spam attack Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/spam-attack/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Mon, 26 Feb 2024 18:10:42 +0000

Meta Infostealer Malware Spread via Spam
https://gridinsoft.com/blogs/meta-infostealer-malware/
Tue, 12 Apr 2022 15:09:51 +0000

Meta, a newly crafted information-stealing malware, is distributed via a vast spam spree. The mechanism of the stealer injection within this campaign is already well-known. However, Meta is now a mainstream tool among hackers. Therefore, further attacks featuring this software but with different scenarios are inevitable. This article explains how the current malspam scheme works. We also share the story behind the info stealer.

READ ALSO: Spyware vs. Infostealer – what’s the difference?

The information provided within the current article, including the images, is courtesy of Brad Duncan, an independent cybersecurity analyst, the man behind the malware-traffic-analysis.net blog.


Spam Campaign details

The Meta infostealer infection begins with an email carrying an attachment. Experienced users already know to stay away from such attachments, but someone might still take the bait. The lure is classic: you have received a payment, and there is a little paperwork to do before you get your money.

Meta Stealer Infection Scheme
Meta Stealer infection scheme, provided by Brad Duncan. Source: isc.sans.edu

After the user opens the attachment (an Excel spreadsheet in the current campaign), the file, just as expected, asks for permission to run macros. The spreadsheet displays a DocuSign image to look more convincing, although a signing prompt makes no sense for a file that is already downloaded. If the victim consents, the enabled scripts (VBS) start downloading components from several sources.

Request for Macros
The attached Excel file, decorated with a DocuSign image, asks for permission to enable macros. Source: isc.sans.edu

The downloaded payload is either base64-encoded (a scheme that represents binary data as text) or has its byte order reversed. Both methods increase the malware’s chances of slipping past antivirus programs. The fetched content consists of *.dll and *.exe files.
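To triage what such a macro actually fetched, a defender can undo each of these transformations in turn and test whether the result is a Windows executable. The Python below is an added example, not code from the original post or from Brad Duncan’s analysis; the "downloads" it inspects are constructed stand-ins for the campaign’s files.

```python
import base64
import binascii
import struct

def build_stub_pe() -> bytes:
    """Constructed stand-in for a fetched DLL: an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    buf = bytearray(0x80)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)  # e_lfanew -> offset of the PE signature
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)

def looks_like_pe(blob: bytes) -> bool:
    """True if blob carries an MZ header and e_lfanew points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

# The two encodings seen in the campaign, tried alone and combined.
TRANSFORMS = [
    ("plain", lambda b: b),
    ("reversed", lambda b: b[::-1]),
    ("base64", lambda b: base64.b64decode(b, validate=True)),
    ("base64+reversed", lambda b: base64.b64decode(b, validate=True)[::-1]),
]

def recover_pe(blob: bytes):
    """Return (transform_name, executable_bytes) for the first transform that yields a PE, else None."""
    for name, fn in TRANSFORMS:
        try:
            out = fn(blob)
        except (binascii.Error, ValueError):  # not valid base64
            continue
        if looks_like_pe(out):
            return name, out
    return None

def triage_samples() -> dict:
    """Run recover_pe over constructed downloads; map file name to the transform that exposed it."""
    pe = build_stub_pe()
    downloads = {
        "stage1.txt": base64.b64encode(pe),    # binary hidden as text
        "stage2.bin": pe[::-1],                # byte order reversed
        "readme.txt": b"nothing to see here",  # benign, must stay None
    }
    results = {}
    for name, data in downloads.items():
        found = recover_pe(data)
        results[name] = found[0] if found else None
    return results
```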

Reversed bytes in the downloaded DLL
You can see the reversed byte order in the downloaded DLL. Source: isc.sans.edu

The attack succeeds once a malicious executable is assembled on the victim’s computer and begins sending data to a server at 193[.]106[.]191[.]162. The file is named ‘qwveqwveqw’, and it also creates a system registry entry for itself. Meta steals passwords for cryptocurrency wallets and web browsers, namely Chrome, Firefox, and Edge. It also alters PowerShell and Windows Security settings, excluding *.exe files from antivirus scanning.

Meta Stealer's Traffic
Meta-generated traffic. Source: isc.sans.edu

Brief information on Meta malware

The hacker community quickly reacted to the suspension of the Raccoon Stealer malware: its operators stopped selling and supporting the tool after one of the developers became a victim of the war in Ukraine. Meta, advertised as the successor of RedLine, is one of several stealers that arrived to occupy the vacant niche. On the 2Easy botnet marketplace it costs $125 per month, and a lifetime subscription costs $1000. For a more thorough analysis of the Meta malware, read the original report by Brad Duncan on the Internet Storm Center security forum.

RELATED: Why is the 2easy trading platform gaining popularity?

Spammers hide behind hexadecimal IP addresses
https://gridinsoft.com/blogs/spammers-hide-behind-hexadecimal-ip-addresses/
Mon, 21 Sep 2020 16:21:01 +0000

Trustwave experts have discovered that the operators of a pharmaceutical spam campaign have started inserting unusual URLs into their messages: the spammers hide behind hexadecimal IP addresses to bypass email filters and other security solutions.

The trick relies on the address formats allowed by the RFC 791 standard. The researchers point out that, for example, https://google.com is the same as https://216.58.199.78; the first form is simply easier to remember.

“Technically, an IP address can be represented in several formats and therefore can be used in a URL in a variety of ways,” explain Trustwave researchers.

For example, any IP address can be written in other formats, including:

  • octal IP address: https://0330.0072.0307.0116;
  • hexadecimal IP address: https://0xD83AC74E;
  • integer or DWORD IP address: https://3627730766.

Spammers exploit this feature; they have been using hexadecimal IP addresses in their mailings since July this year. Browsers understand these formats and take the user to google.com anyway, as in the example above, but many spam filters stop “seeing” the dangerous URLs.
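A filter that canonicalizes every IPv4 literal before matching it against a blocklist closes this gap. The Python below is an added example, not Trustwave’s code: it reproduces the legacy inet_aton parsing rules behind the octal, hexadecimal and DWORD forms listed above and flags URLs whose host is written in any of them; the sample message is constructed.

```python
import re
from urllib.parse import urlsplit

# One dotted component as legacy inet_aton reads it: 0x = hex, leading 0 = octal, else decimal.
PART_RE = re.compile(r"^(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def parse_part(text: str) -> int:
    if not PART_RE.match(text):
        raise ValueError(text)
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    return int(text, 8) if len(text) > 1 and text[0] == "0" else int(text, 10)

def canonical_ipv4(host: str):
    """Dotted-decimal form of an inet_aton-style IPv4 literal (1 to 4 parts), or None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [parse_part(p) for p in parts]
    except ValueError:
        return None
    *lead, last = values
    # Leading parts are one byte each; the last part fills the remaining bytes.
    if any(v > 0xFF for v in lead) or last >= 1 << (8 * (4 - len(lead))):
        return None
    packed = last
    for j, v in enumerate(lead):
        packed |= v << (8 * (3 - j))
    return ".".join(str((packed >> s) & 0xFF) for s in (24, 16, 8, 0))

def flag_obfuscated_ip_urls(body: str):
    """(url, canonical_ip) for each URL whose host is an IPv4 literal not written in dotted decimal."""
    findings = []
    for url in URL_RE.findall(body):
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:  # malformed netloc, e.g. unbalanced brackets
            continue
        ip = canonical_ipv4(host)
        if ip is not None and host != ip:
            findings.append((url, ip))
    return findings

SAMPLE_MAIL = (  # constructed spam body, not a real message
    "Cheap pills at https://0xD83AC74E/shop or https://0330.0072.0307.0116/shop\n"
    "Plain forms https://216.58.199.78/ and https://google.com/ are not flagged\n"
)
```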

“Any threat actor equipped with this knowledge can craft an obscure-looking URL like the ones shown above and send it via email with a convincing message to deceive the email gateway and the victim and lure them to click and open a site controlled by the attacker,” write Trustwave researchers.

Spammers hide behind IP addresses
Attack scheme

Experts note that since the group began using this trick, its activity has markedly increased, with far more spam landing in user inboxes. At the peak of the campaign, the scammers sent out about 25,000 messages. They advertised cholesterol-lowering, antifungal, anti-aging and anti-inflammatory drugs, medical masks, UV lamps, and all kinds of dietary supplements.

Interestingly, this is not the first such case discovered by information security specialists.

For example, last summer, Proofpoint experts talked about the PsiXBot Trojan, whose operators also used hexadecimal IP addresses to hide the location of their control servers.

Learn more about how spam works in our blog post: Spam Email. What Do Spammers Hope For?


Smoke Loader Malware: New Password-Stealing Infection Method
https://gridinsoft.com/blogs/smoke-loader-malware-new-password-stealing-infection-method/
Mon, 09 Jul 2018 15:02:55 +0000

A new variant of the Smoke Loader malware has been discovered that uses a new method to infect computers. Smoke Loader is a sophisticated malware that has been around since 2011, but it continues to evolve and adapt to new security measures.

The new infection method involves the use of spam emails that contain a link to a malicious website. When a user clicks on the link, it downloads a file that appears to be a PDF document but is actually an executable file that installs the Smoke Loader malware on the computer.

Once installed, the malware can steal sensitive information from the infected computer, such as login credentials, banking information, and personal data. It can also download additional malware, making the infection even more dangerous.

Smoke Loader

Smoke Loader is designed to evade detection by traditional antivirus software. It uses a variety of obfuscation and encryption techniques to hide its presence on the infected computer.

To protect yourself from this type of malware, it is important to be cautious when clicking on links or downloading files from unknown sources. You should also ensure that your antivirus software is up-to-date and that you are using a firewall to block incoming traffic.

IoC Smoke Loader

If you believe that your computer may be infected with Smoke Loader or any other malware, you should immediately disconnect it from the internet and run a full system scan with your antivirus software. You should also change any passwords that may have been compromised and monitor your bank accounts and credit card statements for any suspicious activity.

In conclusion, the discovery of this new infection method for Smoke Loader is a reminder of the ongoing threat posed by malware and the importance of taking proactive measures to protect your computer and personal information. By following best practices for online security and staying vigilant, you can help minimize the risk of falling victim to these types of attacks.
