Monday , April 29 2024
Coding

Alert
VCURMS and STRRAT Trojans deployed via AWS and GitHub

infosecbulletin Wednesday , March 13 2024 Alert, International

FortiGuard Labs found a phishing campaign that tricks users into downloading a malicious Java downloader to spread new VCURMS and STRRAT remote access trojans.

The attackers stored malware on public services like Amazon Web Services (AWS) and GitHub to avoid detection. They used email as its command and control throughout the attack campaign. The receiving endpoint uses Proton Mail for privacy protection. Figure 1 shows the attack chain.

Phoenix Summit 2024: Elevating Cyber security, Impact and Vision

By infosecbulletin / Sunday , April 28 2024
This May, Dhaka, Bangladesh, will host Phoenix Summit 2024, a landmark event in the global cyber security arena. Set from...
Read More
Phoenix Summit 2024: Elevating Cyber security, Impact and Vision

ALERT: SEKOIA REPORT
PlugX Malware Plagues Over 90k IP Addresses over 170 countries

By infosecbulletin / Saturday , April 27 2024
The worm was first discovered in a 2023 post by security firm Sophos. It became active in 2019 when a...
Read More
ALERT: SEKOIA REPORT PlugX Malware Plagues Over 90k IP Addresses over 170 countries

Palo Alto network shared latest remediation of CVE-2024-3400

By infosecbulletin / Friday , April 26 2024
Palo Alto Networks has given urgent advice to the remediation of a critical vulnerability, known as CVE-2024-3400, which attackers have...
Read More
Palo Alto network shared latest remediation of CVE-2024-3400

CISA Launches Ransomware Vulnerability Warning Pilot for Critical Infrastructure

By infosecbulletin / Friday , April 26 2024
Organizations across all sectors and of all sizes are too frequently impacted by damaging ransomware incidents. Many of these incidents...
Read More
CISA Launches Ransomware Vulnerability Warning Pilot for Critical Infrastructure

WhatsApp warns India to exit, If…

By infosecbulletin / Friday , April 26 2024
According to the report by several Indian media, social media platform Meta will withdraw its entire service from India if...
Read More
WhatsApp warns India to exit, If…

Fake e-mail of Rajshahi Univ VC’ name-picture, sending messages

By infosecbulletin / Friday , April 26 2024
Someone is pretending to be Rajshahi University Vice-Chancellor, Professor Dr. Golam Sabbir Sattar, by creating a fake email account and...
Read More
Fake e-mail of Rajshahi Univ VC’ name-picture, sending messages

Bad actor threat to expose BSNL 2.9 million data

By infosecbulletin / Friday , April 26 2024
Platform BreachForum, bad actor perell, same person who claimed to expose the data of "Bharat Sanchar Nigam Limited" BSNL for...
Read More
Bad actor threat to expose BSNL 2.9 million data

India’s ICICI Bank exposed thousands of credit cards to ‘wrong’ users

By infosecbulletin / Thursday , April 25 2024
“Our customers are our utmost priority and we are wholeheartedly dedicated to safe guarding their interests. It has come to...
Read More
India’s ICICI Bank exposed thousands of credit cards to ‘wrong’ users

CISA Releases Eight Industrial Control Systems Advisories

By infosecbulletin / Thursday , April 25 2024
CISA issued eight advisories about Industrial Control Systems (ICS) on April 25, 2024. The advisories share important information about security...
Read More
CISA Releases Eight Industrial Control Systems Advisories

Google fixed critical Chrome vulnerability CVE-2024-4058

By infosecbulletin / Thursday , April 25 2024
Google fixed a serious Chrome bug known as CVE-2024-4058 in the ANGLE graphics layer engine along with four vulnerabilities in...
Read More
Google fixed critical Chrome vulnerability CVE-2024-4058
                                                                                   Figure 1: Attack flow

Initial Access:

The email shown in Figure 2 is part of an attack campaign. It tricks staff members by pretending that a payment is being made and prompts them to click a button to confirm payment details. When the button is clicked, a harmful JAR file hosted on AWS is downloaded to the victim’s computer.

                                                                                     Figure 2: The phishing e-mail

Payment-Advice.jar:

The downloaded files look like typical phishing attachments with fake names meant to trick people into opening them. When checking the file with a JAR decompiler, many strings are hidden, and one of the class names, “DownloadAndExecuteJarFiles.class,” clearly shows the program’s intention. The program is designed to download two JAR files to a path provided by the attacker and run them.

                                                                              Figure 3: Code to download and execute Jar Files

The obfuscator uses a class called “sense loader”, as seen in Figure 4. This class selects the appropriate native loader module from the resources based on the current operating system during execution.

                                                                   Figure 4: A class employed by the obfuscator

The obfuscator‘s code is very similar to the code generated by a legitimate obfuscation tool called “Sense Shield Virbox Protector” shown in Figure 6.

                                                                                        Figure 6: Virbox Protector GUI

To read out the full report click here.

 

 

 

Check Also

india

WhatsApp warns India to exit, If…

According to the report by several Indian media, social media platform Meta will withdraw its …

Leave a Reply

Your email address will not be published. Required fields are marked *

Mail: [email protected]
© Copyright 2024, All Rights Reserved InfoSecBulletin