Thursday, December 5, 2024
HomeCyber CrimeHackers Attacking Users Searching For W2 Form

Hackers Attacking Users Searching For W2 Form

Published on

SIEM as a Service

A malicious campaign emerged on June 21, 2024, distributing a JavaScript file hosted on grupotefex.com, which executes an MSI installer, subsequently dropping a Brute Ratel Badger DLL into the user’s AppData. 

The command-and-control framework Brute Ratel then downloads and inserts the stealthy Latrodectus backdoor, which gives threat actors remote control, the ability to steal data, and the ability to send out more payloads. 

Zscaler ThreatLabz independently verified Brute Ratel’s involvement as an initial access broker for the Latrodectus malware family on June 23. 

- Advertisement - SIEM as a Service
Search Result for `w2 form 2024` Using Bing

An attacker leveraged Bing search results to redirect users from a lookalike domain (appointopia.com) to a fake IRS website (hxxps://grupotefex.com/forms-pubs/about-form-w-2/). 

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Clicking on the website triggered a CAPTCHA challenge. Solving the seemingly innocuous CAPTCHA resulted in downloading a malicious JavaScript file (Form_Ver-*.js) hosted on a Google Firebase storage bucket, which likely initiated the next stage of the attack. 

Sample CAPTCHA to Solve on `hxxps://grupotefex[.]com/forms-pubs/about-form-w-2/`

Analysis of the JS file `Form_ver-14-00-21.js` revealed a malicious code obfuscation technique where threat actors concealed malicious code within seemingly innocuous comments. 

The file leveraged a ScriptHandler class to extract hidden code starting with ‘/////’ and execute it using `new Function()`, which effectively hides malicious payloads, inflates file size, and evades antivirus detection. 

Additionally, the file’s inclusion of a valid authentication certificate enhances its legitimacy, emphasizing the threat actor’s intent to deceive. 

File Details for JS File `Form_ver-14-00-21.js`

The `Form_ver-14-00-21.js` script revealed its sole purpose as a downloader and executor of MSI packages from specified URLs by retrieving the MSI named “BST.msi” from the IP address 85.208.108.63 and initiating its installation. 

A similar incident on June 25th involved a different script downloading another MSI, “neuro.msi,” from a closely related IP, 85.208.108.30, indicating a potential campaign targeting systems with identical malicious payloads. 

Cleaned-up Contents of `Form_ver-14-00-21.js`

Rapid7 analyzed an MSI file named neuro.msi and found it contained a cabinet archive (disk1.cab) with a DLL named capisp.dll. 

The MSI installer also included a custom action that dropped capisp.dll into the user’s AppData/Roaming folder and executed it using rundll32.exe with the export named “remi,”  which suggests that the MSI package installs and runs capisp.dll, likely for a purpose related to the “remi” export function. 

Snippet of Code Contained Within `capisp.dll`

capisp.dll revealed a multi-stage malware infection chain, while the DLL associated with VLC contains an encrypted resource decrypted using a hardcoded XOR key. 

The decrypted data is a loader for a packed Brute Ratel Badger (BRC4) payload, which connects to multiple C2 domains and downloads Latrodectus malware, which is injected into Explorer.exe and communicates with several additional C2 URLs.

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

Latest articles

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...

Fuji Electric Indonesia Hit by Ransomware Attack

Fuji Electric Indonesia has fallen victim to a ransomware attack, impacting its operations and...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Cloudflare Developer Domains Abused For Cyber Attacks

Cloudflare Pages, a popular web deployment platform, is exploited by threat actors to host...

Weaponized Word Documents Attacking Windows Users to Deliver NetSupport & BurnsRAT

The threat actors distributed malicious JS scripts disguised as legitimate business documents, primarily in...

New TLDs Such as .shop, .top and .xyz Leveraged by Phishers

Phishing attacks have surged nearly 40% in the year ending August 2024, with a...