This report investigates a highly sophisticated multi-stage malware attack utilizing obfuscation, steganography, and covert communication techniques to evade detection and compromise systems. The attack involves the execution of an obfuscated JavaScript file that downloads malicious payloads and deploys Stealer malware to collect sensitive data. Affected: organizations, individuals, cyber security sector
Keypoints :
- The attack employs a multi-stage process beginning with an obfuscated JavaScript file.
- Payload delivery involves using trusted open-source services to evade detection.
- Steganographic techniques are used to hide malicious executables in seemingly harmless files.
- Powershell is integrated for sophisticated operations and to evade detection.
- The malware establishes communication with a Telegram bot for data exfiltration.
- Computational techniques employed include heavy obfuscation and reflective loading.
- The attack utilizes older technologies such as ActiveX and WSH Shell to facilitate actions.
- Exfiltrated data includes credentials, browsing data, and sensitive system information.
- Infrastructure abuse occurs through trusted services like jilas.net for command and control.
MITRE Techniques :
- T1071.001 – Application Layer Protocol: Leveraging Telegram bot for data exfiltration.
- T1218.011 – Signed Binary Proxy Execution: Use of obfuscated scripts to execute commands.
- T1047 – Windows Management Instrumentation: Utilizing WMI for bypassing security measures.
- T1064 – Scripting: Deployment of an obfuscated JavaScript and PowerShell scripts.
- T1221 – Template Injection: Inserting malicious code through images and text files using steganography.
Indicator of Compromise :
- [SHA-256] 944c7070cb77d937c9bae8c30a367b1c15b2f8951329cdb64d4b02a5e145ea44
- [URL] http://jilas[.]net/files/222.txt
- [URL] http://jilas[.]net/otherlink.ext
- [MD5] acedc7bdca0d19b982bcf030c73599ed
Full Story: https://www.cyfirma.com/research/javascript-to-command-and-control-c2-server-malware/