The attackers' arsenal includes the backdoors Sakabota, Hisoka, Netero and Killua. They communicate with the command-and-control (C&C) server not only over HTTP, but also over email and DNS tunneling. The email channel uses Exchange Web Services (EWS) and stolen credentials to create email "drafts" that carry messages between the attacker and the malware.
“While DNS tunneling as a C2 channel is fairly common, the specific method in which this group used email to facilitate C2 communications has not been observed by Unit 42 in quite some time. This method uses Exchange Web Services (EWS) and stolen credentials to create email ‘drafts’ to communicate between the actor and the tool. In addition to the aforementioned backdoor tools, we also observed tools referred to as Gon and EYE, which provide the backdoor access and the ability to carry out post-exploitation activities,” reported researchers from Unit 42.
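The draft-based channel described above leaves a footprint that differs from normal mail use: a mailbox accumulates draft creations through EWS that are never followed by sends, often from a single unexpected source address. The script below is an added detection example written for this article; it is not code from Unit 42 or from the xHunt tooling. It assumes a newline-delimited JSON export of mailbox audit events with the fields `user`, `op`, `folder`, `client` and `ip` (those field names, and every record in the sample, are constructed for the example), and flags users whose EWS draft creations dominate while their send count stays near zero.

```python
import json
from collections import defaultdict


def _rec(ts, user, op, folder="", client="", ip=""):
    """Build one constructed audit record as a JSON line."""
    return json.dumps({"ts": ts, "user": user, "op": op,
                       "folder": folder, "client": client, "ip": ip})


# Constructed sample data (assumption: field layout loosely follows mailbox
# audit exports; nothing here is taken from the article or the report).
EWS = "Client=WebServices;ExchangeWebServices/15.1"
OWA = "Client=OWA;UserAgent=Mozilla/5.0"
SAMPLE_AUDIT_LOG = "\n".join(
    # alice: six EWS draft creations from one external address, no sends
    [_rec(f"2019-05-02T08:{10 + i:02d}:00Z", "alice@corp.example", "Create",
          "\\Drafts", EWS, "203.0.113.7") for i in range(6)]
    # bob: ordinary webmail use, drafts are followed by sends
    + [_rec("2019-05-02T09:00:00Z", "bob@corp.example", "Create", "\\Drafts", OWA, "10.0.0.5"),
       _rec("2019-05-02T09:01:00Z", "bob@corp.example", "Send", "", OWA, "10.0.0.5"),
       _rec("2019-05-02T09:05:00Z", "bob@corp.example", "Create", "\\Drafts", OWA, "10.0.0.5"),
       _rec("2019-05-02T09:06:00Z", "bob@corp.example", "Send", "", OWA, "10.0.0.5")]
    # carol: an EWS-based mail client that drafts and then sends
    + [_rec(f"2019-05-02T10:{i:02d}:00Z", "carol@corp.example", "Create",
            "\\Drafts", EWS, "10.0.0.9") for i in range(5)]
    + [_rec(f"2019-05-02T10:{20 + i:02d}:00Z", "carol@corp.example", "Send",
            "", EWS, "10.0.0.9") for i in range(4)]
    # a malformed line, to show the parser skipping it
    + ["not json at all"]
)


def parse_audit_log(text):
    """Parse newline-delimited JSON; blank and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def is_ews_draft_create(rec):
    """True for a draft-folder item creation that came in through EWS."""
    return (rec.get("op") == "Create"
            and rec.get("folder", "").lower().endswith("drafts")
            and "webservices" in rec.get("client", "").lower())


def find_draft_c2_candidates(records, min_drafts=5, max_send_ratio=0.2):
    """Return {user: summary} for mailboxes whose EWS drafts are rarely sent.

    A legitimate EWS client drafts and then sends; a draft-based C2 channel
    creates (and later reads or updates) drafts that never leave the mailbox.
    """
    stats = defaultdict(lambda: {"ews_drafts": 0, "sends": 0, "ips": set()})
    for rec in records:
        user = rec.get("user")
        if not user:
            continue
        entry = stats[user]
        if is_ews_draft_create(rec):
            entry["ews_drafts"] += 1
            entry["ips"].add(rec.get("ip", "?"))
        elif rec.get("op") in ("Send", "SendAs", "SendOnBehalf"):
            entry["sends"] += 1

    flagged = {}
    for user, entry in stats.items():
        if entry["ews_drafts"] < min_drafts:
            continue
        if entry["sends"] / entry["ews_drafts"] <= max_send_ratio:
            flagged[user] = {"ews_drafts": entry["ews_drafts"],
                             "sends": entry["sends"],
                             "ips": sorted(entry["ips"])}
    return flagged


if __name__ == "__main__":
    for user, summary in find_draft_c2_candidates(parse_audit_log(SAMPLE_AUDIT_LOG)).items():
        print(f"{user}: {summary['ews_drafts']} EWS drafts, "
              f"{summary['sends']} sends, from {', '.join(summary['ips'])}")
```

The thresholds are starting points to tune against a baseline of the organisation's own EWS traffic; a hit is a lead to review the source address and the credentials involved, not proof of compromise on its own.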
xHunt activity was first observed in May of this year, when a malicious binary was installed on the network of one of the victims in Kuwait.
It has not been established exactly how the attackers compromised the machines, but they managed to install the Hisoka backdoor (version 0.8), which was then used to download additional malware.
One of these additional tools, called Gon, can scan open ports on remote systems, upload and download files, take screenshots, find other systems on the network, execute commands, and establish its own Remote Desktop Protocol (RDP) session.
While analysing the malware, researchers found code similarities with the Sakabota tool. They suggest that Sakabota is the predecessor of Hisoka, developed by the same author. The Gon backdoor also contains code used in Sakabota, again pointing to a common author.