Tuesday, May 28, 2024

Beware:Emails Delivering Backdoor and Injecting Malicious Scripts into Enterprise Networks

Nowadays Email campaign playing major role to spreading Malwares, backdoor and advance exploit to take over the single target and Enterprise networks.

A New Backdoor Contained Malicious Email champaign that carries Malicious scripts which are spreading in Russian Language and it seems that , this malicious email campaign is developed for attacking Russian Enterprises.

This Malicious Backdoor delivering by a combination of exploits and Windows components helps to take over the infected victims Machine.

This Malicious component not only developed to infect the Enterprise network but also capable of attacking the other industries such as financial institutions, including banks, and mining firms.

Also Read   A Complete Fileless Malware “JS_POWMET” with Highly Sophisticated Evasion Technique

Backdoor Infection Chain

A Social Engineering Method Called Spear Phishing Champaign has played major role in this Part to infect the target Via Email.

A Malicious Email that contains legitimate information and it’s completely looks like an actual Sales and Billing information which is given in Russian Language.

“Email also having an Attached Document file as .DOC in Different file names in russian Language.Инструкция для подключения клиентов.doc (Instructions for connecting clients) and Заявление на оплату услуги .doc (Application for payment of the service).”


Malware Attacked Email

Attacked Document has Embedded with Malware Rich Text Format (RTF) file Detected as TROJ_EXPLOYT.JEJORC by Trend Micro.

Further, Analyse  Revealed that, the Malicious file contains embedded .XLS Malicious javascript files from this URL ( hxxps://wecloud[.]biz/m11[.]xls).

All the malicious URL used for this attacks are controlled by the attacker that was Registered on July ,Trend Micro said.


Attack Chain

This Malicious javascript file dropped Two Powershell script . One script used to download and launch the Malformed Document and another script continue the chain of infection.

After Download the another file by second Powershell script , downloaded file will be decrypted using AES-CBC Cipher Algorithm.

Once Decryption has done ,file will be saved as .TXT Extension to the  %Appdata% .The decrypted file is a dynamic-link library (DLL) file detected as TROJ_DROPNAKJS.ZGEG-A.

The JavaScript code in m11.xls will then execute the file using the following command line:

odbcconf.exe /S /A {REGSVR C:\Users\Administrator\AppData\Roaming\{RANDOM}.txt}
Dropped file into %Appdata% has malicious, obfuscated JavaScript file (JS_NAKJS.ZIEG-A).

Finall, DDL will Execute the following Command that uses MS Regsvr32 (Microsoft Server Registry)that has used to register and unregister the OLE controls.

regsvr32.exe /s /n /u /i:”C:\Users\Administrator\AppData\Roaming\{RANDOM}.txt” scroBj.dll
This attack method is also known as Squiblydoo—Regsvr32 is abused to bypass restrictions on running scripts. It also means evading application whitelisting protections such as AppLocker. While Squiblydoo is already a known attack vector, this is the first time we’ve seen it combined with odbcconf.exe.

Finally after Deobfuscated done ,it will execute another XML file then later the file serves as the main backdoor .


Latest articles

PoC Exploit Released For macOS Privilege Escalation Vulnerability

A new vulnerability has been discovered in macOS Sonoma that is associated with privilege...

CatDDoS Exploiting 80+ Vulnerabilities, Attacking 300+ Targets Daily

Malicious traffic floods targeted systems, servers, or networks in Distributed Denial of Service (DDoS)...

GNOME Remote Desktop Vulnerability Let Attackers Read Login Credentials

GNOME desktop manager was equipped with a new feature which allowed remote users to...

Kesakode: A Remote Hash Lookup Service To Identify Malware Samples

Today marks a significant milestone for Malcat users with the release of version 0.9.6,...

Cisco Firepower Vulnerability Let Attackers Launch SQL Injection Attacks

 A critical vulnerability has been identified in Cisco Firepower Management Center (FMC) Software's web-based...

Hackers Exploit WordPress Plugin to Steal Credit Card Data

Hackers have exploited an obscure WordPress plugin to inject malware into websites, specifically targeting...

Google Patches Chrome Zero-Day: Type Confusion in V8 JavaScript

Google has released a patch for a zero-day exploit in its Chrome browser.The...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles