New malicious campaign targets Indian industries

Seqrite researchers noted that malware actors are leveraging multiple sophisticated techniques in a campaign to bypass traditional defence mechanisms.

Seqrite claimed it is successfully detecting and blocking such attempts using its patented Signatureless and Signature-based detection technology. Some of the common Remote Access Tools used by the attackers are Agent Tesla, Remcos RAT, and NanoCore RAT.

The attackers generally use publicly available services such as Pastebin and Bitly to host their payloads, since hiding behind legitimate services helps them remain undetected, Seqrite noted.

How does the attack begin?

The attack begins with a phishing email sent to a genuine user. It carries MS Office PowerPoint files containing a malicious Visual Basic for Applications (VBA) macro.

Cyber attackers use VBA programming in Microsoft Office macros as a medium to spread viruses, worms, and other forms of malware on a computer system.

After execution, the malware abuses pre-existing legitimate software to download the malicious payload from Pastebin and continues to spread the infection.

Techniques used in the attack campaign

LoLBins or living-off-the-land binaries: Attackers abuse these built-in legitimate tools for malicious objectives because security products usually whitelist them.

Hosting payloads on the legitimate file hosting service Pastebin: By hosting the malicious payload on Pastebin, a web-based platform widely used for source code sharing, attackers can bypass network security controls and enter the computer system to steal critical data.

Bypassing the Anti-Malware Scan Interface (AMSI): Cyber attackers use a variety of techniques to bypass AMSI and so avoid detection by security products.

In-memory payload execution (fileless technique): A fileless infection loads malicious code directly into the system's memory and evades anti-virus protection, as there is no file to be scanned and analysed.

Timely detection and blocking of such attack campaigns is essential for maintaining the integrity of, and trust in, businesses.

Seqrite suggested users exercise ample caution and avoid opening attachments and clicking on web links in unsolicited emails.

Businesses should consider disabling macros, keeping their Operating Systems (OS) updated, and having a full-fledged security solution installed on all their devices.

Microsoft issues huge warning on phishing

Microsoft has issued an alert to users concerning a new widespread COVID-19 themed phishing campaign that installs the NetSupport Manager remote administration tool to completely take over a user’s system and execute commands on it remotely.

The Microsoft Security Intelligence team provided further details on the ongoing campaign, saying that cybercriminals were using malicious Excel attachments to infect users' devices with a remote access trojan (RAT).

The attack begins with potential victims receiving an email that impersonates the Johns Hopkins Center.

“This increases the chances of attacks without the proper security checks in place, but coupled with authentic-looking emails with a genuine reason to use remote software, it becomes a plausible con. Moreover, it would seem many people have relaxed their barrier to phishing scams amid the desperation to find the latest COVID-19 news, so when scammers use names like Johns Hopkins University, this seems to be working better than the classic Netflix or HMRC scams,” he explains.

Microsoft says, “We’re tracking a massive campaign that delivers the legitimate remote access tool NetSupport Manager using emails with attachments containing malicious Excel 4.0 macros. The COVID-19 themed campaign started on May 12 and has so far used several hundreds of unique attachments.

“The emails purport to come from Johns Hopkins Center bearing “WHO COVID-19 SITUATION REPORT”. The Excel files open w/ security warning & show a graph of supposed coronavirus cases in the US. If allowed to run, the malicious Excel 4.0 macro downloads & runs NetSupport Manager RAT.”

“For several months now, we’ve been seeing a steady increase in the use of malicious Excel 4.0 macros in malware campaigns. In April, these Excel 4.0 campaigns jumped on the bandwagon and started using COVID-19 themed lures.

“The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload. NetSupport Manager is known for being abused by attackers to gain remote access to and run commands on compromised machines. The NetSupport RAT used in this campaign further drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. It connects to a C2 server, allowing attackers to send further commands.”
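A defender-side triage check for the two macro carriers this article names (Excel 4.0 macro sheets and VBA projects), added here as an example and not code from Microsoft or Seqrite: it opens an Office Open XML workbook container and flags Excel 4.0 (XLM) macro sheet parts, Auto_Open-style defined names and a VBA project part. It assumes the .xlsx/.xlsm zip layout and constructs its own sample workbook; legacy binary .xls lures would need a BIFF parser instead.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
SS_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"  # Excel 4.0 (XLM) sheet part
AUTO_NAME = re.compile(r"(?i)^(_xlnm\.)?auto_(open|close|activate|deactivate)$")

def inspect_workbook(data: bytes) -> dict:
    """Return macro indicators found in an Office Open XML workbook (zip bytes)."""
    found = {"xlm_macrosheets": [], "auto_names": [], "vba_project": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Excel 4.0 macro sheets are declared with their own content type.
        if "[Content_Types].xml" in names:
            for ov in ET.fromstring(zf.read("[Content_Types].xml")).iter("{%s}Override" % CT_NS):
                if ov.get("ContentType") == MACROSHEET_CT:
                    found["xlm_macrosheets"].append(ov.get("PartName"))
        # Auto_Open/Auto_Close names run an XLM sheet on open (assumption: "_xlnm." prefix optional).
        if "xl/workbook.xml" in names:
            for dn in ET.fromstring(zf.read("xl/workbook.xml")).iter("{%s}definedName" % SS_NS):
                if AUTO_NAME.match(dn.get("name", "")):
                    found["auto_names"].append(dn.get("name"))
        # A VBA project part covers the VBA macro lures (e.g. the PowerPoint campaign).
        found["vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    found["suspicious"] = bool(found["xlm_macrosheets"] or found["auto_names"] or found["vba_project"])
    return found

def build_sample(with_xlm: bool) -> bytes:
    """Constructed minimal workbook container for testing, not a real lure document."""
    overrides = ['<Override PartName="/xl/workbook.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>']
    defined = []
    if with_xlm:
        overrides.append('<Override PartName="/xl/macrosheets/sheet1.xml" '
                         'ContentType="%s"/>' % MACROSHEET_CT)
        defined.append('<definedName name="Auto_Open" hidden="1">Macro1!$A$1</definedName>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<Types xmlns="%s">%s</Types>'
                    % (CT_NS, "".join(overrides)))
        zf.writestr("xl/workbook.xml", '<workbook xmlns="%s"><definedNames>%s'
                    '</definedNames></workbook>' % (SS_NS, "".join(defined)))
        if with_xlm:
            zf.writestr("xl/macrosheets/sheet1.xml", "<xm/>")
    return buf.getvalue()
```

A hit is a signal to quarantine or sandbox the attachment rather than a verdict, since legitimate workbooks also carry macros.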