A Malware Attack Pattern to Infect Devices


DangerousPassword

Recently, it has been observed by JPCERT/CC that threat actors are actively targeting the cryptocurrency exchanges linked to the DangerousPassword attack campaign (aka CryptoMimic or SnatchCrypto), involving the distribution of malware through email shortcuts since June 2019.

Apart from malware distribution through email, various attack patterns are utilized by the attackers to infect targets with malware, with four specific patterns being observed.

Here below we have mentioned those four attack patterns:-

  • Attacks by sending malicious CHM files from LinkedIn
  • Attacks using OneNote files
  • Attacks using virtual hard disk files
  • Attacks targeting macOS

Analysis of Attack Patterns

Here below, we have mentioned the complete analysis of the four attack patterns that are observed:-

Attacks by sending malicious CHM files from LinkedIn

Attackers employ alternative methods of reaching targets by utilizing LinkedIn to send malware, where the compressed RAR file received contains a CHM file that, upon execution, downloads and runs an external MSI file.

DangerousPassword

Upon execution, the MSI file deploys a PowerShell script to download and execute another MSI file (Administrator-a214051.msi) which, in turn, collects and transmits information about infected hosts via HTTP POST request in Base64 encoded format.

Researchers have confirmed that compromised LinkedIn accounts, posing as job providers, are used to send malware to targets, although the method of compromising social networking accounts by the attackers remains unknown.

DangerousPassword

Attacks Using OneNote files

The utilization of OneNote file exploitation for malware infection, observed in Emotet and other malware attacks, is increasingly prevalent in email attachment-based infection campaigns.

In line with other malware attacks, DangerousPassword employs a OneNote file containing embedded malware, and opening the file triggers the infection.

DangerousPassword

The OneNote file contains a malicious MSI file that installs a DLL on the host and executes it, while also possessing the ability to identify AV tools.

Upon detecting specific antivirus software, the malware adjusts its actions by terminating the following things:-

  • It hooks the process to NTDLL to evade monitoring
  • Modifying data…

Source…