Russian cybercrime group TA505 has been observed using new hVNC (Hidden Virtual Network Computing) malware in recent attacks, threat intelligence company Elastic reports.
Called Lobshot, the malware allows attackers to bypass fraud detection engines and provides them with stealthy, direct access to the infected machines.
The threat actor distributes the malware through malvertising, abusing Google Ads and a network of fake websites to trick users into downloading legitimate-looking installers containing backdoors.
To evade detection, Lobshot relies on dynamic import resolution, where the names of the required Windows APIs are resolved at runtime. Upon execution, the threat performs a Windows Defender anti-emulation check and exits its process if the anti-malware solution is detected.
In the cases where it continues with its execution, the malware builds a custom structure based on data harvested from the machine, and only then it initiates network connection. Lobshot also copies itself to a new location, spawns a new process using exporer.exe, and erases the original file.
Lobshot then registers a new registry key for persistence and begins its information stealing routine, targeting over 50 Chrome, Edge, and Firefox extensions related to cryptocurrency wallets.
The malware’s core functionality, however, revolves around its hVNC module, which is implemented by generating a hidden desktop and assigning it to the malware itself.
Once the functionality is up-and-running, the attacker gains full remote control of the machine, being able to take screenshots, interact with the keyboard, and click the mouse.
The attackers issue commands to start a new explorer.exe process, start a Run command window, start a new Windows process with a provided command, start browsers, terminate the existing explorer.exe process, modify sound settings, access the clipboard, activate the Start menu, and modify DPI awareness settings.
Lobshot can also swap the command-and-control (C&C) server provided by the operator and can update itself.
According to Elastic, TA505 has been using Lobshot in attacks since at least 2022, with more than 500 unique malware samples observed since July last year.
Also referred to as Evil Corp and active since at least 2014, TA505 is a financially motivated threat actor known for operating the Dridex trojan and ransomware families such as Locky, Bart, BitPaymer, WastedLocker, and Cl0p.
Related: Russian Cybercrime Group Exploits SolarWinds Serv-U Vulnerability
Related: Russia-Linked TA505 Back at Targeting Financial Institutions
Related: FIN11 Spun Out From TA505 Umbrella as Distinct Attack Group