CTI Roundup: PayPal Phishing, PLAYFULGHOST, and NonEuclid
Phishing campaign impersonates PayPal, PLAYFULGHOST malware spreads via phishing and SEO poisoning, and the new NonEuclid RAT gains traction
This week, CTI looks at a phishing campaign that impersonates PayPal to steal credentials and take over user accounts. Next, CTI shares details of a new malware called PLAYFULGHOST. Finally, CTI provides the latest details about NonEuclid RAT, a malware that enables remote access and control over machines.
Phishing campaign impersonates PayPal
A recent phishing campaign is impersonating PayPal to steal user credentials and take over accounts. Fortinet CISO Carl Windsor discovered the campaign after receiving a suspicious email whose “to” field contained an “onmicrosoft” address, and investigating it.
How the PayPal phishing attack works
Windsor clarifies that the phishing attack seemed to originate from a legitimate PayPal email address. When he hovered over the “pay now” link in the email, he noticed that it redirected to a valid PayPal domain, which also did not raise much suspicion.
Clicking the button in the email takes the user to a PayPal login page that shows a payment request. However, as Windsor explains in his post, entering your credentials on this page actually links your PayPal account to the email address that received the message, the “onmicrosoft” address.
How is this possible? According to Windsor, the perpetrator behind the campaign had registered an MS365 test domain and created a distribution list of victim emails. It’s important to note that these test domains are free for the first three months, making them a low-cost option for threat actors.
After setting up the test domain and distribution list, the actor can go to the PayPal web portal and request money from the distribution list. This action triggers an email to the victims, and the sender is rewritten so that the message passes security checks. Once a victim enters credentials, their account is linked with the actor’s account, giving the actor full control of the PayPal account.
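The sender and the link in this campaign both check out, so the one header-level signal left is who the message is addressed to. The following Python script is an added example, not part of the original roundup or Windsor’s post: it parses two constructed messages (header shapes only, not real captures) and flags a payment-request email whose “To”/“Cc” does not contain the mailbox that received it, or names an onmicrosoft.com tenant address. The domain contoso-trial.onmicrosoft.com and the mailbox alice@example.com are invented for the example.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages (header shapes only, not real captures).
# The first mirrors the flow described above: a genuine-looking sender, but
# the "To" field is a tenant list address, not the mailbox that received it.
SUSPECT_EMAIL = """\
From: "service@paypal.com" <service@paypal.com>
To: Billing <billing@contoso-trial.onmicrosoft.com>
Subject: You have a payment request
Delivered-To: alice@example.com

You have received a money request. Click Pay Now to complete it.
"""

# A request actually addressed to the mailbox owner, for comparison.
CLEAN_EMAIL = """\
From: "service@paypal.com" <service@paypal.com>
To: Alice <alice@example.com>
Subject: You have a payment request
Delivered-To: alice@example.com

Bob sent you a money request.
"""


def recipient_addresses(msg):
    """Lower-cased addresses from every To/Cc header in the message."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def triage_request_email(raw_message, mailbox):
    """Return the reasons (if any) a payment-request email should be reviewed
    before the recipient acts on it. Sender and link checks pass for the case
    described above, so this looks only at who the message is addressed to."""
    msg = message_from_string(raw_message)
    recipients = recipient_addresses(msg)
    reasons = []
    if mailbox.lower() not in recipients:
        # Delivered through a distribution list the user never joined.
        reasons.append("mailbox-not-addressed")
    if any(addr.endswith(".onmicrosoft.com") for addr in recipients):
        # *.onmicrosoft.com is the initial domain every Microsoft 365 tenant
        # gets, including the free test tenants described above.
        reasons.append("onmicrosoft-tenant-recipient")
    return reasons


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, triage_request_email(raw, "alice@example.com"))
```

Neither reason is proof of fraud on its own (legitimate mailing lists also put a list address in “To”), but a payment request that arrives this way is exactly the case where the usual sender and URL checks give a false sense of safety, so it is worth routing to review.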
Analyst comments from Tanium’s Cyber Threat Intelligence team
This phishing example is very interesting, especially because it doesn’t use many traditional phishing techniques. Many of the tips and tricks included in security awareness training (verifying the sender, looking for suspicious URLs, etc.) would not raise a red flag for this email, which contained a valid sender and URL.
Windsor says the best solution is the human firewall, or “someone who has been trained to be aware and cautious of any unsolicited email, regardless of how genuine it may look.”
PLAYFULGHOST spreads via phishing and SEO poisoning
Google’s Managed Defense team released details of a new malware called PLAYFULGHOST. The malware possesses several features, including keylogging, screenshot and audio capture, remote shell access, and file transfer capabilities.
Additionally, the backdoor exhibits functional similarities to the famous Gh0st RAT malware, whose source code was leaked in 2008.
PLAYFULGHOST delivery methods
Google identified two known distribution methods for PLAYFULGHOST: phishing emails and SEO poisoning.
- PLAYFULGHOST phishing example
In one phishing attack, the infection began by attempting to trick the victim into opening a malicious RAR archive attached to the email. The RAR archive had a .jpg extension, which further tricked the victim into believing it was a harmless image file.
If the victim extracts the archive, it drops a malicious Windows executable that downloads and executes PLAYFULGHOST from a remote server.
- PLAYFULGHOST SEO poisoning example
In this infection, the victims are deceived into downloading the malicious Windows executable. The executable pretends to be an installer for legitimate software such as LetsVPN.
Once it runs, it drops another malicious Windows executable that downloads components of PLAYFULGHOST from a remote server.
How does PLAYFULGHOST work?
PLAYFULGHOST uses a three-part system: a legitimate executable that hijacks the DLL search order, a malicious launcher DLL file located in the same folder, and a file containing the actual payload. The legitimate executable loads the malicious launcher DLL, which decrypts the payload into memory.
In one scenario, Google identified the actor renaming a legitimate signed executable from Tencent to svchost.exe to disguise it. The renamed binary was then used to load the malicious launcher DLL and decrypt the payload.
In another case, they observed a more sophisticated scenario that started with a Windows LNK file. This file combined a text file containing characters with a second file that held the remainder of the payload to create a new malicious DLL file.
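The three-part loading chain above works because of the order in which the Windows loader searches for a DLL that is not already loaded and not on the KnownDLLs list: with the default SafeDllSearchMode, the application’s own directory is searched before System32. The Python script below is an added example and not Google’s or the page’s own code; it models that documented order over a constructed disk snapshot, shows that a DLL placed beside the executable wins over the System32 copy while a KnownDLL does not, and then runs the two checks a defender would apply to a suspect directory: DLLs that shadow a System32 DLL of the same name, and executables outside System32 that carry a System32 binary’s name (the renamed svchost.exe case). The file names under C:\Users\victim\Downloads are invented, and example.dll is a placeholder for whichever DLL the executable imports; the KNOWN_DLLS set is only a subset of the real list.

```python
import ntpath

# Microsoft's documented default (SafeDllSearchMode on) search order for a DLL
# that is not already loaded and not a KnownDLL. The application directory
# comes before System32, which is the property DLL search-order hijacking uses.
def search_order(exe_dir, cwd, path_dirs, windows_dir="C:\\Windows"):
    return [
        exe_dir,
        ntpath.join(windows_dir, "System32"),
        ntpath.join(windows_dir, "System"),
        windows_dir,
        cwd,
        *path_dirs,
    ]

# Subset of the KnownDLLs list (the full list is in the registry). These are
# always mapped from System32, so a copy beside the executable is ignored.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


def resolve_dll(dll_name, exe_dir, cwd, path_dirs, fs, windows_dir="C:\\Windows"):
    """Path the loader would pick for dll_name, or None if nothing matches.
    fs is a set of lower-cased paths standing in for the file system."""
    if dll_name.lower() in KNOWN_DLLS:
        return ntpath.join(windows_dir, "System32", dll_name)
    for directory in search_order(exe_dir, cwd, path_dirs, windows_dir):
        candidate = ntpath.join(directory, dll_name)
        if candidate.lower() in fs:
            return candidate
    return None


def _direct_children(fs, directory):
    """File names directly inside directory (no recursion), lower-cased."""
    prefix = directory.lower().rstrip("\\") + "\\"
    return {p[len(prefix):] for p in fs
            if p.startswith(prefix) and "\\" not in p[len(prefix):]}


def hijack_candidates(exe_dir, fs, windows_dir="C:\\Windows"):
    """DLLs beside the executable that shadow a same-named System32 DLL."""
    system_names = _direct_children(fs, ntpath.join(windows_dir, "System32"))
    beside_exe = _direct_children(fs, exe_dir)
    return sorted(n for n in beside_exe
                  if n.endswith(".dll") and n in system_names and n not in KNOWN_DLLS)


def misplaced_system_binaries(fs, windows_dir="C:\\Windows"):
    """Executables outside System32 whose name matches a System32 binary,
    e.g. a signed third-party binary copied and renamed to svchost.exe."""
    sys32 = ntpath.join(windows_dir, "System32").lower() + "\\"
    system_exes = {n for n in _direct_children(fs, sys32) if n.endswith(".exe")}
    return sorted(p for p in fs
                  if not p.startswith(sys32) and ntpath.basename(p) in system_exes)


# Constructed disk snapshot: a renamed signed binary, its launcher DLL and the
# payload file in a user directory. "example.dll" is a placeholder name.
SAMPLE_FS = {p.lower() for p in [
    "C:\\Users\\victim\\Downloads\\svchost.exe",   # legitimate signed binary, renamed
    "C:\\Users\\victim\\Downloads\\example.dll",   # launcher DLL placed beside it
    "C:\\Users\\victim\\Downloads\\payload.dat",   # encrypted payload
    "C:\\Windows\\System32\\svchost.exe",
    "C:\\Windows\\System32\\example.dll",
    "C:\\Windows\\System32\\kernel32.dll",
]}

if __name__ == "__main__":
    exe_dir = "C:\\Users\\victim\\Downloads"
    print(resolve_dll("example.dll", exe_dir, "C:\\Users\\victim", [], SAMPLE_FS))
    print(resolve_dll("kernel32.dll", exe_dir, "C:\\Users\\victim", [], SAMPLE_FS))
    print(hijack_candidates(exe_dir, SAMPLE_FS))
    print(misplaced_system_binaries(SAMPLE_FS))
```

The same two checks translate directly into endpoint queries: a process named svchost.exe whose image path is not under System32, and an image load from the process’s own directory of a DLL that also exists in System32, are both cheap, high-signal conditions to alert on.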
Supported features
PLAYFULGHOST supports various functions that enable a threat actor to remotely control the system. Its data mining functions include capturing screenshots and audio, wiping and copying clipboard data, collecting hardware information, enumerating/enabling/disconnecting/logging off RDP sessions, and more.
It also has file management, data deletion, remote execution, privilege escalation, and anti-forensic capabilities. Additionally, it can download more payloads and carry out nuisance activities like changing screen resolution and hiding taskbars.
Analyst comments from Tanium’s Cyber Threat Intelligence team
While PLAYFULGHOST’s delivery methods aren’t novel, the malware does have a very expansive list of features that fit a range of threat actors’ needs.
It’s interesting to see malware with “nuisance activity,” such as blocking keyboard input, changing screen resolution, hiding taskbars, and making a beeping sound.
It’s unclear whether these features serve the malware’s operation or are simply meant to annoy the victim. Google has also published detections to help identify artifacts related to PLAYFULGHOST.
NonEuclid RAT gains traction
Cyfirma is sharing details related to the NonEuclid RAT, a new type of malware that grants remote access and control over a victim’s machine.
According to Cyfirma, the malware offers unauthorized remote access and advanced evasion techniques. It’s currently being promoted in underground cybercriminal forums.
About NonEuclid
The malware, developed in C#, comes equipped with mechanisms such as antivirus bypass, privilege escalation, anti-detection, and ransomware encryption.
Researchers have noted that the malware has gained traction due to its features, including stealth, dynamic DLL loading, anti-VM checks, and AES encryption capabilities. They have also observed tutorials and discussions about NonEuclid on Discord and even YouTube, further indicating its popularity.
How does NonEuclid work?
The malware initializes a client application through several mechanisms. It configures settings, delays startup, and ensures that certain features have administrative privileges. It then performs mutex and anti-detection checks that, if successful, establish a client socket for communication — reconnecting if the connection is lost.
The malware has an anti-scan feature that attempts to bypass Windows Defender scans by adding certain exclusions to the Defender registry settings. It also has an anti-process method that monitors running processes to identify and kill specified processes, such as Taskmgr and ProcessHacker. The malware comes with additional methods, such as anti-VM checks, AMSI bypass, and camera access.
The malware also creates a scheduled task that runs at specified intervals, hiding the command window and suppressing the output using the Windows command line to ensure persistence. This task. For privilege escalation, the malware attempts to manipulate the Windows registry and execute a command that bypasses certain restrictions.
Cyfirma examined the two executable files that are deployed when the malware runs. Using the Task Scheduler, these files operate automatically and maintain persistence by executing without requiring any interaction.
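Three of the behaviours described above leave distinct host telemetry: a registry write under the Defender Exclusions key, a schtasks.exe invocation that creates an interval task, and the termination of Taskmgr or ProcessHacker. The Python script below is an added example, not Cyfirma’s code or any Tanium detection content; it runs those three rules over constructed Sysmon-style events (JSON lines using Sysmon’s field names for event IDs 1, 5 and 13, modelled on the write-up and not real telemetry). The paths under C:\Users\v, the task name Updater and the binary svc.exe are invented for the example, and real Sysmon logs would first need converting from EVTX/XML to this JSON shape.

```python
import json
import ntpath

# Constructed Sysmon-style events as JSON lines (field names follow Sysmon's
# ProcessCreate=1, ProcessTerminate=5 and RegistryEvent/SetValue=13). They are
# modelled on the behaviours described above and are not real telemetry.
SAMPLE_EVENTS = r"""
{"EventID": 1, "UtcTime": "2025-01-10 10:00:00", "Image": "C:\\Users\\v\\AppData\\Roaming\\svc.exe", "CommandLine": "svc.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 13, "UtcTime": "2025-01-10 10:00:02", "Image": "C:\\Users\\v\\AppData\\Roaming\\svc.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\v\\AppData\\Roaming", "Details": "DWORD (0x00000000)"}
{"EventID": 13, "UtcTime": "2025-01-10 10:00:02", "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\LastScanRun", "Details": "Binary Data"}
{"EventID": 1, "UtcTime": "2025-01-10 10:00:03", "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks /create /sc minute /mo 5 /tn Updater /tr \"cmd /c svc.exe\" /f", "ParentImage": "C:\\Users\\v\\AppData\\Roaming\\svc.exe"}
{"EventID": 5, "UtcTime": "2025-01-10 10:05:10", "Image": "C:\\Windows\\System32\\Taskmgr.exe"}
{"EventID": 5, "UtcTime": "2025-01-10 10:05:11", "Image": "C:\\Tools\\ProcessHacker.exe"}
{"EventID": 1, "UtcTime": "2025-01-10 10:06:00", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
"""

# Defender stores its exclusion lists (Paths, Processes, Extensions) under this key.
DEFENDER_EXCLUSIONS = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
# Process names the write-up says the malware looks for and kills.
ANALYSIS_TOOLS = {"taskmgr.exe", "processhacker.exe"}


def parse_events(jsonl):
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def _name(path):
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule, time, actor, detail) tuples for events matching the three
    behaviours: Defender exclusion writes, interval scheduled-task creation,
    and termination of analysis tools."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        target = ev.get("TargetObject", "")
        if eid == 13 and target.startswith(DEFENDER_EXCLUSIONS):
            # detail = which list was touched and what was excluded
            alerts.append(("defender-exclusion-added", ev["UtcTime"], ev["Image"],
                           target[len(DEFENDER_EXCLUSIONS):]))
        elif eid == 1 and _name(ev.get("Image", "")) == "schtasks.exe":
            cmd = ev.get("CommandLine", "").lower()
            if "/create" in cmd and "/sc minute" in cmd:
                # actor = the parent that spawned schtasks, which is the interesting process
                alerts.append(("interval-scheduled-task", ev["UtcTime"],
                               ev.get("ParentImage", ""), ev["CommandLine"]))
        elif eid == 5 and _name(ev.get("Image", "")) in ANALYSIS_TOOLS:
            alerts.append(("analysis-tool-terminated", ev["UtcTime"], ev["Image"], ""))
    return alerts


def rule_counts(alerts):
    counts = {}
    for rule, *_ in alerts:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(*alert)
```

Each rule is noisy in isolation (administrators add exclusions and create interval tasks too), so the useful alert is the correlation: an exclusion written by a process from a user-writable path, followed within seconds by that same process creating a scheduled task, is the combination the write-up describes. Sysmon event 5 does not record which process performed the termination, so the analysis-tool rule is best used as supporting evidence for the other two rather than on its own.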
Analyst comments from Tanium’s Cyber Threat Intelligence team
Cyfirma summarizes NonEuclid by stating it “exemplifies the increasing sophistication of modern malware, combining advanced stealth mechanisms, anti-detection features, and ransomware capabilities.”
Researchers have observed discussions about this malware on multiple underground forums, which indicates that its creator is working hard to appeal to threat actors. Whether or not NonEuclid takes off remains to be seen, but its extensive list of capabilities is likely to interest threat actors.