A newly discovered malware campaign targeting both Windows and Linux systems has revealed advanced evasion and credential-theft techniques, according to the Sysdig Threat Research Team (TRT).
The operation began with a malicious Python script uploaded through a misconfigured system, which enabled the download of cryptominers and the deployment of stealthy tooling for evasion and data exfiltration.
This multi-platform attack followed separate paths for Linux and Windows, adjusting its strategy to the target operating system.
On Windows, the attackers used a Python function to install the Java Development Kit (JDK), which enabled the execution of a Java Archive (JAR) file fetched from a still-active command-and-control (C2) server. The JAR file, Ref.jar, functioned as a loader and kicked off a chain of malicious components.
Two files from the JAR's resources, renamed Int_D.D. dat and int_j.dat, were deployed on the victim's machine. The malware then launched a ProcessBuilder command with suspicious JVM flags such as -noverify and -XX:+DisableAttachMechanism, which are often seen in malicious Java processes because they weaken bytecode verification and block debuggers and agents from attaching.
Among the most concerning payloads were several infostealers embedded in the final stage.
These components performed:
- Credential theft from Chrome extensions
- Discord token harvesting via HTTP header inspection
- Hardware and system reconnaissance using PowerShell and WebSockets
The attack also delivered a native DLL, app_bound_decryptor.dll, which performed XOR encoding/decoding, manipulated Windows named pipes and included sandbox-evasion checks such as IsDebuggerPresent() and IsProcessorFeaturePresent.
Detection Provisions and Misconfiguration Risks
This campaign highlights two important issues: the ongoing risk posed by misconfigured systems and the need for effective detection strategies.
In this case, an exposed web interface allowed attackers to upload and execute malicious scripts, opening the door to a broader compromise. Such oversights remain a common and preventable vector in many intrusions.
To detect these types of threats, organizations must rely on a combination of behavior-based monitoring, anomaly detection and layered runtime security controls.
Techniques such as YARA scanning, process behavior analysis and DNS monitoring can help surface suspicious activity early.
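As an added example of the process behavior analysis mentioned above (not code from Sysdig or the article), the following Python flags Java processes launched with the JVM flags the campaign used (-noverify, -XX:+DisableAttachMechanism) and raises the score when the parent is a Python interpreter, mirroring the Python-to-JAR chain described. The Proc records and the command lines in SAMPLE are constructed for the example; the field layout assumes what `ps -eo pid,ppid,comm,args` would provide.

```python
from dataclasses import dataclass

# Constructed process record; mirrors the fields of `ps -eo pid,ppid,comm,args`.
@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str      # executable name
    cmdline: str   # full command line

# JVM flags reported in the campaign: disable bytecode verification and block attach/debug.
SUSPICIOUS_JVM_FLAGS = {"-noverify", "-XX:+DisableAttachMechanism"}
JAVA_EXES = {"java", "javaw", "java.exe", "javaw.exe"}

def jvm_flags(cmdline):
    """Return the suspicious JVM flags present in a command line (argv[0] excluded)."""
    argv = cmdline.split()
    return {a for a in argv[1:] if a in SUSPICIOUS_JVM_FLAGS}

def find_suspicious_java(procs):
    """Score Java processes: +1 per suspicious flag, +2 if spawned by a Python interpreter."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if p.comm.lower() not in JAVA_EXES:
            continue
        flags = jvm_flags(p.cmdline)
        if not flags:
            continue
        parent = by_pid.get(p.ppid)
        spawned_by_python = bool(parent and parent.comm.lower().startswith("python"))
        findings.append({
            "pid": p.pid,
            "flags": sorted(flags),
            "parent": parent.comm if parent else None,
            "score": len(flags) + (2 if spawned_by_python else 0),
        })
    return findings

# Constructed sample snapshot: one staged chain (python -> java with both flags),
# one benign app server, one developer run with a single flag.
SAMPLE = [
    Proc(100, 1, "python3", "python3 /tmp/stage.py"),
    Proc(101, 100, "java", "java -noverify -XX:+DisableAttachMechanism -jar /tmp/Ref.jar"),
    Proc(200, 1, "java", "java -Xmx2g -jar /opt/app/app.jar"),
    Proc(250, 1, "bash", "bash"),
    Proc(300, 250, "java", "java -noverify -cp . Main"),
]

if __name__ == "__main__":
    for f in find_suspicious_java(SAMPLE):
        print(f)
```

Run against a real `ps` snapshot, the score lets an analyst triage the python-spawned, double-flagged process first while a lone -noverify in a developer shell stays low priority.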