GitHub Developers Attacked with Malicious Macro-Embedded e-Mails

Developers of open-source and users of GitHub are being targeted with sophisticated malware which's capable of stealing passwords, taking screenshots, pulling down sensitive files, as well as destroying themselves when required.

According to security researchers from Palo Alto Networks, during mid-January, many developers, the number unknown, received e-mails posing as job offers. There were files attached to the messages, the files- malevolent .doc files having macro implanted. This macro ran certain PowerShell command according to which malicious software would get seized from one C&C website as well as get executed.

There were .gz filename attachments consisting of Word files having harmful macro. When run, this macro ran one PowerShell script, which contacted one distant server followed with downloading Dimnie a malicious program.

Palo Alto says Dimnie's existence dates back to 2014 if not earlier, however has remained undetected till the present since it mainly attacked end-users in Russia. Infoworld.com posted this, March 30, 2017.

When 2017 began, developers using GitHub started receiving e-mails whose content were something like the writer telling they loved the e-mail recipient's code and that there was scope for him. The messages would then ask to open one tainted Word file.

Soon as this file is opened, one macro gets triggered which executes PowerShell scripts for pulling down and running Dimnie an executable. That drew the researchers' notice. Proceeding further, the binary connects to one central command-and-control server utilizing one HTTP GET Proxy query, like highlighted within RFC2616. Consequently, the connection gets masked; and the binary looks like connecting to toolbarqueries.google.com which's presently defunct, but in reality it talks to the IP address 176.9.81.4 that has no relation whatsoever with Google.

Likewise, while transmitting home data over the phone from victim's PC, Dimnie dispatched genuine appearing HTTP POST queries destined for gmail.com that really ended up on backend servers of the executable's mastermind.

Palo Alto states that Dimnie, by camouflaging network traffic both downloaded and uploaded like it was harmless user activity, capitalizes on defenders' assumptions regarding the way normal traffic appears. Such blending of ruses together with early inclination towards targeting computers that Russian speakers use probably let Dimnie be unknown.

» SPAMfighter News - 4/4/2017