Thursday, March 28, 2024

Beware: Emails Delivering Backdoor and Injecting Malicious Scripts into Enterprise Networks

Email campaigns now play a major role in spreading malware, backdoors and advanced exploits to take over individual targets and enterprise networks.

A new malicious email campaign carries a backdoor and malicious scripts. The emails are written in Russian, and the campaign appears to have been developed to attack Russian enterprises.

The backdoor is delivered by a combination of exploits and Windows components that help take over the infected victim's machine.

The malicious component was developed not only to infect enterprise networks; it is also capable of attacking other industries such as financial institutions, including banks, and mining firms.

Backdoor Infection Chain

A social engineering method, a spear phishing campaign, plays the major role in this stage, infecting the target via email.

The malicious email contains legitimate information and looks exactly like actual sales and billing information, written in Russian.

“The email also has an attached document file (.DOC) under different file names in Russian: Инструкция для подключения клиентов.doc (Instructions for connecting clients) and Заявление на оплату услуги .doc (Application for payment of the service).”

Malware Attacked Email

The attached document has an embedded malicious Rich Text Format (RTF) file, detected as TROJ_EXPLOYT.JEJORC by Trend Micro.

Further analysis revealed that the malicious file contains an embedded malicious JavaScript .XLS file from this URL (hxxps://wecloud[.]biz/m11[.]xls).

All the malicious URLs used in these attacks are controlled by the attacker and were registered in July, Trend Micro said.

Attack Chain

This malicious JavaScript file drops two PowerShell scripts. One script is used to download and launch the malformed document, and the other continues the chain of infection.

After the second PowerShell script downloads another file, the downloaded file is decrypted using the AES-CBC cipher algorithm.

Once decryption is done, the file is saved with a .TXT extension to %Appdata%. The decrypted file is a dynamic-link library (DLL) file detected as TROJ_DROPNAKJS.ZGEG-A.

The JavaScript code in m11.xls will then execute the file using the following command line:

odbcconf.exe /S /A {REGSVR C:\Users\Administrator\AppData\Roaming\{RANDOM}.txt}

The file dropped into %Appdata% contains malicious, obfuscated JavaScript (JS_NAKJS.ZIEG-A).

Finally, the DLL executes the following command, which uses Regsvr32 (Microsoft Register Server), a utility used to register and unregister OLE controls.

regsvr32.exe /s /n /u /i:"C:\Users\Administrator\AppData\Roaming\{RANDOM}.txt" scroBj.dll

This attack method is also known as Squiblydoo—Regsvr32 is abused to bypass restrictions on running scripts. It also means evading application whitelisting protections such as AppLocker. While Squiblydoo is already a known attack vector, this is the first time we’ve seen it combined with odbcconf.exe.

Finally, once deobfuscation is done, it executes another XML file, which then serves as the main backdoor.
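For defenders, the two command lines quoted above are the most huntable part of this chain. The following is an added example, not code from the article or from Trend Micro: a small Python detector that flags both patterns in process-creation command lines. The rule names, the non-.dll heuristic and the sample events are assumptions constructed for illustration.

```python
import re

# Added example; rule names and SAMPLE_EVENTS are constructed for illustration.
QUOTES = '"\'\u201c\u201d'  # straight and curly quotes that may wrap a path

# odbcconf.exe ... {REGSVR <path>}: capture the file being registered.
ODBCCONF_RE = re.compile(r'odbcconf(?:\.exe)?\b.*?\{\s*REGSVR\s+(.+)\}', re.I)
# regsvr32.exe ... /i:<target> ... scrobj.dll: capture the script target.
SQUIBLYDOO_RE = re.compile(
    r'regsvr32(?:\.exe)?\b.*?/i:\s*(.+?)\s+\S*scrobj\.dll', re.I)


def classify(cmdline):
    """Return a list of (rule, target) findings for one command line."""
    findings = []
    m = ODBCCONF_RE.search(cmdline)
    if m:
        target = m.group(1).strip().strip(QUOTES)
        # Heuristic (assumption): REGSVR is expected to point at a .dll;
        # the payload in this article was registered from a .txt file.
        if not target.lower().endswith('.dll'):
            findings.append(('odbcconf_regsvr_non_dll', target))
    m = SQUIBLYDOO_RE.search(cmdline)
    if m:
        # Case-insensitive match also catches mixed case such as scroBj.dll.
        findings.append(('regsvr32_scrobj_script', m.group(1).strip(QUOTES)))
    return findings


def scan(events):
    """Return {event_index: findings} for events that matched a rule."""
    return {i: f for i, e in enumerate(events) if (f := classify(e))}


SAMPLE_EVENTS = [  # constructed; the first two mirror the article's commands
    r'odbcconf.exe /S /A {REGSVR C:\Users\Administrator\AppData\Roaming\{RANDOM}.txt}',
    'regsvr32.exe /s /n /u /i:\u201dC:\\Users\\Administrator\\AppData\\Roaming'
    '\\{RANDOM}.txt\u201d scroBj.dll',
    r'regsvr32.exe /s C:\Windows\System32\msxml3.dll',        # benign shape
    r'odbcconf.exe /S /A {REGSVR C:\Windows\System32\example.dll}',  # benign shape
]

if __name__ == '__main__':
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits)
```

The same two patterns translate directly into a SIEM query over process-creation events (for example Sysmon Event ID 1 or Windows Security 4688 with command-line logging enabled).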

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
