This week, Facebook sued the Israeli company NSO Group, which develops and sells spyware…
The DarkUniverse group distributed its malware by spear phishing. A separate email was crafted for each victim to attract attention and prompt them to open the attached malicious Microsoft Office document.
“Spear phishing was used to spread the malware. A letter was prepared separately for each victim to grab their attention and prompt them to open an attached malicious Microsoft Office document. Each malware sample was compiled immediately before being sent and included the latest available version of the malware executable,” note Kaspersky Lab researchers.
The malware embedded in the documents contained two malicious modules, updater.mod and glue30.dll. The first was responsible for communicating with the command-and-control (C&C) server and for loading additional malicious modules; the second acted as a keylogger. The updater.mod library was launched with rundll32.exe. The updater.mod module handled communication with the C&C server, the integrity and persistence of the malware, and the management of the other malicious modules.
In addition to these functions, updater.mod loaded a number of further modules: dfrgntfs5.sqt (executes commands received from the C&C server), msvcrt58.sqt (steals mail credentials and email content), zl4vq.sqt (the legitimate zlib library, used by the dfrgntfs5 module) and %tims_ID%.upe (an additional plugin for dfrgntfs5).
The malicious glue30.dll module provided the keylogging functionality. The updater.mod module used the SetWindowsHookExW Win API function to intercept keystrokes and inject glue30.dll into processes that receive keyboard input. The msvcrt58.sqt module intercepted unencrypted POP3 traffic to collect email messages and victim credentials, parsed it, and passed the result to the main module (updater.mod) for upload to the C&C server. The dfrgntfs5.sqt module was the most capable component of the DarkUniverse toolset: it processed a large list of commands from the C&C server.
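Detection logic, added here as an example and not taken from the Kaspersky report, for the loader behaviour described above: it scans process-creation events for rundll32.exe launches whose module argument has a non-DLL extension (as with updater.mod) or is loaded from outside the Windows system directories. The event records are constructed samples; the file paths in them are hypothetical.

```python
import ntpath
import re

# Extensions rundll32 is normally asked to load.
NORMAL_DLL_EXT = {".dll", ".cpl", ".ocx", ".ax"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample process-creation events: (image path, command line).
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\rundll32.exe",
     'rundll32.exe shell32.dll,Control_RunDLL'),
    ("C:\\Windows\\System32\\rundll32.exe",
     'rundll32.exe "C:\\Users\\victim\\AppData\\Roaming\\updater.mod",Start'),
    ("C:\\Windows\\SysWOW64\\rundll32.exe",
     'rundll32.exe C:\\Windows\\System32\\printui.dll,PrintUIEntry /in'),
    ("C:\\Users\\victim\\Downloads\\notepad.exe", 'notepad.exe report.docx'),
]

def rundll32_target(command_line):
    """Return the module path passed to rundll32 (first argument, quoted or
    up to the first comma/whitespace), or None if there is none."""
    m = re.match(r'^\s*"?[^"\s]*rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))',
                 command_line, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) or m.group(2)

def is_suspicious(image, command_line):
    """Return a reason string if a rundll32 launch looks abnormal, else None."""
    if not image.lower().endswith("\\rundll32.exe"):
        return None
    target = rundll32_target(command_line)
    if target is None:
        return "rundll32 launched without a module argument"
    low = target.lower()
    ext = ntpath.splitext(low)[1]  # ntpath so backslash paths split correctly on any OS
    if ext not in NORMAL_DLL_EXT:
        return f"module with non-DLL extension {ext or '(none)'}: {target}"
    # A bare name (no directory) resolves via the loader search order; only
    # explicit paths outside the system directories are flagged here.
    if "\\" in low and not low.startswith(SYSTEM_DIRS):
        return f"module loaded from outside system directories: {target}"
    return None

def scan(events):
    """Return (command_line, reason) for every event that trips a rule."""
    return [(cmd, reason) for img, cmd in events if (reason := is_suspicious(img, cmd))]
```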