Search This Blog

Showing posts with label TrickBot. Show all posts

Alleged TrickBot Gang Member Arrested While Leaving South Korea




A Russian native – on accusations of being associated with the TrickBot cybercrime gang – was recently arrested by the authorities at Seoul International airport, while trying to leave South Korea. 

Reportedly, the Russian resident – identified as Mr. A by media –  was leaving for his home in Russia after waiting for over a year in the South Asian country. As per local media reports (Seoul's KBS) the alleged individual was prevented from leaving South Korea due to COVID-19 travel restrictions – international travel had been canceled by Seoul officials as the global pandemic broke out. Subsequently, Mr. A's passport expired, and he was stranded in South Korea as he waited to renew his passport. 

The Russian man who allegedly worked as a web browser developed for the malware spreading TrickBot gang in 2016 during his stay in Russia, denied 'being aware' of working for a cybercrime group. “When developing the software, the user manual did not identify malware,” said the individual at Seoul High Court. 

As per a Korean newspaper, on September 01, an interrogation was held at the 20th Criminal Division of the Seoul High Court – for the extradition request case against the alleged developer of the malware. While fighting the US extradition attempt, the lawyer of the accused argued that the US will prosecute the man unjustly. "If you send it to the United States, it will be very difficult to exercise your right of defense and there is a good chance that you will be subject to excessive penalties,” claimed the attorney. 

As per the reports, the suspect continued to maintain that the operation manual did not fall under malicious software when he developed the software. He received work from TrickBot via a job search site, following which he developed a web browser for the gang, according to The Record. Notably, the recruiters preferred applicants who did not ask a lot of questions. 

TrickBot is an advanced banking trojan that targets Windows machines. Initially created to steal the banking information of unsuspecting users, TrickBot has evolved over the last five years to be versatile, widely available, and easy to use. With new variants being increasingly released, TrickBot infections have become more frequent on home office networks; continuous advancement since its inception has cemented TrickBot's reputation as a highly adaptive modular malware.

TrickBot Employs Bogus 1Password Installer to Launch Cobalt Strike

 

The Institute AV-TEST records around 450,000 new critical programmings (malware) every day with several potentially unwanted applications (PUA). These are thoroughly examined by their team under characteristic parameters and classified accordingly. 

Malware is a networking-generated file or code that infects, scans, exploits, or practically performs any activity that an attacker desires. 

One such prevalent malware is Trickbot which was first seen in 2016. Trickbot has established itself in cyberspace as a modular and multipurpose malware. The Trickbot operators initially focused on bank credential theft operations and then expanded their skills to attack several industries. With further advancements Trickbot came to light for its participation in ransomware attacks, using Ryuk and Conti malware. 

Recently, it has been found that Trickbot employs a technique for installing a bogus "1Password password manager" to corrupt and collect data on the victim's PC. The first way to accomplish this is with a password-protected Microsoft Word or Excel archive file with macros, that will compromise the targeted device if activated. For criminals to accumulate information about several network computers, a bogus 1Password file installer with the title "Setup1.exe" is also commonly used to launch the Cobalt Strike. 

1Password is an AgileBits Inc. developed password manager. It offers users a place in the digital void that is secured with the master password of the PBKDF2, to hold several passwords, Software licenses, and additional confidential material. 

In the regard, the DFIR Report states, “The Trickbot payload injected itself into the system process wermgr.exe — the Windows process responsible for error reporting. The threat actor then utilized built-in Windows utilities such as net.exe, ipconfig.exe, and nltest.exe for performing internal reconnaissance. Within two minutes of the discovery activity, WDigest authentication was enabled (disabled by default in Windows 10) in the registry on the infected host. This enforces credential information to be saved in clear text in memory. Shortly after applying this registry modification, the LSASS process was dumped to disk using the Sysinternals tool ProcDump.” 

This same bogus installer also eliminates a file that enables the execution of the Cobalt Strike (CS) shellcode and hence receives CS beacons. As the program allows unauthorized connection to victim systems, PowerShell commands are being used to gather data about victim PCs, such as their “anti-virus state”. 

Cobalt Strike is a commercial penetration test framework that helps an agent called 'Beacon' to be deployed by an attacker on the victim's network. Beacon has a wide range of functions including command execution, keylogging, data transfer, SOCKS proxy, privilege scale, port scanning, and lateral movement. 

Meanwhile, as the researchers highlighted, the acquired material was not exfiltrated and the group's motifs remain uncertain. If more advancements are noted in the near future, they will continue to update everyone on it, said the researchers. 

