Tuesday, March 19, 2024

Mass Malware Attack – Ransomware, Screenlockers, RATs, Attack & Gain Backdoor Access in Organization Networks

Researchers discovered a mass malware distribution campaign that utilized well-known political figures in the U.S. including President Donald Trump, and former presidential candidate Hillary Clinton with a series of ransomware, screen lockers, RATs, and other malicious applications.

A variety of malicious applications were uncovered with this campaign, and it was developed to infect the victims with ransomware and implant a backdoor in organization networks with political motivation.

Researchers believe that the malware authors are motivated by their political beliefs and turned to malware distribution in different forms.

Malware Infection Process

Initially, attackers deliver the malware via malspam email campaigns with fake body content related to banking fraud alerts, and it comes from the director of Global Risk for credit card company Visa.

The malspam emails come with a malicious attachment that contains RTF files, once it is opened, RTF documents retrieve a malicious PE32 executable from an attacker-controlled server using Dynamic Data Exchange (DDE).

The process of the infection starts when PE32 gets executed, and the malware authors developed a list of various names, terminology, and iconography that has generated headlines across the political spectrum.

There are several malware samples were uncovered, analyzed by researchers, and samples have been obtained from various malware repositories.

Fake Ransomware and Screen lockers

Several samples are used to infect the target that posed as an iconography related to well-known political figures such as Donald Trump with fake ransomware and screen lockers that don’t encrypt any files.

It tricks victims to believes that their system infected with ransomware is tricked into paying a ransom demand in an attempt to regain access to their data.

In another Donald Trump theme locker, it asks victims to take explicit action, and when they click on it, suddenly get a lock screen. if the victims click the button again, then the background will keep on changing.

RAT – Remote Access Trojan

Researchers also uncovered another politically-themed RAT campaign that delivered a Neshta and NJRAT that utilized a theme and unusual decoy images that were named “Papa-Putin[.]exe.” to deliver the payload to the victim’s machine.

According to Talo’s research, Finally, we came across a RAT that was being delivered via a Word document titled “12 things Trump should know about North Korea.doc.” At first, the document appeared to not function properly, as it took several minutes for the document to open on an analysis system.

Researchers found that this campaign also used malicious Excel spreadsheets as lure documents that contain an embedded SWF file that was developed to infect the victims with ROKRAT.

Crypters/Packers

This mass campaign also pushes Crypter with iconography with the name of “Trump Crypter” which helps to evade antivirus detection by encrypting the malicious code associated with malware binaries.

Apart from this malware, researchers also found a large number of “random” politically-related software applications.

The odd piece of software found in this campaign, called “Trump’s Cyber Security Firewall â„¢,” appeared to be focused on hardening Windows systems in a politically motivated way.

The app has the ability to enable debugging and remote desktop access. “There didn’t appear to be any malicious intent in the design of this app, instead it appears to be an application written to allow system administrators to complete some tasks they typically would encounter on a frequent basis when managing Windows endpoints”

“One of the unexpected aspects of the investigation was the presence of lures that dropped malware associated with multiple nation-state attacks in the past. ” Talos said.

Website

Latest articles

Mintlify Data Breach Exposes Customer GitHub Tokens

A renowned software documentation platform has confirmed a security breach that led to the...

900+ websites Exposing 10M+ Passwords: Most in Plaintext

Over 900 websites inadvertently expose over 10 million passwords, many of which are in...

Hackers Exploiting Microsoft Office Templates to Execute Malicious Code

In a cyberattack campaign dubbed "PhantomBlu," hundreds of employees across various US-based organizations were...

How ANY.RUN Malware Sandbox Process IOCs for Threat Intelligence Lookup?

The database includes indicators of compromise (IOCs) and relationships between different artifacts observed within...

CryptoWire Ransomware Attacking Abuses Schedule Task To maintain Persistence

AhnLab security researchers detected a resurgence of CryptoWire, a ransomware strain originally prevalent in...

E-Root Admin Sentenced to 42 Months in Prison for Selling 350,000 Credentials

Tampa, FL – In a significant crackdown on cybercrime, Sandu Boris Diaconu, a 31-year-old...

WhiteSnake Stealer Checks for Mutex & VM Function Before Execution

A new variant of the WhiteSnake Stealer, a formidable malware that has been updated...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles