Kaspersky: At least eight banks in Eastern Europe targeted by a series of cyber attacks, dubbed DarkVishnya. The cybercriminals connected an unknown device directly to the company’s local network.
At least eight banks in Eastern Europe were the targets of a series of cyber attacks, dubbed DarkVishnya, which caused damage estimated in the tens of millions of dollars. Kaspersky’s cyber security experts analyzed the cyberthefts and discovered a common point between them: an unknown device connected directly to the company’s local network. In some cases it was the central office, in others a regional office, sometimes located in another country. Each attack can be divided into several identical stages, the company’s blog reported.
The cyber attacks had 3 stages. In the first, the aggressors entered the organization’s building under a pretext to connect the device. In the second, they scanned the local network to harvest information.
According to Kaspersky’s cyber security researchers, in the first stage a cyber criminal entered the organization’s building under the guise of a courier, job seeker, etc., and connected a device to the local network. Where possible, the device was hidden or blended into the surroundings, so as not to arouse suspicion. The devices used in the DarkVishnya cyber attacks varied in accordance with the cybercriminals’ abilities and personal preferences. “In the cases we researched, it was one of three tools: netbook or inexpensive laptop, Raspberry Pi computer, Bash Bunny, a special tool for carrying out USB attacks,” the blog added. In the second stage, the attackers remotely connected to the device and scanned the local network, seeking to gain access to public shared folders, web servers, and any other open resources. The aim was to harvest information about the network, above all the servers and workstations used for making payments.
The cyber security experts: In the last stage, the cyber criminals logged into the targeted system and used remote access software to start malicious activities.
At the same time, the malicious hackers tried to brute-force or sniff login data for such machines. To overcome firewall restrictions, they planted shellcodes with local TCP servers. If the firewall blocked access from one segment of the network to another but allowed a reverse connection, the attackers used a different payload to build tunnels. Having succeeded, they proceeded to stage three. The aggressors logged into the target system and used remote access software to retain access. Next, malicious services created with the msfvenom tool were started on the compromised computer. Because the hackers used fileless attacks and PowerShell, they were able to avoid whitelisting technologies and domain policies. If they encountered whitelisting that could not be bypassed, or PowerShell was blocked on the target computer, they used impacket, winexesvc.exe or psexec.exe to run executable files remotely.
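Two of the artifacts this campaign leaves behind are detectable from ordinary logs: a device that obtains a lease but is absent from the asset inventory (stage one), and Windows service installations whose names or command lines match the remote-execution tooling named above (stage three). The following added example is not Kaspersky’s code or the article’s; the DHCP lease lines, event 7045 lines, inventory and hostnames are all constructed for illustration, and the only real identifiers are the Raspberry Pi OUIs from the public IEEE registry and the PSEXESVC/winexesvc service names.

```python
import re

# Constructed inventory of approved NICs (MAC -> asset tag); not from the article.
APPROVED_MACS = {"00:50:56:a1:22:33": "ws-payments-01", "3c:97:0e:44:55:66": "printer-floor2"}
# OUIs registered to the Raspberry Pi Foundation / Raspberry Pi Trading in the public
# IEEE MA-L list; an uninventoried device with one of these prefixes deserves an immediate look.
RPI_OUIS = {"b8:27:eb", "dc:a6:32"}
# Constructed DHCP lease lines in dnsmasq style: "<expiry> <mac> <ip> <hostname>".
DHCP_LEASES = """\
1544000000 00:50:56:a1:22:33 10.10.5.21 ws-payments-01
1544000100 b8:27:eb:12:34:56 10.10.5.77 raspberrypi
1544000200 3c:97:0e:44:55:66 10.10.5.30 printer-floor2
1544000300 00:1c:42:aa:bb:cc 10.10.5.91 *
"""

def unknown_devices(leases, approved=APPROVED_MACS):
    """Return (mac, ip, hostname, reason) for every lease whose MAC is not in the inventory."""
    hits = []
    for line in leases.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mac, ip, host = parts[1].lower(), parts[2], parts[3]
        if mac in approved:
            continue
        reason = "raspberry-pi OUI" if mac[:8] in RPI_OUIS else "not in inventory"
        hits.append((mac, ip, host, reason))
    return hits

# Service names left behind by the remote-execution tools named in the article.
REMOTE_EXEC_SERVICES = {"psexesvc", "winexesvc"}
# Constructed Windows System log lines for event 7045 (a new service was installed).
SERVICE_EVENTS = """\
7045 host=ws-payments-01 name=PSEXESVC path=%SystemRoot%\\PSEXESVC.exe
7045 host=ws-payments-01 name=Spooler path=%SystemRoot%\\System32\\spoolsv.exe
7045 host=srv-pay-02 name=winexesvc path=C:\\Windows\\winexesvc.exe
7045 host=srv-pay-02 name=UpdSvc path=cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA
"""
SERVICE_RE = re.compile(r"host=(\S+) name=(\S+) path=(.*)")

def suspicious_services(events):
    """Return (host, service, reason) for 7045 events matching the article's tooling."""
    hits = []
    for m in (SERVICE_RE.search(l) for l in events.splitlines()):
        if not m:
            continue
        host, name, path = m.groups()
        if name.lower() in REMOTE_EXEC_SERVICES:
            hits.append((host, name, "remote-exec service"))
        elif re.search(r"powershell.*-e(nc|ncodedcommand)?\b", path, re.I):
            hits.append((host, name, "encoded PowerShell service"))
    return hits
```

In a real deployment the lease and event sources would be the DHCP server’s lease file and forwarded Windows System logs, and the inventory would come from the asset database; the matching logic is unchanged.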