30 C
Jaipur
Wednesday, October 21, 2020

Hacking Tools launching Crypto-Malware by Exploit a SMB Server Flaw

Must read

Netflix StreamFest: Free Netflix And Chill For A Weekend

After killing its 30-day free trial, Netflix is bringing StreamFest to give users a free weekend of its streaming services. First reported by Protocol,...

DJI Pocket 2 is a Tiny Vlogging Camera with a Modular Design, Improved Audio

Renowned drone maker, DJI, has upgraded its tiny gimbal camera for bloggers today. The company has launched the DJI Pocket 2, a successor to...

Safari Among Seven Mobile Browsers Affected by Address Bar Spoofing Vulnerabilities

Researchers at cyber-security firm, Rapid7, have claimed that several popular mobile browsers are vulnerable to ten new ‘Address Bar Spoofing’ vulnerabilities, thereby jeopardizing the...

Jio and Qualcomm Begin 5G Network Trials in India; Achieves Over 1Gbps Speeds

Reliance Jio, the leading telecom operator in India, first talked about its 5G ambitions and the use of in-house stack at its AGM earlier...

Cybercriminals now leveraging new hacking tools and remote access software to drop cryptocurrency malware by exploiting a Windows SMB Server Vulnerability .

There are 2 main hacking tools that are used by attackers to drop random file info to the targeted systems windows registry.

First one is MIMIKATZ , a powerful post-exploitation hacking tool which is used with other hacking tools to collect user accounts and system credentials.

At the same time threat actors using another legitimate remote access tool
RADMIN, enterprise tool for remote access to network computers and servers.

RADMIN mainly used by attackers to gain admin rights and introduce other malware into targeted systems.

In this case, both MIMIKATZ and RADMIN combined to targeting the enterprise assets for data exfiltration by evading the detection by lunching random name with valid Windows functions.

Malware Infection Process

Apart from the samples of a random name, its drops finally a Monero miner malware payload from a remote server through the command sent via RADMIN to the target machine.

This malware variant mainly drops when user visiting the compromising websites or it some time drop into victims system by other malware. later its create a file from its resource and name it as names it as  C:windowstempttt.exe and finally execute it.

After the complete infection process, it connects to the command & control server IP address and send the information and download the coinminer into the infected system and later it will decrypt and execute the Monero miner.

According to Trend Micro research, “It continues to save and execute the downloaded file a Python-compiled executable that imports several other Python modules to gather credentials, as well as psexec, enabling the attacker to remotely execute commands. It is also capable of randomly scanning generated IP addresses over the internet and local networks for open port 445. “

Threat actors behind this malware targeting victims with the main motivation of stealing credentials and developing the module for future attack via escalated privileges and remote access.

“Since the info stealer is able to send back information such as user accounts, port forwarding, and system specifics, and capable of planting the hack tool for remote admin functions, it can let attackers remotely access the system to initiate more attacks in the future if left unchecked.” Trend Micro said.

Source link

- Advertisement -

More articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest article

Netflix StreamFest: Free Netflix And Chill For A Weekend

After killing its 30-day free trial, Netflix is bringing StreamFest to give users a free weekend of its streaming services. First reported by Protocol,...

DJI Pocket 2 is a Tiny Vlogging Camera with a Modular Design, Improved Audio

Renowned drone maker, DJI, has upgraded its tiny gimbal camera for bloggers today. The company has launched the DJI Pocket 2, a successor to...

Safari Among Seven Mobile Browsers Affected by Address Bar Spoofing Vulnerabilities

Researchers at cyber-security firm, Rapid7, have claimed that several popular mobile browsers are vulnerable to ten new ‘Address Bar Spoofing’ vulnerabilities, thereby jeopardizing the...

Jio and Qualcomm Begin 5G Network Trials in India; Achieves Over 1Gbps Speeds

Reliance Jio, the leading telecom operator in India, first talked about its 5G ambitions and the use of in-house stack at its AGM earlier...

US Justice Department Files Antitrust Lawsuit Against Google

The US Justice Department on Tuesday filed an antitrust lawsuit against tech giant Google. It alleges that Google is abusing its dominance in the...