ModernLoader is a new remote access trojan detected by Cisco Talos researchers.
ModernLoader Campaigns in the Wild
More specifically, the researchers analyzed three separate, but related campaigns in the period March-June 2022 that delivered ModernLoader, RedLine and several cryptocurrency miners.
In these attacks, the threat actors use PowerShell, .NET, and HTA (HTML Application) and VBS files, eventually deploying malware such as SystemBC and DCRAT. The final payload of the campaigns is the said ModernLoader remote access trojan capable of harvesting system information and deploying numerous modules.
“In the earlier campaigns from March, we also observed the attackers delivering the cryptocurrency mining malware XMRig. The March campaigns appeared to be targeting Eastern European users, as the constructor utility we analyzed had predefined script templates written in Bulgarian, Polish, Hungarian and Russian,” Cisco Talos explained.
ModernLoader provides remote access to targeted computers enabling further malicious operations such as dropping more malware, stealing information, and adding the target to a botnet. Due to the use of various off-the-shelf tools, the attack campaigns are attributed to a previously unknown threat actor, possibly of Russian origin, targeting Eastern Europe (Bulgaria, Poland, Hungary, and Russia).
This unknown threat actor is compromising vulnerable web WordPress and CPanel instances to drop the ModernLoader malware via fake Amazon gift cards. ModernLoader itself is a simple .NET remote access trojan that can collect system information, execute arbitrary commands, and download and run a file from the command-and-control server. Thanks to this capability, the threat actor can change the modules in real time.
It is also noteworthy that the threat actor “has an interest in alternative distribution channels such as compromised web applications, archive infections and spreading by using Discord webhooks.” Despite the versatile approaches and technical tactics, Cisco Talos estimates that the success of the analyzed campaigns is limited.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: