Sunday, May 12, 2024

Hackers Use Weaponized PDFs and Chat Apps for C2 to Evade Detection

By Eswar

35 Malware Android Apps

A malware campaign targeting the Ministries of Foreign Affairs of NATO-aligned countries was recently discovered, which used PDF files masquerading as a German Embassy email. One of the PDF files consists of Duke malware which was previously linked with a Russian-state-sponsored cyber espionage group, APT29.

APT29 was attributed to Russia’s Foreign Intelligence Service (SVR) and uses Zulip, an open-source chat application for command and control. This evades and hides the malicious network traffic behind legitimate traffic.

PDF with HTML Smuggling

Further investigations revealed that these two PDF files that are received through email consist of an invitation lure that targets diplomatic entities. The themes used for these documents have contents related to “Farewell to Ambassador of Germany” and “Day of German Unity”.

The first PDF document also contains an embedded JavaScript code for delivering the multi-staged payloads in HTML file format. When the victim opens the file after the warning from Adobe Acrobat, the code launches the malicious HTML file called “Invitation_Farewell_DE_EMB”.

Embedded HTML Smuggler (Source: EclecticIQ)

Through HTML Smuggling, a malicious HTML application file (HTA) is received, which is a widely used LOLBIN (Living Off the Land BINary). This HTA file acts as a standalone malware application that gets executed by the Windows HTA engine mshta.exe. This execution delivers the Duke malware variant.

Malware Delivery Stages (Source: EclecticIQ)

The other PDF document does not contain any malicious contents; instead, it sends a notification to the threat actor whether the attachment was opened.

DLL Sideloading Abused to Execute Duke Variant Malware

The HTA file drops three executables on the directory C:\Windows\Tasks for DLL sideloading. The three files include 

  • AppVIsvSubsystems64.dll – This is a library loaded into msoev.exe for performing the execution without any failure.
  • Mso.dll – This is the Duke malware variant that is loaded into the msoev.exe through DLL Sideloading.
  • Msoev.exe – This is a signed Windows binary that automatically loads mso.dll and AppVIsvSubsystems64.dll when executed.

A complete report has been published, which provides detailed information on the malware campaign and the activities carried out.

Indicators of Compromise

PDF Lure:

Fc53c75289309ffb7f65a3513e7519eb
50f57a4a4bf2c4b504954a36d48c99e7

C2 Servers:

toyy[.]zulipchat[.]com
sgrhf[.]org[.]pk
edenparkweddings[.]com

Duke Malware Variant:

0be11b4f34ede748892ea49e473d82db
5e1389b494edc86e17ff1783ed6b9d37
d817f36361f7ac80aba95f98fe5d337d

MITRE ATT&CK Techniques

Spearphishing Attachment - T1566.001
DLL Side-Loading - T1574.002
HTML Smuggling - T1027.006
Embedded Payloads - T1027.009
Dynamic API Resolution - T1027.007
System Binary Proxy Execution: Mshta - T1218.005
Application Layer Protocol: Web Protocols - T1071.001
User Execution: Malicious File - T1204.002
Compromise Infrastructure: Web Services - T1584.006

Keep informed about the latest Cyber Security News by following us on GoogleNewsLinkedinTwitter, and Facebook.

Managed WAF Protection

Website

Latest articles

Cyber Security News

PoC Released for Critical PuTTY Private Key Recovery Vulnerability

Security researchers have published a Proof-of-Concept (PoC) exploit for a critical vulnerability in the...
cyber security

HackCar – Attack AND Defense Playground For Automotive System

Modern cars have microcontrollers that use the Controller Area Network (CAN) to perform safety...
Cyber Attack

DDoS Attack Size Increased by 233.33%, UDP-Based are Popular

The latest Nexusguard DDoS Trend Report for 2024 has unveiled a significant escalation in...
Cloud

New LLMjacking Used Stolen Cloud Credentials to Attack Cloud LLM Servers

Researchers have identified a new form of cyberattack termed "LLMjacking," which exploits stolen cloud...
Cyber Attack

HijackLoader Malware Attack Windows Via Weaponized PNG Image

In a recent cybersecurity breakthrough, researchers have unveiled significant updates to the HijackLoader malware,...
cyber security

North Korean Hackers Abusing Facebook & MS Management Console

The North Korean hacking group known as Kimsuky has been reported to employ sophisticated...
cyber security

Dell Hacked – Attackers Stolen 49 Million Customers Personal Information

Dell Technologies recently disclosed a data breach involving a company portal that contained limited...
Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

    • Book Your Spot

Related Articles

Connect with GBHackers On Security

Join 70,000 Security Professionals

Stay safe online with free daily cybersecurity updates. Sign up now!

GBHackers on security is a highly informative and reliable Cyber Security News platform that provides the latest and most relevant updates on Cyber Security News, Hacking News, Technology advancements, and Kali Linux tutorials on a daily basis. The platform is dedicated to keeping the community well-informed and up-to-date with the constantly evolving Cyber World.

Menu

Contact US:

Email : [email protected]