Consequently, researchers in cybersecurity must look for approaches to make sure that their customer facilities are secure from these techniques, as the gang can restart an attack on other networks anytime.

Snake Keylogger: Enters Top 10 List for the Most Prominent Malwares

 

Check Point Research reveals that for straight three months the Trickbot is by far the most common malware, whereas, for the very first time, the Snake Keylogger is the second most prevalent malware.
 
The Snake Keylogger, first spotted in November 2020  is a modular.NET keylogger and credential stealer. Snake Keylogger has advanced to the position of second-most frequent malware variant in the world and has become increasingly popular in recent weeks as per the Check Point’s Global Threat Index for July 2021. 

The main function of the malware is to capture keystrokes of users on computers or mobile devices and then to pass over the collected information to the rogue software's cyber thieves and hackers. 

Infections with Snake Keylogger are indeed a huge threat to the data privacy of any user and internet security because spyware can stole nearly everything. It is also usually considered to be an especially deceptive and persistent keylogger. After a spur of effective phishing attacks, Snake Keylogger has become extremely prevalent. The malware is currently purchasable at a variety of underground sites, with purchasers being able to buy the malware for only $25. 

Check Point researchers have shown that Snake Keylogger attacks are typically very efficient because of the human tendency to use the same password and username on many accounts. Thereby, after an infringement of a certain login credential, malicious hackers get access to all accounts using the same password. 

Maya Horowitz, VP of Check Point Research, recommended that users must employ a "unique option" for each of the many profiles to stop such cyberattacks. “When it comes to password policies, choosing a strong, unique password for each service is the best advice, then even if the bad guys do get hold of one of your passwords, it won’t immediately grant them access to multiple sites and services,” she further explained. 

“Where possible, users should reduce the reliance on passwords alone, for example by implementing Multi-Factor Authentication (MFA) or Single-Sign-On (SSO) technologies,” Horowitz added. Keeping vigilance whenever visiting the web or checking emails is highly encouraged by Horowitz. 

As 'Keyloggers' are frequently spread through phishing emails, users must be aware of subtle anomalies, such as errors in URLs and email addresses. They must avoid clicking on malicious links or downloading any unusual attachments. 

Check Point research also identified some of the world's leading malware families, as well as provided information on rising mobile malware activity. It affirms that Trickbot is indeed the world's most popular malware that has an impact of 4%, trailed by Snake Keylogger and XMRig, each with worldwide impacts of 3%. Trickbot is an ongoing modular Botnet and Banking Trojan with new functions, features, and vectors for propagation. Meanwhile, XMRig which was first seen in the wild in May 2017  is an open-source CPU mining program that is used for Monero cryptocurrency mining. 

Throughout the month of July, xHelper was recognized as one of the most widespread mobile viruses in the world, followed by AlienBot and Hiddad. Studies indicate that xHelper has been around since March 2019. Whereas, Hiddad is an Android trojan that repackages and delivers legitimate programs to a third-party store. The primary purpose of the malware is to show advertisements. 


TrickBot Makes a Comeback with a VNC Module

 

The ongoing revival of malicious TrickBot malware has been revealed by cybersecurity researchers and shows that the Russia-based transnational cybercriminals group is now working behind scenes to upgrade the attack infrastructure in reaction to the recent countermeasures by police forces. 

The new uncovered capabilities are utilized to monitor and collect intelligence on victims by using a unique communication protocol that hides data exchanges among servers and victims [command and control], making attacks hard to identify. Also, no indication of slowing down is shown by TrickBot. 

Botnets are created by placing hundreds or thousands of hijacked devices on a network managed by criminal operators that are usually used to perform denial-of-network attacks against illicit trafficking companies and key infrastructure. However, malevolent actors may also employ botnets with control over these devices to disseminate malware and spam or to implement ransomware file encryption on compromised computers. 

TrickBot is also the same. The well-known cybercrime gang — known as Wizard Spider — has tracked the way infected machines steal confidential information from their sides and pivots across a network and even loads other malware, like ransomware, with their infection chains constantly improved by adding modules that offer new functionalities, to enhance their efficiency. 

"TrickBot has evolved to use a complex infrastructure that compromises third-party servers and uses them to host malware," Lumen's Black Lotus Labs disclosed last October. "It also infects consumer appliances such as DSL routers, and its criminal operators constantly rotate their IP addresses and infected hosts to make disruption of their crime as difficult as possible."

