Weekly Cyber Round-up

RolandSkimmer campaign uses malicious browser extensions to steal financial data

Fortinet researchers observed a credit card skimming campaign, dubbed RolandSkimmer, targeting individuals in Bulgaria. The campaign leverages malicious browser extensions across Google Chrome, Microsoft Edge, and Firefox to harvest and exfiltrate sensitive financial data from users. The attack begins with a malicious ZIP file containing a deceptive LNK file, which deploys obfuscated VBScripts to establish persistent and covert access. The attacker then downloads additional files, with malicious JavaScript payloads and encoded RAR files used to install the malicious browser extensions, depending on the target browser. The attackers also replaced legitimate Microsoft Edge shortcuts in the Desktop and Taskbar with the malicious shortcuts.

Phishing campaigns distribute Grandoreiro banking trojan to Latin America and Europe

Forcepoint researchers observed a resurgence in Grandoreiro banking trojan activity, with the malware currently being distributed in large-scale phishing campaigns to banking users in Latin American and Europe. Threat actors leverage VPS hosting providers and obfuscation techniques to evade detection, as well as dynamic URLs and social engineering to maximize the malware’s reach and effectiveness. A recent campaign, targeting Mexico, Argentina, and Spain, impersonates tax agencies and uses fraudulent government emails to trick users. The emails are marked as high importance and contain malicious URLs that redirect users to the website of the Contabo hosting service, where they are prompted to download a PDF, which downloads a ZIP file. The ZIP file leads victims to download an obfuscated VBScript and an EXE payload disguised as an Acrobat Reader error pop-up designed to steal credentials.

Gamaredon targets Ukrainian users with war-related lures to deliver Remcos backdoor

Cisco Talos researchers discovered a suspected Gamaredon campaign, ongoing since at least November 2024, targeting Ukrainian users with malicious LNK files that ultimately deliver the Remcos backdoor. The LNK files are compressed inside ZIP archives and often disguised as Office documents, named using Russian words related to the movement of troops in Ukraine as a lure. The researchers believe that Gamaredon is likely maintaining its technique of sending phishing emails attached with a ZIP file or containing a URL link to download the file from a remote host. The LNK files contain PowerShell code that downloads and executes the next-stage payload in ZIP format, as well as a decoy file. The ZIP payload contains an executable binary that loads a malicious DLL via DLL sideloading, which in turn serves as the loader for Remcos.

First Ukrainian International Bank users targeted with Emmenhtal to deliver SmokeLoader

G DATA researchers discovered a campaign impersonating First Ukrainian International Bank to deliver the Emmenhtal malware loader to users. The malware was observed being chained with SmokeLoader, enabling the attackers to deploy additional malware dynamically using SmokeLoader’s modular capabilities. The campaign starts with an email claiming to confirm a payment has been made. The email contains a 7z archive file attachment with supposed payment instructions, which, once extracted, reveals a decoy PDF file and a PDF shortcut. The latter is used to download a file from a remote server that executes mshta via PowerShell to download Emmenhtal, which is later used to deploy SmokeLoader.