Lmst

Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources

This article explores a new obfuscation technique used by threat actors to conceal malware within bitmap resources embedded in benign 32-bit .NET applications. The malware executes through a multi-stage process of extracting, deobfuscating, loading, and executing secondary payloads. The analysis focuses on a sample from recent malspam campaigns targeting financial organizations in Turkey and logistics sectors in Asia. The malware uses steganography to hide its payloads, making it challenging to detect. The article details the technical analysis of each stage, from the initial payload to the final execution of malware families like Agent Tesla, XLoader, and Remcos RAT. It also provides guidance on how to overcome this obfuscation technique using debugging methods.

Pulse ID: 681e0c16eca08864c8cd9614
Pulse Link: https://otx.alienvault.com/pulse/681e0c16eca08864c8cd9614
Pulse Author: AlienVault
Created: 2025-05-09 14:07:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AgentTesla #Asia #CyberSecurity #ICS #InfoSec #MalSpam #Malware #NET #OTX #OpenThreatExchange #RAT #RCE #Remcos #RemcosRAT #Spam #Steganography #Tesla #Turkey #XLoader #bot #AlienVault

Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal

The Agenda ransomware group has expanded its capabilities by incorporating SmokeLoader malware and a new loader called NETXLOADER. NETXLOADER is a highly obfuscated .NET-based loader that utilizes advanced techniques to evade detection and complicate analysis. The group has been targeting healthcare, technology, financial services, and telecommunications sectors across multiple countries. NETXLOADER employs sophisticated methods such as JIT hooking, API obfuscation, and memory manipulation to deploy payloads like Agenda ransomware and SmokeLoader. The attack chain involves multiple stages of evasion, discovery, and command and control communications. This evolution in tactics poses increased risks of data theft and device compromise for potential targets.

Pulse ID: 681bc89f39996f610a89a741
Pulse Link: https://otx.alienvault.com/pulse/681bc89f39996f610a89a741
Pulse Author: AlienVault
Created: 2025-05-07 20:54:54

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #DataTheft #Healthcare #ICS #InfoSec #Malware #NET #OTX #OpenThreatExchange #RAT #RansomWare #Telecom #Telecommunication #XLoader #bot #AlienVault

XLoader Info-stealer Distributed Using MS Equation Editor Vulnerability (CVE-2017-11882)

An analysis reveals the distribution of XLoader info-stealer through phishing emails exploiting the MS Equation Editor vulnerability (CVE-2017-11882). The attack begins with a DOCX file containing an RTF document that creates a VBE file in a temporary folder. This VBE file, built using HorusProtector, contains the final malware and creates registry keys for execution. The malware process injects into RegAsm.exe and executes the XLoader info-stealer. The distribution method has evolved from single VBE files to Office documents with embedded vulnerabilities, indicating persistent risks in unpatched environments. Users are advised to update their Office products and exercise caution when opening email attachments from unknown sources.

Pulse ID: 68138a203701500b7458e62d
Pulse Link: https://otx.alienvault.com/pulse/68138a203701500b7458e62d
Pulse Author: AlienVault
Created: 2025-05-01 14:50:08

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Email #InfoSec #Malware #OTX #Office #OpenThreatExchange #Phishing #RCE #RTF #Vulnerability #XLoader #bot #AlienVault

2025-02-26 (Wednesday): #XLoader (#Formbook) distributed through #malspam. The email has an attached PDF document. The PDF has links for a ZIP download, and the ZIP contains files that use DLL side-loading for XLoader.

https://bit.ly/4bgKRU8

Social media post I wrote for my employer on other platforms: 2025-02-26 (Wednesday): #XLoader (#Formbook) distributed through #malspam.

The email has an attached PDF document. The PDF has links for a ZIP download, and the ZIP contains files using DLL side-loading for XLoader.

Details at https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-02-26-IOCs-for-XLoader-infection.txt

Los #hackers están utilizando #Eclipse #Jarsigner para desplegar el #malware #XLoader a través de archivos ZIP
https://blogs.masterhacks.net/noticias/hacking-y-ciberdelitos/ciberdelincuentes-estan-usando-eclipse-jarsigner-para-desplegar-el-malware-xloader-a-traves-de-archivos-zip/

2025-01-30 (Thursday): #XLoader infection

Unlike my previous XLoader infections, this one didn't run in a VM, so I used a physical host.

