From BYOVD to a 0-day: Unveiling Advanced Exploits in Cyber Recruiting Scams

2024-04-18, Avast
https://decoded.avast.io/luiginocamastra/from-byovd-to-a-0-day-unveiling-advanced-exploits-in-cyber-recruiting-scams/
#FudModule #CVE-2024-21338 #KaolinRAT #BYOVD

Contents

Key Points
- Avast discovered a new campaign targeting specific individuals through fabricated job offers.
- Avast uncovered a full attack chain from infection vector to deploying the "FudModule 2.0" rootkit with a 0-day Admin -> Kernel exploit.
- Avast found a previously undocumented KaolinRAT which, aside from standard RAT functionality, could change the last write timestamp of a selected file and load any DLL binary received from the C&C server. We also believe it was loading FudModule along with a 0-day exploit.
Introduction
In the summer of 2023, Avast identified a campaign targeting specific individuals in the Asian region through fabricated job offers. The motivation behind the attack remains uncertain, but judging from the low frequency of attacks, it appears that the attacker had a special interest in individuals with technical backgrounds. This sophistication is evident from previous research where the Lazarus group exploited vulnerable drivers and performed several rootkit techniques to effectively blind security products and achieve better persistence.
In this …

IoC
