
"The phishing emails contain malicious Scalable Vector Graphics (SVG) files designed to trick recipients into opening harmful attachments," Fortinet FortiGuard Labs researcher Yurren Wan said in a report shared with The Hacker News. In the attack chains documented by the cybersecurity company, the SVG files are used to initiate the download of a password-protected ZIP archive, which contains a Compiled HTML Help (CHM) file. The CHM file, when launched, activates a chain of events that culminate in the deployment of CountLoader."
"CountLoader, which was the subject of a recent analysis by Silent Push, has been found to drop various payloads like Cobalt Strike, AdaptixC2, and PureHVNC RAT. In this attack chain, however, it serves as a distribution vector for Amatera Stealer, a variant of ACRStealer, and PureMiner, a stealthy .NET cryptocurrency miner. It's worth pointing out that both PureHVNC RAT and PureMiner are part of a broader malware suite developed by a threat actor known as PureCoder."
Phishing emails impersonating the National Police of Ukraine carry malicious SVG attachments that trigger the download of a password-protected ZIP archive containing a CHM file. When the CHM file is executed, it launches a chain of events that deploys CountLoader. CountLoader acts as a distribution stage and drops Amatera Stealer (a variant of ACRStealer) and PureMiner, a stealthy .NET cryptocurrency miner. Both payloads run filelessly: they are executed via .NET Ahead-of-Time compilation combined with process hollowing, or loaded directly into memory using PythonMemoryModule. CountLoader has also been observed dropping Cobalt Strike, AdaptixC2, and PureHVNC RAT. PureMiner and PureHVNC RAT belong to the PureCoder malware suite, which also includes PureCrypter, PureRAT, PureLogs, BlueLoader, and PureClipper.
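The chain above (SVG attachment, then a password-protected ZIP, then a CHM inside it) can be triaged at the mail gateway before any stage runs. The following is an added example written for this page, not code from Fortinet, Silent Push, or The Hacker News: it flags SVGs that carry active content or archive download links, and it lists the members of a ZIP without the password, because ZIP encryption covers member data while the central directory (file names, sizes, flags) stays readable. The SVG samples and the one-member ZIP are constructed here; the `simulate_password` patch only sets the archive's "encrypted" flag bit by hand, since the standard library cannot write real encrypted archives.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Hypothetical attachment-triage helpers (not the campaign's or any vendor's code).
# For untrusted XML in production, parse with defusedxml rather than the stdlib parser.

ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
EVENT_ATTR_RE = re.compile(r"^on[a-z]+$", re.IGNORECASE)
ARCHIVE_EXT_RE = re.compile(r"\.(zip|rar|7z|iso|chm|exe|js|hta)\b", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip an XML namespace prefix like '{http://...}' from a tag or attribute."""
    return name.split("}")[-1]


def svg_indicators(svg_bytes: bytes) -> list[str]:
    """Return indicators of active or download-capable content found in an SVG."""
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return ["unparseable-xml"]
    for elem in root.iter():
        tag = _local(elem.tag).lower()
        if tag in ACTIVE_TAGS:
            findings.append(f"active-element:{tag}")
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()
            if EVENT_ATTR_RE.match(name):  # onload=, onclick=, ... run script on render
                findings.append(f"event-handler:{name}")
            if name == "href":
                lowered = value.strip().lower()
                if lowered.startswith(("http:", "https:", "//", "javascript:", "data:")):
                    findings.append(f"external-ref:{value[:60]}")
                if ARCHIVE_EXT_RE.search(lowered):
                    findings.append(f"archive-link:{value[:60]}")
    return findings


def zip_indicators(zip_bytes: bytes) -> list[str]:
    """List suspicious members and encryption flags; no password is needed for this."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["bad-zip"]
    with zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".chm"):
                findings.append(f"chm-member:{info.filename}")
            if info.flag_bits & 0x1:  # general-purpose bit 0: member data is encrypted
                findings.append(f"encrypted-member:{info.filename}")
    return findings


def triage_attachment(filename: str, data: bytes) -> tuple[str, list[str]]:
    """Map one attachment to a verdict: 'block', 'review', or 'allow'."""
    lower = filename.lower()
    if lower.endswith(".chm"):
        return "block", ["chm-attachment"]
    if lower.endswith(".svg"):
        findings = svg_indicators(data)
    elif lower.endswith(".zip"):
        findings = zip_indicators(data)
    else:
        return "allow", []
    severe = {"active-element", "event-handler", "chm-member", "archive-link"}
    if any(f.split(":", 1)[0] in severe for f in findings):
        return "block", findings
    return ("review" if findings else "allow"), findings


def build_sample_zip(member_name: str, simulate_password: bool) -> bytes:
    """Constructed sample: a one-member stored ZIP. With simulate_password=True the
    central-directory 'encrypted' flag bit is set by hand so a parser sees the
    archive as password-protected (the member data itself is not encrypted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, b"constructed placeholder, not a real CHM")
    data = bytearray(buf.getvalue())
    if simulate_password:
        data[data.find(b"PK\x03\x04") + 6] |= 0x01  # local header flags
        data[data.find(b"PK\x01\x02") + 8] |= 0x01  # central directory flags
    return bytes(data)


# Constructed samples: a plain icon and a lure that scripts and links to an archive.
SAMPLE_BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SAMPLE_SUSPICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="go()">'
    b"<script>function go(){}</script>"
    b'<a xlink:href="https://example.invalid/download/archive.zip"><text>Open</text></a>'
    b"</svg>"
)

if __name__ == "__main__":
    print(triage_attachment("logo.svg", SAMPLE_BENIGN_SVG))
    print(triage_attachment("lure.svg", SAMPLE_SUSPICIOUS_SVG))
    print(triage_attachment("docs.zip", build_sample_zip("help.chm", True)))
```

The ZIP check is the useful part operationally: a gateway does not need the password from the lure to see that the archive contains a `.chm` and that its members are encrypted, which together are enough to hold the message for review.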
Read at The Hacker News