Digital sky: Drones have become a new battlefield in cyber warfare

CarderPlanet

Attackers use instructions for drones to distribute malware.

A new report from Securonix Threat Labs details the mechanism of the StarkVortex cyber attack. The attackers use an original tactic: instructions on how to control drones serve as bait to spread the MerlinAgent malware.

The attack starts with emails that invite the recipient to study a free drone management guide. The decoy file is a Microsoft Help file (CHM file) called "UAV Training Information for the Military". This file format (.chm) is usually used to provide instructions and recommendations for working with software.

The attack unfolds when the user opens this document: a malicious block of JavaScript code embedded in the HTML page is activated and runs obfuscated PowerShell code. That code, in turn, communicates with the remote command and control (C2) server and initiates the download of obfuscated binary data.

The binary data, which is obfuscated with XOR, is then decoded to produce a beacon payload for the MerlinAgent malware. Once a connection with the C2 server is established, the attackers gain full control over the victim host.

The attack chain, despite its apparent simplicity, is characterized by complex methods of technical implementation and obfuscation, which makes it difficult to detect.

The researchers noted: "The files and documents used in the attack successfully bypass the security mechanisms, and the malicious .chm file was not detected by any of the antivirus scanners. Usually, getting Microsoft help files over the Internet is suspicious. However, the attackers have so cleverly designed the trap documents that they can be perceived by the victim as ordinary manuals or reference materials."

After successful infection, attackers can gain full control over the victim's system.
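Because the decoy was not flagged by file scanning, a behavioural check on the chain described above (a help file whose embedded script launches PowerShell) is the more useful control. The following is an added example, not code from the Securonix report or the original post. It assumes process-creation telemetry with parent/child image and command-line fields (Sysmon Event ID 1 style); `hh.exe` is the Windows HTML Help viewer that opens .chm files, and all events, host names, file names and field names are constructed.

```python
import ntpath
import re

HELP_VIEWER = "hh.exe"  # Windows HTML Help viewer, the program that opens .chm files
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# PowerShell switches typical of obfuscated one-liners (-enc, -w hidden, -nop)
HIDING_FLAGS = re.compile(
    r"(?i)(?:^|\s)[-/](?:e(?:nc\w*)?|w(?:in\w*)?\s+hid\w*|nop\w*)(?=\s|$)")
# Locations where a mailed or downloaded help file usually lands
USER_PATHS = re.compile(r"(?i)\\(downloads|temp|appdata|content\.outlook)\\")
CHM_PATH = re.compile(r'(?i)([a-z]:\\[^"]*?\.chm)')

# Constructed sample events; none of these values come from the report.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": r"C:\Windows\hh.exe",
     "parent_cmd": r'"C:\Windows\hh.exe" C:\Users\a\Downloads\uav_guide.chm',
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -nop -enc CONSTRUCTED_PLACEHOLDER"},
    {"host": "ws-02", "parent": r"C:\Windows\explorer.exe",
     "parent_cmd": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Process"},
    {"host": "ws-03", "parent": r"C:\Windows\hh.exe",
     "parent_cmd": r'"C:\Windows\hh.exe" C:\Windows\Help\mmc.chm',
     "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c ver"},
]

def triage(event):
    """Return the reasons an event matches the CHM -> script-host chain, or []."""
    if ntpath.basename(event["parent"]).lower() != HELP_VIEWER:
        return []
    child = ntpath.basename(event["image"]).lower()
    if child not in SCRIPT_HOSTS:
        return []
    reasons = [f"hh.exe spawned {child}"]  # a help viewer rarely starts a shell
    if HIDING_FLAGS.search(event["cmd"]):
        reasons.append("hidden/encoded command-line switches")
    chm = CHM_PATH.search(event["parent_cmd"])
    if chm and USER_PATHS.search(chm.group(1)):
        reasons.append(f"help file opened from user-writable path: {chm.group(1)}")
    return reasons

def detect(events):
    """Return (host, reasons) for every event that matches; more reasons = higher priority."""
    return [(e["host"], r) for e in events if (r := triage(e))]

if __name__ == "__main__":
    for host, reasons in detect(SAMPLE_EVENTS):
        print(host, "|", "; ".join(reasons))
```

The number of reasons works as a rough priority: the single-reason hit on ws-03 is worth a look, while the three-reason hit on ws-01 matches the whole chain.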
 