ESET Research Profile picture
Jul 15, 2022 9 tweets 3 min read Read on X
#ESETResearch warns of a new campaign using a fake Salesforce update as a lure to deploy the Sliver malware for macOS and Windows 1/9
The Mac infection chain is very similar to a COVID-19-themed campaign documented by SentinelOne last week. sentinelone.com/blog/from-the-… 2/9
This new campaign uses an additional GoLang Mach-O executable that downloads and runs the bash script used to deploy Sliver. 3/9
The shell script to deploy Sliver is very similar to the one found by SentinelOne, except it doesn’t include the “covid” malware and only installs the Sliver implant, which is sufficient to deploy additional malware if needed. 4/9
The download page includes a link to a PDF with instructions on how to disable macOS security features. 5/9
The Windows variant also uses a downloader written in GoLang to deploy Sliver. 6/9
Also interesting: it seems Salesforce credentials are phished before landing on the download page. 7/9
IoCs
saleforces-it[.]com
saleforces.s3-accelerate.amazonaws[.]com
3A72E433D2F5CC355BF6AA921D194C10F6CE6A71 SalesforceUpdate.dmg
5A1F7A22BE5C284D8FC419F022626F04D1EA0C7C salesforceupdate.exe
0E1BA414B40D783E17DB92C09F8CE8600C03DDA1 scupdate.exe
8/9
1C8A2D3AB764BF7D72B8CB869C33767707A4E50C SalesForceUpdate
D73FB7BA6A459ABFD382842A3384EC25EEA65196 yVcq.js
69780BA5E6DD19D0CB3F35E749273123393B464D salesforceupdate-arm
EFE8D0545D9629E424BBCECE73A21FD91E4E5635 salesforceupdate-amd
9/9

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with ESET Research

ESET Research Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @ESETresearch

Sep 26
By analyzing thousands of samples, #ESETresearch has conducted a comprehensive technical analysis of the toolset the 🇷🇺Russia-aligned #Gamaredon #APTgroup used in 2022 and 2023 to spy on Ukraine🇺🇦 . 1/9welivesecurity.com/en/eset-resear…
This most active APT group in Ukraine doesn’t try to be stealthy and relies on extensive obfuscation, constant switching between C&C servers, and regular updates of its arsenal with new malware and other tools at a rapid pace, as depicted in the image below. 2/9 Image
#Gamaredon’s initial attack involves #spearphishing and then, for lateral movement, custom malware weaponizes existing and new Word documents and USB drives, which are hoped to be shared among potential victims. Word docs are weaponized either by #PteroTemplate or #PteroDoc. 3/9 Image
Read 9 tweets
Jul 18
#ESETresearch discovered a signed, vulnerable, ad-injecting driver from a mysterious Chinese company. This threat, which we dubbed HotPage, comes self-contained in an executable that installs its main driver and injects libraries into Chromium-based browsers. 1/7
Image
Image
Using Windows’ notification callbacks, the driver component monitors new browsers or tabs being opened. Under certain conditions, the adware will use various techniques to inject shellcode into browser processes to load network-tampering libraries. 2/7
Image
Image
Using Microsoft’s Detours hooking library, the injected code filters HTTP(S) requests and responses. The malware can replace the content of the current page, redirect the user, or simply open a new tab to a website full of gaming ads. 3/7 Image
Read 7 tweets
Aug 30, 2023
#ESETresearch identified two GREF campaigns targeting #Android users with @signalapp and @telegram apps trojanized into cyberespionage tools .
@LukasStefanko

1/9 welivesecurity.com/en/eset-resear…
Image
Signal Plus Messenger and FlyGram were built by merging the BadBazaar espionage code, previously used to target #Uyghurs and other #Turkic minorities, into the respective base app’s code. 2/9
The purpose of both apps is data exfiltration. Signal Plus Messenger presents the first documented case of spying on a victim’s Signal communications by secretly autolinking the compromised device to the attacker’s Signal device. 3/9 Image
Read 9 tweets
May 10, 2023
#ESETResearch warns about a CPIO archive named “Jump Crypto Investment ” uploaded to VirusTotal from the USA 🇺🇸. It is another malicious PDF viewer distributed by #Lazarus #APT for #macOS @pkalnai @michalmalik 1/7 Agreement.zip

Image
@pkalnai @michalmalik The archive contains a fully functional – but malicious – PDF viewer, and a crafted “locked” PDF file. When the file is opened in the viewer, the malicious code is triggered. The functionality is very similar to the malware reported by @JamfSoftware. 2/7 jamf.com/blog/bluenorof…
Image
@pkalnai @michalmalik @JamfSoftware First, the malicious PDF viewer decrypts a decoy document embedded inside the original PDF file, and displays it to the target. 3/7 Image
Read 7 tweets
Apr 20, 2023
#ESETResearch confirms Lazarus is linked to the recent #3CX supply-chain attacks. Based on code similarities and network infrastructure, we connect the 3CX incident with a Linux case of DreamJob, a long-term Lazarus operation using job offer as lures. 1/6 welivesecurity.com/2023/04/20/lin…
First, let’s look at the timeline. It shows that the trojanized macOS version of the 3CX Desktop App was ready two months prior to the distribution of the Windows version. Also interesting is that the attack was in preparation as early as December 2022. 2/6 Image
It was reported that Mandiant has found Mac malware they call SIMPLESEA inside the 3CX network. While we do not have the sample, their description of this malware overlaps with second-stage Linux malware we found while investigating a recent Operation DreamJob case. 3/6 Image
Read 6 tweets
Mar 14, 2023
#ESETResearch discovered an attack by APT group Tick against a data-loss prevention (DLP) company in East Asia and found a previously unreported tool used by the group. welivesecurity.com/2023/03/14/slo… @0xfmz 1/6
In 2021, in the DLP company’s network, the attackers introduced trojanized installers of the legitimate application Q-dir, part of a toolkit used by the company. When executed, the installer dropped the open-source ReVBShell backdoor and ran the original Q-dir application. 2/6 Image
Subsequently, in 2022, on customers of the DLP company’s software, the trojanized Q-dir installers were deployed using remote support tools. Our hypothesis is that this occurred while the DLP company provided technical support to their customers. 3/6
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

:(