Twittersploit Attack Leverages Dangerous Twitter Malware

Security experts alerted of a dangerous new infection methodology known as the Twittersploit Attack. In the center of it all is the use of several malware instances that use the Twitter social network service as a C&C (command and control) server interface. The analysts note that a complex behavior pattern is being executed upon the time of infection.

The Malware Behind the Twittersploit Attack

One of the first malicious instances that are used in the attacks is called CozyCar (also known as CozyDuke). It was used primarily by the APT hacking collective from 2015 to 2015 and represents a modular framework that can be customized according to the unique characteristics of the ongoing targets. One of the highlights behind it is the fact that the dropper used by this malware performs a stealth protection module which will scan the infected computer for any security software and services that can interfere with its correct execution. The CozyCar threat looks for anti-virus programs or sandbox environment and if any are found the attack will conceal itself and stop running. This is done in order to avoid system administrators from finding out that there has been a weakness in the system.

The main engine is obfuscated with a rotating cipher which makes it very hard to identify the infections. The dropper also uses a malicious of the rundll32.exe system service in order to execute the main component. It is also automatically started once the computer boots, this is done via Windows Registry changes. It is set as a scheduled service and a scheduled task. The main method of communication to the hacker-controlled server is via a normal connection or a secure interface. The CozyCar malware allows the hackers to execute arbitrary commands. The other dangerous module associated with it is the use (Read more...)

*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum | authored by Martin Beltov. Read the original post at: