A sophisticated phishing campaign named MULTI#STORM has emerged, targeting individuals in India and the United States. The campaign employs JavaScript files to deliver remote access trojans (RATs) onto compromised systems.
According to researchers from Securonix, the attack begins with an email containing an embedded link, leading to a password-protected ZIP file named ‘REQUEST.zip’ hosted on Microsoft OneDrive. The provided password for the archive is ‘12345’. Upon extraction, a heavily obfuscated JavaScript file called ‘REQUEST.js’ is revealed. When the victim double-clicks this file, two PowerShell commands are executed, initiating the infection process.
The first payload retrieved from OneDrive is a decoy PDF document that is displayed to the victim, diverting their attention. Simultaneously, a Python-based executable runs surreptitiously in the background. This binary acts as a dropper, unpacking and executing the main payload, a Base64-encoded string named ‘Storm.exe’. To establish persistence, the dropper modifies the Windows Registry.
The dropper also decodes a second ZIP file named ‘files.zip’, which contains four files specifically designed to bypass User Account Control (UAC) and escalate privileges by creating mock trusted directories. Notably, one of the files, ‘check.bat’, shares similarities with another loader called DBatLoader, despite being written in a different programming language. Another file, ‘KDECO.bat’, executes a PowerShell command to instruct Microsoft Defender to exclude the ‘C:\Users’ directory from antivirus scans.
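A defender-side check for the Defender tampering described above, written as an added example for this article rather than anything from the Securonix report: it audits the configured Microsoft Defender path exclusions, flags overly broad ones such as the whole C:\Users tree, and lists recent exclusion changes. It assumes the Defender PowerShell module is available and that the message text of Defender operational event 5007 names the changed key under Exclusions\Paths.

```powershell
# Added example (not from the Securonix report): audit Microsoft Defender
# path exclusions and flag overly broad ones such as C:\Users, which the
# campaign's KDECO.bat is reported to add.
$broadPatterns = @(
    '^[A-Za-z]:\\?$',                 # an entire drive, e.g. C:\
    '^[A-Za-z]:\\Users\\?$',          # the whole profile tree, as in this campaign
    '^[A-Za-z]:\\Users\\[^\\]+\\?$',  # a single user's entire profile
    '^[A-Za-z]:\\Windows\\Temp\\?$',
    '^[A-Za-z]:\\ProgramData\\?$'
)

$exclusions = (Get-MpPreference).ExclusionPath
if (-not $exclusions) {
    Write-Output 'No Defender path exclusions configured.'
} else {
    foreach ($path in $exclusions) {
        $isBroad = $false
        foreach ($pattern in $broadPatterns) {
            if ($path -match $pattern) { $isBroad = $true; break }
        }
        if ($isBroad) { Write-Warning "Overly broad exclusion: $path" }
        else          { Write-Output  "Exclusion: $path" }
    }
}

# Defender records configuration changes, including new exclusions, as
# event 5007 in its Operational log. Assumption: the message names the
# changed registry key, so filtering on 'Exclusions\Paths' isolates
# path-exclusion changes from the last seven days.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions\\Paths' } |
    Select-Object TimeCreated, Message |
    Format-List
```

Run it in an elevated session; an exclusion covering C:\Users or a drive root on a workstation that has no documented reason for one is worth treating as a tampering indicator.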
The culmination of the attack involves the deployment of Warzone RAT (also known as Ave Maria), a commercially available malware priced at $38 per month. Warzone RAT possesses an extensive array of features for harvesting sensitive data and downloading additional malware, such as Quasar RAT.
The researchers from Securonix emphasised the importance of remaining vigilant, particularly in response to phishing emails that attempt to create a sense of urgency. They noted that this particular campaign required the user to directly execute a JavaScript file, suggesting that shortcut files or files with double extensions would likely have a higher success rate.
Users are advised to exercise caution when interacting with email attachments or clicking on suspicious links.
“It’s important to remain extra vigilant when it comes to phishing emails, especially when a sense of urgency is stressed,” the researchers cautioned.