Three linked campaigns delivered a wide range of threats, including the ModernLoader bot, the RedLine information-stealer and cryptocurrency-mining malware, to victims between March and June 2022.
The link between the three apparently unrelated campaigns was made by security researchers at Cisco Talos, who said the threat actors compromised vulnerable web applications to deliver threats via fake Amazon gift cards.
“This technique was observed on one of the infected systems in our telemetry,” the company wrote in a blog post.
“We observed the addition of a fake Amazon voucher named Amazon.com Gift Card 500 USD.gift.hta to archive files, such as RAR, 7-Zip and ZIP, already present on the infected system. Each file’s checksum is different, which indicates the use of subtle obfuscation to evade detection.”
Further, the actors used PowerShell, .NET assemblies, and HTA and VBS files to spread across a targeted network and eventually drop other types of malware, including the SystemBC trojan and DCRAT, to perform various tasks linked to their operations.
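Because every planted lure file had a different checksum, hash-based blocking alone will not catch it; what stays constant is the lure naming and the script-capable extension hidden behind a double extension inside an otherwise ordinary archive. The following is an added defensive example, not Cisco Talos code and not an indicator list from the advisory: it scans ZIP archives for members that match those structural traits and reports each hit with its SHA-256, so analysts can see that the hashes vary while the name pattern does not. RAR and 7-Zip would need third-party libraries and are not handled; the archives and their contents are constructed in memory for the demonstration.

```python
"""Flag archive members that resemble the gift-card HTA lure described in the report.

Added example, not code from Cisco Talos. ZIP only; the sample archives below are
constructed in memory and contain placeholder content, not real malware.
"""
import hashlib
import io
import re
import zipfile

# Script-capable extensions that should not sit inside a document or media archive.
# HTA is the extension named in the report; VBS and PowerShell are the other script
# types it says the actors used. The remaining entries are an assumption of this
# example, added to generalise the check.
SUSPICIOUS_EXT = re.compile(r"\.(hta|vbs|vbe|ps1|js|jse|wsf)$", re.IGNORECASE)
# Lure wording: "gift card" or "voucher" followed by an amount and a currency code.
LURE_WORDS = re.compile(r"(gift\s*card|voucher).*?\d+\s*(usd|eur|gbp)", re.IGNORECASE)


def suspicious_members(archive_bytes: bytes) -> list[dict]:
    """Return one finding per archive member that matches any lure trait."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            basename = name.rsplit("/", 1)[-1]
            reasons = []
            if SUSPICIOUS_EXT.search(basename):
                reasons.append("script-capable extension")
            if LURE_WORDS.search(basename):
                reasons.append("gift-card lure wording")
            # "Something.gift.hta": a second extension in front of the real one.
            if basename.count(".") >= 2 and SUSPICIOUS_EXT.search(basename):
                reasons.append("double extension")
            if reasons:
                # The hash is recorded for the record, but the match is made on
                # structure, because the report says each lure's checksum differs.
                digest = hashlib.sha256(zf.read(info)).hexdigest()
                findings.append({"name": name, "size": info.file_size,
                                 "sha256": digest, "reasons": reasons})
    return findings


def build_sample_archive(with_lure: bool, variant: bytes = b"") -> bytes:
    """Constructed sample: a small document archive, optionally with a lure appended.

    `variant` is padding appended to the lure body so two archives can carry the
    same lure name with different checksums, mirroring the report's observation.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("reports/q1-summary.pdf", b"%PDF-1.4 constructed placeholder\n")
        zf.writestr("reports/notes.txt", b"constructed sample notes\n")
        if with_lure:
            # Placeholder HTA body; no script content.
            zf.writestr("Amazon.com Gift Card 500 USD.gift.hta",
                        b"<html><body>placeholder</body></html>" + variant)
    return buf.getvalue()


if __name__ == "__main__":
    for label, archive in (("clean", build_sample_archive(False)),
                           ("lure-a", build_sample_archive(True, b"a")),
                           ("lure-b", build_sample_archive(True, b"b"))):
        hits = suspicious_members(archive)
        print(label, hits if hits else "no findings")
```

Run against the two lure variants, the script reports the same member name and reasons with two different SHA-256 values, which is exactly the gap a checksum-only blocklist leaves open. In production the same check belongs at the mail gateway or endpoint scanner, applied to any archive that arrives or is modified on disk.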
“The attackers’ use of a variety of off-the-shelf tools makes it difficult to attribute this activity to a specific adversary,” explained Cisco Talos.
Despite the uncertainty regarding attribution, however, the company said all three campaigns saw threat actors deliver ModernLoader as the final payload, which in turn acted as a remote access trojan (RAT) by gathering system information and deploying additional modules.
“In the earlier campaigns from March, we also observed the attackers delivering the cryptocurrency mining malware XMRig,” the company said.
“The March campaigns appeared to be targeting Eastern European users, as the builder utility we analyzed had predefined script templates written in Bulgarian, Polish, Hungarian and Russian.”
In its advisory, Cisco Talos also included a link to a list of indicators of compromise associated with the threat.
The post comes days after the company held a webinar where it renewed its cybersecurity support for Ukraine on the occasion of the country’s Independence Day.