Wednesday , May 15 2024
Coding

Alert
VCURMS and STRRAT Trojans deployed via AWS and GitHub

infosecbulletin Wednesday , March 13 2024 Alert, International

FortiGuard Labs found a phishing campaign that tricks users into downloading a malicious Java downloader to spread new VCURMS and STRRAT remote access trojans.

The attackers stored malware on public services like Amazon Web Services (AWS) and GitHub to avoid detection. They used email as its command and control throughout the attack campaign. The receiving endpoint uses Proton Mail for privacy protection. Figure 1 shows the attack chain.

Newly circulated reserve theft is false: Bangladesh Bank

By infosecbulletin / Tuesday , May 14 2024
On Tuesday (14.05.2024) Bangladesh Bank spokesperson Majbaul Haque said to media that the information published in the report is completely...
Read More
Newly circulated reserve theft is false: Bangladesh Bank

Bangladesh bank published CBS guideline Version 2.0

By infosecbulletin / Monday , May 13 2024
The banking industry in Bangladesh is the core driver in economic development of the country. The focus on inclusion and...
Read More
Bangladesh bank published CBS guideline Version 2.0

Fortinet report
Attackers exploiting vulnerabilities 50% faster, just 4.76 days

By infosecbulletin / Monday , May 13 2024
Fortinet reported that in the second half of 2023, the average time form the disclosure of a vulnerability to its...
Read More
Fortinet report Attackers exploiting vulnerabilities 50% faster, just 4.76 days

TechCrunch report
Indian gov.t sites compromised to plant online betting ads

By infosecbulletin / Sunday , May 12 2024
Indian government websites have been used by scammers to place ads that send visitors to online betting sites. TechCrunch found...
Read More
TechCrunch report Indian gov.t sites compromised to plant online betting ads

Damage Costs Predicted To Exceed $265 Billion By 2031
Ransomware expected to attack every 2 seconds by 2031

By infosecbulletin / Sunday , May 12 2024
Ransomware damage costs are predicted to exceed $265 billion by 2031, and it is expected to be the fastest growing...
Read More
Damage Costs Predicted To Exceed $265 Billion By 2031 Ransomware expected to attack every 2 seconds by 2031

ALERT CISA WARNS
Black Basta ransomware breached over 500 orgs worldwide

By infosecbulletin / Saturday , May 11 2024
CISA, FBI, HHS, and MS-ISAC released a joint Cybersecurity Advisory called #StopRansomware: Black Basta. It provides tactics, techniques, procedures, and...
Read More
ALERT CISA WARNS Black Basta ransomware breached over 500 orgs worldwide

Cyber Attack On Data Center Cooling Systems results disruption

By infosecbulletin / Saturday , May 11 2024
According to cybersecurity analysts at Dragos, while cloud adoption offers many benefits for industrial companies , it also poses certain...
Read More
Cyber Attack On Data Center Cooling Systems results disruption

Chrome Zero-Day Alert — Update Your Browser to Patch

By infosecbulletin / Friday , May 10 2024
Google released an urgent security update for Chrome browser. The update fixes a critical vulnerability that is already being exploited...
Read More
Chrome Zero-Day Alert — Update Your Browser to Patch

Dell Discloses Data Breach: 49 million customers allegedly affected

By infosecbulletin / Friday , May 10 2024
A security breach has been reported, with a threat actor claiming to be selling a database with 49 million customer...
Read More
Dell Discloses Data Breach: 49 million customers allegedly affected

BIG VULNERABILITIES IN NEXT-GEN BIG-IP

By infosecbulletin / Thursday , May 9 2024
Eclypsium recently found flaws in F5’s BIG-IP Next Central Manager, which could let attackers take control of the network. BIG-IP...
Read More
BIG VULNERABILITIES IN NEXT-GEN BIG-IP
                                                                                   Figure 1: Attack flow

Initial Access:

The email shown in Figure 2 is part of an attack campaign. It tricks staff members by pretending that a payment is being made and prompts them to click a button to confirm payment details. When the button is clicked, a harmful JAR file hosted on AWS is downloaded to the victim’s computer.

                                                                                     Figure 2: The phishing e-mail

Payment-Advice.jar:

The downloaded files look like typical phishing attachments with fake names meant to trick people into opening them. When checking the file with a JAR decompiler, many strings are hidden, and one of the class names, “DownloadAndExecuteJarFiles.class,” clearly shows the program’s intention. The program is designed to download two JAR files to a path provided by the attacker and run them.

                                                                              Figure 3: Code to download and execute Jar Files

The obfuscator uses a class called “sense loader”, as seen in Figure 4. This class selects the appropriate native loader module from the resources based on the current operating system during execution.

                                                                   Figure 4: A class employed by the obfuscator

The obfuscator‘s code is very similar to the code generated by a legitimate obfuscation tool called “Sense Shield Virbox Protector” shown in Figure 6.

                                                                                        Figure 6: Virbox Protector GUI

To read out the full report click here.

 

 

 

Check Also

Dmitry Khoroshev

LockBit Ransomware Leader Unmasked and Sanctioned

The UK, US, and Australia have imposed sanctions on the leader of the ransomware group …

Leave a Reply

Your email address will not be published. Required fields are marked *

Mail: [email protected]
© Copyright 2024, All Rights Reserved InfoSecBulletin