Thursday, April 18, 2024

New Hacking Tools launching Crypto-Malware by Exploit a Windows SMB Server Vulnerability

Cybercriminals now leveraging new hacking tools and remote access software to drop cryptocurrency malware by exploiting a Windows SMB Server Vulnerability .

There are 2 main hacking tools that are used by attackers to drop random file info to the targeted systems windows registry.

First one is MIMIKATZ , a powerful post-exploitation hacking tool which is used with other hacking tools to collect user accounts and system credentials.

At the same time threat actors using another legitimate remote access tool
RADMIN, enterprise tool for remote access to network computers and servers.

RADMIN mainly used by attackers to gain admin rights and introduce other malware into targeted systems.

In this case, both MIMIKATZ and RADMIN combined to targeting the enterprise assets for data exfiltration by evading the detection by lunching random name with valid Windows functions.

Malware Infection Process

Apart from the samples of a random name, its drops finally a Monero miner malware payload from a remote server through the command sent via RADMIN to the target machine. 

This malware variant mainly drops when user visiting the compromising websites or it some time drop into victims system by other malware. later its create a file from its resource and name it as names it as  C:\windows\temp\ttt.exe and finally execute it.

After the complete infection process, it connects to the command & control server IP address and send the information and download the coinminer into the infected system and later it will decrypt and execute the Monero miner.

According to Trend Micro research, “It continues to save and execute the downloaded file a Python-compiled executable that imports several other Python modules to gather credentials, as well as psexec, enabling the attacker to remotely execute commands. It is also capable of randomly scanning generated IP addresses over the internet and local networks for open port 445. “

Threat actors behind this malware targeting victims with the main motivation of stealing credentials and developing the module for future attack via escalated privileges and remote access.

“Since the info stealer is able to send back information such as user accounts, port forwarding, and system specifics, and capable of planting the hack tool for remote admin functions, it can let attackers remotely access the system to initiate more attacks in the future if left unchecked.” Trend Micro said.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

Wannamine Malware Still Penetrate the Unpatched SMB Computers using NSA’s EternalBlue Exploit

New Xbash Malware Attack on Linux & Windows with Botnet, Ransomware & Coinminer Capabilities

A Complete Penetration Testing & Hacking Tools List for Hackers & Security Professionals

Website

Latest articles

Palo Alto ZeroDay Exploited in The Wild Following PoC Release

Palo Alto Networks has disclosed a critical vulnerability within its PAN-OS operating system, identified...

FIN7 Hackers Attacking IT Employees Of Automotive Industry

IT employees in the automotive industry are often targeted by hackers because they have...

Russian APT44 – The Most Notorious Cyber Sabotage Group Globally

As Russia's invasion of Ukraine enters its third year, the formidable Sandworm (aka FROZENBARENTS,...

SoumniBot Exploiting Android Manifest Flaws to Evade Detection

A new banker, SoumniBot, has recently been identified. It targets Korean users and is...

LeSlipFrancais Data Breach: Customers’ Personal Information Exposed

LeSlipFrancais, the renowned French underwear brand, has confirmed a data breach impacting its customer...

Cisco Hypershield: AI-Powered Hyper-Distributed Security for Data Center

Cisco has unveiled its latest innovation, Cisco Hypershield, marking a milestone in cybersecurity.This groundbreaking...

Phishing-as-a-Service Platform LabHost Seized by Authorities

Authorities have dismantled LabHost, a notorious cybercrime platform that facilitated widespread phishing attacks across...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

WAAP/WAF ROI Analysis

Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles