Researchers found a large-scale campaign distributing crypto mining and crypto stealing malware, which was hidden in office programs, game cheats, and online trading bots.
The malware used a disguised system component to launch a command-line interpreter, then used the Ncat network utility to connect to a remote server, which allowed the malware to infect victims' computers.
The attackers use fraudulent GitHub or YouTube pages to distribute malware disguised as self-extracting RAR archives.
Once downloaded and extracted with the supplied password, the archive drops and runs malicious DLL files, which install and execute a script that deletes the malware's own files and restarts the computer.
The script also creates a scheduled task that re-runs the malicious script after the restart, making it difficult to detect and remove, while the malware's obfuscation and encryption prevent traditional antivirus software from detecting it.
Cybercriminals are using the AutoIt language interpreter, disguised as a WinRAR library named ShellExt.dll, to execute malicious scripts, which unpack a payload of obfuscated files.
The attackers are abusing the legitimate Uninstall Tool utility's UTShellExt.dll to distribute their malware: the script is attached to this component, which is digitally signed and therefore appears trustworthy.
According to Dr. Web, AutoIt's ease of use and versatility make it a popular choice for malware authors, to the point that some antivirus programs falsely flag all compiled AutoIt scripts as malicious.
The UTShellExt.dll file employs a multi-stage attack strategy. Initially, it scans the system for known debugging tools and terminates the attack if any are detected.
If the system is deemed safe, it extracts necessary files for network communication and malicious activities.
Subsequently, it creates system events to gain network access and execute the malicious files, and modifies the registry to achieve persistence using the IFEO (Image File Execution Options) technique: entries for legitimate Windows system services and browser update processes are hijacked so that the malicious code runs whenever those applications are launched.
The attackers successfully compromised a Windows machine by exploiting vulnerabilities in the .NET framework and 7-Zip archiver.
Malicious files DeviceId.dll and 7zxa.dll were injected into explorer.exe to execute hidden crypto mining and crypto stealing operations.
The former used AutoIt to silently mine cryptocurrency, while the latter monitored clipboard data for wallet addresses in order to steal funds. The attackers gained over $6000 in cryptocurrency this way.
The malware further entrenched itself by revoking permissions on folders and files and disabling the Windows Recovery service; finally, it sent the device's specifications to the attackers via a Telegram bot.
A malware campaign targeting Russian-speaking users exploited the Process Hollowing technique to replace legitimate explorer.exe processes with malicious code, which resulted in multiple copies of explorer.exe running on infected systems, a suspicious anomaly.
The attackers distributed the malware through pirated software; the campaign compromised over 28,000 computers, primarily in Russia and neighboring countries, which underscores the importance of downloading software from official sources or using open-source alternatives.
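As an added illustration for defenders (not code from the Dr. Web report or this article), the PowerShell audit below lists IFEO persistence entries of the kind described above and enumerates explorer.exe instances so that extra copies can be triaged. The registry paths are the standard Windows locations; the "suspicious" heuristic (a hijack command living outside the Windows directory) is an assumption of this example, not a rule from the report.

```powershell
# Added defensive audit (not from the Dr. Web report): lists IFEO persistence
# entries and explorer.exe instances so an analyst can spot the techniques
# described above. Run in an elevated PowerShell session on the host being checked.

$ifeoRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$silentRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'

function Get-IfeoFindings {
    # Returns one object per IFEO 'Debugger' value or SilentProcessExit 'MonitorProcess'
    # value. Either makes Windows start the named program when the target executable
    # is launched (Debugger) or exits (MonitorProcess), which is the hijack described.
    $findings = @()
    foreach ($key in Get-ChildItem -Path $ifeoRoot -ErrorAction SilentlyContinue) {
        $dbg = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $findings += [pscustomobject]@{ Type = 'Debugger'; Target = $key.PSChildName; Command = $dbg }
        }
    }
    foreach ($key in Get-ChildItem -Path $silentRoot -ErrorAction SilentlyContinue) {
        $mon = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).MonitorProcess
        if ($mon) {
            $findings += [pscustomobject]@{ Type = 'MonitorProcess'; Target = $key.PSChildName; Command = $mon }
        }
    }
    # Heuristic (assumption of this example): a command outside the Windows directory
    # deserves a closer look. A few legitimate tools (e.g. Process Explorer replacing
    # Task Manager) also set Debugger, so every hit still needs analyst review.
    $findings | ForEach-Object {
        $_ | Add-Member -NotePropertyName Suspicious -NotePropertyValue (
            $_.Command -notmatch '^"?[A-Za-z]:\\Windows\\' ) -PassThru
    }
}

function Get-ExplorerInstances {
    # Multiple explorer.exe processes are the anomaly the report mentions. One per
    # interactive session is normal; extra copies, an image path outside \Windows,
    # or an unexpected parent process are the process-hollowing indicators to triage.
    Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'" |
        Select-Object ProcessId, ParentProcessId, SessionId, ExecutablePath, CommandLine
}

Write-Host '== IFEO persistence entries =='
Get-IfeoFindings | Format-Table -AutoSize
Write-Host '== explorer.exe instances =='
Get-ExplorerInstances | Format-Table -AutoSize
```

Cross-check any flagged Debugger or MonitorProcess command against the scheduled tasks on the host as well, since the report describes a task that re-launches the script after reboot.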