Google Forms Exploited in New PureHVNC Malware Attack

Google Forms Exploited in New PureHVNC Malware Attack

Posted on By CWS

Cybersecurity experts have uncovered a sophisticated malware campaign leveraging Google Forms to distribute a Remote Access Trojan (RAT) known as PureHVNC. This new threat, identified by Malwarebytes analysts, employs business-themed lures, such as fake job interviews and project documents, to deceive victims into downloading malicious software.

Deceptive Use of Google Forms

In a novel approach, attackers are using Google Forms to imitate legitimate recruitment or business processes, requesting professional information to establish credibility. Once users submit their details, they are redirected to download business-themed ZIP files from platforms like Dropbox and fshare.vn, cleverly masked by URL shorteners.

These malicious links are also distributed through professional networks such as LinkedIn, targeting individuals seeking job opportunities. The forms often impersonate reputable companies in various sectors, displaying authentic logos and branding to enhance the illusion of legitimacy.

Understanding PureHVNC RAT

The PureHVNC RAT is a modular .NET-based Trojan from the ‘Pure’ malware family, granting attackers full control over infected machines. Capabilities include executing commands, stealing browser data, and extracting information from cryptocurrency wallets and messaging apps. The malware’s configuration is base64 encoded and compressed, with its command-and-control server operating on specific IP ports.

The infection begins when victims extract the downloaded ZIP, revealing job-related documents alongside hidden executables. The malware uses DLL hijacking to load malicious code, evading immediate detection. If debugging environments are detected, the malware halts operations to avoid analysis.

Mitigation Strategies and Security Recommendations

To counter this threat, individuals and organizations should verify the authenticity of Google Forms and scrutinize unexpected job offers through official channels. Avoid clicking on shortened URLs without verifying their destination, and maintain up-to-date endpoint defenses to detect unusual DLL loads and PowerShell activity.

Security teams are advised to monitor for unauthorized process injections and encoded PowerShell tasks, particularly those targeting Windows processes like SearchUI.exe. By staying vigilant and implementing these measures, the risk of falling victim to such sophisticated cyber threats can be significantly reduced.

For ongoing updates and insights into cybersecurity trends, follow us on Google News, LinkedIn, and X. Ensure your digital resilience by setting CSN as a preferred source in Google.

Cyber Security News Tags:, , , , , , , , , , , , ,

Related Posts

Red Hat Breach Exposes 5000+ High Profile Enterprise Customers at Risk Red Hat Breach Exposes 5000+ High Profile Enterprise Customers at Risk Cyber Security News
New Polymorphic Python Malware Repeatedly Mutate its Appearance at Every Execution Time New Polymorphic Python Malware Repeatedly Mutate its Appearance at Every Execution Time Cyber Security News
Critical Jenkins Security Flaws Threaten Server Safety Critical Jenkins Security Flaws Threaten Server Safety Cyber Security News
Humata Health Enhances Security with AccuKnox Partnership Humata Health Enhances Security with AccuKnox Partnership Cyber Security News
Windows Remote Desktop Services Vulnerability Let Attackers Escalate Privileges Windows Remote Desktop Services Vulnerability Let Attackers Escalate Privileges Cyber Security News
How Fiber Optic Cables Can Secretly Eavesdrop on Conversations How Fiber Optic Cables Can Secretly Eavesdrop on Conversations Cyber Security News