2025-01-17 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)11/24 Report--
CTOnews.com, November 13: Software developer RARLab patched the WinRAR zero-day vulnerability CVE-2023-38831 in July this year, but security company Seqrite reported a few days ago that members of the SideCopy hacking group are still exploiting the flaw to attack computers that have not yet been patched, deploying malicious Trojans such as AllaKore RAT, DRat, and Ares RAT variants on them.
The attackers first use phishing to entice users into downloading what appears to be a PDF file, but the "PDF" is actually a disguised Windows LNK file. Once the victim opens it, the Trojan checks the .NET version and the antivirus software installed on the computer, and then, using Base64, starts the malicious DLL through DLL side-loading.
▲ Phishing PDF file (image source: Seqrite)
Reportedly, this DLL first opens the content of the phishing PDF to lower the user's guard, then quietly sends information to the attackers' domain, downloads a series of malware in the background, and carries out the attack. The attackers can steal system information, record keyboard input, take screenshots of the desktop, upload and download content, and so on.
In one of the attacks, the hackers distributed PDF files related to the Indian space research organization NSRO, named ACR.pdf or ACR_ICR_ECR_Form_for_Endorsement_New_Policy.pdf; both Windows and Linux devices were hit.
CTOnews.com's own inquiries found that SideCopy's attacks date back to 2019 and have long targeted South Asian countries. Seqrite researchers pointed out that since the beginning of this year they have seen the group launch new attacks almost every month, and that it has started using a series of new tools, such as Double Action RAT and a RAT Trojan developed in .NET, and has also begun executing commands remotely through PowerShell.
In addition, these hackers actively targeted the computers of college students this year, leaking students' private information, and used honeypot traps (Honeypot) to lure and deceive people from relevant departments, thereby stealing confidential information.
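A defender-side triage check for the "PDF that is really an LNK" lure described above, as an added example that is not from Seqrite or the original article: it compares a delivered file's name with its leading bytes, using the shell-link header defined in MS-SHLLINK. The function names, the `ACR.pdf.lnk` double-extension name and the sample byte strings are assumptions constructed for illustration.

```python
import struct
import uuid

# Shell Link header per MS-SHLLINK: HeaderSize (0x4C) followed by the LinkCLSID.
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes: 'lnk', 'pdf' or 'other'."""
    if len(data) >= 20:
        (size,) = struct.unpack_from("<I", data, 0)
        if size == 0x4C and data[4:20] == LNK_CLSID.bytes_le:
            return "lnk"
    if data[:1024].lstrip().startswith(b"%PDF-"):
        return "pdf"
    return "other"


def triage(name: str, data: bytes) -> list[str]:
    """Return findings for a delivered file whose name and content disagree."""
    findings = []
    lower = name.lower().rstrip(". ")  # Windows ignores trailing dots/spaces
    kind = sniff(data)
    stem, _, ext = lower.rpartition(".")
    if ext == "lnk" and stem.endswith(DOC_EXTS):
        findings.append("double extension: document name on a .lnk shortcut")
    if kind == "lnk" and ext != "lnk":
        findings.append("shell-link content behind a non-.lnk name")
    if lower.endswith(".pdf") and kind != "pdf":
        findings.append("named .pdf but content is not a PDF")
    return findings


# Constructed samples (not taken from the Seqrite report).
FAKE_LNK = struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le + b"\x00" * 56
REAL_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"

if __name__ == "__main__":
    samples = [("ACR.pdf.lnk", FAKE_LNK), ("ACR.pdf", FAKE_LNK), ("ACR.pdf", REAL_PDF)]
    for sample_name, sample_data in samples:
        print(sample_name, triage(sample_name, sample_data))
```

Explorer hides the `.lnk` extension even when "show file extensions" is enabled, which is why the check relies on file content and the full name rather than on what the user sees.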