A #pcap of the infection traffic, the associated malware samples, and more info is available at https://malware-traffic-analysis.net/2025/01/30/index.html

Screenshot of my blog post with analysis of the XLoader infection.

XLoader distributed as a RAR attachment to an email. The malware is a Windows executable file within that RAR archive.

XLoader persistent on the infected Windows host through a Windows registry update.

Traffic from the XLoader infection filtered in Wireshark.

Technical Analysis of Xloader Versions 6 and 7 | Part 1
#Xloader
https://www.zscaler.com/blogs/security-research/technical-analysis-xloader-versions-6-and-7-part-1

Hey @da_667 ...you seen this UA with #xloader yet?

An #expiro (believe it or not) dropping #xloader

https://app.any.run/tasks/43f807db-2361-4807-8e05-19831c56b5e4

fake c2 and campaign:
http ://www.sunnyz.store/px6j

@pawel_lukasik These have been #xloader as of late.

#xloader continues to change...never seen a samsung UA before:

fbe048c713eda8c6d74504c440ecba4507760aed537fbba6171a4566b6452455

This report has a link to a real example of how Revolver Rabbit uses an RDGA in Xloader. Tracking their domains is tricky and I suspect the full size is much larger than we have caught. if they invest such huge sums into their infrastructure, they must be making bank. #dns #threatintel #threatintelligence #malware #xloader #infoblox #rdga #cybercrime #cybersecurity #infosec #phishing @InfobloxThreatIntel https://www.bleepingcomputer.com/news/security/revolver-rabbit-gang-registers-500-000-domains-for-malware-campaigns/

We just released a landscape review of Registered DGAs. We review the many ways threat actors are leveraging these algorithms -- including malware, phishing, scams, porns, you name it. Our RDGA detectors find tens of thousands of domains every day, and we've seen the use continue to rise over the last several years. Most folks aren't even aware since actors are doing this in DNS and it often isn't obvious. #dns #threatintel #cybersecurity #cybercrime #infoblox #RDGA #DGA #DDGA #malware #phishing #scams #infoblox #infobloxthreatintel #cybersecurity #threatactor #c2 #revolverrabbit #threatintelligence #cyber #cyberintelligence #xloader #formbook #abusedtld https://insights.infoblox.com/resources-research-report/infoblox-research-report-registered-dgas-the-prolific-new-menace-no-one-is-talking-about

Not sure when it happened, but #xloader / #formbook now appears to rotate through campaign ID's:

https://app.any.run/tasks/4cb7b5ef-5c1d-4565-a370-5d0cf1a5c255

Experts warn of #JinxLoader loader used to spread #Formbook and #XLoader
https://securityaffairs.com/156760/malware/jinxloader-loader.html
#securityaffairs #hacking

The malware pays homage to the League of Legends character Jinx, prominently featuring the character on its advertising poster and command-and-control login panel. JinxLoader’s primary purpose is straightforward – loading malware.

#Cybersecurity #Formbook #JinxLoader #Malware #Xloader

https://cybersec84.wordpress.com/2024/01/01/jinxloader-new-malware-front-for-formbook-and-xloader-attacks/

#XLoader #malware has targeted #macOS since 2015, but it was recently updated. It now pretends to be an #Office application, so it can infect users’ machines and steal information from their clipboards and browsers. https://tchlp.com/3PclOIr

#Researchers have discovered a new #variant of the #XLoader #malware that is better at dodging #Apple’s #security measures as it tries to steal sensitive information from #macOS devices. https://tchlp.com/47GTe9v

The most recent iteration of XLoader has successfully addressed this restriction by utilizing programming languages such as Objective C and C.

#Apple #cybersecurity #macOS #malware #XLoader

https://cybersec84.wordpress.com/2023/08/22/macos-users-beware-new-xloader-malware-disguised-as-officenote-app/

#XLoader

Client Info