Security researchers at Cisco Talos have identified three interconnected campaigns that ran from March to June 2022 and delivered a range of threats to victims, including the ModernLoader bot, the RedLine information stealer, and cryptocurrency-mining malware.
The common thread linking these seemingly unrelated campaigns was the threat actors' compromise of vulnerable web applications, which they then used to host their payloads. The actors used fake Amazon gift cards as the lure for delivering those payloads. One such technique involved placing a fake Amazon voucher named “Amazon.com Gift Card 500 USD.gift.hta” inside archive files such as RAR, 7-Zip, and ZIP, with each archive carrying a different checksum so that hash-based detection would not match it.
To spread across targeted networks, the threat actors utilized various tools such as PowerShell, .NET assemblies, HTA, and VBS files. They also deployed malware like the SystemBC trojan and DCRAT to carry out different tasks related to their operations. Despite the use of off-the-shelf tools making attribution challenging, all three campaigns culminated in the delivery of ModernLoader as the final payload, functioning as a remote access trojan (RAT) for collecting system information and deploying additional modules.
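Because each archive in these campaigns carried a different checksum, a hash blocklist alone will not catch the lure; the stable signal is the archive member itself: a script extension (HTA, VBS, PowerShell, as named above) hidden behind a double extension or a gift-card-themed filename. The following scanner is an added example for defenders, not code from Cisco Talos or the article; it handles ZIP only (RAR and 7-Zip need third-party libraries) and the sample archive, lure wordlist and HTA placeholder body are constructed here.

```python
import io
import re
import zipfile

# Script carriers named in the report; final extension is what Windows executes.
SCRIPT_EXTENSIONS = {"hta", "vbs", "ps1"}
# Constructed lure wordlist based on the reported voucher filename (assumption).
LURE_WORDS = re.compile(r"gift\s*card|voucher", re.IGNORECASE)


def classify_member(name: str) -> dict:
    """Return structural findings for one archive member name (no hashing involved)."""
    base = name.rsplit("/", 1)[-1]          # strip any directory prefix
    parts = base.lower().split(".")
    final_ext = parts[-1] if len(parts) > 1 else ""
    findings = {
        "name": name,
        "script_ext": final_ext in SCRIPT_EXTENSIONS,   # e.g. ".gift.hta" -> hta
        "double_ext": len(parts) > 2,                   # "x.gift.hta" has two extensions
        "lure_words": bool(LURE_WORDS.search(base)),
    }
    # Flag a script only when it is disguised or themed as a voucher.
    findings["suspicious"] = findings["script_ext"] and (
        findings["double_ext"] or findings["lure_words"]
    )
    return findings


def scan_zip(data: bytes) -> list:
    """Return the names of suspicious members in a ZIP archive given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        results = (classify_member(n) for n in zf.namelist())
        return [r["name"] for r in results if r["suspicious"]]


def build_sample_archive() -> bytes:
    """Constructed sample: the reported lure filename plus one benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Amazon.com Gift Card 500 USD.gift.hta",
                    "<html><!-- constructed placeholder, not the real lure --></html>")
        zf.writestr("readme.txt", "benign content")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip(build_sample_archive()))   # ['Amazon.com Gift Card 500 USD.gift.hta']
```

Run it over real mail-gateway or download-quarantine archives by replacing the constructed sample with the file bytes; a hit warrants detonation or blocking regardless of whether the archive hash is already known.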
In the earlier campaigns from March, the threat actors also distributed the cryptocurrency mining malware XMRig. These campaigns seemed to target Eastern European users, as the constructor utility analyzed had script templates in languages like Bulgarian, Polish, Hungarian, and Russian.
Cisco Talos included a link to a list of indicators of compromise associated with these threats in their advisory. This announcement follows a recent webinar where the company reaffirmed its commitment to supporting Ukraine in cybersecurity efforts on the occasion of the country’s Independence Day.