Tuesday, March 19, 2024

Mass Malware Attack – Ransomware, Screenlockers, RATs, Attack & Gain Backdoor Access in Organization Networks

Researchers discovered a mass malware distribution campaign that utilized well-known political figures in the U.S. including President Donald Trump, and former presidential candidate Hillary Clinton with a series of ransomware, screen lockers, RATs, and other malicious applications.

A variety of malicious applications were uncovered with this campaign, and it was developed to infect the victims with ransomware and implant a backdoor in organization networks with political motivation.

Researchers believe that the malware authors are motivated by their political beliefs and turned to malware distribution in different forms.

Malware Infection Process

Initially, attackers deliver the malware via malspam email campaigns with fake body content related to banking fraud alerts, and it comes from the director of Global Risk for credit card company Visa.

The malspam emails come with a malicious attachment that contains RTF files, once it is opened, RTF documents retrieve a malicious PE32 executable from an attacker-controlled server using Dynamic Data Exchange (DDE).

The process of the infection starts when PE32 gets executed, and the malware authors developed a list of various names, terminology, and iconography that has generated headlines across the political spectrum.

There are several malware samples were uncovered, analyzed by researchers, and samples have been obtained from various malware repositories.

Fake Ransomware and Screen lockers

Several samples are used to infect the target that posed as an iconography related to well-known political figures such as Donald Trump with fake ransomware and screen lockers that don’t encrypt any files.

It tricks victims to believes that their system infected with ransomware is tricked into paying a ransom demand in an attempt to regain access to their data.

In another Donald Trump theme locker, it asks victims to take explicit action, and when they click on it, suddenly get a lock screen. if the victims click the button again, then the background will keep on changing.

RAT – Remote Access Trojan

Researchers also uncovered another politically-themed RAT campaign that delivered a Neshta and NJRAT that utilized a theme and unusual decoy images that were named “Papa-Putin[.]exe.” to deliver the payload to the victim’s machine.

According to Talo’s research, Finally, we came across a RAT that was being delivered via a Word document titled “12 things Trump should know about North Korea.doc.” At first, the document appeared to not function properly, as it took several minutes for the document to open on an analysis system.

Researchers found that this campaign also used malicious Excel spreadsheets as lure documents that contain an embedded SWF file that was developed to infect the victims with ROKRAT.

Crypters/Packers

This mass campaign also pushes Crypter with iconography with the name of “Trump Crypter” which helps to evade antivirus detection by encrypting the malicious code associated with malware binaries.

Apart from this malware, researchers also found a large number of “random” politically-related software applications.

The odd piece of software found in this campaign, called “Trump’s Cyber Security Firewall â„¢,” appeared to be focused on hardening Windows systems in a politically motivated way.

The app has the ability to enable debugging and remote desktop access. “There didn’t appear to be any malicious intent in the design of this app, instead it appears to be an application written to allow system administrators to complete some tasks they typically would encounter on a frequent basis when managing Windows endpoints”

“One of the unexpected aspects of the investigation was the presence of lures that dropped malware associated with multiple nation-state attacks in the past. ” Talos said.

Website

Latest articles

Beware Of Free wedding Invite WhatsApp Scam That Steal Sensitive Data

The ongoing "free wedding invite" scam is one of several innovative campaigns aimed at...

Hackers Using Weaponized SVG Files in Cyber Attacks

Cybercriminals have repurposed Scalable Vector Graphics (SVG) files to deliver malware, a technique that...

New Acoustic Keyboard Side Channel Attack Let Attackers Steal Sensitive Data

In recent years, personal data security has surged in importance due to digital device...

Discontinued WordPress Plugin Flaw Exposes Websites to Cyber Attacks

A critical vulnerability was discovered in two plugins developed by miniOrange.The affected plugins,...

ShadowSyndicate Hackers Exploiting Aiohttp Vulnerability To Access Sensitive Data

A new Aiohttp vulnerability has been discovered, which the threat actor ShadowSyndicate exploits.Aiohttp...

Hackers Launching AI-Powered Cyber Attacks to Steal Billions

INTERPOL's latest assessment on global financial fraud uncovers the sophisticated evolution of cybercrime, fueled...

Fujitsu Hacked – Attackers Infected The Company Computers with Malware

Fujitsu Limited announced the discovery of malware on several of its operational computers, raising...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles