Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud
Briefly

"Their new multi-format attack chain and possible use of artificial intelligence (AI) to convert propagation scripts from PowerShell to Python exemplifies a layered approach that has enabled Water Saci to bypass conventional security controls, exploit user trust across multiple channels, and ramp up their infection rates," Trend Micro researchers Jeffrey Francis Bonaobra, Sarah Pearl Camiling, Joe Soares, Byron Gelera, Ian Kenefick, and Emmanuel Panopio said.
Users who receive HTA files are deceived into executing a Visual Basic Script immediately upon opening, which then runs PowerShell commands to fetch next-stage payloads from a remote server, an MSI installer for the trojan and a Python script that's responsible for spreading the malware via WhatsApp Web. "This newly observed variant allows for broader browser compatibility, object-oriented code structure, enhanced error handling, and faster automation of malware delivery through WhatsApp Web," Trend Micro said.
Water Saci shifted to a sophisticated, multi-format infection chain using HTA files and malicious PDFs to propagate a worm that deploys a banking trojan via WhatsApp. HTA files execute a Visual Basic Script that runs PowerShell to retrieve next-stage payloads from a remote server, including an MSI installer and a Python propagation script. The campaign moved from PowerShell to a Python-based variant offering broader browser compatibility, object-oriented structure, enhanced error handling, and faster automation. PDF lures prompt victims to update Adobe Reader via embedded links. The MSI installer serves as a conduit for delivering the banking trojan.
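As an added example, not code from the Trend Micro or Hacker News write-ups, the following detector walks constructed process-creation events for the ancestry the summary describes: an HTA host (assumed here to be mshta.exe) running PowerShell, which in turn launches an MSI installer or a Python interpreter. All PIDs and paths are made up for illustration.

```python
"""Flag process ancestries matching the HTA -> PowerShell -> MSI/Python chain.

Constructed Sysmon-style process-creation events (not real telemetry) are
embedded so the script runs offline.
"""
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image")

# Constructed sample telemetry; PIDs and paths are invented for illustration.
EVENTS = [
    Event(400, 1, r"C:\Windows\explorer.exe"),
    Event(512, 400, r"C:\Windows\System32\mshta.exe"),
    Event(600, 512, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Event(650, 600, r"C:\Windows\System32\msiexec.exe"),
    Event(700, 600, r"C:\Users\u\AppData\Local\Programs\Python\python.exe"),
    Event(800, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Event(810, 800, r"C:\Windows\System32\msiexec.exe"),  # benign admin install
]

HTA_HOST = {"mshta.exe"}                       # assumed HTA host process
SHELLS = {"powershell.exe", "pwsh.exe"}
STAGE2 = {"msiexec.exe", "python.exe", "pythonw.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid, by_pid):
    """Image basenames from the given process up to the root, child first."""
    chain = []
    while pid in by_pid:
        ev = by_pid[pid]
        chain.append(basename(ev.image))
        pid = ev.ppid
    return chain


def find_hta_chains(events):
    """Return (pid, ancestry) for MSI/Python processes that have a shell
    ancestor which itself descends from an HTA host, at any depth."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        chain = ancestry(e.pid, by_pid)
        if chain[0] not in STAGE2:
            continue
        shell = next((i for i, n in enumerate(chain) if n in SHELLS), None)
        if shell is not None and any(n in HTA_HOST for n in chain[shell + 1:]):
            hits.append((e.pid, chain))
    return hits
```

Run against the sample, only the two processes under the mshta.exe lineage are flagged; the PowerShell-driven install launched directly from explorer.exe is not.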
Read at The Hacker News