The researchers said, “This threat actor is using a Content Delivery Network (CDN) cache to store the malicious files on their network edge host in this campaign, avoiding request delay. The actor is using the CDN cache as a download server to deceive network defenders.”

Phishing emails are thought to have been the first source of access for drive-by downloads, as they were used to spread booby-trapped URLs that led to ZIP archives that contained Windows shortcut files (LNK files). After the shortcut file executes a PowerShell script to retrieve an HTML application (HTA) payload stored on the CDN cache, JavaScript code is executed by the embedded PowerShell loader to initiate a covert operation that eventually downloads and executes one of the three stealer malware programs.

The modular PowerShell loader script is made to get around the User Access Controls (UAC) on the victim's computer by utilizing a method known as FoDHelper. Vietnamese threat actors have also used this technique to get in touch with another stealer known as NodeStealer, which can steal data from Facebook accounts.

No matter what is used, the stealer virus takes use of victims' data, including bank information, credentials, system and browser data, and cryptocurrency wallets. The campaign stands out because it makes use of an upgraded version of CryptBot, which includes additional anti-analysis methods and also gathers data from authenticator apps and password manager databases.

Impact

• Sensitive Information Theft
• Credential Theft
• Financial Loss

Indicators of Compromise

SHA1

• 43cbac46a7dd816ef5c7c851557290f7d5fc18c4
• f57d8b201e50a75b3d8af35fed2eeb385507ce6a
• 9989a8eadc8604c843137b2014e5518ffa744f18
• 260a18065704384b0e9c8897b01323eb1242a0d2
• acbed6e427b51d2171794633efd068925e7741fe
• d6bc2da997a8985cf2e80011bf36b6be28ad9338
• feeee8320e5218e99f02f4a5ed0e6f4061cd70b3

URL

• http://kzeight8ht.top/upload.php
• http://peasanthovecapspll.shop/api
• http://culturesketchfinanciall.shop/api
• http://liabilityarrangemenyit.shop/api
• http://secretionsuitcasenioise.shop/api
• http://triangleseasonbenchwj.shop/api

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
• Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
• Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
• Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.
• Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
• Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
• Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.