Friday, September 24, 2021

NetWire and Remcos Trojan targeted US taxpayers

Must Read

Crypto Exchange Binance Banned in UK by Financial Regulators

The British Financial Conduct Authority(FCA) has issued a consumer warning against Binance Markets Ltd., banning cryptocurrency exchanges from performing...

A Fifth of Consumers Affected by Identity Fraud in 2020

One in five individuals is influenced by identity fraud this year, having been advised that their private information was...

Chinese Cloud Hopper Attackers Use Zerologon at New Campaign

Chinese state-sponsored attackers are working a significant worldwide campaign against several verticals harnessing the Zerologon vulnerability, based on a...

Investigators have analyzed an effective campaign targeted by US taxpayers to distribute both NetWire and Remcos Trojans.

The tax season is now here and US citizens submitting their forms before the April deadline, this is also a good time for attackers to use campaigns designed to take advantage of the annual requirement.

Criminal Runs campaigns to steal sensitive information, unless they are just attempting to spray and pray, will often encounter a specific theme or situation to try to find an adequate response to deceive the victim by clicking the wrong link or downloading a malware-filled attachment.

Examples include a ‘fraud’ bank warning, student loan repayment claims, fraudulent investigations by the IRS, or notices from legitimate companies such as PayPal warning about unauthorized transactions.

When it comes to the tax season, phishing junk emails often contain tax-related content, and this is a cluster of active campaign managers who have chosen to use it.

According to a study published by Cybereason on Thursday, criminal messages come with attachments using malicious macros to supply NetWire and Remcos Remote Access Trojans (RATs).

Samples of a sensitive identity theft document have shown that once unlocked, the content will be blurred and victims are asked to enable macros and editing to view text. If they agree, the “highly acquired” macro loses its harm. DLL paid – drag for one of the two Trojans – in the / temp index.

.DLL is then installed on the Notepad software and the infection series continues with the removal of data tracking data with the XOR key to release the active code. A command-to-command (C2) server is established and an OpenVPN client is downloaded, as well as a Trojanized -loaded Trojanized. DLL to maintain remote persistence.

This side-loaded DLL is responsible for extracting another. DLL uploaded it to memory and inserted it into Notepad. The other package is extracted from the official Imgur photography service, and this package – hidden inside the image file in a form known as steganography – is one of Trojans.

Remcos and NetWire RAT functionality include taking screenshots, installing key logs, stealing browser logs and attachment data, file harvesting, theft of OS information, and the ability to download and create additional malware.

RATs are commercially available at underground platforms and are offered on a cheap Malware-as-a-Service (MaaS) base, available for $ 10 per subscription – which keeps a potential customer base for large Trojan variants.

“The use of various techniques such as steganography, maintaining cloud-based legal resources, and exploiting the loading of official DLL software makes it extremely difficult to detect these campaigns,” notes Assaf Dahan, head of threat research at Cybereason. “Sensitive data collected from victims can be sold to underground communities and used to commit all forms of data theft and financial fraud.”

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.

Leave a reply

Please enter your comment!
Please enter your name here

Latest News

Attackers Using Morse Code in phishing campaign to Evade Detection

Microsoft on Thursday revealed the techniques used by attackers to avoid detection using morse code in the phishing campaign.Microsoft...

Murata Manufacturing suffers data breach of employees and customer

Japanese electronic components manufacturer Murata has released an apology Notice for the data breach of thousands of files in June that contained bank account...

Everything about Signalling System 7(SS7)

Signaling System 7 (SS7) is an international telecommunication protocol standard that controls and regulates the network elements in a public switched telephone network (PSTN)....

Zimbra flaw lets attackers access the mail servers

Researchers discovered a flaw in the open-source Zimbra code. As a result, an attacker would gain unrestricted access to all sent and received emails...

Apple Releases patches for an actively exploited zero-day flaw in ios, macOS

Apple on Monday Release an urgent security patch for iOS,macOS, iPadOS, to address a zero-day flaw that has been actively exploited.Apple has revealed that...

More Articles Like This