A sophisticated attack campaign employing obfuscation and a unique user account control (UAC) bypass has been identified by Cyble, delivering commodity loaders that infect systems with remote access trojans (RATs) and infostealers. The campaign specifically targets the manufacturing and government sectors in Europe and the Middle East, with a focus on Italy, Finland, and Saudi Arabia, The Cyber Express reported.This campaign utilizes a commodity loader that shares common features with other attack campaigns, suggesting a unified malware delivery framework used by multiple high-capability threat actors. The loader employs steganography to hide payloads within image files, string reversal and Base64 encoding for obfuscation, and abuses legitimate .NET framework executables for process hollowing. Infection vectors include weaponized Office documents, malicious SVG files, and LNK shortcuts, alongside a novel UAC bypass technique that tricks users into granting elevated privileges. The loaders have been observed delivering various RATs and infostealers, indicating the loader may be shared or sold across different threat actor groups.The consistent use of a shared loader architecture and tradecraft across multiple threat actors highlights a potent and evolving threat to targeted nations and industries. The campaign's advanced techniques, including hybrid assembly and reflective loading, underscore the need for robust, multi-layered security strategies and continuous monitoring to detect and mitigate such sophisticated threats.Source: The Cyber Express
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds




