From Document to Script: Insides of Campaign

May 17, 2024, 10:03 a.m.

Description

This report examines a recent malicious campaign initiated via phishing emails that appear to come from 'QuickBooks' and prompt users to install Java. Clicking the embedded link downloads a malicious JAR file. The JAR contains commands to fetch additional payloads, including an obfuscated AutoIt script that establishes connections with remote servers, likely for malicious purposes. The campaign employs sophisticated techniques and URL patterns historically associated with these threat actors.

Date

  • Created: May 17, 2024, 9:38 a.m.
  • Published: May 17, 2024, 9:38 a.m.
  • Modified: May 17, 2024, 10:03 a.m.

Indicators

  • http://smbeckwithlaw.com/1.zip
  • http://amishwoods.com/jwa4v
  • http://amikamobile.com/ayu4d
  • http://affixio.com/emh0c
  • http://affiliatebash.com/myu0f
  • http://afcmanager.net/jxk6m
  • http://afarm.net/uvz2q
  • http://aerospaceavenue.com/cnz8g
  • http://adztrk.com/ixi7r
  • http://adventsales.co.uk/iuw8a
  • kindupdates.com

Attack Patterns

  • DarkGate
  • T1497
  • T1105
  • T1071
  • T1055
  • T1036
  • T1204
  • T1027
  • T1566
  • T1059