Operation RusticWeb Using PowerShell Commands to Exfiltrate Documents

Hackers favor PowerShell commands because they provide a powerful scripting environment on Windows systems, letting them stealthily execute malicious scripts and commands; Operation RusticWeb is one campaign built on exactly this.
PowerShell's capabilities make it an attractive tool for attackers.
Cybersecurity researchers at SEQRITE Labs recently identified Operation RusticWeb, in which threat actors use PowerShell commands to exfiltrate confidential documents.
Operation RusticWeb's tactics overlap with those of Pakistan-linked APT groups.
The threat actors are also shifting from other compiled languages to Golang and Rust for cross-platform compatibility and evasion.
Golang malware examples include the Windows-based Warp, which uses a Telegram bot as its C2, and a Linux-based Ares RAT stager payload. The Rust-based payloads in Operation RusticWeb use malicious shortcuts and a fake AWES domain for data exfiltration.
The spear-phishing lure is an archive file named 'IPR 2023-24', which triggers PowerShell to download scripts from rb[.
The PowerShell script sets up paths for payload downloads and uploads.
Extracting the decoy PDF triggers execution of the Rust-compiled EXE payload.
New December payloads target Kailash Satyarthi Children's Foundation, indicating a focus on Indian government officials associated with children's foundations or societies.
In a December infection chain, maldocs were used with PowerShell scripts for enumeration and exfiltration, omitting Rust-based payloads.
Two fake domains and encrypted PowerShell scripts were involved.
The phishing maldoc initiates the infection with a VBA macro containing obfuscated, encrypted PowerShell commands.
Similar maldocs use modified PowerShell commands that convert a series of numbers into the string 'PoWeRSHEll' when the document is opened.
PowerShell command decryption employs techniques akin to Emotet, with slight variations.
Obfuscation uses Invoke-Obfuscation techniques to mask the IEX command trigger.
Decrypted PowerShell commands download decoy files and next-stage script from domains, executing them in Downloads and Documents directories.
In the first scenario, the downloads occur from 'parichay. In,' and in the second scenario, the fake domain mimics 'parichay.
New phishing hits the Indian government, stealing secrets via Rust payloads, encrypted PowerShell, and OshiUpload. Fake domains mimic government entities in the RusticWeb attack, possibly tied to the APT threat linked to Pakistan.


This Cyber News was published on gbhackers.com. Publication date: Sat, 23 Dec 2023 10:13:05 +0000


Cyber News related to Operation RusticWeb Using PowerShell Commands to Exfiltrate Documents

