New Evasion Techniques Used by Threat Actors to Deliver Malicious Payloads

Threat actors have been found employing new evasion techniques to deliver malicious payloads to unsuspecting users. The sequence of events begins with the creation of fake websites on web hosting services, which go undetected by the hosting services themselves. When users search for relevant information and click on links from search results, they unknowingly access these malicious sites.

Notably, if a user types the URL directly instead of arriving through a search result, the site skips the redirect chain, most likely to avoid detection by security researchers. The obfuscation methods the threat actors use include string concatenation and arithmetic manipulation of values to hide the code's logic and make it hard to read.

Once a user lands on one of these fake websites, a script checks the referrer URL. If the visit came from a search engine such as Google, Bing, DuckDuckGo, Yahoo, or AOL, the site forwards the user to the next page. If the user accessed the site directly, which may indicate analysis, the site does not redirect, thereby evading detection.
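As an added illustration (not code from the original article, and not the threat actors' script), the following Python triage helper scans the scripts in a saved copy of a landing page for the two behaviours just described: a redirect conditioned on document.referrer naming one of the listed search engines, and string-concatenation obfuscation of the kind that hides those names from a simple keyword search. It re-joins split literals before looking for engine names, so "goo"+"gle" is still recognised. The sample pages, the engine list, the six-character fragment threshold and the "two engine names" threshold are constructed assumptions for this example, not observations from the campaign.

```python
import re
from dataclasses import dataclass

# Heuristics for the two behaviours described above: gating a redirect on
# document.referrer naming a search engine, and chopping strings to hide it.
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
REFERRER_RE = re.compile(r"document\s*\.\s*referrer", re.I)
REDIRECT_RE = re.compile(
    r"(?:window\s*\.\s*)?location(?:\s*\.\s*(?:href|replace|assign))?\s*[=(]", re.I)
# A literal of at most six characters immediately followed by "+" and another
# literal: the signature of a word split into fragments (threshold is an assumption).
CONCAT_RE = re.compile(r"""(["'])[^"'\n]{1,6}\1\s*\+\s*(?=["'])""")
CHARCODE_RE = re.compile(r"String\s*\.\s*fromCharCode", re.I)
DQ_JOIN = re.compile(r'"([^"\n]*)"\s*\+\s*"([^"\n]*)"')
SQ_JOIN = re.compile(r"'([^'\n]*)'\s*\+\s*'([^'\n]*)'")
SEARCH_ENGINES = ("google", "bing", "duckduckgo", "yahoo", "aol")


@dataclass
class Finding:
    script_index: int
    reads_referrer: bool
    engines_named: list
    redirects: bool
    concat_fragments: int
    uses_fromcharcode: bool

    @property
    def referrer_gate(self) -> bool:
        # Reads the referrer, names at least two engines, and redirects.
        return self.reads_referrer and self.redirects and len(self.engines_named) >= 2

    @property
    def obfuscated(self) -> bool:
        return self.concat_fragments >= 5 or self.uses_fromcharcode


def join_split_strings(script: str) -> str:
    """Collapse "ab"+"cd" chains into single literals until nothing changes."""
    prev = None
    while prev != script:
        prev = script
        script = DQ_JOIN.sub(r'"\1\2"', script)
        script = SQ_JOIN.sub(r"'\1\2'", script)
    return script


def engines_named(script: str) -> list:
    text = join_split_strings(script).lower()
    return [e for e in SEARCH_ENGINES if e in text]


def analyse_page(html: str) -> list:
    """One Finding per <script> block in the page."""
    return [
        Finding(
            script_index=idx,
            reads_referrer=bool(REFERRER_RE.search(script)),
            engines_named=engines_named(script),
            redirects=bool(REDIRECT_RE.search(script)),
            concat_fragments=len(CONCAT_RE.findall(script)),
            uses_fromcharcode=bool(CHARCODE_RE.search(script)),
        )
        for idx, script in enumerate(SCRIPT_RE.findall(html))
    ]


def gated_scripts(html: str) -> list:
    """Indices of scripts that gate a redirect on a search-engine referrer."""
    return [f.script_index for f in analyse_page(html) if f.referrer_gate]


# Constructed sample: a minimal referrer-gated redirect of the kind the article
# describes, with split-string obfuscation. Not taken from any real site.
SAMPLE_PAGE = """<html><body><p>Download</p>
<script>
var r = document.referrer;
var e = ["goo"+"gle", "bi"+"ng", "duck"+"duck"+"go", "ya"+"hoo", "a"+"ol"];
var ok = false;
for (var i = 0; i < e.length; i++) { if (r.indexOf(e[i]) > -1) { ok = true; } }
if (ok) { window.location.href = String.fromCharCode(104,116,116,112) + "s://" + "exa"+"mple" + ".invalid/next"; }
</script>
<script>console.log("benign");</script>
</body></html>"""

# Constructed benign page: reads the referrer for analytics, no gate, no redirect.
BENIGN_PAGE = """<html><body><script>
var q = document.referrer; if (q) { console.log("came from " + q); }
</script></body></html>"""

if __name__ == "__main__":
    for f in analyse_page(SAMPLE_PAGE):
        print(f.script_index, "gate" if f.referrer_gate else "-",
              "obfuscated" if f.obfuscated else "-", f.engines_named)
```

The checks are deliberately loose triage signals for a page you have already decided to look at, not a blocklist: a comparison such as `location.href == x` also trips REDIRECT_RE, and the engine-name match runs over the de-split text so that unrelated words containing "bing" are only counted alongside another engine name.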

One example of how this works: a user searches for a cracked version of software and a malicious website appears in the search results. Clicking the link leads to a fake MediaFire page hosted on Weebly.com that looks legitimate. Instead of the expected software, the user unknowingly downloads malware, which begins the payload delivery.

This payload delivery involves multiple layers of obfuscation and evasion. The file downloaded from the fake MediaFire page is a password-protected archive nested two levels deep. The installation step then drops a malicious DLL into the same directory as a genuine GNU Privacy Guard executable, so that the legitimate, trusted binary loads the attacker's DLL (DLL sideloading) and the malicious code runs under the guise of a legitimate process.

The malicious DLL then starts a legitimate process such as explorer.exe and uses process hollowing to replace its code with the attacker's, so the activity appears to come from a trusted system process and evades security tooling. In addition, the attackers use PowerShell to download heavily obfuscated scripts that further help the malware bypass antivirus software.
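The sideloading, process-hollowing and PowerShell stages described above each leave telemetry that an endpoint sensor can surface. As an added example (not from the original article, and not any vendor's detection content), the Python below runs three simple rules over constructed process-creation and image-load events: an unsigned DLL loaded by a binary from the same user-writable directory, explorer.exe started by a parent outside a small expected set, and a PowerShell command line carrying two or more download-cradle or encoded-command markers. The event format, the "expected parent" and user-writable path baselines, the marker list, and all paths, PIDs and file names are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Assumed baselines (not from the article); tune them to your environment.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "explorer.exe", "winlogon.exe", "svchost.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "net.webclient",
                  "-encodedcommand", "-enc ", "frombase64string", "invoke-expression",
                  " iex", "bypass")


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


def _win_split(path: str):
    """Split a Windows path into (lowercased dir, lowercased file name), OS-independent."""
    head, _, tail = path.replace("/", "\\").rpartition("\\")
    return head.lower(), tail.lower()


def check_sideload(ev: dict):
    # image_load events: 'signed' refers to the loaded module, 'image' to the process.
    if ev["type"] != "image_load" or ev.get("signed", True):
        return None
    exe_dir, exe_name = _win_split(ev["image"])
    dll_dir, dll_name = _win_split(ev["image_loaded"])
    if not dll_name.endswith(".dll") or dll_dir != exe_dir:
        return None
    if not exe_dir.startswith(USER_WRITABLE_PREFIXES):
        return None
    return Alert("dll_sideload_candidate", ev["pid"],
                 f"{exe_name} loaded unsigned {dll_name} from its own directory {exe_dir}")


def check_explorer_parent(ev: dict):
    if ev["type"] != "process_create":
        return None
    _, image = _win_split(ev["image"])
    _, parent = _win_split(ev["parent_image"])
    if image == "explorer.exe" and parent not in EXPECTED_EXPLORER_PARENTS:
        return Alert("explorer_unusual_parent", ev["pid"],
                     f"explorer.exe started by {parent} ({ev['parent_image']})")
    return None


def check_powershell_cradle(ev: dict):
    if ev["type"] != "process_create":
        return None
    _, image = _win_split(ev["image"])
    if image not in POWERSHELL_IMAGES:
        return None
    cmd = ev.get("command_line", "").lower()
    hits = [m.strip() for m in CRADLE_MARKERS if m in cmd]
    if len(hits) >= 2:  # a single marker such as "bypass" is too noisy on its own
        return Alert("powershell_download_cradle", ev["pid"], "markers: " + ", ".join(hits))
    return None


CHECKS = (check_sideload, check_explorer_parent, check_powershell_cradle)


def run_detections(events):
    """Apply every rule to every event, preserving event order."""
    return [alert for ev in events for check in CHECKS if (alert := check(ev))]


# Constructed telemetry mirroring the chain in the article; every value is made up.
TEMP_DIR = r"C:\Users\victim\AppData\Local\Temp\SoftwareSetup"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4100, "image": TEMP_DIR + r"\gpg.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "gpg.exe --version", "signed": True},
    {"type": "image_load", "pid": 4100, "image": TEMP_DIR + r"\gpg.exe",
     "image_loaded": TEMP_DIR + r"\helper.dll", "signed": False},
    {"type": "process_create", "pid": 4188, "image": r"C:\Windows\explorer.exe",
     "parent_image": TEMP_DIR + r"\gpg.exe", "command_line": "explorer.exe", "signed": True},
    {"type": "process_create", "pid": 4200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "signed": True,
     "command_line": "powershell.exe -nop -w hidden -ExecutionPolicy Bypass -EncodedCommand <BASE64-PLACEHOLDER>"},
    # Benign noise: explorer from its normal parent, and a signed DLL beside a binary in Program Files.
    {"type": "process_create", "pid": 5000, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "command_line": "explorer.exe", "signed": True},
    {"type": "image_load", "pid": 5100, "image": r"C:\Program Files\ExampleTool\gpg.exe",
     "image_loaded": r"C:\Program Files\ExampleTool\helper.dll", "signed": True},
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid}: {a.detail}")
```

The sideload rule keys on the combination that makes this technique work, a trusted executable resolving a DLL from its own (attacker-controlled) directory, rather than on any particular DLL name, which the attacker chooses freely. The explorer.exe parent rule catches the observable side of hollowing, since the malicious process has to create the victim process itself; correlating the three alerts on the same process tree is what turns them from noise into a lead.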

Overall, these new evasion techniques employed by threat actors showcase the increasing sophistication of cyber threats, highlighting the need for enhanced security measures to protect users from falling victim to such malicious activities.

Fabio

Full Stack Developer

About the Author

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.
