TeamViewer.

Safib assistant also abused in the scam

According to a report from Trend Micro, the campaign involves abusing a legitimate Russian RAT called Safib Assistant through a new variant of SpyAgent malware. The scammers exploit a DLL sideloading vulnerability that loads a malicious DLL, which hooks and patches different API functions that the RAT calls. This hides the RAT windows from the user.

SEE: Fake TeamViewer download ads distributing new ZLoader variant

Afterward, the malicious DLL starts reporting the RAT’s ID that the attacker requires to establish a connection with the infected device and gain control over it. The malware then changes the access password to a fixed one. Due to this, the attacker only needs to have the RAT’s ID to connect to the infected device.

Malware Dropper Distributed via Fake Websites

SpyAgent dropper is distributed via bogus cryptocurrency-related websites, most of which are in the Russian language. The dropper is equipped with a fake cryptocurrency wallet, surfing plug-ins, or miner.

Legit RAT SpyAgent malware fake cryptocurrency website stealing data

Fake cryptocurrency miners in Russian (Image: TrendMicro)

How a user is lured to these websites involves social engineering tactics, such as some websites display ads that say “earn cryptocurrency for browsing.” Scammers are also using social media, specifically Twitter, as a potential infection vector.

When a user visits these fake websites, a file-downloading dialog box appears almost immediately, urging the user to download, save, and execute the application, which is actually a SpyAgent dropper.  

RATs and other malware used in the campaign

After getting installed on a device, SpyAgent malware downloads other malware having extensive capabilities, including stealing sensitive data. Moreover, Trend Micro researchers noticed that SpyAgent downloads additional stealers such as:

AZOrult

RedLine Stealer

Cypress Stealer

Ducky Stealer

Further, it downloads Clipper, a clipboard replacer that replaces different cryptocurrency addresses with attacker-controlled addresses. The RATs used in this campaign include:

njRAT

NanoCore

AsyncRAT

Remcos RAT

The campaign is Financially Motivated

This campaign seems to have financial motivation. The primary objective of hackers is to steal credentials and crypto-wallets, and they also replace cryptocurrency addresses shared through Clipboard. Users must stay clear of fake websites, unrealistic advertisements, and misleading social media posts.

Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.

Posted by Charlie