- Hackers reach out to businesses via a “contact us” site form
- They then talk to the victims for weeks before delivering malware
- The hackers are attacking with custom-built backdoors
Cyber criminals are trying to deliver backdoor malware to US-based organizations by fooling them into signing fake non-disclosure agreements (NDAs), experts have warned.
A new report from security researchers at Check Point describes how, in the campaign, the miscreants pose as a US-based company looking for partners, suppliers and the like.
Often, they buy abandoned or dormant domains with legitimate business histories to seem authentic. Then they reach out to potential victims, not via email (as is standard practice), but through the “contact us” forms or other communication channels offered on the target's site.
Dropping MixShell
When victims respond to the query, usually by email, that opens the door to delivering malware.
However, the attacker doesn't do it right away. Instead, they build rapport with the victims and go back and forth for weeks, until at one point they ask their victims to sign an attached NDA.
The NDA arrives as an archive containing a few documents, including benign PDF and DOCX files to throw the victims off, and a malicious .lnk file that triggers a PowerShell-based loader.
This loader ultimately deploys a backdoor called MixShell, a custom in-memory implant with DNS-based command and control (C2) and improved persistence mechanisms.
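The lure pattern described above (decoy documents packaged alongside a Windows shortcut) is something a mail gateway or triage script can check for before the archive ever reaches a user. The following is an added example, not code from the original article or from Check Point; the archive it scans is constructed inline to mimic the NDA lure, and the file names in it are invented.

```python
import io
import zipfile

# A Windows shortcut begins with HeaderSize 0x4C (little-endian) followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046, so the content can be checked,
# not just the extension.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")
DECOY_EXTENSIONS = {".pdf", ".docx", ".doc", ".xlsx"}


def scan_archive(archive_bytes: bytes) -> dict:
    """Inspect a ZIP attachment and report shortcut files hidden among documents."""
    shortcuts, decoys = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            ext = name[name.rfind("."):] if "." in name else ""
            data = zf.read(info)
            # Explorer never shows the .lnk extension, so "NDA.pdf.lnk" renders as "NDA.pdf";
            # flag on the real extension or on the LNK header in the content.
            if ext == ".lnk" or data.startswith(LNK_MAGIC):
                shortcuts.append(info.filename)
            elif ext in DECOY_EXTENSIONS:
                decoys.append(info.filename)
    return {
        "shortcuts": shortcuts,
        "decoys": decoys,
        # Decoy documents sitting next to a shortcut is the lure layout described in the report
        "suspicious": bool(shortcuts) and bool(decoys),
    }


def build_sample_archive(include_shortcut: bool = True) -> bytes:
    """Constructed sample mimicking the NDA lure: decoy documents plus an optional shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("NDA_Agreement.pdf", b"%PDF-1.4 placeholder decoy")       # constructed
        zf.writestr("Company_Profile.docx", b"PK placeholder decoy")          # constructed
        if include_shortcut:
            # Double extension: displayed to the user as "NDA_Agreement.pdf"
            zf.writestr("NDA_Agreement.pdf.lnk", LNK_MAGIC + b"\x00" * 60)  # constructed
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_archive(build_sample_archive()))
```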
Check Point did not disclose the number of potential victims, but said they number in the dozens, varying in size, geography and industry.
The majority (about 80%) are located in the US, with Singapore, Japan and Switzerland also accounting for a notable number of victims. The companies are mostly in industrial manufacturing, hardware and semiconductors, consumer goods and services, and biotech and pharma.
“This distribution suggests that the attacker is looking for entry points across high-value operational and supply chain-critical industries instead of focusing on a particular vertical,” Check Point claims.
The researchers could not attribute the campaign with certainty to any well-known threat actor, but said there is evidence pointing to the TransferLoader campaign, and to a cyber criminal cluster tracked as UNK_GreenSec.