Under the guise of the Red Cross: AtlasCross Group and its Charitable Cyberattacks

CarderPlanet

How a simple Word document can turn out to be a Trojan. Or even two.

Cybersecurity specialists from NSFocus discovered two previously unknown Trojans, DangerAds and AtlasAgent, which are used by the AtlasCross group in their attacks.

According to the study, hackers from AtlasCross demonstrate a high degree of resourcefulness and do not give away their origin.

NSFocus states: "As a result of a thorough analysis of the attack, we came to the conclusion that the methods and tools of this APT group differ from the usual schemes. This applies to the execution flow, technologies and tools used, implementation details, attack targets, behavioral features, and other key points."

APT groups attack the victim over a long period of time, in an organized, methodical manner, and using advanced methods. Their goal is long-term, unobtrusive access to systems, not instant benefits.

It often turns out that "APT hackers" are supported by government agencies or large commercial organizations, but such conclusions require additional evidence and research.

It all starts with a phishing email, allegedly from the American Red Cross, with an offer to participate in one of the charity events. The message is accompanied by a Word document with macros. The victim needs to activate the "Enable Content" option to see the content.

After one click, malicious macros are launched on the Windows device. They unpack a ZIP archive, from which the KB4495667.pkg file, which is the DangerAds program, is extracted. Then, a "Microsoft Office Updates" task is created in the task scheduler — it activates DangerAds regularly for three days.

DangerAds analyzes the environment and executes embedded code when certain strings are detected. The final step is downloading x64.dll, the AtlasAgent trojan.
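As an added example, not code from the NSFocus report or from this post: a small Python triage script that replays the dropper chain described above against constructed endpoint events and flags the behaviours a defender can key on (Word writing a non-document file, Word registering a scheduled task, a task whose action lives in a user-writable path), alongside the exact artifact names the report gives. The key=value event format, host names and the benign comparison event are assumptions.

```python
import re

# Constructed sample telemetry (not real logs): one endpoint event per line as
# key=value pairs, in the spirit of Sysmon process/file/scheduled-task events.
SAMPLE_EVENTS = [
    "host=ws01 event=FileCreate image=WINWORD.EXE target=C:\\Users\\alice\\AppData\\Local\\Temp\\KB4495667.pkg",
    "host=ws01 event=TaskCreate image=WINWORD.EXE taskname=Microsoft Office Updates action=C:\\Users\\alice\\AppData\\Local\\Temp\\KB4495667.pkg",
    "host=ws01 event=FileCreate image=KB4495667.pkg target=C:\\Users\\alice\\AppData\\Local\\Temp\\x64.dll",
    "host=ws02 event=TaskCreate image=OfficeC2RClient.exe taskname=Office Automatic Updates action=C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeC2RClient.exe",
]

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
# Exact names taken from the NSFocus report; useful for retrospective hunting only,
# since a new campaign will rename them while the behaviours below tend to persist.
REPORT_ARTIFACTS = {"KB4495667.pkg", "x64.dll", "Microsoft Office Updates"}

def parse_event(line):
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def evaluate(event):
    """Return the names of the rules a single event triggers."""
    hits, kind = [], event.get("event")
    image = basename(event.get("image", "")).upper()
    if kind == "TaskCreate":
        action = event.get("action", "")
        if image in OFFICE_APPS:                     # Word itself registering a task
            hits.append("office_app_registers_task")
        if "\\AppData\\" in action or "\\Temp\\" in action:
            hits.append("task_runs_from_user_writable_path")
        if not action.lower().endswith(".exe"):      # e.g. a .pkg payload as the action
            hits.append("task_action_unusual_extension")
    if kind == "FileCreate" and image in OFFICE_APPS:
        if not basename(event.get("target", "")).lower().endswith((".doc", ".docx", ".tmp")):
            hits.append("office_app_drops_non_document")
    if {basename(v) for v in event.values()} & REPORT_ARTIFACTS:
        hits.append("known_atlascross_artifact")
    return hits

def scan(lines):
    """Map each host to the sorted list of rules its events triggered."""
    findings = {}
    for line in lines:
        event = parse_event(line)
        for rule in evaluate(event):
            findings.setdefault(event.get("host", "?"), set()).add(rule)
    return {host: sorted(rules) for host, rules in findings.items()}
```

Running `scan(SAMPLE_EVENTS)` reports ws01 on all five rules and stays silent on ws02, whose updater task runs a .exe from Program Files.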

AtlasAgent is written in C++ and performs a number of functions: collecting information about the system, blocking the launch of various programs, executing code on an infected computer, and downloading files from the attacker's servers.

When the Trojan is launched for the first time, it sends information about the system to its operators. In response, it can receive a number of commands from the server. In general, AtlasAgent performs tasks such as:
  • Collecting system information
  • Feedback (Reverse Shell)
  • Downloading data from the control server (CnC) and saving it
  • Suspension of work for a certain period of time
  • Monitoring active processes
  • Running or injecting code into individual system processes
  • and others.

The NSFocus report was the first to describe AtlasCross activities in detail. However, the motives of the group are still a mystery.