'BlackSanta' Malware Activates EDR and AV Killer Before Detonating Payload
"BlackSanta, a dedicated BYOVD-based component, disables antivirus and EDR protections at the kernel level, clearing the path for credential harvesting, system reconnaissance, and eventual data exfiltration with minimal resistance."
"This campaign targets hiring because HR is accustomed to, and routinely opens, attachments - an apparent resume found in the ISO appears to be legitimate and already on site."
"In this sample, the ISO contains four innocuous-looking files. A security analyst might be instantly suspicious of a 3kb PDF file and the presence of a PowerShell script, but HR might simply not notice."
A campaign attributed to Russian-speaking threat actors distributes malicious ISO files through cloud storage services such as Dropbox, using social engineering to get them opened. The attack targets HR departments by disguising the malware as a resume. Once the ISO is mounted, opening the files inside it triggers a malware chain that includes BlackSanta, a BYOVD-based component designed to disable antivirus and EDR protections at the kernel level. With those protections gone, the attackers can harvest credentials, conduct system reconnaissance, and exfiltrate data with minimal resistance. HR departments are targeted because they routinely open attachments and are less likely to question an unexpected resume. The malicious ISO contains seemingly innocuous files, including a shortcut (link) file disguised as a PDF that, when opened, launches the command execution sequence.
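The summary above names the tells an analyst would look for inside such an ISO: a shortcut file masquerading as a document, a PDF far too small to be a real resume, and a PowerShell script sitting alongside them. The following triage heuristic is an added example written for this page, not code from SecurityWeek or from the researchers who analysed the campaign. It runs over a constructed directory listing (file name, size and leading bytes) rather than a real ISO, and the 4 KB "tiny PDF" threshold and the list of document extensions are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    """One file from a mounted-ISO listing: name, size, and its first bytes."""
    name: str
    size: int
    head: bytes

# Assumed parameters for this example (not values from the article).
DOC_EXTS = (".pdf", ".doc", ".docx", ".txt")
TINY_PDF_BYTES = 4096                 # a real resume PDF is normally much larger
LNK_MAGIC = b"\x4c\x00\x00\x00"       # Windows shell link (.lnk) header size field
PDF_MAGIC = b"%PDF-"

def triage_listing(entries):
    """Return (findings, verdict) for a list of Entry objects.

    Each finding is a (rule, filename) pair. The verdict is 'likely_lure' when a
    document-named shortcut and a script are both present, 'suspicious' when any
    single rule fires, and 'clean' otherwise.
    """
    findings = []
    for e in entries:
        n = e.name.lower()
        if n.endswith(".lnk"):
            # "resume.pdf.lnk" displays as "resume.pdf" when extensions are hidden
            if n[:-4].endswith(DOC_EXTS):
                findings.append(("shortcut_masquerading_as_document", e.name))
        elif e.head.startswith(LNK_MAGIC):
            # Shortcut content under a non-.lnk name is also a masquerade
            findings.append(("shortcut_with_disguised_extension", e.name))
        if n.endswith(".pdf"):
            if e.size < TINY_PDF_BYTES:
                findings.append(("tiny_pdf", e.name))
            if not e.head.startswith(PDF_MAGIC):
                findings.append(("pdf_without_pdf_header", e.name))
        if n.endswith((".ps1", ".bat", ".cmd", ".vbs", ".js")):
            findings.append(("script_in_archive", e.name))

    rules = {r for r, _ in findings}
    if "shortcut_masquerading_as_document" in rules and "script_in_archive" in rules:
        verdict = "likely_lure"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return findings, verdict

# Constructed sample listing modelled on the four-file ISO described in the text.
SAMPLE = [
    Entry("Resume_J_Doe.pdf.lnk", 1500, LNK_MAGIC + b"\x01\x14\x02\x00"),
    Entry("Resume.pdf", 3072, b"%PDF-1.4\n"),
    Entry("update.ps1", 800, b"$p = "),
    Entry("photo.jpg", 120000, b"\xff\xd8\xff\xe0"),
]

if __name__ == "__main__":
    found, verdict = triage_listing(SAMPLE)
    for rule, name in found:
        print(f"{rule:36s} {name}")
    print("verdict:", verdict)
```

The point of checking leading bytes as well as names is that a file renamed to look like a document keeps its real header; a "PDF" that does not start with `%PDF-` or a non-`.lnk` file that starts with the shell-link header is worth a second look even when the sizes are plausible.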
Read at SecurityWeek