Three disparate campaigns between March and June 2022 have been found to share the same techniques and malware, delivering Remote Access Trojans and cryptocurrency miners to compromised systems. One key feature of these campaigns is the use of ModernLoader, a .NET Remote Access Trojan that has been around since 2019, as the primary Command and Control (C2) channel.
The infection chain of these campaigns used fake Amazon gift card lures to distribute malware hosted on compromised WordPress sites. The first stage downloads an encrypted HTA payload that, when executed, downloads additional PowerShell code to run. This PowerShell code performs two tasks: it disables AMSI scanning on the system, and then it injects the final stage payload into a newly created svchost.exe process via process hollowing. This final payload is an instance of ModernLoader, which automatically collects information about the system and sends it to the C2 server. This information includes the Active Directory or workgroup name, the external IP address of the system, operating system version details, user privileges, anti-virus products installed on the system, and so on. The RAT is then set up to receive commands from the C2 server and execute them on the system. In these campaigns, ModernLoader was seen delivering further malware, such as XMRig for cryptocurrency mining and other RATs such as DCRat.
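As an added example (not code from the original report), the following Python routine applies the parent/child relationships of this chain to constructed Sysmon-style process-creation records: mshta.exe launching powershell.exe, a PowerShell command line that references AMSI, and an svchost.exe whose parent is not services.exe, which is the tell-tale of the hollowing step. The field names, the sample events and the generalisation to any non-services.exe parent of svchost.exe are assumptions that need tuning against real telemetry.

```python
"""Detection heuristics for the ModernLoader infection chain described above.

Added example, not code from the original report. It walks constructed
process-creation events (Sysmon-style fields, assumed) and flags the
parent/child relationships the chain produces.
"""
from collections import namedtuple

# Constructed sample telemetry: (pid, ppid, image path, command line).
Event = namedtuple("Event", "pid ppid image cmdline")
SAMPLE_EVENTS = [
    Event(100, 1, r"C:\Windows\System32\services.exe", "services.exe"),
    Event(200, 100, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    Event(300, 50, r"C:\Windows\System32\mshta.exe",
          "mshta.exe https://example.invalid/giftcard.hta"),  # constructed lure URL
    Event(301, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          'powershell.exe -w hidden -c "# constructed stage-2 that tampers with amsi"'),
    Event(302, 301, r"C:\Windows\System32\svchost.exe", "svchost.exe"),
]


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_chain(events):
    """Return (pid, reason) findings for events matching the chain's heuristics."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else None
        name = basename(e.image)
        # Stage 1: the HTA host launching PowerShell.
        if name == "powershell.exe" and parent_name == "mshta.exe":
            findings.append((e.pid, "mshta.exe spawned powershell.exe"))
        # AMSI tampering heuristic: benign scripts rarely mention AMSI at all.
        if name == "powershell.exe" and "amsi" in e.cmdline.lower():
            findings.append((e.pid, "powershell command line references AMSI"))
        # Hollowing target: svchost.exe is normally started by services.exe only.
        if name == "svchost.exe" and parent_name != "services.exe":
            findings.append((e.pid, f"svchost.exe spawned by {parent_name or 'unknown'}"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect_chain(SAMPLE_EVENTS):
        print(pid, reason)
```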
These campaigns have been attributed to a previously undocumented Russian-speaking threat actor, potentially targeting users in Eastern European regions. The advancements made between campaigns show a threat actor that is experimenting with different tools and techniques, but that primarily relies on open-source code or off-the-shelf tools in its infection chains.