Cybersecurity researchers from VMware Carbon Black have identified a concerning rise in the use of the NetSupport Remote Access Trojan (RAT), with the education, government, and business services sectors hit hardest.
The NetSupport RAT is being delivered through several channels, including the campaigns described below.
In recent weeks alone, at least fifteen new infections involving NetSupport RAT have been detected.
A previous campaign used compromised WordPress sites that displayed fake Cloudflare DDoS protection pages as the lure for distributing NetSupport RAT.
Fake web browser update lures are consistent with the deployment of SocGholish, a JavaScript-based downloader.
The security firm Cofense has reported a resurgence in phishing campaigns that deliver the DarkGate and PikaBot malware families, mirroring the tactics of the now-defunct QakBot trojan.
These campaigns use hijacked email threads for the initial lure, serve payloads from URLs with unique patterns that restrict which visitors can reach them, and follow an infection chain closely resembling QakBot's delivery method.
The choice of DarkGate and PikaBot is strategic, as both can serve to deliver additional payloads to compromised hosts, making them appealing tools for cybercriminals.
DarkGate, with its advanced evasion techniques against antivirus systems, is capable of keystroke logging, PowerShell execution, and establishing a bidirectional connection for real-time control over infected hosts.
Cofense’s analysis reveals a high-volume phishing campaign targeting diverse sectors, employing booby-trapped URLs in hijacked email threads.
The LummaC2 stealer malware has evolved with a new anti-sandbox technique, employing trigonometry to delay sample detonation until human mouse activity is detected.
Sold on underground forums since December 2022, LummaC2 is written in C and has received updates that increase its complexity, adding control-flow flattening and the ability to deliver additional payloads.
The trigonometry-based technique captures the cursor position five times at 50-millisecond intervals and first checks that each captured position differs from the previous one; a cursor that never moves, as in an idle sandbox, fails at this stage.
LummaC2 then treats the movements between these positions as vectors and calculates the angles formed between them. If every calculated angle is below 45°, which the malware takes as a sign of human mouse movement, it proceeds with execution.
If any angle reaches or exceeds 45°, LummaC2 discards the samples and restarts the process, so it only runs once it has observed human-like mouse movement within about 300 milliseconds.
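The check described above, reconstructed in Python as an added example. This is not LummaC2's code nor any vendor's decompilation of it; it implements the technique as the text describes it and makes two assumptions: that the angles are measured between consecutive displacement vectors (one vector per pair of samples), and that two identical consecutive positions count as "no movement" and trigger a restart. The cursor traces are constructed for the demonstration, and the cursor source (`get_cursor`) and the sleep function are injectable so the example runs offline; on a real Windows host `get_cursor` would wrap `GetCursorPos`.

```python
"""Added example: the cursor-angle anti-sandbox check as described for LummaC2."""
import math
import time


def capture_positions(get_cursor, samples=5, interval_s=0.050, sleep=time.sleep):
    """Sample the cursor `samples` times, `interval_s` apart (5 x 50 ms by default).

    `get_cursor` returns an (x, y) tuple. It is injected so the example can be
    driven from constructed traces instead of a live desktop.
    """
    points = []
    for i in range(samples):
        points.append(get_cursor())
        if i < samples - 1:
            sleep(interval_s)
    return points


def angle_between(u, v):
    """Angle in degrees between two non-zero 2-D vectors."""
    dot = u[0] * v[0] + u[1] * v[1]
    norm = math.hypot(u[0], u[1]) * math.hypot(v[0], v[1])
    cosine = max(-1.0, min(1.0, dot / norm))  # clamp against float rounding
    return math.degrees(math.acos(cosine))


def looks_human(points, max_angle_deg=45.0):
    """Return True if the sampled trace passes both checks the text describes.

    1. Every consecutive pair of positions must differ; a parked cursor, typical
       of an idle sandbox, fails here.
    2. Treating each displacement as a vector, the angle between consecutive
       vectors must stay below `max_angle_deg` (assumption: angles are measured
       between successive displacement vectors).
    """
    vectors = []
    for a, b in zip(points, points[1:]):
        if a == b:
            return False
        vectors.append((b[0] - a[0], b[1] - a[1]))
    return all(angle_between(u, v) < max_angle_deg
               for u, v in zip(vectors, vectors[1:]))


def wait_for_human(get_cursor, sleep=time.sleep, max_rounds=None):
    """Repeat the capture until a trace passes, mirroring the 'restart' behaviour.

    Returns (rounds_taken, passing_trace), or None once `max_rounds` is exhausted.
    The cap exists only for the demo; the malware as described loops indefinitely.
    """
    rounds = 0
    while max_rounds is None or rounds < max_rounds:
        rounds += 1
        trace = capture_positions(get_cursor, sleep=sleep)
        if looks_human(trace):
            return rounds, trace
    return None


def replay(trace):
    """Turn a list of (x, y) points into a get_cursor() callable for testing."""
    it = iter(trace)
    return lambda: next(it)


# Constructed traces for the demo; none were captured from a real system.
HUMAN_TRACE = [(100, 100), (112, 104), (125, 109), (139, 113), (154, 118)]  # smooth drag to the right
STATIONARY_TRACE = [(500, 400)] * 5                                          # idle sandbox, cursor parked
JITTER_TRACE = [(10, 10), (300, 40), (20, 350), (600, 20), (50, 500)]         # scripted random teleports


if __name__ == "__main__":
    for name, trace in (("human", HUMAN_TRACE), ("stationary", STATIONARY_TRACE), ("jitter", JITTER_TRACE)):
        print(f"{name:>10}: {'execute' if looks_human(trace) else 'restart'}")
    # Cursor parked for one capture round, then moved by a user: detonation waits for round 2.
    rounds, _ = wait_for_human(replay(STATIONARY_TRACE + HUMAN_TRACE), sleep=lambda _: None, max_rounds=5)
    print(f"passed after {rounds} round(s)")
```

The constructed traces show what the two checks separate: a parked cursor fails the first check, and scripted teleporting (sharp direction changes) fails the angle check, while a smooth human-like drag passes. For analysts, the practical consequence is that a sandbox only needs to feed the sample steady, gently curving cursor movement during the first few hundred milliseconds to get past this gate.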
Advanced phishing campaigns, new evasion tactics, and malware that outperforms its predecessors are a warning that defenders need to prepare a proactive defense.
Did you read about the LummaC2 trigonometry tactics?
It shocked us. The sophistication invested in improving these payloads is a reminder that cybersecurity is not a one-time job.
To fight malware of such strength, resilience is what we need most.