Lazarus hackers infect security professionals with previously unknown backdoors

    North Korean hackers are attacking cybersecurity researchers and media organizations in the US and Europe with fake job offers that lead to the deployment of three new families of malware, Mandiant said.

    The attackers use social engineering to convince their targets to continue the conversation over WhatsApp, where they deliver "PlankWalk", a C++ backdoor that gives the attackers a foothold in the target's corporate environment, onto the victims' devices.

    Mandiant has been tracking the campaign since June 2022 and attributes it to a group it tracks as "UNC2970". In addition, the attackers are using previously unknown malware named "TOUCHMOVE", "SIDESHOW", and "TOUCHSHIFT".

    The attack chain begins with the hackers contacting targets on LinkedIn while posing as recruiters. They then persuade the victims to move to WhatsApp, where they send a Word document with malicious macros embedded. In some cases, these Word documents are tailored to specific job positions.

    The macros in the Word document perform a Remote Template Injection attack to fetch a trojanized build of "TightVNC" (a remote desktop program) from compromised WordPress sites that serve as the attackers' command-and-control (C2, C&C) servers.
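    As an added, defender-side example (not code from the original article, and not from Mandiant): a small Python scanner that flags Word documents carrying a remote attachedTemplate relationship, which is the OOXML mechanism Remote Template Injection relies on. The fixture builder, the relationship values it writes and the hostname example.invalid are constructed for the test; none of it is taken from the campaign's actual documents.

```python
"""Flag Word documents whose attached template points at a remote location.

Remote Template Injection relies on an OOXML relationship: the document's
word/_rels/settings.xml.rels names an 'attachedTemplate' whose Target is an
http(s) URL with TargetMode="External". Word fetches that template (and any
macros it carries) when the document is opened, so the on-disk file itself
can look macro-free. Scanning the relationship file catches this statically.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    "attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return the Target of every attachedTemplate relationship that is remote.

    A relationship counts as remote when TargetMode is "External" or the
    Target itself is an http(s) URL. Local templates (e.g. Normal.dotm) are
    ignored, so an empty list means no remote template reference was found.
    """
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return hits  # document carries no settings relationships at all
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            is_external = rel.get("TargetMode") == "External"
            is_url = target.lower().startswith(("http://", "https://"))
            if is_external or is_url:
                hits.append(target)
    return hits


def build_sample_docx(template_target: Optional[str], external: bool) -> bytes:
    """Build a minimal OOXML zip for testing (constructed fixture, not a real file).

    template_target=None yields a document with no attached template at all.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        if template_target is not None:
            mode = ' TargetMode="External"' if external else ""
            zf.writestr(SETTINGS_RELS,
                        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                        f'<Relationships xmlns="{REL_NS}">'
                        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                        f'Target="{template_target}"{mode}/>'
                        '</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a "job description" document pulling its template
    # from a remote host (example.invalid is a reserved, non-routable name).
    suspect = build_sample_docx("https://example.invalid/jobs/role.dotm", external=True)
    print("remote templates:", find_remote_templates(suspect))
```

    The check is deliberately narrow: it reads only the relationship file and does not execute or render anything, so it is safe to run over a mail quarantine or a file share. A document that legitimately references a template on an internal server will also be reported, which is the intended behaviour; the triage step is to compare the reported host against the list of template servers the organisation actually uses.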

    The trojanized version of TightVNC is a "LidShift" backdoor that, once executed, uses Reflective DLL Injection to load an encrypted DLL, itself a trojanized Notepad++ plugin, into memory. That DLL is a malware downloader called "LidShot", which enumerates the system and deploys the "PlankWalk" backdoor payload.

    In the post-exploitation phase, the hackers use a new custom dropper called "TOUCHSHIFT" that masquerades as a legitimate Windows binary (mscoree.dll or netplwix.dll).

    "TouchShift" then loads:

    • the screenshot utility "TouchShot";
    • the keylogger "TouchKey";
    • the tunneling tool "HookShot";
    • the loader "TouchMove";
    • the backdoor "SideShow".

    The most notable of these is the "SideShow" backdoor, which supports 49 commands that allow an attacker to, among other things:

    • execute arbitrary code on the device;
    • modify the registry;
    • change firewall settings;
    • add new scheduled tasks;
    • deliver additional payloads.

    Mandiant also discovered that in the latest campaign, UNC2970 used a BYOVD (Bring Your Own Vulnerable Driver) attack to deliver a LightShift dropper that downloads an obfuscated payload called LightShow.

    LightShow uses a vulnerable ASUS driver (Driver7.sys) to perform arbitrary reads and writes to kernel memory and patch the kernel routines that EDR solutions rely on, which lets the attackers evade detection.

    North Korean hackers have previously targeted security professionals by contacting them on social media through fake security researcher profiles and then sending the victims malicious Visual Studio projects and MHTML files that exploited an Internet Explorer 0-day vulnerability. These files deployed malware that gave the attackers remote access to the victims' computers.

    Author DeepWeb