerPoint file named 'Purchase order 4500061977, pdf.ppam' that contains obfuscated macros that use mshta.exe to execute JavaScript from a known compromised website, mail.hoteloscar.in/images/5[.]html,” researchers stated. 

“Hoteloscar.in is the legitimate website for a hotel in India that has been compromised to host malicious scripts,” they said. “Throughout this campaign, we observed legitimate websites being used to host the malicious scripts, most of which appeared to be WordPress sites, indicating the group may have exploited a WordPress vulnerability.”
Read more »
United States
APT31 China CrowdStrike Cyber Attacks RAT Russia United States

Widespread Cyber Espionage Attacks Use New Chinese Spyware

 

According to new research, a threat actor believed to be of Chinese origin was linked to a series of ten attacks from January to July 2021 that involved the deployment of a remote access trojan (RAT) on infected computers and targeted Mongolia, Russia, Belarus, Canada, and the United States. The breaches have been linked to APT31 (FireEye), an advanced persistent threat that has been dubbed Zirconium (Microsoft), Judgement Panda (CrowdStrike), and Bronze Vinewood (Secureworks) by the cybersecurity community. 

BRONZE VINEWOOD has hidden malicious activity within legal network traffic by using prominent social media and code repository sites. Previous BRONZE VINEWOOD campaigns leveraging DLL search-order hijacking to distribute the HanaLoader downloader malware and other malicious payloads have also been uncovered by Secureworks Counter Threat Unit (CTU) researchers. 

According to researchers, the group is thought to be a Chinese state-sponsored cyberespionage actor attempting to acquire intelligence to aid the Chinese government and state-owned firms. 

In the attacks, a new malware dropper was utilized, which included a downloader for next-stage encrypted payloads from a remote command-and-control server, as well as the ability to decode and execute the malware. The malicious code can download further malware, putting vulnerable victims at risk even more, as well as perform file operations, exfiltrate sensitive data, and even remove itself from the compromised machine. 

Positive Technologies researchers Denis Kuvshinov and Daniil Koloskov discovered the self-delete command fascinating since it employed a bat file to wipe all of the registry keys and files created as a result of running the command. 

The malware's similarities to a trojan known as DropboxAES RAT, which was used by the same threat group last year and relied on Dropbox for command-and-control (C2) communications, are also worth noting, with numerous overlaps found in the techniques and mechanisms used to inject the attack code, achieve persistence, and delete the espionage tool.

Despite the fact that BRONZE VINEWOOD calls the software DropboxAES RAT, CTU researchers discovered that it does not use the Advanced Encryption Standard (AES). Instead, it uses the ChaCha20 stream cypher to encrypt and decrypt data. When encrypting data, older versions of the malware may have used AES encryption. 

"The revealed similarities with earlier versions of malicious samples described by researchers, such as in 2020, suggest that the group is expanding the geography of its interests to countries where its growing activity can be detected, Russia in particular," the researchers concluded.
Read more »
Ukraine
Cyber Attacks MalwareBytes RAT Russia Threat Intelligence Ukraine

Security Researchers Discovered Crimea Manifesto Buried in VBA Rat

 

On Thursday, Hossein Jazi and the Threat Intelligence team at Malwarebytes released a report revealing a new threat actor that may be targeting Russian and pro-Russian individuals. A manifesto regarding Crimea was included by the assailants, implying that the attack was politically motivated. A suspicious document called "Manifest.docx" is used in the attacks, and it downloads and runs two attack vectors: remote template injection and CVE-2021-26411, an Internet Explorer exploit. Malwarebytes' Threat Intelligence team discovered the "Манифест.docx" ("Manifest.docx") on July 21.

"Both techniques have been loaded by malicious documents using the template injection technique. The first template contains a url to download a remote template that has an embedded full-featured VBA Rat. This Rat has several different capabilities including downloading, uploading, and executing files," Jazi said. 

