Thursday, March 28, 2024

Mass Malware Attack – Ransomware, Screenlockers, RATs, Attack & Gain Backdoor Access in Organization Networks

Researchers discovered a mass malware distribution campaign that utilized well-known political figures in the U.S. including President Donald Trump, and former presidential candidate Hillary Clinton with a series of ransomware, screen lockers, RATs, and other malicious applications.

A variety of malicious applications were uncovered with this campaign, and it was developed to infect the victims with ransomware and implant a backdoor in organization networks with political motivation.

Researchers believe that the malware authors are motivated by their political beliefs and turned to malware distribution in different forms.

Malware Infection Process

Initially, attackers deliver the malware via malspam email campaigns with fake body content related to banking fraud alerts, and it comes from the director of Global Risk for credit card company Visa.

The malspam emails come with a malicious attachment that contains RTF files, once it is opened, RTF documents retrieve a malicious PE32 executable from an attacker-controlled server using Dynamic Data Exchange (DDE).

The process of the infection starts when PE32 gets executed, and the malware authors developed a list of various names, terminology, and iconography that has generated headlines across the political spectrum.

There are several malware samples were uncovered, analyzed by researchers, and samples have been obtained from various malware repositories.

Fake Ransomware and Screen lockers

Several samples are used to infect the target that posed as an iconography related to well-known political figures such as Donald Trump with fake ransomware and screen lockers that don’t encrypt any files.

It tricks victims to believes that their system infected with ransomware is tricked into paying a ransom demand in an attempt to regain access to their data.

In another Donald Trump theme locker, it asks victims to take explicit action, and when they click on it, suddenly get a lock screen. if the victims click the button again, then the background will keep on changing.

RAT – Remote Access Trojan

Researchers also uncovered another politically-themed RAT campaign that delivered a Neshta and NJRAT that utilized a theme and unusual decoy images that were named “Papa-Putin[.]exe.” to deliver the payload to the victim’s machine.

According to Talo’s research, Finally, we came across a RAT that was being delivered via a Word document titled “12 things Trump should know about North Korea.doc.” At first, the document appeared to not function properly, as it took several minutes for the document to open on an analysis system.

Researchers found that this campaign also used malicious Excel spreadsheets as lure documents that contain an embedded SWF file that was developed to infect the victims with ROKRAT.

Crypters/Packers

This mass campaign also pushes Crypter with iconography with the name of “Trump Crypter” which helps to evade antivirus detection by encrypting the malicious code associated with malware binaries.

Apart from this malware, researchers also found a large number of “random” politically-related software applications.

The odd piece of software found in this campaign, called “Trump’s Cyber Security Firewall â„¢,” appeared to be focused on hardening Windows systems in a politically motivated way.

The app has the ability to enable debugging and remote desktop access. “There didn’t appear to be any malicious intent in the design of this app, instead it appears to be an application written to allow system administrators to complete some tasks they typically would encounter on a frequent basis when managing Windows endpoints”

“One of the unexpected aspects of the investigation was the presence of lures that dropped malware associated with multiple nation-state attacks in the past. ” Talos said.

Website

Latest articles

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...

ZENHAMMER – First Rowhammer Attack Impacting Zen-based AMD Platforms

Despite AMD's growing market share with Zen CPUs, Rowhammer attacks were absent due to...

Airbus to Acquire INFODAS to Strengthen its Cybersecurity Portfolio

Airbus Defence and Space plans to acquire INFODAS, a leading cybersecurity and IT solutions...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles