Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass
"The campaign relies on a combination of social engineering and living-off-the-land techniques. It uses renamed Windows utilities to blend into normal system activity, retrieves payloads from trusted cloud services such as AWS, Tencent Cloud, and Backblaze B2, and installs malicious Microsoft Installer (MSI) packages to maintain control of the system."
"The use of legitimate tools and trusted platforms is a deadly combination, as it allows threat actors to blend in normal network activity and increase the likelihood of success of their attacks."
"Once the secondary payloads are in place, the malware begins tampering with User Account Control (UAC) settings to weaken system defenses. It continuously attempts to launch cmd.exe with elevated privileges, retrying until UAC elevation succeeds or the process is forcibly terminated."
A campaign has emerged that uses WhatsApp to distribute malicious Visual Basic Script (VBS) files, initiating a multi-stage infection chain. The attackers combine social engineering with living-off-the-land techniques, using renamed Windows utilities to blend into normal system activity. They retrieve payloads from trusted cloud services and install malicious Microsoft Installer (MSI) packages. The chain begins with execution of the VBS files, which create hidden folders and drop renamed copies of legitimate utilities. The attackers then aim to establish persistence and escalate privileges by tampering with User Account Control settings.
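Two of the behaviours summarised above, weakened UAC policy and renamed Windows utilities dropped in hidden folders, can be checked from a defender's side. The following PowerShell audit is an added example, not code from the article or from Microsoft's report; the registry values are the documented UAC policy settings, and the scan path and the heuristic for "renamed utility" (PE OriginalFilename disagreeing with the on-disk name of a Microsoft-branded binary) are this example's own assumptions.

```powershell
# Added example (not from the article): audit UAC policy values and look for
# renamed Windows utilities, the two behaviours the campaign summary describes.

function Get-UacPolicyStatus {
    # Registry location of UAC policy; the expected values are Windows defaults.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $expected = @{
        EnableLUA                  = 1  # UAC enabled
        ConsentPromptBehaviorAdmin = 5  # prompt for consent for non-Windows binaries
        PromptOnSecureDesktop      = 1  # prompt on the secure desktop
    }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $expected.Keys) {
        $actual = $props.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $actual
            # Missing or non-default value means the policy has been weakened or removed
            Weakened = ($null -eq $actual) -or ($actual -ne $expected[$name])
        }
    }
}

function Find-RenamedWindowsUtility {
    # Heuristic: flag executables whose PE version resource names a different
    # original file, e.g. a Windows utility copied under an innocuous name.
    param([Parameter(Mandatory)][string]$Path)
    # -Force includes hidden folders, which the summary says the VBS stage creates
    Get-ChildItem -Path $Path -Recurse -Force -Include *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi   = $_.VersionInfo
            $orig = $vi.OriginalFilename
            if ($orig -and $orig -ne $_.Name -and $vi.CompanyName -like 'Microsoft*') {
                [pscustomobject]@{
                    Path             = $_.FullName
                    OriginalFilename = $orig
                    CompanyName      = $vi.CompanyName
                }
            }
        }
}

# Review any row with Weakened = True, and any Microsoft binary found under a
# user-writable path whose name no longer matches its OriginalFilename.
Get-UacPolicyStatus | Format-Table -AutoSize
Find-RenamedWindowsUtility -Path $env:LOCALAPPDATA | Format-Table -AutoSize
```

The OriginalFilename comparison is a heuristic and will produce some benign hits (installers that legitimately rename components), so treat matches as leads for triage rather than verdicts.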
Read at The Hacker News