Researchers have disclosed multiple malicious campaigns delivering several malware, including ModernLoader, RedLine information-stealer, and other cryptominers to Eastern European users. The campaigns were reportedly active between March and June.

More about the campaigns

Cisco Talos researchers have attributed the attacks to a Russian-speaking threat actor, based on its use of off-the-shelf tools. The campaigns are suspected to target users in Hungary, Poland, Bulgaria, and Russia.
  • Attackers compromise vulnerable web apps to host their malware that are delivered via files masquerading as Amazon gift cards.
  • The threat actor uses PowerShell, VBS and HTA files, and .NET assemblies to penetrate the targeted network. 
  • It drops additional malware, such as DCRat and SystemBC trojan, which allows it to carry out the further stages of the attack.
  • Researchers said that all three campaigns delivered ModernLoader as the final payload.

ModernLoader capabilities

  • ModernLoader has been described as a .NET RAT, referred to as Avatar bot by some researchers.
  • This RAT is designed to provide typical remote access capabilities, allowing the adversary to deploy additional malware, steal some information, or turn the machine into a bot.
  • Further, it can download and execute files from C2 and execute arbitrary commands in real time.

Ending notes

According to the researchers, the campaigns had limited success. However, the threat actor uncovered in these campaigns is previously undocumented and has access to a good range of ready-made malicious tools. Cisco Talos has provided a link containing the list of indicators of compromise (IOCs) associated with the threat.
Cyware Publisher