The new campaign also involves replacing cryptocurrency addresses shared via clipboard and setting up fake cryptocurrency websites.
Trend Micro researchers have shared details of a new campaign distributing SpyAgent malware by abusing legitimate use RATs (remote access tools), including TeamViewer.
Safib assistant also abused in the scam
According to a report from Trend Micro, the campaign involves abusing a legitimate Russian RAT called Safib Assistant through a new variant of SpyAgent malware. The scammers exploit a DLL sideloading vulnerability that loads a malicious DLL, which hooks and patches different API functions that the RAT calls. This hides the RAT windows from the user.
Afterward, the malicious DLL starts reporting the RAT’s ID that the attacker requires to establish a connection with the infected device and gain control over it. The malware then changes the access password to a fixed one. Due to this, the attacker only needs to have the RAT’s ID to connect to the infected device.
Malware Dropper Distributed via Fake Websites
SpyAgent dropper is distributed via bogus cryptocurrency-related websites, most of which are in the Russian language. The dropper is equipped with a fake cryptocurrency wallet, surfing plug-ins, or miner.
How a user is lured to these websites involves social engineering tactics, such as some websites display ads that say “earn cryptocurrency for browsing.” Scammers are also using social media, specifically Twitter, as a potential infection vector.
When a user visits these fake websites, a file-downloading dialog box appears almost immediately, urging the user to download, save, and execute the application, which is actually a SpyAgent dropper.
RATs and other malware used in the campaign
According to Trend Micro’s blog post, after getting installed on a device, SpyAgent malware downloads other malware having extensive capabilities, including stealing sensitive data. Moreover, Trend Micro researchers noticed that SpyAgent downloads additional stealers such as:
Further, it downloads Clipper, a clipboard replacer that replaces different cryptocurrency addresses with attacker-controlled addresses. The RATs used in this campaign include:
The campaign is Financially Motivated
This campaign seems to have financial motivation. The primary objective of hackers is to steal credentials and crypto-wallets, and they also replace cryptocurrency addresses shared through Clipboard. Users must stay clear of fake websites, unrealistic advertisements, and misleading social media posts.