The threat actor has now been identified, as per Bitdefender. The threat actor has actively built an updated version of the "vncDll" module that uses selected profile targets for surveillance and intelligence gathering. "tvncDll" was the name of the new version. 

The botnet has managed to survive two takedown efforts by Microsoft and the United States Cyber Command, which have operators developing firmware intrusion elements that enable hackers to plant backdoors in the Unified Extensible Firmware Interface (UEFI), to avoid anti-virus detection, software update or even complete wipe and reinstallation of the operating system of the computer. 

The new module is meant to interact with a server identified in its configuration file as one of nine Command and Control (C2) servers, using the server, to collect several commands, download further malware payloads, and exfiltrate information from your machine. 

Further, the researchers also indicate that they have uncovered a "viewer tool," that is used by attackers to connect with victims on servers C2.

Diavol Ransomware is Linked to Wizard Spider Cybercrime Group

 

The cybercrime group behind the Trickbot botnet, Wizard Spider, has been linked to a new ransomware strain dubbed Diavol, according to FortiGuard Labs security analysts. In early June 2021, Diavol and Conti ransomware payloads were delivered on several systems in a ransomware attack prevented by the company's EDR technology. 

Wizard Spider is a financially motivated criminal group based in Russia that manages the Trickbot botnet, which is used to distribute second-stage malware to infected devices and networks. Because it spreads over corporate networks, Trickbot is especially hazardous to companies. If it gains administrative access to a domain controller, it will also steal the Active Directory database, allowing the organization to harvest even more network credentials.

From the use of asynchronous I/O operations for file encryption queuing to the use of nearly identical command-line options for the same functionality, the two ransomware groups' samples are cut from the same fabric (i.e., logging, drives and network shares encryption, network scanning). Despite the similarities, the researchers were unable to establish a clear relationship between Diavol ransomware and the Trickbot gang, due to some substantial variances that made attribution with high confidence impossible. For example, unlike Conti, Diavol ransomware has no built-in checks to prevent payloads from operating on Russian targets' systems. There's also no proof of data exfiltration capabilities before encryption, which is a classic ransomware extortion method. 

The encryption mechanism used by Diavol ransomware is based on user-mode Asynchronous Procedure Calls (APCs) and an asymmetric encryption algorithm. This distinguishes it from other ransomware families, which frequently employ symmetric methods to accelerate the encryption process. Diavol doesn't employ any obfuscation techniques, such as packing or anti-disassembly, but it nonetheless manages to obfuscate its essential routines by putting them in bitmap images.

When the ransomware executes on a compromised PC, it takes the code from the PE resource section of the pictures and inserts it into a buffer with execution permissions. Before the Diavol ransomware is finished, it will change the background of each encrypted Windows device to a black wallpaper with the following message: "All your files are encrypted! For more information see README-FOR-DECRYPT.txt."

"Currently, the source of the intrusion is unknown," Fortinet says. "The parameters used by the attackers, along with the errors in the hardcoded configuration, hint to the fact that Diavol is a new tool in the arsenal of its operators which they are not yet fully accustomed to."

DOJ Charges Latvian National for Helping Develop the Trickbot Malware

 

The US Department of Justice has charged a Latvian woman for her alleged role in developing the Trickbot malware, which was responsible for infecting millions of computers, targeting schools, hospitals, public utilities, and governments. 

After being arrested on February 6 in Miami, Florida, Alla Witte (aka Max) was charged with 19 counts of a 47-count indictment. 

The DOJ said in a press release, Witte created the code used by Trickbot malware to control, launch, and manage ransomware payments. Witte is also said to have given the Trickbot Group the code required to track and monitor approved malware users and the tools and protocols needed to store login credentials obtained from victims' networks. 

The FBI's Cleveland Office and the Department of Justice's Ransomware and Digital Extortion Task Force investigated the case, which was formed to combat the rising number of ransomware and digital extortion attacks. 

FBI special agent Eric B. Smith said. In a statement, "Witte and her associates are accused of infecting tens of millions of computers worldwide, in an effort to steal financial information to ultimately siphon off millions of dollars through compromised computer systems.

Trickbot is a malware variant that was first discovered in October 2016 as a modular banking trojan and has subsequently been updated with new modules and capabilities. 

Microsoft and many partners reported on October 12 that they had taken down certain Trickbot C2s. Before the presidential election, the US Cyber Command apparently tried to destroy the botnet by sending infected devices a configuration file that cut them off from the botnet's C2 servers. Despite these concerted attacks on TrickBot's infrastructure, the TrickBot gang's botnet remains alive, and new malware builds are continually being released. 

