Malware campaign attempts abuse of defender binaries
Essential information
- Published
- 30/05/2024 14:20
- Modified
- 30/05/2024 14:39
- Tags
- 2024-05-30 edr shellcode
- Related entities
- 200 observables, 5 techniques (mitre), 3 malware
Description
The report details a ransomware campaign that modifies legitimate security software files from vendors like Sophos, AVG, BitDefender, Emsisoft, and Microsoft by overwriting their entry-point code and inserting decrypted payloads as resources. This allows the malicious files to masquerade as trusted binaries and potentially avoid detection. The eventual payloads observed include malware like Cobalt Strike, Brute Ratel, Qakbot, and Latrodectus. The campaign involves abuse of expired digital signatures, malicious downloaders, and fake installers, suggesting involvement of multiple threat groups.