
"The attack chain involves the use of Viber as an initial intrusion vector to distribute malicious ZIP archives containing multiple Windows shortcut (LNK) files disguised as official Microsoft Word and Excel documents to trick recipients into opening them. The LNK files are designed to serve as a decoy document to the victim to lower their suspicion, while silently executing Hijack Loader in the background by fetching a second ZIP archive ("smoothieks.zip") from a remote server by means of a PowerShell script."
"The attack reconstructs and deploys Hijack Loader in memory through a multi-stage process that employs techniques like DLL side-loading and module stomping to evade detection by security tools. The loader then scans the environment for installed security software, such as those related to Kaspersky, Avast, BitDefender, AVG, Emsisoft, Webroot, and Microsoft, by calculating the CRC32 hash of the corresponding program."
UAC-0184 targets Ukrainian military and government entities using Viber to deliver malicious ZIP archives containing LNK files masquerading as Word and Excel documents. The LNK files present decoy documents while executing a PowerShell script that downloads 'smoothieks.zip' and reconstructs Hijack Loader in memory. The multi-stage loader uses DLL side-loading and module stomping to evade detection, scans for installed security products by computing CRC32 hashes, and establishes persistence via scheduled tasks. Previously observed tactics include war-themed phishing lures and delivery via Signal and Telegram, with Hijack Loader enabling subsequent Remcos RAT deployments.
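The delivery stage described above (a ZIP whose members are Windows shortcuts named like Word and Excel documents, launching PowerShell) can be caught at the mail or file gateway before anything runs. The following is an added triage example, not code from The Hacker News or from the researchers who analysed the campaign. It relies on one documented fact, that every shortcut starts with the 20-byte ShellLinkHeader prefix (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046, MS-SHLLINK), and on one heuristic, that shortcut StringData is UTF-16LE so a PowerShell-launching LNK contains "powershell" in that encoding. The archive it scans is constructed inline and is not the real "smoothieks.zip" or the original lure.

```python
import io
import zipfile

# Fixed 20-byte prefix of every Windows shortcut: HeaderSize 0x0000004C followed by
# the LinkCLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK ShellLinkHeader).
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Extensions the lure imitates (Word and Excel, as reported).
OFFICE_EXTS = (".doc", ".docx", ".xls", ".xlsx")

# Heuristic (assumption, not a parser): LNK StringData such as the target path and
# arguments is stored as UTF-16LE, so a PowerShell-launching shortcut usually embeds this.
POWERSHELL_UTF16 = "powershell".encode("utf-16-le")


def named_like_office_decoy(name: str) -> bool:
    """True for 'Report.docx.lnk'-style double extensions. Explorer hides the .lnk
    extension by default, so the user sees just 'Report.docx'."""
    lower = name.lower()
    return lower.endswith(".lnk") and lower[:-4].endswith(OFFICE_EXTS)


def triage_member(name: str, data: bytes) -> list[str]:
    """Return the reasons an archive member is suspicious (empty list if none)."""
    reasons = []
    is_lnk = data.startswith(LNK_MAGIC)
    lower = name.lower()
    if is_lnk and not lower.endswith(".lnk"):
        reasons.append("LNK header but extension is not .lnk")
    if named_like_office_decoy(name):
        reasons.append("shortcut named like an Office document")
    if is_lnk and POWERSHELL_UTF16 in data.lower():
        reasons.append("shortcut references PowerShell")
    return reasons


def triage_zip(archive: bytes) -> dict[str, list[str]]:
    """Scan every file in a ZIP; map member name -> reasons, omitting clean members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                data = fh.read(1 << 20)  # 1 MiB is far more than any real shortcut needs
            reasons = triage_member(info.filename, data)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample (not the real lure): two fake shortcuts plus benign files."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56 + "PowerShell.exe".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Report.docx.lnk", fake_lnk)   # double extension; Explorer shows "Report.docx"
        zf.writestr("Budget.xlsx", fake_lnk)       # renamed outright; only the header gives it away
        zf.writestr("Budget_real.xlsx", b"PK\x03\x04" + b"\x00" * 32)  # placeholder OOXML-like bytes
        zf.writestr("readme.txt", b"just text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_archive()).items():
        print(f"{member}: {'; '.join(reasons)}")
```

Checking the header rather than the name matters because Windows suppresses the .lnk extension for every shortcut (the NeverShowExt value on the lnkfile class), so "Report.docx.lnk" and a shortcut renamed to "Budget.xlsx" both look like documents to the recipient. The PowerShell substring check is a triage heuristic; a production scanner would parse the LinkFlags, LinkTargetIDList and StringData structures to recover the actual target and arguments.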
Read at The Hacker News