Hackers target 7ZIP due to its widespread use and popularity, making it a lucrative vector for spreading malware.
Exploiting vulnerabilities in 7ZIP allows them to compromise a large number of systems, potentially leading to unauthorized access or data theft.
Cybersecurity researchers at QiAnXin Threat Intelligence Center recently discovered that hackers are actively targeting 7ZIP to deliver or spread malware via the Microsoft App Store.
In an unusual endpoint finding, QiAnXin observed the WindowsPackageManagerServer process (the service behind Microsoft Store and App Installer package installs) triggering Lumma Stealer.
Investigation revealed a fake Russian 7Zip listing on the Microsoft App Store that is not the legitimate 7ZIP; the malicious packages surfaced in “7z” searches.
Malicious 7ZIP on the Microsoft App Store
Microsoft quickly removed the malicious software from its App Store after researchers reported it. The rogue package, labelled UTG-Q-003, went undetected for almost a year after its January 2023 appearance.
The incident details were disclosed internally, and the IOCs were shared publicly. It is not known how the attackers uploaded the package. The 7z-soft software was first downloaded on March 17, 2023, according to QiAnXin’s data platform.
JPHP, an open-source project that runs PHP code on the Java virtual machine, let the installer evade detection effectively. The attackers used the “jurl” function from the JPHP library to fetch payloads from a remote server.
The attackers kept changing the payloads on their C2 server to extend the evasion: each day, 2 to 3 soft.exe files with different MD5 hashes were requested, and the payloads aimed to steal the following file types:-
- txt
- doc
- rdp
- key
- wallet
- seed
- lnk
The malware families delivered included:-
- Redline
- Lumma Stealer
- Amadey
The 7z-soft.exe had multiple download methods, and the URLs are now inaccessible. Historical data shows links from:-
- “deputadojoaodaniel.com.br”
- “cdn.discordapp.com”
Both domains were WordPress sites, suggesting UTG-Q-003 compromised WordPress installations to host payloads and redirect web pages.
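The daily rotation of soft.exe hashes described above is the reason a hash-only blocklist keeps falling behind; the observable that does not rotate is the download URL whose response hash changes on every fetch. The script below, an added example that is not QiAnXin’s tooling, hunts for that pattern in web-proxy logs and measures how little a known-hash blocklist would have covered. The log lines, hosts, client addresses and hashes are all constructed sample data.

```python
"""Spot payload rotation in web-proxy logs (added example, constructed data)."""
from collections import defaultdict
from typing import Dict, List, Set

# Constructed proxy log: "<timestamp> <client> <url> <response_md5>" per line.
# Hosts use the reserved .invalid TLD so nothing here resolves.
SAMPLE_LOG = """\
2023-03-17T08:01:12Z 10.0.0.21 http://c2.example.invalid/soft.exe 0f1e2d3c4b5a69788796a5b4c3d2e1f0
2023-03-17T13:44:09Z 10.0.0.33 http://c2.example.invalid/soft.exe 11aa22bb33cc44dd55ee66ff00112233
2023-03-18T09:12:50Z 10.0.0.21 http://c2.example.invalid/soft.exe deadbeefdeadbeefdeadbeefdeadbeef
2023-03-18T09:13:01Z 10.0.0.40 http://updates.example.invalid/setup.exe 99999999999999999999999999999999
2023-03-19T10:00:00Z 10.0.0.40 http://updates.example.invalid/setup.exe 99999999999999999999999999999999
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Split whitespace-separated log lines into records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, url, md5 = parts
        records.append({"ts": ts, "client": client, "url": url, "md5": md5.lower()})
    return records


def find_rotating_urls(records: List[Dict[str, str]],
                       min_hashes: int = 2) -> Dict[str, Dict[str, Set[str]]]:
    """Return URLs served with at least `min_hashes` distinct response hashes,
    together with the hashes, requesting clients and calendar days observed."""
    by_url: Dict[str, Dict[str, Set[str]]] = defaultdict(
        lambda: {"hashes": set(), "clients": set(), "days": set()}
    )
    for r in records:
        entry = by_url[r["url"]]
        entry["hashes"].add(r["md5"])
        entry["clients"].add(r["client"])
        entry["days"].add(r["ts"][:10])  # YYYY-MM-DD prefix of the timestamp
    return {url: e for url, e in by_url.items() if len(e["hashes"]) >= min_hashes}


def blocklist_coverage(records: List[Dict[str, str]], url: str,
                       known_hashes: Set[str]) -> float:
    """Fraction of fetches of `url` that a hash-only blocklist would have stopped."""
    fetches = [r for r in records if r["url"] == url]
    if not fetches:
        return 0.0
    blocked = sum(1 for r in fetches if r["md5"] in known_hashes)
    return blocked / len(fetches)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for url, info in find_rotating_urls(recs).items():
        print(f"{url}: {len(info['hashes'])} hashes over {len(info['days'])} days "
              f"from {len(info['clients'])} clients")
    # Blocklist containing only the first hash seen: catches 1 of 3 fetches.
    first_seen = {"0f1e2d3c4b5a69788796a5b4c3d2e1f0"}
    print("hash blocklist coverage:",
          blocklist_coverage(recs, "http://c2.example.invalid/soft.exe", first_seen))
```

On real data the same logic runs over exported proxy or EDR download telemetry; the legitimate updates.example.invalid URL, whose hash is stable across days, is never flagged, while the rotating soft.exe URL is surfaced even though none of its later hashes were ever on a blocklist.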
The attackers imitate Cloudflare’s DDoS protection page, tricking victims with a fake verification dialog that leads to “brolink2s.site.” When the victim clicks “Allow,” a JavaScript script adds the site to Chrome’s push notification list, which enables notifications across platforms.
Because the notifications are delivered by Windows, links can still arrive after the browser is closed. From October to the present, 10 domains spanning movie and software sites redirected to “browserneedupdate.com.” The initial phishing emails only prompt the user to enable message notifications, which evades email gateway detection.
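The persistence described above rests entirely on one notification grant that Chrome stores in the profile’s Preferences file, so an incident responder can find affected users by reading that file rather than waiting for a notification to fire. The script below is an added example, not part of QiAnXin’s report; it assumes the Preferences layout profile.content_settings.exceptions.notifications with origin-pattern keys like "https://host:443,*" and a "setting" of 1 for allow and 2 for block (Chrome’s content-setting values), and that on Windows the file lives at %LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences. The Preferences excerpt is constructed; the IOC list is taken from this page, written in its [.] defanged convention.

```python
r"""Audit Chrome notification grants against this page's domains (added example).

Assumed on-disk layout: profile.content_settings.exceptions.notifications in
%LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences, keyed by an origin
pattern such as "https://host:443,*", with "setting" 1 = allow, 2 = block.
"""
import json
from typing import List, Set
from urllib.parse import urlparse

# Constructed Preferences excerpt: one site the user granted after a fake
# verification dialog, one legitimate grant, and one explicitly blocked site.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {
        "content_settings": {
            "exceptions": {
                "notifications": {
                    "https://brolink2s.site:443,*": {"last_modified": "13345678901234567", "setting": 1},
                    "https://mail.example.invalid:443,*": {"last_modified": "13345678901234567", "setting": 1},
                    "https://www.50kmovie.com:443,*": {"last_modified": "13345678901234567", "setting": 2},
                }
            }
        }
    }
})

# Domains named in this report, defanged in the page's own [.] style.
REPORT_IOCS_DEFANGED = [
    "brolink2s[.]site",
    "browserneedupdate[.]com",
    "www[.]50kmovie[.]com",
    "creatologics[.]com",
    "linta[.]software",
]

ALLOW = 1  # assumed value of Chrome's CONTENT_SETTING_ALLOW


def refang(domain: str) -> str:
    """Turn the defanged form (example[.]com) back into a comparable hostname."""
    return domain.replace("[.]", ".").lower()


def granted_notification_origins(prefs_json: str) -> List[str]:
    """Hostnames the profile currently allows to push notifications, sorted."""
    prefs = json.loads(prefs_json)
    exceptions = (prefs.get("profile", {})
                       .get("content_settings", {})
                       .get("exceptions", {})
                       .get("notifications", {}))
    hosts = []
    for pattern, value in exceptions.items():
        if value.get("setting") != ALLOW:
            continue
        origin = pattern.split(",")[0]   # drop the ",*" embedding-pattern suffix
        host = urlparse(origin).hostname
        if host:
            hosts.append(host.lower())
    return sorted(hosts)


def match_iocs(hosts: List[str], iocs_defanged: List[str]) -> List[str]:
    """Granted hosts that equal, or are subdomains of, a report IOC."""
    iocs: Set[str] = {refang(d) for d in iocs_defanged}
    return [h for h in hosts
            if h in iocs or any(h.endswith("." + ioc) for ioc in iocs)]


if __name__ == "__main__":
    granted = granted_notification_origins(SAMPLE_PREFERENCES)
    print("notification grants:", granted)
    print("grants matching report IOCs:", match_iocs(granted, REPORT_IOCS_DEFANGED))
```

To run it against a real profile, pass the contents of the Preferences file to granted_notification_origins in place of the constructed string. Beyond cleanup, the grant can be prevented centrally: Chrome’s DefaultNotificationsSetting and NotificationsBlockedForUrls enterprise policies let an administrator refuse notification permission for unknown origins, which removes the step the fake verification dialog depends on.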
Domains Detected
The detected domains are listed below:-
- analiticaderetail[.]com
- creatologics[.]com
- www[.]50kmovie[.]com
- linta[.]software
- captionhost[.]net
- www[.]bcca[.]kr
- opwer[.]top
- fms[.]net[.]br
- leanbiome-leanbioome[.]com
- zuripvp[.]tk
In the second stage, tailored phishing links exploit the target host’s platform. UTG-Q-003 delivers installation packages built on the JPHP framework. Downloads surged on the Microsoft App Store, potentially tied to the WinRAR vulnerability.
After the CVE-2023-38831 disclosure, East Asian APT groups initiated phishing attacks in China. SEO manipulation and the difficulty of finding 7zip on official sites push users to the Microsoft App Store, leading to compromise.
The Russian package received negative reviews from Chinese users, highlighting the challenges of downloading software in China. Moreover, the attacker domains link to both Russia and Ukraine, preventing attribution, especially in Russian-speaking regions.