Researchers have analyzed an active campaign targeting US taxpayers to distribute both the NetWire and Remcos Trojans.
Tax season is here and US citizens are submitting their forms before the April deadline, which also makes this a prime time for attackers to run campaigns designed to take advantage of the annual obligation.
Criminals running campaigns to steal sensitive information, unless they are simply spraying and praying, will often pick a specific theme or situation in the hope of finding a lure convincing enough to trick the victim into clicking a malicious link or downloading a malware-laden attachment.
Examples include a ‘fraud’ warning from a bank, student loan repayment demands, bogus IRS investigations, or notices purporting to come from legitimate companies such as PayPal warning of unauthorized transactions.
During tax season, phishing emails often carry tax-related content, and a cluster of active campaign operators has chosen to use this theme.
According to research published by Cybereason on Thursday, the criminals' messages come with attachments that use malicious macros to deliver the NetWire and Remcos Remote Access Trojans (RATs).
A sample document, themed around sensitive identity theft, showed that once opened its content is blurred and the victim is asked to enable macros and editing in order to view the text. If they agree, the macro deploys its payload: a DLL loader for one of the two Trojans, written to the /temp directory.
The DLL is then side-loaded into the Notepad application, and the infection chain continues by decoding an embedded data blob with an XOR key to reveal the next stage. A connection to a command-and-control (C2) server is established, an OpenVPN client is downloaded, and a Trojanized DLL is side-loaded alongside it to maintain remote persistence.
This side-loaded DLL is responsible for extracting another DLL, loading it into memory and injecting it into Notepad. The next package is retrieved from the legitimate Imgur image-hosting service; this payload, hidden inside an image file using a technique known as steganography, is one of the two Trojans.
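The side-loading step above, where a benign host process such as Notepad loads an unsigned DLL from a temp directory and then starts talking to the network, is the kind of behaviour a defender can hunt for in endpoint telemetry. The following script is an added example, not code from the Cybereason report; it assumes Sysmon-style ImageLoad (ID 7) and NetworkConnect (ID 3) events and runs over constructed sample events.

```python
"""Hunt for the DLL side-loading pattern from the article in Sysmon-style events.

Assumption: events carry Sysmon's ImageLoad (EventID 7) and NetworkConnect
(EventID 3) field names. All sample events below are constructed, not real telemetry.
"""
import re

TEMP_DIR = re.compile(r"\\(Temp|tmp)\\", re.IGNORECASE)
HOST_PROCESSES = {"notepad.exe"}  # benign hosts seen in the chain; extend as needed

SAMPLE_EVENTS = [  # constructed sample data, not from the campaign
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\helper.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 3, "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
]


def process_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a finding label for one event, or None if it looks benign."""
    proc = process_name(event.get("Image", ""))
    if proc not in HOST_PROCESSES:
        return None
    if event.get("EventID") == 7:
        dll = event.get("ImageLoaded", "")
        # An unsigned DLL loaded by a benign host from a temp directory matches
        # the drop-then-side-load step of the infection chain.
        if TEMP_DIR.search(dll) and event.get("Signed", "").lower() != "true":
            return f"side-load: {proc} loaded unsigned {dll}"
    elif event.get("EventID") == 3:
        # Notepad has no reason to open network connections; one from it is
        # consistent with an injected RAT reaching out to its C2 server.
        return f"net: {proc} -> {event.get('DestinationIp')}:{event.get('DestinationPort')}"
    return None


def hunt(events):
    """Run classify() over a list of events and return the non-empty findings."""
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Signed-DLL and temp-path checks alone will produce noise on hosts that legitimately run installers from temp directories, so in practice the two findings are best correlated per process rather than alerted on individually.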
Remcos and NetWire RAT functionality includes taking screenshots, keylogging, stealing browser data, harvesting files, collecting operating system information, and the ability to download and execute additional malware.
The RATs are commercially available on underground platforms and are offered on a cheap Malware-as-a-Service (MaaS) basis, with subscriptions available for $10, which gives these Trojan variants a large potential customer base.
“The use of various techniques such as steganography, the use of legitimate cloud-based resources, and the exploitation of legitimate DLL loading makes it extremely difficult to detect these campaigns,” notes Assaf Dahan, head of threat research at Cybereason. “Sensitive data collected from victims can be sold in underground communities and used to commit all forms of data theft and financial fraud.”