Unicorn: New Spy Scripts Steal Data from Russian Companies
Sept. 20, 2024, 11:41 a.m.
Description
A new malware campaign targeting Russian energy companies, factories, and electronic component suppliers has been detected. The malware, delivered as an email attachment or via a Yandex Disk link, arrives as a RAR archive containing an LNK file that downloads and executes a malicious HTA file. The HTA drops VBS scripts that establish persistence through registry keys and scheduled tasks. The scripts copy files from the user's home directory and from Telegram's data files, then exfiltrate them to the attacker's server. Unlike a typical one-shot stealer, this malware stays resident and keeps collecting new and modified files. The campaign shows no clear connection to known threat groups and is detected as Trojan-Spy.VBS.Unicorn.
Date
Published: Sept. 20, 2024, 11:21 a.m.
Created: Sept. 20, 2024, 11:21 a.m.
Modified: Sept. 20, 2024, 11:41 a.m.
Indicators
https://support.petition-change.org/unicorn
https://yandex-drive.petition-change.org/file_preview/commecrial_list.pdf
Attack Patterns
Trojan-Spy.VBS.Unicorn
T1552.001 (Unsecured Credentials: Credentials In Files)
T1053.005 (Scheduled Task/Job: Scheduled Task)
T1059.005 (Command and Scripting Interpreter: Visual Basic)
T1074 (Data Staged)
T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)
T1005 (Data from Local System)
T1204 (User Execution)
T1041 (Exfiltration Over C2 Channel)
T1566 (Phishing)
Additional Information
Energy
Manufacturing
Russian Federation