The second template is imported into the document and is included in Document.xml.rels. According to the threat research teams at Google and Microsoft, the loaded code contains an IE Exploit (CVE-2021-26411) that was previously utilized by Lazarus APT to target security researchers working on vulnerability disclosure. The shell code used in this vulnerability loads the same VBA Rat as the remote template injection exploit. 

The attack, according to Jazi, was motivated by the ongoing conflict between Russia and Ukraine, which includes Crimea. Cyberattacks on both sides have been on the rise, according to the report. The manifesto and Crimea information, however, might be utilized as a false flag by threat actors, according to Jazi. 

The attackers used a combination of social engineering and the exploit, according to the report, to boost their chances of infecting victims. Malwarebytes was unable to pin the assault on a single actor but said that victims were shown a decoy document with a statement from a group linked to a figure named Andrey Sergeevich Portyko, who supposedly opposes Russian President Vladimir Putin's Crimean Peninsula policies. 

The decoy document is loaded after the remote templates, according to Jazi. The document is written in Russian but also has an English translation. A VBA Rat is also included in the attack, which collects victim information, identifies the AV product installed on the victim's workstation, runs shell-codes, deletes files, uploads and downloads files, and reads disc and file system information. Instead of using well-known API calls for shell code execution, which can easily be flagged by AV products, the threat actor employed the unique EnumWindows to run its shell-code, according to Jazi.
Read more »
RAT
Aerospace malware Phishing emails RAT

Remote Access Trojans Target Aerospace and Travel Industries

 

Earlier this week, Microsoft Security Intelligence tweeted that somehow a remote access Trojan (RAT) campaign was being tracked by them which was aimed at the aerospace and travel sectors by emailing spear-phishes that spreads an actively created loader and then deliver RevengeRAT or AysncRAT. 

In the context of the exchange of tweets, it was pointed out that attackers use the RATs for theft of data, follow-up operation, and additional payloads, such as Agent Tesla. The loader is being developed and named Morphisec's Snip3. 

These campaigns are not surprising particularly when everyone leaves the lockdown and the people travel again making the travel and tourism industry rich, stated Netenrich's chief information security officer Chris Morales. 

“The level of targeting is also a reason why it’s so hard to detect attacks,” Morales added. “They change and are tailored. SecOps has to align to with threats targeting their organizations specifically and not look for generic threats.” 

New Net Technologies, vice president for security studies, Dirk Schrader, stated that he intends to see sectoral spear-phishing campaigns as everyone emerges from the pandemic. “Using familiar language and terminology can help in the effectiveness of a targeted campaign,” Schrader said. “It’s not shocking that attackers are targeting the transport sector as the sector is about to come back to life. Therefore, a well-crafted campaign addressing this situation is even better.” 

Roger Grimes, KnowBe4 Data-Driven Defense evangelist, adds that when attackers enter one industry company, they could read their emails and use this freshly infiltrated spot known as "cyber haven" to target their partners. 

The mails come from individuals who use the email topic threads in which they are involved and email addresses the new victims' trust. There would be a much higher risk of the new victims falling into fraud when the request to click on the connection or to open a document arrives suddenly. This is the reason why the staff has to understand that phishing emails will come through people they know and trust and also that depending on an email address is not sufficient whether or not the employees recognize it.

Grimes said security awareness training should educate users on the following features to beware of e-mails, which invites users to do something completely foreign. Also, emails that arrive unexpectedly and the behavior can be detrimental to their own best interest or their organization. 

“If any two of those traits are present, the recipient should slow down, stop, think and verify the request another way, like calling the person on a predefined phone number,” Grimes added.
Read more »
United States
Backdoor Cyber Crime RAT Russian Hackers Security Researchers United States

FIN7 is Spreading a Backdoor Called Lizar

 

Under the pretext of being a Windows pen-testing platform for ethical hackers, the infamous FIN7 cybercrime gang, a financially motivated organization, is spreading a backdoor called Lizar. 

