CyberSecurityBoard
Sponsor Register Login

Operation RusticWeb Using PowerShell Commands to filtrate Doc

Hackers use PowerShell commands because they provide a powerful scripting environment on Windows systems, allowing them to stealthily execute malicious scripts and commands called Operation RusticWeb.
The PowerShell's capabilities make it an attractive tool for gaining:-.
Cybersecurity researchers at SEQRITE Labs recently identified operation RusticWeb, in which they found threat actors using PowerShell commands to exfiltrate confidential documents.
The operation RusticWeb tracks overlapping tactics with Pakistan-linked APT groups like-.
While threat actors shift from compiled languages to the following languages for cross-compatibility and evasive tactics:-.
Golang malware examples include Windows-based Warp with Telegram bot C2 and Linux-based Ares RAT stager payload. Rust-based payloads in Operation RusticWeb use malicious shortcuts and a fake AWES domain for data exfiltration.
Spear-phishing targets victims with an archive file named 'IPR 2023-24,' triggering PowerShell to download scripts from rb[.
PowerShell script sets up paths for payload downloads and uploads.
The decoy PDF file extraction triggers Rust-compiled EXE payload execution.
New December payloads target Kailash Satyarthi Children's Foundation, indicating a focus on Indian government officials associated with children's foundations or societies.
In a December infection chain, maldocs were used with PowerShell scripts for enumeration and exfiltration, omitting Rust-based payloads.
Two fake domains and encrypted PowerShell scripts were involved.
Phishing maldoc initiates infection with a VBA macro containing obfuscated encrypted PowerShell commands.
Similar maldocs use modified PS commands, converting numbers to 'PoWeRSHEll' upon document opening.
PowerShell command decryption employs techniques akin to Emotet, with slight variations.
Obfuscation uses Invoke-Obfuscation techniques to mask the IEX command trigger.
Decrypted PowerShell commands download decoy files and next-stage script from domains, executing them in Downloads and Documents directories.
In the first scenario, the downloads occur from 'parichay.
In,' and in the second scenario, the fake domain mimics 'parichay.
New phishing hits the Indian government, stealing secrets via Rust payloads, encrypted PowerShell, and OshiUpload. Fake domains mimic government entities in the RusticWeb attack, possibly tied to the APT threat linked to Pakistan.


This Cyber News was published on gbhackers.com. Publication date: Sat, 23 Dec 2023 10:13:05 +0000


Cyber News related to Operation RusticWeb Using PowerShell Commands to filtrate Doc

