Search This Blog

Showing posts with label spam email. Show all posts

RevengeRAT is Targeting the Aerospace and Travel Sectors with Spear-Phishing Emails

 

Microsoft has released a warning about a remote access tool (RAT) called RevengeRAT, which it claims has been used to send spear-phishing emails to the aerospace and travel industries.

RevengeRAT is a remote access trojan (RAT) that is classified as a high-risk computer infection. This malware aims to give cybercriminals remote access to infected computers so they can manipulate them. According to research, cybercriminals spread this infection through spam email campaigns (malicious MS Office attachments). Having a trojan-type infection on your device, such as RevengeRAT, can cause a slew of problems. 

They can use RevengeRAT to monitor system services/processes/files, edit the Windows Registry and hosts file, log keystrokes, steal account passwords, access hardware (such as a webcam), run shell commands, and so on. As a result, these individuals have the potential to cause serious harm. 

RevengeRAT, also known as AsyncRAT, is spread by carefully designed email messages that instruct recipients to open a file that appears to be an Adobe PDF attachment but actually installs a malicious visual basic (VB) file. 

The two RATs were recently identified by security company Morphisec as part of a sophisticated Crypter-as-a-Service that delivers multiple RAT families. The phishing emails, according to Microsoft, transmit a loader, which then delivers RevengeRAT or AsyncRAT. Morphisec claims it is also able to supply the RAT Agent Tesla. 

"The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads," Microsoft said. 

Morphisec called the cryptor service "Snip3" after a username it discovered in earlier malware variants. If Snip3 detects that a RAT is being executed inside the Windows Sandbox – a virtual machine security feature Microsoft launched in 2018 – it will not load it. Advanced users can use the Windows Sandbox to run potentially malicious executables in a secure sandbox that won't harm the host operating system.

"If configured by [the attacker], the PowerShell implements functions that attempt to detect if the script is executed within Microsoft Sandbox, VMWare, VirtualBox, or Sandboxie environments," Morphisec notes. "If the script identifies one of those virtual machine environments, the script terminates without loading the RAT payload."

Panda Stealer Spreads Via Discord to Steal User Crypto-Currency

 

A new type of malware – Panda Stealer – is spreading through a spam campaign globally. Trend Micro researchers reported on Tuesday that they first encountered the latest stealer in April. In Australia, Germany, Japan, and the USA, the latest surge of the spam campaign seems to have the greatest effects. 

The spam emails hide and click booby-trapped Excel files as nothing more than a business quote application to attract victims. Researchers found 264 Panda Stealer-like files with Virus Total, some of which are exchanged by threat actors operating via Discord. 

Given recent developments, this isn’t shocking. The cybersecurity team in Cisco's Talos noticed recently that some threat actors are using workflow and communication resources such as Slack and Discord to sneak past safety and provide robbers, remote access trojans (RATs), and malware. Now again, the threatening actors may use Discord to share the Panda Stealer. 

If Panda becomes confident, it attempts to acquire information like private clues and past crypto-currency wallet activities such as Bytecoin (BCN), Dash (DASH), Ethereum (ETH), and Litecoin (LTC). It may also filter applications such as NordVPN, Telegram, Discord, and Steam in addition to stealing wallets. Panda could also take screenshots and swipe browser info, including cookies and passwords, through infected computers. 

The scientists found out two ways in which spam infects victims: An.XLSM attachment contains macros in one infection chain, which installs a loader that executes the criminal. An .XLS attachment including an Excel formula is also used in another infection chain to enable the instruction PowerShell to access paste.ee, a Pastebin alternative which in turn is secondary encryption for PowerShell command. 

"The CallByName export function in Visual Basic is used to call a load of a .NET assembly within memory from a paste.ee URL," Trend Micro says. "The loaded assembly, obfuscated with an Agile.NET obfuscator, hollows a legitimate MSBuild.exe process and replaces it with its payload: the hex-encoded Panda Stealer binary from another paste.ee URL." 

Panda Stealer is a modification to the DC Stealer malware Collector, that has been sold for as little as $12 on a hidden marketplace and via telegraph. It is announced as a "top-end information stealer" and also has a Russian connection. The Collector Stealer was broken by a threat actor, NCP, identified as su1c1de. The cracked stealer as well as the Panda Stealer act likewise but do not share the very same URLs, tags, or execution files. 

“Cybercriminal groups and script kiddies alike can use it to create their customized version of the stealer and C2 panel,” Trend Micro researchers said. “Threat actors may also augment their malware campaigns with specific features from Collector Stealer.” 

Trend Micro says that there are parallels to Phobos Ransomware in the attack chain. In particular, in its distribution method, the Phobos "Fair" version, as defined by Morphisec, is identical and is continuously being revised to cut down on its footprint, for example, to reduce encryption criteria, to remain underneath the radar as long as possible.