ModernLoader Bot Detection: Spreads via Bogus Amazon Gift Cards, Compromises Users in Eastern Europe

ModernLoader Bot

ModernLoader bot, aka Avatar bot, is a .NET remote access trojan with the capabilities to download and run files from the C&C server, harvest system information, and run arbitrary instructions. With the remote control provided by the malware, threat actors use the breached network for botnet propagation.

The chain of evidence suggests that these attacks can be attributed to a new group of russian-speaking cyber criminals targeting users in Poland, Hungary, Bulgaria, and russia. Adversaries compromise vulnerabilities in WordPress and CPanel, luring users into downloading malicious implants disguised as Amazon gift certificates.

Detect ModernLoader Bot

To proactively defend against ModernLoader RAT, SOC Prime has released a unique, context-enriched Sigma rule developed by the perspicacious Threat Bounty Program contributor Aykut Gürses:

Scheduled Task Detection of ModernLoader crypto miners and RATs (via cmdline)

This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Chronicle Security, Devo, LimaCharlie, Snowflake, Microsoft Defender ATP, CrowdStrike, Apache Kafka ksqlDB, AWS OpenSearch, Carbon Black, Securonix, and Open Distro.

The rule is aligned with the MITRE ATT&CK® framework v.10, addressing the Execution tactic with Scheduled Task/Job (T1053) as the primary technique.

Aspiring security professionals striving to keep up with the latest trends shaping the current cyber threat landscape will benefit from the industry-first Cyber Threats Search Engine. Press the Explore Threat Context button to instantly navigate the pool of the top RAT-related threats and newly released detection algorithms, exploring relevant contextual information in a single place. Both aspiring and experienced security professionals striving to keep up with the latest trends shaping the current cyber threat landscape will benefit from browsing the vast content library is constantly updated with vetted pieces, now reaching the amount of more than 200,000 context-enriched detections. Explore available subscription plans by pressing the Choose a Plan button. Stay ahead of the adversary hussle-free!

Explore Detections Choose a Plan

ModernLoader Distribution Campaign

Cisco Talos research team detected a tidal wave of malware distribution within the March to June 2022 timeframe. Based on observed attacks and news reports, it is possible to single out three malware distribution campaigns, spreading ModernLoader RAT, RedLine information stealer malware, and cryptocurrency miners. The attackers leverage PowerShell, .NET assemblies, and HTA and VBS files to move laterally across the compromised networks, dropping additional malicious payloads. These attacks expose global organizations in various industry sectors to severe risks.

The threat actor behind the listed campaigns is using off-the-shelf tools; researchers take it as an indicator of the criminal actor’s lack of technical skills required to design their own tooling.

In 2022, the number of cyber-attacks worldwide is expected to surpass prior year records. We practice the Follow the Sun (FTS) model, ensuring timely response to threats enabled by industry leaders from locations in different time zones, so our clients can yield the best results with the innovative Detection as Code approach. Get ahead of adversaries with comprehensive solutions crafted by industry leaders from SOC Prime.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts