During March and June 2022, Cisco Talos researchers discovered three distinct but connected campaigns that were spreading various malware to victims, including the ModernLoader bot, RedLine info-stealer, and cryptocurrency miners.
The hackers spread over a targeted network via PowerShell,.NET assemblies, HTA, and VBS files before releasing further malware, like the SystemBC trojan and DCRat, to enable different stages of its exploits, according to a report by Cisco Talos researcher Vanja Svajcer.
Cisco Talos further said that the infections were caused by a previously unidentified but Russian-speaking spyware, that used commercial software. Users in Bulgaria, Poland, Hungary, and Russia were among the potential targets.
The first stage payload is an HTML Application (HTA) file that executes a PowerShell script stored on the command-and-control (C2) server to start the deployment of interim payloads that eventually use a method known as process hollowing to inject the malware.
ModernLoader (also known as Avatar bot), a straightforward.NET remote access trojan, has the ability to download and run files from the C2 server, run arbitrary instructions, acquire system information, and alter modules in real-time.
Additionally, the actors dispersed across a targeted network using PowerShell,.NET assemblies, HTA, and VBS files before releasing additional malware, such as the SystemBC trojan, and DCRAT
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: