Recently, during routine threat hunting, the Red Raindrop team of the Qi'anxin Threat Intelligence Center captured several attack samples from this group. In this attack, the attacker delivers a malicious RTF file that exploits a vulnerability as a spear-phishing lure. When the victim opens the decoy document, the exploit executes the BADNEWS Trojan.
BADNEWS is a Trojan that spies on the victim and steals information, communicating with the attacker over the network. The sample in this attack is a modified version of BADNEWS built specifically to steal information from the victim. Once installed, BADNEWS checks for updates and restarts itself whenever a new download is available.
After the first update is downloaded, BADNEWS checks its configuration file and overwrites it with the attacker's own configuration data. If no update is available, BADNEWS waits ten days before attempting the next download.
To confirm that the infection succeeded, BADNEWS runs a command and contacts the attacker's CNC (command-and-control) website.
The attacker's malicious domain is www . anti-ghost . com (written de-fanged here), and the CNC server is hosted on the same domain name.
The CNC website exposes a simple control-panel interface through which the attackers monitor the infected hosts (zombies).
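The two things a defender can act on from this write-up are the delivery vector (an RTF decoy that carries an exploit) and the network indicator (the CNC domain). The following is an added triage example, not code from the Qi'anxin report or from the BADNEWS authors: it flags RTF files that embed an OLE object (a generic heuristic for weaponised RTF decoys; the write-up does not name the specific vulnerability, so this is not a signature for the sample) and scans DNS and proxy log lines for contacts to the CNC domain, re-fanged from the de-fanged form above. The log formats and the log lines themselves are constructed for the example.

```python
import re

# Indicator from the write-up, given there de-fanged as "www . anti-ghost . com".
C2_DOMAINS = {"anti-ghost.com"}

# Generic RTF heuristic (assumption, not a signature for this campaign):
# weaponised RTF decoys usually embed an OLE object via \object / \objdata.
RTF_MAGIC = b"{\\rtf"
RTF_OBJECT_KEYWORDS = (b"\\objdata", b"\\objclass", b"\\objupdate", b"\\object")


def suspicious_rtf(data: bytes) -> bool:
    """Return True if data is an RTF document that embeds an OLE object."""
    if not data.lstrip().startswith(RTF_MAGIC):
        return False  # not RTF at all, so the RTF heuristic does not apply
    lowered = data.lower()
    return any(kw in lowered for kw in RTF_OBJECT_KEYWORDS)


def domain_matches_c2(host: str) -> bool:
    """True if host is a C2 domain or a subdomain of one (e.g. the www. host).

    Matching on the label boundary avoids false hits on look-alike names such
    as "notanti-ghost.com" or "anti-ghost.com.evil.example".
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


# Assumed log formats (constructed for this example):
#   DNS:   "<ts> dns query <client_ip> <qname> <qtype>"
#   Proxy: "<ts> proxy <client_ip> <method> <url> <status>"
DNS_RE = re.compile(r"^(\S+) dns query (\S+) (\S+) (\S+)$")
PROXY_RE = re.compile(r"^(\S+) proxy (\S+) (\S+) (\S+) (\d{3})$")
URL_HOST_RE = re.compile(r"^https?://([^/:]+)")


def find_c2_contacts(lines):
    """Return (timestamp, client_ip, host) for every line touching a C2 domain."""
    hits = []
    for line in lines:
        line = line.strip()
        m = DNS_RE.match(line)
        if m:
            ts, client, qname, _qtype = m.groups()
            if domain_matches_c2(qname):
                hits.append((ts, client, qname.lower()))
            continue
        m = PROXY_RE.match(line)
        if m:
            ts, client, _method, url, _status = m.groups()
            h = URL_HOST_RE.match(url)
            if h and domain_matches_c2(h.group(1)):
                hits.append((ts, client, h.group(1).lower()))
    return hits


# Constructed sample logs: one host beacons to the CNC domain, the others do not.
SAMPLE_LOGS = [
    "2020-01-01T10:00:01Z dns query 10.0.0.5 www.anti-ghost.com A",
    "2020-01-01T10:00:02Z proxy 10.0.0.5 GET http://www.anti-ghost.com/ 200",
    "2020-01-01T10:00:03Z dns query 10.0.0.7 update.microsoft.com A",
    "2020-01-01T10:00:04Z proxy 10.0.0.7 GET https://example.com/ 200",
    "2020-01-01T10:00:05Z dns query 10.0.0.9 anti-ghost.com.evil.example A",
]

# Constructed RTF fragments: a plain document and one with an embedded OLE object.
BENIGN_RTF = b"{\\rtf1\\ansi Hello, world}"
OLE_RTF = b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 01050000}}}"


if __name__ == "__main__":
    for rtf in (BENIGN_RTF, OLE_RTF):
        print("suspicious" if suspicious_rtf(rtf) else "clean", rtf[:24])
    for ts, client, host in find_c2_contacts(SAMPLE_LOGS):
        print(f"{ts} {client} contacted CNC host {host}")
```

Only the first two sample lines (client 10.0.0.5) are reported; the look-alike query for anti-ghost.com.evil.example is correctly ignored because the match is anchored on a label boundary. In production the domain set would be loaded from a threat-intelligence feed and the RTF check would be run on mail attachments before delivery rather than after the fact.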