[MART] - Daily Diary #306 - LuminousMoth impersonating Zoom app to avoid detection
CTAS-MAT
ctas-mat at appgate.com
Fri Jul 16 22:07:39 UTC 2021
Hello,
I hope everyone is doing well!
Below is the entry for today.
07/16/2021 - Diary entry #306
This week a new campaign from the Chinese APT group known as LuminousMoth was disclosed, using fake Zoom apps to spy on high-profile targets in South East Asia.
The infection chain starts with a spear-phishing email campaign containing a URL to download a RAR archive from Dropbox. The RAR file contains two legitimate executables and two malicious DLLs that are loaded into process memory through a technique known as side-loading (covered in our Daily Diary #47).
This threat has the capability to spread itself to other devices through USB drives, followed by a signed fake Zoom application. The malware impersonating Zoom is used as a post-exploitation tool to exfiltrate data from the infected systems. After collecting the data, the malware sends the files as RAR archives to its C2 server.
The malware can also deploy a tool to steal cookies from the Chrome browser. The attackers can use those cookies to impersonate the targets' social media and e-mail sessions and spread their malware to other contacts.
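As an added defender-side illustration (not part of the original diary entry or of any Appgate tooling), the script below applies a simple DLL side-loading heuristic to Sysmon Event ID 7 (image loaded) records, which covers both the side-loading step and the USB propagation described above: it flags an unsigned DLL loaded from the same directory as its host executable when that directory is user-writable (Temp, AppData, Downloads) or on a non-system drive such as removable media. The log lines are constructed for this example and describe no real sample; the field names follow Sysmon's Event 7 schema as forwarded in JSON by a typical log shipper, and the assumption that C: is the system drive is labelled in the code.

```python
import json
import ntpath
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of Sysmon Event ID 7 (Image loaded) records as JSON lines.
# These lines are invented for the example and do not describe any real host,
# binary or campaign artefact.
SAMPLE_LOG = r"""
{"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\archive\\viewer.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\archive\\version.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\archive\\viewer.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 7, "Image": "E:\\Zoom\\zoom_update.exe", "ImageLoaded": "E:\\Zoom\\helper.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
{"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Program Files\\Vendor\\plugin.dll", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe"}
"""

# Directories where Windows keeps its own libraries; loads from here are normal.
SYSTEM_PREFIXES = ("c:\\windows\\",)
# Path fragments that mark locations a standard user can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass
class Finding:
    process: str
    dll: str
    reason: str


def is_system_path(path: str) -> bool:
    return path.lower().startswith(SYSTEM_PREFIXES)


def is_user_writable_or_removable(path: str) -> bool:
    """True for user-writable folders or any drive other than the system drive."""
    lowered = path.lower()
    drive, _ = ntpath.splitdrive(lowered)
    # Assumption for this example: C: is the system drive, so any other drive
    # letter is treated as removable or otherwise untrusted media (e.g. a USB stick).
    if drive and drive != "c:":
        return True
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def analyze_event(event: dict) -> Optional[Finding]:
    """Apply the side-loading heuristic to one Sysmon record; None if benign."""
    if event.get("EventID") != 7:
        return None
    process = event["Image"]
    dll = event["ImageLoaded"]
    if is_system_path(dll):
        return None
    # Sysmon's signature fields describe the loaded image, not the host process;
    # a production rule would correlate Event ID 1 to confirm the host is signed.
    signed_ok = (event.get("Signed", "").lower() == "true"
                 and event.get("SignatureStatus") == "Valid")
    same_dir = ntpath.dirname(process).lower() == ntpath.dirname(dll).lower()
    if same_dir and not signed_ok and is_user_writable_or_removable(dll):
        return Finding(process, dll,
                       "unsigned DLL loaded from the executable's own directory "
                       "in a user-writable or removable location")
    return None


def analyze_log(text: str) -> List[Finding]:
    """Parse JSON-lines input and return every record the heuristic flags."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        finding = analyze_event(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"[side-load candidate] {f.process} -> {f.dll}: {f.reason}")
```

On the constructed input the heuristic flags the Temp-directory load and the E: drive load and stays quiet on the signed plugin under Program Files; in practice it should be tuned with an allow-list of known installers that legitimately ship unsigned helper DLLs, and the findings enriched with the Event ID 1 process-creation record so an analyst can see how the host executable arrived on disk.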
Kind Regards,
Felipe Tarijon de Almeida
Malware Analyst
Appgate
E: felipe.tarijon at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 11 97467 9549