A phishing campaign targets Windows users with emails posing as purchase orders that prompt the recipient to open a malicious attachment. The attack chain starts with a phishing email delivering a malicious JavaScript file. The JavaScript decrypts and executes a PowerShell script. The PowerShell script uses process hollowing to inject a .NET downloader module into a trusted Windows process, MsBuild.exe. The downloader module communicates with a remote command-and-control server to fetch and execute additional plugin modules, which lets the attacker adapt the malware's post-compromise behavior. The campaign is difficult for signature-based defenses to detect because it layers several stages of encryption, executes filelessly, and relies on process hollowing.
"This campaign demonstrates a sophisticated multi-stage attack chain that begins with a phishing email delivering a malicious JavaScript file. The JavaScript decrypts and executes a PowerShell script that uses process hollowing to inject a .NET downloader module into a trusted Windows process (MsBuild.exe). The downloader module communicates with a remote C2 server to fetch and execute additional plugin modules, allowing the attacker to adapt the malware's post-compromise behavior."
"While this campaign ultimately executes on Windows, the broader lesson extends well beyond the endpoint. Attackers increasingly rely on social engineering and multi-stage attack chains that begin wherever users are most active, and increasingly, that starts on mobile devices through email, messaging platforms, and collaboration tools."
"What makes these attacks effective is not just the malware itself, but the ability to move users from initial engagement to compromise while avoiding detection across devices and environments. Organizations should think beyond traditional endpoint visibility and ensure they can identify suspicious activity early, correlate signals across mobile devices, applications, and endpoints, and rapidly determine whether an alert represents a real incident."
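The chain described above (script host launching PowerShell, PowerShell starting MsBuild.exe as a hollowing host) expressed as detection logic over process-creation events. This is an added example, not code from the article or from any vendor's analysis; the field names are modelled on Sysmon-style process-creation records, the heuristics are my own, and the sample events are constructed.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation record (Sysmon-style field names, assumed)."""
    image: str          # path of the new process
    parent_image: str   # path of the parent process
    cmdline: str        # full command line

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")
PROJECT_EXTS = (".csproj", ".vbproj", ".proj", ".sln", ".targets")
LOADER_FLAGS = ("-enc", "hidden", "bypass", "frombase64string")

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> list[str]:
    """Return the chain stages this single event resembles (empty if none)."""
    img, parent = _basename(ev.image), _basename(ev.parent_image)
    cmd = ev.cmdline.lower()
    hits = []
    # Stage 1: the .js attachment runs under a script host, which then
    # launches PowerShell, usually hidden and/or with an encoded command.
    if parent in SCRIPT_HOSTS and img in POWERSHELL:
        hits.append("script-host->powershell")
    if img in POWERSHELL and any(f in cmd for f in LOADER_FLAGS):
        hits.append("obfuscated-powershell")
    # Stage 2: PowerShell starts MsBuild.exe as the hollowing host. A real
    # build passes a project file; a hollowed host normally gets no project.
    if parent in POWERSHELL and img == "msbuild.exe":
        hits.append("powershell->msbuild")
    if img == "msbuild.exe" and not any(e in cmd for e in PROJECT_EXTS):
        hits.append("msbuild-without-project")
    return hits

def suspicious(events: list[ProcEvent]) -> list[tuple[ProcEvent, list[str]]]:
    """Filter a batch of events down to those matching at least one stage."""
    return [(ev, h) for ev in events if (h := classify(ev))]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\wscript.exe", "powershell.exe -w hidden -enc SQBFAFgA"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "MSBuild.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "MSBuild.exe C:\\src\\app.csproj"),
]
```

Build servers and admin scripts can legitimately produce project-less MSBuild launches or `-ExecutionPolicy Bypass`, so treat these hits as enrichment for correlation (for example with a later outbound connection from MsBuild.exe) rather than as a standalone block rule.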
Read at Securitymagazine