The new campaign also involves replacing cryptocurrency addresses shared via clipboard and setting up fake cryptocurrency websites.
Trend Micro researchers have shared details of a new campaign distributing SpyAgent malware by abusing legitimate use RATs (remote access tools), including TeamViewer.
Safib assistant also abused in the scam
According to a report from Trend Micro, the campaign involves abusing a legitimate Russian RAT called Safib Assistant through a new variant of SpyAgent malware. The scammers exploit a DLL sideloading vulnerability that loads a malicious DLL, which hooks and patches different API functions that the RAT calls. This hides the RAT windows from the user.
Afterward, the malicious DLL starts reporting the RAT’s ID that the attacker requires to establish a connection with the infected device and gain control over it. The malware then changes the access password to a fixed one. Due to this, the attacker only needs to have the RAT’s ID to connect to the infected device.
Malware Dropper Distributed via Fake Websites
SpyAgent dropper is distributed via bogus cryptocurrency-related websites, most of which are in the Russian language. The dropper is equipped with a fake cryptocurrency wallet, surfing