Kaspersky's recent crimeware report highlights the emergence of three significant threats: FakeSG, Akira ransomware, and AMOS macOS stealer.
FakeSG
FakeSG is a new distribution campaign for the NetSupport RAT, named for its resemblance to the SocGholish campaign. Compromised legitimate websites display fake browser-update notifications; clicking one downloads a JavaScript file containing obfuscated code. That script runs a second script to set a cookie, shows the fake update prompt, and then automatically downloads further scripts, among them a batch script that in turn fetches more batch scripts, a 7z archive, and the 7z executable. The second batch script establishes persistence by creating a scheduled task named "VCC_runner2", and it also extracts the archive and copies the malware into place. A notable detail is that the 7z archive carries a malicious configuration file containing the C2 address, which makes the archive the first artifact to pull when triaging an infection.
Akira Ransomware
Akira is a relatively new ransomware family, first seen in April 2023. Written in C++, it targets both Windows and Linux environments. Its operators have already compromised more than 60 organizations worldwide, favouring larger organizations across a range of industries. Akira shares several traits with other ransomware families: it deletes shadow copies, encrypts logical drives, and skips certain file types and directories. It also runs a communication site on the Tor network. Akira additionally bears similarities to the Conti ransomware, for example in the list of folders excluded from encryption. Its C2 panel is distinctive, however: it is a minimalistic site built with the jQuery Terminal library and protected with measures intended to hinder analysis.
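The two behaviours above that are most cheaply caught on the endpoint are the FakeSG persistence task ("VCC_runner2") and the shadow-copy deletion that Akira, like most ransomware, performs before encrypting. The following is an added example, not code from the Kaspersky report or from either malware family: a small rule set run over constructed Windows telemetry records. The `Event` field names are this example's own, not a product schema; the shadow-copy command lines (`vssadmin delete shadows`, `wmic shadowcopy delete`) and the "7z run from a user-writable path" heuristic are assumptions about how the reported behaviour shows up in logs, not details the report confirms.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One telemetry record (constructed schema for this example).
    event_id 4698 = Windows Security 'A scheduled task was created';
    event_id 1    = Sysmon 'Process Create'."""
    event_id: int
    image: str = ""
    command_line: str = ""
    task_name: str = ""


def fakesg_scheduled_task(e: Event) -> bool:
    # Persistence task name reported for FakeSG. 4698 records the name
    # with a leading backslash, e.g. '\VCC_runner2', so strip it first.
    return e.event_id == 4698 and e.task_name.lstrip("\\").lower() == "vcc_runner2"


def shadow_copy_deletion(e: Event) -> bool:
    # Generic ransomware precursor. The report says Akira deletes shadow
    # copies; the exact command lines here are an assumption (the usual ones).
    return e.event_id == 1 and re.search(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b",
        e.command_line, re.I) is not None


def staged_7z_extraction(e: Event) -> bool:
    # Heuristic for the FakeSG dropper chain: a dropped 7z binary extracting
    # an archive from AppData/Temp. Path pattern is an assumption, not from the report.
    return (e.event_id == 1
            and re.search(r"\\7z\.exe$", e.image, re.I) is not None
            and re.search(r"\\(AppData|Temp)\\", e.image, re.I) is not None
            and re.search(r"^\S+\s+[xe]\b", e.command_line, re.I) is not None)


RULES = [
    ("FakeSG persistence task VCC_runner2", fakesg_scheduled_task),
    ("Shadow copy deletion (ransomware precursor)", shadow_copy_deletion),
    ("7z extraction from user-writable path", staged_7z_extraction),
]


def detect(events):
    """Return (event index, rule name) for every rule that fires on each event."""
    hits = []
    for i, e in enumerate(events):
        for name, pred in RULES:
            if pred(e):
                hits.append((i, name))
    return hits


# Constructed sample telemetry for this example, not captured data.
SAMPLE_EVENTS = [
    Event(4698, task_name="\\VCC_runner2"),
    Event(1, image=r"C:\Windows\System32\vssadmin.exe",
          command_line="vssadmin.exe Delete Shadows /All /Quiet"),
    Event(1, image=r"C:\Windows\System32\notepad.exe",
          command_line="notepad.exe notes.txt"),
    Event(4698, task_name="\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"),
    Event(1, image=r"C:\Users\alice\AppData\Local\Temp\7z.exe",
          command_line=r"7z.exe x C:\Users\alice\AppData\Local\Temp\payload.7z "
                       r"-oC:\Users\alice\AppData\Local\Temp"),
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Feeding real 4698 and Sysmon process-creation events through `detect` only requires mapping their TaskName, Image and CommandLine fields onto `Event`; the task-name rule is exact and low-noise, while the 7z heuristic should be treated as a lead to pivot on rather than an alert on its own.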
AMOS macOS Stealer
Discovered in April 2023, AMOS is a macOS stealer that was leased to cybercriminals via Telegram. The original version, written in Go, had the feature set typical of a stealer: it harvested passwords, files, and browser data, and it displayed fake password prompts to obtain the system password. The latest version, rewritten in C, uses malvertising as its infection vector, luring victims to cloned copies of popular software sites to download the malware. On execution it retrieves the user's name and checks whether a password is required; if so, it prompts the user to enter one. AMOS then collects a range of data, including notes, documents, browser data, cryptocurrency wallets, and instant-messaging data, zips it, and sends the archive to the C2 over HTTP.
These developments show the crimeware landscape continuing to evolve, with criminals steadily extending their tooling to new platforms and technologies.
IoC
SHA256
- 9bf7692f8da52c3707447deb345b5645050de16acf917ae3ba325ea4e5913b37
- 6cadab96185dbe6f3a7b95cf2f97d6ac395785607baa6ed7bf363deeb59cc360
- 4d24b359176389301c14a92607b5c26b8490c41e7e3a2abbc87510d1376f4a87
- 3d13fae5e5febfa2833ce89ea1446607e8282a2699aafd3c8416ed085266e06f
- 2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2
SHA1
- e27521c7158c6af3aa58f78fcbed64b17c946f70
- ba9de479beb82fd97bbdfbc04ef22e08224724ba
- 941d001e2974c9762249b93496b96250211f6e0f
MD5
- c60ac6a6e6e582ab0ecb1fdbd607705b
- 2cda932f5a9dafb0a328d0f9788bd89c
- 0885b3153e61caa56117770247be0444
- 00141f86063092192baf046fd998a2d1
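The hashes above are only useful once they are swept against a file system, and each list is a different algorithm, so every file has to be hashed three ways. The following is an added example, not part of the report: a Python sweeper that streams each file once through MD5, SHA1 and SHA256 and reports any file whose digest appears in one of the IoC lists (the sets below are copied from the lists above). It takes a directory as its only argument and assumes nothing beyond the standard library.

```python
import hashlib
import sys
from pathlib import Path

# Indicator hashes copied from the IoC lists above (all lowercase hex).
IOC = {
    "sha256": {
        "9bf7692f8da52c3707447deb345b5645050de16acf917ae3ba325ea4e5913b37",
        "6cadab96185dbe6f3a7b95cf2f97d6ac395785607baa6ed7bf363deeb59cc360",
        "4d24b359176389301c14a92607b5c26b8490c41e7e3a2abbc87510d1376f4a87",
        "3d13fae5e5febfa2833ce89ea1446607e8282a2699aafd3c8416ed085266e06f",
        "2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2",
    },
    "sha1": {
        "e27521c7158c6af3aa58f78fcbed64b17c946f70",
        "ba9de479beb82fd97bbdfbc04ef22e08224724ba",
        "941d001e2974c9762249b93496b96250211f6e0f",
    },
    "md5": {
        "c60ac6a6e6e582ab0ecb1fdbd607705b",
        "2cda932f5a9dafb0a328d0f9788bd89c",
        "0885b3153e61caa56117770247be0444",
        "00141f86063092192baf046fd998a2d1",
    },
}
ALGOS = ("md5", "sha1", "sha256")


def _digests(chunks):
    """Hash a stream of byte chunks with all three algorithms in one pass."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    for block in chunks:
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes) -> dict:
    return _digests([data])


def digest_file(path, chunk_size=1 << 20) -> dict:
    # Read in 1 MiB chunks so large files do not need to fit in memory.
    with open(path, "rb") as f:
        return _digests(iter(lambda: f.read(chunk_size), b""))


def match_iocs(digests: dict) -> list:
    """Return the algorithm names whose IoC list contains the given digest."""
    return [name for name in ALGOS if digests[name].lower() in IOC[name]]


def sweep(root) -> list:
    """Walk root recursively; return (path, matched algorithms) for IoC hits."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            hits = match_iocs(digest_file(path))
        except OSError:
            continue  # unreadable file; skip rather than abort the sweep
        if hits:
            findings.append((str(path), hits))
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in sweep(root):
        print(f"IOC HIT {path}: {', '.join(hits)}")
```

A hit on any one list is enough to act on; the three lists are not guaranteed to describe the same files, so a match on SHA256 alone is not less trustworthy than a match on all three.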
REFERENCES
- https://securelist.com/crimeware-report-fakesg-akira-amos/111483/
- https://otx.alienvault.com/pulse/657b34f330a288e473f448c0
TAGS
apple macos, cross-platform malware, ransomware, rat trojan, trojan, amos, akira, redline, fakesg campaign, amos stealer, powershell, raccoon, exodus, netsupportmanagerrat, amos macos, infostealer, industrial