Saturday, June 12, 2021

NetWire and Remcos Trojan targeted US taxpayers

Must Read

Kawasaki Heavy Industries reports data breach

Kawasaki Heavy Industries, Ltd. announced that it was subject to unauthorized access from outside the company. As a result...

Internet control laws in Indonesia pose a serious threat to the right to free speech: EFF

The Electronic Frontier Foundation (EFF) has called on the Indonesian government to amend its rules governing the internet, saying...

Emotet Returns as Top Malware Threat in December

The notorious Emotet Trojan is back on peak of the malware graphs, having had a makeover designed to make...

Investigators have analyzed an effective campaign targeted by US taxpayers to distribute both NetWire and Remcos Trojans.

The tax season is now here and US citizens submitting their forms before the April deadline, this is also a good time for attackers to use campaigns designed to take advantage of the annual requirement.

Criminal Runs campaigns to steal sensitive information, unless they are just attempting to spray and pray, will often encounter a specific theme or situation to try to find an adequate response to deceive the victim by clicking the wrong link or downloading a malware-filled attachment.

Examples include a ‘fraud’ bank warning, student loan repayment claims, fraudulent investigations by the IRS, or notices from legitimate companies such as PayPal warning about unauthorized transactions.

When it comes to the tax season, phishing junk emails often contain tax-related content, and this is a cluster of active campaign managers who have chosen to use it.

According to a study published by Cybereason on Thursday, criminal messages come with attachments using malicious macros to supply NetWire and Remcos Remote Access Trojans (RATs).

Samples of a sensitive identity theft document have shown that once unlocked, the content will be blurred and victims are asked to enable macros and editing to view text. If they agree, the “highly acquired” macro loses its harm. DLL paid – drag for one of the two Trojans – in the / temp index.

.DLL is then installed on the Notepad software and the infection series continues with the removal of data tracking data with the XOR key to release the active code. A command-to-command (C2) server is established and an OpenVPN client is downloaded, as well as a Trojanized -loaded Trojanized. DLL to maintain remote persistence.

This side-loaded DLL is responsible for extracting another. DLL uploaded it to memory and inserted it into Notepad. The other package is extracted from the official Imgur photography service, and this package – hidden inside the image file in a form known as steganography – is one of Trojans.

Remcos and NetWire RAT functionality include taking screenshots, installing key logs, stealing browser logs and attachment data, file harvesting, theft of OS information, and the ability to download and create additional malware.

RATs are commercially available at underground platforms and are offered on a cheap Malware-as-a-Service (MaaS) base, available for $ 10 per subscription – which keeps a potential customer base for large Trojan variants.

“The use of various techniques such as steganography, maintaining cloud-based legal resources, and exploiting the loading of official DLL software makes it extremely difficult to detect these campaigns,” notes Assaf Dahan, head of threat research at Cybereason. “Sensitive data collected from victims can be sold to underground communities and used to commit all forms of data theft and financial fraud.”

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.


Please enter your comment!
Please enter your name here

Latest News

An error of coding results attacker will delete a live video of Facebook

Facebook has solved the problem of Programming errors on live video services that allow attackers to successfully remove video...

What is a Cyber Attack or Virtual Attack

Firstly We Wil Discuss About Cyberattack or we will also say virtual attack. A Cyberattack is a type of attack that will be done...

Firefox 88 start disabling FTP with removal set for Firefox 90

Firefox 88 update has disabled File Transfer Protocol (FTP) support completely from the browser. The handling of clicking on FTP links from within Firefox...

Google Project Zero giving The 30-day grace period for user patch adoption

Google Project Zero will be shifting from a fairly hard 90-day deadline to a new model that incorporates a new 30-day grace period to...

Parking app ParkMobile experiences data breach of 21M Users

The popular mobile app that drivers use to pay and find available public parking in Pittsburgh and in other cities experienced a data breach...

More Articles Like This