In a sophisticated phishing attack uncovered in July 2024, cybercriminals used an advanced malware delivery method that bypassed traditional security measures to deploy the 0bj3ctivity Stealer. The stealer was delivered via an encrypted JavaScript file hidden behind a seemingly harmless Discord link and relied on advanced obfuscation and anti-detection techniques, putting sensitive user data at risk.
The attack began with a seemingly innocent click on a Discord Content Delivery Network (CDN) link, which led the victim to download a malicious JavaScript file named ‘Enquiry-Dubai.js.’ This file contained embedded instructions to retrieve and execute additional malicious payloads, including the Ande Loader and the 0bj3ctivity Stealer.
Researchers found that the JavaScript file was engineered to conceal its true intent through sophisticated encryption. It included an AES-encrypted PowerShell script, which, once decrypted, sought out specific markers within a base64-encoded segment hidden in a file named ‘new-image.jpg.’
The script then decoded this segment into a byte array loaded directly into memory as a .NET payload.
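A triage check for the payload-hiding technique described above (a base64-encoded .NET executable embedded in an image file), written as an added example rather than code from the original report or the researchers: it scans a file for long base64 runs and flags any that decode to a PE image, since every .NET assembly starts with the 'MZ' DOS header, and also reports whether a JPEG carries data after its end-of-image marker. The sample image bytes and the marker strings are constructed.

```python
import base64
import re
from typing import List, Tuple

# Long runs of base64 characters. Real payloads are far longer than this
# threshold, which only serves to skip short incidental matches.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def find_embedded_pe(data: bytes) -> List[Tuple[int, int]]:
    """Return (offset, decoded_length) for each base64 run that decodes to a PE image."""
    hits = []
    for m in B64_RUN.finditer(data):
        run = m.group(0)
        # Pad to a multiple of 4 so a run without trailing '=' still decodes.
        run += b"=" * (-len(run) % 4)
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        # Every PE file, including .NET assemblies, begins with the 'MZ' magic.
        if decoded[:2] == b"MZ":
            hits.append((m.start(), len(decoded)))
    return hits


def is_jpeg_with_trailer(data: bytes) -> bool:
    """True if the file has a JPEG SOI header but carries bytes after the last EOI marker."""
    if not data.startswith(b"\xff\xd8"):
        return False
    eoi = data.rfind(b"\xff\xd9")
    return eoi != -1 and eoi + 2 < len(data)


# Constructed sample: a minimal JPEG skeleton, then a base64 blob whose decoded
# bytes start with an MZ header (stand-in for the loader described in the report).
FAKE_PE = b"MZ" + b"\x90" * 100 + b"PE\x00\x00" + b"\x00" * 50
SAMPLE_IMAGE = (
    b"\xff\xd8" + b"\x00" * 32 + b"\xff\xd9"
    + b"<<MARK>>" + base64.b64encode(FAKE_PE) + b"<<END>>"
)


def triage(data: bytes) -> dict:
    """Summarise both indicators for one file's contents."""
    return {"jpeg_trailer": is_jpeg_with_trailer(data), "pe_blobs": find_embedded_pe(data)}


if __name__ == "__main__":
    print(triage(SAMPLE_IMAGE))
```

The same check generalises to any carrier file: a PE image hidden as base64 inside a PNG, a text file or a script shows up the same way.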
“The downloaded payload is responsible for retrieving the stealer from the server (hxxps://whatismyipaddressnow[.]co/API/FETCH/filter.php?countryid=14&token=FEzEd9JbsoLF) and executing it in memory,” explained researchers. “The payload also checks if it is being debugged via the ‘get_IsAttached’ method, and if it is, the process exits.”
The .NET payload, identified as the Ande Loader, ensured the malware’s persistence and continued execution. It created registry run keys to maintain its foothold on the compromised system and downloaded additional payloads from a remote server. One of the critical tasks it performed was process injection via Process Hollowing into the ‘AddInProcess32.exe’ process, allowing the malware to blend into legitimate system activity.
The downloaded malicious files ultimately activated the 0bj3ctivity Stealer, a malware program previously examined by cybersecurity experts. This particular stealer is notorious for its capability to extract confidential data from an array of web browsers such as Chrome, Opera, Blisk, Brave, 360Browser, Xvast, Comodo Dragon, CoolNovo, Torch Browser, Iridium, 7star, Amigo, CentBrowser, Chedot, CocCoc, Elements, Epic Privacy Browser, Kometa, Orbitum, Sputnik, uCozMedia, Vivaldi, Sleipnir 6, Citrio, Coowon, Liebao, QIP Surf, and Edge, and communication applications.
Additionally, the malware specialises in harvesting credit card details by utilising pattern-matching techniques to identify and collect information associated with various card providers.
A notable aspect of this malware is its communication with command-and-control (C2) servers. If the stealer cannot send the harvested data to its designated Telegram bot, it will attempt to transmit it to alternative C2 servers or an SMTP server.
The data is organised into various categories, such as browser cookies, history, and saved passwords, before being sent to the attacker.
Researchers observed that the 0bj3ctivity Stealer has several anti-detection mechanisms, including checks for virtualisation and debugging environments. It scans for specific DLL files and system properties typically associated with virtual machines or sandbox environments. If any of these indicators are detected, the malware terminates itself and deletes its presence from the host machine, further complicating forensic analysis.
Additionally, the stealer checks whether the infected system is a virtual private server (VPS) or cloud-hosted machine by querying public-IP-related APIs. This ensures that the malware operates primarily in environments where it can extract valuable data from end users.
Researchers have urged organisations to implement robust threat detection mechanisms and engage in continuous threat research.