Thursday, March 28, 2024

Iron Cybercrime Group Distributing New Powerful Backdoor with Strong Evasion Techniques

Newly discovered powerful & previously unknown backdoor using HackingTeam’s leaked Remote Control System (RCS) code to infect the thousands of victim around the world.

This backdoor is created by Iron Cybercrime Group who is behind the recently dicovered Iron ransomware that infected various countries victims in past year.

Also, Iron Cybercrime Group actively developing and infecting victims with various type of cyber threats such as backdoor, crypto-miners, and ransomware for  Windows, Linux and Android platforms.

Further analysis revealed that this backdoor contains a source code of HackingTeam’s Remote Control System hacking tool also they used  IronStealer and Iron ransomware is a function with this backdoor.

Iron Cybercrime Group Backdoor working Function

This powerful backdoor employing the various advance technique to evade the detection and maintain its persistence within the infected system.

Initially, it drops malicious chrome extension in %appdata% folder and extracts the malicious code to schedule the task to execute its malicious VBS  script.

Later it Drops backdoor dll to %localappdata%\Temp\\<random>.dat and check the OS version for further infection.

As we already saw that this backdoor using two other malware functions that developed by the HackingTeam cyber criminals and this backdoor also employing the evasion techniques such as Anti-VM.

Also, it can able to detect the Cuckoo Sandbox, VMWare product & Oracle’s VirtualBox and using its Anti-VM function to evade the detection.

Iron Backdoor using dynamically call external library function by obfuscated the function name that gives more pain for an analyst to perform static analysis.

According to intezer, A patched version of the popular Adblock Plus chrome extension is used to inject both the in-browser crypto-mining module (based on CryptoNoter) and the in-browser payment hijacking module.

also, it checks the anti-virus software  360 SafeGuard or 360 Internet Security by reading the registry key. if it found the AV software then it using hardcoded root CA certificate on the victim’s workstation to install the rogue malware.

This Fake CA certificate signed the binary that makes backdoor look legitimate. researchers suspect that the Team behind this backdoor operates it from China because Searches for wallet file names in Chinese on victims’ workstations and it Won’t install persistence if Qhioo360(popular Chinese AV) is found.

Also Read:

Malicious Chrome and Edge Browser Extension Deliver Powerful Backdoor & RAT to Spy Victims PC

Turla Mosquito Hacking Group Exploiting Backdoor Using Metasploit To Compromise the Target System

Malicious Payload Evasion Techniques to Bypass Antivirus with Advanced Exploitation Frameworks

Hackers Increasing the use of “Command Line Evasion and Obfuscation” to Spread Advance Level Threats

Website

Latest articles

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles