==================================================================<
** Original area : "/grc/security"
** Original message from :
jeff@jeffroot.us (Jeff Root)
** Original message to :
** Original date/time : 30 May 20, 15:19 >==================================================================<
This is truly a thing of beauty.
If only they'd chosen niceness, instead of evil.
https://arstechnica.com/information-technology/2020/05/an-advanced-and-unconventional-hack-is-targeting-industrial-firms/
Whoever is behind this is truly an artist.
Jeff
==================================================================<
Excerpt from the article: >==================================================================<
The attacks begin with emails that are customized for each target. For the exploit to trigger, the language in the email must match the localization of the target's operating system.
Recipients who click on a request to urgently enable the document's active content will see no indication anything is amiss. Behind the scenes, however, a macro executes a PowerShell script. The reason it stays hidden: the command parameters:
ExecutionPolicy ByPass - to override organization policies
WindowStyle Hidden - this hides the PowerShell window
NoProfile - executes the script with no end-user configuration
Triple-encoded steganography, anyone?
The PowerShell script reaches out to either imgur.com or imgbox.com and downloads an image that has malicious code hidden inside the pixels through a technique called steganography. The data is encoded by the Base64 algorithm, encrypted with an RSA key, and then Base64-encoded again.
In a clever move, the script contains an intentional error in its code. The resulting error message that's returned, which is different for each language pack installed on the OS, is the decryption key.
The decrypted and decoded data is used as a second PowerShell script that, in turn, unpacks and decodes another blob of Base64-encoded data. With that, a third obfuscated PowerShell script executes Mimikatz malware that's designed to steal Windows account credentials used to access various network resources. In the event stolen credentials include those for the all-powerful Windows Active Directory, attackers have access to virtually every node on the network.
==================================================================<
--- OpenXP 5.0.44
* Origin: (2:221/1.58)
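A defender's-side companion to the excerpt above, added here as an example and not part of the original post or the Ars Technica article: the three switches the article names (ExecutionPolicy Bypass, WindowStyle Hidden, NoProfile) are exactly what shows up in process-creation telemetry (Sysmon Event ID 1 or Windows 4688 with command-line auditing), so the check below walks constructed process-creation events and flags PowerShell launches that combine them, weighting an Office parent process higher because the article's chain starts from a macro. The event shape, the Office parent list, the weights and the minimum switch abbreviations are my assumptions; the abbreviation lengths follow how I understand powershell.exe resolves unambiguous prefixes (so `-nop -w hidden -ep bypass` is treated the same as the long forms), and the sample events are constructed, not real telemetry.

```python
"""Flag PowerShell launches whose switches match the hidden-execution pattern
(ExecutionPolicy Bypass, WindowStyle Hidden, NoProfile) in process-creation
events. Added example; event format and thresholds are assumptions."""

# Minimum prefix length that powershell.exe accepts for each switch
# (assumption based on the host's prefix matching: -ex, -w, -nop are
# the shortest unambiguous forms; -e alone means -EncodedCommand).
SWITCHES = {
    "executionpolicy": 2,
    "windowstyle": 1,
    "noprofile": 3,
}
# Explicit short alias the host accepts that is not a plain prefix.
ALIASES = {"ep": "executionpolicy"}

# Parent images that indicate a document macro spawned PowerShell (assumption).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Scoring: each named switch counts 1, an Office parent counts 2, and an
# event is reported once it reaches THRESHOLD (assumed values).
WEIGHTS = {
    "executionpolicy_bypass": 1,
    "windowstyle_hidden": 1,
    "noprofile": 1,
    "office_parent": 2,
}
THRESHOLD = 3

# Constructed sample events (not real telemetry); payloads are placeholders.
SAMPLE_EVENTS = [
    {"parent": "WINWORD.EXE",
     "cmdline": "powershell.exe -ExecutionPolicy ByPass -WindowStyle Hidden "
                "-NoProfile -Command \"<payload placeholder>\""},
    {"parent": "cmd.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc <base64 placeholder>"},
    {"parent": "explorer.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"},
    {"parent": "EXCEL.EXE",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\export.ps1"},
]


def _switch_name(token):
    """Map a token such as '-NoP', '-w' or '-ep' to its full switch name.

    Returns None for tokens that are not one of the switches of interest,
    including prefixes too short to be unambiguous (e.g. '-e')."""
    if not token or token[0] not in "-/":
        return None
    prefix = token[1:].lower()
    if prefix in ALIASES:
        return ALIASES[prefix]
    for name, min_len in SWITCHES.items():
        if len(prefix) >= min_len and name.startswith(prefix):
            return name
    return None


def analyze_event(event):
    """Return findings, score and a suspicious flag for one process-creation event."""
    tokens = event["cmdline"].split()
    findings = []
    for i, tok in enumerate(tokens):
        name = _switch_name(tok)
        if name is None:
            continue
        # Value switches take the next token; compare case-insensitively.
        value = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        if name == "executionpolicy" and value == "bypass":
            findings.append("executionpolicy_bypass")
        elif name == "windowstyle" and value == "hidden":
            findings.append("windowstyle_hidden")
        elif name == "noprofile":
            findings.append("noprofile")
    if event["parent"].lower() in OFFICE_PARENTS:
        findings.append("office_parent")
    score = sum(WEIGHTS[f] for f in findings)
    return {"findings": findings, "score": score, "suspicious": score >= THRESHOLD}


def scan(events):
    """Return (index, result) pairs for every event that crosses the threshold."""
    hits = []
    for i, ev in enumerate(events):
        result = analyze_event(ev)
        if result["suspicious"]:
            hits.append((i, result))
    return hits


if __name__ == "__main__":
    for idx, res in scan(SAMPLE_EVENTS):
        print(f"event {idx}: score={res['score']} findings={res['findings']}")
```

The third sample (an admin running a script with only `-NoProfile` from Explorer) stays below the threshold, while the fourth (Excel spawning PowerShell with `-ExecutionPolicy Bypass`) is reported even though only one of the three switches is present, because an Office parent is itself the start of the chain the article describes. Tune the weights to your environment's baseline rather than treating them as fixed.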