Hacker attack targets hotels in Brazil to steal guest card data
Published on September 24, 2025
A new threat actor, tracked as TA558, has been linked to a series of remote access trojan (RAT) attacks in Brazil and Latin America, active last quarter in a campaign named RevengeHotels. The infections were analysed and described by Kaspersky.
According to the researchers, phishing emails imitating invoices and other documents are used to deliver the VenomRAT malware via JavaScript and PowerShell, with much of the code appearing to have been generated by AI models such as ChatGPT.
VenomRAT in Brazilian hotels
Kaspersky researchers recall that RevengeHotels has been active since 2015, mainly targeting travel agencies, hotels and other hospitality businesses in Latin America. At first, the attacks used emails carrying Word, Excel and PDF files that exploited a remote code execution vulnerability in Microsoft Office (CVE-2017-0199) to deliver Virus Rat, NjRAT, NanoCore RAT, 888 RAT and ProCC to victims' computers.
The attacks then began to incorporate other remote access trojans, namely Agent Tesla, AsyncRAT, FormBook, GuLoader, LodaRAT, LokiBot, Remcos RAT, Snake Keylogger and Vjw0rm. The goal, from the beginning, has been to steal guest credit card data stored in hotel systems, as well as in online travel agencies such as Booking.com.
In the latest attacks, the phishing emails are written in Portuguese and Spanish, imitating hotel reservations and job applications to get employees to click malicious links. This leads to the download of WScript and JavaScript payloads. Large commented sections of code and their formatting indicate that AI was used to create the scripts.
The main function of the malicious code is to load further scripts that advance the infection, including a PowerShell script that fetches a loader called CargoR.TXT from an external server. That loader downloads two more payloads, which are responsible for launching VenomRAT. This malware is a commercial tool sold on monthly subscriptions of $350 (about R$ 1,850) or as a lifetime licence for $650 (R$ 3,440).
The malware is equipped with data theft capabilities and acts as a reverse proxy, with several mechanisms to prevent it from being stopped. It modifies the discretionary access control list (DACL) to remove any permission that could interfere with its operation. A loop also checks every 50 milliseconds whether the malware process is running and relaunches it if it has been terminated.
The loop also targets processes used by security analysts and system administrators to monitor suspicious activity. The tool can also establish persistence on the host through the Windows Registry, making the malware run again whenever its process is not found in the list of active programs.
If it has obtained high privileges, it uses the SeDebugPrivilege token privilege and marks itself as a critical system process, resisting any attempt to terminate it. It also forces the PC to stay powered on and prevents it from entering sleep mode.
Finally, VenomRAT can also spread via USB and shut down the native Windows Defender antivirus, tampering with the Task Scheduler and the Registry. According to Kaspersky, this shows the advancing capabilities of RevengeHotels and the help of LLMs in the continuous refinement of phishing tactics.
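The behaviours described above (a watchdog that relaunches the malware every few tens of milliseconds, Run-key persistence in the Registry, and tampering with Windows Defender) are the kind of telemetry a hotel's IT team or SOC can hunt for. The following Python triage script is an added example, not code from Canaltech or Kaspersky: it runs three simple detectors over constructed, Sysmon-like process and registry events. The file paths, timestamps, command lines and thresholds are invented for the example and are not indicators from the campaign.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, shaped loosely like Sysmon events. Every path,
# name and timestamp here is invented for this example; none is a real IoC.
SAMPLE_EVENTS = [
    {"ts": "2025-09-24T10:00:00.000", "type": "ProcessCreate",
     "image": r"C:\Users\front\AppData\Roaming\upd.exe", "cmd": "upd.exe"},
    {"ts": "2025-09-24T10:00:00.052", "type": "ProcessCreate",
     "image": r"C:\Users\front\AppData\Roaming\upd.exe", "cmd": "upd.exe"},
    {"ts": "2025-09-24T10:00:00.101", "type": "ProcessCreate",
     "image": r"C:\Users\front\AppData\Roaming\upd.exe", "cmd": "upd.exe"},
    {"ts": "2025-09-24T10:00:00.149", "type": "ProcessCreate",
     "image": r"C:\Users\front\AppData\Roaming\upd.exe", "cmd": "upd.exe"},
    {"ts": "2025-09-24T10:00:00.203", "type": "ProcessCreate",
     "image": r"C:\Users\front\AppData\Roaming\upd.exe", "cmd": "upd.exe"},
    {"ts": "2025-09-24T10:00:01.000", "type": "RegistryValueSet",
     "image": r"C:\Users\front\AppData\Roaming\upd.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\upd",
     "details": r"C:\Users\front\AppData\Roaming\upd.exe"},
    {"ts": "2025-09-24T10:00:02.000", "type": "ProcessCreate",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2025-09-24T10:05:00.000", "type": "ProcessCreate",
     "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
]

# Registry autostart locations (Run / RunOnce under CurrentVersion).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Common ways Defender gets switched off from a command line.
DEFENDER_TAMPER_RE = re.compile(
    r"Set-MpPreference\s+-Disable\w+|sc(\.exe)?\s+stop\s+WinDefend|DisableAntiSpyware",
    re.IGNORECASE)


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f")


def detect_respawn_loop(events, min_starts=5, window_ms=1000):
    """Flag any image started at least min_starts times within window_ms.
    A watchdog that re-launches a killed process every ~50 ms produces exactly
    this burst of ProcessCreate events for the same binary."""
    starts = defaultdict(list)
    for e in events:
        if e["type"] == "ProcessCreate":
            starts[e["image"].lower()].append(parse_ts(e["ts"]))
    findings = []
    for image, times in starts.items():
        times.sort()
        for i in range(len(times) - min_starts + 1):
            span_ms = (times[i + min_starts - 1] - times[i]) // timedelta(milliseconds=1)
            if span_ms <= window_ms:
                findings.append({"rule": "respawn_loop", "subject": image,
                                 "detail": f"{min_starts} starts in {span_ms} ms"})
                break  # one finding per image is enough for triage
    return findings


def detect_run_key_persistence(events):
    """Flag writes to Run/RunOnce autostart values."""
    return [{"rule": "run_key_persistence", "subject": e["target"],
             "detail": e.get("details", "")}
            for e in events
            if e["type"] == "RegistryValueSet" and RUN_KEY_RE.search(e["target"])]


def detect_defender_tamper(events):
    """Flag command lines that disable Windows Defender components."""
    return [{"rule": "defender_tamper", "subject": e["image"], "detail": e["cmd"]}
            for e in events
            if e["type"] == "ProcessCreate" and DEFENDER_TAMPER_RE.search(e.get("cmd", ""))]


def triage(events):
    """Run all detectors and return the combined list of findings."""
    return (detect_respawn_loop(events)
            + detect_run_key_persistence(events)
            + detect_defender_tamper(events))


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['subject']} :: {f['detail']}")
```

On the constructed sample the script reports one finding per rule: the five launches of the same binary inside roughly 200 ms, the Run-key value pointing at that binary, and the PowerShell command that turns off real-time monitoring. In a real environment the respawn threshold and window should be tuned against normal baseline noise (installers and service managers can also restart processes quickly), and the Run-key detector should be joined with the image path so that writes from trusted installers can be allow-listed.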
Source: Securelist