
An ongoing phishing campaign is targeting French-speaking corporate environments with fake resumes that lead to the deployment of cryptocurrency miners and information stealers.
“The campaign uses highly obfuscated VBScript files disguised as resumes/CV documents, delivered through phishing emails,” Securonix researchers Shikha Sangwan, Akshay Gaikwad, and Aaron Beardslee said in a report shared with The Hacker News.
“Once executed, the malware deploys a versatile toolkit that combines credential theft, data exfiltration, and mining of Monero cryptocurrency for maximum monetization.”
The cybersecurity firm has codenamed the activity "FAUX#ELEVATE". The campaign is notable for its abuse of legitimate services and infrastructure: Dropbox to stage payloads, a WordPress site in Morocco to host command-and-control (C2) configuration, and mail[.]ru SMTP infrastructure to exfiltrate stolen browser credentials and desktop files.
The campaign is an example of a persistent attack that raises the bar for how attackers can trick defenses and slip into targeted systems without attracting much attention.
The initial dropper is a Visual Basic Script (VBScript) file that, when opened, displays a fake French error message so the recipient believes the file is corrupted. Behind the scenes, the heavily obfuscated script runs a series of sandbox-evasion checks, then enters a persistent User Account Control (UAC) loop that repeatedly prompts the user to run the script with administrator privileges.
Of the script's 224,471 lines, only 266 contain actual executable code. The rest is padding: junk comments made of random English sentences that inflate the file to 9.7 MB.
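The comment-to-code ratio quoted above is a cheap static triage signal. The following PowerShell function is an added example for this article (not code from the Securonix report or the dropper itself): it classifies each line of a VBScript file as comment, blank, or code, and flags large files where almost nothing is executable. The 1% code-fraction threshold and the sample file it builds are assumptions for the demonstration.

```powershell
# Added example for this article (not code from the Securonix report): static
# triage of a VBScript file that measures how much of it is comment padding
# versus executable code, the ratio the researchers used to describe the dropper.

function Get-VbsCommentProfile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed triage threshold: flag files where under 1% of lines hold code.
        [double] $CodeFractionThreshold = 0.01
    )
    $lines   = @(Get-Content -LiteralPath $Path)
    $comment = 0; $blank = 0; $code = 0

    # VBScript comments start with an apostrophe or the Rem keyword. Trailing
    # comments after a statement are counted as code, which is what we want.
    foreach ($line in $lines) {
        $t = $line.Trim()
        if ($t.Length -eq 0) { $blank++ }
        elseif ($t.StartsWith("'") -or $t -match '^rem(\s|$)') { $comment++ }
        else { $code++ }
    }

    $total        = $lines.Count
    $codeFraction = if ($total -gt 0) { $code / $total } else { 0 }
    $sizeMB       = [math]::Round((Get-Item -LiteralPath $Path).Length / 1MB, 2)

    [pscustomobject]@{
        Path         = $Path
        TotalLines   = $total
        CommentLines = $comment
        BlankLines   = $blank
        CodeLines    = $code
        CodeFraction = [math]::Round($codeFraction, 4)
        SizeMB       = $sizeMB
        # Large file with almost no code: matches the padding pattern described above.
        Suspicious   = ($total -gt 1000) -and ($codeFraction -lt $CodeFractionThreshold)
    }
}

# Constructed sample for the demonstration: thousands of junk comment lines with
# a handful of real statements buried among them (not the actual dropper).
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'faux_elevate_demo.vbs'
$junk = 1..20000 | ForEach-Object { "' Random English sentence number $_ used as padding" }
$real = @(
    'Set sh = CreateObject("WScript.Shell")',
    'MsgBox "Erreur : le fichier est endommage.", vbCritical, "Erreur"',
    'WScript.Quit'
)
Set-Content -LiteralPath $sample -Value ($junk + $real)

Get-VbsCommentProfile -Path $sample | Format-List
```

Point the function at a quarantined attachment to get the same numbers the researchers report (total lines, code lines, size). A benign script rarely exceeds a few thousand lines with fewer than 1% of them executable, so the Suspicious flag is a reasonable first filter before opening the file in a deobfuscator.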
“The malware also uses a domain-join gate using WMI [Windows Management Instrumentation] to ensure that the payload is only delivered on enterprise machines and completely excludes standalone home systems,” the researchers said.
Once the dropper gains administrative privileges, it immediately covers its tracks: it disables security controls by configuring Microsoft Defender exclusion paths for all primary drive letters (C through I), disables UAC through Windows registry changes, and deletes itself.
The dropper is also responsible for retrieving two separate password-protected 7-Zip archives hosted on Dropbox:
gmail2.7z - contains various executables for stealing data and mining cryptocurrency
gmail_ma.7z - contains utilities for persistence and cleanup
Among the tools used for credential theft is a component that leverages the ChromElevator project to bypass App-Bound Encryption (ABE) and extract sensitive data from Chromium-based browsers. Other tools include:
mozilla.vbs - VBScript stealer for Mozilla Firefox profiles and credentials
Wall.vbs - VBScript payload that collects files from the desktop
mservice.exe - XMRig cryptocurrency miner, launched after fetching its mining configuration from the compromised Moroccan WordPress site
WinRing0x64.sys - legitimate Windows kernel driver used to unlock the CPU's full mining potential
RuntimeHost.exe - Windows persistence trojan component that modifies firewall rules and periodically communicates with C2 servers
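The post-elevation changes described above (Defender exclusions for whole drive letters, UAC disabled in the registry, firewall rules added by RuntimeHost.exe) and the WMI domain-join gate are all things a responder can query directly. The following hunting function is an added example for this article, not code from the Securonix report: it checks a host for each of those indicators and reports whether the machine would have passed the dropper's domain-join gate. The image name RuntimeHost.exe comes from the article; everything else (function name, message text) is assumed, and the drive-root check is generalized to any drive letter rather than only C through I.

```powershell
# Added hunting script for this article (not code from the Securonix report).
# Checks a Windows host for the post-elevation changes described above; run it
# from an elevated PowerShell session. The drive-root check is generalized to
# any drive letter, not just C through I.

function Test-FauxElevateIndicators {
    param(
        # Image name the report attributes to the firewall-modifying persistence component.
        [string] $PersistenceImage = 'RuntimeHost.exe'
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Microsoft Defender exclusion paths that cover an entire drive (e.g. C:\).
    $prefs = Get-MpPreference -ErrorAction SilentlyContinue
    foreach ($p in @($prefs.ExclusionPath | Where-Object { $_ })) {
        if ($p -match '^[A-Za-z]:\\?$') {
            $findings.Add("Defender exclusion covers an entire drive: $p")
        }
    }

    # 2. UAC switched off through the EnableLUA policy value.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    if ($lua -eq 0) { $findings.Add('UAC is disabled (EnableLUA = 0)') }

    # 3. Enabled firewall rules whose program filter points at the persistence component.
    Get-NetFirewallRule -Enabled True -ErrorAction SilentlyContinue | ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue
        if ($app.Program -and ($app.Program -like "*\$PersistenceImage")) {
            $findings.Add("Firewall rule '$($_.DisplayName)' targets $($app.Program)")
        }
    }

    # 4. The same WMI gate the dropper uses: is this host domain-joined?
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    [pscustomobject]@{
        Computer     = $cs.Name
        DomainJoined = [bool]$cs.PartOfDomain
        Findings     = $findings.ToArray()
    }
}

Test-FauxElevateIndicators
```

Because the dropper deletes itself and the cleanup stage removes the stealers, these configuration changes and the surviving RuntimeHost.exe and miner are often the only artifacts left on a host; an empty Findings list on a domain-joined machine is the expected clean result, and any drive-root exclusion or EnableLUA = 0 should be treated as a lead rather than explained away.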
The browser data is exfiltrated over SMTP using two separate mail[.]ru sender accounts ('olga.aitsaid@mail.ru' and '3pw5nd9neeyn@mail.ru'), which share the same password, to another email address operated by the threat actor ('vladimirprolitovitch@duck.com').
Once credential theft and exfiltration are complete, the attack chain aggressively cleans up all dropped tools to minimize its forensic footprint, leaving behind only the miner and the trojan.
“The FAUX#ELEVATE campaign demonstrates a well-orchestrated, multi-stage attack campaign that combines several notable techniques into a single infection chain,” Securonix said.
“What makes this campaign particularly dangerous to enterprise security teams is its speed of execution, with the complete infection chain from initial VBS execution to credential exfiltration completed in approximately 25 seconds, and selective targeting of domain-joined machines to ensure that all compromised hosts provide the most value through enterprise credential theft and persistent resource hijacking.”
