<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic New Malware Campaign Abusing RDPWrapper and Tailscale to Target Cryptocurrency Users in Threats</title>
    <link>https://community.isc2.org/t5/Threats/New-Malware-Campaign-Abusing-RDPWrapper-and-Tailscale-to-Target/m-p/72161#M1261</link>
    <description>&lt;P&gt;Hi All&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;CRIL has discovered a multi-stage cyberattack campaign that starts with a Zip file containing a malicious shortcut file (.lnk). As of now, the source of this Zip file is unknown, but we suspect it to be spreading through phishing emails. The .lnk file, on execution, downloads a PowerShell script that eventually allows the Threat Actor (TA) to gain RDP access to the victim’s system. To mislead victims, a decoy PDF related to cryptocurrency trading on CoinDCX is presented on the victim’s screen, indicating a possible focus on Indian users.&lt;/P&gt;&lt;P&gt;The attack involves various components, including PowerShell scripts, batch files, Go-based binaries, and vulnerable drivers. The TA appears to be planning a Windows BYOVD attack using the Terminator (Spyboy) driver, which was not executed during the initial infection but may be executed after gaining a remote connection.&lt;/P&gt;&lt;P&gt;The TA has leveraged legitimate applications, including RDPWrapper for remote access and Tailscale for connecting to the TA’s private network. Tailscale is a virtual private network (VPN) that allows users to create private networks where devices can connect directly to each other using encrypted connections. It includes a web-based management service for easy administration and configuration.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://cyble.com/blog/new-malware-campaign-abusing-rdpwrapper-and-tailscale-to-target-cryptocurrency-users/" target="_blank"&gt;https://cyble.com/blog/new-malware-campaign-abusing-rdpwrapper-and-tailscale-to-target-cryptocurrency-users/&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Caute_Cautim&lt;/P&gt;</description>
    <pubDate>Thu, 18 Jul 2024 22:19:42 GMT</pubDate>
    <dc:creator>Caute_cautim</dc:creator>
    <dc:date>2024-07-18T22:19:42Z</dc:date>
    <item>
      <title>New Malware Campaign Abusing RDPWrapper and Tailscale to Target Cryptocurrency Users</title>
      <link>https://community.isc2.org/t5/Threats/New-Malware-Campaign-Abusing-RDPWrapper-and-Tailscale-to-Target/m-p/72161#M1261</link>
      <description>&lt;P&gt;Hi All&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;CRIL has discovered a multi-stage cyberattack campaign that starts with a Zip file containing a malicious shortcut file (.lnk). As of now, the source of this Zip file is unknown, but we suspect it to be spreading through phishing emails. The .lnk file, on execution, downloads a PowerShell script that eventually allows the Threat Actor (TA) to gain RDP access to the victim’s system. To mislead victims, a decoy PDF related to cryptocurrency trading on CoinDCX is presented on the victim’s screen, indicating a possible focus on Indian users.&lt;/P&gt;&lt;P&gt;The attack involves various components, including PowerShell scripts, batch files, Go-based binaries, and vulnerable drivers. The TA appears to be planning a Windows BYOVD attack using the Terminator (Spyboy) driver, which was not executed during the initial infection but may be executed after gaining a remote connection.&lt;/P&gt;&lt;P&gt;The TA has leveraged legitimate applications, including RDPWrapper for remote access and Tailscale for connecting to the TA’s private network. Tailscale is a virtual private network (VPN) that allows users to create private networks where devices can connect directly to each other using encrypted connections. It includes a web-based management service for easy administration and configuration.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://cyble.com/blog/new-malware-campaign-abusing-rdpwrapper-and-tailscale-to-target-cryptocurrency-users/" target="_blank"&gt;https://cyble.com/blog/new-malware-campaign-abusing-rdpwrapper-and-tailscale-to-target-cryptocurrency-users/&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Caute_Cautim&lt;/P&gt;</description>
      <pubDate>Thu, 18 Jul 2024 22:19:42 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Threats/New-Malware-Campaign-Abusing-RDPWrapper-and-Tailscale-to-Target/m-p/72161#M1261</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2024-07-18T22:19:42Z</dc:date>
    </item>
  </channel>
</rss>