Attackers are launching themed email campaigns that use COVID fear to lure people into opening malicious documents. APT27 has launched a similar campaign. The first stage is a fake PDF file: it looks like a real PDF, with a hidden extension and a convincing PDF icon, but it is not a PDF at all. It is a .lnk file, in other words a “Microsoft Linking File” (a Windows shortcut).

Opening the .lnk file reveals two main sections: one is a kind of header in which the embedded commands can be observed, and the other is a large encoded payload. Stage 1 carves Stage 2 out of its own body by extracting those bytes and decoding them from base64. The result is a Microsoft compressed CAB file, and Stage 1 executes the JavaScript contained in that CAB file.

9sOXN6Ltf0afe7.js performs an ActiveXObject call to WScript.Shell in order to execute a list of Windows commands. Once deobfuscated and beautified, the command line reads as shown in the figure (9sOXN6Ltf0afe7.js payload beautified). The attacker creates a folder that looks like a file by naming it cscript.exe, an attempt to mislead the analyst, and then populates that folder with the files needed to continue the infection chain.
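As an added example (not code from the original article or from the campaign it describes), the following Python triage helper applies, from the defender's side, the two checks the paragraph above implies: does a file whose name ends in a document extension actually carry the Shell Link (.lnk) header, and does its body contain a long base64 run that decodes to a Microsoft CAB file (magic `MSCF`)? The sample bytes are constructed for this example and are not an artifact of the campaign; the LNK header and CAB magic values come from the public file-format specifications.

```python
import base64
import re
from pathlib import PurePath

# Shell Link header: HeaderSize 0x0000004C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
LNK_HEADER_SIZE = 0x4C
CAB_MAGIC = b"MSCF"
# Extensions a user expects to open as a document, not as a shortcut.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def is_lnk(data: bytes) -> bool:
    """True when the bytes start with a Shell Link header, whatever the file is named."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def masquerading_extension(filename: str) -> bool:
    """True for names such as guidance.pdf.lnk: a shortcut dressed up as a document."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    return (
        len(suffixes) >= 2
        and suffixes[-1] == ".lnk"
        and suffixes[-2] in DOCUMENT_EXTENSIONS
    )


def carve_base64_blobs(data: bytes, min_len: int = 64):
    """Yield the decoded bytes of every long base64 run found in the data."""
    pattern = rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len
    for match in re.finditer(pattern, data):
        try:
            # validate=True rejects runs that are not well-formed base64.
            yield base64.b64decode(match.group(0), validate=True)
        except ValueError:
            continue


def triage(filename: str, data: bytes) -> dict:
    """Summarise the indicators a first-pass analyst would want for a suspect attachment."""
    result = {
        "is_lnk": is_lnk(data),
        "masquerade": masquerading_extension(filename),
        "embedded_cab": False,
        "cab_size": 0,
    }
    if result["is_lnk"]:
        # Skip the fixed-size header; the encoded payload sits in the body.
        for blob in carve_base64_blobs(data[LNK_HEADER_SIZE:]):
            if blob.startswith(CAB_MAGIC):
                result["embedded_cab"] = True
                result["cab_size"] = len(blob)
                break
    return result


# Constructed sample (hypothetical, not a real campaign artifact): a minimal LNK
# header, some filler, then a base64 blob whose decoded content starts with MSCF.
FAKE_CAB = CAB_MAGIC + b"\x00" * 44 + b"9sOXN6Ltf0afe7.js"
SAMPLE_LNK = (
    LNK_MAGIC
    + b"\x00" * (LNK_HEADER_SIZE - len(LNK_MAGIC))
    + b"\xff\xfe filler \x00"
    + base64.b64encode(FAKE_CAB)
    + b"\x00\x00"
)

if __name__ == "__main__":
    print(triage("Covid-19 guidance.pdf.lnk", SAMPLE_LNK))
```

On a real mailbox or sandbox feed the same three functions run over each attachment; a hit on all three (Shell Link header, document-style double extension, embedded CAB) is a strong triage signal, while the base64 carve alone is noisy and should only be reported together with the header check.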