Attackers Using Obfuscation Tools to Deliver Multi-Stage Malware via Invoice Phishing

Practical Response

Level 8
Thread author
Mar 10, 2024
366
Cybersecurity researchers have discovered an intricate multi-stage attack that leverages invoice-themed phishing decoys to deliver a wide range of malware such as Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and a stealer that targets crypto wallets.

The email messages come with Scalable Vector Graphics (SVG) file attachments that, when clicked, activate the infection sequence, Fortinet FortiGuard Labs said in a technical report.

The modus operandi is notable for the use of the BatCloak malware obfuscation engine and ScrubCrypt to deliver the malware in the form of obfuscated batch scripts.
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,742
The article seems to be very vague on details and presents the attack as a one-click exploit.

However Symantec describes something different.
It seems like users would be presented with a download prompt and instructions on how to proceed. They then need to unpack the archive and perform the initial execution.
March 04, 2024
A recent Guloader malspam campaign has been found to be smuggling malicious ZIPs inside of attached SVG files. These SVGs contain JavaScript code that, upon opening the file, generates a malicious ZIP and proceeds to automatically display a download prompt. The ZIP file contains a WSF file which downloads the final infection payload.
Example Email Subjects:
  • INVOICE-INVOICE#RVBSA09SGSA
  • Payment Confirmation
  • Solicitud de Cotización #PO-SJ005182824013710
  • Please confirm Payment
Symantec protects you from this threat, identified by the following:
Email-based
  • Coverage is in place for Symantec's email security products and Email Threat Isolation (ETI) technology provides an extra layer of protection for our customers.
File-based
  • ISB.IcedID!gen2
  • Scr.Guloader!gen3
  • Scr.Malcode!gen
  • VBS.Downloader.Trojan

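As an added example (not code from the original posts, Fortinet, or Symantec), here is a small triage script for SVG e-mail attachments that flags the pattern the Symantec bulletin quoted above describes: an embedded script, browser APIs used to assemble a file in memory and prompt a download, and a large base64 blob that decodes to a ZIP. The indicator list, thresholds and verdict names are assumptions, and both sample SVGs are constructed for the demonstration (the "smuggling" sample carries only a harmless text ZIP and no working dropper).

```python
"""Triage SVG attachments for the HTML-smuggling pattern described in the thread.

Added example, not code from the original posts or from any vendor bulletin.
Indicator names, thresholds and sample SVGs are constructed for illustration.
"""
import base64
import binascii
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Browser APIs typical of in-browser file assembly plus a download prompt
# (assumed indicator list; not exhaustive and not a vendor signature).
SMUGGLING_APIS = ("atob", "Blob", "createObjectURL", "msSaveOrOpenBlob", "download")
B64_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # assumed minimum blob length
ZIP_MAGIC = b"PK\x03\x04"


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as {http://www.w3.org/2000/svg}."""
    return name.rsplit("}", 1)[-1].lower()


def analyze_svg(svg_text: str) -> dict:
    """Return indicator findings for one SVG document (string)."""
    findings = {"script_elements": 0, "apis": [], "b64_zip": False, "external_refs": []}
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        # A file presented as an image that is not even well-formed XML deserves a look.
        findings["parse_error"] = True
        return findings

    scripts = []
    for el in root.iter():
        if _local(el.tag) == "script":  # covers SVG and XHTML (foreignObject) script tags
            findings["script_elements"] += 1
            scripts.append(el.text or "")
        for attr, value in el.attrib.items():
            if _local(attr).startswith("on"):  # inline handlers (onload=...) run like scripts
                findings["script_elements"] += 1
                scripts.append(value)
            if _local(attr) == "href" and value.lower().startswith(("http://", "https://")):
                findings["external_refs"].append(value)

    joined = "\n".join(scripts)
    findings["apis"] = [api for api in SMUGGLING_APIS if api in joined]

    # Scan the whole document: the embedded archive may live outside the script text.
    for match in B64_RE.finditer(svg_text):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        if blob.startswith(ZIP_MAGIC):
            findings["b64_zip"] = True
    return findings


def verdict(findings: dict) -> str:
    """Map findings to a triage label (labels are an assumption of this example)."""
    if findings.get("parse_error"):
        return "suspicious"
    if findings["b64_zip"] or (findings["script_elements"] and len(findings["apis"]) >= 2):
        return "malicious-smuggling-pattern"
    if findings["script_elements"]:
        return "suspicious"
    return "clean"


def _constructed_zip_b64() -> str:
    """Build a harmless ZIP (one text file) to stand in for the smuggled archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample " * 20)
    return base64.b64encode(buf.getvalue()).decode()


# Constructed benign attachment: a plain vector drawing, no script.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="blue"/>
</svg>"""

# Constructed sample that mirrors the described structure (script + embedded
# archive + download APIs) without any functional payload.
SMUGGLING_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <script><![CDATA[
    var data = atob("{b64}");
    /* ... bytes into a Blob, URL.createObjectURL, anchor.download ... */
  ]]></script>
</svg>""".format(b64=_constructed_zip_b64())


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("smuggling", SMUGGLING_SVG)):
        result = analyze_svg(doc)
        print(f"{label}: {verdict(result)} {result}")
```

Run as a mail-gateway or sandbox pre-filter, the base64-to-ZIP check is the strongest single signal here because a legitimate graphic has no reason to embed an archive; the script-plus-API heuristic catches variants that obfuscate or split the payload, at the cost of some false positives on interactive SVGs.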

Practical Response

Level 8
Thread author
Mar 10, 2024
366
And clickbait!
This is the best kind of clickbait because it doubles as a "learn from this" platform. It looks scary, designed even to be, but in reality, simple "awareness" renders this most likely ineffective. If you combine "verifying" with that, it most likely becomes almost non-existent.
 

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
576
However Symantec describes something different.
It seems like users would be presented with a download prompt and instructions on how to proceed. They then need to unpack the archive and perform the initial execution.

Well this threat must be fooling enough dummies into following all the necessary steps for infection, otherwise it wouldn't be in circulation. And from Symantec's vantage point, they are using this to promote their own product:

Symantec protects you from this threat, identified by the following:
Email-based
  • Coverage is in place for Symantec's email security products and Email Threat Isolation (ETI) technology provides an extra layer of protection for our customers.
File-based
  • ISB.IcedID!gen2
  • Scr.Guloader!gen3
  • Scr.Malcode!gen
  • VBS.Downloader.Trojan
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,742
Well this threat must be fooling enough dummies into following all the necessary steps for infection, otherwise it wouldn't be in circulation. And from Symantec's vantage point, they are using this to promote their own product:
The article is not in their blog but in their coverage bulletin. There they explain briefly how new threats are covered. It's normal for it to contain this info.
 
