The malware is sold as an attack kit on the internet and is aimed at stealing personal information such as passwords from web browsers, mail clients and FTP software. It can be extended with modules that take screenshots, open the webcam and evade detection from AV software. It is written in .NET and on initial execution does nothing for 60 seconds; this is most probably to evade sandboxes that dynamically detonate the file. Then it tries to steal as many passwords and configuration files as it can from installed software on the host system. The stolen information is then transmitted to a C2 server on port 567, probably to appear as legitimate SMTP traffic. Behavior IOCs are in Appendix A.

Filename: IMF-Pandemic Relief and unemployment compensation Form.exe. The file is shared in relation to a “delay in the shipment due to the Coronavirus disease”. This variant is very similar to the previous one except it doesn’t perform the initial delayed execution but instead tries to avoid detection in a different manner, by using a code injection technique known as Process Hollowing. It executes the binary C:\Windows\Microsoft.NET\Framework\v9\RegSvcs.exe and injects its malicious code into it. This method tries to fool AV software because the executable belongs to Microsoft; however, what actually executes in memory is Agent Tesla. The behavior is similar to that of the previous campaign in this report, and the Behavior IOCs can be found in Appendix A.

Static engines are limited in their capabilities to find never-before-seen attacks. Strive to scan all content dynamically. Stripping out “active content” is irrelevant for exe files, which should be examined without any tampering with the file or URL. Remember that CDRs and their like cannot provide proper detection for most collaboration channels. Enforce robust policies and make sure they are aligned across all channels. Perception Point is perfectly poised to intercept these attacks. Our 360-degree threat prevention services allow us to protect any collaboration channel – email, cloud storage, CRM app, or even your in-house built app – and prevent any content-based attack.