"The initial code execution tactic through .lnk file execution is trivial and used by many threat actors these days. However, the PowerShell and VBScript code used are unique and sophisticated, especially from an AV avoidance and obfuscation standpoint, making this campaign important to watch."

It's a multi-step attack

After the shortcut file is opened, the heavily obfuscated VBScript is launched, containing nonsensical sentences used to evade detection by antivirus tools.

Next comes the PowerShell code, which includes unconventional obfuscation methods, including manipulating strings of text pulled into it by passing them into a function called "Unrhe9" that converts them into valid PowerShell syntax, which is then executed. The next stage of the PowerShell execution also includes similar obfuscation techniques.

After the binary payload – also obfuscated – is launched and one of the three C2 servers linked to the campaign is contacted, attackers can access the targeted system. The code, when made readable, looks similar to code that has been seen in the wild executing other attacks involving Cobalt Strike and backdoor remote access trojans (RATs), like Kovter.

The Securonix researchers saw the ieinstal.exe binary capturing clipboard data and recording keystrokes as soon as it was up and running.

Two of the three C2 IP addresses were registered to a company called Petersburg Internet Network in Russia. The third address was registered to Des Capital in the US.

"This could indicate Russian origins," the researchers wrote. "However the possibility of false flag operations cannot be ruled out at this point."

Since all the samples that Securonix Threat Research identified are fairly recent, it's clear that this campaign is still ongoing.

Tax season and scammers …

"Businesses and individuals should be extra vigilant when opening tax-related emails, especially as the tax deadline in the US approaches."
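One way a defender can look for the chain described above (shortcut opened → script host → obfuscated PowerShell) in process-creation telemetry. This is an added example, not code from the article or from Securonix; the events, the indicator list and the function names are constructed for illustration.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style, flattened).
# Not from the report: the .vbs name and the command lines are made up.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "wscript.exe",
     "cmd": 'wscript.exe "C:\\Users\\u\\Downloads\\tax_return_2022.vbs"'},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmd": ("powershell.exe -nop -w hidden -c \"function Unrhe9($x){-join ($x.ToCharArray()"
             "[-1..-($x.Length)])}; $p=Unrhe9 'tsoH-etirW'; & $p ('con'+'struc'+'ted')\"")},
    {"pid": 400, "ppid": 100, "image": "powershell.exe",
     "cmd": "powershell.exe -File C:\\Scripts\\inventory.ps1"},  # benign admin script
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Indicators of the string-rebuilding style of obfuscation the article describes.
INDICATORS = [
    (r"-join\b", "join"), (r"\[char\]", "char-cast"), (r"\biex\b|invoke-expression", "iex"),
    (r"tochararray", "chararray"), (r"-w(indowstyle)?\s+hidden", "hidden-window"),
    (r"-nop\b|-noprofile", "noprofile"), (r"-enc(odedcommand)?\b", "encoded"),
    (r"&\s*\$\w+", "call-via-variable"), (r"function\s+\w*\d\w*\s*\(", "numeric-func-name"),
]

def obfuscation_findings(cmd):
    """Return the names of obfuscation indicators present in one command line."""
    low = cmd.lower()
    hits = [name for pattern, name in INDICATORS if re.search(pattern, low)]
    if len(re.findall(r"'\s*\+\s*'", cmd)) >= 2:   # 'a'+'b'+'c' string rebuilding
        hits.append("string-concat")
    return hits

def script_host_chain(events):
    """PIDs of powershell.exe whose parent is a script host launched from explorer.exe."""
    by_pid = {e["pid"]: e for e in events}
    flagged = []
    for e in events:
        if e["image"].lower() != "powershell.exe":
            continue
        parent = by_pid.get(e["ppid"])
        grand = by_pid.get(parent["ppid"]) if parent else None
        if (parent and parent["image"].lower() in SCRIPT_HOSTS
                and grand and grand["image"].lower() == "explorer.exe"):
            flagged.append(e["pid"])
    return flagged

def triage(events, min_hits=3):
    """Alert on PowerShell that sits in the chain or carries several indicators."""
    chain = set(script_host_chain(events))
    alerts = {}
    for e in events:
        if e["image"].lower() != "powershell.exe":
            continue
        hits = obfuscation_findings(e["cmd"])
        if e["pid"] in chain or len(hits) >= min_hits:
            alerts[e["pid"]] = {"chain": e["pid"] in chain, "indicators": hits}
    return alerts
```

Running `triage(SAMPLE_EVENTS)` flags only PID 300, which both sits in the explorer → wscript → powershell chain and carries seven indicators, while the plain `-File` invocation is left alone.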