Saturday, November 2, 2024
HomeTorjan Horses/wormsBeware !! Dangerous RAT's Called "Adwind, Remcos, Netwire" Delivering via ...

Beware !! Dangerous RAT’s Called “Adwind, Remcos, Netwire” Delivering via A360 Cloud Drive

Published on

Malware protection

Widely Used A360 Cloud Drive Platform Abuse for Delivering Adwind, Remcos, Netwire  Remote Access Trojans and used as a Malware Distributing Platform by using File sharing site to host Malware.

Nowadays  Many Cloud Platform used as a Malware Delivering Platform that by hosting Malicious Files and also being served as a (C&C) infrastructure.

In this case, Command & Control Server Resolved by Free DNS services and it helps to RATs/backdoors that would phone back to their respective command-and-control servers after the Malicious RAT File were Downloaded and Executed.

“A360 is a cloud-based workspace that centralizes, connects and organizes your team and project information across your desktop, the web, and mobile devices.”A360 Drive provides online storage for collaboration. Anyone can create an account for free and given 5GB of space.
- Advertisement - SIEM as a Service

According to Trend Micro Report, U.S., South Africa, France, Italy, Germany, Hong Kong, and U.K. the most affected By this Distributed Adwind, Remcos, Netwire RAT’s.

Also Read:  Free Remote Access Trojan builder “Cobian RAT” Distributed a Backdoor

How Does These RAT’s Abusing the Cloud Infrastructure

These 3 RAT’s Initially Spreading via the Spam Email Campaign with Different Malware Variant Functions.

Adwind RAT  Intially Discovered from as a JAR file (JAVA_ADWIND.JEJPDY) which connect to the C&C Server when the Script get executed. later it will retrieve and exfiltrate multifarious data including credentials, keystrokes, and multimedia files.

RAT

NETWIRE RAT Identified through Spam Email Campign with attached  (JAVA_KRYPTIK.NPP) file containing a Java ARchive (JAR) along with Exicutable Script and futher analysis confrms that, it has string references NETWIRE remote access tool with keylogging and SOCKS proxy capabilities.

Trend Micro Discovered a Document File that Discovered as “AMMO REQUEST MOD Turkey.doc” (W2KM_DROPPR.XWD) that contains a generic template for macro malware used to abuse the A360 Drive .

Macro File is Encrypted and also Obfusticated Exicutable that will be finally Decrypted.it contains a payloadthat is a malicious PowerShell script that will download a file from A360 Drive and execute it.

The downloaded payload is a Visual Basic obfuscated executable file. Deobfuscating it reveals the Trojanized Remcos remote access tool (RAT), which is advertised, sold, and offered cracked on various websites and forums. Trend Micro said.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

MnuBot – New Banking Trojan Take Browsers Screenshots, Keylogging to Steal Bank Data

Newly discovered banking Trojan named MnuBot malware spreading to steal the sensitive bank related...

New Banking Trojan IcedID Evade Sandboxes and Performing Web Injection Attacks

A New Banking Trojan dubbed IcedID discovered that capable of performing some dangerous web-based...

Silence Trojan Targeting Financial Institutions Recording day to day activity on Bank Employees’ PCs

Security experts from Kaspersky lab discovered a new trojan dubbed Silence trojan that targeting Financial...