An ongoing phishing campaign is targeting French-speaking corporate environments with fake resumes that lead to the deployment of cryptocurrency miners and information stealers.
“The campaign uses highly obfuscated VBScript files disguised as resume/CV documents, delivered through phishing emails,” Securonix researchers Shikha Sangwan, Akshay Gaikwad, and Aaron Beardslee said in a report shared with The Hacker News.
“Once executed, the malware deploys a multi-purpose toolkit that combines credential theft, data exfiltration, and Monero cryptocurrency mining for maximum monetization.”
The activity has been codenamed FAUX#ELEVATE by the cybersecurity company. The campaign is noteworthy for the abuse of legitimate services and infrastructure, such as Dropbox for staging payloads, Moroccan WordPress sites for hosting command-and-control (C2) configuration, and mail[.]ru SMTP infrastructure for exfiltrating stolen browser credentials and desktop files.
This is an example of a living-off-the-land-style attack that raises the bar on how attackers can trick defense mechanisms and sneak their way into the target’s system without attracting much attention.
The initial dropper file is a Visual Basic Script (VBScript) that, upon opening, displays a bogus French-language error message, fooling message recipients into thinking that the file is corrupted. However, what happens behind the scenes is that the heavily obfuscated script runs a series of checks to evade sandboxes and enters into a persistent User Account Control (UAC) loop that prompts users to run it with administrator privileges.
Notably, out of the script’s 224,471 lines, only 266 lines contain actual executable code. The rest of the script is filled with junk comments featuring random English sentences, inflating the size of the file to 9.7MB.
“The malware also uses a domain-join gate using WMI [Windows Management Instrumentation], ensuring that payloads are only delivered on enterprise machines, and standalone home systems are excluded entirely,” the researchers said.
As soon as the dropper obtains administrative privileges, it wastes no time disabling security controls and covering up its tracks by configuring Microsoft Defender exclusion paths for all primary drive letters (from C to I), disabling UAC via a Windows Registry change, and deleting itself.
The dropper is also responsible for fetching two separate password-protected 7-Zip archives hosted on Dropbox –
- gmail2.7z, which contains various executables to steal data and mine cryptocurrency
- gmail_ma.7z, which contains utilities for persistence and cleanup
Among the tools used to facilitate credential theft is a component that leverages the ChromElevator project to extract sensitive data from Chromium-based browsers by getting around app-bound encryption (ABE) protections. Some of the other tools include –
- mozilla.vbs, a VBScript malware for stealing Mozilla Firefox profile and credentials
- walls.vbs, a VBScript payload for desktop file exfiltration
- mservice.exe, an XMRig cryptocurrency miner that’s launched after retrieving the mining configuration from a compromised Moroccan WordPress site
- WinRing0x64.sys, a legitimate Windows kernel driver that’s used to unlock the CPU’s full mining potential
- RuntimeHost.exe, a persistent Trojan component that modifies Windows Firewall rules and periodically communicates with a C2 server
The sole browser data is exfiltrated using two separate mail[.]ru sender accounts (“olga.aitsaid@mail.ru” and “3pw5nd9neeyn@mail.ru”) that share the same password over SMTP to another email address operated by the threat actor (“vladimirprolitovitch@duck.com”).
Once credential theft and exfiltration activities are complete, the attack chain initiates an aggressive cleanup of all dropped tools in a bid to minimize forensic footprint, leaving behind only the miner and trojan behind.
“The FAUX#ELEVATE campaign demonstrates a well-organized, multi-stage attack operation that combines several noteworthy techniques into a single infection chain,” Securonix said.
“What makes this campaign particularly dangerous for enterprise security teams is the speed of execution, the full infection chain completes in approximately 25 seconds from initial VBS execution to credential exfiltration, and the selective targeting of domain-joined machines, which ensures that every compromised host provides maximum value through corporate credential theft and persistent resource hijacking.”
