MULTI#STORM Campaign Targets India and U.S. with Remote Access Trojans

2023-06-22 16:58

A new phishing campaign codenamed MULTI#STORM has set its sights on India and the U.S. by leveraging JavaScript files to deliver remote access trojans on compromised systems.

The multi-stage attack chain commences when an email recipient clicks the embedded link pointing to a password-protected ZIP file hosted on Microsoft OneDrive with the password "12345."

Extracting the archive file reveals a heavily obfuscated JavaScript file that, when double clicked, activates the infection by executing two PowerShell commands that are responsible for retrieving two separate payloads from OneDrive and executing them.

The first of the two files is a decoy PDF document that's displayed to the victim while the second file, a Python-based executable, is stealthily run in the background.

Among the files is a batch file that Securonix said shares several commonalities with another loader called DBatLoader despite the difference in the programming language used.

A second file named "KDECO.bat" executes a PowerShell command to instruct Microsoft Defender to add an antivirus exclusion rule to skip the "C:Users" directory.

News URL

https://thehackernews.com/2023/06/multistorm-campaign-targets-india-and.html

#india #multi #remote #remoteaccess #trojan

News URL

Related news