A recent phishing campaign targeting Windows systems has been identified as a sophisticated, multi-stage attack that ultimately deploys the PureHVNC malware, posing a significant threat to organizations. The campaign delivers malicious attachments to unsuspecting victims and relies on several evasion techniques, including Python-based obfuscation and shellcode generation and loading.
The attack, disguised as a customer service request, begins with a phishing email carrying an HTML attachment, which launches a malicious LNK file, disguised as a PDF, from a remote file share. The LNK file runs a batch script with 'conhost.exe' as its parent process, combining social engineering and process injection techniques to compromise the target system. The obfuscated batch file uses character substitution and encoding manipulation to hide its intent; it opens a decoy PDF and downloads further malicious scripts.
The attack employs a multi-layered Python-based shellcode loader that decrypts the shellcode with RC4 and executes it through ctypes. Subsequent stages use a donut shellcode generator to create a first-stage payload with AMSI/WLDP bypass capability, followed by a laZzzy-based injector that injects shellcode into notepad.exe using the Early Bird APC queue technique. The final payload, PureHVNC, is a .NET-based RAT whose payload is obfuscated with AES encryption and Gzip compression; once running, it establishes communication with a C2 server and collects system information.
For persistence and stealth, the malware uses PowerShell and Win32 APIs, and it downloads additional plugins from the C2 server. The PluginRemoteDesktop DLL provides remote desktop control over an infected system, while the PluginExecuting module can execute arbitrary files and update itself under C2 control. Using process hollowing for code injection, the malware runs its payloads inside existing processes.
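The chain described above leaves recognizable traces in process-creation telemetry: cmd.exe spawned with conhost.exe as its parent, a script run from a UNC share, a document name with a second executable extension, and notepad.exe started by a scripting runtime. The triage logic below is an added example, not code from the original report or from FortiGuard Labs; the events are constructed in the style of Sysmon Event ID 1 fields, the IP and paths are made up, and the notepad.exe rule is a heuristic assumption rather than something the report states.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style field names).
# All values are made up for this example; they are not indicators from the report.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"C:\Windows\explorer.exe"},
    {"id": 2, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r'cmd.exe /c "\\198.51.100.7\share\report.pdf.lnk"'},
    {"id": 3, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Programs\Python\python.exe",
     "CommandLine": r"notepad.exe"},
    {"id": 4, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt'},
]

# A .lnk/.bat/.cmd referenced via a UNC path (\\host\share\...).
UNC_SCRIPT = re.compile(r"\\\\[^\\\s]+\\[^\s\"]*\.(lnk|bat|cmd)\b", re.IGNORECASE)
# A document-looking name that actually ends in an executable extension.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.(lnk|bat|cmd|exe)\b", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def flag_event(ev):
    """Return the names of the rules an event matches (empty list = nothing notable)."""
    hits = []
    image, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
    # conhost.exe is normally spawned by a console process; it is rarely the parent of a shell.
    if parent == "conhost.exe" and image in {"cmd.exe", "powershell.exe"}:
        hits.append("conhost_parent_of_shell")
    if UNC_SCRIPT.search(cmd):
        hits.append("script_from_remote_share")
    if DOUBLE_EXT.search(cmd):
        hits.append("document_double_extension")
    # Assumption (heuristic, not from the report): notepad.exe launched by a scripting
    # runtime is a candidate injection target and worth an analyst's look.
    if image == "notepad.exe" and parent in {"python.exe", "pythonw.exe", "powershell.exe", "wscript.exe"}:
        hits.append("notepad_from_script_host")
    return hits


def triage(events):
    """Map event id -> matched rule names for every event that matched at least one rule."""
    return {ev["id"]: flag_event(ev) for ev in events if flag_event(ev)}
```

Event 2 trips three rules at once, which is the combination an analyst would escalate; event 4 (notepad.exe opened from Explorer) produces nothing, showing the parent check separates ordinary use from the pattern in the report.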
FortiGuard Labs has published multiple indicators of compromise (IOCs) for the campaign, including C2 domains and file hashes. These IOCs likely belong to a threat actor operating command-and-control infrastructure across multiple domains and distributing various malware payloads.
In conclusion, the phishing campaign targeting Windows systems is a complex and dangerous threat that combines various evasion techniques and malware payloads to gain remote system control. Organizations should remain vigilant and ensure their security measures are up to date to protect against such sophisticated attacks.