Remote Access Trojans – Devstyler.io

Malware Developers turn to ‘Exotic’ Programming Languages to Thwart Researchers
https://devstyler.io/blog/2021/07/27/malware-developers-turn-to-exotic-programming-languages-to-thwart-researchers/
Tue, 27 Jul 2021

Malware developers are increasingly turning to unusual or “exotic” programming languages to hamper analysis efforts.

According to a new report published by BlackBerry’s Research & Intelligence team on Monday, there has been a recent “escalation” in the use of Go (Golang), D (DLang), Nim, and Rust, which are being used more commonly to “try to evade detection by the security community, or address specific pain-points in their development process.”

In particular, malware developers are experimenting with loaders and droppers written in these languages, built for both first-stage and later-stage malware deployment in an attack chain.

BlackBerry’s team says that first-stage droppers and loaders are becoming more common as a way to avoid detection on a target endpoint: once the malware has circumvented existing security controls that can detect more typical forms of malicious code, the loaders are used to decode, load, and deploy further malware, including Trojans.

Commodity malware cited in the report includes the Remote Access Trojans (RATs) Remcos and NanoCore. In addition, Cobalt Strike beacons are often deployed.

Some developers with more resources at their disposal, however, are rewriting their malware entirely in new languages; one example is the move from Buer to RustyBuer. Based on current trends, cybersecurity researchers say that Go is of particular interest to the cybercriminal community.

According to BlackBerry, both advanced persistent threat (APT) state-sponsored groups and commodity malware developers are taking a serious interest in the programming language to upgrade their arsenals. In June, CrowdStrike said a new ransomware variant borrowed features from HelloKitty/DeathRansom and FiveHands but used a Go packer to encrypt its main payload. The team says:

“This assumption is based upon the fact that new Go-based samples are now appearing on a semi-regular basis, including malware of all types, and targeting all major operating systems across multiple campaigns.”

While not as popular as Go, DLang, too, has experienced a slow uptick in adoption throughout 2021.

The researchers say that by using new or more unusual programming languages, malware authors may hamper reverse-engineering efforts, evade signature-based detection tools, and improve cross-compatibility across target systems. The codebase itself may also add a layer of concealment without any further effort from the malware developer, simply because of the language in which it is written.

New MosaicLoader Malware Targets Software Pirates via Online Ads
https://devstyler.io/blog/2021/07/20/new-mosaicloader-malware-targets-software-pirates-via-online-ads/
Tue, 20 Jul 2021

An ongoing worldwide campaign is pushing new malware dubbed MosaicLoader through advertising camouflaged as cracked software in search engine results, infecting the systems of would-be software pirates.

MosaicLoader is a malware downloader designed by its creators to deploy second-stage payloads on infected systems, as Bitdefender researchers revealed in a report published today and shared with BleepingComputer last week. Janos Gergo Szeles, Senior Security Researcher at Bitdefender, revealed:

“We named it MosaicLoader because of the intricate internal structure that aims to confuse malware analysts and prevent reverse-engineering.”

During their investigation, Bitdefender found that MosaicLoader threat actors used the following tactics to hinder researchers’ malware analysis efforts and to increase their attacks’ rate of success:

  • Mimicking file information that is similar to legitimate software
  • Code obfuscation with small chunks and shuffled execution order
  • Payload delivery mechanism infecting the victim with several malware strains

The researcher added that the campaign doesn’t target a specific region. Due to its online advertising lures, it will attempt to infect any search engine users looking to download and install cracked software installers on their devices.

The attackers are camouflaging their droppers as executables belonging to legitimate software, using similar icons and including details such as company names and descriptions in the files’ metadata to pass superficial scrutiny.

After being deployed on a victim’s system, MosaicLoader downloads additional malware, ranging from cryptocurrency miners and cookie stealers to Remote Access Trojans (RATs) and backdoors, using “a complex chain of processes.” Compounding the danger of a MosaicLoader infection, the threat actors (or their clients) can harvest sensitive information such as credentials from compromised systems using RATs and similar malware with data theft capabilities. The stolen information can later be used to hijack victims’ online accounts and to exploit that access in identity theft or blackmail scams.

[Figure: Malware delivered by MosaicLoader (Bitdefender)]

Bitdefender collected and analyzed multiple malware samples delivered by MosaicLoader via a malware sprayer that downloads further payloads from attacker-controlled domains hosting lists of malware URLs (some of them are listed in the table embedded below). Szeles concluded:

“The best way to defend against MosaicLoader is to avoid downloading cracked software from any source. Besides being against the law, cybercriminals look to target and exploit users searching for illegal software.”

Additional technical info and indicators of compromise, including malware hashes and command-and-control infrastructure info, can be found at the end of Bitdefender’s whitepaper.
