The starting point of the attack is a phishing email that impersonates a recruiter from Rothschild & Co. and claims to offer a "strategic opportunity" with the company. The email is designed to entice the recipients into opening a purported PDF attachment that, in reality, is a phishing link that redirects them to a Firebase app-hosted URL.
What's notable about the infection is that the real redirect URL is stored in the page in encrypted form and is accessible only after the victim solves a CAPTCHA verification check, ultimately leading to the download of a ZIP archive.
"Solving the puzzle executes a [JavaScript] function that decrypts it with a hard-coded key and redirects the user to the decrypted link," Seethapathy said.
"Attackers are leaning on these custom CAPTCHA gates more and more, hoping to slip past defenses that already flag phishing sites protected by Cloudflare Turnstile or Google reCAPTCHA."
Present within the archive is a Visual Basic Script (VBScript) that's responsible for retrieving a next-stage VBScript from an external server and launching it via "wscript.exe." This second-stage VBScript downloader then fetches another payload from the same server, renames it to "trm.zip," and extracts two MSI files from it: NetBird and OpenSSH.
The last phase involves installing the two programs on the infected host, creating a hidden local account, enabling remote desktop access, and persisting NetBird via scheduled tasks such that it automatically launches on system reboot. The malware also removes any NetBird desktop shortcuts to ensure that the compromise is not detected by the victim.
"This attack isn't your typical phishing scam," Seethapathy said. "It's well-crafted, targeted, subtle, and designed to slip past technology and people. It is a multi-stage attack where the adversary uses social engineering and defense evasion techniques to create and maintain persistent access to the victim system."