SafeBreach Archives – Gridinsoft Blog https://gridinsoft.com/blogs/tag/safebreach/ Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Fri, 04 Nov 2022 17:26:57 +0000 en-US hourly 1 https://wordpress.org/?v=97570 200474804 New PowerShell Backdoor Masquerades as a Windows Update https://gridinsoft.com/blogs/new-powershell-backdoor/ https://gridinsoft.com/blogs/new-powershell-backdoor/#respond Thu, 20 Oct 2022 10:45:24 +0000 https://gridinsoft.com/blogs/?p=11272 Cybersecurity experts from SafeBreach have found a new, previously undocumented and “undetectable” PowerShell backdoor, which hackers actively use and has been used to attack at least 69 targets. Let me remind you that we also wrote that Germans Interested in the Situation in Ukraine Are Attacked by the PowerShell RAT Malware. The backdoor spreads through… Continue reading New PowerShell Backdoor Masquerades as a Windows Update

The post New PowerShell Backdoor Masquerades as a Windows Update appeared first on Gridinsoft Blog.

]]>
Cybersecurity experts from SafeBreach have found a new, previously undocumented and “undetectable” PowerShell backdoor, which hackers actively use and has been used to attack at least 69 targets.

Let me remind you that we also wrote that Germans Interested in the Situation in Ukraine Are Attacked by the PowerShell RAT Malware.

The PowerShell backdoor is a stealthy tool of its own design and its associated command and control servers appear to be the work of a sophisticated unknown attacker, who already has about 100 victims.”the researchers note in their report.

The backdoor spreads through spear phishing, as part of malicious Word documents that are usually disguised as job offers. When such a document is opened, a macro is triggered within it that delivers the updater.vbs PowerShell script to the victim’s computer, which creates a scheduled task claiming to be part of a Windows update.

New PowerShell Backdoor
Bait from hacker’s letter

The VBS script executes two other PowerShell scripts (Script.ps1 and Temp.ps1), which are stored obfuscated inside the malicious document itself. When SafeBreach analysts first discovered these scripts, none of the products featured on VirusTotal identified them as malicious.

New PowerShell Backdoor

Script.ps1 connects to the C&C servers of the attackers, sends the victim ID to its operators, and then waits for further commands, which it receives in encrypted form (AES-256 CBC). Based on the count of such identifiers, the analysts could conclude that about 69 victims were registered on the attackers’ control servers, which probably corresponds to the approximate number of hacked computers.

The Temp.ps1 script, in turn, decodes the commands received from the server as a response, executes them, and then encrypts and uploads the result via a POST request to the control server.

The experts created a script that deciphered the commands of the malware operators, and found that two-thirds of them were intended to steal data, and the rest were used to compile lists of users, files, delete files and accounts, and also compile lists of RDP clients.

Researchers believe that this PowerShell backdoor seems to be created by some previously unknown attackers, and so far there is too little data to talk about the attribution of these attacks.

The post New PowerShell Backdoor Masquerades as a Windows Update appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/new-powershell-backdoor/feed/ 0 11272
Developer of CodeRAT Trojan Releases Source Code https://gridinsoft.com/blogs/coderat-source-code/ https://gridinsoft.com/blogs/coderat-source-code/#respond Tue, 06 Sep 2022 06:56:34 +0000 https://gridinsoft.com/blogs/?p=10395 The source code for the CodeRAT remote access trojan has been published on GitHub. This happened after the security researchers identified the malware developer and called him to account because of the attacks in which this “tool” was used. SafeBreach experts say that the attacks using CodeRAT were built as follows: the campaign was aimed… Continue reading Developer of CodeRAT Trojan Releases Source Code

The post Developer of CodeRAT Trojan Releases Source Code appeared first on Gridinsoft Blog.

]]>
The source code for the CodeRAT remote access trojan has been published on GitHub. This happened after the security researchers identified the malware developer and called him to account because of the attacks in which this “tool” was used.

SafeBreach experts say that the attacks using CodeRAT were built as follows: the campaign was aimed at Farsi-speaking developers from Iran. They were attacked with a Word document that contained a DDE exploit.

These exploits downloaded and ran CodeRAT from the attacker’s GitHub repository, giving the remote operator a wide range of options after infection. In particular, CodeRAT supports about 50 commands, including creating screenshots, copying the clipboard’s contents, getting a list of running processes, terminating processes, checking GPU usage, uploading, downloading and deleting files, executing programs, and so on.

Developer of CodeRAT Trojan Releases Source Code

Let me remind you that we also wrote that ZuoRAT Trojan Hacks Asus, Cisco, DrayTek and NETGEAR Routers, and also that Trojan Qbot Took Advantage of the Famous Follina Vulnerability.

The CodeRAT malware also has extensive capabilities for monitoring webmail, Microsoft Office documents, databases, social networks, IDE for Windows Android, as well as porn sites and individual sites (for example, the Iranian e-commerce company Digikala or the Eitaa web messenger in Farsi). In addition, the malware spies on the windows of tools such as Visual Studio, Python, PhpStorm, and Verilog.

CodeRAT Source code
CodeRAT UI

Such monitoring, especially spying on porn sites, social media activity, and anonymous browsing tools, leads us to believe that CodeRAT is an intelligence tool used by government-linked attackers. Usually, this is observed in attacks behind the Islamic regime of Iran, which monitors its citizens’ illegal and immoral actions.experts say.

To communicate with its carrier and steal the collected data, CodeRAT uses a Telegram-based mechanism that relies on a public anonymous file upload API (instead of the traditional C&C infrastructure).

Although this campaign was abruptly interrupted, the researchers could track down the malware developer behind the nickname Mr. Moded. When SafeBreach contacted the CodeRAT developer, he did not initially deny their accusations but instead asked the experts for more information.

CodeRAT Source code

After the experts provided Mr. Moded with evidence linking him to CodeRAT, he was not at a loss and posted the malware’s source code on his GitHub. The researchers warn that now, with the release of the source code, CodeRAT may become more widespread.

The post Developer of CodeRAT Trojan Releases Source Code appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/coderat-source-code/feed/ 0 10395