Cyber Security News

New Malware Attacking Windows & MS Office Users

A sophisticated malware campaign has been identified, specifically targeting Windows and Microsoft Office users through cracked software.

The operation uses software cracks, which users seek out to activate popular software without a licence, as the delivery vehicle for Remote Access Trojans (RATs) and coin miners, putting both personal and organizational systems at risk.

Persistent Threats Through Clever Mechanisms

Once installed on a victim's system, the malware establishes persistence rather than relying on a single run.

It registers its commands as scheduled tasks in the Windows Task Scheduler, which keeps a foothold on the infected system and re-launches the payload on a schedule.


According to Broadcom's report, the scheduled tasks keep fetching and installing new payloads, so the infection returns after a partial clean-up unless the tasks themselves are removed, which makes it a particularly stubborn threat.
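The task-based persistence described above is also where a responder can hunt for it: every task definition lives as an XML file under C:\Windows\System32\Tasks (or can be exported with `schtasks /query /xml`). The following triage script is an added example written for this page, not code from Broadcom's report; the scoring weights, the threshold and the three sample task definitions are constructed assumptions, not artifacts from the campaign.

```python
"""Score Windows Task Scheduler XML definitions for persistence indicators.

On disk the files are UTF-16; read them as bytes so ElementTree honours the BOM.
Weights, threshold and SAMPLE_TASKS are assumptions made for this example.
"""
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# Script hosts and LOLBins commonly used as task actions by loaders.
INTERPRETERS = re.compile(
    r"(^|\\)(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin)(\.exe)?$", re.I)
# Directories a standard user can write to; legitimate services rarely run from here.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp|temp)\\", re.I)
# Core Windows binary names; one of these outside C:\Windows is masquerading.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe", "conhost.exe", "dllhost.exe"}
# (regex over the action's arguments, weight, description)
ARG_PATTERNS = [
    (r"(^|\s)-e(nc(odedcommand)?)?\s", 3, "base64-encoded command"),
    (r"-w(indowstyle)?\s+hidden", 1, "hidden window"),
    (r"-nop\b|-noprofile|-ep\s+bypass|executionpolicy\s+bypass", 1, "profile or execution-policy bypass"),
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|\biex\b|invoke-expression", 2,
     "download or in-memory execution"),
    (r"https?://\d{1,3}(\.\d{1,3}){3}", 2, "URL with a raw IP address"),
]


def score_task(task_name: str, xml_data) -> dict:
    """Return {'task', 'score', 'findings'} for one task definition (str or bytes)."""
    root = ET.fromstring(xml_data)
    findings = []  # list of (weight, description)
    hit = lambda weight, text: findings.append((weight, text))

    # Persistence mechanics: when the task fires and with what privileges.
    triggers = root.find(NS + "Triggers")
    if triggers is not None:
        if triggers.find(NS + "LogonTrigger") is not None or triggers.find(NS + "BootTrigger") is not None:
            hit(1, "fires at logon or boot")
        if triggers.find(".//" + NS + "Repetition") is not None:
            hit(1, "repeats on an interval (re-installs payload after cleanup)")
    if root.findtext(f"{NS}Settings/{NS}Hidden", "").strip().lower() == "true":
        hit(1, "hidden from the Task Scheduler UI")
    principal = root.find(f"{NS}Principals/{NS}Principal")
    if principal is not None:
        if (principal.findtext(NS + "RunLevel") or "") == "HighestAvailable":
            hit(1, "requests highest available privileges")
        if (principal.findtext(NS + "UserId") or "").upper() in ("S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"):
            hit(1, "runs as SYSTEM")

    # What the task actually executes.
    for exec_el in root.iter(NS + "Exec"):
        cmd = (exec_el.findtext(NS + "Command") or "").strip().strip('"')
        args = (exec_el.findtext(NS + "Arguments") or "").strip()
        if INTERPRETERS.search(cmd):
            hit(1, f"action is a script host: {cmd}")
        if USER_WRITABLE.search(cmd + " " + args):
            hit(2, "executes from a user-writable directory")
        if cmd.rsplit("\\", 1)[-1].lower() in SYSTEM_NAMES and not cmd.lower().startswith("c:\\windows\\"):
            hit(2, f"system binary name outside C:\\Windows: {cmd}")
        for pattern, weight, desc in ARG_PATTERNS:
            if re.search(pattern, args, re.I):
                hit(weight, desc)
    return {"task": task_name, "score": sum(w for w, _ in findings), "findings": [t for _, t in findings]}


def triage(tasks: dict, threshold: int = 4) -> list:
    """Score every task and return those at or above the threshold, highest first."""
    results = [score_task(name, xml) for name, xml in tasks.items()]
    return sorted((r for r in results if r["score"] >= threshold), key=lambda r: r["score"], reverse=True)


# Constructed sample definitions: one benign updater, one PowerShell loader, one miner masquerading as svchost.
XMLNS = 'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"'
SAMPLE_TASKS = {
    r"\ExampleVendor\Updater": rf"""<Task version="1.4" {XMLNS}>
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary>
  <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Program Files\ExampleVendor\updater.exe</Command>
  <Arguments>/silent</Arguments></Exec></Actions></Task>""",
    r"\SystemHealthCheck": rf"""<Task version="1.2" {XMLNS}>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>DESKTOP-01\alice</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command>
  <Arguments>-w hidden -nop -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA</Arguments></Exec></Actions></Task>""",
    r"\Microsoft\Windows\WindowsUpdateSvc": rf"""<Task version="1.2" {XMLNS}>
  <Triggers><BootTrigger/><TimeTrigger><StartBoundary>2024-05-01T00:00:00</StartBoundary>
  <Repetition><Interval>PT10M</Interval></Repetition></TimeTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\ProgramData\WindowsUpdateSvc\svchost.exe</Command>
  <Arguments>-c C:\ProgramData\WindowsUpdateSvc\config.json</Arguments></Exec></Actions></Task>""",
}

if __name__ == "__main__":
    for r in triage(SAMPLE_TASKS):
        print(f"{r['score']:>2}  {r['task']}\n    " + "\n    ".join(r["findings"]))
```

The score is only a ranking aid for a first pass over a host's task store; the findings list is what matters for the analyst, and a task that executes a script host with an encoded command or runs a system-binary name from ProgramData deserves a look regardless of the total. Removing the task and its payload together is what breaks the reinstall loop the report describes.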

Symantec, now part of Broadcom, lists protection for this campaign across several detection layers: adaptive-based, Carbon Black-based, file-based, machine learning-based and web-based.

Together these layers detect and block the campaign at different stages: the files it drops, the behaviour of the scripts it runs, and the network traffic to its infrastructure.

Symantec lists the signatures ACM.Ps-Http!g2, ACM.Ps-Masq!g1 and ACM.Ps-Reg!g1 for this campaign, and existing policies in VMware Carbon Black products detect and block the associated behaviour.

VMware Carbon Black recommends, at a minimum, policies that block every class of malware from executing: known malware, suspect malware and potentially unwanted programs (PUPs).

Delaying execution until the cloud scan has returned a verdict lets those policies take full advantage of the VMware Carbon Black Cloud reputation service.

File-Based and Machine Learning-Based Detection

Symantec's file-based detections cover the campaign's downloader and Trojan components as ISB.Downloader!gen221 and Trojan.Gen.MBT respectively.

Its machine learning-based detections, Heur.AdvML.A!300 and the Heur.AdvML.B series, classify samples heuristically, which lets them catch new variants that have no dedicated signature yet before they can cause harm.

On the web side, the domains and IP addresses observed in the campaign are classified under security categories in all WebPulse-enabled products.

That coverage blocks attempts to reach the campaign's command-and-control servers or to download additional payloads, which cuts off the reinstall loop that the scheduled tasks depend on.

This malware campaign underscores the risks associated with downloading and using cracked software.

Beyond the legal and ethical implications, such software exposes users to significant cybersecurity threats.

Users are urged to download software only from official vendor websites and to run reputable antivirus and antimalware software. Given the persistence mechanism described above, any clean-up of an affected machine should also include a review of its scheduled tasks, since a surviving task will simply reinstall the payload.


Dhivya

Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
