Proofpoint uncovers malware delivery service for hire
Cybercriminals are using a new method of exploiting Microsoft Office macros and SQL commands to retrieve and install malware, according to Proofpoint.
The security company’s researchers have uncovered a new staged malware downloader they have named WhiteShadow, which appears to be operated as a malware delivery service for hire.
According to Proofpoint, WhiteShadow operates by using macros embedded in malicious document attachments to execute SQL queries against attacker-controlled Microsoft SQL Server databases.
The malware is stored as long ASCII-encoded strings within the SQL database. The macro decodes the string and writes it to disk as a PKZip archive of a Windows executable.
Once extracted by the macro, the executable is run on the system to start installing malware based on specifications within the script configuration stored in the malicious documents.
While early campaigns using WhiteShadow were used to distribute the known Crimson RAT (remote access trojan) malware, Proofpoint has uncovered no evidence tying this round of malware distribution with the culprits behind previous Crimson campaigns.
Instead, the downloader has been observed being used to install other RATs, downloaders and keyloggers, which could suggest that it is being offered as a new malware delivery service for a range of potential threat actors to incorporate into their campaigns.
To guard against the risk of attack, Proofpoint is urging organisations to be cognisant of both the incoming malicious email and outbound traffic on TCP port 1433, which the company said should be blocked — or at least restricted — on modern firewall access control list configurations.
Cyber attackers using sophisticated deepfake tools: report
A new report from Trend Micro demonstrates that malicious actors are using convincing deepfake...
Barracuda launches backup solution for Entra ID
Barracuda's Entra ID Backup Premium solution aims to protect customers' Microsoft...
Cloudflare has changed how AI crawlers scrape the internet
Cloudflare is now protecting online IP by blocking AI crawlers by default, and offering a...