ModernLoader Delivers Stealers, Cryptominers and RATs Via Fake Amazon Gift Cards

Written by

Three connected campaigns delivered a variety of threats, including the ModernLoader bot, RedLine information-stealer and cryptocurrency-mining malware to victims between March and June 2022.

The association between the three apparently unrelated campaigns was made by security researchers at Cisco Talos, who said the aforementioned threat actors compromised vulnerable web applications to deliver threats via fake Amazon gift cards.

"This technique was observed on one of the infected systems in our telemetry," the company wrote in a blog post.

"We observed the addition of a fake Amazon voucher named Amazon.com Gift Card 500 USD.gift.hta to archive files, such as RAR, 7-Zip and ZIP already present on the infected system. Each file's checksum is different, which indicates the use of mild obfuscation to evade detection."

Further, the actors used PowerShell, .NET assemblies, and HTA and VBS files to spread across a targeted network and eventually drop other types of malware, including the SystemBC trojan and DCRAT, to perform various tasks connected to their operations.

"The attackers' use of a variety of off-the-shelf tools makes it difficult to attribute this activity to a specific adversary," explained Cisco Talos.

Despite the uncertainty regarding attribution, however, the company said all three campaigns saw threat actors deliver ModernLoader as the final payload, which in turn acted as a remote access trojan (RAT) by collecting system information and deploying additional modules. 

"In the earlier campaigns from March, we also observed the attackers delivering the cryptocurrency mining malware XMRig," the company said.

"The March campaigns appeared to be targeting Eastern European users, as the constructor utility we analyzed had predefined script templates written in Bulgarian, Polish, Hungarian and Russian."

In its advisory, Cisco Talos also included a link to a list of indicators of compromise associated with the threat.

The post comes days after the company held a webinar where it renewed its cybersecurity support for Ukraine on the occasion of the country's Independence Day.

What’s hot on Infosecurity Magazine?