![]() winpickr.exe – a malicious file under C:\Windows\System32 folder.npp.8.1.7.Installer.圆4.exe – the original Notepad installation file under C:\Users\Username\AppData\Local\Temp\ folder.When executed, the malicious file creates a new folder named “WindowsData“ under C:\ProgramData\Microsoft and drops three different files on the infected station: To make the malicious file more trustable to the victim, the threat actor adds an Original Notepad icon: In the first stage, the victim downloads a “Notepad ” setup file and executes it. Accordingly, when downloaded from an unofficial URL, the common tool can be exploited– as in this case. This attack method is highly efficient since the malware ‘hides’ itself inside a legitimate tool that is commonly found within organizations. Nonetheless, a tweet from blackorbird caught our eye. Here, a StrongPity APT hides its three-stage attack behind a Notepad installation. ![]() In 2016, StrongPity was detected by Kaspersky in a campaign that targeted specific users in Belgium and Italy who were interested in Truecrypt and Winrar software. These APT groups’ campaigns are not commonly seen but different research groups have detected several StrongPity campaigns over the years. The group is also referred to as APT-C-41 and PROMETHIUM. The StrongPity actor group has been around since 2012 and employs the same tactics, namely adding backdoors to legitimate software used by specific users, a technique also known as water holing. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |