EXECUTIVE SUMMARY
A multi-stage intrusion campaign is underway, originating from a weaponized PowerShell payload disguised as a legitimate JPEG image file. The attack primarily targets enterprises in the Asia-Pacific and European regions and relies on exploiting user trust and bypassing conventional file-extension validation: the file looks like an image to the user and to any control that checks only the extension. The attacker's primary goal is to establish covert, persistent remote access in order to facilitate data theft, lateral movement, and potential ransomware deployment.
The infection begins with social engineering: the victim is delivered a malicious PowerShell payload disguised as a legitimate JPEG image file. Upon execution, the payload creates a staging environment under C:\Systems, downloads additional payloads from attacker-controlled infrastructure, and dynamically compiles a custom launcher binary with Microsoft's legitimate .NET compiler (csc.exe), so the final executable never has to cross the network in a form a content scanner would recognise. The attack chain incorporates advanced tradecraft, including AMSI bypass, in-memory execution, reflective .NET operations, LOLBin abuse, dynamic payload compilation, registry-based privilege escalation, anti-forensics behaviour, and encrypted command-and-control communications.
The deployed framework provides extensive post-compromise functionality, including credential harvesting, hidden desktop interaction, remote command execution, surveillance, file transfer, and persistent service orchestration. The threat is significant for organisations because it evades conventional detection mechanisms, blends malicious activity with trusted enterprise software, and maintains long-term operational access within compromised environments. The complexity of the chain, its stealth-focused persistence methods, and its reliance on advanced tradecraft make it difficult both to detect and to recover from. To mitigate this threat, organisations should implement strict governance and monitoring controls around enterprise RMM and remote administration platforms, enforce organisation-wide application allowlisting, block or closely monitor execution of commonly abused LOLBins (csc.exe included), validate file content rather than file extension alone at ingress points, and deploy detection rules for suspicious PowerShell behaviour.
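The two controls most directly implied by the chain described above are a content check behind the extension check (a ".jpg" that does not start with the JPEG Start-Of-Image marker is not an image) and a process-creation rule for PowerShell spawning csc.exe or referencing the C:\Systems staging path. The script below is an added illustration written for this page, not code from the CYFIRMA report or from the campaign; the log format (tab-separated parent image, image, command line), the file names, and the AMSI-bypass strings it matches on are constructed assumptions, and the staging directory C:\Systems is the only indicator taken from the report itself.

```python
"""Constructed triage helpers for the JPEG-masqueraded PowerShell chain.

Two offline checks a defender can run:
  1. magic-byte vs. extension mismatch for files claiming to be JPEG;
  2. process-creation events where powershell.exe spawns csc.exe, where a
     command line references the C:\\Systems staging path named in the
     report, or where a PowerShell command line carries a common
     AMSI-bypass string.
All log lines and file contents below are constructed samples.
"""
from typing import List, Optional, Tuple

JPEG_MAGIC = b"\xff\xd8\xff"      # SOI marker plus the first segment marker byte
STAGING_DIR = r"c:\systems"       # staging path from the report, matched case-insensitively
# Assumption: strings commonly seen in in-memory AMSI bypasses; tune to your telemetry.
AMSI_MARKERS = ("amsiutils", "amsiinitfailed", "amsiscanbuffer")
POWERSHELL = ("powershell.exe", "pwsh.exe")


def is_masqueraded_jpeg(name: str, data: bytes) -> bool:
    """True when a file named *.jpg/*.jpeg does not begin with the JPEG SOI marker.

    This is the content check that must sit behind any extension allowlist;
    the campaign relies on the extension check being the only one."""
    if not name.lower().endswith((".jpg", ".jpeg")):
        return False
    return not data.startswith(JPEG_MAGIC)


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(parent: str, image: str, cmdline: str) -> List[str]:
    """Return the indicators a single process-creation event trips (empty if none)."""
    hits: List[str] = []
    p, i, c = _basename(parent), _basename(image), cmdline.lower()
    if p in POWERSHELL and i == "csc.exe":
        hits.append("powershell_spawns_csc")      # T1027.004 Compile After Delivery
    if STAGING_DIR in c:
        hits.append("staging_dir_reference")      # C:\Systems staging environment
    if i in POWERSHELL and any(m in c for m in AMSI_MARKERS):
        hits.append("amsi_bypass_string")         # T1562.001 Impair Defenses
    return hits


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Parse constructed 'parent<TAB>image<TAB>cmdline' lines and return
    (line_number, indicators) for every line that trips at least one rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        parts = line.rstrip("\n").split("\t", 2)
        if len(parts) != 3:
            continue                              # malformed line: skip, do not crash
        hits = classify_event(*parts)
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample events. Line 4 is a benign Roslyn compile (svchost parent,
# no staging path) and must NOT fire, which is why the rule keys on the parent.
SAMPLE_LOG = [
    "\t".join([r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
               r"csc.exe /nologo /out:C:\Systems\launcher.exe C:\Systems\launcher.cs"]),
    "\t".join([r"C:\Windows\explorer.exe",
               r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
               r'"WINWORD.EXE" /n']),
    "\t".join([r"C:\Windows\System32\cmd.exe",
               r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"powershell -w hidden -c [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"]),
    "\t".join([r"C:\Windows\System32\svchost.exe",
               r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
               r"csc.exe /noconfig @C:\Users\dev\AppData\Local\Temp\abc.cmdline"]),
]

# Constructed file samples: a real JPEG header and a script wearing a .jpg name.
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
FAKE_JPEG = b"powershell -nop -w hidden -enc AAAA"

if __name__ == "__main__":
    print("photo.jpg masqueraded:", is_masqueraded_jpeg("photo.jpg", REAL_JPEG))
    print("invoice.jpg masqueraded:", is_masqueraded_jpeg("invoice.jpg", FAKE_JPEG))
    for line_no, hits in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(hits)}")
```

The parent-process condition matters: csc.exe is launched legitimately by MSBuild, ASP.NET and Roslyn services, so a bare "csc.exe executed" rule is too noisy to block on. Pairing it with a PowerShell parent, or with a write into a non-standard directory such as C:\Systems, is what gives the rule precision.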
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1543.003 | Create or Modify System Process | Windows Service |
| Defense Evasion | T1027 | Obfuscated Files or Information | – |
| Defense Evasion | T1027.004 | Obfuscated Files or Information | Compile After Delivery |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials In Files |
| Discovery | T1518.001 | Software Discovery | Security Software Discovery |
| Lateral Movement | T1021 | Remote Services | – |
| Collection | T1113 | Screen Capture | – |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | – |
| Impact | T1486 | Data Encrypted for Impact | – |
REFERENCES:
The reports contain further technical details:
https://www.cyfirma.com/research/operation-silentcanvas-jpeg-based-multistage-powershell-intrusion/
https://cybersecuritynews.com/hackers-use-weaponized-jpeg-file/