Cisco Talos researchers observed three separate, but related, campaigns between March and June 2022 that were delivering multiple malware, including the ModernLoader bot (aka Avatar bot), RedLine info-stealer and cryptocurrency miners to victims.
ModernLoader is a .NET remote access trojan that supports multiple features, including the capability of gathering system information, executing arbitrary commands, or downloading and running a file from the C2 server.
Threat actors use PowerShell, .NET assemblies, and HTA and VBS files to perform lateral movements across a targeted network and eventually drop other pieces of malware, such as the SystemBC trojan and DCRAT. The attackers’ use of a variety of off-the-shelf tools makes it difficult to attribute this activity to a specific adversary.
The attack chain starts with an HTML Application (HTA) file that runs a PowerShell script hosted on the C2 server which executes the next stage of the loading process.
“The next stage is the PowerShell loader. The loader contains embedded code of three modules, which are loaded using reflection as additional .NET assemblies into the PowerShell process space. The downloaded PowerShell code also downloads and runs auxiliary modules and payloads.” reads the analysis published by Cisco Talos. “There are usually three modules in this loader format. The first disables AMSI scanning functionality, the second is the final payload, and the last injects the payload into the process space of a newly created process, usually RegSvcs.exe.”
The final payload appears to be a ModernLoader remote access trojan (RAT) and the XMRig miner. Talos reported that the March campaigns targeted users in Eastern Europe, including Bulgaria, Poland, Hungary, and Russia.
The threat actors behind the campaigns are likely Russian-speaking actors, that are experimenting with different technologies. Experts speculate that the usage of ready-made tools demonstrates that despite the actors understanding the TTPs required for a successful malware campaign, they haven’t the technical skills to develop their own arsenal.
Cisco Talos attributed the infections to a previously undocumented but Russian-speaking threat actor, citing the use of off-the-shelf tools. Potential targets included Eastern European users in Bulgaria, Poland, Hungary, and Russia.
The attackers also compromised vulnerable web applications to change their configuration to use malicious PHP scripts to deliver malware to their users.
The attackers attempted to compromise WordPress and CPanel installs to distribute the malware using files masquerades as fake Amazon gift cards.
“The actor is frequently using open-source components and code generators to achieve its goals. A number of remote access tools, stealers and cryptominers are used in the campaigns to eventually reap financial benefits for the actor. The actor has an interest in alternative distribution channels such as compromised web applications, archive infections and spreading by using Discord webhooks.” concludes the report. “Despite all the techniques and tactics used we estimate that the success of these campaigns is limited.”
Follow me on Twitter: @securityaffairs and Facebook
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, malware)