#ESETresearch confirms that malicious digitally signed AnyDesk installers are distributed from anydesk.s3-us-west-1.amazonaws[.]com. Our telemetry shows that victims are redirected there from three attacker-controlled domains: zgnuo[.]com, clamspit[.]com and domohop[.]com. 1/4
The three domains resolve to 176.111.174[.]127, 176.111.174[.]129 and 176.111.174[.]130, in the same IP range as the C&C server, 176.111.174[.]125. It seems victims, mainly located in North America, are redirected through malicious ads from different legitimate websites. 2/4
The fake installers are malicious downloaders that download a PowerShell script b.ps1 leading, in a few cases, to Cobalt Strike, as mentioned in the analysis of a past campaign: inde.nz/blog/different…. We also observed further recon activity using BloodHound and AdFind. 3/4
We identified part of the Cobalt Strike network infrastructure but at this point we were unable to link them to a known cybercriminal campaign:
195.149.87[.]136
108.177.235[.]180 4/4
We have received a lot questions about the Silver Sparrow malware for macOS after a publication by @redcanary. #ESETresearch has investigated and found that, far from speculations about nation-state malware, it is likely related to adware and pay-per-install schemes. 1/10
We have first seen Silver Sparrow in the wild early September. Our telemetry (although limited) showed under 50 instances of this threat, spread all around the globe. We have monitored the configuration file and never seen any actual payload delivered. 2/10
The fact that the configuration file is hosted in AWS S3 bucket means there is no way for the attackers to send different configuration to specific targets. S3 only supports serving static content and cannot generate a dynamic response based on IP or any request parameters. 3/10
WIZVERA VeraPort software is often used on internet banking and government websites in 🇰🇷 South Korea. The purpose of this software is to install additional security software required by some of these websites. 2/7
The attackers abused a combination of WIZVERA VeraPort software and compromised South Korean websites with VeraPort support, to deploy Lazarus malware. 3/7
#InvisiMole#APT group resurfaced in targeted attacks against high-profile organizations in Eastern Europe, targeting military sector and diplomatic missions. We previously documented their two feature-rich backdoors RC2CL and RC2FM; now we reveal the rest of their TTPs. 2/9
We discovered that the most interesting targets of #Gamaredon are upgraded to far stealthier #InvisiMole spyware, with Gamaredon’s .NET downloader delivering InvisiMole’s TCP downloader. This cooperation allows InvisiMole to devise creative ways to operate under the radar. 3/9
The attackers sent a password protected RAR archive containing a LNK file responsible for showing a decoy PDF and downloading additional malware. In some cases, this archive was sent directly through #LinkedIn instant messenger. #ESETresearch 2/5
While the victim was being deceived by the decoy PDF, a scheduled task was created, launching WMIC to execute a script embedded in a remote XSL file. This enabled the attackers to get their initial foothold inside the targeted company and gain persistence on the computer. 3/5
#ESETresearch stumbled upon strange samples which use the packer we described in publications on the #Winnti Group. The payload in these samples is an implant attributed to Equation. It is known as PeddleCheap according to the project names seen in the Shadow Brokers leaks. 1/8
Those samples were first seen in 2017, one year before it was used in the compromised games in 2018 (welivesecurity.com/2019/03/11/gam…). They are 8b8d2eb8de66890f4c0950ccb3fff95b0f42b9e1 and b48beb5e49976294287b1d6910d7445db83e5cf2. #ESETresearch@marc_etienne_ 2/8
These particular executables do 3 things: launch the legitimate Adobe Flash installer, copy itself to %TEMP%\micrit.exe and start PeddleCheap. #ESETresearch@marc_etienne_ 3/8