
"The campaign began in late February, and the attack chain starts with a WhatsApp message that delivers malicious Visual Basic Script (VBS) files. The attacker tricks the message recipient into executing the malicious file on their system, likely using a compromised WhatsApp session."
"Once executed, the malicious script creates hidden folders in C:\ProgramData and drops renamed versions of legitimate Windows utilities, allowing attackers to blend in with normal network activity. This technique is known as 'living off the land'."
"Notably, these renamed binaries retain their original PE (Portable Executable) metadata, including the OriginalFileName field which still identifies them as curl.exe and bitsadmin.exe. This means Microsoft Defender and other security solutions can leverage this metadata discrepancy as a detection signal."
A multi-stage attack using WhatsApp messages has been identified, where malicious Visual Basic Script files are sent to victims. Attackers trick recipients into executing these files, often using compromised accounts or urgent lures. Once executed, the scripts create hidden folders and drop renamed legitimate Windows utilities, allowing attackers to blend in with normal activity. However, these renamed binaries retain original metadata, which can be used by security solutions to detect the malicious activity.
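As an added example (not code from The Register article or the summary above), the following Python checks process-creation telemetry for the metadata discrepancy described: a process whose on-disk name differs from the OriginalFileName stored in its PE version resource, which Sysmon Event ID 1 records alongside the image path. The key=value event format, the sample events, and the higher severity for images staged under C:\ProgramData are constructed for this illustration.

```python
"""Flag renamed LOLBins by comparing the on-disk file name with the
OriginalFileName from the PE version resource, as carried in
Sysmon Event ID 1 (process creation) telemetry."""
from pathlib import PureWindowsPath

# Utilities the report says were renamed; extend the set as needed.
WATCHED_ORIGINAL_NAMES = {"curl.exe", "bitsadmin.exe"}
# Staging directory named in the report; execution from here rates higher.
STAGING_PREFIX = PureWindowsPath(r"C:\ProgramData")

# Constructed sample telemetry in a simple key=value;key=value shape.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\curl.exe;OriginalFileName=curl.exe",
    r"Image=C:\ProgramData\.cache\svc_update.exe;OriginalFileName=curl.exe",
    r"Image=C:\ProgramData\WinUpdate\sync.exe;OriginalFileName=BITSADMIN.EXE",
    r"Image=C:\Users\alice\Downloads\notes.exe;OriginalFileName=notes.exe",
    r"Image=C:\Users\alice\tools\CURL.EXE;OriginalFileName=curl.exe",
]

def parse_event(line):
    """Turn one key=value;... line into a dict (constructed format)."""
    fields = {}
    for part in line.split(";"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def is_under(path, prefix):
    """True if path lies under prefix (case-insensitive, Windows semantics)."""
    parts = [p.lower() for p in path.parts]
    want = [p.lower() for p in prefix.parts]
    return parts[:len(want)] == want

def detect_renamed_lolbins(lines):
    """Return (image, original_name, severity) for each name/metadata mismatch."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image = PureWindowsPath(ev.get("Image", ""))
        original = ev.get("OriginalFileName", "").lower()
        if original not in WATCHED_ORIGINAL_NAMES:
            continue
        if image.name.lower() == original:
            continue  # on-disk name matches the PE metadata: nothing to flag
        severity = "high" if is_under(image, STAGING_PREFIX) else "medium"
        findings.append((str(image), original, severity))
    return findings

if __name__ == "__main__":
    for image, original, sev in detect_renamed_lolbins(SAMPLE_EVENTS):
        print(f"[{sev}] {image} is really {original}")
```

The same comparison can be run at rest by reading the VersionInfo resource of files found in hidden C:\ProgramData folders, since a renamed copy keeps the field unchanged.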
Read at Theregister