Phishing attacks continue to evolve, with attackers now distributing malicious HTML files disguised as legitimate email attachments. These HTML files contain code designed to trick users into running the malicious payload themselves. Leveraging social engineering tactics, these phishing campaigns use email subjects that evoke a sense of urgency, such as fee processing or operation instruction reviews, to entice users to open the attachments.
Upon opening the malicious attachment, users are presented with a deceptive message that visually resembles a Microsoft Word document. The message typically includes a button labeled “How to Fix” or a similar call to action, which serves as the social engineering lure for the unsuspecting user. Clicking this button triggers the intended exploit, leading to potentially harmful activities such as malware downloads or sensitive data exfiltration.
In one recent phishing campaign, clicking the “How to Fix” button downloaded a malicious JavaScript file. This file carried a Base64-encoded PowerShell command and instructed the user to run it, either by a keyboard shortcut or by pasting it manually into PowerShell. The JavaScript decoded the Base64 command and placed it on the clipboard; a user following the instructions then pasted and ran it in PowerShell, posing a significant threat to the system.
The malicious attachment thereby triggered a series of events, starting with the download of a PowerShell script from a Command and Control server. That script wiped the clipboard and executed another PowerShell command, also retrieved from the server. This multi-stage infection process went on to download an HTA file and execute an AutoIt executable embedded in a ZIP file, using compiled AutoIt scripts to complete the infection chain.
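A small attachment scanner for the pattern described above (copy-to-clipboard JavaScript, a "How to Fix" lure, and a Base64 blob that decodes to a PowerShell command), added here as an example; it is not code from the report or from ASEC, and the HTML sample is constructed with a harmless command that only prints text.

```python
import base64
import re

# Constructed sample of the lure described above. The "command" only prints text;
# it is Base64-encoded at runtime so the sample stays readable.
BENIGN_CMD = "powershell -c Write-Host 'constructed sample'"
SAMPLE_HTML = (
    "<html><body><div>Word cannot display this document.</div>"
    "<button onclick='fix()'>How to Fix</button><script>"
    f"var p = atob('{base64.b64encode(BENIGN_CMD.encode()).decode()}');"
    "function fix(){ navigator.clipboard.writeText(p); }"
    "</script></body></html>"
)
CLEAN_HTML = "<html><body><p>Quarterly report attached.</p></body></html>"
# Same command in the UTF-16LE form that PowerShell's -EncodedCommand expects.
SAMPLE_UTF16_BLOB = base64.b64encode(BENIGN_CMD.encode("utf-16-le")).decode()

CLIPBOARD_API = re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)")
LURE_TEXT = re.compile(r"how to fix|press\s+win\s*\+\s*r|paste", re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
SHELL_HINTS = re.compile(r"powershell|invoke-expression|\biex\b|downloadstring|mshta", re.I)

def decode_blob(blob: str) -> str:
    """Decode a Base64 blob, detecting the UTF-16LE layout used by -EncodedCommand."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # bad padding or stray characters: not a real blob
        return ""
    # ASCII text in UTF-16LE shows up as byte, NUL pairs.
    utf16 = len(raw) % 2 == 0 and raw[1::2].count(0) == len(raw) // 2
    try:
        return raw.decode("utf-16-le" if utf16 else "utf-8")
    except UnicodeDecodeError:
        return ""

def scan_html(html: str) -> dict:
    """Flag the clipboard lure: copy-to-clipboard JS plus lure text or a decoded shell command."""
    findings = {
        "clipboard_api": bool(CLIPBOARD_API.search(html)),
        "lure_text": bool(LURE_TEXT.search(html)),
        "decoded_commands": [],
    }
    for m in B64_BLOB.finditer(html):
        text = decode_blob(m.group(0))
        if text and SHELL_HINTS.search(text):
            findings["decoded_commands"].append(text)
    findings["suspicious"] = findings["clipboard_api"] and (findings["lure_text"] or bool(findings["decoded_commands"]))
    return findings
```

Running `scan_html` over the sample reports the clipboard API, the lure text and the decoded command; the clean document reports nothing.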
According to ASEC, DarkGate malware utilizes AutoIt scripts to bypass detection mechanisms and establish persistence. These scripts are often obfuscated to evade detection and download the main payload. Due to the multi-stage nature of DarkGate’s infection process, traditional signature-based detection methods may prove ineffective in identifying and mitigating the threat.
To protect against DarkGate and similar threats, users are advised to exercise caution when handling files from untrusted sources, particularly email attachments and URLs. Such files may carry malicious scripts or trojans and can lead to the execution of harmful PowerShell code, posing a serious risk to the user’s system security.
The system detected multiple threats associated with the phishing campaign, including phishing emails, malicious scripts, trojans, and the potential execution of malicious PowerShell code. Files downloaded from suspicious URLs further point to a phishing or malware attack, underscoring the importance of vigilance and cybersecurity awareness.
As phishing attacks become increasingly sophisticated, it is essential for users to remain vigilant and take proactive measures to protect themselves against evolving threats. By staying informed about the latest cybersecurity trends and practicing safe browsing habits, users can mitigate the risk of falling victim to phishing scams and malware attacks.

