Three Cybersecurity Campaigns Unveiled
Between March and June 2022, three interconnected campaigns surfaced that delivered the ModernLoader bot, the RedLine information stealer and cryptocurrency-mining malware. Security researchers at Cisco Talos brought the campaigns to light and established the link between the seemingly unrelated threats. The threat actors compromised vulnerable web applications and used them to distribute malware disguised as fake Amazon gift cards.
Uncovering the Technique
During their investigation, Cisco Talos researchers identified a specific technique employed by the threat actors. On one of the infected systems in their telemetry data, they observed a file posing as an Amazon voucher, named “Amazon.com Gift Card 500 USD.gift.hta”, being added to RAR, 7-Zip and ZIP archives. The “.gift” infix is there to make the name look like a voucher; the real extension is .hta, an HTML Application that Windows runs through mshta.exe when the victim double-clicks it. Each copy of the file had a different checksum, a light obfuscation step aimed at defeating hash-based detection.
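A practical check that follows from this technique is to inspect archive contents for script payloads hiding behind a lure name, rather than relying on a hash of any one sample. The following is an added example written for this page, not code from Cisco Talos or from the report. It uses only the Python standard library, so it handles ZIP archives; RAR and 7-Zip would need a third-party reader such as rarfile or py7zr, which is left out here. The archive contents, the harmless HTA body and the helper names (`scan_zip_bytes`, `build_sample_zips`, `build_benign_zip`) are all constructed for the example; only the lure filename comes from the report.

```python
"""Flag archive members whose final extension is executable and whose name
looks like a gift-card lure. Added example, not the report's own tooling.
Standard-library only, so ZIP is the only format handled here (assumption:
RAR/7-Zip would be read via third-party libraries with the same logic)."""
import hashlib
import io
import re
import zipfile

# Extensions Windows executes on double-click; .hta runs under mshta.exe.
EXECUTABLE_EXTS = {".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1",
                   ".exe", ".scr", ".cmd", ".bat", ".lnk"}

# Lure wording seen in the campaign: a "gift card" name or a ".gift." infix.
LURE_RE = re.compile(r"gift\s*card|\.gift\.", re.IGNORECASE)


def split_exts(member_name):
    """All dotted suffixes of a member's basename: 'x.gift.hta' -> ['.gift', '.hta']."""
    base = member_name.rsplit("/", 1)[-1]
    return ["." + p.lower() for p in base.split(".")[1:]]


def scan_zip_bytes(data):
    """Return one finding per member whose last extension is executable.

    Each finding carries the member name, its SHA-256 and the rules it tripped.
    The rules, not the hash, are what a detection should key on, because the
    campaign varied the payload bytes from copy to copy.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = split_exts(info.filename)
            if not exts or exts[-1] not in EXECUTABLE_EXTS:
                continue
            reasons = ["executable extension " + exts[-1]]
            if len(exts) > 1:
                reasons.append("multiple extensions " + "".join(exts))
            if LURE_RE.search(info.filename):
                reasons.append("gift-card lure name")
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            findings.append({"name": info.filename, "sha256": digest, "reasons": reasons})
    return findings


# Constructed, harmless stand-in for the lure: an HTA that only shows a message box.
HTA_BODY = (b'<html><head><script language="VBScript">'
            b'MsgBox "constructed sample"</script></head></html>')
LURE_NAME = "Amazon.com Gift Card 500 USD.gift.hta"   # filename from the report


def build_zip(members):
    """Build an in-memory ZIP from {name: bytes}; constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_zips():
    """Two archives carrying the same lure, each padded with a different HTML
    comment, reproducing the per-copy checksum variation the report describes."""
    first = build_zip({LURE_NAME: HTA_BODY + b"<!-- a -->",
                       "readme.txt": b"Your voucher is attached."})
    second = build_zip({LURE_NAME: HTA_BODY + b"<!-- b -->",
                        "readme.txt": b"Your voucher is attached."})
    return first, second


def build_benign_zip():
    """An archive with no script members; should produce no findings."""
    return build_zip({"invoice.pdf": b"%PDF-1.4 constructed", "notes.txt": b"hi"})


if __name__ == "__main__":
    for blob in build_sample_zips():
        for f in scan_zip_bytes(blob):
            print(f["sha256"][:16], f["name"], "|", "; ".join(f["reasons"]))
    print("benign archive findings:", scan_zip_bytes(build_benign_zip()))
```

Running the block prints two findings with the same name and reasons but different SHA-256 values, which is the point: an indicator list keyed on one sample's hash misses the second copy, while the extension and lure-name rules catch both.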
Diverse Arsenal of Tools
The threat actors used a range of tools, including PowerShell, .NET assemblies, and HTA and VBS files, to spread within targeted networks. They then deployed additional malware such as the SystemBC trojan and DCRAT to carry out their operations. Because these are all off-the-shelf tools, attributing the activity to a specific adversary proved difficult.
Common Denominator: ModernLoader
What ties the three campaigns together is that all of them delivered ModernLoader as the final payload. ModernLoader is a .NET remote access trojan (RAT) that collects system information, runs commands and downloads additional modules. The earlier campaigns from March also distributed the XMRig cryptocurrency miner and focused on users in Eastern Europe.
Indicators of Compromise
Cisco Talos published an advisory with a list of indicators of compromise for these threats, which defenders can use to hunt for and contain related activity.
Support for Ukraine
Separately, Cisco Talos reaffirmed its commitment to cybersecurity support for Ukraine on the occasion of the country’s Independence Day, underscoring the role of collaborative efforts in combating cyber threats on a global scale.