
This threat actor has been dropping malware by pretending to be someone else


Last Updated on 03/02/2022 by Nidhi Khandelwal

To ensure persistence, the PowerShell installer modifies the Windows Registry and drops a .LNK file into the Windows Startup directory. This alteration causes the malware to be loaded from an encrypted payload concealed behind a "smokescreen" of 100 to 300 junk files generated specifically for this purpose, according to the researchers.


Furthermore, the unique, random file extension of the junk file the shortcut points to is registered as a custom file type key in the Registry; the handler for that file type runs a PowerShell command stored in the Registry, which executes the malware at system startup.
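One way a defender can hunt for the persistence chain described above, as an added PowerShell example that is not from the article or from Cybereason's report: it assumes the custom file type key is registered under the current user's HKCU:\Software\Classes hive (the article does not say which hive is used) and that the shortcut sits in the user's own Startup folder.

```powershell
# Added example (not from the article): hunt for (1) custom file-type handlers that invoke
# PowerShell, (2) extension keys mapped to those handlers, (3) .LNK files in the Startup folder.
# Assumption: per-user hive HKCU:\Software\Classes and the per-user Startup folder.

$findings = @()

# 1. ProgID keys whose shell\open\command runs PowerShell.
Get-ChildItem -Path 'HKCU:\Software\Classes' -ErrorAction SilentlyContinue |
  Where-Object { $_.PSChildName -notlike '.*' } |       # ProgIDs, not ".ext" keys
  ForEach-Object {
    $cmdKey = Join-Path $_.PSPath 'shell\open\command'
    if (Test-Path $cmdKey) {
      $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
      if ($cmd -match 'powershell|pwsh') {
        $findings += [pscustomobject]@{ Type = 'ProgID'; Name = $_.PSChildName; Detail = $cmd }
      }
    }
  }

# 2. Extension keys (".xyz") whose default value points at a flagged ProgID.
$suspectProgIds = $findings | Where-Object Type -eq 'ProgID' | Select-Object -ExpandProperty Name
Get-ChildItem -Path 'HKCU:\Software\Classes' -ErrorAction SilentlyContinue |
  Where-Object { $_.PSChildName -like '.*' } |
  ForEach-Object {
    $progId = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
    if ($progId -and ($suspectProgIds -contains $progId)) {
      $findings += [pscustomobject]@{ Type = 'Extension'; Name = $_.PSChildName; Detail = $progId }
    }
  }

# 3. Shortcuts in the per-user Startup folder, with their targets resolved.
$shell   = New-Object -ComObject WScript.Shell
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
  $lnk = $shell.CreateShortcut($_.FullName)
  $findings += [pscustomobject]@{
    Type = 'StartupLNK'; Name = $_.Name; Detail = "$($lnk.TargetPath) $($lnk.Arguments)"
  }
}

# An extension that maps to a PowerShell-invoking ProgID AND a Startup .LNK pointing at a
# file with that extension is the combination worth triaging.
$findings | Format-Table -AutoSize
```

Run it in the context of the user being investigated, since the HKCU hive and Startup folder are per-user.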

The backdoor, on the other hand, is constantly growing, with a variety of features that allow it to steal data from web browsers, facilitate bitcoin theft, and run arbitrary instructions and scripts.

The threat actor, who has been active since at least 2017, has been behind a number of attacks in recent years, including ones in which the adversary pretended to be journalists or academics in order to trick targets into installing malware and collecting confidential material.

Check Point Research revealed details of an espionage operation earlier this month, in which a hacking squad exploited the Log4Shell vulnerabilities to deploy a modular backdoor known as CharmPower for follow-on attacks.


According to Cybereason, the latest additions to its arsenal form a completely new toolset that includes the PowerLess Backdoor, which is capable of downloading and running other modules like a browser info-stealer and a keylogger.

A number of other malicious artifacts, including an audio recorder, an earlier edition of the information stealer, and what the researchers believe is an unfinished ransomware variant written in .NET, are also potentially tied to the same backdoor developer.
