Google Forms Exploited in New PureHVNC Malware Attack

Google Forms Exploited in New PureHVNC Malware Attack

Posted on By CWS

Cybersecurity experts have uncovered a sophisticated malware campaign leveraging Google Forms to distribute a Remote Access Trojan (RAT) known as PureHVNC. This new threat, identified by Malwarebytes analysts, employs business-themed lures, such as fake job interviews and project documents, to deceive victims into downloading malicious software.

Deceptive Use of Google Forms

In a novel approach, attackers are using Google Forms to imitate legitimate recruitment or business processes, requesting professional information to establish credibility. Once users submit their details, they are redirected to download business-themed ZIP files from platforms like Dropbox and fshare.vn, cleverly masked by URL shorteners.

These malicious links are also distributed through professional networks such as LinkedIn, targeting individuals seeking job opportunities. The forms often impersonate reputable companies in various sectors, displaying authentic logos and branding to enhance the illusion of legitimacy.

Understanding PureHVNC RAT

The PureHVNC RAT is a modular .NET-based Trojan from the ‘Pure’ malware family, granting attackers full control over infected machines. Capabilities include executing commands, stealing browser data, and extracting information from cryptocurrency wallets and messaging apps. The malware’s configuration is base64 encoded and compressed, with its command-and-control server operating on specific IP ports.

The infection begins when victims extract the downloaded ZIP, revealing job-related documents alongside hidden executables. The malware uses DLL hijacking to load malicious code, evading immediate detection. If debugging environments are detected, the malware halts operations to avoid analysis.

Mitigation Strategies and Security Recommendations

To counter this threat, individuals and organizations should verify the authenticity of Google Forms and scrutinize unexpected job offers through official channels. Avoid clicking on shortened URLs without verifying their destination, and maintain up-to-date endpoint defenses to detect unusual DLL loads and PowerShell activity.

Security teams are advised to monitor for unauthorized process injections and encoded PowerShell tasks, particularly those targeting Windows processes like SearchUI.exe. By staying vigilant and implementing these measures, the risk of falling victim to such sophisticated cyber threats can be significantly reduced.

For ongoing updates and insights into cybersecurity trends, follow us on Google News, LinkedIn, and X. Ensure your digital resilience by setting CSN as a preferred source in Google.

Cyber Security News Tags:, , , , , , , , , , , , ,

Related Posts

Critical Cisco Vulnerability Exposes SD-WAN to Attacks Critical Cisco Vulnerability Exposes SD-WAN to Attacks Cyber Security News
NIST Releases Control Overlays to Manage Cybersecurity Risks in Use and Developments of AI Systems NIST Releases Control Overlays to Manage Cybersecurity Risks in Use and Developments of AI Systems Cyber Security News
Hackers Abusing Legitimate Cloud and CDN Platforms to Host Phishing Kits Hackers Abusing Legitimate Cloud and CDN Platforms to Host Phishing Kits Cyber Security News
North Korean Hackers Weaponizing NPM Packages to Steal Cryptocurrency and Sensitive Data North Korean Hackers Weaponizing NPM Packages to Steal Cryptocurrency and Sensitive Data Cyber Security News
Hacker Extradited to US for Stealing Over .5 Million in Tax Fraud Attacks Hacker Extradited to US for Stealing Over $2.5 Million in Tax Fraud Attacks Cyber Security News
Microsoft Criticizes Premature Zero-Day Disclosures Microsoft Criticizes Premature Zero-Day Disclosures Cyber Security News