The TrickBot gang is renowned for spreading the ransomware Ryuk and Conti onto the networks of valuable business targets. According to Deputy Attorney General Lisa O. Monaco, Trickbot penetrated millions of victim computers throughout the world, harvesting banking information and delivering ransomware. 

"The Trickbot malware was designed to steal the personal and financial information of millions of people around the world, thereby causing extensive financial harm and inflicting significant damage to critical infrastructure within the United States and abroad," Acting US Attorney Bridget M. Brennan of the Northern District of Ohio added.

BazaLoader Malware is Being Distributed by Hackers Using a Bogus Streaming Website

 

Proofpoint identified the phishing attempt in early May, which entailed hackers creating a phoney movie-streaming website named BravoMovies and stocking it with phoney movie posters and other materials to make it appear real to unwary visitors. It has nothing to offer for download other than BazaLoader malware, despite its pretty pictures and fun-sounding titles. BazaLoader is a malware loader that is used to spread ransomware and other types of malware, as well as steal sensitive data from infected computers. 

"BazaLoader is a downloader written in C++ that is used to download and execute additional modules. Proofpoint first observed BazaLoader in April 2020. It is currently used by multiple threat actors and frequently serves as a loader for disruptive malware including Ryuk and Conti ransomware. Proofpoint assesses with high confidence there is a strong overlap between the distribution and post-exploitation activity of BazaLoader and threat actors behind The Trick malware, also known as Trickbot," the security firm said. 

The BravoMovies campaign employs a complex infection chain similar to that employed by BazaLoader affiliates, who entice their victims to jump through a series of hurdles in order to activate malware payloads. It starts with an email informing recipients that their credit cards would be debited until they cancel their subscription to the service, which they never agreed to. 

The email includes a phone number for a call center with live people on the other end of the line, ready to send consumers to a website where they may purportedly cancel the phoney movie-streaming subscription. Those who fall for the trick, on the other hand, are directed to download a boobytrapped Excel spreadsheet that will trigger macros that will download BazaLoader. 

The call-center staff advises their customers to the BravoMovies website, where they should go to the Frequently Asked Questions page and unsubscribe using the "Subscription" page. They'll then be directed to download an Excel spreadsheet. If BazaLoader is enabled, the macros on the Excel sheet will download it. The second-stage payload in this campaign has yet to be discovered, according to Proofpoint experts. 

Proofpoint researchers first noticed the use of BazaLoader in February 2021, when a pre-Day Valentine's malware assault supplied lures to bogus flower and lingerie stores. It's also been spotted in a campaign for subscription pharmaceutical services.

Everthing You Need to Know About Ongoing TrickBot Attacks, US Agencies Warn

 

The Cybersecurity and Infrastructure Security Agency (CISA) in unison with the Federal Bureau of Investigation (FBI) published an advisory on Wednesday to warn organizations of ongoing TrickBot attacks despite in October multiple security firms dismantled their C2 infrastructure in a joint operation.

In their joint advisory, two agencies disclosed that a sophisticated group of cybercrime actors is leveraging a traffic infringement phishing scheme to lure victims into installing the Trickbot malware.

TrickBot was initially observed in 2016, it is believed to be designed by the threat actors behind the Dyre Trojan. TrickBot has become one of the most prevalent families out there, entrapping machines into a botnet that was being offered under a malware-as-a-service model to both nation-states and cybercrime groups.

“The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have observed continued targeting through spear phishing campaigns using TrickBot malware in North America. A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot,” the joint advisory reads.

In October 2020, Microsoft revealed that it had disrupted the infrastructure behind TrickBot, taking most of it down. However, the malware survived the takedown attempt and came back stronger, with several new updates that protected against similar attempts. The recent attacks come as a confirmation to the same, that TrickBot’s operators were able to restore their malicious operations. 

“CISA and FBI are aware of recent attacks that use phishing emails, claiming to contain proof of a traffic violation to steal sensitive information. The phishing emails contain links that redirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic violation. In clicking the photo, the victim unknowingly downloads a malicious JavaScript file that, when opened, automatically communicates with the malicious actor’s command and control (C2) server to download Trickbot to the victim’s system,” the advisory further stated. 

Trickbot- A Banking Trojan Returns With Latest Phishing Campaigns and Attacks

 

Trickbot, a banking malware has resurged again with new phishing campaigns and attacks after the collaboration of cybersecurity and technology companies disrupted the Trickbot malware in October last year. Trickbot malware evolved into a highly favorable form of malware among threat actors after starting life as a banking trojan.

