New obfuscated malware targets sensitive data
Researchers have discovered a new type of obfuscated malware that is specifically designed to steal sensitive data from victims’ computers. The malware is distributed through phishing emails that appear to be legitimate but contain a link to a malicious website that downloads the malware onto the victim’s computer.
“Most of these packages had well thought out names, to purposely confuse people,” security researcher and journalist Ax Sharma said. Lines 50 and 54, containing a Python “bytes object” in hex, essentially create a Linux binary (ELF) file, which is a Meterpreter trojan generated by the pentesting tool Metasploit [VirusTotal analysis]. The file is highly stripped and obfuscated, which hinders analysis. The Meterpreter payload executes in memory and enables an attacker to gain shell access to the infected machine.
Once installed, the malware employs a variety of techniques to avoid detection, such as encrypting its payload and employing code obfuscation. The malware is also capable of evading security software and firewalls by masquerading as legitimate network traffic.
The packages in question are aptx, bingchilling2, httops, and tkint3rs, which were downloaded approximately 450 times before being removed. While aptx is an attempt to imitate Qualcomm’s widely used audio codec of the same name, httops and tkint3rs are misspellings of https and tkinter, respectively.
The malware is intended to steal sensitive information such as usernames, passwords, credit card numbers, and other financial information. To capture sensitive information, it also takes screenshots and records keystrokes.
The code then tries to create or modify the “authorized_keys” file in the “.ssh” folder. This makes it even easier for the attacker to install an SSH backdoor on the infected machine, to which they can later connect.
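As an added illustration (not code from the article, the researchers, or the packages themselves), the following static scanner flags the two behaviours described above in Python package source: bytes literals that begin with the ELF magic, as in the embedded Meterpreter binary, and string literals referencing `.ssh`/`authorized_keys`. The sample source it scans by default is constructed for the demo; point it at a directory to scan real files.

```python
import ast
import sys
from pathlib import Path

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF file
SSH_KEY_MARKERS = ("authorized_keys", ".ssh")


def scan_source(src: str, filename: str = "<string>") -> list:
    """Return sorted (line, kind, detail) findings for one Python source text."""
    try:
        tree = ast.parse(src, filename=filename)
    except SyntaxError as exc:
        return [(exc.lineno or 0, "syntax-error", str(exc))]
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Constant):
            continue
        val = node.value
        if isinstance(val, bytes) and val.startswith(ELF_MAGIC):
            # An ELF header inside a bytes literal is the embedded-binary pattern
            findings.append((node.lineno, "embedded-elf", f"{len(val)}-byte ELF literal"))
        elif isinstance(val, str) and any(m in val for m in SSH_KEY_MARKERS):
            # References to ~/.ssh/authorized_keys are rare in legitimate packages
            findings.append((node.lineno, "ssh-path", val))
    return sorted(findings)


def scan_tree(root: str) -> dict:
    """Scan every .py file under root; map path -> findings (non-empty only)."""
    results = {}
    for path in Path(root).rglob("*.py"):
        hits = scan_source(path.read_text(errors="replace"), str(path))
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample mimicking the two behaviours; not the real package code.
SAMPLE = '''import os
payload = b"\\x7fELF\\x02\\x01\\x01\\x00" + b"\\x00" * 64
open("/tmp/dropped", "wb").write(payload)
key_path = os.path.expanduser("~/.ssh/authorized_keys")
'''

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_tree(target) if target else {"<sample>": scan_source(SAMPLE)}
    for fname, hits in results.items():
        for line, kind, detail in hits:
            print(f"{fname}:{line}: {kind}: {detail}")
```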
The malware, according to the researchers, is part of a larger campaign to steal sensitive information from targeted organizations. They have advised businesses to monitor their networks for any suspicious activity and to keep their security software up to date with the latest patches.
The sources for this piece include an article in TheHackerNews.