A large-scale campaign that combines fileless techniques and Lua-based loaders with low detection rates to deploy various malware families. These attack campaigns involve the threat actor impersonating well-known companies by creating a sense of urgency through phishing attacks. To evade detection, the actor employs multi-layered, highly obfuscated stages, including extensive junk code and an AutoIt/Lua loader masquerading as a TrueType Font (.ttf) file. The execution flow begins by verifying two conditions: the absence of the next-stage files and whether a specific variable is set to 'YESSSSSSSS.' If both conditions are met, the script copies itself to the folder and establishes persistence via a Scheduled Task.
It then extracts hardcoded, encoded data and processes it through a series of steps before saving the resulting data to a specified file path. The dropped.ttf file is actually a disguised Lua script that employs a three-step method for parsing the encoded payload: reversing a hardcoded string, applying replacement rules, and decoding from Base64. The script then applies a custom ROT cipher using the formula 94 – {first_byte} - 128 to ensure the output consists of printable ASCII characters.[/subscribe_to_unlock_form]
A large-scale campaign that combines fileless techniques and Lua-based loaders with low detection rates to deploy various malware families. These attack campaigns involve the threat actor impersonating well-known companies by creating a sense of urgency through phishing attacks. To evade detection, the actor employs multi-layered, highly obfuscated stages, including extensive junk code and an AutoIt/Lua loader masquerading as a TrueType Font (.ttf) file. The execution flow begins by verifying two conditions: the absence of the next-stage files and whether a specific variable is set to 'YESSSSSSSS.' If both conditions are met, the script copies itself to the folder and establishes persistence via a Scheduled Task.
It then extracts hardcoded, encoded data and processes it through a series of steps before saving the resulting data to a specified file path. The dropped.ttf file is actually a disguised Lua script that employs a three-step method for parsing the encoded payload: reversing a hardcoded string, applying replacement rules, and decoding from Base64. The script then applies a custom ROT cipher using the formula 94 – {first_byte} - 128 to ensure the output consists of printable ASCII characters.[emaillocker id="1283"]
The threat actor's goal is to deploy various malware families, including Agent Tesla, Remcos, XWorm, and Best Private LOGGER, by establishing persistence via a Scheduled Task. The campaign has been successful in evading detection due to its multi-layered obfuscation techniques. The financial institutions targeted are at high risk of data theft or follow-on attacks. Defenders should be aware of the threat actor's tactics, techniques, and procedures (TTPs), including their use of Lua-based loaders and fileless techniques. They should also be prepared for the possibility of lateral movement and remote control following initial compromise.
| Tactic | Technique Id | Technique | Sub-technique |
|---|---|---|---|
| Initial access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.006 | Command and Scripting Interpreter | Python |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Defence Evasion | T1027 | Obfuscated Files or Information | - |
| Defence Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| Objective | Behavior ID | Behavior |
|---|---|---|
| Anti-Static Analysis | B0032 | Executable Code Obfuscation |
| Anti-Behavioral Analysis | B0003 | Dynamic Analysis Evasion |
| Execution | E1204 | User Execution |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Exfiltration | E1020 | Automated Exfiltration |
| Discovery | E1083 | File and Directory Discovery |
| Command & Control | B0030 | C2 Communication |
| Defense Evasion | B0029 | Polymorphic Code |
The following reports contain further technical details:
[/emaillocker]