Hackers Attacking Users Searching For W2 Form


A malicious campaign emerged on June 21, 2024, distributing a JavaScript file hosted on grupotefex.com, which executes an MSI installer, subsequently dropping a Brute Ratel Badger DLL into the user’s AppData. 

The command-and-control framework Brute Ratel then downloads and inserts the stealthy Latrodectus backdoor, which gives threat actors remote control, the ability to steal data, and the ability to send out more payloads. 

Zscaler ThreatLabz independently verified Brute Ratel’s involvement as an initial access broker for the Latrodectus malware family on June 23. 

Search Result for `w2 form 2024` Using Bing

An attacker leveraged Bing search results to redirect users from a lookalike domain (appointopia.com) to a fake IRS website (hxxps://grupotefex.com/forms-pubs/about-form-w-2/). 

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Clicking on the website triggered a CAPTCHA challenge. Solving the seemingly innocuous CAPTCHA resulted in downloading a malicious JavaScript file (Form_Ver-*.js) hosted on a Google Firebase storage bucket, which likely initiated the next stage of the attack. 

Hackers Attacking Users Searching For W2 Form
Sample CAPTCHA to Solve on `hxxps://grupotefex[.]com/forms-pubs/about-form-w-2/`

Analysis of the JS file `Form_ver-14-00-21.js` revealed a malicious code obfuscation technique where threat actors concealed malicious code within seemingly innocuous comments. 

The file leveraged a ScriptHandler class to extract hidden code starting with ‘/////’ and execute it using `new Function()`, which effectively hides malicious payloads, inflates file size, and evades antivirus detection. 

Additionally, the file’s inclusion of a valid authentication certificate enhances its legitimacy, emphasizing the threat actor’s intent to deceive. 

Hackers Attacking Users Searching For W2 Form
File Details for JS File `Form_ver-14-00-21.js`

The `Form_ver-14-00-21.js` script revealed its sole purpose as a downloader and executor of MSI packages from specified URLs by retrieving the MSI named “BST.msi” from the IP address 85.208.108.63 and initiating its installation. 

A similar incident on June 25th involved a different script downloading another MSI, “neuro.msi,” from a closely related IP, 85.208.108.30, indicating a potential campaign targeting systems with identical malicious payloads. 

Hackers Attacking Users Searching For W2 Form
Cleaned-up Contents of `Form_ver-14-00-21.js`

Rapid7 analyzed an MSI file named neuro.msi and found it contained a cabinet archive (disk1.cab) with a DLL named capisp.dll. 

The MSI installer also included a custom action that dropped capisp.dll into the user’s AppData/Roaming folder and executed it using rundll32.exe with the export named “remi,”  which suggests that the MSI package installs and runs capisp.dll, likely for a purpose related to the “remi” export function. 

Hackers Attacking Users Searching For W2 Form
Snippet of Code Contained Within `capisp.dll`

capisp.dll revealed a multi-stage malware infection chain, while the DLL associated with VLC contains an encrypted resource decrypted using a hardcoded XOR key. 

The decrypted data is a loader for a packed Brute Ratel Badger (BRC4) payload, which connects to multiple C2 domains and downloads Latrodectus malware, which is injected into Explorer.exe and communicates with several additional C2 URLs.

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo



Source link