- Cyble Research and Intelligence Labs (CRIL) identified a campaign targeting individuals connected to the upcoming US-Taiwan Defense Industry Conference, as indicated by the lure document uncovered during the investigation.
- The campaign involves a ZIP archive containing an LNK file that mimics a legitimate PDF registration form for deception.
- When the LNK file is opened, it executes commands to drop a lure PDF and an executable in the startup folder, establishing persistence.
- Upon system reboot, the executable downloads additional content and executes it directly in memory, effectively evading detection by the security products.
- The first-stage loader triggers a second-stage loader, which downloads, decodes, and compiles C# code in memory, avoiding the creation of traceable files on disk.
- Once the compiled code is executed, the malware exfiltrates sensitive data back to the attacker’s server via web requests designed to blend in with normal traffic, making detection more difficult.
No comments yet!