Uncommon infection and malware propagation methods

Introduction


We are often asked how targets are infected with malware. Our answer is nearly always the same: (spear) phishing. There are exceptions, naturally: we encounter RCE vulnerabilities every now and then, and an attacker who is already on the network will use tools such as PsExec to move laterally. But that is about it, most of the time.


Last month, we focused on infection methods used in various malware campaigns: methods that we do not see used very often. In this blog post, we provide excerpts from these reports.


For questions or more information on our crimeware reporting service, please contact [email protected].


BlackBasta: a new propagation method


BlackBasta, the notorious ransomware we have written about before, recently received an update. It now accepts a second optional command-line parameter: “-bomb”.


When that parameter is used, the malware does the following:


connect to Active Directory using the LDAP library and obtain a list of machines in the domain,
using that list, copy itself to each machine,
using the Component Object Model (COM), launch the copy remotely on each machine.
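The three steps above amount to a worm-style fan-out: one host writes the same binary to the administrative share of many machines in a short window, then triggers it remotely. The following is an added detection example, not code from the original post or from BlackBasta, that hunts for exactly that pattern in Windows Security event 5145 (network share object access). It works on a constructed, simplified log layout; the host names, addresses and the file name `payload.exe` are made up for the example.

```python
"""
Fan-out detector for copies to administrative shares (ADMIN$, C$).

Added example for this post: one source address writing the same file to
many hosts' admin shares within a few minutes is what propagation by
"copy self, then launch remotely" looks like, regardless of whether the
launch afterwards goes through PsExec (service install) or through a
quieter COM/WMI call. Input is a simplified, pipe-separated rendering of
Windows Security event 5145 fields; all sample lines are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Tuple

# Constructed sample: time|logging host|event id|source IpAddress|ShareName|RelativeTargetName
SAMPLE_LOG = [
    r"2023-06-01T10:00:01|WS01|5145|10.0.0.5|\\*\ADMIN$|payload.exe",
    r"2023-06-01T10:00:02|WS02|5145|10.0.0.5|\\*\ADMIN$|payload.exe",
    r"2023-06-01T10:00:02|WS03|5145|10.0.0.5|\\*\ADMIN$|payload.exe",
    r"2023-06-01T10:00:03|SRV01|5145|10.0.0.5|\\*\C$|payload.exe",
    r"2023-06-01T10:00:04|FS01|5145|10.0.0.5|\\*\Public|payload.exe",   # not an admin share: ignored
    r"2023-06-01T10:00:04|WS05|5140|10.0.0.5|\\*\ADMIN$|",               # share connect, not object access: ignored
    r"2023-06-01T10:00:05|SRV02|5145|10.0.0.5|\\*\ADMIN$|payload.exe",
    r"2023-06-01T10:00:09|WS04|5145|10.0.0.5|\\*\ADMIN$|Payload.exe",   # case differs: same file
    r"2023-06-01T09:00:00|WS09|5145|10.0.0.5|\\*\ADMIN$|payload.exe",   # an hour earlier: outside the window
    r"2023-06-01T10:03:00|WS01|5145|10.0.0.9|\\*\ADMIN$|script.ps1",    # an admin touching two hosts: benign
    r"2023-06-01T10:03:30|WS02|5145|10.0.0.9|\\*\ADMIN$|script.ps1",
]

ADMIN_SHARES = {r"\\*\ADMIN$", r"\\*\C$"}


@dataclass(frozen=True)
class ShareAccess:
    when: datetime
    host: str        # machine that logged the event, i.e. the target of the copy
    source_ip: str   # IpAddress field: where the write came from
    share: str       # ShareName
    target: str      # RelativeTargetName: the file written on the share


def parse_line(line: str) -> Optional[ShareAccess]:
    """Parse one constructed log line; return None for anything that is not a 5145 event."""
    parts = line.split("|")
    if len(parts) != 6 or parts[2] != "5145":
        return None
    when, host, _, source_ip, share, target = parts
    return ShareAccess(datetime.fromisoformat(when), host, source_ip, share, target)


def find_fanout(lines: Iterable[str], min_hosts: int = 5,
                window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str, List[str]]]:
    """
    Return (source_ip, file_name, sorted target hosts) for every source that wrote
    the same file to at least `min_hosts` distinct hosts' admin shares within `window`.
    """
    events = [e for e in map(parse_line, lines) if e is not None and e.share in ADMIN_SHARES]
    by_key = defaultdict(list)
    for e in events:
        by_key[(e.source_ip, e.target.lower())].append(e)

    hits = []
    for (src, fname), evs in by_key.items():
        evs.sort(key=lambda e: e.when)
        best = set()
        lo = 0
        # Sliding time window over the sorted events; track the largest set of
        # distinct target hosts seen inside any single window.
        for hi in range(len(evs)):
            while evs[hi].when - evs[lo].when > window:
                lo += 1
            hosts = {e.host for e in evs[lo:hi + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            hits.append((src, fname, sorted(best)))
    return hits


if __name__ == "__main__":
    for src, fname, hosts in find_fanout(SAMPLE_LOG):
        print(f"fan-out from {src}: {fname} written to {len(hosts)} hosts: {', '.join(hosts)}")
```

Event 5145 is only produced when the "Audit Detailed File Share" subcategory is enabled, and it is noisy on file servers, which is why the detector keys on administrative shares only. The logic deliberately does not depend on a service-installation event (System event 7045, which PsExec's PSEXESVC leaves behind): a COM-based launch does not install a service, but it still has to get the binary onto the target first, and that copy is what this rule catches.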


[Figure: code snippet showing the LDAP functionality]


The benefit of a built-in propagation method is that it leaves fewer traces on the system and is stealthier than public tools. PsExec, for example, one of the attackers’ favorite tools, is easily detected on the network: it copies its service binary to the target and installs it as a service, both of which defenders routinely alert on. The new method gives network defenders fewer opportunities to spot the activity, although it is not invisible: the copy to each machine still crosses the network, and the remote launch still starts a process on the target.


CLoader: infection through malicious torrents


Cybercrimin ..
