Apr 05, 2024NewsroomMalware / Endpoint Security

Bogus installers for Adobe Acrobat Reader are being used to distribute a new multi-functional malware dubbed Byakugan.

The starting point of the attack is a PDF file written in Portuguese that, when opened, shows a blurred image and asks the victim to click on a link to download the Reader application to view the content.

According to Fortinet FortiGuard Labs, clicking the URL leads to the delivery of an installer (“Reader_Install_Setup.exe”) that activates the infection sequence. Details of the campaign were first disclosed by the AhnLab Security Intelligence Center (ASEC) last month.

The attack chain leverages techniques like DLL hijacking and Windows User Access Control (UAC) bypass to load a malicious dynamic-link library (DLL) file named “BluetoothDiagnosticUtil.dll,” which, in turn, loads unleashes the final payload. It also deploys a legitimate installer for a PDF reader like Wondershare PDFelement.

The binary is equipped to gather and exfiltrate system metadata to a command-and-control (C2) server and drop the main module (“chrome.exe”) from a different server that also acts as its C2 for receiving files and commands.

“Byakugan is a node.js-based malware packed into its executable by pkg,” security researcher Pei Han Liao said. “In addition to the main script, there are several libraries corresponding to features.”

This includes setting up persistence, monitoring the victim’s desktop using OBS Studio, capturing screenshots, downloading cryptocurrency miners, logging keystrokes, enumerating and uploading files, and grabbing data stored in web browsers.

“There is a growing trend to use both clean and malicious components in malware, and Byakugan is no exception,” Fortinet said. “This approach increases the amount of noise generated during analysis, making accurate detections more difficult.”

The disclosure comes as ASEC revealed a new campaign that propagates the Rhadamanthys information stealer under the guise of an installer for groupware.

“The threat actor created a fake website to resemble the original website and exposed the site to the users using the ad feature in search engines,” the South Korean cybersecurity firm said. “The malware in distribution uses the indirect syscall technique to hide from the eyes of security solutions.”

It also follows a discovery that a manipulated version of Notepad++ is being employed by unidentified threat actors to propagate the WikiLoader malware (aka WailingCrab).

Mar 15, 2024NewsroomMalvertising / Threat Intelligence

Chinese users looking for legitimate software such as Notepad++ and VNote on search engines like Baidu are being targeted with malicious ads and bogus links to distribute trojanized versions of the software and ultimately deploy Geacon, a Golang-based implementation of Cobalt Strike.

“The malicious site found in the notepad++ search is distributed through an advertisement block,” Kaspersky researcher Sergey Puzan said.

“Opening it, an attentive user will immediately notice an amusing inconsistency: the website address contains the line vnote, the title offers a download of Notepad‐‐ (an analog of Notepad++, also distributed as open-source software), while the image proudly shows Notepad++. In fact, the packages downloaded from here contain Notepad‐‐.”

The website, named vnote.fuwenkeji[.]cn, contains download links to Windows, Linux, and macOS versions of the software, with the link to the Windows variant pointing to the official Gitee repository containing the Notepad– installer (“Notepad–v2.10.0-plugin-Installer.exe”).

The Linux and macOS versions, on the other hand, lead to malicious installation packages hosted on vnote-1321786806.cos.ap-hongkong.myqcloud[.]com.

In a similar fashion, the fake look-alike websites for VNote (“vnote[.]info” and “vnotepad[.]com”) lead to the same set of myqcloud[.]com links, in this case, also pointing to a Windows installer hosted on the domain. That said, the links to the potentially malicious versions of VNote are no longer active.

An analysis of the modified Notepad– installers reveals that they are designed to retrieve a next-stage payload from a remote server, a backdoor that exhibits similarities with Geacon.

It’s capable of creating SSH connections, performing file operations, enumerating processes, accessing clipboard content, executing files, uploading and downloading files, taking screenshots, and even entering into sleep mode. Command-and-control (C2) is facilitated by means of HTTPS protocol.

The development comes as malvertising campaigns have also acted as a conduit for other malware such as FakeBat (aka EugenLoader) malware with the help of MSIX installer files masquerading as Microsoft OneNote, Notion, and Trello.