A new multi-stage malware campaign has emerged, leveraging sophisticated techniques such as JScript and obfuscated PowerShell scripts. This attack, discovered by cybersecurity researcher Andrew Petrus, delivers tailored malware payloads based on the victim’s geographic location. The campaign’s clever use of geofencing, fileless execution, and process injection makes it highly evasive, challenging traditional security measures. This blog post delves into the attack’s flow, its technical evasion tactics, and the distinct payloads delivered depending on regional targets.
Attack Flow Overview
This malware campaign begins with an innocuous-seeming JScript file, often distributed through fake CAPTCHA campaigns or scheduled tasks designed to deceive victims. The JScript is used to dynamically construct a PowerShell command by rearranging array elements in random order, which significantly complicates static analysis. The full command is revealed only during runtime, making it harder for traditional security systems to detect the threat.
Key stages of the attack chain include:
1. Geolocation Check: The first step in the attack is to determine the victim’s location by sending a request to an external geolocation service (`hxxps://get.geojs.io/v1/ip/geo.json`). This enables the attackers to decide which payload to deliver based on the victim’s country.
2. Payload Selection:
   - US Victims: If the victim is located in the United States, they receive the XWorm RAT, a .NET-based remote access trojan capable of clipboard hijacking and launching DDoS attacks.
   - Non-US Victims: For victims outside the US, the attack delivers Rhadamanthys, a sophisticated C++-based info-stealer. This malware uses AI algorithms to extract cryptocurrency seed phrases from images, targeting cryptocurrency wallets and credentials.
3. Environment Hardening: The script takes measures to make analysis difficult. It kills processes like `mshta` and `wscript` and deletes temporary files, including `.bat` and `.ps1` files, to erase traces of its activities.
4. Obfuscated Payload Execution: The payload is obfuscated using custom techniques. The script includes a `Convert-DecimalToText` function that converts decimal-encoded strings into executable code, ultimately loading the malicious payload into a legitimate utility, RegSvcs.exe, via PowerShell reflection.
Technical Evasion Tactics
The attack employs several sophisticated tactics to evade detection:
- Process Injection: By leveraging PowerShell reflection, the malware injects its payload into the legitimate RegSvcs.exe process. This allows the malware to run in a fileless manner, without writing files to disk, which makes it harder for traditional security tools to detect.
- Directory Manipulation: A temporary directory is created at `C:\ProgramData\loralylomyra` to stage the payloads. This directory is deleted after execution, further reducing the chances of detection.
- String Reversal: Key variables, such as `$lora` (representing the payload) and `$PE` (representing the loader), are stored in reverse order. This deliberate obfuscation requires deobfuscation before execution, making it more challenging for analysts to identify the malware’s true behavior.
Payload Analysis
The malware delivers two primary payloads, each targeting different regions and using different tactics:
| Malware | Target Region | Language | Capabilities |
|---|---|---|---|
| XWorm RAT | United States | .NET | Remote access, clipboard hijacking, DDoS attacks |
| Rhadamanthys | Non-US | C++ | Credential theft, AI-driven seed phrase extraction, cryptocurrency wallet targeting |
Indicators of Compromise (IOCs)
The following IOCs have been observed as part of this campaign:
- Loader Script Hash: `70c52b2dac24420378afbb59e1f4705c8b0e521523280e29f48140a98fdd07bb`
- XWorm Sample Hash: `b5b4359ee5a79b06b388cebabb9fa2faabd4d920a10563947a0e5c5f94056bda`
- Network Activity: Malicious HTTP requests are made to `get.geojs.io` and other payload hosting domains, such as `imgbox.com`.
The use of geofencing, along with the malware’s layered obfuscation, represents an increasingly sophisticated approach by attackers. These tactics maximize the effectiveness of the campaign while minimizing the likelihood of detection by traditional security systems. Defenders should focus on monitoring PowerShell activities, restricting unnecessary process injections, and analyzing suspicious network traffic that communicates with geolocation services.
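As an added example (not code from the original post, the researcher, or the campaign itself), the following Python sketch turns the attack stages and evasion tactics described above (geolocation lookup, script-host kills, the staging directory, temp-file cleanup, the RegSvcs.exe injection, and the decimal-encoded and reversed strings) into triage rules run over constructed Sysmon-style events. The event field names, the sample paths, and the sample script block are assumptions made for the example.

```python
import re
# Indicators taken from the write-up (lowercased for matching).
GEO_HOSTS, PAYLOAD_HOSTS = {"get.geojs.io"}, {"imgbox.com"}
STAGING_DIR, INJECT_TARGET = r"c:\programdata\loralylomyra", "regsvcs.exe"
KILLED_HOSTS = {"mshta", "wscript"}
INDICATORS = GEO_HOSTS | PAYLOAD_HOSTS | {STAGING_DIR, INJECT_TARGET}

def decode_decimal_runs(text, min_chars=8):
    """Decode runs of decimal byte values (the Convert-DecimalToText pattern); inspection only, nothing is executed."""
    pattern = r"\b\d{2,3}\b(?:[\s,]+\b\d{2,3}\b){%d,}" % (min_chars - 1)
    runs = [[int(n) for n in re.findall(r"\d{2,3}", m.group(0))] for m in re.finditer(pattern, text)]
    return ["".join(map(chr, r)) for r in runs if all(32 <= c < 127 for c in r)]  # printable ASCII only

def indicator_hits(text):
    """Indicators found as-is, after decimal decoding, or reversed ($lora/$PE are stored reversed)."""
    candidates = [text] + decode_decimal_runs(text)
    candidates += [c[::-1] for c in candidates]
    return {ind for c in candidates for ind in INDICATORS if ind in c.lower()}

def classify(ev):
    """Map one Sysmon-like event dict (assumed field names) to the campaign stage it matches, or None."""
    img, kind, host, path = (ev.get(k, "").lower() for k in ("image", "kind", "host", "path"))
    from_ps = img.endswith("powershell.exe")
    if kind == "dns" and from_ps and host in GEO_HOSTS | PAYLOAD_HOSTS:
        return "geolocation_lookup" if host in GEO_HOSTS else "payload_fetch"
    if kind == "process" and img.endswith("taskkill.exe") and any(k in ev.get("cmdline", "").lower() for k in KILLED_HOSTS):
        return "kills_script_hosts"
    if kind == "dir_create" and path == STAGING_DIR:
        return "staging_dir"
    if kind == "file_delete" and path.endswith((".bat", ".ps1")):
        return "cleanup"
    if kind == "process_access" and from_ps and ev.get("target", "").lower().endswith(INJECT_TARGET):
        return "regsvcs_injection"
    if kind == "script_block" and indicator_hits(ev.get("text", "")):
        return "obfuscated_indicators"
    return None

def triage(events):
    """Campaign stages seen across one host's events; several together indicate the full chain."""
    return {stage for stage in map(classify, events) if stage}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not captured from the campaign
    {"kind": "dns", "image": PS, "host": "get.geojs.io"},
    {"kind": "process", "image": r"C:\Windows\System32\taskkill.exe", "cmdline": "taskkill /F /IM mshta.exe /IM wscript.exe"},
    {"kind": "dir_create", "image": PS, "path": r"C:\ProgramData\loralylomyra"},
    {"kind": "file_delete", "image": PS, "path": r"C:\Users\u\AppData\Local\Temp\stage.ps1"},
    {"kind": "process_access", "image": PS, "target": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"kind": "script_block", "text": "$lora='82 101 103 83 118 99 115 46 101 120 101'; $PE='oi.sjoeg.teg'"},
]
```

The `cleanup` rule on its own is noisy (legitimate scripts delete `.ps1` files too), so alert on the co-occurrence of several stages on one host rather than on any single rule.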
What Undercode Says:
This malware campaign represents a significant shift towards more targeted and evasive cyberattacks. The combination of geofencing and fileless execution is an advanced technique that makes it more difficult for traditional security tools to detect the attack. The attackers’ use of AI to specifically target cryptocurrency wallets is particularly alarming, as it highlights a growing trend of cybercriminals exploiting the popularity of digital currencies.
Moreover, the use of PowerShell for process injection and the obfuscation techniques such as string reversal show a deep understanding of how security systems operate. By injecting malicious code into legitimate system processes like RegSvcs.exe, the attackers are able to bypass traditional antivirus software, which often overlooks processes that are integral to the functioning of Windows.
The payload selection based on geolocation is another smart tactic, allowing attackers to increase their chances of success by tailoring the payload to the specific region of the victim. This not only improves the likelihood of the malware being executed but also reduces the chances of detection by security systems that may flag generic or widespread threats.
From a defense perspective, this attack underscores the importance of implementing advanced monitoring systems that focus on anomaly detection and network traffic analysis. Regularly auditing PowerShell activity, blocking unnecessary processes, and monitoring communications with external geolocation services can help prevent or mitigate the damage caused by such attacks.
Fact Checker Results:
- Geolocation-Based Targeting: The use of geofencing to deliver different payloads based on the victim’s country is a strategic approach that maximizes the attack’s impact while minimizing exposure.
- Advanced Evasion Techniques: The use of obfuscation, fileless execution, and process injection makes this malware campaign particularly difficult to detect by traditional security measures.
- Payload Specialization: The AI-driven capabilities of Rhadamanthys for cryptocurrency seed phrase extraction show how attackers are adapting to new technologies and targeting specific industries.
References:
Reported By: cyberpress.org