Key takeaways
  • Cyble Research and Intelligence Labs (CRIL) has identified a malicious campaign likely targeting business professionals across the United States.
  • The campaign employs a malicious LNK file, masquerading as a PDF with encoded data. This file is decoded by leveraging certutil.exe, which then delivers the next-stage payload: an HTA file.
  • The HTML Application (HTA) file contains VBScript that extracts and executes a lure document and a malicious DLL file, both embedded within the HTA file.
  • The DLL file acts as a Loader, decrypting the subsequent payload and shellcode, which are responsible for executing the Ursnif core component.
  • The Threat Actor (TA) behind this campaign uses a multi-stage operation that executes entirely in memory, effectively evading detection by security products.
  • The final payload file (DLL) is identified as Ursnif malware, capable of establishing a connection with the C&C server and downloading additional modules to steal sensitive information from the victim’s machine.
  • MajorHavoc@programming.dev
    link
    fedilink
    arrow-up
    1
    ·
    24 minutes ago

    Damn. This is interesting.

    I was pretty sure there wasn’t any further market for my VBscript skills. Turns out I’ve been turning down breaking bad money?

    The mirror universe evil version of me must not talk about his work much. I would die of embarrassment. I’m almost impossible to embarrass, but I draw the line at VBScript.