Trickbot is a banking malware that sends victims banking-related website pages that almost look identical to the original thing. Trickbot is a replication of older malware Dyre/Dyreza and is also dispersed via malicious spam including HTML attachments. These HTML files download a Word document posing as a login form, in reality, it is embedded with a malicious macro that restores Trickbot from the threat actors’ command and control (C&C) server when permitted.

Microsoft targeted the infamous Trickbot malware last year due to its ability to possess ransomware that could pose a threat to the websites that display election information or to third party software dealers that supply resources to election officials. Trickbot can steal information, keys, and credentials and give backdoor access for transporting other malware, including ransomware.

Threat actors are specifically targeting legal and insurance companies in North America and sending phishing emails to the potential targets and tricking them to click on a link that will transfer them to a server that downloads a malicious payload.

Vinay Pidathala, director of security research at Menlo Security stated that “where there’s a will, there’s a way. That proverb certainly holds true for the bad actors behind Trickbot operations. While Microsoft and its partners’ actions were commendable and Trickbot activity has come down to a trickle, the threat actors seem to be motivated enough to restore operations and cash in on the current threat environment”.

UK’s National Cyber Security Centre (NCSC) issued the advisory that companies should patch the security vulnerabilities and should run on the latest versions of operating system and software.

US Security Department Issue Potential Trickbot and Malware Attack Warning to Health Department

 

The United States Healthcare providers have been alerted to vary of Trickbot and ransomware attacks by their Homeland Security department.
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services of US-issued out a warning of "imminent cybercrime threat to US hospitals and healthcare providers" regarding an infection from Trickbot and ransomware. 

Already heavy with the burden of coronavirus, the US health department now faces another cybersecurity threat from Trickbot, one of the largest botnets worldwide, and Ryuk Ransomware, a lethal and savage malware on its own. Even Microsoft recently took legal action against Trickbots earlier this month.

Earlier, Trickbot was a banking trojan attacking users via Webfakes (where it redirects the user to a fake webpage made by the attackers instead of the original banking webpage; accessing the user's login and other credentials) and through WebInjections (wherewith the website that the user is trying to access, some malware injections will be initiated and downloaded). Now with a million infections, Trickbot has evolved into a full-fledged malware.

 "As part of the new Anchor toolset, Trickbot developers created Anchor_DNS, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling," CISA said in the alert. 

Using anchor DNS, lets the malware to bypass the legit DNS and with it bypassing network defense security and evade recognition.

Other countries like the UK and Australia also predict a potential attack by Ryuke or Trickbot. Australian Cyber Security Centre (ACSC) warned Australian companies about Emotet malware, which is used contemporaneity with Trickbot. "Upon infection of a machine, Emotet is known to spread within a network by brute-forcing user credentials and writing to shared drives. Emotet often downloads secondary malware onto infected machines to achieve this, most frequently Trickbot," the ACSC wrote in a warning.

TrickBot accidentally issues infection warning to Victims


Advanced Intel’s Vitali Kremez traced a mistake by TrickBot malware, wherein it mistakingly left warning messages on the victim's machine saying that they have been attacked.


TrickBot is a notorious malware usually distributed via spam mails; after infecting the system it downloads various files and modules to run and seize domain's Active Directory Services database, harvest browser passwords, and cookies, steal OpenSSH keys. It is also known to often give access to ransomware operators like Ryuk and Conti on the infected network.

This mistake by TrickBot occurred during the testing of their password-stealing "grabber.dll", this particular strain steals passwords, browser credentials, cookies from browsers like Google, Internet Explorer and Microsoft Edge. During the testing of this grabber.dll module, this particular warning message was issued on the attacked system revealing that some information has been gathered from the browser defeating the purpose.

Warning
"You see this message because the program named grabber gathered some information from your browser. If you do not know what is happening it is the time to start worrying. Please, ask your system administrator for details."


Kremez believes these modules are from TrickBot as they are coded in their fashion and that they were testing the new model and forgot to remove the warning while releasing. 

This isn't TrickBot's first stunt, rather this malware has made headlines quite a few times in 2020 itself. In mid-June, TrickBot ran a fake Black Lives Matter email campaign that installed the malware. In another case, Conti and Ryuk ransomware were also found to be running TrickBot structure 

 To the victims who received this warning message, Kremez advices them to disconnect their machine from the network immediately and then perform a virus scan. Once the malicious malware is eliminated they should change all the login credentials that were saved on the browser.

