Be Aware, Black Santa is here for HR and maybe you … too

The article starts:

For more than a year, a Russian-speaking threat actor targeted human resource (HR) departments with malware that delivers a new EDR killer named BlackSanta.

Should I be surprised at the fact that it's Russia? They seem to get away with most anything these days, so it shouldn't surprise me.

The article continues:

Described as “sophisticated,” the campaign mixes social engineering with advanced evasion techniques to steal sensitive information from compromised systems.

Well, let's see how sophisticated they are, seeing that if I were an HR department, I'd be looking only in certain places for resumes and the like.

The article says:

It is unclear how the attack begins, but researchers at Aryaka, a network and security solutions provider, suspect that the malware is distributed via spear-phishing emails.

They believe that targets are directed to download ISO image files that appear as resumes and are hosted on cloud storage services, such as Dropbox.

One malicious ISO analyzed contained four files: a Windows shortcut (.LNK) disguised as a PDF file, a PowerShell script, an image, and a .ICO file.

I give the article credit for admitting that we may not know how it gets started, but it then says that the chain eventually wants you to download an ISO file, and in this case that is where the problem starts.

First of all, if I were in the HR department, I wouldn't just be downloading ISO files, or would I? I mean, anyone can be fooled into downloading files these days; I continue to tell the story of how I was bitten, so I'm not about to say that I've never done it. But then again, I know that an ISO file is mainly a disc image, typically of an operating system or even a program.

See Optical disc image from Wikipedia

Continuing, the article says:

The shortcut launches PowerShell and executes the script, which extracts data hidden in the image file using steganography and executes it in system memory.

The code also downloads a ZIP archive containing a legitimate SumatraPDF executable and a malicious DLL (DWrite.dll) to load using the DLL sideloading technique.

So it has a script that launches through PowerShell, then sideloads a DLL (the legitimate SumatraPDF looks for DWrite.dll beside itself and loads the attacker's copy instead of the real one in System32), and then stops Defender and other antivirus tools from working. You can read more about that in the article.

Part of the hard-coded antivirus list

The text coming from ChatGPT through JAWS Picture Smart says:

The image shows a segment of text that appears to be from a programming or debugging environment, possibly a disassembler or a code analysis tool. The text follows a repeated pattern where each line begins with an identifier that looks like “sub_140004B20” followed by a number in parentheses (such as “(v355)”, “(v356)”). After this, there is a string enclosed in double quotes which seems to be the name of an executable file (.exe) or a service name.

The text lists various executables and service names, mostly related to system or security software. Some of the names visible in the list are:

– “servicehost.exe”
– “mcshield.exe”
– “mcupdatemgr.exe”
– “qcshm.exe”
– “modulecoreservice.exe”
– “pfservice.exe”
– “mcafwtk.exe”
– “mfemms.exe”
– “mfevtps.exe”
– “mccsservicehost.exe”
– “launch.exe”
– “delegate.exe”
– “mcdireg.exe”
– “mcpvtray.exe”
– “mcinstrutrack.exe”
– “mcicnt.exe”
– “protectedmoduleshost.exe”
– “mmsshhost.exe”
– “mfeavsvc.exe”
– “symantec”
– “symcorpu”
– “symefasi”
– “sysinternal”
– “sysmon”
– “tanium”
– “tda.exe”
– “tdawork”
– “tpython”
– “mcapexe.exe”
– “vectra”

The pattern seems to assign or associate these service or executable names with certain subroutines or variables indicated by the v-number identifiers. The naming suggests that these executables might be related to antivirus, system monitoring, or security services.

Some of the names should be familiar to some, based on the executable, but as discussed, it wants to kill these processes so it can basically own the computer.
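Each of the three stages the article describes (Explorer launching PowerShell from a shortcut on a mounted ISO, SumatraPDF loading a DWrite.dll that is not the one in System32, and something opening a process from the hard-coded list with terminate rights) leaves a distinct trace in process telemetry. The script below is an added example, not code from the article or from this post, and not from the BlackSanta malware itself: it runs three heuristic rules over a handful of constructed Sysmon-style events (process creation, image load, and process access) and uses a subset of the process names from the screenshot above as its kill list. The field names mirror Sysmon's (Image, ParentImage, CommandLine, ImageLoaded, SourceImage, TargetImage, GrantedAccess), but the sample events are made up for the demonstration.

```python
"""Hunt for the three BlackSanta stages in Sysmon-style events.

Added example for this post; the events below are constructed, not real
telemetry, and the rules are heuristics rather than vendor signatures.
"""
import ntpath
import re

# Subset of the hard-coded process names visible in the screenshot above.
# Matching is on the lower-cased basename of TargetImage.
KILL_LIST = {
    "mcshield.exe", "mfemms.exe", "mfevtps.exe", "mfeavsvc.exe",
    "mcapexe.exe", "sysmon.exe", "sysmon64.exe",
}

PROCESS_TERMINATE = 0x0001  # bit in the Win32 process access mask
WINDOWS_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def rule_lnk_powershell(ev):
    """Stage 1: Explorer (a double-clicked .LNK) starts PowerShell on a script
    that lives off the system drive (a mounted ISO) or with the usual evasion
    switches. Heuristic: a legitimate admin script on D: also trips it."""
    if ev.get("EventID") != 1 or _base(ev.get("Image", "")) != "powershell.exe":
        return None
    if _base(ev.get("ParentImage", "")) != "explorer.exe":
        return None
    cmd = ev.get("CommandLine", "")
    off_system_drive = re.search(r"\b[D-Zd-z]:\\\S*\.ps1", cmd)
    evasion = re.search(r"-(?:ep|executionpolicy)\s+bypass|-w(?:indowstyle)?\s+hidden", cmd, re.I)
    if off_system_drive or evasion:
        return f"explorer.exe -> powershell.exe running: {cmd}"
    return None


def rule_dwrite_sideload(ev):
    """Stage 2: DWrite.dll resolved from anywhere other than the Windows
    system directories, i.e. the copy dropped next to SumatraPDF."""
    if ev.get("EventID") != 7:
        return None
    loaded = ev.get("ImageLoaded", "")
    if _base(loaded) != "dwrite.dll" or loaded.lower().startswith(WINDOWS_DLL_DIRS):
        return None
    return f"{_base(ev.get('Image', ''))} sideloaded {loaded}"


def rule_av_terminate(ev):
    """Stage 3: a process on the kill list is opened (Sysmon event 10) with
    PROCESS_TERMINATE set in the granted access mask."""
    if ev.get("EventID") != 10:
        return None
    target = _base(ev.get("TargetImage", ""))
    if target not in KILL_LIST:
        return None
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    if granted & PROCESS_TERMINATE:
        return f"{_base(ev.get('SourceImage', ''))} opened {target} with PROCESS_TERMINATE (0x{granted:x})"
    return None


RULES = (rule_lnk_powershell, rule_dwrite_sideload, rule_av_terminate)


def triage(events):
    """Return [(rule name, description)] for every event that trips a rule."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((rule.__name__, hit))
    return findings


# Constructed sample events: one benign twin beside each malicious one.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\SumatraPDF\SumatraPDF.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\SumatraPDF\SumatraPDF.exe" resume.pdf'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -w hidden -ep bypass -f E:\resume.ps1"},
    {"EventID": 7, "Image": r"C:\Program Files\SumatraPDF\SumatraPDF.exe",
     "ImageLoaded": r"C:\Windows\System32\DWrite.dll"},
    {"EventID": 7, "Image": r"C:\Users\hr\AppData\Local\Temp\sp\SumatraPDF.exe",
     "ImageLoaded": r"C:\Users\hr\AppData\Local\Temp\sp\DWrite.dll"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe",
     "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\hr\AppData\Local\Temp\sp\SumatraPDF.exe",
     "TargetImage": r"C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe",
     "GrantedAccess": "0x1fffff"},
]

if __name__ == "__main__":
    for name, detail in triage(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

Run stand-alone it prints one line per stage; the benign twins (a normal SumatraPDF launch, the real DWrite.dll from System32, and a query-only handle to mfemms.exe) produce nothing. On real Sysmon data you would feed the parsed event fields into triage() and tune the first rule to your environment's drive layout.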

If you want to read the entire article, read New 'BlackSanta' EDR killer spotted targeting HR departments, as this could in theory come to us, and you definitely don't want to get hit with it.

Small businesses like mine could get it, and you could too. Even people who do work without actually owning a domain are on the Internet, so it could in theory happen to them as well.

