FortiGuard Labs found a phishing campaign that tricks users into downloading a malicious Java downloader to spread new VCURMS and STRRAT remote access trojans.
The attackers stored malware on public services like Amazon Web Services (AWS) and GitHub to avoid detection. They used email as its command and control throughout the attack campaign. The receiving endpoint uses Proton Mail for privacy protection. Figure 1 shows the attack chain.
Indian Computer Emergency Response Team (CERT-In) issued a high-severity alert for android devices on September 11, 2024 highlighting the vulnerabilities...
By infosecbulletin
/ Wednesday , September 11 2024
In August, Cybersecurity researchers identified 21 new ransomware variants that threaten indivisual and business. Cybercriminals are improving their tactics, making...
By infosecbulletin
/ Wednesday , September 11 2024
Microsoft patched September 2024 Tuesday addressing 79 vulnerabilities, including four actively exploited zero-days which covers critical flaws in Windows Installer,...
The email shown in Figure 2 is part of an attack campaign. It tricks staff members by pretending that a payment is being made and prompts them to click a button to confirm payment details. When the button is clicked, a harmful JAR file hosted on AWS is downloaded to the victim’s computer.
Payment-Advice.jar:
The downloaded files look like typical phishing attachments with fake names meant to trick people into opening them. When checking the file with a JAR decompiler, many strings are hidden, and one of the class names, “DownloadAndExecuteJarFiles.class,” clearly shows the program’s intention. The program is designed to download two JAR files to a path provided by the attacker and run them.
The obfuscator uses a class called “sense loader”, as seen in Figure 4. This class selects the appropriate native loader module from the resources based on the current operating system during execution.
The obfuscator‘s code is very similar to the code generated by a legitimate obfuscation tool called “Sense Shield Virbox Protector” shown in Figure 6.