Chinese Hackers use .chm files to Hijack Execution Chain and Deploy Malware
The Chinese state-backed group TAG-74 is known for conducting intelligence collection on organizations in the following countries:
South Korea
Japan
Russia
TAG-74 uses .chm files to trigger a DLL search-order hijacking execution chain that deploys malware loading a customized ReVBShell VBScript backdoor.
Cybersecurity analysts at Recorded Future’s Insikt Group recently analyzed a Chinese state-sponsored cyber-espionage campaign, attributed to TAG-74 and primarily linked to Chinese military intelligence, targeting South Korean academic, political, and government bodies.
This assessment rests primarily on TAG-74’s past targeting behavior and the usual areas of operation of actors aligned with the PLA Northern Theater Command.
Infection Chain
TAG-74’s infection chain, observed since 2020, relies on spearphishing via .chm files containing three main components.
These .chm files carry three key components:
An embedded legitimate executable.
A malicious DLL.
An HTML file.
The HTML file kicks off the DLL search-order hijacking chain by executing hh.exe and vias.exe through bitmap shortcut objects, simulating mouse clicks on those objects in sequence.
The malicious DLL loaded in this way generates and runs a customized ReVBShell VBScript backdoor from %TEMP%.
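A defender-side way to hunt for the chain described above in process-creation telemetry, as an added example that is not code from the Insikt Group report or from Cyber Security News. The event records are constructed Sysmon-style entries with hypothetical field names; the two rules look for hh.exe spawning a child process and for a script host running a script from %TEMP% with hh.exe in its ancestry.

```python
"""Hunt for the TAG-74 .chm execution chain in process-creation telemetry.
Added example, not code from the Insikt Group report; the events below are
constructed Sysmon-style records with hypothetical field names."""
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
T = r"C:\Users\u\AppData\Local\Temp"  # constructed %TEMP% path

# Constructed sample: hh.exe (the CHM viewer) launches an embedded executable
# whose side-loaded DLL drops and runs a .vbs from %TEMP%; a benign logon
# script started by explorer.exe is included as a control.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\hh.exe", "cmdline": r'hh.exe "C:\Users\u\invite.chm"'},
    {"pid": 300, "ppid": 200, "image": T + r"\vias.exe", "cmdline": "vias.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\wscript.exe", "cmdline": "wscript.exe " + T + r"\update.vbs"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe", "cmdline": r"wscript.exe C:\Scripts\logon.vbs"},
]


def _name(path):
    return ntpath.basename(path).lower()


def ancestry(pid, by_pid):
    """Return the chain of ancestor events for pid, nearest parent first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in by_pid:
            chain.append(by_pid[pid])
    return chain


def find_chm_chains(events):
    """Rule 1: hh.exe spawning any child process (the help viewer has little
    reason to). Rule 2: a script host running a script from %TEMP% with
    hh.exe somewhere in its ancestry, as in the reported ReVBShell drop."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and _name(parent["image"]) == "hh.exe":
            hits.append(("hh.exe spawned child", e["pid"]))
        if _name(e["image"]) in SCRIPT_HOSTS and "\\temp\\" in e["cmdline"].lower():
            if any(_name(a["image"]) == "hh.exe" for a in ancestry(e["pid"], by_pid)):
                hits.append(("script from %TEMP% under hh.exe", e["pid"]))
    return hits
```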
TAG-74 employs South Korean VPS infrastructure from various providers and dynamic DNS domains for C2, often impersonating South Korean organizations.
IPs used
The report lists the IP addresses observed in use by TAG-74.
Technical Analysis
TAG-74 uses a modified ReVBShell backdoor that sleeps for a set duration after a C2 server NOOP response. TAG-74 typically alters the sleep time from 5 seconds to 5 minutes, with added C2 command capability for adjusting the interval.
Insikt Group spotted Bisonal samples communicating with TAG-74’s C2 infrastructure, suggesting it’s a follow-on malware family with enhanced features beyond ReVBShell.
Bisonal is a backdoor used exclusively by Chinese state-sponsored actors; it has been active since 2010 against targets in the following countries:
Japan
South Korea
Russia
Spoofed Domains
The report lists the spoofed domains used by TAG-74.
Mitigations
The cybersecurity researchers offer the following mitigations:
Configure your IDS, IPS, or other network defense systems to alert on, and potentially block, connections to or from the listed external IP addresses and domains.
Block .chm and similar file attachments at email gateways and in application deny lists; these file types have limited legitimate use, so blocking them mitigates potential abuse.
Recorded Future identifies malicious server configurations in its Command and Control Security Control Feed, so clients are advised to alert on and block these C2 servers for intrusion detection and remediation.
Block and log all TCP/UDP network traffic related to DDNS subdomains, as state-sponsored and financially motivated threat groups frequently use them for network intrusions.
Use the Brand Intelligence modules to detect domain abuse, including typosquat domains mimicking your organization.
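The DDNS mitigation above, applied to DNS query logs, as an added example that is not code from Recorded Future or Cyber Security News. The parent zones are the dynamic DNS providers under which the reported TAG-74 hostnames sit; the log lines are constructed, and IOC_DOMAINS holds a placeholder to be replaced with the report's own domain list. Matching is done on label boundaries so that a legitimate name merely containing a zone string is not flagged.

```python
"""Flag DNS queries for dynamic-DNS subdomains and known C2 domains.
Added example, not code from Recorded Future or Cyber Security News.
The log lines are constructed; IOC_DOMAINS holds a placeholder to be
replaced with the domain list from the Insikt Group report."""
import re

# Dynamic-DNS parent zones under which the reported TAG-74 hostnames sit;
# the mitigation is to log/block every subdomain, not only known IOCs.
DDNS_ZONES = {
    "servecounterstrike.com", "serveblog.net", "ddnsking.com", "viewdns.net",
    "hopto.org", "onthewifi.com", "servehttp.com", "myvnc.com", "servemp3.com",
    "bounceme.net", "servebeer.com",
}
IOC_DOMAINS = {"known-c2.example"}  # placeholder; fill from the report

# Constructed query log: timestamp, client, record type, queried name.
LOG = """\
2023-09-21T10:02:11Z 10.0.0.5 A intranet.corp.example
2023-09-21T10:02:14Z 10.0.0.5 A attachmail-login.ddnsking.com
2023-09-21T10:03:02Z 10.0.0.9 A known-c2.example
2023-09-21T10:03:40Z 10.0.0.9 A hopto.org.cdn.corp.example
2023-09-21T10:04:05Z 10.0.0.7 AAAA files.hopto.org
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parent_zone(name):
    """Return the DDNS zone that name is a proper subdomain of, else None.
    Label-boundary matching: 'hopto.org.cdn.corp.example' is not a hit."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(1, len(labels) - 1):
        zone = ".".join(labels[i:])
        if zone in DDNS_ZONES:
            return zone
    return None


def scan(log):
    """Return (client, name, reason) for every query worth an alert."""
    hits = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the scan
        _ts, client, _rtype, name = m.groups()
        name = name.lower().rstrip(".")
        if name in IOC_DOMAINS:
            hits.append((client, name, "known C2 domain"))
        elif parent_zone(name):
            hits.append((client, name, "DDNS subdomain of " + parent_zone(name)))
    return hits
```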
The post Chinese Hackers use .chm files to Hijack Execution Chain and Deploy Malware appeared first on Cyber Security News.