Hackers Use Modern Loader to Infect Systems with Stealers and Cryptominers

As many as three disparate but related campaigns between March and Jun 2022 have been found to deliver a variety of malware, including ModernLoader, RedLine Stealer, and cryptocurrency miners onto compromised systems.

Yellow Dots Green Leaf Shape Yellow Leaf

"The actors use PowerShell, .NET assemblies, and HTA and VBS files to spread across a targeted network, eventually dropping other pieces of malware, such as the SystemBC trojan and DCRat, to enable various stages of their operations," Cisco Talos researcher Vanja Svajcer said in a report shared with The Hacker News.

Yellow Leaf Green Leaf Shape Yellow Leaf

Cisco Talos attributed the infections to a previously undocumented but Russian-speaking threat actor, citing the use of off-the-shelf tools. Potential targets included Eastern European users in Bulgaria, Poland, Hungary, and Russia.

Infection chains discovered by the cybersecurity firm involve attempts to compromise vulnerable web applications like WordPress and CPanel to distribute the malware by means of files that masquerade as fake Amazon gift cards.

The first stage payload is a HTML Application (HTA) file that runs a PowerShell script hosted on the command-and-control (C2) server to initiate the deployment of intertim payloads that ultimately inject the malware using a technique called process hollowing.

Craw Security

[{"selector":"#anim-33740858-82e9-4baa-8f48-8b0bcba3e650","keyframes":{"opacity":[0,1]},"delay":50,"duration":3000,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"both"}] [{"selector":"#anim-c479527f-96da-4445-9c13-c982a8044190","keyframes":{"opacity":[0,1]},"delay":150,"duration":3000,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"both"}] [{"selector":"#anim-4a09c818-b9b7-418c-8544-6fad3ab41be9","keyframes":[{"transform":"rotate(-179deg) rotate(-540deg) scale(0.1) rotate(179deg)","opacity":0},{"transform":"none","opacity":1}],"delay":0,"duration":1000,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"both","iterations":1}] [{"selector":"#anim-91396de1-28f1-4112-8541-95e99d80fdf8","keyframes":{"opacity":[0,1]},"delay":50,"duration":3000,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"both"}] [{"selector":"#anim-fb4ca993-890d-41e0-bf52-b74a0ba4ff77","keyframes":{"transform":["translate3d(109.45559%, 0px, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":1000,"easing":"cubic-bezier(.2, 0, .8, 1)","fill":"both"}] [{"selector":"#anim-4d1e8a28-612f-4a9d-b203-e890ae4de3f7","keyframes":{"transform":["rotateZ(180deg)","rotateZ(0deg)"]},"delay":0,"duration":1000,"easing":"cubic-bezier(.2, 0, .5, 1)","fill":"forwards"}] Wanda Winfrey Learn more

Hackers Use Modern Loader to Infect Systems with Stealers and Cryptominers

As many as three disparate but related campaigns between March and Jun 2022 have been found to deliver a variety of malware, including ModernLoader, RedLine Stealer, and cryptocurrency miners onto compromised systems.

Cisco Talos attributed the infections to a previously undocumented but Russian-speaking threat actor, citing the use of off-the-shelf tools. Potential targets included Eastern European users in Bulgaria, Poland, Hungary, and Russia.

Infection chains discovered by the cybersecurity firm involve attempts to compromise vulnerable web applications like WordPress and CPanel to distribute the malware by means of files that masquerade as fake Amazon gift cards.

The first stage payload is a HTML Application (HTA) file that runs a PowerShell script hosted on the command-and-control (C2) server to initiate the deployment of intertim payloads that ultimately inject the malware using a technique called process hollowing.

Craw Security

Visit our website

Contact Now: 951 380 5401

Latest News

www.craw.in

www.news4hackers.com

Cyber Security Courses after 12th