Monday, May 27, 2024

A Backdoor Found in U.S. Federal Government Networks

The U.S. federal government commission has recently detected a new backdoor on Thursday; the backdoor implemented total visibility and complete control over the agency network.

The cybersecurity researchers who have detected this backdoor have claimed that it is a “classic APT-type operation.” Threat actors can use this backdoor to have full control over the network.

However, this is very controversial, and that’s why the exact name of the federal government commission has not been disclosed. Apart from this, Avast remarked that they are trying their best to identify the kind of attacks and consequently inform the agency’s findings.

Files Detected

The primary files that the security analysts detect are:-

  • Downloader
  • Decryptor

Downloader

It is the very first file that the experts have detected; this file was disguised as oci.dll (“C:\Windows\System32\oci.dll”) (Oracle Call Interface).

Here, the files contained a compressed library dubbed as NTlib by the analysts. This file is specifically used by the threat actors to check the MD5 of the hostname and later stop if it doesn’t match the one they stored.

Decryptor

It was the second file detected by the experts, and this file was also disguised as oci.dll, and this file replaced the first file that is used in the next stage of the attack.

While here, in these circumstances, the main function of this file is to decrypt and run in memory the file “SecurityHealthServer.dll.”

Evading Firewalls and Network Monitoring

After analyzing the backdoor, the security researchers concluded that it generally works by replacing a normal Windows file called “oci.dll” with two malicious ones.

This file enables the threat actors to download and execute malicious code on the targeted system. However, it is being assumed that the main motive of the attack is to bypass firewalls and network monitoring tools and solutions.

That’s why we conveyed that the earlier file is quite similar to the rcview40u.dll; it is likely that the threat actor had access to the source code of the three-year-old rcview40u.dll.

However, this backdoor attack was carried in two-stage, and its main justification was to deploy two malicious binaries that allowed the unidentified adversary to intercept internet traffic.

Not only that even it is also used to execute code of their choice and later allows the operators to take entire control over the infected systems that they attacked.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

Kesakode: A Remote Hash Lookup Service To Identify Malware Samples

Today marks a significant milestone for Malcat users with the release of version 0.9.6,...

Cisco Firepower Vulnerability Let Attackers Launch SQL Injection Attacks

 A critical vulnerability has been identified in Cisco Firepower Management Center (FMC) Software's web-based...

Hackers Exploit WordPress Plugin to Steal Credit Card Data

Hackers have exploited an obscure WordPress plugin to inject malware into websites, specifically targeting...

Google Patches Chrome Zero-Day: Type Confusion in V8 JavaScript

Google has released a patch for a zero-day exploit in its Chrome browser.The...

Hackers Created Rogue VMs in Recent MITRE’s Cyber Attack

State-sponsored hackers recently exploited vulnerabilities in MITRE's Networked Experimentation, Research, and Virtualization Environment (NERVE).They...

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing...

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Gift cards are attractive to hackers since they provide quick monetization for stolen data...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles