The attack chain starts with malicious emails that appear to be harmless document attachments (Word and Excel files) and that take advantage of the CVE-2017-11882 vulnerability, a Microsoft Office Equation Editor vulnerability that was addressed in 2017 and is frequently exploited. Since the emails originate from reputable domains, there is less likelihood that they will be stopped when they are sent from compromised SMTP servers.

Upon viewing the file, the exploit will download a Visual Basic Script (VBS) from the legitimate paste-upon-opening-file service if an older version of Microsoft Office is installed. After that, this script is run to retrieve a JPG image file with a base-64 encoded payload within. The final payload, which is concealed inside a text file and is an executable with reverse base64 encoding, is downloaded using the PowerShell code included in the script included in the image. Cybersecurity experts have noticed multiple iterations of the attack chain, resulting in a wide range of malware families, such as:

• Agent Tesla: Spyware that records keystrokes, grabs information from the system clipboard, takes screenshots, and exfiltrates other private data. It also acts as a keylogger and credential thief.
• FormBook: An infostealer virus that gathers login credentials from several online browsers, records screen grabs, tracks and logs keystrokes, and can download and run files based on commands.
• Remcos: Malware that enables an attacker to take control of a compromised system remotely. It does this by executing commands, intercepting keystrokes, and activating the webcam and microphone for monitoring purposes.
• LokiBot: An info-stealer that targets information relating to numerous frequently used applications, including usernames, passwords, and other associated data.
• Guloader: A downloader used to spread secondary payloads that are usually compressed to avoid being detected by antivirus software.
• Snake Keylogger: A type of malware that records keystrokes, gathers information from the system clipboard, takes screenshots, and retrieves login credentials from web browsers.
• XWorm: A Remote Access Trojan (RAT) that allows the hacker to take remote control of the compromised system.

Malicious scripts and final payloads are frequently kept in reputable cloud services, such as Google Drive, using their positive reputation to avoid being detected by antivirus software. To make the traffic appear normal, stolen data is transmitted to legal FTP servers that have been infiltrated and are utilized as command-and-control (C2) infrastructure. Over 320 attacks were found by researchers, with the majority occurring in Latin American nations, while the attacks have a global reach.