BianLian GOs for PowerShell After TeamCity Exploitation - In conjunction with GuidePoint's DFIR team, we responded to an incident that began with the exploitation of a TeamCity server which resulted in the deployment of a PowerShell implementation of BianLian's GO backdoor. The threat actor identified a ...
1 year ago Securityboulevard.com CVE-2024-27198 CVE-2023-42793 BianLian
Fake IT support sites push malicious PowerShell scripts as Windows fixes - First discovered by eSentire's Threat Response Unit, the fake support sites are promoted through YouTube channels that have been compromised and hijacked to add legitimacy to the content creator. In particular, the threat actors are creating fake ...
11 months ago Bleepingcomputer.com
The law enforcement operations targeting cybercrime in 2023 - In 2023, we saw numerous law enforcement operations targeting cybercrime operations, including cryptocurrency scams, phishing attacks, credential theft, malware development, and ransomware attacks. While some of these operations were more successful ...
1 year ago Bleepingcomputer.com
Fake Captcha Malware Attacking Windows Users To execute PowerShell Commands - A sophisticated malware campaign is targeting Windows users through deceptive CAPTCHA verification prompts that trick victims into executing malicious PowerShell scripts. Security experts recommend implementing robust security awareness training and ...
2 months ago Cybersecuritynews.com
Hackers Gaining Unauthorized Access to Windows Devices Through Sliver and BYOVD Exploits - Last summer, cybercriminals began using Sliver as an alternative to Cobalt Strike, using it for monitoring networks, executing commands, loading reflective DLLs, spawning sessions, and manipulating processes. Recently, attacks have been observed ...
2 years ago Heimdalsecurity.com
New ClickFix attack deploys Havoc C2 via Microsoft Sharepoint - A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havok post-exploitation framework for remote access to compromised devices. Threat actors have also begun to evolve the ...
2 months ago Bleepingcomputer.com
New KoiLoader Abuses PowerShell Scripts to Deliver Malicious Payload - Cyber Security News - This updated strain employs PowerShell scripts embedded within Windows shortcut (LNK) files to bypass traditional detection mechanisms, demonstrating a concerning evolution in attack methodologies. eSentire's Threat Response Unit (TRU) first ...
1 month ago Cybersecuritynews.com
FBI disrupts Blackcat ransomware operation, creates decryption tool - The Department of Justice announced today that the FBI successfully breached the ALPHV ransomware operation's servers to monitor their activities and obtain decryption keys. On December 7th, BleepingComputer first reported that the ALPHV, aka ...
1 year ago Bleepingcomputer.com LockBit Noescape
CVE-2017-3635 - Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/C). Supported versions that are affected are 6.1.10 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via ...
5 years ago
Hamas-Linked APT Wields New SysJoker Backdoor Against Israel - Attackers linked to the Palestinian militant group Hamas are using a revamped version of the SysJoker multi-platform backdoor to attack targets in Israel as the current conflict between the two continues despite a current pause in the fighting. An ...
1 year ago Darkreading.com
SQL Brute Force leads to Bluesky Ransomware - In December 2022, we observed an intrusion on a public-facing MSSQL Server, which resulted in BlueSky ransomware. First discovered in June 2022, BlueSky ransomware has code links to Conti and Babuk ransomware. While other reports point to malware ...
1 year ago Thedfirreport.com CVE-2023-27350 BianLian
Chihuahua Stealer Leverages Google Drive Document to Steal Browser Login Credentials - A newly discovered .NET-based infostealer dubbed “Chihuahua Stealer” has emerged as a significant threat, exploiting Google Drive documents to deliver malicious PowerShell scripts and steal sensitive data. Organizations are advised to ...
2 weeks ago Cybersecuritynews.com
Variants of Russian-Supported Gamaredon's Malware Aimed at Ukrainian Government Agencies - The State Cyber Protection Centre of Ukraine has identified the Russian state-sponsored threat actor known as Gamaredon for its cyber attacks on public authorities and critical information infrastructure in the country. This advanced persistent ...
2 years ago Thehackernews.com Turla
Iranian Hackers Use New C2 Tool 'DarkBeatC2' in Recent Operation - MuddyWater, an Iranian threat actor, has used a novel command-and-control infrastructure known as DarkBeatC2 in its most recent attack. This tool joins a list of previously used systems, including SimpleHarm, MuddyC3, PhonyC2, and MuddyC2Go. In a ...
1 year ago Cysecurity.news MuddyWater
Russian hackers attack Western military mission using malicious drive - The Russian state-backed hacking group Gamaredon (aka “Shuckworm”) has been targeting a military mission of a Western country in Ukraine in attacks likely deployed from removable drives. Symantec threat researchers say the ...
1 month ago Bleepingcomputer.com
MuddyC2Go: New C2 Framework Iranian Hackers Using Against Israel - Iranian nation-state actors have been observed using a previously undocumented command-and-control framework called MuddyC2Go as part of attacks targeting Israel. "The framework's web component is written in the Go programming language," Deep ...
1 year ago Thehackernews.com MuddyWater
Agent Tesla Malware Employs Multi-Stage Attacks Using PowerShell Scripts - Security researchers have identified a sophisticated malware campaign utilizing Agent Tesla variants delivered through elaborate multi-stage attack sequences. Broadcom researchers noted that these Agent Tesla variants employ particularly ...
1 month ago Cybersecuritynews.com
Attackers Using Weaponized CAPTCHAs to Execute PowerShell Commands & Install Malware - A growing attack trend since the second half of 2024 involves threat actors using fake CAPTCHA challenges to trick users into executing malicious PowerShell commands and infecting their systems with dangerous malware. When users interact with these ...
2 months ago Cybersecuritynews.com
North Korean Hackers Weaponizing ZIP Files To Execute Malicious PowerShell Scripts - The LNK file contains embedded code that executes PowerShell commands to extract multiple components: a decoy HWPX document (a Korean document format), executable data files, and a batch script. While the security analyst, Mohamed Ezat from ZW01f ...
2 months ago Cybersecuritynews.com APT3 APT37
Ukraine Targeted by UAC-0050 Using Remcos RAT Pipe Method - Remcos RAT is a type of Remote Access Trojan used for unauthorized access and control of a computer system. It allows threat actors to perform various malicious activities like:-. Cybersecurity researchers at Uptycs recently discovered that the ...
1 year ago Gbhackers.com
Ukraine Military Targeted With Russian APT PowerShell Attack - A sophisticated Russian advanced persistent threat has launched a targeted PowerShell attack campaign against the Ukrainian military. The attack is most likely perpetrated by malicious threat actors related to Shuckworm, a group with a history of ...
1 year ago Darkreading.com
Malicious JScript Loader Jailbroken to Uncover XWorm Payload Execution Flow - This analysis highlights the evolution of modern malware distribution techniques, blending sophisticated obfuscation with targeted delivery mechanisms to maximize infection success while minimizing detection. This loader operates through a ...
1 month ago Cybersecuritynews.com
LummaStealer’s FakeCAPTCHA Steals Browser Credentials Via Weaponized Microsoft Word Files - Cyber Security News - This deceptive chain utilizes the Net.WebClient PowerShell function to pull remote payloads while hiding execution through parameters like “-hidden” and “bypass” to create concealed PowerShell windows. Security professionals ...
4 weeks ago Cybersecuritynews.com CVE-2023-44221