An unknown threat actor has been specifically targeting German companies and citizens for several months with advanced phishing-style attacks. As we reported on this blog at the end of last year, these attacks begin by tricking a user into executing a JavaScript file, which then contacts an attacker-controlled address to download additional payloads.
Since our last blog post, the malware’s developer has changed the initial script structure to better evade antivirus software. As of the time of this report, the malicious file is blacklisted by only 3 engines:
The final stage of the malware is virtually unchanged, except for the new C2 addresses, which appear to be compromised legitimate websites:
The final stage of the threat, as observed by Minerva Labs, is a PowerShell script that loads .NET code in memory from the registry, exactly like the previous version of the malware. A further update is the use of process hollowing against the legitimate Windows process “C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe”.
Minerva prevents these targeted attacks using our Memory Injection Prevention module:
IOCs:
Hashes:
2cacf23f15d3aa135ba85e96c646c807ea38b25f3660d2c272a2c95dfdf34b06 (JavaScript file)
DNS:
https://www.esist[.]org/search.php?dqzpgxtewtbsjgyt=07456396380719193278146
https://www.dischner-kartsport[.]de/search.php?dqzpgxtewtbsjgyt=786008201713476278146
https://www.ehiac[.]com/search.php?dqzpgxtewtbsjgyt=6781971714743289278146
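As an added example (not code from the original post or from Minerva Labs), the following script turns the defanged C2 URLs above into a proxy-log check: exact matches on the listed hosts are reported as known C2, and a looser pattern generalised from the three URLs (a `search.php` request with a single 16-letter query key and an all-digit value) is reported only as suspicious. The Squid-style log lines are constructed for the example, and the pattern heuristic is an assumption drawn from these samples rather than a published signature.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Defanged C2 URLs exactly as listed in the IOC section of the post.
DEFANGED_IOCS = [
    "https://www.esist[.]org/search.php?dqzpgxtewtbsjgyt=07456396380719193278146",
    "https://www.dischner-kartsport[.]de/search.php?dqzpgxtewtbsjgyt=786008201713476278146",
    "https://www.ehiac[.]com/search.php?dqzpgxtewtbsjgyt=6781971714743289278146",
]

def refang(indicator):
    """Turn a defanged indicator ('[.]', 'hxxp') back into a usable URL."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

C2_HOSTS = {urlsplit(refang(u)).hostname for u in DEFANGED_IOCS}

# Heuristic generalised from the three samples (an assumption, not a published
# signature): one 16-letter query key carrying an all-digit value on /search.php.
PARAM_KEY_RE = re.compile(r"^[a-z]{16}$")

def classify_url(url):
    """Return 'known-c2-host', 'suspicious-pattern' or None for a request URL."""
    parts = urlsplit(url)
    if (parts.hostname or "") in C2_HOSTS:
        return "known-c2-host"
    if parts.path.endswith("/search.php"):
        qs = parse_qs(parts.query, keep_blank_values=True)
        if len(qs) == 1:
            key, values = next(iter(qs.items()))
            if PARAM_KEY_RE.match(key) and all(v.isdigit() for v in values):
                return "suspicious-pattern"
    return None

def scan_proxy_log(lines):
    """Yield (line_no, verdict, url) for matching lines of a Squid native
    access log, where the requested URL is the 7th whitespace-separated field."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line; skip rather than crash
        verdict = classify_url(fields[6])
        if verdict:
            hits.append((line_no, verdict, fields[6]))
    return hits

# Constructed sample log: one benign request, one known C2 URL, one look-alike.
SAMPLE_LOG = [
    "1706000000.123 412 10.0.0.5 TCP_MISS/200 2048 GET https://www.example.com/index.html - HIER_DIRECT/192.0.2.10 text/html",
    "1706000001.456 398 10.0.0.5 TCP_MISS/200 9876 GET https://www.esist.org/search.php?dqzpgxtewtbsjgyt=07456396380719193278146 - HIER_DIRECT/192.0.2.20 application/octet-stream",
    "1706000002.789 250 10.0.0.7 TCP_MISS/200 5120 GET https://cdn.example.net/search.php?abcdefghijklmnop=1234567890 - HIER_DIRECT/192.0.2.30 application/octet-stream",
]

if __name__ == "__main__":
    for line_no, verdict, url in scan_proxy_log(SAMPLE_LOG):
        print(f"line {line_no}: {verdict}: {url}")
```

Treat a `suspicious-pattern` hit as a lead to review the downloaded payload and the requesting host, not as confirmation on its own.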