The article discusses the discovery of multiple cyberattack campaigns targeting job applicants at Food Corporations of India, using a variant of ransomware named Xelera. The attack begins with a malicious document aimed at enticing applicants, which ultimately installs a PyInstaller executable that also utilizes Discord for command and control. The ransomware performs various malicious tasks, including data exfiltration and credential theft.
Affected: Job seekers, Food Corporation of India, computer systems
Key points:
- Seqrite Labs APT-Team identified campaigns with malicious job descriptions targeting job applicants at Food Corporations of India (FCI).
- The ransomware variant involved is known as Xelera, written in Python and deployed via a PyInstaller executable.
- The initial infection is spread through spear-phishing emails containing malicious documents.
- The attack involves a multi-stage infection chain: initial document, PyInstaller executable, and Python scripts.
- The Discord bot enables advanced features for controlling infected machines, such as stealing browser credentials and executing harmful commands.
- Xelera ransomware executes several destructive functions including data deletion and MBR corruption.
- The campaign has resulted in a significant number of transactions using the specified cryptocurrency wallet linked to the ransomware.
- Various indicators of compromise (IOCs) including file hashes, URLs, and email addresses are provided for threat detection.
MITRE Techniques:
- T1566.001 - Phishing: Spearphishing Attachment - The attack begins with a malicious document attachment sent to targeted job seekers.
- T1204.002 - User Execution: Malicious File - The malware executes when the user opens the malicious document.
- T1059.006 - Python - The malware uses Python scripting for its operations.
- T1547.001 - Registry Run Keys / Startup Folder - The malware attempts to establish persistence by using registry run keys.
- T1562.001 - Impair Defenses: Disable or Modify Tools - The malware contains functionality to evade security tools.
- T1555.003 - Credentials from Web Browsers - The ransomware is designed to extract sensitive information from web browsers.
- T1033 - System Owner/User Discovery - The malware may gather information about system users.
- T1217 - Browser Information Discovery - The malware retrieves browsing data.
- T1010 - Application Window Discovery - The ransomware can identify open applications on the victim's computer.
- T1083 - File and Directory Discovery - The malware can scan for files and directories on the system.
- T1016 - System Network Configuration Discovery - The malware detects the network configuration of the infected machine.
- T1560.002 - Archive via Library - The malware gathers sensitive information and archives it for collection.
- T1056.001 - Keylogging - The malware is capable of capturing keystrokes on the infected system.
- T1113 - Screen Capture - The Discord bot can take screenshots of the victim's screen.
- T1102.002 - Bidirectional Communication - The malware uses Discord for command and control operations.
- T1531 - Account Access Removal - The ransomware may disable user accounts.
- T1486 - Data Encrypted for Impact - The main impact involves data encryption by the ransomware.
- T1657 - Financial Theft - Ransom payments are requested via a cryptocurrency wallet.
- T1491.001 - Internal Defacement - The malware damages the victim's system interface and functionality.
- T1561.001 - System Shutdown / Reboot - The ransomware includes functionality to shut down or restart the system.
Indicators of Compromise:
- [Filename] FCEI-job-notification.doc
- [SHA-256] ff06ce3fd6fe994aeaa0edc5162989d08f34440e9cacbc9e49e5db8ef98a74e3
- [Filename] mainscript.exe (jobnotification2025.exe)
- [SHA-256] 519401c998fe5d6eb143415f7c17ad5f8e5ef5ebae57ac91e9fa89a0bfcf0c7f
- [URL] hxxps[:]//github[.]com/Sam-cpu999/stuff/raw/main/MEMZ[.]exe
Full Story: https://www.seqrite.com/blog/xelera-ransomware-fake-fci-job-offers/