CVE-2022-26830 DiskUsage.exe Remote Code Execution Vulnerability.

CVE-2022-26830 DiskUsage.exe Remote Code Execution Vulnerability.

This malware is distributed via spam email campaigns that target multiple categories of users. Typically, these campaigns are sent out using compromised email addresses, which makes them more likely to be successful. In order to stay under the radar, these campaigns typically target users in countries where their native language differs from the one used by the recipients, or where the recipients are less likely to be tech-savvy. At the moment, such campaigns are primarily focused on users in the United States, Brazil, Russia, and India. This malware is typically downloaded by infected systems when the user visits an infected website or via compromised email. Once this has happened, the attacker can deploy the next step of the campaign by sending out another batch of spam emails. One of the most effective ways of doing this is to compromise the email account of the target user. Once the attacker has been able to compromise the email account, he can send out another batch of spam emails.

Observations: What we learned during the investigation

The operators of this malware campaign have been using spam emails to target victims and spreading malware. The spam email campaigns they deploy are centered around a range of different topics and are sent from compromised email accounts and domains. These campaigns typically use two main tactics to send their spam emails: compromised email accounts, which allow for the sending out of more than one email per day; or compromised websites, which allow for the sending out of a larger number of emails at once. In order to stay under the radar, these campaigns typically target users in countries where their native language differs from the one used by the recipients, or where the recipients are less likely to be tech-savvy.

How It Works:

The most common method for deploying this malware is by sending out a spam email that contains a link to an infected website, as well as the text "see more." If successful, the user will be tricked into visiting the website and will download the file.
The next most common method of delivering this malware is by sending it via an email with a malicious attachment. Once opened, the attachment will install the malware on the system.
Finally, if the user clicks on an embedded link in a Facebook ad or similar social media platform, they will also be able to download this malware.

How Does BlackShades Malware Work?

This malware has multiple methods for infecting a computer. The primary method is the installation of a backdoor that allows the attacker to gain remote control over the infected system and perform actions like uploading malicious files, downloading, uploading, deleting, and otherwise manipulating data on the system. The second method is by installing a malicious application that will search and download new components of this malware if it detects changes in the operating system. However, this malware is mostly effective at being able to download and execute arbitrary code on an infected computer. This gives it full access to the compromised system.

The BlackShades malware was developed by a group of people known as "Blackshades" or "Blackshades Team".

How Does Adwinder.YT malware work?

The Adwinder.YT malware is typically downloaded when the user visits an infected website or receives a spam email containing an attachment that pretends to be a form for a job application. Once the file has been executed, it will drop a JavaScript file onto the system in such a way so as to be able to execute it on any of the affected machines. This JavaScript file will then serve as the main component responsible for downloading and executing other files, including additional Windows executable files (e.g. C:\Windows\system32).
When executed, this JavaScript code will first attempt to install malware on the computer by using PowerShell commands. If this fails, it will download and execute 10 files from three different URLs:

https://adwinder-ytservices.com/file/A2C752F6EAA36B1B5C41CC0AF39EC8A8
https://adwinder-ytservices.com/file/BB3D2E78AB13407E7C4EE891FD99B069
https://adwinder-ytservices.com/file/F69077E4C7230384744D34EA9CEE2223
These 10 files are all Windows executables designed to run in the background and have no clear functionality other than serving as "lures" to get more unsuspecting victims - which is what makes them so successful

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe