Monday, January 27, 2025
HomeBackdoorNew Hacking Group Using Metasploit To Install Backdoor Malware On Windows By...

New Hacking Group Using Metasploit To Install Backdoor Malware On Windows By Exploiting MS Office

Published on

SIEM as a Service

Follow Us on Google News

Researchers detect a wave of malware campaigns from a new hacking group named TA2101 that targeting various organizations in German and Italy to deploy the backdoor malware in their network.

Threat actors from this new hacking group using legitimate and licensed penetration testing tools and backdoor framework such as Cobalt Strike and Metasploit to perform the post-exploitation operation.

These kinds of tools and frameworks are legitimately used by an organization to find out the vulnerabilities and secure their environment, at the same time cybercriminals group such as Cobalt Group, APT32, and APT19 taking advantage of the features and used it to deploy the malware.

Attackers initiate these campaigns focused on phishing and increasingly sophisticated social engineering, as well as banking Trojans and ransomware. 

Researchers observed that this New Hacking Group also distributing Maze ransomware to attack Italy based company’s infrastructure by employing an advanced social engineering technique and impersonate the Italian revenue agency.

Exploiting Windows via Malicious Word Docs

Proofpoint researchers observed this campaign from October 16 until November 12, 2019, the collected samples provide a clear indication about the targets, and how they are sending malicious email messages to organizations in Germany, Italy, United States to attack business and IT services, manufacturing, and healthcare.

Among the several samples that were delivered via malspam emails, most of the email attachment contains weaponized word documents.

Email body content tempts victims to open the attachment that leads to executing the macro and turn it on to execute the PowerShell script.

The obfuscated Powershell script eventually downloads and installs the Maze ransomware from the command & control server and drops into the victim’s device.

Attackers delivering the ransomware via different email campaigns that pointed to the law enforcement activities, impersonating the German Federal Ministry of Finance, tempt victims to avoid further tax assessment and penalties.

In the very recent campaign, Proofpoint researchers observed thousands of emails attempting to deliver malicious Microsoft Word attachments with English lures, this time impersonating the United States Postal Service (USPS) and distributing the IcedID banking Trojan.

Same Weaponised word document used for this campaign, once executed, it installs the IcedID payload onto the targets mainly Healthcare vertical, using the same infection chain.

“Researchers also Observed a consistent set of TTPs (Tactics, Techniques, and Procedures) that allows attribution of these campaigns to a single actor with high confidence. These include the use of .icu domains, as well as identical email addresses for the Start of Authority (SOA) resource records stored for the DNS entries for the domains used in these campaigns”, Proof point said.

You can find the complete analysis and indicators of compromise here to secure your environment.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

White House Considers Oracle-Led Takeover of TikTok with U.S. Investors

In a significant development, the Trump administration is reportedly formulating a plan to prevent...

Critical Vulnerability in IBM Security Directory Enables Session Cookie Theft

IBM has announced the resolution of several security vulnerabilities affecting its IBM Security Directory...

Critical Apache Solr Vulnerability Grants Write Access to Attackers on Windows

A new security vulnerability has been uncovered in Apache Solr, affecting versions 6.6 through...

GitHub Vulnerability Exposes User Credentials via Malicious Repositories

A cybersecurity researcher recently disclosed several critical vulnerabilities affecting Git-related projects, revealing how improper...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Weaponised XWorm RAT Builder Attacking Script Kiddies To Hack 18,000 Devices

A recent cybersecurity attack involving a Trojanized version of the XWorm Remote Access Trojan...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

Beware of Fake Captcha Verifications Spreading Lumma Malware

In January, Netskope Threat Labs uncovered a sophisticated global malware campaign leveraging fake CAPTCHA...