Virus Removal Guide

Avast analysts talked about a malicious spam campaign spreading BluStealer malware that steals cryptocurrency.

This info-stealer is designed to “pull” Bitcoin, Ethereum, Monero and Litecoin) from popular wallets – ArmoryDB, Bytecoin, Jaxx Liberty, Exodus, Electrum, Atomic, Guarda and Coinomi.

In total, experts tracked more than 12,000 phishing emails around the world.

In mid-September, the Avast Threat Intelligence team recorded a surge in malicious activity – phishing emails using the names of the shipping company DHL and the Mexican metallurgical company General de Perfiles, and distributing the BluStealer malware.

An example of a phishing email

As a rule, in such messages it is said that a certain parcel was delivered to the head office of the company due to the absence of the recipient on the spot. Next, the recipient is asked to fill out the attached document in order to transfer the delivery. When the user tries to open it, the BluStealer installation starts.

In phishing campaigns associated with General de Perfiles, recipients receive emails stating that they have overpaid their bills and that some credit has been saved for them, which will be included in the invoice of the next purchase. As in the campaign imitating DHL, the General de Perfiles message contains BluStealer as an attachment.

The countries most affected by BluStealer are Russia, Turkey, USA, Argentina, UK, Italy, Greece, Spain, France, Japan, India, Czech Republic, Brazil and Romania. So, Russian users received 139 such letters.

A large number of malware samples studied by Avast belonged to one specific campaign, which was identified by the unique .NET downloader. For example, spam messages contained .iso attachments and download URLs. These attachments contain executable malware files packaged using the mentioned .NET loader.

Let me remind you that I also told that BulletProofLink Cybercrime Offers Phishing as a Service.

Security researchers talked about a new version of the Jupyter malware, an info-stealer written in the .NET programming language that is known for attacking only medical and educational organizations.

The new chain of infection, discovered by the specialists of the information security company Morphisec on September 8, 2021, not only confirms the ongoing activity of the malware, but also demonstrates “how cybercriminals continue to develop their attacks to make them more effective and elusive.”

First documented in November 2020, the Jupyter (also known as Solarmarker) malware was allegedly created by Russian developers and is designed to steal data from Firefox, Chrome and Chromium-based browsers.

In addition, the malware is a full-fledged backdoor and is capable of stealing data and uploading it to a remote server, uploading and executing payload. According to Morphisec, new versions of Jupyter have started to appear since May 2020.

In August 2021, Cisco Talos experts attributed the attacks to “a truly highly skilled attacker, primarily aimed at stealing credentials and other data.”

In February of this year, cybersecurity company CrowdStrike described the malware as packaged in a multi-stage, heavily obfuscated PowerShell loader, which leads to the execution of a backdoor on .NET.

Although previous attacks used legitimate files of well-known software such as Docx2Rtf and Expert PDF, the recently discovered chain of infections began to use the Nitro Pro PDF application.

The attack begins by deploying an MSI installer that is over 100 MB in size, allowing attackers to bypass anti-virus solutions. The installer is obfuscated using the third-party Advanced Installer application packer.

Let me remind you that I also talked about the fact that Swarez Trojan and Dropper Distributed under the Disguise of 15 Popular Games.

Microsoft experts argue that BulletProofLink (aka BulletProftLink or Anthrax), a phishing-as-a-Service (PHaaS) cybercriminal service, is responsible for many phishing campaigns targeting companies and organizations in the recent years.

It should be noted that BulletProofLink was first discovered back in October 2020 by OSINT Fans researchers, who published a series of articles (1, 2, 3) describing some of the mechanisms of the PHaaS platform.

Researchers now report that BulletProofLink’s attackers provide cybercriminals with a variety of subscription services, from selling phishing kits (collections of phishing pages and templates that mimic the login forms of well-known companies) and email templates, to hosting and automated services.

