- Cybercriminals exploit fear of copyright claims to push malware in everyday online spaces
- Telegram bots now double as command-and-control hubs for an evolving set of malware threats
- Fake law firms deliver malicious software through scams written in several languages
Cybercriminals have long relied on fear to manipulate victims, and copyright allegations are proving to be one of the latest tools of choice.
Research from Cofense Intelligence found that attackers send messages designed to resemble legitimate takedown requests to many users.
The real intent of these messages, however, is to deliver malware under the guise of legal pressure.
A campaign built on deception
The report describes how a Vietnamese threat actor known as Lone None ran campaigns impersonating law firms, sending messages that claim to report copyright-infringing content on the target's website or social media account.
What makes this wave of activity notable is its use of several languages, suggesting reliance on machine translation or AI tools to generate convincing templates across regions.
Victims are hurried into following links which, instead of resolving the alleged copyright problem, lead to malware downloads.
The attack chain has several unusual characteristics that distinguish it from more traditional phishing attempts.
Instead of relying on ordinary hosting methods, the operators embedded payload information in Telegram bot profile pages.
From there, targets are directed to archive files hosted on free platforms such as Dropbox or MediaFire.
Inside these archives, legitimate applications such as PDF readers are bundled alongside the malware.
The malware loader is disguised to look like a normal Windows process and uses obfuscated Python scripts to establish persistence and retrieve additional components.
Beyond the familiar PureLogs Stealer, Cofense reports the presence of a new strain named Lone None Stealer, also called PXA Stealer.
This tool is built for cryptocurrency theft, quietly replacing wallet addresses copied to the clipboard with ones controlled by the attackers.
Communication with the operators is handled through Telegram bots, keeping the infrastructure flexible and harder to disrupt.
Although the current campaigns focus on information theft, the same methods could just as easily deliver ransomware in future iterations.
While technical indicators such as unusual Python installations on a host can aid detection, the most effective shield remains training and vigilance.
A combination of advanced email security and endpoint protection tools offers a solid defence, because mail filtering alone cannot fully stop these copyright-themed phishing campaigns.
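As an added illustration (not code from the report or from Cofense), the following Python script turns the "unusual Python installation" indicator mentioned above into a hunt over a constructed process inventory. It flags interpreters running outside an assumed set of baseline install directories, interpreters whose PE version resource says python.exe while the file on disk carries another name (the renamed-to-look-like-Windows trick), scripts launched from user-writable folders, parents launched from such folders, and inline or encoded code passed on the command line. The field names mirror Sysmon Event ID 1; the baseline directories, sample paths and process records are all assumptions.

```python
"""Hunt for Python interpreters where they should not be, over a constructed
process inventory (not data from the Cofense report). Field names follow
Sysmon Event ID 1 (process creation); the baseline paths are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str               # full path of the executable that started
    original_file_name: str  # OriginalFileName from the PE version resource
    command_line: str
    parent_image: str


# Assumed baseline: the only places a managed Python install lives on this fleet.
EXPECTED_PYTHON_DIRS = (
    r"c:\program files\python",
    r"c:\program files (x86)\python",
    r"c:\python",
)
PYTHON_BINARIES = {"python.exe", "pythonw.exe"}
# Locations writable without admin rights: where an extracted archive ends up.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
# Script arguments and inline/encoded code bodies handed to the interpreter.
SCRIPT_ARG = re.compile(r'"?([^\s"]+\.pyw?)\b', re.I)
INLINE_EXEC = re.compile(r"(^|\s)-c\s|exec\(|b64decode|marshal\.loads", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def classify(ev: ProcessEvent) -> list[str]:
    """Return the reasons this process creation looks like a rogue Python stage,
    or an empty list when it is not Python or sits within the baseline."""
    name = basename(ev.image).lower()
    orig = ev.original_file_name.lower()
    image = ev.image.lower()
    reasons: list[str] = []
    # The version-resource name survives renaming the file, so match on both.
    if orig not in PYTHON_BINARIES and name not in PYTHON_BINARIES:
        return reasons
    if orig in PYTHON_BINARIES and name != orig:
        reasons.append(f"interpreter renamed: {name} is really {orig}")
    if not image.startswith(EXPECTED_PYTHON_DIRS):
        reasons.append("interpreter outside baseline install directories")
    if USER_WRITABLE.match(image):
        reasons.append("interpreter running from a user-writable path")
    if USER_WRITABLE.match(ev.parent_image):
        reasons.append(f"parent launched from a user-writable path: {basename(ev.parent_image)}")
    for script in SCRIPT_ARG.findall(ev.command_line):
        if USER_WRITABLE.match(script):
            reasons.append(f"script from a user-writable path: {basename(script)}")
    if INLINE_EXEC.search(ev.command_line):
        reasons.append("inline or encoded code passed to the interpreter")
    return reasons


def hunt(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map pid -> reasons for every event that produced at least one finding."""
    return {ev.pid: r for ev in events if (r := classify(ev))}


# Constructed sample inventory: one developer install, two stages of the kind the
# report describes, and one genuine Windows service host.
SAMPLE_EVENTS = [
    ProcessEvent(4120, r"C:\Program Files\Python312\python.exe", "python.exe",
                 r'"C:\Program Files\Python312\python.exe" -m pip install requests',
                 r"C:\Windows\System32\cmd.exe"),
    # Interpreter copied out of the archive and renamed after a Windows binary.
    ProcessEvent(5732, r"C:\Users\bob\AppData\Roaming\Microsoft\svchost.exe", "python.exe",
                 r'"C:\Users\bob\AppData\Roaming\Microsoft\svchost.exe" '
                 r"C:\Users\bob\AppData\Roaming\Microsoft\update.pyw",
                 r"C:\Windows\explorer.exe"),
    # Windowless interpreter in the extraction folder, spawned by the bundled
    # "PDF reader", executing an encoded stage from the command line.
    ProcessEvent(6004, r"C:\Users\bob\Downloads\Copyright_Notice\pythonw.exe", "pythonw.exe",
                 r'"C:\Users\bob\Downloads\Copyright_Notice\pythonw.exe" '
                 r'-c "import base64,sys;exec(base64.b64decode(sys.argv[1]))" aW1wb3J0IG9z',
                 r"C:\Users\bob\Downloads\Copyright_Notice\PDFReader.exe"),
    ProcessEvent(912, r"C:\Windows\System32\svchost.exe", "svchost.exe",
                 r"C:\Windows\System32\svchost.exe -k netsvcs",
                 r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS).items():
        print(pid)
        for reason in reasons:
            print("  -", reason)
```

To use it against real telemetry, map Sysmon or EDR process-creation fields onto ProcessEvent and tune EXPECTED_PYTHON_DIRS to the fleet's actual baseline; developer workstations with per-user installs under AppData will otherwise light up, and the OriginalFileName check is what catches a copied interpreter even after it has been renamed.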