Seqrite reports new Malicious Spam targeting Manufacturing and Export industries

Also known by names such as ‘Roma225’, ‘RG’ and ‘Aggah’, the campaign leverages sophisticated malware like Agent Tesla, Remcos RAT and NanoCore RAT to bypass defence mechanisms
 
India, July 20, 2020: While the world is engrossed in coronavirus-themed attacks, Seqrite, a specialist provider of endpoint security, network security, enterprise mobility management, and data protection solutions, has detected a new MalSpam (malicious spam) campaign, targeting manufacturing and export sectors in India. The researchers of Seqrite spotted that malware actors are leveraging multiple sophisticated techniques in this campaign to bypass traditional defence mechanisms. However, Seqrite is successfully detecting and blocking any such attempts using its patented Signatureless and Signature-based detection technology.

According to Seqrite, some of the common Remote-Access-Tools used by attackers are Agent Tesla, Remcos RAT and NanoCore RAT. Researchers at Seqrite have been following the tracks of these campaigns since April 2020 and have found that attackers don’t restrict themselves to a single geography or vertical. They also noticed that similar campaigns existed earlier as well that targeted varied organizations including those managed by the Government. The attackers generally use publicly available systems such as Pastebin and Bitly to host their payloads as it helps them hide behind legitimate services that remain undetected.

So, how does this attack begin?                                                                                                                        
The attack begins in the form of a phishing email sent to a genuine user. This contains MS Office PowerPoint files with a malicious Visual Basic for Applications (VBA) macro. Cyber Attackers use VBA programming in Microsoft Office macros as a medium to spread viruses, worms, and other forms of malware on a computer system.

Post execution, the malware takes advantage of pre-existing legitimate software to download malicious payload from Pastebin and continues to spread the infection

What are the techniques used in this attack campaign?
LoLBins or living-off-the-land binaries 
– These are built-in tools on operating systems, which are used for legitimate purposes. Attackers abuse these tools for malicious objectives as security products usually whitelist them

Hosting payloads on legitimate file hosting service Pastebin –By hosting malicious payload on Pastebin, which is a web-based platform widely used for source code sharing, attackers can bypass network security controls and enter the computer system to steal critical data.
Bypass Anti-Malware Scan Interface (AMSI) – AMSI is a Windows feature that allows security products to integrate with frameworks such as PowerShell and provide better protection against script-based malware. Cyber Attackers use variety of techniques to bypass AMSI and potentially detection by security products.

In memory payload execution (file less technique) – In this method, a file less infection directly loads malicious code into the memory of the system and evades antivirus protection as there is no file to be scanned and analyzed.

Final advice?
The timely detection and blocking of such attack campaigns is essential for maintaining the integrity and trust in the businesses. Seqrite recommends users to exercise ample caution and avoid opening attachments and clicking on web links in unsolicited emails. Businesses should consider disabling macros, keep their Operating Systems updated and have a full-fledged security solution installed on all the devices.
Seqrite reports new Malicious Spam targeting Manufacturing and Export industries Seqrite reports new Malicious Spam targeting Manufacturing and Export industries Reviewed by Twinkle on 02:05:00 Rating: 5
Powered by Blogger.