New WhiteShadow Downloader Uses MSSQL Servers for Malware Delivery

A new malware downloader delivered via multiple campaigns uses detection evasion techniques and Microsoft SQL queries to drop malicious payloads onto compromised machines.


The malware, dubbed WhiteShadow by the Proofpoint Threat Insight Team researchers who found it, comes in the form of a set of Microsoft Office macros designed to work together to infect targets with a large array of malware strains that it downloads from attacker-controlled Microsoft SQL Servers.


WhiteShadow is delivered via malspam emails containing malicious URLs or Microsoft Word and Microsoft Excel attachments that bundle the downloader's malicious Visual Basic macros, which install the malware payloads when executed.



Sample WhiteShadow malspam email

Multiple WhiteShadow campaigns observed in just two months


Proofpoint's research team observed multiple malspam campaigns peddling the WhiteShadow downloader, nearly a dozen of them since the malware was first spotted in August.


While the malware authors initially added no measures to prevent detection, in later campaigns they gradually adopted detection evasion techniques such as code obfuscation.


For instance, in early September they started altering the case of strings that could be used for automated detection and misspelling some variable names. They then began using the StrReverse Visual Basic function to reverse some strings in their macros' code, and added randomized strings to prevent string re-use across samples.
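The obfuscation described above (mixed-case identifiers, StrReverse-wrapped literals, random filler strings) defeats naive exact-match signatures but is cheap to undo before matching. The following is an added example, not code from the article or from Proofpoint: it resolves `StrReverse("...")` calls that wrap a literal, lowercases the result, and then checks for a small list of assumed indicator keywords. The macro text is constructed for the illustration and is not WhiteShadow code; the indicator list is an assumption a defender would tune to their own environment.

```python
import re

# Constructed sample of macro source written in the obfuscated style the
# article describes (mixed case, StrReverse literals, random filler).
# This is NOT WhiteShadow code; it exists only to exercise the normalizer.
SAMPLE_MACRO = r'''
Sub aUtO_OpEn()
    Dim x7Qz As String
    x7Qz = StrReverse("noitcennoC.BDODA")
    Dim qry As String
    qry = strREVERSE("elbat MORF daolyap TCELES")
    Dim junk As String
    junk = "kP3mZ9qL"
End Sub
'''

# Matches StrReverse("literal") in any letter case; only literal arguments
# are resolved, since a variable argument cannot be known statically.
STRREVERSE_RE = re.compile(r'strreverse\(\s*"([^"]*)"\s*\)', re.IGNORECASE)


def resolve_strreverse(src: str) -> str:
    """Replace StrReverse("...") over a string literal with the reversed literal."""
    return STRREVERSE_RE.sub(lambda m: '"' + m.group(1)[::-1] + '"', src)


def normalize_macro(src: str) -> str:
    """Undo the two cheap obfuscations: reversed literals and case changes."""
    return resolve_strreverse(src).lower()


# Assumed indicator keywords for this illustration; a real deployment would
# carry its own, maintained list.
INDICATORS = ["adodb.connection", "select ", "auto_open"]


def find_indicators(src: str) -> list:
    """Return the sorted list of indicator keywords present after normalization."""
    normalized = normalize_macro(src)
    return sorted(k for k in INDICATORS if k in normalized)


if __name__ == "__main__":
    # The raw text matches nothing; the normalized text matches all three.
    print("raw hits:       ", [k for k in INDICATORS if k in SAMPLE_MACRO])
    print("normalized hits:", find_indicators(SAMPLE_MACRO))
```

Running the block shows that exact-match scanning of the raw text finds none of the indicators, while the normalized text exposes all of them. Randomized filler strings need no special handling here, since matching is on the presence of known substrings rather than on a hash of the whole macro.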


Most of the WhiteShadow campaigns detected by Proofpoint delivered the Crimson malware, another downloader used in the Operation Transparent Tribe campaign that targeted Indian military and diplomatic victims.



WhiteShadow campaigns spanning two months

However, the attackers also distributed Agent Tesla, AZORult, Nanocore, njRat, Orion Logger, Remcos, and Formbook RA ..
