Cybersecurity researchers have revealed details of a phishing campaign that provides a remote access trojan that has been turned into stealth banking malware called Master Rats.
Phishing attacks incorporate many advanced evasion techniques, extending functionality by providing full control over compromised systems, Siphon-sensitive data and providing secondary plugins, says Fortinet Fortiguard Labs.
“This includes the use of a simple programming language (EPL) to develop step-by-step payloads, hiding malicious operations, disabling security tools to prevent alert triggers, ensuring command-and-control (C2) communication using mutual TLS (MTL), supporting various ways to deploy additional payloads, and installing popular remote tools.
EPL is an ambiguous visual programming language that supports traditional Chinese, simplified Chinese, English and Japanese variants. This is primarily intended for users who are not proficient in English.
Designed primarily to target Japanese users, emails are Microsoft Word files that embed ZIP archives by leveraging lures associated with business inquiries and clicking on malicious links that go to infected sites to deceive recipients.
The executable file that resides in the ZIP file is an executable that triggers the execution of Mosterat and is used to drop several tools such as AnyDesk, Tigervnc, TigeVNC, etc. using modules written in EPL. A notable aspect of malware is its ability to disable Windows security mechanisms and block network traffic related to a hard-coded list of security programs.
“This traffic blocking technique is similar to the known red team tool “Edrsilencer.” This uses Windows Filtering Platform (WFP) filters to prevent filters from using multiple stages of the network communications stack, connecting to the server and sending detection data, alerts, event logs, or other telemetry,” says Wan.
The other is a function that runs as TrustEdInStaller, an internal Windows system account with high privileges, allowing you to interfere with important Windows processes, modify Windows registry entries, and delete system files.
Additionally, one of the modules deployed by Mothererat is equipped to monitor foreground window activity related to Alibaba’s seller tools, log keystrokes, sending heartbeat signals to external servers, and Qianniu related to process commands issued by the server.
The command collects details of the victim’s host, runs a DLL, EPK, or EXE file, reads shellcode, reads/deletes files, inserts EXE into svChost.exe using early bird injection, enumerates users, captures screenshots, promotes RDP logins, and even creates and adds hidden users to the administrators group.
“These tactics significantly increase the difficulty of detection, prevention and analysis,” Fortinet said. “In addition to updating solutions, it remains essential to educate users about the dangers of social engineering.”
Clickfix gets another novel twist
The findings coincide with the emergence of another campaign that employs “Clickfix-Ensque Technique,” and distribute a commodity information steeler known as Metastealer to users searching for tools like AnyDesk.
The attack chain will provide a fake Cloudflare turnstyle page before downloading the expected anydesk installer and ask you to click on the check box to complete the confirmation step. However, this action triggers a pop-up message asking you to open Windows File Explorer.
When Windows File Explorer is opened, the PHP code hidden in the turnstyle verification page is configured to use the “Search MS:” URI protocol handler.
The LNK file activates a series of steps to collect host names and executes an MSI package that is responsible for the removal of Metastealer.
“These types of attacks that require some degree of manual interaction from the victim work to “fix” the broken process itself, which may allow you to bypass the security solution,” Huntress said. “Threat officials continue to move the needle with the infection chain, throwing the wrench into detection and prevention.”
This disclosure is also made as CloudSek has detailed a new adaptation of Clickfix social engineering tactics that weaponize AI systems using CSS-based obfuscation methods and create a summary containing the instructions for clickfixes controlled by attackers.
Proof-of-concept (POC) attacks are achieved using a strategy called prompt overdose. This strategy is extensively embedded in HTML content to dominate the context window of large language models to manipulate the output.
“This approach targets summaries embedded in applications such as email clients, browser extensions, and productivity platforms,” the company said. “By leveraging trust users’ locations in AI-generated summaries, this method secretly provides malicious, step-by-step instructions that can facilitate ransomware deployment.”
“Prompt Overdose is an operational technique that overwhels the context window of an AI model with dense, repetitive content and controls the output. By saturating input with text selected by the attacker, legitimate context is pushed aside, and model attention is pulled back to the injected payload.”
Source link
