Russia-linked cybercrime syndicate TA505 has been observed using new hVNC (Hidden Virtual Network Computing) malware to compromise Windows machines, according to a new report from threat intelligence company Elastic Security Labs.
TA505 (aka Evil Corp, FIN11, and Indrik Spider) is a well-known cybercrime group associated with Dridex, Locky, and Necurs campaigns.
Dubbed “Lobshot,” the tool is a financial trojan and information stealer capable of bypassing fraud detection engines and providing its operators with stealthy, direct access to the infected systems.
The malware is being distributed via malvertising campaigns involving Google Ads and a network of fake websites designed to trick users into downloading legitimate-looking installers with embedded backdoors.
The researchers said they have observed more than 500 unique Lobshot samples since July 2022, compiled as 32-bit DLLs or 32-bit executables and typically 93 KB to 124 KB in size. The malware employs dynamic import resolution to evade security products and thwart analysis.
“Lobshot implements the hVNC feature by generating a hidden desktop using the CreateDesktopW Windows API and then assigning the desktop to the malware using the SetThreadDesktop API. A new Windows explorer.exe process is then created under the context of the new hidden desktop,” the researchers explained.
The trojan performs a Windows Defender anti-emulation check and exits its process if the anti-malware solution is detected. This kind of verification has been incorporated in many other stealers including Arkei, Vidar, and Oski, Elastic notes.
Once executed, the malware moves a copy of itself to the C:\ProgramData folder, spawns a new process via explorer.exe, terminates the original process, and finally deletes the original file.
Lobshot makes Windows Registry changes to establish the persistence mechanism and then proceeds to steal information. It is able to steal data from over 50 cryptocurrency wallet extensions present in web browsers like Google Chrome, Microsoft Edge, and Mozilla Firefox.
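As an added illustration from the defender's side (not code from the Elastic report), the following Python checks Sysmon-style process and registry events for the chain described above: the relocated copy under C:\ProgramData started through explorer.exe, a fresh explorer.exe spawned by an unexpected parent (the hVNC desktop step), and an autorun value pointing back into ProgramData. The field names follow Sysmon; the sample events, the expected-parent baseline, and the assumption that persistence uses a Run key are constructed for the example.

```python
import ntpath

PROGRAMDATA = "c:\\programdata\\"
# Parents that legitimately start explorer.exe at logon or after a shell
# restart (assumed baseline; tune to the environment).
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}

def _base(path):
    return ntpath.basename(path).lower()

def _in_programdata(path):
    return path.lower().startswith(PROGRAMDATA)

def check_event(ev):
    """Return the rule names triggered by one event (empty list if benign)."""
    hits = []
    if ev.get("EventType") == "ProcessCreate":
        image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
        # Stage 1: the copy placed in C:\ProgramData is launched via explorer.exe
        if _in_programdata(image) and _base(parent) == "explorer.exe":
            hits.append("programdata_binary_launched_by_explorer")
        # Stage 2: hVNC creates a new explorer.exe whose parent is the implant,
        # not one of the shell components that normally start it
        if _base(image) == "explorer.exe" and _base(parent) not in EXPECTED_EXPLORER_PARENTS:
            hits.append("explorer_spawned_by_unexpected_parent")
    elif ev.get("EventType") == "RegistrySetValue":
        # Stage 3: autorun value whose data points into C:\ProgramData
        # (Run key is an assumption; the report only says Registry changes are made)
        if "\\currentversion\\run\\" in ev.get("TargetObject", "").lower() \
                and PROGRAMDATA in ev.get("Details", "").lower():
            hits.append("run_key_points_to_programdata")
    return hits

def scan(events):
    """Map event index -> triggered rules, for every event that fired."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}

# Constructed sample telemetry (placeholder names, not real Lobshot indicators).
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},            # logon, benign
    {"EventType": "ProcessCreate", "Image": r"C:\ProgramData\svc_update.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                     # stage 1
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\ProgramData\svc_update.exe"},               # stage 2
    {"EventType": "RegistrySetValue",
     "TargetObject": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run\svc_update",
     "Details": r"C:\ProgramData\svc_update.exe"},                   # stage 3
    {"EventType": "ProcessCreate", "Image": r"C:\Program Files\App\app.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                     # benign
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, rules)
```

Stage 1 on its own is noisy in environments where software legitimately runs from ProgramData; correlating it with stages 2 and 3 on the same host is what makes the alert meaningful.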
“Threat groups are continuing to leverage malvertising techniques to masquerade legitimate software with backdoors like Lobshot. These kinds of malware seem small, but end up packing significant functionality which helps threat actors move quickly during the initial access stages with fully interactive remote control capabilities,” the report concludes.