
Hackers Using Malicious Versions of Popular Software Brands to Propagate RomCom RAT


The threat actor behind the RomCom RAT (remote access trojan) has launched a new campaign that impersonates the official websites of the software brands SolarWinds, KeePass, and PDF Technologies to distribute the malware.

Researchers from BlackBerry uncovered the campaign while analyzing network artifacts linked to RomCom RAT infections from attacks on Ukrainian military institutions and on some English-speaking countries, including the United Kingdom.

According to Mike Parkin, senior technical engineer at Vulcan Cyber, given the targets and the nature of the attack there is more than a purely cybercriminal motive in play; state-level planning behind the scenes is quite likely.

"At its core, though, this is an attack against human targets," Parkin said. "They are primarily relying on victims being socially engineered through email to go to a malicious site disguised as a legitimate one. That makes the users the first line of defense, as well as the primary attack surface."

The RomCom operators registered domains resembling the legitimate ones and hosted clone websites on them. They then trojanized a legitimate application, distributed it through the decoy website, and sent targeted phishing emails to lure victims to it. In some cases the attackers used additional infection vectors.

The campaign looks like a direct copy of attacks examined during the pandemic, when a number of vendor products and support tools were impersonated or "wrapped" with malware, said Andrew Barratt, vice president at Coalfire.

“The wrapping means that the underlying legitimate tool is still deployed, but as part of that deployment some malware is dropped into the target environment,” Barratt explained. “Major APTs like FIN7 have used these tactics in the past. Leveraging well-known brands that they have probably identified are in use gives an intruder a high possibility of a positive response by a user they mislead.” 

Earlier this year, in August, Palo Alto Networks' Unit 42 linked the RomCom RAT to a Cuba ransomware affiliate named 'Tropical Scorpius', which was the first actor seen using the malware. Its features include ICMP-based communications, commands for file manipulation, process spawning and spoofing, data exfiltration, and activating a reverse shell.

However, the BlackBerry researchers said there was no evidence for that attribution; their report mentions Cuba Ransomware and Industrial Spy only as possibly related to RomCom RAT. It therefore remains unclear who is behind RomCom RAT or what the motives behind the attacks are.

Analysis on Agent Tesla's Successor

OriginLogger, a malware family hailed as the successor to the well-known data-theft and remote access trojan (RAT) Agent Tesla, has been dissected by Palo Alto Networks Unit 42.

Agent Tesla, one of the most notorious keyloggers used by attackers, was shut down on March 4, 2019, due to legal issues. It is a remote access program built on the .NET platform that has long existed in the cyber realm, enabling malicious actors to obtain remote access to target devices and transmit user data to a domain under their control. It has been public since 2014 and is advertised for sale on dark web forums. Typically, attackers deliver it as an attachment to malicious spam emails.

Since Agent Tesla and OriginLogger are both commercialized keyloggers, it should not be assumed that one has a distinct advantage over the other in terms of initial droppers. 

Security company Sophos revealed two new versions of the malware in February 2021, with the ability to steal login information from web browsers, email clients, and VPN clients, as well as to use the Telegram API for command and control.

According to Unit 42 researcher Jeff White, what has been labeled Agent Tesla version 3 is in fact OriginLogger, which is believed to have emerged to fill the gap left by Agent Tesla after its operators shut down the business.

A YouTube video explaining its features served as the starting point for the cybersecurity company's study, which led to the discovery of a malware sample, "OriginLogger.exe", that was uploaded to VirusTotal on May 17, 2022.

The binary is a builder that lets a paying customer specify the kinds of data to be collected, including screenshots, the clipboard, and the list of services and programs from which keys are to be retrieved.

Unlike the IP addresses linked to originpro[.]me, 74.118.138[.]76 resolves to 0xfd3[.]com rather than directly to any OriginLogger domain. Looking at that domain reveals that it has MX and TXT records in DNS for mail.originlogger[.]com.

Around March 7, 2022, the domain in question started to resolve to IP 23.106.223[.]47, one octet higher than the IP used for originpro[.]me, which ended in 46.

OriginLogger targets both Google Chrome and Microsoft Outlook, and Unit 42 used those two applications to locate a GitHub profile with the username 0xfd3 that hosted two source code repositories for obtaining credentials from them.

Like Agent Tesla, OriginLogger is distributed via a decoy Word document that, when opened, displays an image of a German passport, a credit card, and several Excel worksheets embedded in it.

The embedded files contain a VBA macro that uses MSHTA to fetch an HTML page from a remote server; that page contains obfuscated JavaScript that retrieves two encoded binaries hosted on Bitbucket.

Advertisements from the threat actors claim that the malware employs time-tested techniques and can log keystrokes, steal credentials, capture screenshots, download additional payloads, exfiltrate data in a variety of ways, and attempt to evade detection.

A corpus analysis of over 1,900 samples reveals that the most popular exfiltration methods for returning data to the attacker are SMTP, FTP, web uploads to the OriginLogger panel, and Telegram (181 different bots were observed). The goal of this investigation was to automatically extract keylogger configuration information.

INTERPOL Arrests Three Nigerians in Connection with a Global Scam


Three Nigerian men were arrested and convicted as a result of an INTERPOL-led operation code-named Killer Bee. They were accused of using a remote access trojan (RAT) to divert bank transactions and steal business credentials. Two possible accomplices were also apprehended.

The trio, aged 31 to 38, was apprehended as part of an 11-country sting operation involving law enforcement agencies from Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Nigeria, the Philippines, Singapore, Thailand, and Vietnam. 

Agent Tesla is a prominent "malware-as-a-service" Remote Access Trojan (RAT) tool used by malicious attackers to collect information like credentials, keystrokes, and clipboard data from the victims. It was initially identified in late 2014. 

Due to Agent Tesla's stability, flexibility, and functionality, which allow it to harvest sensitive data and exfiltrate it from the victim, it is used both by cybercriminal groups and by actors involved in espionage operations.

While the authorities did not say how much money the attackers allegedly stole, the companies targeted included oil and gas enterprises in Southeast Asia, the Middle East, and North Africa. According to INTERPOL, one of the scammers, Hendrix Omorume, was prosecuted and convicted on three counts of serious financial fraud and now faces a sentence of 12 months in prison. The other two men are still facing charges.

Interpol and the Nigerian Police Force, with the help of various cybersecurity firms (Group-IB, Palo Alto Networks Unit 42, and Trend Micro), identified a 37-year-old Nigerian man as one of the SilverTerrier cybercrime group's commanders last week.

"Cybercrime is growing at a rapid pace, with new trends continuously appearing," stated Abdulkarim Chukkol, Director of Operations at the EFCC. INTERPOL and the EFCC collaborate on operations like Killer Bee to keep up with emerging technologies, understand the opportunities they provide for criminals, and how they may be used to combat cybercrime.

APT27 Hackers are Backdooring Business Networks in Germany


The German domestic intelligence service, the BfV, issued a warning about ongoing operations orchestrated by the Chinese-backed hacker group APT27. In this active campaign the attackers are utilising the HyperBro remote access trojan (RAT) to backdoor the networks of German commercial enterprises. Operating as an in-memory backdoor with remote administration capabilities, HyperBro helps the threat actors maintain persistence on victims' networks.

HyperBro is a RAT that has been seen predominantly in the gambling industry, although it has also appeared elsewhere. The malware is typically composed of three or more components: a) a genuine, validly signed loader, b) a malicious DLL loaded by the former component via DLL hijacking, and c) an encrypted and compressed blob that decrypts to a PE payload with its C2 information hardcoded within.

APT27 (also known as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse) is a Chinese-sponsored threat group that has been active since at least 2010 and is noted for its emphasis on data theft and cyber espionage efforts. 

Since March 2021, APT27 has been exploiting flaws in Zoho ADSelfService Plus, an enterprise password management solution for Active Directory and cloud apps, according to the German intelligence agency. This is consistent with earlier reports that Zoho ManageEngine installations were the target of multiple campaigns in 2021 run by nation-state actors employing techniques and tooling similar to APT27's.

The threat group's objective, according to the agency, is to steal critical information, and it may also seek to target its victims' customers in supply chain attacks.

"The Federal Office for the Protection of the Constitution has information about an ongoing cyber espionage campaign by the cyber-attack group APT27 using the malware variant HYPERBRO against German commercial companies," the BfV said. "It cannot be ruled out that the actors, in addition to stealing business secrets and intellectual property, also try to infiltrate the networks of customers or service providers." 

In addition, the BfV issued indicators of compromise (IOCs) and YARA rules to assist targeted German organisations in detecting HyperBro infections and connections to APT27 command-and-control (C2) servers. 

APT27 initially exploited a zero-day vulnerability in ADSelfService Plus until mid-September, then moved to an n-day ADSelfService Plus vulnerability before beginning to exploit a ServiceDesk flaw on October 25. According to Palo Alto Networks researchers, the group successfully compromised at least nine organisations in critical sectors around the world, including defence, healthcare, energy, technology, and education.

To Spread STRRAT Malware, Phishing Campaign Impersonates Shipping Giant Maersk


A new phishing campaign using bogus shipping delivery lures installs the STRRAT remote access trojan on the computers of unsuspecting victims. Fortinet identified the campaign after detecting phishing emails impersonating Maersk Shipping, a worldwide shipping giant, while utilising seemingly authentic email addresses.

STRRAT is a multi-functional Remote Access Trojan dating to at least mid-2020. Unusually, it is Java-based, and it is normally delivered to victims via phishing email. Previous STRRAT operations, like other phishing attacks, used an intermediary dropper (e.g., a malicious Excel macro) attached to the email that downloaded the final payload when opened. Instead, this sample attaches the final payload directly to the phishing email.

In the Maersk Shipping case, after leaving the sender's local infrastructure the message passes through "acalpulps[.]com" before being delivered to the final recipient. This domain was only registered in August 2021, which makes it questionable. Furthermore, the domain used in the "Reply-To" address, "ftqplc[.]in", was registered even more recently (October 2021), making it highly suspicious as well. The email body urges the recipient to open attachments regarding a pending shipment.
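The two header-level signals described above, a Reply-To domain that does not match the From domain and freshly registered domains in the delivery path, can be checked automatically at the mail gateway. The following is an added example, not code from the Fortinet write-up: it parses a constructed message modelled on the lure (the domains acalpulps.com and ftqplc.in are the ones named above; the sender address and IP are made up) and uses a constructed registration-date table as a stand-in for a WHOIS/RDAP lookup (months taken from the text, days assumed).

```python
import re
from datetime import date
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message modelled on the lure described in the text. The
# relay and Reply-To domains are the ones named there; everything else is made up.
SAMPLE_EMAIL = """\
Received: from acalpulps.com (acalpulps.com [192.0.2.10]) by mx.example.test; Mon, 1 Nov 2021 08:00:00 +0000
From: Maersk Documentation <documents@maersk-lookalike.example>
Reply-To: shipping@ftqplc.in
Subject: Pending shipment: SHIPMENT_DOCUMENTS_INV-PLIST01256
Content-Type: text/plain

Please review the attached shipment documents.
"""

# Constructed stand-in for a WHOIS/RDAP lookup: registration months come from the
# text (August and October 2021), the day of month is assumed.
REGISTRATION_DATES = {
    "acalpulps.com": date(2021, 8, 1),
    "ftqplc.in": date(2021, 10, 1),
}

RECENT_DAYS = 180  # assumed policy threshold: domains younger than this are flagged


def domain_of(addr):
    """Return the lowercase domain of an RFC 5322 address, or '' if there is none."""
    _, email_addr = parseaddr(str(addr or ""))
    return email_addr.rpartition("@")[2].lower()


def received_hosts(msg):
    """Extract the 'from' host of every Received header, outermost first."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+([A-Za-z0-9.-]+)", str(hdr))
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def assess(raw, registry=REGISTRATION_DATES, today=date(2021, 11, 1)):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    findings = []

    # Signal 1: replies would go to a different domain than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain mismatch: {reply_dom} != {from_dom}")

    # Signal 2: any domain in the sender/reply/relay path registered very recently.
    seen = set()
    for dom in [from_dom, reply_dom] + received_hosts(msg):
        if not dom or dom in seen:
            continue
        seen.add(dom)
        registered = registry.get(dom)
        if registered is not None:
            age = (today - registered).days
            if age < RECENT_DAYS:
                findings.append(f"recently registered domain in path: {dom} ({age} days)")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_EMAIL):
        print(finding)
```

In production the `REGISTRATION_DATES` table would be replaced by a cached RDAP query, and the findings would feed a scoring rule rather than a hard block, since a Reply-To mismatch alone is common in legitimate ticketing and marketing mail.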

A PNG image and two Zip archives are attached directly to the sample email. "maersk.png" is simply an image file. However, the two Zip archives "SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]zip" and "SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF (2)[.]zip" each include an embedded copy of STRRAT. When one of these archives is unzipped, the file "SHIPMENT_DOCUMENTS_INV-PLIST01256_BL PDF[.]jar" appears. Opening the file in Jar Explorer makes a few things clear.

First, the package contains a significant number of Java class files. Second, the strings in the class "FirstRun" appear to be scrambled or encoded. Lines beginning with "ALLATORIxDEMO" indicate the use of the Allatori Java obfuscator.
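The same triage can be scripted for a quarantine pipeline: open the jar, count class files, read the manifest entry point, and flag any entry carrying the "ALLATORIxDEMO" marker. This is an added example, not Fortinet's tooling; it builds a constructed in-memory jar with the layout described above (a manifest, many classes, and a `FirstRun.class` carrying the marker) so it runs offline, and the names of the other classes are invented.

```python
import io
import zipfile

# Marker named in the write-up: strings starting with "ALLATORIxDEMO" betray the
# Allatori Java obfuscator (demo build).
ALLATORI_MARKER = b"ALLATORIxDEMO"
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # every Java class file starts with this


def build_sample_jar():
    """Construct an in-memory jar shaped like the one described in the text:
    a manifest, many class files, and one class ('FirstRun') whose bytes carry
    the Allatori marker. This is a constructed stand-in, not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: FirstRun\n")
        for i in range(40):  # invented filler classes
            zf.writestr(f"pkg/Class{i}.class", CLASS_MAGIC + bytes(16))
        zf.writestr("FirstRun.class", CLASS_MAGIC + bytes(8) + ALLATORI_MARKER + b"0123" + bytes(8))
        zf.writestr("resources/config.txt", "placeholder")
    return buf.getvalue()


def main_class(zf):
    """Read Main-Class from the manifest, or None if absent."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Main-Class:"):
            return line.split(":", 1)[1].strip()
    return None


def scan_jar(data):
    """Triage a jar held in memory: count class files, verify their magic bytes,
    list entries containing the Allatori marker, and report the entry point."""
    result = {"class_files": 0, "allatori_hits": [], "main_class": None, "bad_magic": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        result["main_class"] = main_class(zf)
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info.filename)
            if info.filename.endswith(".class"):
                result["class_files"] += 1
                if not content.startswith(CLASS_MAGIC):
                    result["bad_magic"].append(info.filename)
            if ALLATORI_MARKER in content:
                result["allatori_hits"].append(info.filename)
    return result


if __name__ == "__main__":
    print(scan_jar(build_sample_jar()))
```

A hit on the marker is a triage signal, not a verdict: Allatori is a commercial product with legitimate users, so the result should raise priority for manual review rather than block on its own.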

STRRAT first collects basic information about the host system, such as its architecture and any anti-virus software running on it, before checking local storage and network capability. STRRAT can log user keystrokes, enable remote control, steal passwords from web browsers such as Chrome, Firefox, and Microsoft Edge and from email clients such as Outlook, Thunderbird, and Foxmail, and launch a pseudo-ransomware module to simulate an infection.

Trojans like STRRAT are frequently overlooked because they are less sophisticated and more indiscriminately distributed. However, this phishing attempt shows that even small threats can cause significant damage to organizations.

Mekotio Banking Trojan Resurfaces with Tweaked Code


On November 3, Check Point Research (CPR) published research on Mekotio, a modular banking Remote Access Trojan (RAT) that targets victims in Brazil, Chile, Mexico, Spain, and Peru, and which is now back with new techniques for evading detection.

In October, 16 people were arrested across Spain in connection with the Mekotio and Grandoreiro Trojans. The individuals are suspected of sending hundreds of phishing emails to spread the Trojans, which were then used to steal banking and financial information. According to local media, 276,470 euros were stolen, while transfer attempts worth 3,500,000 euros were made but fortunately blocked.

According to CPR researchers Arie Olshtein and Abedalla Hadra, the arrests only slowed the spread of the malware across Spain, and it is still spreading because the group probably partnered with other criminal organisations. Mekotio's developers, suspected of being based in Brazil, quickly reworked their malware with new features designed to avoid detection after the arrests were announced by the Spanish Civil Guard.

Mekotio's infection vector has remained the same: phishing emails that either link to, or attach, a ZIP archive containing the payload. However, an examination of more than 100 recent attacks revealed the use of a simple obfuscation approach and a substitution cipher to avoid detection by antivirus software.

In addition, the developers have included a redesigned batch file with multiple layers of obfuscation, a new PowerShell script that runs in memory to perform the malicious actions, and the use of Themida, a legitimate commercial protector designed to prevent cracking and reverse engineering, to shield the final Trojan payload.

Once installed on a victim machine, Mekotio attempts to exfiltrate login credentials for banks and financial services and sends them to a command-and-control (C2) server controlled by its operators.

The researchers stated, "One of the characteristics of those bankers, such as Mekotio, is the modular attack which gives the attackers the ability to change only a small part of the whole in order to avoid detection. CPR sees a lot of old malicious code used for a long time, and yet the attacks manage to stay under the radar of AVs and EDR solutions by changing packers or obfuscation techniques such as a substitution cipher."

Caliente Bandits Target Spanish Speaking Individuals to Spread Bandook Malware


A new hacking group, TA2721, also known as Caliente Bandits, has been tracked by Proofpoint researchers since January 2021. According to the researchers, the group actively targets many industries, focusing primarily on entertainment and finance.

The group distributes a known but rarely used RAT called Bandook, delivered with Spanish-language lures. Researchers named the group 'Caliente Bandits' because it uses Hotmail accounts; the Spanish word "caliente" means "hot."

Researchers began tracking the group in January 2021, and by around April they observed TA2721 sending Bandook email campaigns on a weekly basis. Although the group attacks organizations around the world, targets with Spanish surnames remain its primary focus. It is worth noting that the cybersecurity company ESET was the first to disclose details of the malware used by the group.

The campaign repeatedly uses the same budget or transaction theme to lure users into downloading a PDF. The attached PDF contains a URL and a password that lead to the installation of a password-protected Bandook package.

According to Proofpoint, TA2721 sent emails to fewer than 100 organizations in 2021, including institutions in the United States, Europe, and South America. The attacks concentrated mostly on recipients with Spanish surnames such as Pérez, Castillo, and Ortiz.

Reportedly, the threat actor spread two variants of Bandook, a commodity malware family. Researchers also observed the actor adopting detection-evasion measures such as password-protecting the infected archives.

The threat actor typically sends links to the Bandook download from Hotmail or Gmail addresses. Terms such as "PRESUPUEST" and "COTIZACION" generally appear in subject lines and sender names. In one June campaign, however, the actor shared URLs directly. Researchers found that the campaigns observed from January to June 2021 used shortened URLs, which redirected to Spideroak[.]com, a legitimate file-hosting service, to download a malicious RAR file.

Bandook, a remote access trojan (RAT) written in Delphi, has been commercially available in the wild since 2007. It can be used for audio and video capture and recording, keylogging, and data theft.

The evidence suggests that TA2721 will continue to use a small number of Bandook variants, a similar infection chain, and a small set of C2 domains. The precise targeting shows that the threat actor identifies target entities before the emails are sent.

Toxic Eye Malware is Utilizing Telegram


In 2021, many users left WhatsApp for other messaging apps that promised better data protection, after the company announced that it would share user metadata with Facebook by default. Many of those users turned to Telegram and Signal, WhatsApp's main competitors.

According to Sensor Tower, Telegram was perhaps the most downloaded app in January 2021, with over 63 million downloads. Telegram chats are still not end-to-end encrypted the way Signal's are, and now Telegram has another problem: malware.

Check Point Software's research team recently found that cybercriminals are using Telegram as the command-and-control platform for a malware program named Toxic Eye. It turns out that certain features of Telegram are far more convenient for attackers than web-based tooling: they can use ready-made Telegram bots to control compromised machines.

Toxic Eye is a type of malware known as a remote access trojan (RAT). A RAT gives an intruder remote control over an infected machine, meaning the attacker can steal data from the host, delete or copy files, disrupt the machine's operation, and much more. The Toxic Eye RAT is distributed via email with an EXE file attached; if the target opens the file, the malware is installed on the user's computer.

RATs are comparable to legitimate remote access programs that can be used to control a user's device, for instance by technical support staff. However, RATs sneak in without authorization. They can masquerade as legitimate files, for example disguised as a document or bundled into a larger file such as a video game.

Attackers used Telegram to remotely control the malware. Check Point analyst Omer Hofman says that from February to April 2021 the company found 130 Toxic Eye attacks using this tool, and several properties make Telegram attractive to attackers distributing malware.

Firewalls do not block Telegram, nor do network monitoring tools. It is a user-friendly app that most people recognize as legitimate, so they let their guard down.
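Because the traffic is plain HTTPS to api.telegram.org, blocking it is rarely an option, but the Bot API is distinguishable from the Telegram desktop or mobile client: bot calls use URL paths of the form `/bot<id>:<secret>/<method>`, which an end-user chat client never requests. The following is an added example, not Check Point's or Sophos's tooling, that hunts for such calls in constructed endpoint/proxy log lines (the log format, hostnames, process names and tokens are all made up), redacts the token secret before reporting, and optionally allowlists known automation processes. It applies equally to the Telegram-based Agent Tesla variants Sophos described earlier on this page.

```python
import re

# Constructed endpoint/proxy log lines, not from the report. The tokens are
# made-up placeholders shaped like real Bot API tokens (<numeric id>:<secret>).
SAMPLE_LOG = """\
2021-03-02T10:15:01Z host=WS-17 proc=chrome.exe dst=www.example.com path=/index.html
2021-03-02T10:15:07Z host=WS-17 proc=invoice_scan.exe dst=api.telegram.org path=/bot123456789:AAFplaceholdertokenvalue00000000000/sendDocument
2021-03-02T10:15:09Z host=WS-17 proc=invoice_scan.exe dst=api.telegram.org path=/bot123456789:AAFplaceholdertokenvalue00000000000/getUpdates
2021-03-02T10:16:30Z host=WS-04 proc=alerts_relay.py dst=api.telegram.org path=/bot555:AAEteamalertbottoken0000000000000000/sendMessage
"""

# Assumed log layout: one record per line with key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) path=(?P<path>\S+)$"
)
# Bot API request paths look like /bot<id>:<secret>/<method>.
BOT_API_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)")


def parse_line(line):
    """Return the record fields as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def redact(bot_id, secret):
    """Keep the bot id and a short prefix so analysts can correlate events
    across hosts without the full secret ending up in a ticket or SIEM."""
    return f"{bot_id}:{secret[:3]}***"


def find_bot_api_use(log_text, allowed_procs=()):
    """Return one hit per Bot API call made by a process not on the allowlist."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["dst"].lower() != "api.telegram.org":
            continue
        bm = BOT_API_RE.match(rec["path"])
        if not bm or rec["proc"] in allowed_procs:
            continue
        hits.append({
            "time": rec["ts"],
            "host": rec["host"],
            "proc": rec["proc"],
            "method": bm.group("method"),
            "token": redact(bm.group("bot_id"), bm.group("secret")),
        })
    return hits


if __name__ == "__main__":
    # The alerting relay is assumed to be a known, sanctioned bot.
    for hit in find_bot_api_use(SAMPLE_LOG, allowed_procs=("alerts_relay.py",)):
        print(hit)
```

Methods such as `getUpdates` (polling for operator commands) and `sendDocument` (uploading files) from an unexpected binary are the pattern to alert on; a sanctioned alerting bot that only calls `sendMessage` can be allowlisted by process or by redacted token.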

The researchers' advice is not to open email attachments from unknown senders, which should raise suspicion. Also be wary of attachments whose names contain a username; malicious emails often include the username in the subject line or the attachment title. An email is possibly malicious if the sender tries to sound urgent, threatening, or pushy and pressures the user to click a link or attachment or to provide sensitive data. Where possible, use anti-phishing tools.

Attention! Malvertising Campaigns Using Exploit Kits On The Rise

Of all the things online advertising can be used for, spreading malware is the one that outdoes them all.

Recently, researchers uncovered a new 'malvertising' campaign, which sources say was carried out with the "Domen Social Engineering Toolkit".

'Malvertising' (malicious advertising) can be defined as the use of online advertising to spread malware. Most typically it is done by inserting malware or malicious advertisements into legitimate advertising web pages or networks.

According to informed sources, the campaign was uncovered while using a VPN service as bait. It displayed a set of domains that gave Domen's attack mechanism a fresh twist.

As described in reports, the campaign was built so that 'search-one[.]info' served as the 'fake' page, 'mix-world[.]best' as the download site, and 'panel-admin[.]best' as the backend panel.

According to reports, the campaign redirected users and exposed them to 'Smoke Loader', a downloader that installs secondary payloads. And that is what it did: the payloads consisted of the 'Vidar stealer', 'Buran ransomware', and the 'IntelRapid cryptominer'.

Needless to say, this is not the first such campaign focused on payloads. According to sources, Domen's malvertising started in September last year. The social engineering toolkit was used to compromise a website and trick users into clicking on a fake 'Adobe Flash Player' update. Clicking started a download of "download.hta", which then used PowerShell to connect to "xyxyxyxyxy[.]xyz" and download the 'NetSupport Remote Access Trojan' (RAT).

With the growing use of the internet and online services, building a structured and strong defense against malvertising becomes a top priority.

Hiring security professionals is a sound prerequisite and a building block for creating that defense. Keeping up with the latest updates and patches must be a primary priority.

Reportedly, in most cases 'exploit kits' are used to deliver the malware payloads. Organizations should therefore have a clear inventory of all their choke points so that a malvertising campaign's attack payloads can be detected and dealt with in time.