Malware Actors Using New File Hosting Service to Launch Attacks
Bad actors are leveraging a new file hosting service in order to launch attack campaigns involving FormBook and other malware.
Near the end of March, researchers at Deep Instinct observed a new FormBook attack. The infection chain for this campaign began with a phishing email that contains a malicious attachment. In the sample analyzed by Deep Instinct, this attachment was an RTF document that exploited two vulnerabilities affecting Microsoft ActiveX and the tech giant’s Equation Editor.
Clicking on the RFT document caused Microsoft Office’s Equation Editor to contact a bit.ly short URL and receive a redirection to a page hosting FormBook, a well-known infostealer. Ultimately, an executable called “EQNEDT32.exe” executed and dropped the payload in the user’s root directory. The malware then achieved persistence before launching its main activity of stealing usernames and passwords.
Over the course of its analysis, Deep Instinct found that a domain called files.dropmybin[.]me had dropped the malware. Their curiosity piqued, the researchers searched several digital crime forums until they arrived at a post advertising DropMyBin, a file hosting service newly registered in January.
Deep Instinct discovered that the service lets users conceal their IP addresses with the help of Cloudflare. But it also found that the creators of DropMyBin aren’t too concerned about individuals who abuse their service. As the digital security firm explains in a blog post:
A particular point of interest arises when one examines DropMyBin’s FAQ page, which seems to hint that this “File sharing” service is operated by individuals based in Russia, and while the page declares no malware should be uploaded it clearly states that all abuse claims should be made to “appropriate law enforcement agency” as the operators are not qualified (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/malware-new-file-hosting-service/