A recent campaign against cryptocurrency companies has seen the Malware-as-a-Service (MaaS) Remote Access Trojan (RAT) Parallax utilizing process hollowing to make itself more difficult to detect. According to threat researchers at Uptycs, the initial payload was delivered via a phishing email and established persistence by adding itself to the Windows startup folder. The first payload then injected the second stage of the attack into a legitimate Windows component called “pipanel.exe”. From here, the malware begins to steal information from the victim machine. The attackers have also been noted to use notepad.exe to communicate with their victims, typically instructing them to connect to an attacker-controlled Telegram channel.
Analyst Notes
Phishing continues to be a popular method of initial access for threat actors. The effectiveness of phishing attacks, when paired with increasingly popular evasion techniques such as process injection and process hollowing, create a dangerous combination. These types of attacks will likely continue to grow in popularity due to the accessibility of closed source tools like this. They also serve to highlight the importance of a mature detection program that can respond to complex attacks and the critical nature of phishing awareness programs.
https://www.uptycs.com/blog/cryptocurrency-entities-at-risk-threat-actor-uses-parallax-rat-for-infiltration
