Thursday, July 25, 2024
EHA

New Hacking Tools launching Crypto-Malware by Exploit a Windows SMB Server Vulnerability

Cybercriminals now leveraging new hacking tools and remote access software to drop cryptocurrency malware by exploiting a Windows SMB Server Vulnerability .

There are 2 main hacking tools that are used by attackers to drop random file info to the targeted systems windows registry.

First one is MIMIKATZ , a powerful post-exploitation hacking tool which is used with other hacking tools to collect user accounts and system credentials.

At the same time threat actors using another legitimate remote access tool
RADMIN, enterprise tool for remote access to network computers and servers.

RADMIN mainly used by attackers to gain admin rights and introduce other malware into targeted systems.

In this case, both MIMIKATZ and RADMIN combined to targeting the enterprise assets for data exfiltration by evading the detection by lunching random name with valid Windows functions.

Malware Infection Process

Apart from the samples of a random name, its drops finally a Monero miner malware payload from a remote server through the command sent via RADMIN to the target machine. 

This malware variant mainly drops when user visiting the compromising websites or it some time drop into victims system by other malware. later its create a file from its resource and name it as names it as  C:\windows\temp\ttt.exe and finally execute it.

After the complete infection process, it connects to the command & control server IP address and send the information and download the coinminer into the infected system and later it will decrypt and execute the Monero miner.

According to Trend Micro research, “It continues to save and execute the downloaded file a Python-compiled executable that imports several other Python modules to gather credentials, as well as psexec, enabling the attacker to remotely execute commands. It is also capable of randomly scanning generated IP addresses over the internet and local networks for open port 445. “

Threat actors behind this malware targeting victims with the main motivation of stealing credentials and developing the module for future attack via escalated privileges and remote access.

“Since the info stealer is able to send back information such as user accounts, port forwarding, and system specifics, and capable of planting the hack tool for remote admin functions, it can let attackers remotely access the system to initiate more attacks in the future if left unchecked.” Trend Micro said.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

Wannamine Malware Still Penetrate the Unpatched SMB Computers using NSA’s EternalBlue Exploit

New Xbash Malware Attack on Linux & Windows with Botnet, Ransomware & Coinminer Capabilities

A Complete Penetration Testing & Hacking Tools List for Hackers & Security Professionals

Website

Latest articles

ShadowRoot Ransomware Attacking Organizations With Weaponized PDF Documents

A rudimentary ransomware targets Turkish businesses through phishing emails with ".ru" domain sender addresses....

BreachForumsV1 Database Leaked: Private messages, Emails & IP Exposed

BreachForumsV1, a notorious online platform for facilitating illegal activities, has reportedly suffered a massive...

250 Million Hamster Kombat Players Targeted Via Android And Windows Malware

Despite having simple gameplay, the new Telegram clicker game Hamster Kombat has become very...

Beware Of Malicious Python Packages That Steal Users Sensitive Data

Malicious Python packages uploaded by "dsfsdfds" to PyPI infiltrated user systems by exfiltrating sensitive...

Chinese Hackers Using Shared Framework To Create Multi-Platform Malware

Shared frameworks are often prone to hackers' abuses as they have been built into...

BlueStacks Emulator For Windows Flaw Exposes Millions Of Gamers To Attack

A significant vulnerability was discovered in BlueStacks, the world's fastest Android emulator and cloud...

Google Chrome 127 Released with a fix for 24 Security Vulnerabilities

Google has unveiled the latest version of its Chrome browser, Chrome 127, which is...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles