In this version of the Hacker's Playbook Threat Coverage round-up, we are highlighting attack coverage for newly discovered or analyzed threats, including a newly created scenario that leverages AI Generated malware.
McAfee Labs researchers recently came across an email campaign delivering the GuLoader malware via a malicious Scalable Vector Graphics (SVG) file.
According to the researchers, the infection would begin when the malicious SVG file was opened from an email attachment.
Upon execution of this WSF file, a PowerShell command would be executed to establish a connection with a malicious domain.
A shellcode would then be injected into the MSBuild application, facilitating further malicious actions.
The final stage used the injected shellcode to download and execute the final malicious executable.
The phishing email contains a PDF file and asks the receiver to open the attachment to confirm receipt of a payment.
Upon opening and extracting the attachment, a malicious command file is executed that delivers the Kutaki information-stealing malware.
Victims were lured via PDF files that led them to malicious websites exploiting the Microsoft Windows SmartScreen bypass vulnerability CVE-2024-21412, eventually leading them to malicious Microsoft installers.
These fake and malicious MSI installers contained a sideloaded DLL file that decrypted and infected users with a DarkGate malware payload. DarkGate typically operates on a malware-as-a-service model and is one of the most prolific, sophisticated, and active strains of malware.
Net domain inside a PDF file served via the phishing campaign.
Victims must click the button inside the PDF file to trigger the CVE-2024-21412 exploit; a Google DoubleClick open redirect then sends them to a compromised web server hosting a .URL Internet shortcut file.
These malicious URLs then lead to a compromised SharePoint or a fake OneDrive site used by attackers to evade detection.
Both versions are generated using the Windows Installer XML Toolset version 3.11.0.1528; once executed, they drop two files into a randomly named directory under ProgramData.
One of them is the legitimate software language interpreter executable and the other is the malicious script.
Once executed, the malicious script sends the victim's machine information to the C2 server.
A new malicious backdoor has been discovered in a compression utility known as xz Utils.
According to Andres Freund, the developer who discovered this backdoor, the malicious code added to versions 5.6.0 and 5.6.1 of xz Utils modifies the way the compression tool functions.
The backdoor manipulates sshd, the executable that handles remote SSH connections.
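As an added example (not from the original article, and not SafeBreach or xz Utils code), the following host triage script checks whether the local xz tool or liblzma is one of the two backdoored releases named above and whether sshd is linked against liblzma, the path by which the backdoor reached sshd. It assumes a Linux host with `xz` and `ldd` available; the sshd location is only probed if present.

```shell
#!/bin/sh
# Added example: triage check for the xz Utils backdoor (versions 5.6.0 and
# 5.6.1). Parses `xz --version`, flags affected versions of both the xz tool
# and liblzma, and reports whether sshd is dynamically linked to liblzma.
# Assumptions: Linux host, xz and ldd in PATH, sshd optional.

# True (exit 0) when the version string is one of the backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print "<xz version> <liblzma version>" from `xz --version` text passed as $1.
# Typical output: "xz (XZ Utils) 5.4.5" followed by "liblzma 5.4.5".
parse_xz_versions() {
    printf '%s\n' "$1" | awk '/XZ Utils/ { x = $NF } /^liblzma/ { l = $NF }
                              END { print x, l }'
}

# True when ldd shows the sshd binary linking liblzma (directly or transitively).
sshd_links_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null || printf '/usr/sbin/sshd')
    [ -x "$sshd_path" ] || return 2
    ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma'
}

main() {
    out=$(xz --version 2>/dev/null) || { echo "xz not installed; nothing to check"; return 0; }
    set -- $(parse_xz_versions "$out")
    for v in "$1" "$2"; do
        if xz_version_affected "$v"; then
            echo "WARNING: version $v is a backdoored xz Utils release"
        else
            echo "version $v is not in the affected set (5.6.0, 5.6.1)"
        fi
    done
    if sshd_links_liblzma; then
        echo "sshd links liblzma: a backdoored liblzma would be loaded into sshd"
    fi
}

main
```

A version match is only a first indicator; distributions that shipped the affected tarballs have since published patched builds, so confirm against your vendor's advisory.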
Empower your team to understand more about ransomware attacks, methodologies, and behaviors, all through the lens of the attacker.
This Cyber News was published on securityboulevard.com. Publication date: Thu, 30 May 2024 20:13:11 +0000