The first payload retrieved from OneDrive is a decoy PDF document that is displayed to the victim to divert their attention. Simultaneously, a Python-based executable runs surreptitiously in the background. This binary acts as a dropper, unpacking and executing the main payload, ‘Storm.exe’, which it carries as a Base64-encoded string. To establish persistence, the dropper modifies the Windows Registry.
The dropper also decodes a second ZIP file named ‘files.zip’, which contains four files specifically designed to bypass User Account Control (UAC) and escalate privileges by creating mock trusted directories. Notably, one of the files, ‘check.bat’, shares similarities with another loader called DBatLoader, despite being written in a different programming language. Another file, ‘KDECO.bat’, executes a PowerShell command to instruct Microsoft Defender to exclude the ‘C:\Users’ directory from antivirus scans.
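As an added detection example (not code from the article or the researchers' report), the following Python scanner runs over a few constructed process-creation log lines and flags the two behaviours described above: a Defender exclusion that covers a whole drive or a user-profile root such as ‘C:\Users’, and a directory whose name mimics a trusted system path. The mock-directory check assumes the trailing-space form of the technique; the log format and sample lines are invented for the example.

```python
import re
from typing import List, Tuple

# Constructed process-creation log lines (sample data, not from the article):
# "<timestamp> <image> <command line>".
SAMPLE_LOGS = [
    "2023-06-01T10:00:01 powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\\Users'",
    "2023-06-01T10:00:02 powershell.exe powershell Add-MpPreference -ExclusionPath 'C:\\Program Files\\Vendor\\app'",
    "2023-06-01T10:00:03 cmd.exe cmd /c mkdir \"C:\\Windows \\System32\"",
    "2023-06-01T10:00:04 cmd.exe cmd /c mkdir C:\\Temp\\build",
    "2023-06-01T10:00:05 powershell.exe powershell Set-MpPreference -ExclusionPath C:\\",
]

# Defender exclusion commands: capture the path argument, quoted or bare.
EXCLUSION_RE = re.compile(r"""(?:Add|Set)-MpPreference\b.*?-ExclusionPath\s+(?:'([^']*)'|"([^"]*)"|(\S+))""", re.I)
# Directory creation: capture the path argument, quoted or bare.
MKDIR_RE = re.compile(r"""\bmkdir\s+(?:"([^"]*)"|'([^']*)'|(\S+))""", re.I)

# Exclusion roots broad enough to hide any user-writable payload from scanning.
BROAD_ROOTS = {"c:\\users", "c:\\programdata", "c:\\windows\\temp"}


def first_group(m: "re.Match") -> str:
    return next(g for g in m.groups() if g is not None)


def is_broad_exclusion(path: str) -> bool:
    """True for a whole drive (C:\\) or one of the broad roots above."""
    p = path.strip().lower().rstrip("\\")
    return re.fullmatch(r"[a-z]:", p) is not None or p in BROAD_ROOTS


def is_mock_trusted_dir(path: str) -> bool:
    """A path component that differs from its trimmed form only by whitespace
    (e.g. "Windows ") is the assumed mock trusted directory shape."""
    return any(part != part.strip() and part.strip() for part in path.split("\\"))


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (timestamp, reason) for every line that matches a detection."""
    hits = []
    for line in lines:
        ts, _image, cmdline = line.split(" ", 2)
        m = EXCLUSION_RE.search(cmdline)
        if m and is_broad_exclusion(first_group(m)):
            hits.append((ts, f"broad Defender exclusion: {first_group(m)}"))
            continue
        m = MKDIR_RE.search(cmdline)
        if m and is_mock_trusted_dir(first_group(m)):
            hits.append((ts, f"mock trusted directory: {first_group(m)!r}"))
    return hits


if __name__ == "__main__":
    for ts, reason in scan(SAMPLE_LOGS):
        print(ts, reason)
```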
The attack culminates in the deployment of Warzone RAT (also known as Ave Maria), a commercially available malware priced at $38 per month. Warzone RAT possesses an extensive array of features for harvesting sensitive data and downloading additional malware, such as Quasar RAT.
Users are advised to exercise caution when interacting with email attachments or clicking on suspicious links.
“It’s important to remain extra vigilant when it comes to phishing emails, especially when a sense of urgency is stressed,” the researchers cautioned.