#ESETResearch warns of a new campaign using a fake Salesforce update as a lure to deploy the Sliver malware for macOS and Windows 1/9
The Mac infection chain is very similar to a COVID-19-themed campaign documented by SentinelOne last week. sentinelone.com/blog/from-the-… 2/9
This new campaign uses an additional GoLang Mach-O executable that downloads and runs the bash script used to deploy Sliver. 3/9
The shell script to deploy Sliver is very similar to the one found by SentinelOne, except it doesn’t include the “covid” malware and only installs the Sliver implant, which is sufficient to deploy additional malware if needed. 4/9
The download page includes a link to a PDF with instructions on how to disable macOS security features. 5/9
The Windows variant also uses a downloader written in GoLang to deploy Sliver. 6/9
Also interesting: it seems Salesforce credentials are phished before landing on the download page. 7/9
IoCs
saleforces-it[.]com
saleforces.s3-accelerate.amazonaws[.]com
3A72E433D2F5CC355BF6AA921D194C10F6CE6A71 SalesforceUpdate.dmg
5A1F7A22BE5C284D8FC419F022626F04D1EA0C7C salesforceupdate.exe
0E1BA414B40D783E17DB92C09F8CE8600C03DDA1 scupdate.exe
8/9
1C8A2D3AB764BF7D72B8CB869C33767707A4E50C SalesForceUpdate
D73FB7BA6A459ABFD382842A3384EC25EEA65196 yVcq.js
69780BA5E6DD19D0CB3F35E749273123393B464D salesforceupdate-arm
EFE8D0545D9629E424BBCECE73A21FD91E4E5635 salesforceupdate-amd
9/9

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with ESET research

ESET research Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @ESETresearch

Jul 13
#ESETresearch discovered and reported to the manufacturer three buffer overflow vulnerabilities in UEFI firmware of several #Lenovo Notebook devices, affecting more than 70 various models including several ThinkBook models. @smolar_m 1/6
The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features. 2/6
These vulnerabilities were caused by insufficient validation of DataSize parameter passed to the UEFI Runtime Services function GetVariable. An attacker could create a specially crafted NVRAM variable, causing buffer overflow of the Data buffer in the second GetVariable call. 3/6
Read 6 tweets
May 20
#BREAKING #Sandworm continues attacks in Ukraine 🇺🇦. #ESETresearch found an evolution of a malware loader used during the #Industroyer2 attacks. This updated piece of the puzzle is malware
@_CERT_UA calls #ArguePatch. ArguePatch was used to launch #CaddyWiper. #WarInUkraine 1/6 Image
The #Industroyer2 attacks used a patched version of @HexRaysSA IDA Pro’s remote debug server (win32_remote.exe). It was modified to include code to decrypt and run #CaddyWiper from an external file. 2/6 ImageImage
This time, #Sandworm chose an official @ESET executable to hide #ArguePatch. It was stripped of its digital signature and code was overwritten in a function called during the MSVC runtime initialization. 3/6 ImageImage
Read 6 tweets
May 12
#ESETresearch In November 2020, a Windows executable called mozila.cpl was submitted to VirusTotal from Germany 🇩🇪. At that time, it had zero detection rate and it is still very low now. The file is a trojanized sqlite-3.31.1 library and we attribute
it to #Lazarus. @pkalnai 1/4 Image
The library contains an embedded payload. A command line argument S0RMM-50QQE-F65DN-DCPYN-5QEQA must be provided for its decryption and additional parameters are passed to the payload.  2/4
The payload is an instance of the HTTP(s) uploader mentioned in the report by HvS-Consulting from December 2020. Its main purpose is to exfiltrate RAR archives from a victim’s system. 
hvs-consulting.de/public/ThreatR… 3/4 Image
Read 4 tweets
May 4
Code similarity is a common and powerful way to cluster malware samples and make connections between seemingly unrelated malware families. Although it sounds simple, it is actually a complex problem and is hard to automate at scale without generating false positives. 1/
Blindly trusting code similarity can get one to make connections when there are none. This yields erroneous conclusions and can create very wrong media headlines. 2/ Image
An example of wrong use of code similarity was published by Cluster25 recently, where they connect #IsaacWiper to various other malware families. cluster25.io/2022/05/03/a-s… 3/
Read 9 tweets
May 4
#ESETresearch A year ago, a signed Mach-O executable disguised as a job description was uploaded to VirusTotal from Singapore 🇸🇬. Malware is compiled for Intel and Apple Silicon and drops a PDF decoy. We think it was part of #Lazarus campaign for Mac. @pkalnai @marc_etienne_ 1/8
The document, named BitazuCapital_JobDescription.pdf, reminds a strong similarity with a lure from Lazarus attacks using 2 TOY GUYS code-signing certificates for Windows, targeting aerospace and defense industries. welivesecurity.com/wp-content/upl… 2/8
Both decoys are PDF v1.5 documents produced by Microsoft Word 2016. They are obviously not identical, as one uses Colonna MT font while the other uses Calibri, but the title and ornaments on the front page have the same colors (#569bd5 and #aacc5db). 3/8
Read 8 tweets
Apr 6
#ESETresearch identified an #Android banking trojan campaign active since October 2021, targeting 8 Malaysian banks. The malware is distributed via copycat websites of legitimate services – the majority being cleaning services available in Malaysia 🇲🇾. welivesecurity.com/2022/04/06/fak… 1/4
The copycat websites do not provide an option to shop directly through them. Instead, they include buttons that claim to download apps from #GooglePlay. However, these buttons do not actually lead to the Google Play store, but to malicious apps controlled by the attackers. 2/4
The malicious apps pretend to offer goods and services for purchase while matching the interface of the original stores. At the payment step, victims are presented with a fake FPX payment page, asked to select one of eight Malaysian banks, and enter their credentials. 3/4
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(