October 15, 2024 at 03:42AM
Cybersecurity researchers identified a new malware campaign delivering Hijack Loader artifacts signed with legitimate certificates. The campaign employs deceptive tactics like fake CAPTCHA pages and PowerShell scripts to deploy the Lumma information stealer. Meanwhile, other malware, including CoreWarrior and XWorm, exhibit increasing sophistication and capabilities in cyberattacks.
### Meeting Takeaways – October 15, 2024
**1. New Malware Campaign Disclosed:**
– A malware campaign delivering **Hijack Loader** artifacts has been reported, utilizing legitimate code-signing certificates.
– The French cybersecurity firm **HarfangLab** detected this activity, particularly focusing on deploying an information stealer known as **Lumma**.
**2. Characteristics of Hijack Loader:**
– **Hijack Loader** (also referred to as **DOILoader, IDAT Loader**, and **SHADOWLADDER**) initially came to attention in September 2023.
– Attack tactics often involve misleading users into downloading malicious binaries masquerading as pirated software or media.
**3. Recent Attack Vectors:**
– Users are directed to fake CAPTCHA pages prompting them to run encoded PowerShell commands that deliver malware, typically within a ZIP archive.
– HarfangLab identified three types of PowerShell scripts being used:
– Utilizes **mshta.exe** to execute remote code.
– Direct execution via **Invoke-Expression (iex)** cmdlet.
– Employs **msiexec.exe** to fetch and run remote payloads.
**4. Changes in Delivery Mechanisms:**
– Transition from DLL side-loading to utilizing multiple signed binaries began in early October 2024 to enhance evasion from detection tools.
– Code-signing certificates used in the attacks have been revoked; uncertainty remains regarding their origin (stolen or generated by attackers).
**5. Code-Signing Certificates:**
– There is an automated process in place for acquiring code-signing certificates that requires minimal verification (company registration number and contact person).
– This highlights that code-signature alone is not a reliable indicator of software trustworthiness.
**6. Rise in Cyber Attacks:**
– **SonicWall Capture Labs** reported an increase in infections involving a malware called **CoreWarrior**, which functions as a persistent trojan to spread rapidly and create multiple backdoor access points.
**7. Phishing Campaigns:**
– New phishing tactics have been recorded, distributing **XWorm** via Windows Script Files (WSF) that trigger PowerShell scripts to inject this malware into legitimate processes.
– The latest **XWorm** version (5.6) is equipped with functionalities for monitoring, denial-of-service attacks, and evading forensic tracing.
**8. Security Implications:**
– The evolving tactics and technologies used by attackers underline a significant need for enhanced cybersecurity measures and vigilance.
– Organizations must be wary of malware that uses signed binaries and sophisticated delivery methods to undermine defenses.
For ongoing updates, please follow our social media channels on **Twitter** and **LinkedIn**.