Thursday, October 10, 2024
HomeCyber AttackHackers Use Custom Backdoor & Powershell Scripts to Attack Windows Machines

Hackers Use Custom Backdoor & Powershell Scripts to Attack Windows Machines

Published on

The Damselfly Advanced Persistent Threat (APT) group, also known as APT42, has been actively utilizing custom backdoor variants, NiceCurl and TameCat, to infiltrate Windows machines.

These backdoors are primarily delivered through spear-phishing campaigns, marking a significant escalation in the capabilities and focus of this Iranian state-sponsored hacking group.

Document

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

- Advertisement - EHA
  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

Sophisticated Tools for Stealthy Operations

The NiceCurl and TameCat backdoors represent a sophisticated toolkit in Damselfly’s arsenal, enabling threat actors to gain initial access to targeted environments discreetly.

NiceCurl, a VBScript-based malware, is designed to download and execute additional malicious modules, enhancing the attackers’ control over compromised systems.

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free.

On the other hand, the TameCat backdoor facilitates the execution of PowerShell and C# scripts, allowing for further exploitation by downloading additional arbitrary content.

These tools are part of a broader strategy employed by Damselfly to conduct espionage and potentially disrupt operations at targeted facilities.

According to Broadcom report, the group’s activities have been primarily directed at energy companies and other critical infrastructure sectors across the U.S., Europe, and the Middle East.

The sophistication of their methods and the critical nature of their targets underscore the high level of threat they pose.

These include adaptive, behavior, file, and network-based detection mechanisms, ensuring robust defense against Damselfly’s tactics.

The security firm’s efforts are crucial in mitigating the risks posed by such state-sponsored cyber activities, characterized by their complexity and stealth.

The operations of the Damselfly group highlight the ongoing challenges in cybersecurity, where state-sponsored actors employ advanced techniques and malware to achieve their objectives.

Using custom backdoors like NiceCurl and TameCat, coupled with spear-phishing campaigns, enables these actors to maintain persistence in their target networks and carry out their missions with a high degree of secrecy and efficiency.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Foxit PDF Reader Vulnerability Let Attackers Execute Arbitary Code

Researchers recently disclosed six new security vulnerabilities across various software, as one critical vulnerability...