
"The attack involves approaching high-value individuals through messages sent on LinkedIn, establishing trust, and deceiving them into downloading a malicious WinRAR self-extracting archive (SFX). Once launched, the archive extracts four different components:
- A legitimate open-source PDF reader application
- A malicious DLL that's sideloaded by the PDF reader
- A portable executable (PE) of the Python interpreter
- A RAR file that likely serves as a decoy"
"In the campaign observed by ReliaQuest, the sideloaded DLL is used to drop the Python interpreter onto the system and create a Windows Registry Run key that makes sure that the Python interpreter is automatically executed upon every login. The interpreter's primary responsibility is to execute a Base64-encoded open-source shellcode that's directly executed in memory to avoid leaving forensic artifacts on disk."
The campaign targets high-value individuals via LinkedIn private messages and tricks recipients into running a malicious WinRAR self-extracting archive (SFX). The archive unpacks a legitimate open-source PDF reader, a malicious DLL, a portable Python executable, and a decoy RAR file. Launching the PDF reader triggers DLL sideloading, which drops the Python interpreter and creates a Windows Registry Run key for persistence. The interpreter decodes and executes Base64-encoded open-source shellcode directly in memory to minimize disk artifacts. The final payload attempts external communication to provide persistent remote access and exfiltrate sensitive data.
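The persistence step above (a Run key that relaunches a dropped Python interpreter at every login) leaves a simple artifact a defender can hunt for. The script below is an added example, not code from the article or ReliaQuest: it parses constructed `reg query`-style output and flags Run values that launch `python.exe`/`pythonw.exe`, especially from user-writable directories or with an inline `-c` script. The sample entries, value names and paths are invented for the example.

```python
import re
from typing import List, NamedTuple

# Constructed sample shaped like `reg query HKCU\...\Run` output (not real data): two benign
# entries and two that match the pattern (portable interpreter under a user-writable path).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    PdfUpdater    REG_SZ    "C:\Users\alice\AppData\Roaming\PdfReader\python.exe" C:\Users\alice\AppData\Roaming\PdfReader\run.py
    Teams    REG_SZ    "C:\Program Files\Microsoft\Teams\current\Teams.exe" --system-initiated
    Helper    REG_SZ    C:\ProgramData\tools\pythonw.exe -c import base64,ctypes
"""

class Finding(NamedTuple):
    name: str       # Run value name
    command: str    # full command line stored in the value
    reasons: tuple  # why it was flagged

VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+?)\s*$")
INTERPRETER_RE = re.compile(r"(?i)\bpythonw?\.exe\b")
# Directories a standard user can write to. Assumption: a sanctioned Python install lives
# elsewhere (e.g. Program Files); a real deployment would allow-list its own paths.
USER_WRITABLE_RE = re.compile(r"(?i)\\(AppData|Temp|ProgramData|Downloads|Public)\\")

def first_executable(data: str) -> str:
    """Return the program path from a Run value, whether quoted or a bare first token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data.strip('"')
    return data.split()[0]

def triage_run_keys(reg_output: str) -> List[Finding]:
    """Flag Run values whose program is a Python interpreter, noting why each was flagged."""
    findings = []
    for line in reg_output.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue  # header, blank or unrelated line
        name, data = m.group("name"), m.group("data")
        exe = first_executable(data)
        if not INTERPRETER_RE.search(exe):
            continue  # only interpreter-backed autoruns are in scope here
        reasons = ["python interpreter as autorun"]
        if USER_WRITABLE_RE.search(exe):
            reasons.append("interpreter in user-writable directory")
        if re.search(r"\s-c\s", data):
            reasons.append("inline -c script")
        findings.append(Finding(name, data, tuple(reasons)))
    return findings
```

Running `triage_run_keys(SAMPLE_REG_QUERY)` returns the two suspicious entries with their reasons; on a real host, feed it the output of `reg query` for the HKCU and HKLM Run keys and review each hit against the allow-list of sanctioned interpreter paths.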
Read at The Hacker News