Operation RusticWeb Using PowerShell Commands to filtrate Doc - Hackers use PowerShell commands because they provide a powerful scripting environment on Windows systems, allowing them to stealthily execute malicious scripts and commands called Operation RusticWeb. The PowerShell's capabilities make it an ...
11 months ago Gbhackers.com
BianLian GOs for PowerShell After TeamCity Exploitation - In conjunction with GuidePoint's DFIR team, we responded to an incident that began with the exploitation of a TeamCity server which resulted in the deployment of a PowerShell implementation of BianLian's GO backdoor. The threat actor identified a ...
9 months ago Securityboulevard.com
Fake IT support sites push malicious PowerShell scripts as Windows fixes - First discovered by eSentire's Threat Response Unit, the fake support sites are promoted through YouTube channels that have been compromised and hijacked to add legitimacy to the content creator. In particular, the threat actors are creating fake ...
5 months ago Bleepingcomputer.com
The law enforcement operations targeting cybercrime in 2023 - In 2023, we saw numerous law enforcement operations targeting cybercrime operations, including cryptocurrency scams, phishing attacks, credential theft, malware development, and ransomware attacks. While some of these operations were more successful ...
11 months ago Bleepingcomputer.com
Hackers Gaining Unauthorized Access to Windows Devices Through Silver and BYOVD Exploits - Last summer, cybercriminals began using Sliver as an alternative to Cobalt Strike, using it for monitoring networks, executing commands, loading reflective DLLs, spawning sessions, and manipulating processes. Recently, attacks have been observed ...
1 year ago Heimdalsecurity.com
SQL Brute Force leads to Bluesky Ransomware - In December 2022, we observed an intrusion on a public-facing MSSQL Server, which resulted in BlueSky ransomware. First discovered in June 2022, BlueSky ransomware has code links to Conti and Babuk ransomware. While other reports point to malware ...
1 year ago Thedfirreport.com
Hamas-Linked APT Wields New SysJoker Backdoor Against Israel - Attackers linked to the Palestinian militant group Hamas are using a revamped version of the SysJoker multi-platform backdoor to attack targets in Israel as the current conflict between the two continues despite a current pause in the fighting. An ...
1 year ago Darkreading.com
FBI disrupts Blackcat ransomware operation, creates decryption tool - The Department of Justice announced today that the FBI successfully breached the ALPHV ransomware operation's servers to monitor their activities and obtain decryption keys. On December 7th, BleepingComputer first reported that the ALPHV, aka ...
1 year ago Bleepingcomputer.com
Variants of RussianSupported Gamaredons Malware Aimed at Ukrainian Government Agencies - The State Cyber Protection Centre of Ukraine has identified the Russian state-sponsored threat actor known as Gamaredon for its cyber attacks on public authorities and critical information infrastructure in the country. This advanced persistent ...
1 year ago Thehackernews.com
Iranian Hackers Use New C2 Tool 'DarkBeatC2' in Recent Operation - MuddyWater, an Iranian threat actor, has used a novel command-and-control infrastructure known as DarkBeatC2 in its the most recent attack. This tool joins a list of previously used systems, including SimpleHarm, MuddyC3, PhonyC2, and MuddyC2Go. In a ...
8 months ago Cysecurity.news
CVE-2017-3635 - Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/C). Supported versions that are affected are 6.1.10 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via ...
5 years ago
MuddyC2Go: New C2 Framework Iranian Hackers Using Against Israel - Iranian nation-state actors have been observed using a previously undocumented command-and-control framework called MuddyC2Go as part of attacks targeting Israel. "The framework's web component is written in the Go programming language," Deep ...
1 year ago Thehackernews.com
Ukraine Military Targeted With Russian APT PowerShell Attack - A sophisticated Russian advanced persistent threat has launched a targeted PowerShell attack campaign against the Ukrainian military. The attack is most likely perpetrated by malicious threat actors related to Shuckworm, a group with a history of ...
10 months ago Darkreading.com
Iranian Hackers Attack Telecom Companies Using Custom Tools - The telecommunications companies in Egypt, Sudan, and Tanzania have been the target of the Iranian espionage group Seedworm, which is known as Muddywater. The attack took place in November 2023, and the attackers used a range of tools, including the ...
1 year ago Cybersecuritynews.com
Ukraine Targeted by UAC-0050 Using Remcos RAT Pipe Method - Remcos RAT is a type of Remote Access Trojan used for unauthorized access and control of a computer system. It allows threat actors to perform various malicious activities like:-. Cybersecurity researchers at Uptycs recently discovered that the ...
11 months ago Gbhackers.com
CVE-2018-8256 - A remote code execution vulnerability exists when PowerShell improperly handles specially crafted files, aka "Microsoft PowerShell Remote Code Execution Vulnerability." This affects Windows RT 8.1, PowerShell Core 6.0, ...
3 years ago
'Ov3r Stealer' Malware Spreads Through Facebook to Steal Crates of Info - The malware by design exfiltrates specific types of data such as geolocation, hardware info, passwords, cookies, credit card information, auto-fills, browser extensions, crypto wallets, Office documents, and antivirus product information, according ...
10 months ago Darkreading.com
Russian Cyberattackers Launch Multiphase PsyOps Campaign - Russia-linked threat actors employed both PysOps and spear-phishing to target users over several months at the end of 2023 in a multiwave campaign aimed at spreading misinformation in Ukraine and stealing Microsoft 365 credentials across Europe. The ...
9 months ago Darkreading.com
StripedFly malware framework infects 1 million Windows, Linux hosts - A sophisticated cross-platform malware platform named StripedFly flew under the radar of cybersecurity researchers for five years, infecting over a million Windows and Linux systems during that time. Kaspersky discovered the true nature of the ...
1 year ago Bleepingcomputer.com
Microsoft shares script to update Windows 10 WinRE with BitLocker fixes - Microsoft has released a PowerShell script to automate updating the Windows Recovery Environment partition in order to fix CVE-2024-20666, a vulnerability that allowed for BitLocker encryption bypass. This security issue was resolved in the KB5034441 ...
11 months ago Bleepingcomputer.com
CVE-2018-8327 - A remote code execution vulnerability exists in PowerShell Editor Services, aka "PowerShell Editor Services Remote Code Execution Vulnerability." This affects PowerShell Editor, PowerShell Extension. ...
3 years ago
CVE-2018-8415 - A tampering vulnerability exists in PowerShell that could allow an attacker to execute unlogged code, aka "Microsoft PowerShell Tampering Vulnerability." This affects Windows 7, PowerShell Core 6.1, Windows Server 2012 R2, Windows RT 8.1, ...
6 years ago
#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability - These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures and indicators of compromise to help organizations protect against ransomware. Historically, LockBit 3.0 affiliates have conducted attacks ...
1 year ago Cisa.gov
'Operation Endgame' Hits Malware Delivery Platforms - Law enforcement agencies in the United States and Europe today announced Operation Endgame, a coordinated action against some of the most popular cybercrime platforms for delivering ransomware and data-stealing malware. A frame from one of three ...
6 months ago Krebsonsecurity.com
ALPHV ransomware site outage rumored to be caused by law enforcement - A law enforcement operation is rumored to be behind an outage affecting ALPHV ransomware gang's websites over the last 30 hours. The ALPHV negotiation and data leak sites suddenly became unavailable yesterday and continue to remain down today. ...
1 year ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)