24 April 2024

Ongoing malware campaign targets multiple industries, distributes infostealers


Ongoing malware campaign targets multiple industries, distributes infostealers

Cisco Talos threat intelligence research group has uncovered a sophisticated and ongoing cyber campaign, targeting victims across multiple countries since at least February 2024 with three infostealer malware variants: Cryptbot, LummaC2, and Rhadamanthys.

This malware is designed to harvest sensitive information from victims, including system and browser data, credentials, cryptocurrency wallets, and financial information.

One of the key findings of the campaign suspected to be linked to CoralRaider, a financially motivated threat actor of Vietnamese origin, disclosed by Talos in early April, is the deployment of a new PowerShell command-line argument embedded within LNK files. It is aimed at bypassing antivirus products and facilitating the download of the final payload onto victims' systems. The campaign leverages a Content Delivery Network (CDN) cache domain as a download server, hosting malicious HTA files and payloads.

Talos researchers have identified several tactics, techniques, and procedures (TTPs) employed in this campaign, bearing similarities to CoralRaider's previous Rotbot campaign. These include the use of Windows Shortcut files as the initial attack vector, intermediate PowerShell decryptors and payload download scripts, as well as the FoDHelper technique to bypass User Access Controls (UAC) on victim machines.

Talos has identified multiple command-and-control (C2) domains utilized by the threat actor in this campaign.

The campaign targets various industries and geographies, with victims reported in countries such as the US, Nigeria, Pakistan, Ecuador, Germany, Egypt, the UK, Poland, the Philippines, Norway, Japan, Syria, and Turkey. Telemetry data indicates that affected users also include employees of Japan's computer service call center organizations and civil defense service organizations in Syria.

According to Talos, the campaign's initial access vector appears to be phishing emails with the links leading to ZIP archives containing Windows shortcut (LNK) files. The shortcut files execute PowerShell scripts to fetch the next-stage HTA payload hosted on the CDN cache. Next, a JavaScript code embedded within the payload launches a concealed PowerShell loader, leading to the deployment of one of the three infostealer malware variants.

Back to the list

Latest Posts

Global police op shuts down major DDoS platforms

Global police op shuts down major DDoS platforms

As part of the effort, three suspected administrators were arrested in France and Germany.
11 December 2024
US authorities charge Chinese hacker for exploiting zero-day bug in Sophos firewalls

US authorities charge Chinese hacker for exploiting zero-day bug in Sophos firewalls

The US Department of State offered a reward of up to $10 million for information leading to the hacker's capture.
11 December 2024
Microsoft’s December 2024 Patch Tuesday fixes over 70 flaws, one actively exploited

Microsoft’s December 2024 Patch Tuesday fixes over 70 flaws, one actively exploited

0Day affects the CLFS Driver and can be abused by a local user for code execution with SYSTEM privileges.
11 December 2024