Since mid-2015, the Russian criminal advanced persistent threat group FIN7 has targeted the retail, restaurant, and hospitality sectors in the United States. Combi Security, the front company for FIN7, manages a portion of the operation. It has been dubbed one of the world's most prolific criminal hacking organizations. FIN7 is also known as the Carbanak Group, but these two groups appear to be using the same Carbanak malware and are therefore monitored separately. 

FIN7 is posing as a legitimate company selling a security-analysis platform, according to the BI.ZONE Cyber Threats Research Team. According to the researchers, they go to great lengths to ensure authenticity: “These groups recruit workers who are unaware that they are dealing with actual malware or that their employer is a real criminal group.” 

The group usually targets victims with malware-laced phishing attacks in the hopes of infiltrating networks and selling bank-card data. It has also introduced ransomware/data exfiltration attacks to its arsenal since 2020, carefully choosing targets based on revenue using the ZoomInfo service, according to researchers. 

Its malware selection is often changing, with researchers sometimes being surprised by never-before-seen samples. However, the Carbanak remote-access trojan (RAT), which is highly complex and sophisticated in comparison to its peers, has been its go-to toolkit. Carbanak is commonly used for network reconnaissance and gaining a foothold. 

However, BI.ZONE researchers have recently discovered that the community is employing a new form of backdoor known as Lizar. According to an article published on Thursday, the new edition has been in use since February and provides a strong range of data extraction and lateral movement capabilities. 

 “Lizar is a diverse and complex toolkit,” according to the firm. “It is currently still under active development and testing, yet it is already being widely used to control infected computers, mostly throughout the United States.” 

Attacks on a gambling establishment, several educational institutions, and pharmaceutical firms in the United States, as well as an IT corporation headquartered in Germany and a financial institution in Panama, have been recorded so far.
Read more »
spam email
Adobe Cyber Security Microsoft phishing RAT spam email

RevengeRAT is Targeting the Aerospace and Travel Sectors with Spear-Phishing Emails

 

Microsoft has released a warning about a remote access tool (RAT) called RevengeRAT, which it claims has been used to send spear-phishing emails to the aerospace and travel industries.

RevengeRAT is a remote access trojan (RAT) that is classified as a high-risk computer infection. This malware aims to give cybercriminals remote access to infected computers so they can manipulate them. According to research, cybercriminals spread this infection through spam email campaigns (malicious MS Office attachments). Having a trojan-type infection on your device, such as RevengeRAT, can cause a slew of problems. 

They can use RevengeRAT to monitor system services/processes/files, edit the Windows Registry and hosts file, log keystrokes, steal account passwords, access hardware (such as a webcam), run shell commands, and so on. As a result, these individuals have the potential to cause serious harm. 

RevengeRAT, also known as AsyncRAT, is spread by carefully designed email messages that instruct recipients to open a file that appears to be an Adobe PDF attachment but actually installs a malicious visual basic (VB) file. 

The two RATs were recently identified by security company Morphisec as part of a sophisticated Crypter-as-a-Service that delivers multiple RAT families. The phishing emails, according to Microsoft, transmit a loader, which then delivers RevengeRAT or AsyncRAT. Morphisec claims it is also able to supply the RAT Agent Tesla. 

"The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads," Microsoft said. 

Morphisec called the cryptor service "Snip3" after a username it discovered in earlier malware variants. If Snip3 detects that a RAT is being executed inside the Windows Sandbox – a virtual machine security feature Microsoft launched in 2018 – it will not load it. Advanced users can use the Windows Sandbox to run potentially malicious executables in a secure sandbox that won't harm the host operating system.

"If configured by [the attacker], the PowerShell implements functions that attempt to detect if the script is executed within Microsoft Sandbox, VMWare, VirtualBox, or Sandboxie environments," Morphisec notes. "If the script identifies one of those virtual machine environments, the script terminates without loading the RAT payload."
Read more »
Subscribe to: Posts (Atom)