By
Asheer Malhotra and
Vitor Ventura, with contributions from
Vanja Svajcer.
-
Cisco Talos has observed a new malware campaign delivering commodity RATs, including njRAT and AsyncRAT.
-
The campaign targets travel and hospitality organizations in Latin America.
-
Techniques utilized in this campaign bear a resemblance to those of the Aggah group but are operated by a distinct threat actor based out of Brazil.
-
We've also discovered a builder/crypter known as "Crypter 3losh rat" used to generate various stages of the highly modularized infection chain used by the campaign operators.
-
We've also seen instances where the crypter author has operated their own malicious campaigns abusing archive[.]org.
What's new?
Cisco Talos recently observed a new set of campaigns targeting Latin American countries. These campaigns use a multitude of infection components to deliver two widely popular commodity malware and remote access trojans (RATs): njRAT and AsyncRAT.
We also discovered a .NET-based infection chain builder/crypter binary used to generate the malicious infection artifacts used in recent campaigns, including the ones targeting Latin America. Such builders indicate the author's intent to bundle malware generation functionalities for easy distribution and use by operators, customers and affiliates.
We've also observed some resemblance to the tactics and techniques used by a known crimeware actor "
Aggah," especially the final payload delivery stages. Aggah has traditionally utilized highly modular infection chains with a focus on hosting malicious payloads on public repositories such as Pastebin, Web Archive and Blogger.
How did it work?
The campaigns targeting Latin American countries consist of macro-enabled Office documents that act as the entry points into the infection. What follows is a modular chain of PowerShell and VB scripts, all working towards disabling anti-virus protection features such as
AMSI and eventually delivering the RAT payloads.
We've also observed some Aggah campaigns using similar infection chains including scripts and similar commodity malware. However, unlike Aggah, the operators working the Latin American campaigns tend to use either compromised or attacker-controlled websites to host their components and payloads instead of using public hosting services such as Blogger, Pastebin and Web Archive.
The infection chains used in these campaigns are built using a .NET-based crypter called "3losh crypter rat" [SIC]. This crypter has been actively advertised on social media by the authors and used to generate infection chains for campaigns operated by the crypter's authors themselves.
So what?
It is important for defenders to identify distinct adversaries and their tactics. The usage of crypters makes it
difficult to do so since completely disjointed actors can now generate identical infection chains for unrelated campaigns. Our research uncovers one such scenario where there are three distinct campaigns identified using the 3losh crypter: the Latin American campaigns, the Aggah campaigns and those operated by the crypter authors.
All these campaigns however, aim to distribute commodity RAT families. Commodity malware families are increasingly being used by both crimeware and
APT groups to infect their targets. RATs in particular are extremely popular since they provide a wide range of functionalities to their operators to take advantage of the infected systems. These functionalities can be used for malicious activities such as:
-
Performing preliminary reconnaissance to scope out victim networks and infrastructure.
-
Deploying more malware such as ransomware and wipers to disrupt enterprise operations.
-
Executing arbitrary commands.
-
Exfiltrating confidential and proprietary information from enterprises.
-
Stealing credentials, opening up more systems and services to unauthorized access.
Posts
Subscribe via Email