MULTI#STORM: new phishing campaign attacks users from India and the US

Remote Access Trojans are delivered via JavaScript files and download additional payloads.

The attackers behind a new phishing campaign, codenamed MULTI#STORM, have targeted India and the US, using JavaScript files to deliver remote access trojans (RATs) such as Warzone RAT and Quasar RAT to infected systems. Researchers at Securonix reported the campaign.

The multi-stage chain of attacks begins with an email recipient clicking an embedded link in the email to a password-protected “12345” ZIP file (“REQUEST.zip”) hosted on Microsoft OneDrive.

After unpacking, the potential victim is presented with a heavily obfuscated JavaScript file (“REQUEST.js”) which, when double-clicked, starts the infection by executing two PowerShell commands that retrieve two separate payloads from OneDrive and then run them.

The first of the two files is a decoy PDF document that is displayed to the victim, while the second is a Python-based executable that runs silently in the background.

The binary acts as a dropper: it extracts and runs the main payload packaged inside it as Base64-encoded strings (“Storm.exe”), but only after establishing persistence on the system through a Windows Registry change.

The binary also decodes a second ZIP file (“files.zip”), which contains four different files, each designed to bypass User Account Control (UAC) and escalate privileges on Windows by creating fake trusted directories.

Figure: Chain of infection
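The two host-level footholds described above, Registry-based persistence and fake trusted directories, are the points a defender can audit directly. The following PowerShell script is an added example written for this article, not code from the Securonix report or from the malware. It assumes that the persistence is a Run/RunOnce key (the most common form of the Registry technique) and that the “fake trusted directories” are mock trusted directories, i.e. copies of a trusted Windows path whose name ends in a space; neither detail is stated in the article.

```powershell
# Added example (not from the Securonix report): audit the two footholds the
# MULTI#STORM chain relies on. Assumptions: persistence lives in a Run/RunOnce
# key, and the fake trusted directory carries a trailing space in its name.

function Get-RunKeyPersistence {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSChildName/... metadata that Get-ItemProperty adds
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            # Flag autostarts launched from user-writable paths or via scripting hosts,
            # which is where a dropped Python binary or JS loader would typically sit
            $suspicious = ($cmd -match '(?i)\\(Users|Temp|AppData|ProgramData)\\') -or
                          ($cmd -match '(?i)(wscript|cscript|powershell|mshta)')
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $cmd
                Suspicious = $suspicious
            }
        }
    }
}

function Get-MockTrustedDirectory {
    param([string]$Root = 'C:\')
    # Windows never creates directory names that end in whitespace; one that does
    # (for example a copy of a trusted path with a trailing space) is a strong signal
    Get-ChildItem -Path $Root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne $_.Name.TrimEnd() } |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                Reason = 'trailing whitespace in directory name'
            }
        }
}

# Usage: list suspicious autostarts, then any mock trusted directories under C:\
Get-RunKeyPersistence | Where-Object { $_.Suspicious } | Format-Table -AutoSize
Get-MockTrustedDirectory | Format-Table -AutoSize
```

The Run-key check is deliberately loose (any autostart pointing into a user profile or invoking a script host) because the article does not name the exact Registry value; review the flagged entries by hand rather than treating every hit as malicious. The directory check only inspects the root of the drive, since mock trusted directories have to sit beside the genuine path they imitate.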

Among the malicious files found in the operation is also a batch file (“check.bat”), which Securonix experts say has several similarities with another loader called DBatLoader, despite the difference in the programming language used.

Notably, a separate file named “KDECO.bat” runs a PowerShell command that instructs Microsoft Defender to add an antivirus exclusion for the “C:\Users” directory, so that anything dropped there is skipped by scanning.
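A Defender exclusion covering an entire user profile root is something an administrator can spot both in the current configuration and in Defender's own event log. The script below is an added example for this article, not code from the campaign or from Securonix. It uses the real Get-MpPreference cmdlet and the Defender operational log; the list of paths treated as “too broad” is an assumption chosen for illustration.

```powershell
# Added example (not from the Securonix report): detect over-broad Defender path
# exclusions such as the C:\Users exclusion added by KDECO.bat.

function Get-BroadDefenderExclusion {
    # Assumed list of roots whose exclusion hides most user-dropped malware from scanning
    $broadRoots = @('C:', 'C:\Users', 'C:\ProgramData', 'C:\Windows\Temp')
    $pref = Get-MpPreference
    foreach ($path in @($pref.ExclusionPath)) {
        if ([string]::IsNullOrWhiteSpace($path)) { continue }
        $norm = $path.TrimEnd('\')
        # -contains compares strings case-insensitively, so C:\USERS also matches
        $isBroad = $broadRoots -contains $norm
        [pscustomobject]@{
            ExclusionPath = $path
            TooBroad      = $isBroad
        }
    }
}

function Get-DefenderExclusionChange {
    param([int]$Days = 30)
    # Event 5007 in the Defender operational log records configuration changes;
    # exclusion edits show up as changes under Exclusions\Paths in the message text
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\Paths' } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Message = ($_.Message -replace '\s+', ' ')
            }
        }
}

# Usage: current exclusions with the over-broad ones flagged, then recent changes
Get-BroadDefenderExclusion | Format-Table -AutoSize
Get-DefenderExclusionChange -Days 30 | Format-Table -AutoSize -Wrap
```

Running Get-MpPreference does not require elevation, so the first check can be folded into a routine inventory script; correlating a 5007 event with the PowerShell script block log (event 4104) at the same timestamp will usually show the batch file or command that added the exclusion.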

The attack culminates with the deployment of Warzone RAT (also known as Ave Maria), which is sold under a malware-as-a-service (MaaS) model for $38 per month. The malware has an extensive feature set for stealing sensitive data and downloading additional malware, such as Quasar RAT.

“It is important to be especially vigilant of phishing emails, especially when they emphasize urgency. This particular bait wasn’t very stealthy, as it required the user to execute a JavaScript file directly. However, shortcuts or files with double extensions would probably have been much more successful,” the researchers say.
