In the words of Cisco Talos researchers, “infection starts with an email message containing a legitimate-looking subject line that seems to relate to a business.” This email carries a RAR file with an unusual .r00 extension, which imitates the characteristics of a RAR file in order to bypass detection programs that filter out attachments on the basis of file extensions.

Inside is a CHM file, which the researchers say “is a compiled HTML file that contains an embedded HTML file with JavaScript code to start the active infection process.” Every stage in the process is “obfuscated” to escape detection “using single signatures.” The second stage is essentially a PowerShell script that deciphers the embedded code into a downloader, which downloads the main PowerShell loader to host the malware files.

“The Masslogger loaders seem to be hosted on compromised legitimate hosts with a filename containing one letter and one number concatenated with the filename extension .jpg,” the researchers said in the report; for instance, “D9.jpg”.

The main payload is the actual Masslogger variant, which fetches user credentials from several sources, such as browsers and instant messaging apps, affecting both personal and business users.
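The extension trick above works only against filters that trust the file name. As an added example (not code from the Cisco Talos report or this article), the check below identifies attachments by their leading bytes instead, flags RAR content hiding behind a non-.rar name, and matches the one-letter-plus-one-digit ".jpg" loader naming the report describes. The escalation policy, the sample attachments and the function names are assumptions for illustration.

```python
import re
from typing import List, Optional

# Public file signatures (magic bytes) for the two container formats in the chain:
# RAR 4.x and RAR 5 archives, and CHM (ITSF) compiled HTML help files.
MAGIC = {
    "rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),
    "chm": (b"ITSF",),
}
RAR_EXTENSIONS = {"rar"}
# Assumed triage policy: archives and CHM attachments are always escalated.
ESCALATE = {"rar", "chm"}

def content_type(data: bytes) -> Optional[str]:
    """Identify an attachment by its leading bytes, ignoring its name entirely."""
    for kind, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    return None

def triage_attachment(filename: str, data: bytes) -> List[str]:
    """Return the findings for one attachment (an empty list means nothing flagged)."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = content_type(data)
    # RAR bytes under a name that is not *.rar (e.g. .r00) is the extension bypass.
    if kind == "rar" and ext not in RAR_EXTENSIONS:
        findings.append(f"rar-content-with-{ext or 'no'}-extension")
    if kind in ESCALATE:
        findings.append(f"escalate-{kind}")
    return findings

# One letter, one digit, ".jpg" (the report's example is D9.jpg).
LOADER_NAME = re.compile(r"^[A-Za-z][0-9]\.jpg$")

def is_loader_like_name(filename: str) -> bool:
    """True when a fetched file name matches the loader naming pattern."""
    return bool(LOADER_NAME.match(filename))

# Constructed samples: only the first bytes matter for the check.
SAMPLES = [
    ("invoice_2021.r00", b"Rar!\x1a\x07\x00" + b"\x00" * 16),
    ("notes.chm", b"ITSF\x03\x00\x00\x00" + b"\x00" * 16),
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(name, triage_attachment(name, blob))
    print("D9.jpg", is_loader_like_name("D9.jpg"))
```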