Warning Against Phishing Emails Prompting Execution of Commands via Paste

June 6, 2024, 8:05 a.m.

Description

This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exercising caution with files from unknown sources.

Date

  • Created: June 6, 2024, 7:18 a.m.
  • Published: June 6, 2024, 7:18 a.m.
  • Modified: June 6, 2024, 8:05 a.m.

Indicators

Attack Patterns

  • DarkGate
  • T1136.002
  • T1053.005
  • T1574.002
  • T1059.005
  • T1059.001
  • T1547.001
  • T1027.005
  • T1204.002
  • T1105
  • T1219
  • T1140
  • T1027
  • T1078