Cybercriminals now leveraging new hacking tools and remote access software to drop cryptocurrency malware by exploiting a Windows SMB Server Vulnerability .
There are 2 main hacking tools that are used by attackers to drop random file info to the targeted systems windows registry.
First one is MIMIKATZ , a powerful post-exploitation hacking tool which is used with other hacking tools to collect user accounts and system credentials.
At the same time threat actors using another legitimate remote access tool
RADMIN, enterprise tool for remote access to network computers and servers.
RADMIN mainly used by attackers to gain admin rights and introduce other malware into targeted systems.
In this case, both MIMIKATZ and RADMIN combined to targeting the enterprise assets for data exfiltration by evading the detection by lunching random name with valid Windows functions.
Apart from the samples of a random name, its drops finally a Monero miner malware payload from a remote server through the command sent via RADMIN to the target machine.
This malware variant mainly drops when user visiting the compromising websites or it some time drop into victims system by other malware. later its create a file from its resource and name it as names it as C:\windows\temp\ttt.exe and finally execute it.
After the complete infection process, it connects to the command & control server IP address and send the information and download the coinminer into the infected system and later it will decrypt and execute the Monero miner.
According to Trend Micro research, “It continues to save and execute the downloaded file a Python-compiled executable that imports several other Python modules to gather credentials, as well as psexec, enabling the attacker to remotely execute commands. It is also capable of randomly scanning generated IP addresses over the internet and local networks for open port 445. “
Threat actors behind this malware targeting victims with the main motivation of stealing credentials and developing the module for future attack via escalated privileges and remote access.
“Since the info stealer is able to send back information such as user accounts, port forwarding, and system specifics, and capable of planting the hack tool for remote admin functions, it can let attackers remotely access the system to initiate more attacks in the future if left unchecked.” Trend Micro said.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.
Also Read:
Wannamine Malware Still Penetrate the Unpatched SMB Computers using NSA’s EternalBlue Exploit
New Xbash Malware Attack on Linux & Windows with Botnet, Ransomware & Coinminer Capabilities
A Complete Penetration Testing & Hacking Tools List for Hackers & Security Professionals
As California grapples with devastating wildfires, communities are rallying to protect lives and property. Unfortunately,…
AISURU botnet launched a DDoS attack targeting Black Myth: Wukong distribution platforms in August 2024…
Botnets are the networks of compromised devices that have evolved significantly since the internet's inception.…
The Federal Trade Commission (FTC) has announced that it will require GoDaddy Inc. to develop…
A significant cybersecurity threat has emerged, threatening the integrity of thousands of PHP-based web applications.…
A significant security vulnerability has been identified in the W3 Total Cache plugin for WordPress,…