BazarBackdoor: A Malware similar to Trickbot, targets Corporates


According to cybersecurity experts, a new phishing campaign is allowing malware backdoor entry. The malware which is said to be created by hacking group Trickbot will enable hackers to jeopardize and take control of an organization's network. It is a necessary measure to have a back door for hackers to gain entry access and control the company's network in sophisticated network attacks. It is required in the following cyberattacks- corporate espionage, data extraction attacks, specified ransomware attacks.


According to several reports, the attack was first discovered two weeks ago. The malware is called "BazarBackdoor" or simply "backdoor" by the cybersecurity experts. The malware serves as a tool kit for hackers to gain access to an enterprise's network. Trickbot is said to be the creator of this malware because of BazarBackdoor sharing similar coding, cryptos, and designs.

About BazarBackdoor 

The attacks first start in the form of phishing campaigns that try to lure victims through click baits like 'coronavirus relief funds,' 'customer complaints,' 'COVID reports' or merely a list of downsizing reports that are directly linked to google docs. The hackers, unlike other phishing campaigns, are using creative techniques to lure the users to different landing pages like fake customer complaints page or fake COVID fund relief page. The landing pages either pretend to be a PDF, Word, or Excel document, which can't be viewed appropriately. Hence, a link is provided to the users to view the document appropriately. When the users click the link, the documents get downloaded either in word or PDF format with a 'preview' title. Windows don't have a default file extension; therefore, the user thinks that these files are original. Thus, doing this enables the backdoor entry for the malware.

Attack linked to Trickbot 

According to cybersecurity experts, the malware targets explicitly companies and corporate enterprises. It is likely to be developed by the same hacking group responsible for creating another malware named Trickbot. Trickbot and BazarBackdoor share similar cryptos, and both use the same email patterns to launch their attacks. As a precaution, corporate companies are suggested to stay alert and ask their employees not to open any unknown link sent via email.

Windows 10 Users Beware! TrickBots' Prevalence And Conveyance Escalates in Devices



Reports mention that recently attackers were found exploiting the latest version of the “Remote Desktop ActiveX” which was developed for Windows 10.

Sources say that similar to what many others are doing, the exploitation could cause the automatic execution of the “OSTAP” JavaScript downloaded on the ta
rget’s systems.

Per analyses of researchers, the ActiveX is employed to automatically execute a mal macro right after the target enables a document. The majority of the documents contained images to encourage people to enable the content.

Per reports, the catch was that the image contained a hidden ActiveX control below it; the OSTAP downloader was disguised in white text to make it seemingly invisible to eyes and readable for machines.

Trickbot attackers misuse people’s tendencies of not updating their software with the latest updates to protect the systems.

Trickbots happen to be among the most advanced versions of the malware structures. The number is increasing and so is the threat to systems with Windows 10. Not of late, researchers dug out more documents that execute the OSTAP JavaScript downloader.

It was also found out that the groups of tricksters that were exploiting the ActiveX control were not the only ones. Other groups were also into misusing them along with a few others.

According to sources, the victim documents had the following nomenclature-“i<7-9 arbitrary="" digits="">.doc”. Almost every document had in it an image that would convince the enablers to open it. What the opener wouldn’t know is that below the image is a hidden ActiveX control. The OSTAP JavaScript downloader would be disguised as white text which only the machines could read.

Per sources, the analysis of the ActiveX code exposed the use of the “MsRdpClient10NotSafeForScripting” class. The script is crafted in a way that the server field is left empty to cause an error which would aid the attackers further on.

According to researchers, the technique that kicks the ‘macro’ on is, “_OnDisconnected”. This will execute the main function, first. It doesn’t get executed instantly for it takes time to resolve the DNS to an empty string only to return an error.

The OSTAP’s execution would depend on the “error number matches” exactly to “disconnectReasonDNSLookupFailed”. The OSTAP wscript directive is relative to the error number computation.

The execution of the wscript would work with its very content. This trick is quite an old one in the book. Microsoft’s BAT would ignore the ‘comments’, along with the content and everything that comes with the syntax, while the execution’s happening.

Once the JavaScript is edited per the attackers’ needs, the obfuscation scheme gets repeated. Updating systems doesn’t work every time but it’s a pre-requisite anyway.

A defense mechanism is paramount in cases of OSTAP and the likes of it. With the technology that’s prospering with every passing minute, so is the number of attack mechanisms and attackers. Hence keep systems updates and a tight security structure in place.