A visit to a print shop put a password stealer on a co-worker’s laptop
Pieter Arntz · 2024-10-01 · via Threat Walkthroughs – ThreatDown by Malwarebytes

Old-school malware distribution methods have a habit of hanging around long after people stop talking about them.

A remote co-worker was recently reminded that old-school malware distribution methods have a habit of hanging around long after people stop talking about them. In this case, the reminder came in the form of an infected USB stick.

The co-worker needed to have a document printed, and their own printer refused to do the job. Since it was urgent, they stored the document on a clean USB stick and went to the local print shop.

The document was printed, so mission accomplished. But when they got home and inserted their USB stick for another transfer a few days later, they found two new shortcuts titled “Documents” and “System Volume Information”.

Clicking on the shortcuts triggered a malware detection for Trojan.PasswordStealer.JS. (The print shop likely had some malware on its systems that it was unaware of, and was dropping a password stealer on every USB drive that was plugged in to it.)

Malwarebytes warning for Trojan.PasswordStealer.JS

After some investigation, they discovered that the shortcuts ran a malicious JavaScript file called rrrnqu.js before opening the Documents and System Volume Information folders, using the commands below:

C:\WINDOWS\system32\cmd.exe /c start rrrnqu.js&start explorer Documents&exit

C:\WINDOWS\system32\cmd.exe /c start rrrnqu.js&start explorer System" "Volume" "Information&exit
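As an added example (not code from the ThreatDown post), the Python below turns the pattern in those two commands into a check a defender can run over shortcuts pulled off a USB drive: it flags a command line that chains `start <script file>` with `start explorer <folder>`, and treats a shortcut named after the folder it opens as a decoy. It assumes the shortcut target command lines have already been extracted from the .lnk files; the sample list is constructed from the two commands quoted above plus one benign shortcut.

```python
import re
from pathlib import PureWindowsPath

# Extensions Windows hands to the Windows Script Host (or mshta) when "start"ed.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}


def split_chain(cmd: str) -> list[str]:
    """Strip a leading 'cmd.exe /c' and split the remainder on '&' / '&&'."""
    m = re.match(r'^\s*"?.*?cmd(?:\.exe)?"?\s+/[ck]\s+(.*)$', cmd, re.IGNORECASE | re.DOTALL)
    body = m.group(1) if m else cmd
    return [p.strip() for p in re.split(r"&+", body) if p.strip()]


def analyze_shortcut_command(cmd: str) -> dict:
    """Report scripts launched and folders opened by one shortcut command line.

    The article's pattern is: start <script> & start explorer <folder> & exit,
    so the victim sees the expected folder open while the script runs.
    """
    scripts, folders = [], []
    for part in split_chain(cmd):
        tokens = part.split()
        if len(tokens) < 2 or tokens[0].lower() != "start":
            continue
        if tokens[1].lower() == "explorer":
            # cmd.exe accepts System" "Volume" "Information as one argument containing spaces.
            folders.append(" ".join(tokens[2:]).replace('"', ""))
        elif PureWindowsPath(tokens[1].strip('"')).suffix.lower() in SCRIPT_EXTS:
            scripts.append(tokens[1].strip('"'))
    return {"scripts": scripts, "decoy_folders": folders,
            "suspicious": bool(scripts) and bool(folders)}


def scan_shortcuts(entries: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return (shortcut name, script) for shortcuts that open a folder of their own name."""
    hits = []
    for name, cmd in entries:
        report = analyze_shortcut_command(cmd)
        if report["suspicious"] and PureWindowsPath(name).stem in report["decoy_folders"]:
            hits.append((name, report["scripts"][0]))
    return hits


# Constructed sample modelled on the two shortcuts quoted in the article, plus a benign one.
SAMPLE_SHORTCUTS = [
    ("Documents.lnk", r'C:\WINDOWS\system32\cmd.exe /c start rrrnqu.js&start explorer Documents&exit'),
    ("System Volume Information.lnk",
     r'C:\WINDOWS\system32\cmd.exe /c start rrrnqu.js&start explorer System" "Volume" "Information&exit'),
    ("Budget.lnk", r'C:\Users\alice\Documents\budget.xlsx'),
]

if __name__ == "__main__":
    for name, script in scan_shortcuts(SAMPLE_SHORTCUTS):
        print(f"{name}: launches {script} before opening its decoy folder")
```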

Some of the more complex functions in the JavaScript file followed a two-layer obfuscation pattern, presumably in an attempt to hide what they do from static analysis. The complex functions’ code was stored in large base64-encoded strings, which were decoded and then passed through a custom decoding function that output more base64-encoded text, which was decoded again, and then executed.

The decoded functions gathered system information, elevated the script’s permissions, tried to uninstall antivirus software, and tried to steal passwords stored in the Chrome browser, as well as credentials for remote monitoring and management tools like UltraVNC and the Windows Remote Desktop Protocol (RDP).

Credentials for remote desktop applications like UltraVNC and RDP allow criminals to log into a computer and use it from anywhere in the world, as if they were sitting at the keyboard, and the credentials stolen by rrrnqu.js might be just what an Initial Access Broker (IAB) would love to build out and sell to a Ransomware-as-a-Service (RaaS) group.

Despite the use of an old and unfashionable technique, if this infection had happened on an unprotected machine in a business environment, it could have been catastrophic.

Function that looks for passwords stored in Chrome

The bottom line is that old techniques don’t care if people are talking about them or writing articles about them—they will hang around until they no longer work. And that means you need to keep protections in place to keep them at bay, even if you don’t hear about them very often. Protect your USB drives and think twice before inserting them in an unknown system.

The ThreatDown user agent detects Trojan.PasswordStealer.JS and can clean infected USB drives.