Phishing, Malware
PureHVNC RAT distributed via job lures in new phishing attack

Malicious job offers from fashion and beauty brands Bershka, John Hardy, Fragrance Du Bois, and Dear Klairs were used to deploy the PureHVNC remote access trojan as part of a multi-stage phishing campaign last year, GBHackers News reports.
While the initial attack vector remains uncertain, infections began with the execution of an LNK file spoofing a document, which led to a multi-stage operation that included downloading a massive malware-laced MP4 file and running further scripts that retrieved and executed "phom.exe", according to Netskope Threat Labs researchers. These scripts established persistence and injected a .NET payload, resulting in the execution of the PureHVNC RAT, with the malicious activity concealed by the fraudulent job offer, the report said. Researchers noted that the use of string replacement within scripts and the abuse of mshta.exe for remote file execution indicate PureHVNC RAT's efforts to evade detection.
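One way a defender could triage process-creation logs for two behaviours named above, mshta.exe fetching remote content and a process named phom.exe, is sketched here. This is an added example, not code from Netskope or the report; the event field names (`image`, `command_line`) and the sample events are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# A URL anywhere in the arguments means mshta.exe is being pointed at remote content.
REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
NAMED_PAYLOAD = "phom.exe"  # file name taken from the report summarized above


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path, surrounding quotes stripped."""
    return PureWindowsPath(image.strip('"')).name.lower()


def triage(events):
    """Return (event_index, reason) for process-creation events worth review."""
    findings = []
    for i, ev in enumerate(events):
        name = basename(ev.get("image", ""))
        cmd = ev.get("command_line", "")
        if name == "mshta.exe":
            match = REMOTE_URL.search(cmd)
            if match:  # local .hta files are left alone to limit noise
                findings.append((i, f"mshta.exe loading remote content: {match.group(0)}"))
        if name == NAMED_PAYLOAD:
            findings.append((i, f"{NAMED_PAYLOAD} executed from {ev.get('image')}"))
    return findings


# Constructed sample events (not from the report); hosts use the reserved .example TLD.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe C:\Tools\inventory.hta"},
    {"image": r"C:\Windows\SysWOW64\MSHTA.EXE",
     "command_line": 'MSHTA.EXE "HTTPS://files.example/offer.hta"'},
    {"image": r"C:\Users\user\AppData\Local\Temp\phom.exe",
     "command_line": "phom.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\user\Documents\offer.txt"},
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(idx, reason)
```

A file name such as phom.exe is trivially changed between campaigns, so the mshta.exe rule is the more durable of the two checks.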