Thai government officials are the target of a recent campaign that uses a technique known as DLL side-loading to deliver Yokai, a previously undocumented backdoor.
“The targets of the threat actors were Thailand officials based on the nature of the lures,” Nikhil Hegde, senior engineer for Netskope’s Security Efficacy team, told The Hacker News. “The Yokai backdoor itself is not limited and can be used against any potential target.”
The attack chain begins with a RAR archive containing two Windows shortcut (LNK) files, named in Thai as “United States Department of Justice.pdf” and “United States government requests international cooperation in criminal matters.docx”.
The exact initial access vector used to deliver the archive is currently unknown, although Hegde hypothesized that it was most likely spear-phishing, given the lures used and the fact that RAR files are commonly used as malicious attachments in phishing emails.
When the shortcut files are launched, a decoy PDF and Microsoft Word document are opened, respectively, while a malicious executable is silently dropped in the background. Both lure documents concern Woravit Mektrakarn, a Thai national wanted in the United States in connection with the disappearance of a Mexican immigrant; Mektrakarn allegedly fled to Thailand after being charged with murder in 2003.
The executable, for its part, is designed to drop three further files: a malicious DLL (“ProductStatistics3.dll”), a DATA file containing information supplied by an attacker-controlled server, and a legitimate binary associated with the iTop Data Recovery tool (“IdrInit.exe”). In the next step, “IdrInit.exe” is abused to side-load the DLL, which ultimately deploys the backdoor.
Yokai then establishes persistence on the host and connects to its command-and-control (C2) server, from which it receives command codes that instruct it to launch cmd.exe and run shell commands on the compromised machine.
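The side-loading step described above leaves a recognisable footprint in endpoint telemetry: a signed executable that lives in a user-writable staging directory loads an unsigned DLL from the same directory, and then spawns cmd.exe. The following detection logic is an added example written for this article, not code from Netskope or the campaign; the Sysmon-style events (EventID 7 image loads, EventID 1 process creations), the Temp path and the unsigned status of the DLL are constructed assumptions for illustration.

```python
"""Flag DLL side-loading of the Yokai kind: a legitimate host binary (IdrInit.exe)
in a user-writable directory loads an unsigned DLL (ProductStatistics3.dll) sitting
beside it, then spawns cmd.exe. Event layout follows Sysmon field names."""
from pathlib import PureWindowsPath

# Directory markers that a normal user can write to (assumed heuristic list).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

# Constructed sample telemetry, not real logs from the campaign.
EVENTS = [
    {"EventID": 7, "ProcessId": 4120, "Signed": "false",
     "Image": r"C:\Users\victim\AppData\Local\Temp\IdrInit.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\ProductStatistics3.dll"},
    {"EventID": 7, "ProcessId": 4120, "Signed": "true",
     "Image": r"C:\Users\victim\AppData\Local\Temp\IdrInit.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1, "ProcessId": 4188, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\IdrInit.exe"},
    # Benign: the real iTop install loading its own signed DLL from Program Files.
    {"EventID": 7, "ProcessId": 900, "Signed": "true",
     "Image": r"C:\Program Files\iTop Data Recovery\IdrInit.exe",
     "ImageLoaded": r"C:\Program Files\iTop Data Recovery\ProductStatistics3.dll"},
]


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def same_dir(a, b):
    # PureWindowsPath compares case-insensitively, as Windows does.
    return PureWindowsPath(a).parent == PureWindowsPath(b).parent


def sideload_alerts(events):
    """Return (rule, host_binary, loaded_or_child) tuples for suspicious events."""
    alerts, suspect_pids = [], set()
    for e in events:
        if (e["EventID"] == 7 and e["Signed"] == "false"
                and same_dir(e["Image"], e["ImageLoaded"])
                and in_user_writable(e["Image"])):
            suspect_pids.add(e["ProcessId"])
            alerts.append(("sideload", PureWindowsPath(e["Image"]).name,
                           PureWindowsPath(e["ImageLoaded"]).name))
        elif (e["EventID"] == 1 and e.get("ParentProcessId") in suspect_pids
                and PureWindowsPath(e["Image"]).name.lower() == "cmd.exe"):
            alerts.append(("shell_from_sideloaded_host",
                           PureWindowsPath(e["ParentImage"]).name, "cmd.exe"))
    return alerts


if __name__ == "__main__":
    for alert in sideload_alerts(EVENTS):
        print(alert)
```

The legitimate Program Files install produces no alert because the DLL is signed and the host binary is not in a user-writable location; the same-directory and unsigned checks are what separate side-loading from normal library loading.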
The disclosure follows Zscaler ThreatLabz’s report of a malware campaign that uses Node.js-compiled executables for Windows to distribute information stealers and cryptocurrency miners, including Lumma, Phemedrone Stealer, and XMRig. The malicious applications are tracked under the codename NodeLoader.
The attacks rely on malicious links embedded in YouTube video descriptions that direct users to MediaFire or fake websites, tricking them into downloading a ZIP file masquerading as video game hacks. The ultimate goal is to extract and execute NodeLoader, which then downloads a PowerShell script that launches the final stage of the infection.
“NodeLoader uses a module called sudo-prompt, a publicly available tool on GitHub and npm, for privilege escalation,” Zscaler said. “The threat actors employ social engineering and anti-evasion techniques to deliver NodeLoader undetected.”
The development also coincides with a rise in phishing attacks distributing the commercially available Remcos RAT. Threat actors vary the infection chains by using Office Open XML documents and Visual Basic Script (VBS) files as the starting point for the multi-stage process.
In one set of attacks, executing the VBS file causes a heavily obfuscated PowerShell script to download interim payloads, which in turn inject Remcos RAT into RegAsm.exe, a legitimate Microsoft .NET program.
The alternative method embeds an RTF file exploiting CVE-2017-11882, a known remote code execution vulnerability in Microsoft Equation Editor, inside an Office Open XML document. This loads a VBS file, which then fetches PowerShell to inject the Remcos payload into the memory of RegAsm.exe.
It’s worth noting that both strategies deliberately try to evade detection by security solutions by loading the payload into legitimate processes rather than writing it to disk.
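Because the Remcos payload never touches disk, the most reliable signal is the process chain itself: a script host running the VBS spawns PowerShell, which spawns RegAsm.exe as the injection target. The code below is an added example for this article, not McAfee’s detection logic; it assumes Sysmon EventID 1 style process-creation records, that the VBS runs under wscript.exe or cscript.exe, and uses the heuristic that an injection host is typically launched with no arguments, whereas genuine use of RegAsm.exe passes an assembly path.

```python
"""Reconstruct the Remcos delivery chain from process-creation telemetry by walking
ParentProcessId links, so unrelated intermediate processes do not break matching."""
from pathlib import PureWindowsPath

# Constructed sample events, not real campaign logs. Command lines are illustrative.
EVENTS = [
    {"ProcessId": 3001, "ParentProcessId": 880, "CommandLine": "explorer.exe",
     "Image": r"C:\Windows\explorer.exe"},
    {"ProcessId": 3100, "ParentProcessId": 3001,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\victim\Downloads\invoice.vbs"'},
    {"ProcessId": 3150, "ParentProcessId": 3100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64-blob>"},
    {"ProcessId": 3200, "ParentProcessId": 3150,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    # Benign: a developer registering an assembly from a build console.
    {"ProcessId": 4100, "ParentProcessId": 3001, "CommandLine": "cmd.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 4200, "ParentProcessId": 4100,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r"RegAsm.exe C:\build\MyLib.dll /codebase"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def image_name(event):
    return PureWindowsPath(event["Image"]).name.lower()


def ancestry(events, pid):
    """Events from pid up to the root, following ParentProcessId until unknown."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ParentProcessId"]
    return chain


def regasm_injection_alerts(events):
    """Return root-to-leaf chains for RegAsm.exe launched bare via script host and PowerShell."""
    alerts = []
    for e in events:
        if image_name(e) != "regasm.exe":
            continue
        names = [image_name(x) for x in ancestry(events, e["ProcessId"])]
        launched_bare = len(e["CommandLine"].split()) == 1   # heuristic, see lead-in
        via_powershell = "powershell.exe" in names[1:]
        via_script_host = any(n in SCRIPT_HOSTS for n in names[1:])
        if launched_bare and via_powershell and via_script_host:
            alerts.append(" -> ".join(reversed(names)))
    return alerts
```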
“As this remote access trojan continues to target consumers through phishing emails and malicious attachments, the need for proactive cybersecurity measures has never been more critical,” McAfee Labs researchers said.