Home>Blog>The Hacker News Headlines>Hackers Use ModernLoader to Infect Systems with Stealers and Cryptominers
The Hacker News Headlines

Hackers Use ModernLoader to Infect Systems with Stealers and Cryptominers

Stealers, Cryptominers and RATs

As many as three disparate but related campaigns between March
and Jun 2022 have been found to deliver a variety of malware,
including ModernLoader, RedLine Stealer, and cryptocurrency miners
onto compromised systems.

“The actors use PowerShell, .NET assemblies, and HTA and VBS
files to spread across a targeted network, eventually dropping
other pieces of malware, such as the SystemBC[1]
trojan and DCRat[2], to enable various
stages of their operations,” Cisco Talos researcher Vanja Svajcer
said in a report[3]
shared with The Hacker News.

CyberSecurity

The malicious implant in question, ModernLoader, is
designed to provide attackers with remote control over the victim’s
machine, which enables the adversaries to deploy additional
malware, steal sensitive information, or even ensnare the computer
in a botnet.

Cisco Talos attributed the infections to a previously
undocumented but Russian-speaking threat actor, citing the use of
off-the-shelf tools. Potential targets included Eastern European
users in Bulgaria, Poland, Hungary, and Russia.

Infection chains discovered by the cybersecurity firm involve
attempts to compromise vulnerable web applications like WordPress
and CPanel to distribute the malware by means of files that
masquerade as fake Amazon gift cards.

Stealers, Cryptominers and RATs

The first stage payload is a HTML Application (HTA) file that
runs a PowerShell script hosted on the command-and-control (C2)
server to initiate the deployment of intertim payloads that
ultimately inject the malware using a technique called process hollowing[4].

Described as a simple .NET remote access trojan, ModernLoader
(aka Avatar bot) is equipped with features to gather system
information, execute arbitrary commands, or download and run a file
from the C2 server, allowing the adversary to alter the modules in
real-time.

CyberSecurity

Cisco’s investigation also unearthed two earlier campaigns in
March 2022 with similar modus operandi that leverage ModerLoader as
the primary malware C2 communications and serve additional malware,
including XMRig, RedLine Stealer, SystemBC, DCRat, and a Discord
token stealer, among others.

“These campaigns portray an actor experimenting with different
technology,” Svajcer said. “The usage of ready-made tools shows
that the actor understands the TTPs required for a successful
malware campaign but their technical skills are not developed
enough to fully develop their own tools.”

References

  1. ^
    SystemBC
    (thehackernews.com)
  2. ^
    DCRat
    (thehackernews.com)
  3. ^
    report
    (blog.talosintelligence.com)
  4. ^
    process
    hollowing     (attack.mitre.org)

Read more

Leave a Reply

Powered By Anakyst UK Work done easy Discover Great Places People Websites in Nigeria. Be Discovered and Discover Great Places People Products & Websites in Nigeria. Tell us what you need to advertise online onradio ontv and where you want to advertise and discover talented publishers and advertisers within minutes for just a fraction of the cost!JobScout | Developed By Rara Theme. Powered by WordPress.