From Document to Script: Insides of Campaign

May 17, 2024, 10:03 a.m.

Description

This report examines a recent malicious campaign that begins with phishing emails purporting to come from 'QuickBooks' and prompting the recipient to install Java. Clicking the embedded link downloads a malicious JAR file. The JAR contains commands that fetch additional payloads, including an obfuscated AutoIt script that establishes connections to remote servers, likely to stage further malicious activity. The campaign employs sophisticated techniques and reuses historical URL patterns previously associated with threat actors.

Date

Published: May 17, 2024, 9:38 a.m.

Created: May 17, 2024, 9:38 a.m.

Modified: May 17, 2024, 10:03 a.m.

Indicators


Attack Patterns

DarkGate

T1497 (Virtualization/Sandbox Evasion)

T1105 (Ingress Tool Transfer)

T1071 (Application Layer Protocol)

T1055 (Process Injection)

T1036 (Masquerading)

T1204 (User Execution)

T1027 (Obfuscated Files or Information)

T1566 (Phishing)

T1059 (Command and Scripting Interpreter)