Unicorn: New Spy Scripts Steal Data from Russian Companies

Sept. 20, 2024, 11:41 a.m.

Description

A new malware campaign targeting Russian energy companies, factories, and electronic component suppliers has been detected. The malware, distributed via email attachments or Yandex Disk links, uses RAR archives containing LNK files to download and execute malicious HTA files. These files create VBS scripts that establish persistence through registry keys and scheduled tasks. The scripts copy files from the user's home directory and Telegram data, then exfiltrate them to the attacker's server. Unlike typical attacks, this malware remains active, continuously stealing new and modified files. The campaign shows no clear connection to known threat groups and is detected as Trojan-Spy.VBS.Unicorn.

Date

Published: Sept. 20, 2024, 11:21 a.m.
Created: Sept. 20, 2024, 11:21 a.m.
Modified: Sept. 20, 2024, 11:41 a.m.

Indicators

https://support.petition-change.org/unicorn

https://yandex-drive.petition-change.org/file_preview/commecrial_list.pdf

Attack Patterns

Trojan-Spy.VBS.Unicorn

T1552.001

T1053.005

T1059.005

T1074

T1547.001

T1005

T1204

T1041

T1566

Additional Information

Energy

Manufacturing

Russian Federation