Multiple payloads distributed by CastleBot MaaS platform

GBHackers News reports that the newly emergent CastleBot malware-as-a-service framework, which has ramped up activity since May, has enabled the distribution of a plethora of malicious payloads, including information-stealing malware and ransomware-linked backdoors.

Attacks involving CastleBot, which features victim filtering, infection management, and host enumeration data gathering capabilities, commence with weaponized software installers spread via malicious websites promoted through search engine optimization poisoning, according to an IBM X-Force report. Integrated within CastleBot are a shellcode stager, a loader that maps PE sections and resolves imports, and a primary backdoor that performs API hashing and configuration decryption to facilitate deployment of the WarmCookie, Rhadamanthys, Remcos, and DeerStealer payloads, researchers said. Additional findings showed that CastleBot was improved last month with a WOW64 bypass, msiexec.exe-based MSI execution, and QueueUserAPC-based advanced injection. CastleBot's continuing evolution should prompt organizations to further refine their security measures, researchers added.