Basically, customers simply sign up to BulletProofLink for a $ 800 fee and BulletProofLink operators do the rest for them. The services of the cybercriminals include: setting up a web page to host a phishing site, installing the phishing template itself, configuring a domain (URL) for phishing sites, sending phishing emails to victims, collecting credentials obtained during these attacks, and then delivering the stolen logins and passwords for “solvent clients” at the end of the week.

If a customer wants to change their phishing templates, BulletProofLink operators have a separate store where attackers can buy new attack templates for between $ 80 and $ 100 each. There are currently about 120 different templates available on the BulletProofLink Store, and there are tutorials on the site to help customers use the service.

Microsoft researchers also report that BulletProofLink operators are not clean on hand and steal from their customers: the service saves copies of all collected credentials, which are then sold on the darknet, bringing them additional profit.

Microsoft describes BulletProofLink as a technically complex operation, and notes that service operators often use hacked sites to host their phishing pages. Also, in some cases BulletProofLink compromises the DNS records of hacked sites in order to create subdomains for hosting phishing pages.

Let me remind you that we talked about how The Capoae malware installs a backdoor plugin on WordPress sites.

An unknown cybercriminal group in a matter of minutes remotely hacked into a server with an outdated version of Adobe ColdFusion 9 and seized control over it, and 79 hours later deployed the ransomware Cring on the server.

A server owned by an unnamed service provider was used to collect timesheets and accounting data for payroll, as well as to host a number of virtual machines.

According to the experts of the information security company Sophos, the attacks were carried out from an Internet address belonging to the Ukrainian Internet provider Green Floid.

Sophos senior researcher Andrew Brandt says devices with outdated, vulnerable software are a tidbit for hackers.

However, the big surprise is the fact that the server with 11-year-old software attacked by ransomware was actively and daily used. As a rule, the most vulnerable are unused devices or forgotten “ghost machines”.

After gaining initial access to the server, the attackers used various sophisticated methods of hiding malicious files, injecting code into memory, and concealing an attack by overwriting files with corrupted data. In addition, hackers have deactivated security solutions by taking advantage of the fact that anti-tampering features were disabled.

In particular, attackers exploited directory traversal vulnerabilities (CVE-2010-2861) in the Adobe ColdFusion 9.0.1 and earlier administration console. The vulnerabilities allowed remote reading of arbitrary files, including files containing administrator password hashes (password.properties).

In the next stage of the attack, the hackers exploited an even earlier vulnerability in ColdFusion (CVE-2009-3960) to upload a malicious Cascading Stylesheet (CSS) file to the attacked server, which in turn downloaded the Cobalt Strike Beacon executable file.

Let me remind you that we talked about the fact that Strange malware prevents victims from visiting pirate sites.

Akamai experts write that Capoae malware infiltrates WordPress sites, installs a plugin with a backdoor on them, and then uses the system to mine cryptocurrency.

Expert Larry Cashdollar warns that the main tactic of such malware is spreading through vulnerable systems, as well as cracking unreliable administrator credentials. The studied sample of the malware Keshdollar named Capoae.

This malware is delivered to hosts running WordPress via the download-monitor plugin with a backdoor, which cybercriminals install on sites after successfully brute-forcing credentials.

The attack also involves deploying a binary to Golang, whereby the obfuscated payload is retrieved via a GET request, which the malicious plugin makes to the attacker’s domain.

The malware can also decrypt and execute other payloads: basically, the Golang binary exploits various RCE vulnerabilities in Oracle WebLogic Server (CVE-2020-14882), NoneCms (CVE-2018-20062) and Jenkins (CVE-2019-1003029 and CVE-2019-1003030) in order to brute force and not only work its way into the system and ultimately launch the XMRig miner.

Attackers do not forget that they need to act unnoticed. To do this, they use the most suspicious-looking paths on the disk and directories where real system files can be found, and also create a file with a random six-digit name, which is then copied to another location (before deleting the malware after execution).

Let me remind you that I also wrote that Researchers warned of new DarkRadiation ransomware.