A new multi-stage phishing campaign has been observed targeting users in Russia with ransomware and a remote access trojan called Amnesia RAT. The campaign leverages social engineering to distribute compressed archives, which contain multiple decoy documents and a malicious Windows shortcut (LNK) with Russian-language filenames.
The LNK file uses a double extension ("Задание_для_бухгалтера_02отдела.txt.lnk") to give the impression that it's a text file. When executed, it runs a PowerShell command to retrieve the next-stage PowerShell script hosted on a GitHub repository ("github[.]com/Mafin111/MafinREP111"), which then serves as a first-stage loader to establish a foothold, readies the system to hide evidence of malicious activity, and hands off control flow to subsequent stages.
"The script first suppresses visible execution by programmatically hiding the PowerShell console window," Fortinet said. "This removes any immediate visual indicators that a script is running. It then generates a decoy text document in the user's local application data directory. Once written to disk, the decoy document is automatically opened."
Once the document is displayed to the victim to keep up the ruse, the script sends a message to the attacker using the Telegram Bot API, informing the operator that the first stage has been successfully executed.
After a deliberately introduced 444-second delay, the PowerShell script runs a Visual Basic Script ("SCRRC4ryuk.vbe") hosted at the same repository location. Fetching the next stage from the repository offers two crucial advantages: it keeps the loader lightweight, and it allows the threat actors to update or replace the payload's functionality on the fly without having to introduce any changes to the attack chain itself.
The Visual Basic Script is highly obfuscated and acts as the controller that assembles the next-stage payload directly in memory, avoiding artifacts on disk. The final-stage script checks if it's running with elevated privileges and, if not, repeatedly displays a User Account Control (UAC) prompt to force the victim to grant it the necessary permissions. The script pauses for 3,000 milliseconds between attempts.
In the next phase, the malware initiates a series of actions to suppress visibility, neutralize endpoint protection mechanisms, conduct reconnaissance, inhibit recovery, and ultimately deploy the main payloads:
- Configure Microsoft Defender exclusions to prevent Defender from scanning ProgramData, Program Files, Desktop, Downloads, and the system temporary directory
- Use PowerShell to turn off additional Defender protection components
- Deploy defendnot to register a fake antivirus product with the Windows Security Center interface and cause Microsoft Defender to disable itself to avoid potential conflicts
- Conduct environment reconnaissance and surveillance via screenshot capture by means of a dedicated .NET module downloaded from the GitHub repository, which takes a screengrab every 30 seconds, saves it as a PNG image, and exfiltrates the data using a Telegram bot
- Disable Windows administrative and diagnostic tools by tampering with the Registry-based policy controls
- Implement a file association hijacking mechanism such that opening files with certain predefined extensions causes a message to be displayed to the victim, instructing them to contact the threat actor via Telegram
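The behaviours listed above, together with the double-extension LNK and the Telegram Bot API check-in described earlier, are all visible in ordinary endpoint telemetry. The following is an added detection-side example, not code from the article or from Fortinet's analysis. It assumes a simplified event record (loosely modelled on Sysmon fields) and runs a handful of rules over constructed sample events: a `.txt.lnk`-style filename, `Add-MpPreference`/`Set-MpPreference` command lines, Bot API calls from a script host, policy values that disable Task Manager and regedit (the page does not name the specific values the campaign set; these are common ones an analyst would check first), and per-user file-association handler rewrites. The bot token in the sample is a placeholder.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One endpoint telemetry record. Constructed format, loosely modelled on
    Sysmon fields; a real collector needs a small mapping layer onto this."""
    event_id: int
    kind: str               # "process", "file", "registry" or "network"
    image: str = ""         # originating process (file name only)
    command_line: str = ""  # process command line, for "process" events
    target: str = ""        # file path, registry value path, or host + URL path
    value: str = ""         # registry data written, for "registry" events


# Script hosts whose Telegram Bot API traffic is worth flagging. A browser talking
# to api.telegram.org is ordinary; powershell.exe or wscript.exe doing so is not.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# A document-looking extension immediately followed by .lnk (e.g. "...txt.lnk").
DOUBLE_EXT_LNK = re.compile(r"\.(txt|docx?|pdf|xlsx?|rtf|jpe?g|png)\.lnk$", re.IGNORECASE)
# Exclusion additions and protection toggles via the Defender PowerShell cmdlets.
DEFENDER_TAMPER = re.compile(
    r"Add-MpPreference\s+-ExclusionPath|Set-MpPreference\s+-Disable\w+\s+\$?true",
    re.IGNORECASE)
# Telegram Bot API shape: api.telegram.org/bot<token>/<method>.
TELEGRAM_BOT_API = re.compile(
    r"^api\.telegram\.org/bot[^/]+/(sendMessage|sendPhoto|sendDocument)", re.IGNORECASE)
# Policy values under ...\Policies\System that disable Task Manager and regedit.
# Assumption: which values this campaign set is not stated on the page.
ADMIN_TOOL_POLICY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\"
    r"(DisableTaskMgr|DisableRegistryTools)$", re.IGNORECASE)
# Per-user file association handlers. Low fidelity on its own (legitimate per-user
# installers write here too), so baseline before alerting on it.
FILE_ASSOC_CMD = re.compile(r"\\Software\\Classes\\[^\\]+\\shell\\open\\command\\?$",
                            re.IGNORECASE)


def rule_lnk_double_extension(e: Event) -> bool:
    return e.kind == "file" and bool(DOUBLE_EXT_LNK.search(e.target))


def rule_defender_tamper(e: Event) -> bool:
    return e.kind == "process" and bool(DEFENDER_TAMPER.search(e.command_line))


def rule_telegram_bot_beacon(e: Event) -> bool:
    return (e.kind == "network" and e.image.lower() in SCRIPT_HOSTS
            and bool(TELEGRAM_BOT_API.search(e.target)))


def rule_admin_tool_policy_tamper(e: Event) -> bool:
    # The policy only takes effect when the DWORD is set to 1.
    return (e.kind == "registry" and bool(ADMIN_TOOL_POLICY.search(e.target))
            and e.value.strip() == "1")


def rule_file_association_hijack(e: Event) -> bool:
    return e.kind == "registry" and bool(FILE_ASSOC_CMD.search(e.target))


RULES = [
    ("lnk_double_extension", rule_lnk_double_extension),
    ("defender_tamper", rule_defender_tamper),
    ("telegram_bot_beacon", rule_telegram_bot_beacon),
    ("admin_tool_policy_tamper", rule_admin_tool_policy_tamper),
    ("file_association_hijack", rule_file_association_hijack),
]


def detect(events):
    """Return (event_id, rule_name) pairs, in event order, for every rule that fires."""
    hits = []
    for e in events:
        for name, rule in RULES:
            if rule(e):
                hits.append((e.event_id, name))
    return hits


# Constructed sample telemetry: events 1-6 mirror the campaign's steps, 7-9 are benign.
SAMPLE_EVENTS = [
    Event(1, "file", image="explorer.exe",
          target=r"C:\Users\buh\Downloads\Задание_для_бухгалтера_02отдела.txt.lnk"),
    Event(2, "process", image="powershell.exe",
          command_line=r'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\ProgramData"'),
    Event(3, "process", image="powershell.exe",
          command_line="powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    Event(4, "network", image="powershell.exe",
          target="api.telegram.org/bot<TOKEN_PLACEHOLDER>/sendMessage"),
    Event(5, "registry", image="wscript.exe",
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
          value="1"),
    Event(6, "registry", image="wscript.exe",
          target=r"HKCU\Software\Classes\.docx\shell\open\command",
          value=r"wscript.exe C:\ProgramData\notice_placeholder.vbs %1"),
    Event(7, "process", image="powershell.exe", command_line="powershell.exe Get-MpPreference"),
    Event(8, "network", image="chrome.exe",
          target="api.telegram.org/bot<TOKEN_PLACEHOLDER>/sendMessage"),
    Event(9, "file", image="explorer.exe", target=r"C:\Users\buh\Desktop\Report.lnk"),
]

if __name__ == "__main__":
    for event_id, name in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {name}")
```

Each rule is deliberately narrow so that a hit maps to one step of the chain; in practice the Telegram and file-association rules are the ones that need a baseline, while an `Add-MpPreference -ExclusionPath` from an interactive user session followed within minutes by a script host reaching the Bot API is a strong pairing on its own.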
One of the final payloads deployed after successfully disarming security controls and recovery mechanisms is Amnesia RAT ("svchost.scr"), which is retrieved from Dropbox and is capable of broad data theft and remote control. The second payload delivered by the script is a ransomware that's derived from the Hakuna Matata ransomware family.
"This attack chain demonstrates how modern malware campaigns can achieve full system compromise without exploiting software vulnerabilities. By systematically abusing native Windows features, administrative tools, and policy enforcement mechanisms, the attacker disables endpoint defenses before deploying persistent surveillance tooling and destructive payloads."
A multi-stage phishing campaign targeting Russia abuses GitHub and Dropbox to disable Microsoft Defender and deploy Amnesia RAT and ransomware.
thehackernews.com