While the world is engrossed in coronavirus-themed attacks, Seqrite, a specialist provider of endpoint security, network security, enterprise mobility management, and data protection solutions, has detected a new MalSpam (malicious spam) campaign, targeting manufacturing and export sectors in India. The researchers of Seqrite spotted that malware actors are leveraging multiple sophisticated techniques in this campaign to bypass traditional defence mechanisms. However, Seqrite is successfully detecting and blocking any such attempts using its patented Signatureless and Signature-based detection technology.
According to Seqrite, some of the common Remote-Access-Tools used by attackers are Agent Tesla, Remcos RAT and NanoCore RAT. Researchers at Seqrite have been following the tracks of these campaigns since April 2020 and have found that attackers don’t restrict themselves to a single geography or vertical. They also noticed that similar campaigns existed earlier as well that targeted varied organizations including those managed by the Government. The attackers generally use publicly available systems such as Pastebin and Bitly to host their payloads as it helps them hide behind legitimate services that remain undetected.
So, how does this attack begin?
The attack begins in the form of a phishing email sent to a genuine user. This contains MS Office PowerPoint files with a malicious Visual Basic for Applications (VBA) macro. Cyber Attackers use VBA programming in Microsoft Office macros as a medium to spread viruses, worms, and other forms of malware on a computer system.
LoLBins or living-off-the-land binaries – These are built-in tools on operating systems, which are used for legitimate purposes. Attackers abuse these tools for malicious objectives as security products usually whitelist them
Hosting payloads on legitimate file hosting service Pastebin –By hosting malicious payload on Pastebin, which is a web-based platform widely used for source code sharing, attackers can bypass network security controls and enter the computer system to steal critical data.
In memory payload execution (file less technique) – In this method, a file less infection directly loads malicious code into the memory of the system and evades antivirus protection as there is no file to be scanned and analyzed.
The timely detection and blocking of such attack campaigns is essential for maintaining the integrity and trust in the businesses. Seqrite recommends users to exercise ample caution and avoid opening attachments and clicking on web links in unsolicited emails. Businesses should consider disabling macros, keep their Operating Systems updated and have a full-fledged security solution installed on all the devices.