Attackers Continue to Make Hay with Backdoor Malware

A peek into the current backdoor landscape

• The notorious OceanLotus threat actor group was identified using a backdoor named Backdoor.MacOS.OCEANLOTUS.F that provided the ability to snoop on and steal confidential information from targeted systems.
• Last month, a new Jupyter malware—a blend of infostealer and backdoor—emerged in the wild. It targets browsers such as Chromium, Firefox, and Chrome to steal data, precisely, users’ login credentials. 
• In the first half of November, ESET researchers shared details about a new backdoor called ModPipe, which gives its operators access to sensitive data stored in POS systems. One of the distinctive features of the malware is the ‘GetMicInfo’ module that enables attackers to gather database passwords by decrypting them from Windows registry values. 
• During the same time period, Sophos uncovered a new KillSomeOne backdoor used by Chinese adversaries to target non-governmental organizations in Myanmar. The backdoor ultimately dropped a new variant of PlugX trojan on infected systems.

Worth noting

• One of them is tracked as PowerPepper, a backdoor developed by the hacker-for-hire group DeathStalker. The PowerShell-based implant was first discovered in May and, since then, it has been under constant development with new versions. 
• The other backdoor is Crutch, associated with the Turla APT group. According to ESET researchers, the malware was used from 2015 to at least early 2020. 

What else to worry about?

• In one case, threat actors promoted a free tool named symchanger.php on Facebook as a part of the attack campaign that tricked users into installing a backdoor.   
• Fake npm packages that posed as Twilio were also used to distribute backdoors. The malicious packages were downloaded more than 370 times before they were removed by security experts. 

The bottom line