Hackers Attacking Indian Banks via JAVA RAT To Hack Java Installed Windows, Linux, and Mac

With the whole world in lockdown because of the COVID-19 pandemic, cybercriminals see an unusually tempting opportunity, and recently attackers have turned it against co-operative banks across India.
Researchers uncovered a new campaign in which the attackers use a renewed wave of the “Adwind Java RAT” to attack co-operative banks in India.
Unfamiliar with co-operative banks? They are small banks that generally do not have a large, trained IT and cybersecurity team able to handle this kind of cyberattack.
Like other COVID-19-themed attacks, this Java RAT campaign starts with a spear-phishing email.
The difference here is that the phishing emails sent to victims claim to come from the Reserve Bank of India or from another large banking institution in the country.
According to the Quick Heal report, these phishing emails refer to new RBI guidelines or to a transaction whose details are supposedly in an attached file; the real surprise is that the attachment is a zip file.
Inside that zip file, the attacker places a malicious JAR file named to look like a detailed report.
The screenshot in the original report shows the malicious zip file attached under the name of a detailed report. To deceive victims further, the attacker embeds popular document extensions such as xlsx and pdf in the file names.

Infection Vector

The malicious JAR file sent to the victims is a remote administration trojan, and because it is written in Java the attackers can run it on any Windows, Linux, or Mac machine with Java installed.
The malicious payload persists by altering a registry key and then drops a JAR file in the %appdata% location; all of this happens automatically once the user opens the attachment sent by the attacker.

To evade detection by antivirus products, the malicious JAR file uses multiple layers of encryption and obfuscated code.
Once the malicious JAR file executes on the victim’s system, it turns into a remote administration tool (JRAT) that allows the attackers to perform several kinds of malicious activity, including the following:
  • The backdoor can create or delete its own persistence when commanded to.
  • Adwind RAT is capable of controlling the victim’s desktop remotely.
  • The attacker uses Java’s Robot class to control the mouse and keyboard and to take screenshots, driven by commands sent from a remote machine.
  • Backdoors of this kind often lead to the theft of credentials for important financial infrastructure.
  • Cyberattacks on banks can lead to the theft of all customer data and of important details about the bank’s financial infrastructure.

Email Subjects and Attachment Names Used in the Java RAT Campaign

Email Subjects:
  • Urgent – COVID measures monitoring template
  • Query Reports for RBI INSPECTION
  • Moratorium
  • FMR returns
  • Assessment Advice-MH-603
  • [874890897] – MIS for NEFT/RTGS, 06-04-2020 [1]
  • Deal confr.
  • DI form
Attachment Names:
  • Covid_19_measures_Monitoring_Template-Final_xlsx.zip
  • NSBL-AccListOnTheBasisOfKYCData_0600402020_pdf.zip
  • Gazette notification&RBI_Directives_file-00000120_pdf.zip
  • Fmr-2_n_fmr_3_file_000002-pdf.zip
  • MON01803_DIC_pdf.zip
  • FIXEDCOMPNULL_xls.zip
  • SHRIGOVARDHANSING0023JI001_pdf.zip
  • DI_form_HY_file_00002_pdf .zip
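As an added illustration (not code from the original article or from Quick Heal), the Python triage helpers below check the indicators the article describes: archive names that carry a decoy document extension such as `_pdf.zip`, archives that contain a JAR, and a Windows Run-key command that launches a JAR from %appdata%. The sample zip and the Run-key command lines are constructed for the example; the regular expressions, function names and decoy-extension list are this example’s own assumptions, not indicators published by Quick Heal.

```python
import io
import re
import zipfile

# Decoy document extensions the article says the campaign embeds in archive names.
DECOY_EXTS = ("xlsx", "xls", "pdf", "doc", "docx")
# Matches names such as "Fmr-2_n_fmr_3_file_000002-pdf.zip" or "DI_form_HY_file_00002_pdf .zip".
DECOY_NAME_RE = re.compile(
    r"[_\-\s](?:" + "|".join(DECOY_EXTS) + r")\s*\.zip$", re.IGNORECASE)
# Run-key value that starts Java with a JAR under the roaming profile
# (either the literal %appdata% variable or its expanded path). Assumed pattern.
RUN_VALUE_RE = re.compile(
    r'javaw?(?:\.exe)?"?\s+(?:\S+\s+)*-jar\s+"?'
    r'(?:%appdata%|[a-z]:\\users\\[^\\]+\\appdata\\roaming)', re.IGNORECASE)

def has_decoy_extension(name: str) -> bool:
    """True when a .zip name carries a fake document extension right before .zip."""
    return DECOY_NAME_RE.search(name) is not None

def jar_members(zip_bytes: bytes) -> list:
    """Return the JAR entries inside an archive (empty list if none or not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(".jar")]
    except zipfile.BadZipFile:
        return []

def triage_attachment(name: str, zip_bytes: bytes) -> list:
    """Reasons an attachment resembles the campaign's lure; an empty list means no hit."""
    reasons = []
    if has_decoy_extension(name):
        reasons.append("decoy document extension in archive name")
    jars = jar_members(zip_bytes)
    if jars:
        reasons.append("archive contains JAR: " + ", ".join(jars))
    return reasons

def run_value_suspicious(command: str) -> bool:
    """True when a Run-key command launches a JAR from %appdata% (the RAT's drop location)."""
    return RUN_VALUE_RE.search(command) is not None

def build_zip(entries: dict) -> bytes:
    """Constructed sample: build an in-memory zip from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, data in entries.items():
            zf.writestr(entry_name, data)
    return buf.getvalue()

if __name__ == "__main__":
    lure = build_zip({"Detailed_Report_pdf.jar": b"constructed placeholder, not a real JAR"})
    print(triage_attachment("DI_form_HY_file_00002_pdf .zip", lure))
    print(run_value_suspicious(r'"C:\Program Files\Java\bin\javaw.exe" -jar "%APPDATA%\report.jar"'))
```

The name check alone will also flag legitimate archives that happen to use this naming style, so treat it as a triage signal to combine with the JAR-content check rather than a blocking rule.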
These campaigns have a direct impact on the banks and their customers: the attackers could steal customers’ data and important details about the banks’ financial infrastructure.
Quick Heal strongly recommends that users take the necessary security measures and avoid opening attachments in emails from unknown sources.
Source: GbHackers