November 14, 2024

As many as three disparate but related campaigns between March and Jun 2022 have been found to deliver a variety of malware, including ModernLoader, RedLine Stealer, and cryptocurrency miners onto compromised systems.

“The actors use PowerShell, .NET assemblies, and HTA and VBS files to spread across a targeted network, eventually dropping other pieces of malware, such as the SystemBC trojan and DCRat, to enable various stages of their operations,” Cisco Talos researcher Vanja Svajcer said in a report shared with The Hacker News.

The malicious implant in question, ModernLoader, is designed to provide attackers with remote control over the victim’s machine, which enables the adversaries to deploy additional malware, steal sensitive information, or even ensnare the computer in a botnet.

Cisco Talos attributed the infections to a previously undocumented but Russian-speaking threat actor, citing the use of off-the-shelf tools. Potential targets included Eastern European users in Bulgaria, Poland, Hungary, and Russia.

Infection chains discovered by the cybersecurity firm involve attempts to compromise vulnerable web applications like WordPress and CPanel to distribute the malware by means of files that masquerade as fake Amazon gift cards.

The first stage payload is a HTML Application (HTA) file that runs a PowerShell script hosted on the command-and-control (C2) server to initiate the deployment of intertim payloads that ultimately inject the malware using a technique called process hollowing.

Described as a simple .NET remote access trojan, ModernLoader (aka Avatar bot) is equipped with features to gather system information, execute arbitrary commands, or download and run a file from the C2 server, allowing the adversary to alter the modules in real-time.

Cisco’s investigation also unearthed two earlier campaigns in March 2022 with similar modus operandi that leverage ModerLoader as the primary malware C2 communications and serve additional malware, including XMRig, RedLine Stealer, SystemBC, DCRat, and a Discord token stealer, among others.

“These campaigns portray an actor experimenting with different technology,” Svajcer said. “The usage of ready-made tools shows that the actor understands the TTPs required for a successful malware campaign but their technical skills are not developed enough to fully develop their own tools.”