Recently, eSentire's Threat Response Unit (TRU) reported that since November 2022 it has observed the return of a malicious campaign that explicitly targets the following organizations:-
Cybersecurity researchers assess that the campaign is being carried out by threat actors who are native Russian speakers.
In this analysis, the experts focus on four separate incidents in which BlueSteel, eSentire's machine-learning classifier for PowerShell, flagged malicious commands that executed a script fetched from an attacker-controlled domain.
Weaponized PDF Files as Initial Vector
A phishing email was identified as the initial infection vector.
The attackers are actively using email hijacking to distribute the malicious payload, which is delivered via PDF attachments.
To deceive users into thinking the sender domain is genuine, the attackers host the sender domain on a Vesta Control Panel instance.
A link embedded in the PDF attachment redirects the user to the saprefx[.]com domain.
The behavior of the domain changes depending on the user’s location.
Depending on the user's location, one of two things happens:-
Users will encounter the TeamViewer installer page.
The VBS file connects to the C2 server, passing the serial number of the C: drive as a parameter.
It then downloads a Windows Installer (MSI) package and silently launches it in the background without the user's knowledge.
The MSI files bundle several tools and scripts, mainly tailored to capture screenshots of the infected computer.
Screenshot capture is performed by an AutoHotKey script. The tools observed are listed below:-
In the early stages of the campaign, security analysts observed the threat actors dropping:-
Cobalt Strike payload
The previously mentioned malicious PowerShell command fetches and executes the PowerShell script, which is located at:-
The PowerShell script uses LoadLibraryA to load kernel32.dll and crypt32.dll.
It then calls CryptStringToBinaryA from crypt32.dll to decode the embedded base64 string into binary.
The decoded payload is a Cobalt Strike loader, which uses CreateToolhelp32Snapshot to enumerate running processes and locate the “powershell.exe” process.
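As an added example (not eSentire's tooling and not code from the campaign), the Python script below triages a PowerShell script for the decode-and-load pattern just described: manual resolution of LoadLibraryA and CryptStringToBinaryA against kernel32.dll and crypt32.dll, a long base64 blob, and a decoded blob that carries a PE header. The sample PowerShell text and its embedded "payload" are constructed for the demonstration; GetProcAddress is included as an assumed companion indicator, since it is the usual partner of LoadLibraryA in such loaders, and the blob-length threshold is set low so the small constructed sample is caught.

```python
"""Triage a PowerShell script for the decode-and-load loader pattern."""
import base64
import binascii
import re
import struct

# APIs the loader resolves per the analysis (LoadLibraryA, CryptStringToBinaryA).
# GetProcAddress is an assumption added here as a common companion indicator.
API_INDICATORS = ("LoadLibraryA", "GetProcAddress", "CryptStringToBinaryA")
DLL_INDICATORS = ("kernel32.dll", "crypt32.dll")

# Real loaders embed blobs of tens of kilobytes; the threshold is low only so the
# constructed sample below matches. Raise it in production to reduce noise.
MIN_BLOB_LEN = 64
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_BLOB_LEN)


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def extract_blobs(script: str) -> list:
    """Decode every long base64 run in the script, skipping runs that are not valid base64."""
    blobs = []
    for match in BLOB_RE.finditer(script):
        try:
            blobs.append(base64.b64decode(match.group(0), validate=True))
        except (binascii.Error, ValueError):
            continue  # long alphanumeric run that is not base64 (e.g. a hash)
    return blobs


def triage(script: str) -> dict:
    """Return the indicators found and a verdict for one PowerShell script."""
    apis = [a for a in API_INDICATORS if a in script]
    dlls = [d for d in DLL_INDICATORS if d.lower() in script.lower()]
    blobs = extract_blobs(script)
    pe_blobs = [b for b in blobs if looks_like_pe(b)]
    # Manual API resolution plus an embedded PE is the loader pattern described
    # in the analysis; API resolution on its own is weaker but still worth a look.
    if apis and pe_blobs:
        verdict = "loader: in-memory PE decode"
    elif apis:
        verdict = "suspicious: manual Win32 API resolution"
    else:
        verdict = "no loader indicators"
    return {"apis": apis, "dlls": dlls, "blobs": len(blobs),
            "pe_blobs": len(pe_blobs), "verdict": verdict}


def _fake_pe() -> bytes:
    """Constructed 128-byte PE-shaped blob (DOS header + 'PE' signature), not a real binary."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)       # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\0\0" + b"\x00" * 60


# Constructed sample mimicking the described loader; not the actual campaign script.
SAMPLE_SCRIPT = f"""
$k = [Win32]::LoadLibraryA("kernel32.dll")
$c = [Win32]::LoadLibraryA("crypt32.dll")
$b64 = "{base64.b64encode(_fake_pe()).decode()}"
$len = 0
[Win32]::CryptStringToBinaryA($b64, $b64.Length, 1, $null, [ref]$len, $null, $null)
"""

# Constructed benign script for comparison.
BENIGN_SCRIPT = "Get-ChildItem C:\\Users | Select-Object Name"

if __name__ == "__main__":
    print(triage(SAMPLE_SCRIPT))
    print(triage(BENIGN_SCRIPT))
```

The PE check is deliberately stricter than a bare "MZ" prefix: it follows e_lfanew to the "PE\0\0" signature, so a base64 blob that merely begins with the letters "MZ" is not mis-flagged. Blobs split across string concatenations are not reassembled here and would need a pre-pass.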
In the second incident, the threat actors introduced a custom-built backdoor called “resident2.exe”, a 32-bit executable written in C.
In the last incident, the threat actors first ran au3.exe, which then spawned a chain of additional malicious executables.
The files dropped by the threat actors are listed below:-
Terminal App Service.vbs (C:\ProgramData\Cis)
app.js (C:\ProgramData\Dored) – similar to the previous case
index.js (C:\ProgramData\Dored) – screenshot sender script, similar to the 3rd incident
skev.jpg – screenshot image (C:\ProgramData\Dored)
The security researchers offer the following recommendations:-
Validate that every device has an EDR solution deployed.
Use Phishing and Security Awareness Training (PSAT) to educate employees on the risks of commodity stealers and drive-by downloads.
Ensure there are established protocols for employees to follow when submitting content that may be deemed malicious for proper assessment.
Cyber Security News