In its response to a recent inquiry, Proofpoint revealed that a fraudulent message took advantage of an established relationship between a compromised sender and their targets. The communication employed a business-to-business sales pretext, featuring a seemingly legitimate order form and company background information. The email included links that appeared to direct recipients to the official INDIC Electronics website but actually redirected them to a counterfeit domain, “indicelectronics[.]net.” This fraudulent site hosted a zip archive that claimed to contain an Excel spreadsheet and two PDF documents.
This deceptive tactic was sophisticated enough to potentially mislead even recipients who are sceptical of unsolicited emails, as well as some cybersecurity defenses. The file presented as a spreadsheet carried an XLS extension but was actually a LNK file with a double extension (filename[.]xls[.]lnk). The two PDF files were polyglots: one also contained an HTA (HTML Application) component, while the other had a zip archive appended to it.
According to the report, the LNK file launched cmd[.]exe, which in turn invoked mshta[.]exe to process the PDF/HTA polyglot. mshta[.]exe reads through the file, ignoring the PDF portion until it reaches the HTA markup, and then executes the embedded script. This HTA script acts as a controller, instructing cmd[.]exe to extract an executable and a URL file from the second PDF. Ultimately, that executable is designed to retrieve the Sosano backdoor concealed within the appended zip archive.
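The traits described above (a document name ending in .lnk, a PDF carrying HTA markup, and a PDF with a zip archive appended) can be checked for at the archive boundary before any member is opened. The following scanner is an added example written for this page, not code from Proofpoint or the report; the archive it inspects is constructed inline to mimic the lure, and all member names and contents are invented placeholders.

```python
import io
import re
import zipfile

# Magic values used to recognise the file types described in the report.
PDF_MAGIC = b"%PDF-"
# Shell link (LNK) files begin with HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4C000000011402000000000000C000000000000046")
HTA_MARKERS = (b"<hta:application", b"<script", b"<html")
DOC_THEN_LNK = re.compile(r"\.(xls[xm]?|doc[xm]?|pdf|pptx?)\.lnk$", re.I)


def classify_member(name: str, data: bytes) -> list[str]:
    """Return the suspicious traits of one archive member (empty list = nothing found)."""
    findings = []
    if DOC_THEN_LNK.search(name):
        findings.append("double extension: document name ending in .lnk")
    if data.startswith(LNK_MAGIC) and not name.lower().endswith(".lnk"):
        findings.append("LNK header under a non-.lnk name")
    if data.startswith(PDF_MAGIC):
        if any(marker in data.lower() for marker in HTA_MARKERS):
            findings.append("PDF/HTA polyglot: HTML/HTA markup inside a PDF")
        # zipfile locates the end-of-central-directory record from the tail of the
        # file, so a PDF with a zip appended is reported as a valid zip archive.
        if zipfile.is_zipfile(io.BytesIO(data)):
            findings.append("PDF with an appended zip archive")
    return findings


def scan_archive(zip_bytes: bytes) -> dict[str, list[str]]:
    """Classify every member of a zip archive; returns only members with findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            found = classify_member(info.filename, zf.read(info))
            if found:
                report[info.filename] = found
    return report


def build_sample_archive() -> bytes:
    """Constructed sample mimicking the lure: an xls.lnk, a PDF/HTA polyglot, a PDF+zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("payload.txt", "placeholder")  # stands in for the hidden payload
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("order.xls.lnk", LNK_MAGIC + b"\x00" * 40)
        z.writestr("profile.pdf", b"%PDF-1.4\n%fake\n<hta:application id=x>\n<script>/*x*/</script>")
        z.writestr("order.pdf", b"%PDF-1.4\n%fake\n%%EOF\n" + inner.getvalue())
        z.writestr("readme.txt", b"benign")
    return outer.getvalue()
```

`scan_archive(build_sample_archive())` flags the three crafted members and leaves the benign one out; the same checks can be applied to attachments or downloads before they reach a user.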
Source
www.csoonline.com