Russian cybercrime group TA505 has been observed using new hVNC (hidden virtual network computing) malware in recent attacks, threat intelligence company Elastic reports.
Called Lobshot, the malware allows attackers to bypass fraud detection engines and provides them with stealthy, direct access to the infected machines.
To evade detection, Lobshot uses dynamic import resolution, resolving the names of the Windows APIs it needs at runtime rather than listing them in its import table. Upon execution, it runs an anti-emulation check aimed at Windows Defender and terminates its own process if it detects an anti-malware solution.
If the malware continues its execution, it builds a custom structure from data harvested on the machine before initiating a network connection. Lobshot also copies itself to a new location, spawns a new process using explorer.exe, and erases the original file.
Lobshot then registers a new registry key for persistence and begins its information-stealing routine, targeting over 50 Chrome, Edge, and Firefox extensions related to cryptocurrency wallets.
The HVNC module is the core functionality of the malware, generating a hidden desktop and assigning it to the malware itself.
Once running, the attacker has full remote control of the machine, allowing them to take screenshots, interact with the keyboard, and click the mouse.
Attackers can instruct the malware to start or terminate explorer.exe, run commands, launch Windows processes and browsers, modify settings (sound, DPI awareness, clipboard), and activate the Start menu.
Lobshot can also swap the command-and-control (C&C) server provided by the operator and can update itself.
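The hidden desktop described above is the defining trait of hVNC tooling: the malware creates an additional desktop in the interactive window station and runs its session there, out of the logged-on user's view. The PowerShell below is an added example for defenders, not code from the article or from Elastic's report. It enumerates the desktops of the current window station through the documented user32 calls GetProcessWindowStation and EnumDesktops and flags any name that is not one of the desktops Windows creates itself. The list of expected names is an assumption based on a standard interactive session; legitimate software can also create desktops, so an unexpected name is a lead to investigate (which process owns it, when it appeared), not a verdict.

```powershell
# Added example: list desktops in the current window station and flag
# names outside the Windows defaults. hVNC-style malware runs its remote
# session on an extra, hidden desktop, which this check would surface.
$signature = @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

public static class DesktopEnum {
    public delegate bool EnumDesktopProc(string lpszDesktop, IntPtr lParam);

    [DllImport("user32.dll", SetLastError = true)]
    static extern IntPtr GetProcessWindowStation();

    [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool EnumDesktops(IntPtr hwinsta, EnumDesktopProc lpEnumFunc, IntPtr lParam);

    // Returns the names of all desktops in the calling process's window station.
    public static List<string> GetDesktopNames() {
        var names = new List<string>();
        IntPtr hwinsta = GetProcessWindowStation();
        EnumDesktopProc cb = (name, lParam) => { names.Add(name); return true; };
        if (!EnumDesktops(hwinsta, cb, IntPtr.Zero)) {
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        }
        GC.KeepAlive(cb); // keep the delegate alive until enumeration finishes
        return names;
    }
}
'@
Add-Type -TypeDefinition $signature

# Assumption: desktops Windows itself creates in the interactive window
# station (WinSta0). Anything else was created by some other process.
$expectedDesktops = @('Default', 'Winlogon', 'Disconnect', 'Screen-saver')

$found = [DesktopEnum]::GetDesktopNames()
$unexpected = @()
foreach ($desktop in $found) {
    if ($expectedDesktops -contains $desktop) {
        Write-Host "[ok]       $desktop"
    } else {
        Write-Warning "[unexpected] desktop '$desktop' present in the current window station"
        $unexpected += $desktop
    }
}

if ($unexpected.Count -gt 0) {
    Write-Host "Investigate which process created: $($unexpected -join ', ')"
} else {
    Write-Host 'Only default desktops present.'
}
```

Run this from an interactive PowerShell session so the process lives in WinSta0; a service or scheduled task runs in a non-interactive window station and will not see the user's desktops. Because the hidden desktop only exists while the implant is active, this is a point-in-time check and is best paired with process-creation and persistence monitoring rather than relied on alone.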
Elastic reports TA505 used Lobshot in over 500 attacks since July 2021.
TA505, a financially motivated threat actor, has been operating the Dridex Trojan and ransomware families such as Locky, Bart, BitPaymer, WastedLocker, and Cl0p since at least 2014.
Reference: https://www.securityweek.com/new-lobshot-hvnc-malware-used-by-russian-cybercriminals/