MULTI#STORM Campaign Targets India and U.S. with Remote Access Trojans (Security News, June 2023)
A new phishing campaign codenamed MULTI#STORM has set its sights on India and the U.S. by leveraging JavaScript files to deliver remote access trojans on compromised systems.
The multi-stage attack chain commences when an email recipient clicks the embedded link pointing to a password-protected ZIP file hosted on Microsoft OneDrive with the password "12345."
Extracting the archive file reveals a heavily obfuscated JavaScript file that, when double-clicked, activates the infection by executing two PowerShell commands that are responsible for retrieving two separate payloads from OneDrive and executing them.
The first of the two files is a decoy PDF document that's displayed to the victim while the second file, a Python-based executable, is stealthily run in the background.
Among the files is a batch file that Securonix said shares several commonalities with another loader called DBatLoader despite the difference in the programming language used.
A second file named "KDECO.bat" executes a PowerShell command to instruct Microsoft Defender to add an antivirus exclusion rule to skip the "C:\Users" directory.
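A defender's view of that last step, as an added example that is not part of the Securonix write-up or the campaign's own scripts: the Python below scans constructed PowerShell script-block text (the kind recorded as Event ID 4104 when script block logging is on) for Add-MpPreference/Set-MpPreference exclusion changes and rates how much Defender coverage each one removes. The list of broad roots, the severity thresholds and the sample lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Assumed list of roots whose exclusion blinds Defender to almost everything a
# user-level dropper writes; a whole-drive exclusion is treated the same way.
BROAD_ROOTS = {"c:\\users", "c:\\programdata", "c:\\windows", "c:\\windows\\temp"}

# Matches Add-/Set-MpPreference with an -ExclusionPath/-ExclusionProcess/-ExclusionExtension
# argument and captures the argument list up to the next parameter or end of line.
EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b[^|;]*?-Exclusion(?P<kind>Path|Process|Extension)\s+"
    r"(?P<args>[^|;]+?)(?=\s+-[A-Za-z]|\s*$)",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample script-block entries standing in for SIEM/EDR input.
SAMPLE_SCRIPT_BLOCKS = [
    'Add-MpPreference -ExclusionPath "C:\\Users"',
    "Set-MpPreference -ExclusionPath 'C:\\Users\\alice\\AppData\\Local\\Temp'",
    'Add-MpPreference -ExclusionPath "C:\\Program Files\\Vendor\\build-cache"',
    "Get-MpPreference | Select-Object ExclusionPath",
    'Add-MpPreference -ExclusionProcess "msbuild.exe"',
    'Add-MpPreference -ExclusionPath "C:\\Users","D:\\" -Force',
]

@dataclass
class Finding:
    kind: str
    value: str
    severity: str

def classify_exclusion(kind: str, value: str) -> str:
    """Rate how much Defender coverage a single exclusion removes."""
    if kind.lower() != "path":
        return "medium"  # process/extension exclusions are narrower but still notable
    p = value.strip().rstrip("\\").lower()
    if re.fullmatch(r"[a-z]:", p) or p in BROAD_ROOTS:
        return "high"  # whole drive or a system-wide root such as C:\Users
    if "\\appdata\\" in p or "\\temp" in p or p.count("\\") <= 2:
        return "medium"  # user-writable staging area or a very shallow directory
    return "low"

def scan_script_blocks(blocks: List[str]) -> List[Finding]:
    """Return one Finding per excluded item seen in Defender exclusion changes."""
    findings: List[Finding] = []
    for block in blocks:
        for m in EXCLUSION_RE.finditer(block):
            for raw in m.group("args").split(","):  # -ExclusionPath accepts a list
                value = raw.strip().strip("'\"")
                findings.append(Finding(m.group("kind"), value, classify_exclusion(m.group("kind"), value)))
    return findings
```

Get-MpPreference queries are deliberately ignored so that routine audits do not raise findings; only Add-/Set- calls change the exclusion set.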
News URL
https://thehackernews.com/2023/06/multistorm-campaign-targets-india-and.html