The Trend Micro Managed XDR team encountered malicious operations that used techniques similar to those of Genesis Market, a website for facilitating fraud that was taken down in April 2023 (there are reports that its infrastructure and inventory were sold on the underground, which might explain why techniques connected with Genesis Market are being used in this attack). The threat actor behind these operations abused Node.js as a platform for the backdoor, Extended Validation (EV) code signing for defense evasion, and possibly Google Colab to host search-engine-optimized download sites. Infected users are exposed to attackers executing backdoor commands on their systems, as well as to additional payloads such as the Lu0bot malware, which can perform a number of functions, including gathering data and performing distributed denial-of-service (DDoS) attacks.
This blog entry provides a technical analysis of these attacks, including what we can definitively confirm and our speculations on the other techniques used by the threat actor behind these activities.
Infection chain
We observed the following timeline of events:
Timeline | Activity |
---|---|
T0 | The file microsoft_barcode_control_16.0_download.exe (SHA-1: 3364dd410527f6fc2c2615aa906454116462bf96) is downloaded using a browser |
+ 20 seconds | The file is executed by the user |
+ 1 minute and 15 seconds | The first payload is executed |
+ 1 second | The second payload is executed |
+ 13 seconds | The first backdoor... |
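The download, execute, payload sequence in the timeline above is the kind of pattern a detection engineer would turn into a correlation rule rather than a single-hash IOC. The following is an added example written for this page, not code from the Trend Micro post: it correlates an `.exe` written by a browser with its execution shortly afterwards and with the child processes it spawns, over a constructed EDR-style event log. The event format, field names, paths and process names are assumptions; the only value taken from the page is the SHA-1 from the table.

```python
"""Added example: correlate browser download -> user execution -> child payloads.
Event format 'ts|kind|path|actor|sha1' and all sample paths are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# The one indicator the excerpt gives: the SHA-1 of the downloaded file.
KNOWN_BAD_SHA1 = {"3364dd410527f6fc2c2615aa906454116462bf96"}

# Assumed set of browser process names that count as "downloaded using a browser".
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass
class Event:
    ts: datetime
    kind: str    # "file_create" (file written to disk) or "process_start"
    path: str    # file written, or image of the process that started
    actor: str   # process that wrote the file, or parent process image
    sha1: str = ""


def parse_events(lines):
    """Parse constructed 'ts|kind|path|actor|sha1' lines; sha1 may be empty."""
    events = []
    for line in lines:
        ts, kind, path, actor, sha1 = (line.strip().split("|") + [""])[:5]
        events.append(Event(datetime.fromisoformat(ts), kind, path, actor, sha1.lower()))
    return sorted(events, key=lambda e: e.ts)


def find_chains(events, exec_window=timedelta(minutes=5), child_window=timedelta(minutes=5)):
    """Return one finding per (browser-downloaded .exe, execution of it) pair.

    A finding records whether the hash is a known IOC, how quickly the user ran
    the file, and which processes the downloaded file spawned inside child_window,
    mirroring the T0 / +20 s / +1m15s / +1 s steps in the timeline.
    """
    findings = []
    downloads = [e for e in events if e.kind == "file_create"
                 and e.actor.lower() in BROWSERS and e.path.lower().endswith(".exe")]
    for dl in downloads:
        runs = [e for e in events if e.kind == "process_start"
                and e.path.lower() == dl.path.lower()
                and dl.ts <= e.ts <= dl.ts + exec_window]
        for run in runs:
            children = [e for e in events if e.kind == "process_start"
                        and e.actor.lower() == run.path.lower()
                        and run.ts < e.ts <= run.ts + child_window]
            ioc_hit = dl.sha1 in KNOWN_BAD_SHA1
            findings.append({
                "download": dl.path,
                "sha1_match": ioc_hit,
                "seconds_to_exec": (run.ts - dl.ts).total_seconds(),
                "children": [c.path for c in children],
                # Hash match or an unsigned-download-that-spawns-payloads pattern is high.
                "severity": "high" if (ioc_hit or children) else "medium",
            })
    return findings


# Constructed sample log reproducing the timeline offsets; payload names are made up.
SAMPLE_LOG = [
    r"2023-01-01T10:00:00|file_create|C:\Users\victim\Downloads\microsoft_barcode_control_16.0_download.exe|chrome.exe|3364DD410527F6FC2C2615AA906454116462BF96",
    r"2023-01-01T10:00:20|process_start|C:\Users\victim\Downloads\microsoft_barcode_control_16.0_download.exe|explorer.exe|3364dd410527f6fc2c2615aa906454116462bf96",
    r"2023-01-01T10:01:35|process_start|C:\Users\victim\AppData\Local\Temp\payload1.exe|C:\Users\victim\Downloads\microsoft_barcode_control_16.0_download.exe|",
    r"2023-01-01T10:01:36|process_start|C:\Users\victim\AppData\Local\Temp\payload2.exe|C:\Users\victim\Downloads\microsoft_barcode_control_16.0_download.exe|",
    r"2023-01-01T10:01:49|process_start|C:\Users\victim\AppData\Roaming\node\node.exe|C:\Users\victim\AppData\Local\Temp\payload2.exe|",
    # Benign control: a browser download that is never executed produces no finding.
    r"2023-01-01T11:00:00|file_create|C:\Users\victim\Downloads\setup.exe|msedge.exe|",
]

if __name__ == "__main__":
    for finding in find_chains(parse_events(SAMPLE_LOG)):
        print(finding)
```

The hash check is kept separate from the behavioural check on purpose: a re-signed or recompiled dropper changes the SHA-1 but not the browser-download-then-spawn pattern, so the rule still fires at "medium" on the behaviour alone and escalates to "high" when either the IOC matches or children appear.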
Read Full Story: https://news.google.com/rss/articles/CBMiZGh0dHBzOi8vd3d3LnRyZW5kbWljcm8uY29tL2VuX3VzL3Jlc2VhcmNoLzIzL2svYXR0YWNrLXNpZ25hbHMtcG9zc2libGUtcmV0dXJuLW9mLWdlbmVzaXMtbWFya2V0Lmh0bWzSAQA?oc=5