Hackers Attacking Users Searching For W2 Form

A malicious campaign emerged on June 21, 2024, distributing a JavaScript file hosted on grupotefex.com, which executes an MSI installer, subsequently dropping a Brute Ratel Badger DLL into the user’s AppData. 

The command-and-control framework Brute Ratel then downloads and inserts the stealthy Latrodectus backdoor, which gives threat actors remote control, the ability to steal data, and the ability to send out more payloads. 

Zscaler ThreatLabz independently verified Brute Ratel’s involvement as an initial access broker for the Latrodectus malware family on June 23. 

Search Result for `w2 form 2024` Using Bing

An attacker leveraged Bing search results to redirect users from a lookalike domain (appointopia.com) to a fake IRS website (hxxps://grupotefex.com/forms-pubs/about-form-w-2/). 

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Clicking on the website triggered a CAPTCHA challenge. Solving the seemingly innocuous CAPTCHA resulted in downloading a malicious JavaScript file (Form_Ver-*.js) hosted on a Google Firebase storage bucket, which likely initiated the next stage of the attack. 

Sample CAPTCHA to Solve on `hxxps://grupotefex[.]com/forms-pubs/about-form-w-2/`

Analysis of the JS file `Form_ver-14-00-21.js` revealed a malicious code obfuscation technique where threat actors concealed malicious code within seemingly innocuous comments. 

The file leveraged a ScriptHandler class to extract hidden code starting with ‘/////’ and execute it using `new Function()`, which effectively hides malicious payloads, inflates file size, and evades antivirus detection. 

Additionally, the file’s inclusion of a valid authentication certificate enhances its legitimacy, emphasizing the threat actor’s intent to deceive. 

File Details for JS File `Form_ver-14-00-21.js`

The `Form_ver-14-00-21.js` script revealed its sole purpose as a downloader and executor of MSI packages from specified URLs by retrieving the MSI named “BST.msi” from the IP address 85.208.108.63 and initiating its installation. 

A similar incident on June 25th involved a different script downloading another MSI, “neuro.msi,” from a closely related IP, 85.208.108.30, indicating a potential campaign targeting systems with identical malicious payloads. 

Cleaned-up Contents of `Form_ver-14-00-21.js`

Rapid7 analyzed an MSI file named neuro.msi and found it contained a cabinet archive (disk1.cab) with a DLL named capisp.dll. 

The MSI installer also included a custom action that dropped capisp.dll into the user’s AppData/Roaming folder and executed it using rundll32.exe with the export named “remi,”  which suggests that the MSI package installs and runs capisp.dll, likely for a purpose related to the “remi” export function. 

Snippet of Code Contained Within `capisp.dll`

capisp.dll revealed a multi-stage malware infection chain, while the DLL associated with VLC contains an encrypted resource decrypted using a hardcoded XOR key. 

The decrypted data is a loader for a packed Brute Ratel Badger (BRC4) payload, which connects to multiple C2 domains and downloads Latrodectus malware, which is injected into Explorer.exe and communicates with several additional C2 URLs.

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

Aman Mishra

Recent Posts

Resecurity introduces Government Security Operations Center (GSOC) at NATO Edge 2024

Resecurity, a global leader in cybersecurity solutions, unveiled its advanced Government Security Operations Center (GSOC)…

9 hours ago

Reserachers Uncovered Zloader DNS Tunneling Tactics For Stealthy C2 Communication

Zloader, a sophisticated Trojan, has recently evolved with features that enhance its stealth and destructive…

9 hours ago

US Charged Chinese Hackers for Exploiting Thousands of Firewall

The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned Sichuan Silence Information…

9 hours ago

DMD Diamond Launches Open Beta for v4 Blockchain Ahead of 2025 Mainnet

DMD Diamond - one of the oldest blockchain projects in the space has announced the start…

9 hours ago

Hackers Deploy Weaponized LNK Files for Malicious Payload Delivery

Researchers reported a phishing attack on December 4th, 2024, where malicious emails purportedly from the…

9 hours ago

APT-C-60 Hackers Penetrate Org’s Network Using a Weapanized Google Drive link

The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) has confirmed an advanced cyber attack…

11 hours ago