A multi-layer phishing operation that targets users in Russia across multiple stages using schemes isn't an uncommon tactic in this arena of internet-based crime. A recent example is a campaign uncovered by security researchers on the Fortinet FortiGuard Labs that incorporates numerous social engineering techniques and malware hosted on publicly available cloud storage sites (e.g., Dropbox). The campaign begins with an email message that contains a link or attachment that appears to be standard office documents (such as reports on company accounts or employee status updates).
When potential victims receive these emails, their immediate attention is drawn to the documents. However, the included malicious scripts execute silently as victims focus on innocuous-looking document files.
Some unique components of this campaign are that it utilizes cloud service providers as part of its infrastructure, which provide additional layers of security for their operation. For example, Github serves as the host site for the scripts used as part of the campaign, while Dropbox is used to deliver the final malware to infected computers. By separating the operations, the attackers can more readily switch components out without disrupting the entire operation.
The infection usually begins with a ZIP archive containing decoy documents and a malicious Windows shortcut (LNK). The file uses a double extension and Russian-language naming to masquerade as a harmless text file. When clicked, it launches a hidden PowerShell command that pulls the next-stage loader from GitHub.
After the initial phase, the malware developers will continue to prioritize the concealment of their activities and disabling the victim's defenses. To do so, they will hide all PowerShell windows, create fake documents to distract users from their actual actions, and send notifications through Telegram to inform of a successful payload execution. Once an adequate period has passed, they will deploy highly-encoded Visual Basic scripts to create the payloads in memory and will leave very few traces on the hard drive of the infected computer.
One of the major strategies used during this operation was the misuse of defendnot, a program that tricks Windows into believing that another Antivirus product has been installed. By doing so, the attackers tricked Microsoft Defender into shutting down, thereby allowing them to use the compromised systems for spying and stealing the personal data of the victims.
With the removal of Microsoft Defender's protective shields, the attackers were able to install the Amnesia RAT, which provided complete remote access and control over the infected systems. The malware is capable of stealing browser-specific data, credentials, cryptocurrency wallets, taking screenshots, capturing video and audio feeds using the webcam and microphone of the infected device, and transmitting all data back to the hackers through the use of Telegram. Additionally, the attackers deployed ransomware that encrypted all of the important files of their victims and also stole the contents of their clipboard to redirect their cryptocurrency transactions.
The method used in this attack does not rely on identifying software vulnerabilities, but instead abuses the inherent features and settings of the Microsoft Windows operating system, and relies on the trust of the user in order to perpetrate this type of attack. Modern attacks are less about identifying and utilizing vulnerabilities than they are about deceiving and manipulating their victims into trusting the attacker.
Source: The Hacker News