Tuesday, July 23, 2024

Mass Malware Attack – Ransomware, Screenlockers, RATs, Attack & Gain Backdoor Access in Organization Networks

Researchers discovered a mass malware distribution campaign that utilized well-known political figures in the U.S. including President Donald Trump, and former presidential candidate Hillary Clinton with a series of ransomware, screen lockers, RATs, and other malicious applications.

A variety of malicious applications were uncovered with this campaign, and it was developed to infect the victims with ransomware and implant a backdoor in organization networks with political motivation.

Researchers believe that the malware authors are motivated by their political beliefs and turned to malware distribution in different forms.

Malware Infection Process

Initially, attackers deliver the malware via malspam email campaigns with fake body content related to banking fraud alerts, and it comes from the director of Global Risk for credit card company Visa.

The malspam emails come with a malicious attachment that contains RTF files, once it is opened, RTF documents retrieve a malicious PE32 executable from an attacker-controlled server using Dynamic Data Exchange (DDE).

The process of the infection starts when PE32 gets executed, and the malware authors developed a list of various names, terminology, and iconography that has generated headlines across the political spectrum.

There are several malware samples were uncovered, analyzed by researchers, and samples have been obtained from various malware repositories.

Fake Ransomware and Screen lockers

Several samples are used to infect the target that posed as an iconography related to well-known political figures such as Donald Trump with fake ransomware and screen lockers that don’t encrypt any files.

It tricks victims to believes that their system infected with ransomware is tricked into paying a ransom demand in an attempt to regain access to their data.

In another Donald Trump theme locker, it asks victims to take explicit action, and when they click on it, suddenly get a lock screen. if the victims click the button again, then the background will keep on changing.

RAT – Remote Access Trojan

Researchers also uncovered another politically-themed RAT campaign that delivered a Neshta and NJRAT that utilized a theme and unusual decoy images that were named “Papa-Putin[.]exe.” to deliver the payload to the victim’s machine.

According to Talo’s research, Finally, we came across a RAT that was being delivered via a Word document titled “12 things Trump should know about North Korea.doc.” At first, the document appeared to not function properly, as it took several minutes for the document to open on an analysis system.

Researchers found that this campaign also used malicious Excel spreadsheets as lure documents that contain an embedded SWF file that was developed to infect the victims with ROKRAT.


This mass campaign also pushes Crypter with iconography with the name of “Trump Crypter” which helps to evade antivirus detection by encrypting the malicious code associated with malware binaries.

Apart from this malware, researchers also found a large number of “random” politically-related software applications.

The odd piece of software found in this campaign, called “Trump’s Cyber Security Firewall ™,” appeared to be focused on hardening Windows systems in a politically motivated way.

The app has the ability to enable debugging and remote desktop access. “There didn’t appear to be any malicious intent in the design of this app, instead it appears to be an application written to allow system administrators to complete some tasks they typically would encounter on a frequent basis when managing Windows endpoints”

“One of the unexpected aspects of the investigation was the presence of lures that dropped malware associated with multiple nation-state attacks in the past. ” Talos said.


Latest articles

Beware Of Dating Apps Exposing Your Personal And Location Details To Cyber Criminals

Threat actors often attack dating apps to steal personal data, including sensitive data and...

Hackers Abusing Google Cloud For Phishing

Threat actors often attack cloud services for several illicit purposes. Google Cloud is targeted...

Two Russian Nationals Charged for Cyber Attacks against U.S. Critical Infrastructure

The United States has designated Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, two members...

Threat Actors Taking Advantage of CrowdStrike BSOD Bug to Deliver Malware

Threat actors have been found exploiting a recently discovered bug in CrowdStrike's software that...

NCA Shut’s Down the Most Popular “digitalstress” DDoS-for-hire Service

The National Crime Agency (NCA) has successfully infiltrated and dismantled one of the most...

Play Ransomware’s Linux Variant Attacking VMware ESXi Servers

A new Linux variant of Play ransomware targets VMware ESXi environments, which encrypts virtual...

SonicOS IPSec VPN Vulnerability Let Attackers Cause Dos Condition

SonicWall has disclosed a critical heap-based buffer overflow vulnerability in its SonicOS IPSec VPN....
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles