Sunday, April 20, 2025
HomeComputer SecurityDangerousPassword - Hackers Use New Attack Pattern to Infect Devices With Malware

DangerousPassword – Hackers Use New Attack Pattern to Infect Devices With Malware

Published on

SIEM as a Service

Follow Us on Google News

Recently, it has been observed by JPCERT/CC that threat actors are actively targeting the cryptocurrency exchanges linked to the DangerousPassword attack campaign (aka CryptoMimic or SnatchCrypto), involving the distribution of malware through email shortcuts since June 2019.

Apart from malware distribution through email, various attack patterns are utilized by the attackers to infect targets with malware, with four specific patterns being observed.

Here below we have mentioned those four attack patterns:-

- Advertisement - Google News
  • Attacks by sending malicious CHM files from LinkedIn
  • Attacks using OneNote files
  • Attacks using virtual hard disk files
  • Attacks targeting macOS

Analysis of Attack Patterns

Here below, we have mentioned the complete analysis of the four attack patterns that are observed:-

Attacks by sending malicious CHM files from LinkedIn

Attackers employ alternative methods of reaching targets by utilizing LinkedIn to send malware, where the compressed RAR file received contains a CHM file that, upon execution, downloads and runs an external MSI file.

DangerousPassword

Upon execution, the MSI file deploys a PowerShell script to download and execute another MSI file (Administrator-a214051.msi) which, in turn, collects and transmits information about infected hosts via HTTP POST request in Base64 encoded format.

Researchers have confirmed that compromised LinkedIn accounts, posing as job providers, are used to send malware to targets, although the method of compromising social networking accounts by the attackers remains unknown.

DangerousPassword

Attacks Using OneNote files

The utilization of OneNote file exploitation for malware infection, observed in Emotet and other malware attacks, is increasingly prevalent in email attachment-based infection campaigns.

In line with other malware attacks, DangerousPassword employs a OneNote file containing embedded malware, and opening the file triggers the infection.

DangerousPassword

The OneNote file contains a malicious MSI file that installs a DLL on the host and executes it, while also possessing the ability to identify AV tools.

Upon detecting specific antivirus software, the malware adjusts its actions by terminating the following things:-

  • It hooks the process to NTDLL to evade monitoring
  • Modifying data in curl commands
  • Altering the method of launching downloaded malware

Here below we have mentioned the AV programs:-

  • Avast
  • Avira
  • Bitdefender
  • Kaspersky
  • Sophos
  • Trend Micro
  • Windows Defender

Attacks using virtual hard disk files

According to the report, Attackers can conceal malware by compressing it in ZIP or RAR formats, incorporating it into an ISO file, or embedding it within a VHD file, which can be mounted on Windows OS by double-clicking and is commonly used for Hyper-V virtualization.

The VHD file includes a decoy PDF, the main malware (DLL), and an executable (EXE) to initiate the DLL. The DLL file operates similarly to the OneNote file’s malware.

Attacks targeting macOS

Attackers are now targeting both Windows and macOS by utilizing an AppleScript that downloads and executes an unauthorized application through the main.scpt file using the curl command.

DangerousPassword

The executed application displays a window and utilizes XOR decoding to read file contents, downloads a file from the decoded command and control (C2) server, and subsequently executes it.

The persistent APT group DangerousPassword targets cryptocurrency exchanges in Japan, utilizing LinkedIn as a potential contact method, necessitating caution when engaging with social media platforms. 

Additionally, macOS users should exercise vigilance as the attackers can exploit the operating system’s vulnerabilities.

Building Your Malware Defense Strategy – Download Free E-Book

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

10 Best Patch Management Tools 2025

In today's digital landscape, maintaining secure and efficient IT systems is critical for organizations....

10 Best Cloud Security Solutions 2025

In today’s digital era, businesses are increasingly adopting cloud computing to store data, run...

Chinese Hackers Exploit Ivanti Connect Secure Flaw to Gain Unauthorized Access

In a sophisticated cyber-espionage operation, a group known as UNC5221, suspected to have China-nexus,...

New Android SuperCard X Malware Uses NFC-Relay Technique for POS & ATM Transactions

A new malware strain known as SuperCard X has emerged, utilizing an innovative Near-Field...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

10 Best Patch Management Tools 2025

In today's digital landscape, maintaining secure and efficient IT systems is critical for organizations....

10 Best Cloud Security Solutions 2025

In today’s digital era, businesses are increasingly adopting cloud computing to store data, run...

Chinese Hackers Exploit Ivanti Connect Secure Flaw to Gain Unauthorized Access

In a sophisticated cyber-espionage operation, a group known as UNC5221, suspected to have China-nexus,...