Analyzing FAUX#ELEVATE: Threat Actors Target France with CV Lures to Deploy Crypto miners and Infostealers Targeting Enterprise Environments

Khushal

Apr 4, 2024

tldr:

Securonix threat researchers have been tracking an ongoing campaign targeting French-speaking corporate environments through fake resumes. The campaign uses a highly obfuscated VBScript file disguised as a resume/CV document, delivered through phishing emails. Once executed, the malware deploys a multi-purpose toolkit that combines credential theft, data exfiltration, and Monero cryptocurrency mining for maximum monetization.

What makes this campaign notable is the dropper’s extreme approach to evasion. Of its 224,471 lines, only 266 (0.12%) are actual executable code; the remainder consists entirely of junk VBS comments sourced from real English sentences. The malware also uses a WMI-based domain-join gate, ensuring that payloads are delivered only to enterprise machines; standalone home systems are excluded entirely. The campaign uses Dropbox for payload hosting, compromised Moroccan WordPress sites for C2 configuration, and mail.ru SMTP infrastructure for exfiltrating stolen browser credentials and desktop files.

The use of legitimate tools and trusted services throughout the infection chain, including 7-Zip for archive extraction, Dropbox for payload hosting, and ChromElevator for credential theft, demonstrates a deliberate Living-off-the-Land strategy that makes detection significantly more challenging.

 
This is a good example of a campaign built for stealth, filtering, and profit rather than broad indiscriminate delivery.

A few points stand out technically from that report:

  • The obfuscation is extreme, but not pointless. Padding a VBScript to more than 224,000 lines with mostly junk comments is a simple way to frustrate static analysis, waste analyst time, and potentially break weaker tooling. It does not make the malware “advanced” by itself, but it is effective operationally.
  • The domain-join check is especially notable. Using WMI to verify the machine is joined to a domain before continuing suggests the operators want higher-value corporate victims and want to avoid detonating fully on home systems, researcher sandboxes, or casual test machines.
  • The monetization is layered. They are not relying on one payload. Credential theft, file exfiltration, and Monero mining together mean the attacker can still profit even if one part of the chain underperforms.
  • Living-off-the-Land elements reduce suspicion. Using legitimate or widely seen tools and services such as Dropbox and 7-Zip can blend activity into normal enterprise traffic. That does not make those services malicious, but it does make detection more dependent on context and behavior.
  • Targeting French-speaking business environments through fake resumes is socially credible. HR and recruiting workflows are naturally exposed to unsolicited attachments, so fake CV lures remain effective because they fit expected business activity.

Why defenders should care

This kind of campaign is difficult to catch with a single control because it mixes:

  • Phishing
  • Script-based execution
  • Environment awareness
  • Legitimate hosting/services
  • Post-infection modular tooling

That usually means prevention has to be layered as well:

  • Email security: Block or heavily inspect script-based attachments and archive chains.
  • Script controls: Restrict or monitor VBScript execution where it is not needed.
  • Endpoint visibility: Watch for unusual WMI queries, 7-Zip spawning from user-writable locations, browser credential access, and unexpected miner behavior.
  • Network monitoring: Pay attention to unusual Dropbox access patterns, outbound SMTP use that does not match your normal mail flow, and connections to newly observed or compromised sites.
  • User awareness: HR and recruiting teams should treat resume attachments as high-risk content unless opened through protected workflows.

One caution on interpretation

I would avoid treating “uses Dropbox” or “uses WordPress sites” as useful standalone indicators. Those services are legitimate and heavily used. The stronger signals are the sequence of behavior and the process chain, not the brand names involved.

Bottom line

The campaign is notable less because of any single novel trick and more because it combines targeted filtering, heavy obfuscation, legitimate services, and multiple monetization paths into one practical enterprise-focused chain. For defenders, behavior-based detection and restricting unnecessary script execution are likely more valuable here than relying only on signatures.
 
Executive Summary
The FAUX#ELEVATE campaign is a highly obfuscated, multi-stage operation targeting French-speaking corporate environments via resume-themed phishing emails. The initial VBScript dropper is explicitly designed to infect only domain-joined machines, deploying a suite of tools including the XMRig cryptominer, ChromElevator credential stealers, and a persistent Remote Access Trojan (RAT). Standalone or home systems that fail the domain check are bypassed, experiencing only an aggressive User Account Control (UAC) prompt loop rather than the full payload chain.

Technical Analysis & Remediations

MITRE ATT&CK Mapping

  • T1566.001 – Phishing: Spearphishing Attachment (French CV-themed VBS dropper named nouveau_curriculum_vitae.vbs).
  • T1082 – System Information Discovery (WMI Win32_ComputerSystem.PartOfDomain check).
  • T1548.002 – Abuse Elevation Control: Bypass UAC (modifies the EnableLUA registry value).
  • T1562.001 – Impair Defenses: Disable/Modify Tools (Defender exclusions via PowerShell).
  • T1555.003 – Credentials from Password Stores: Browsers (ChromElevator module bypasses Chromium App-Bound Encryption).
  • T1496 – Resource Hijacking (XMRig Monero mining using the WinRing0x64.sys driver).

CVE Profile
N/A [CISA KEV Status: Inactive].
The attack relies entirely on social engineering and abuse of native Windows administration features rather than on specific software vulnerabilities.

Telemetry

Hashes

nouveau_curriculum_vitae.vbs: f33586a516e58b2f349dfd7743702f43f5e0ece769ed46088d3400d1b0f0b10b

RuntimeHost.exe: 853d8001c173520a7f459be73ac6bb7f0363db3beb7632f0a6059fb88b288b6a

IPs/Domains

46.105.76[.]166 (C2)
217.64.148[.]121 (C2)
eufr18-166.workdns[.]com (C2 DDNS)
smtp.mail[.]ru (exfiltration endpoint via port 465)

Registry Keys

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (set to 0 to disable UAC)
HKCU\Software\Microsoft\Windows\CurrentVersion\Run (persistence for Microsoft Media Service)

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Initiate incident response protocols for potential enterprise-wide credential compromise.

Command
Notify internal stakeholders that French-speaking HR and recruitment staff are actively targeted by CV lures.

DETECT (DE) – Monitoring & Analysis

Command
Hunt for wscript[.]exe spawning powershell[.]exe with command line arguments containing Add-MpPreference -ExclusionPath.

Command
Monitor outbound traffic to smtp.mail.ru on port 465 originating from scripting engines or unusual processes.

Command
Alert on explorer[.]exe establishing network connections to ports 7077 or 62046.
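The three DETECT hunts above, written out as a triage pass over Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records. This is an added example, not code from the Securonix report or this post; the field names follow the Sysmon schema, and the event records are constructed sample data rather than real telemetry.

```python
import re

# Indicators from the post: scripting engines, the Defender exclusion command,
# the exfiltration SMTP port, and the two ports explorer.exe was seen using.
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
EXCLUSION_RE = re.compile(r"add-mppreference\s+.*-exclusionpath", re.IGNORECASE)
RAT_PORTS = {7077, 62046}
SMTP_TLS_PORT = 465

def basename(path: str) -> str:
    # Lower-cased file name from a Windows path ("" stays "").
    return path.rsplit("\\", 1)[-1].lower()

def triage(events: list[dict]) -> list[str]:
    """Return one alert string per Sysmon-style event that matches a DETECT hunt."""
    alerts = []
    for ev in events:
        img = basename(ev.get("Image", ""))
        if ev["EventID"] == 1:  # process creation
            parent = basename(ev.get("ParentImage", ""))
            # Hunt 1: wscript.exe -> powershell.exe adding a Defender exclusion
            if (parent == "wscript.exe" and img == "powershell.exe"
                    and EXCLUSION_RE.search(ev.get("CommandLine", ""))):
                alerts.append(f"defender-exclusion-from-script pid={ev['ProcessId']}")
        elif ev["EventID"] == 3:  # network connection
            port = int(ev["DestinationPort"])
            host = ev.get("DestinationHostname", "").lower()
            # Hunt 2: SMTP over TLS (465) to mail.ru from a scripting engine
            if port == SMTP_TLS_PORT and img in SCRIPT_ENGINES and host.endswith("mail.ru"):
                alerts.append(f"smtp-exfil-from-script pid={ev['ProcessId']} host={host}")
            # Hunt 3: explorer.exe connecting out on the RAT ports
            if img == "explorer.exe" and port in RAT_PORTS:
                alerts.append(f"explorer-rat-port pid={ev['ProcessId']} port={port}")
    return alerts

# Constructed sample telemetry (not real logs): three hits and one benign connection.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden Add-MpPreference -ExclusionPath "C:\\Users\\Public"'},
    {"EventID": 3, "ProcessId": 4120, "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationHostname": "smtp.mail.ru", "DestinationPort": 465},
    {"EventID": 3, "ProcessId": 2200, "Image": r"C:\Windows\explorer.exe",
     "DestinationHostname": "eufr18-166.workdns.com", "DestinationPort": 7077},
    {"EventID": 3, "ProcessId": 2200, "Image": r"C:\Windows\explorer.exe",
     "DestinationHostname": "example.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_EVENTS)))
```

In production the same three checks would be expressed as EDR or SIEM rules; the point here is that each hunt keys on the parent/child relationship or the originating process, not on the hostname alone.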

RESPOND (RS) – Mitigation & Containment

Command
Block access to known C2 domains including eufr18-166.workdns.com and known mining pools at pool.supportxmr[.]com.

Command
Isolate any endpoint where nouveau_curriculum_vitae[.]vbs executed successfully and obtained administrative privileges.

RECOVER (RC) – Restoration & Trust

Command
Force a mandatory password reset for all user accounts exposed on compromised endpoints, prioritizing browser-saved credentials.

Command
Revert unauthorized registry modifications to EnableLUA and remove malicious scheduled tasks named MicrosoftUpdateService.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Configure email gateways to block incoming .vbs attachments.

Command
Enforce strict AppLocker or Windows Defender Application Control (WDAC) policies to prevent unauthorized script execution from C:\Users\Public\WindowsUpdate\.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
Forcefully restart the machine if you encounter a persistent User Account Control (UAC) prompt loop. Because the dropper's domain-join check means the primary payload is not deployed on standalone home computers, the emergency threat level for home users is significantly lower.

Command
Do not log into banking/email until verified clean.

Priority 2: Identity

Command
Reset passwords/MFA using a known clean device (e.g., phone on 5G) if any administrative prompts were accepted during the UAC loop.

Priority 3: Persistence

Command
Check Scheduled Tasks for MicrosoftUpdateService and inspect Registry Run keys for z_MicrosoftEdgeAutoLaunch_2EDFBF or Microsoft Media Service.

Hardening & References

Baseline

CIS Benchmarks for Windows 10/11 (Enforce UAC, restrict script execution).

Framework
NIST CSF 2.0 / SP 800-61r3.

Source

Securonix Threat Research