Legitimate Software Abused for Targeted Attacks

What happened?

• A file named notepad.exe was being dropped on the target system using the executable ntoskrnl.exe (a Windows NT kernel executable file). This was performed by either exploiting ntoskrnl.exe or via network shares.
• The file description, product name, and original filename are similar to the legitimate Notepad++ software but some of the file’s info was found to be fake.
• The user interface of the file looks and works exactly similar to a normal legitimate Notepad++, however, it was equipped with several malicious capabilities, such as performing backdoor routines and delivering malicious payloads.
• The malicious notepad.exe file can perform suspicious actions by calling several tools, namely ipconfig.exe, net.exe, reg.exe, systeminfo.exe, and tasklist.exe. It also delivers payloads, including TrojanSpy.Win32.LAZAGNE.B, and the Defray ransomware.

Other incidents

• A China-based hacking group was observed abusing the Windows Zerologon vulnerability. They were found using a .NET Loader that was found to be obfuscated with the ConfuserEx open-source tool.
• A recent report from security researcher Vitali Kremez suggests that the Ryuk ransomware gang has leveraged several open-source tools including Mimikatz, PowerShell PowerSploit, LaZagne, AdFind, Bloodhound, and PsExec for their malicious operations.

Conclusion