Hi All
CRIL has discovered a multi-stage cyberattack campaign that starts with a Zip file containing a malicious shortcut file (.lnk). As of now, the source of this Zip file is unknown, but we suspect it to be spreading through phishing emails. The .lnk file, on execution, downloads a PowerShell script that eventually allows the Threat Actor (TA) to gain RDP access to the victim’s system. To mislead victims, a decoy PDF related to cryptocurrency trading on CoinDCX is presented on the victim’s screen, indicating a possible focus on Indian users.
The attack involves various components, including PowerShell scripts, batch files, Go-based binaries, and vulnerable drivers. The TA appears to be planning a Windows BYOVD attack using the Terminator (Spyboy) driver, which was not executed during the initial infection but may be executed after gaining a remote connection.
The TA has leveraged legitimate applications, including RDPWrapper for remote access and Tailscale for connecting to the TA’s private network. Tailscale is a virtual private network (VPN) that allows users to create private networks where devices can connect directly to each other using encrypted connections. It includes a web-based management service for easy administration and configuration.
https://cyble.com/blog/new-malware-campaign-abusing-rdpwrapper-and-tailscale-to-target-cryptocurrenc...
Regards
Caute_Cautim
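The campaign abuses two legitimate tools, RDP Wrapper and Tailscale, rather than custom remote-access malware, so host hunting has to look for the footprints of otherwise benign software. The PowerShell below is an added hunting example, not code from the Cyble write-up or from the post above. It checks the three things a responder would want to confirm on a suspect host: whether the TermService ServiceDll has been redirected away from termsrv.dll (how RDP Wrapper enables multi-session RDP), whether a Tailscale service/process or an address in Tailscale's 100.64.0.0/10 CGNAT range is present, and whether a known-vulnerable signed driver has been staged for the BYOVD step. The driver file names in $SuspectDrivers are an assumption based on public reporting on the Terminator/Spyboy tool and should be replaced with your own intelligence; everything else relies on the default install paths and service names of the two products.

```powershell
# Added hunting example for the RDP Wrapper / Tailscale / BYOVD campaign described above.
# Not from the Cyble report or the forum post. Run as Administrator on a suspect host.
# $SuspectDrivers is an ASSUMPTION (Zemana driver names commonly reported for Terminator);
# substitute your own indicators.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Indicator, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# 1. RDP Wrapper: the legitimate ServiceDll for TermService is %SystemRoot%\System32\termsrv.dll.
#    RDP Wrapper points it at rdpwrap.dll instead, which is what allows concurrent RDP sessions.
$termParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
$serviceDll = (Get-ItemProperty -Path $termParams -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
if ($serviceDll -and $serviceDll -notmatch '\\System32\\termsrv\.dll$') {
    Add-Finding 'TermService ServiceDll redirected' $serviceDll
}
foreach ($p in @("$env:ProgramFiles\RDP Wrapper\rdpwrap.dll", "$env:ProgramFiles\RDP Wrapper\rdpwrap.ini")) {
    if (Test-Path -LiteralPath $p) { Add-Finding 'RDP Wrapper file present' $p }
}

# 2. Tailscale: Windows service "Tailscale", daemon tailscaled.exe / tray app tailscale-ipn.exe,
#    and an IPv4 address in 100.64.0.0/10 (the CGNAT range Tailscale assigns to nodes).
$svc = Get-Service -Name Tailscale -ErrorAction SilentlyContinue
if ($svc) { Add-Finding 'Tailscale service' "Status=$($svc.Status) StartType=$($svc.StartType)" }
Get-Process -Name tailscaled, tailscale-ipn -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'Tailscale process' "$($_.Name) PID $($_.Id) $($_.Path)"
}
# 100.64.0.0/10 covers second octets 64..127.
$cgnat = '^100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.'
Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress -match $cgnat } |
    ForEach-Object { Add-Finding 'CGNAT (Tailscale-range) address' "$($_.IPAddress) on '$($_.InterfaceAlias)'" }

# 3. BYOVD staging: a vulnerable signed driver dropped to disk and/or registered as a kernel service.
$SuspectDrivers = @('zam64.sys', 'zamguard64.sys')   # ASSUMPTION: adjust to your own intel
$dropDirs = @("$env:SystemRoot\System32\drivers", $env:TEMP, $env:ProgramData, "$env:PUBLIC")
Get-ChildItem -Path $dropDirs -Recurse -Include $SuspectDrivers -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Suspect driver on disk' $_.FullName }
Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
    Where-Object { $d = $_.PathName; $SuspectDrivers | Where-Object { $d -and $d -match [regex]::Escape($_) } } |
    ForEach-Object { Add-Finding 'Suspect driver registered as service' "$($_.Name) State=$($_.State) $($_.PathName)" }

if ($findings.Count -eq 0) { Write-Output 'No RDP Wrapper, Tailscale, or suspect-driver artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

Treat a redirected TermService ServiceDll as high-confidence: there is no legitimate reason for it to point anywhere but termsrv.dll. The Tailscale and driver checks need context, since both products have legitimate users; a Tailscale node on a host where the organisation does not deploy Tailscale, or a Zemana driver on a machine that never had Zemana installed, is what turns these into incident indicators.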