
Hackers Using Money-Making Scripts to Deliver Multiple Malware


Apr 06, 2025 · 4 min read

The FBI warned about attacks on government and non-profit organizations in April, which involved deploying multiple malware strains on victim devices.

Beyond deploying the malware itself, the attackers aim to:

  • Mine resources

  • Steal data

  • Establish backdoor access to systems

Cybersecurity researchers at Securelist recently identified numerous malicious money-making scripts that hackers actively use to deliver multiple malware families.

Since late 2022, analysts tracking this campaign have detected:

  • Numerous scripts

  • Executables

  • Associated links


Technical analysis

Following the April report on indicators of compromise, experts uncovered new malicious scripts in their August telemetry.

The following scripts appear to exploit vulnerabilities on servers and workstations in order to tamper with Windows Defender:

  • runxm1.cmd

  • start.cmd

The start.cmd script disables protection via the registry, while the runxm1.cmd script adds files to the exclusion list, obtains administrator rights, and renames security solution folders.
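Those two changes (protection switched off by policy, and attacker paths added to the exclusion list) are exactly what a defender should audit for on affected hosts. The following is an added example, not code from the article or from Securelist: it parses a Registry export in regedit's `.reg` text format, as collected from a live host or a forensic image, and flags Defender policy values that turn protection off together with every entry under the Exclusions keys. The article does not say which registry values the scripts set, so the value names checked here are an assumption based on the policy values most commonly used to disable Defender; the sample export is constructed, and uses the C:\Users\Public drop directory named later in the article as its excluded path.

```python
"""Flag Windows Defender tampering in a Registry export (.reg) file.

Added example: parses regedit's text export format and reports policy values
that disable protection plus any entries under the Exclusions keys."""
import re

# Assumption: the article does not name the values the scripts set, so these
# are the policy values most commonly used to switch Defender off (DWORD 1).
DISABLE_FLAGS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender": {
        "DisableAntiSpyware",
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection": {
        "DisableRealtimeMonitoring",
        "DisableBehaviorMonitoring",
        "DisableOnAccessProtection",
        "DisableIOAVProtection",
    },
}
# Every value name under these keys is an exclusion (path, process or extension).
EXCLUSION_KEY_PREFIX = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.+?)"=(.+)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} from a 'Windows Registry
    Editor Version 5.00' export. Escaped backslashes/quotes in value names
    are decoded so paths compare as they appear in the registry."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1).replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = m.group(2)
    return keys


def dword(raw):
    """Decode 'dword:00000001' -> 1; None for non-DWORD data."""
    return int(raw[6:], 16) if raw.lower().startswith("dword:") else None


def find_defender_tampering(text):
    """Return a list of (kind, where, what) findings for the export text."""
    findings = []
    for key, values in parse_reg_export(text).items():
        for name, raw in values.items():
            if name in DISABLE_FLAGS.get(key, ()) and dword(raw) == 1:
                findings.append(("protection_disabled", key, name))
            elif key.startswith(EXCLUSION_KEY_PREFIX):
                # 'where' is the exclusion class: Paths, Processes or Extensions
                findings.append(("exclusion_added", key[len(EXCLUSION_KEY_PREFIX):], name))
    return findings


# Constructed sample export: Defender switched off by policy and the
# C:\Users\Public drop directory excluded from scanning.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
"DisableBehaviorMonitoring"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths]
"C:\\Users\\Public"=dword:00000000
"""

if __name__ == "__main__":
    for kind, where, what in find_defender_tampering(SAMPLE_REG_EXPORT):
        print(f"{kind}: {where} -> {what}")
```

A value set to 0 (as DisableBehaviorMonitoring is in the sample) is deliberately not reported, since it leaves protection on; exclusions are reported regardless of their data because any entry under those keys widens the blind spot. On a live host the same export is produced with `reg export` for each of the keys above.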

The executable and configuration files that the scripts attempt to download from the attacker-controlled domain are listed below, with their MD5 hashes:

  • intelsvc.exe (A7CDE18F991E97037A7899B7669E2548)

  • View.exe (830debd1f6d39c726c2d3208e3314f44)

  • rtkaudio.exe/rtkaudio.txt (a6d4706baeb9ab97490d745f7a2bb11e)

  • config.txt (99634dcaca690066187e30c36182bf19)

[Figure: Downloading files (Source – Securelist)]

start.cmd initiates RtkAudio.exe using config.txt for Monero mining. Additional downloaded files include View.exe, executed to save various files in the C:\Users\Public directory.

[Figure: Files saved by View.exe (Source – Securelist)]

Analysis of the files reveals keylogger functionality in Systemfont.exe, while IntelSvc.exe acts as a typical backdoor, connecting to a C2 server for instructions.

Attack Geography

Researchers have noted over 10,000 attacks targeting 200+ users globally since May 2023, primarily affecting B2B sectors such as:

  • Government agencies

  • Agriculture

  • Retail

Geographically, these threats were encountered most often in the following countries:

  • Russian Federation

  • Saudi Arabia

  • Vietnam

  • Brazil

  • Romania

Threat actors are increasingly targeting the B2B sector, using initial crypto-miner infections as a gateway for more harmful attacks like backdoors and keyloggers.

To defend against these evolving threats, businesses must continuously enhance their security measures.

Indicators of Compromise

MD5

  • 0BEFB96279DA248F6D49169E047EE7AB

  • 769BC25454799805E83612F0F896E03F

  • B747AEDF0F3E4457C6D02BC5AF7C0980

  • 0A50081A6CD37AEA0945C91DE91C5D97

  • 1DA8E7C92C86FC8DBAB5287BDCA91CA1

  • 3C47D45F09948B8E6FDB5F96523BC60B

  • 5D3E2B2EE668B2BC071B8D4027C6B8F1

  • 227FA5D690A943114FF3CCFE7977192A

  • A531FE822618B6A917D50BEE001C95A1

  • DDAB66730A84583B98D3415F9181D092

  • 830debd1f6d39c726c2d3208e3314f44

  • 3b2a270b90b3e24a25cc991df40da3ca

  • DDD12566B99343B96609AFA2524ECEC3

  • a6d4706baeb9ab97490d745f7a2bb11e

  • A7CDE18F991E97037A7899B7669E2548

  • AC27DE51896A5BA2FD0DDA9B7955A201

  • 2ac1d8e16e47e97db3c60d728270ad5a

  • 5919e4e3e06b617d967dc6e8fecb701b

  • 8dcd1e4e37838b49214f10c50ef5a5f0

  • 51ad216fcb4afe42b9ef01ab472a2914

  • df6f39d30dc5e9f4155514cdefb54620

  • b2e250b9e3b9d5e6b2080cb782f9698e

  • af9327d353b97fd50a777145bc0e8e1e

  • 22f9682e543b94532d46541c63512f2d

  • 1225f4f50154dd49d4853e4efc3ddf77

  • 7d0f67343f128d29a50ccd3639b72884

  • 752940da17469330c38ab98d04f3d6b8

  • 11ca68ea3500cb03db1f4008d18cb6b2

  • b558fa064d0d3f94f5e4c975375cbad1

  • 4cdbcfa0d6fd2e7de6ec0030cfb2322d

  • 7e09279dcd3655ab1b2e2684746e4bc2

  • a38dece5bcb9f6d1c027d86e0318a60e

  • 474f517eb23bdfa4c320c091c3eb2dba

  • f0881b3c3d1535685d6190df4083f515

  • 61d5944634d735c3e6efc3b1349de740

  • 99634dcaca690066187e30c36182bf19
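IoC lists like the one above are often copied out of a report as one unbroken run of hex, so the first job is to cut them back into individual hashes before they can be used for a sweep. The example below is added here and is not code from the article or from Securelist: it splits such a run into 32-character MD5s, rejecting anything that is not a clean multiple of 32 hex digits, then walks a directory tree and reports every file whose MD5 is on the list. ARTICLE_HASH_BLOB holds the four hashes named in the technical analysis section; the sample tree, its file contents and the one extra digest added so the demo produces a hit are all constructed so the code runs offline.

```python
"""Split a run of concatenated MD5 IoCs and sweep a directory tree for matches.

Added example: the sample files built in demo() are constructed, not from
the article."""
import hashlib
import os
import re
import tempfile


def split_hash_blob(blob):
    """Cut a string of run-together 32-hex-char MD5s into a lowercased list.
    Whitespace and line breaks are ignored; anything else that is not a
    multiple of 32 hex digits is rejected rather than silently mis-split."""
    hexstr = re.sub(r"\s+", "", blob)
    if len(hexstr) % 32 or not re.fullmatch(r"[0-9a-fA-F]*", hexstr):
        raise ValueError("not a clean run of MD5 hashes")
    return [hexstr[i:i + 32].lower() for i in range(0, len(hexstr), 32)]


def md5_of_file(path, chunk=1 << 20):
    """Stream the file in 1 MiB chunks so large binaries do not sit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs):
    """Return [(path, md5)] for files under root whose MD5 is in the IoC set."""
    wanted = {h.lower() for h in iocs}
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable or locked file: skip it, keep sweeping
            if digest in wanted:
                hits.append((path, digest))
    return hits


# MD5s of the four dropped files named in the article (intelsvc.exe, View.exe,
# rtkaudio.exe, config.txt), run together the way a pasted IoC list often is.
ARTICLE_HASH_BLOB = (
    "A7CDE18F991E97037A7899B7669E2548"
    "830debd1f6d39c726c2d3208e3314f44"
    "a6d4706baeb9ab97490d745f7a2bb11e"
    "99634dcaca690066187e30c36182bf19"
)


def demo():
    """Build a throwaway tree with one constructed 'malicious' file and one
    benign file, then sweep it. The 'malicious' file is just the bytes b'abc';
    its MD5 is added to the IoC set so the match path is exercised offline."""
    iocs = set(split_hash_blob(ARTICLE_HASH_BLOB))
    iocs.add(hashlib.md5(b"abc").hexdigest())  # constructed, not a real IoC
    with tempfile.TemporaryDirectory() as root:
        public = os.path.join(root, "Users", "Public")
        os.makedirs(public)
        with open(os.path.join(public, "Systemfont.exe"), "wb") as f:
            f.write(b"abc")
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"nothing to see here")
        hits = scan_tree(root, iocs)
        return [(os.path.relpath(p, root), d) for p, d in hits]


if __name__ == "__main__":
    for path, digest in demo():
        print(f"IoC match: {path} {digest}")
```

MD5 is used only because that is what the published IoC list provides; it identifies known samples, not variants, so a clean sweep is not evidence of a clean host. In a real sweep, point scan_tree at the drop directories the article names (C:\Users\Public and wherever the scripts were found) and feed it the full list above.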

Source: CybersecurityNews.com
