Unicorn: New Spy Scripts Steal Data from Russian Companies

Sept. 20, 2024, 11:41 a.m.

Description

A new malware campaign targeting Russian energy companies, factories, and electronic component suppliers has been detected. The malware, distributed via email attachments or Yandex Disk links, uses RAR archives containing LNK files to download and execute malicious HTA files. These files create VBS scripts that establish persistence through registry keys and scheduled tasks. The scripts copy files from the user's home directory and Telegram data, then exfiltrate them to the attacker's server. Unlike typical attacks, this malware remains active, continuously stealing new and modified files. The campaign shows no clear connection to known threat groups and is detected as Trojan-Spy.VBS.Unicorn.

Date

  • Created: Sept. 20, 2024, 11:21 a.m.
  • Published: Sept. 20, 2024, 11:21 a.m.
  • Modified: Sept. 20, 2024, 11:41 a.m.

Indicators

  • https://support.petition-change.org/unicorn
  • https://yandex-drive.petition-change.org/file_preview/commecrial_list.pdf

Attack Patterns

Additional Information

  • Energy
  • Manufacturing
  • Russian Federation