Fake Data Leaks: Hackers’ New Strategy to Spread Malware

Thanks to the work of the AhnLab Security Emergency Response Center, known to most as ASEC, a new malware campaign has been identified that uses a malicious .EXE file to target specific victims already selected by the cybercriminals.

To push users into running the file, the attackers apply social engineering techniques built around a fictitious leak of personal data. Posing as a fake cyber investigation team, the hackers exploit users' fear to push them into immediate action.

The EXE file is passed off as a Word document. Once started, it acts as a backdoor, executing obfuscated commands supplied by the cybercriminals in XML format. As is easy to imagine, its activation leaves those who run this campaign ample room for manoeuvre on the local computer.

According to a report from Cyber Security News, executing the file creates .data files in the %ProgramData% folder. These are immediately obscured, making them very difficult to spot.

A Word document regarding false data leaks activates a dangerous backdoor

Besides a completely legitimate .doc file, 20231126_9680259278.doc, the files installed on the victim's computer are:

  • Lomd02.png;
  • Operator.jse;
  • WindowsHotfixUpdate.jse;
  • WindowsHotfixUpdate.ps1.

All of these files turn out to be malicious JSE scripts, except for the last one, WindowsHotfixUpdate.ps1, which is a PowerShell script.
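As an added example, and not code from ASEC, Cyber Security News or the article itself, the following Python triage helper shows how a defender could sweep a %ProgramData% tree for the artifact pattern described above: the file names the article attributes to the campaign, script files and .data files sitting directly under ProgramData, and an executable disguised as a Word document. The directory layout, the file contents and the names payload.data and leak_report.doc.exe are constructed for the demo; the double-extension and PE-header checks generalise beyond the one lure the article describes.

```python
"""Sweep a ProgramData-style tree for the dropped-file pattern of the
fake-data-leak campaign. Added example; indicator names come from the
article, everything else (sample tree, contents) is constructed."""
import tempfile
from pathlib import Path

# File names the article attributes to this campaign (not a complete IoC list).
KNOWN_DROPPED_NAMES = {
    "lomd02.png",
    "operator.jse",
    "windowshotfixupdate.jse",
    "windowshotfixupdate.ps1",
}
SCRIPT_EXTENSIONS = {".jse", ".js", ".ps1", ".vbs", ".wsf"}
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".rtf", ".pdf"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com"}


def is_pe_file(path: Path) -> bool:
    """True if the file starts with the 'MZ' DOS header of a Windows executable."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def looks_like_document_lure(path: Path) -> bool:
    """Executable content behind a document-looking name: either a double
    extension such as 'report.doc.exe', or a '.doc' that is really a PE image."""
    suffixes = [s.lower() for s in path.suffixes]
    if not suffixes:
        return False
    if (len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTENSIONS
            and suffixes[-1] in EXECUTABLE_EXTENSIONS):
        return True
    return suffixes[-1] in DOCUMENT_EXTENSIONS and is_pe_file(path)


def scan_programdata(root: Path) -> list[dict]:
    """Return one finding per suspicious file, with the reasons it was flagged."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        name = path.name.lower()
        ext = path.suffix.lower()
        if name in KNOWN_DROPPED_NAMES:
            reasons.append("name matches a campaign artifact")
        if ext in SCRIPT_EXTENSIONS:
            reasons.append("script file under ProgramData")
        if ext == ".data":
            reasons.append(".data file under ProgramData")
        if looks_like_document_lure(path):
            reasons.append("executable disguised as a document")
        if reasons:
            findings.append({"path": path.relative_to(root).as_posix(),
                             "reasons": reasons})
    return findings


def build_sample_tree() -> Path:
    """Constructed stand-in for %ProgramData%; contents are placeholders, not malware."""
    root = Path(tempfile.mkdtemp(prefix="programdata_demo_"))
    (root / "Vendor").mkdir()
    (root / "Vendor" / "settings.ini").write_text("[app]\n")          # benign
    (root / "20231126_9680259278.doc").write_text("decoy placeholder")  # legitimate decoy
    (root / "WindowsHotfixUpdate.jse").write_text("// placeholder\n")
    (root / "Operator.jse").write_text("// placeholder\n")
    (root / "Lomd02.png").write_bytes(b"\x89PNG placeholder")
    (root / "WindowsHotfixUpdate.ps1").write_text("# placeholder\n")
    (root / "payload.data").write_bytes(b"\x00" * 16)               # constructed name
    (root / "leak_report.doc.exe").write_bytes(b"MZ" + b"\x00" * 62)  # constructed lure
    return root


if __name__ == "__main__":
    for finding in scan_programdata(build_sample_tree()):
        print(f"{finding['path']}: {', '.join(finding['reasons'])}")
```

Run against a real machine by passing `Path(os.environ["ProgramData"])` to `scan_programdata` instead of the sample tree; the name list is deliberately case-insensitive because Windows file systems are, and the benign decoy document is left alone because it carries neither a script extension nor a PE header.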

Because of the obfuscation of these scripts, detection tools struggle to identify the malware until it is already fully active and very hard to stop.

Precisely for this reason it is strongly recommended, as in many similar cases, to adopt an effective preventive approach. In particular, not opening email attachments that do not come from thoroughly trusted sources is certainly an excellent way to avoid this type of malicious agent.

Likewise, keeping the operating system up to date and running a capable antivirus can, at least in part, prevent potential disasters.
