U.S.- and India-based organizations have been targeted by the new MULTI#STORM phishing campaign, which involved a multi-stage attack chain concluding with the deployment of Warzone RAT (also known as Ave Maria), Quasar RAT, and various other remote access trojan backdoors, The Hacker News reports.
Phishing emails sent by the attackers include a link that redirects to a password-protected ZIP file on OneDrive, which, when extracted, yields an obfuscated JavaScript file, according to a Securonix report. Double-clicking the file triggers two PowerShell commands that retrieve and execute payloads, eventually resulting in the delivery of Warzone RAT, which can then retrieve Quasar RAT and other payloads.
"It's important to remain extra vigilant when it comes to phishing emails, especially when a sense of urgency is stressed. This particular lure was generally unremarkable as it would require the user to execute a JavaScript file directly. Shortcut files, or files using double extensions, would likely have a higher success rate," said researchers.