Money-making scripts attack organizations

In April of this year, the FBI published an advisory on attacks targeting government, law enforcement, and non-profit organizations. The attackers drop scripts onto victims' devices that deliver several types of malware at once. The main aims are to use the organization's computing resources for cryptocurrency mining, to steal data with keyloggers, and to gain backdoor access to the compromised systems.


According to our telemetry, we have detected numerous scripts, executables, and associated links belonging to this campaign since late 2022. We were still finding new versions at the time of writing, so the threat to businesses remains active: enterprise resources and data are still at risk.


While investigating the indicators of compromise listed in the April report, we found in our telemetry for August of this year some previously unpublished malicious scripts that attempt to tamper with Windows Defender (0BEFB96279DA248F6D49169E047EE7AB — runxm1.cmd and 769BC25454799805E83612F0F896E03F — start.cmd). Indirect evidence suggests that the scripts reach the target infrastructure mainly through the exploitation of vulnerabilities on servers and workstations.


First, the script start.cmd attempts to disable Windows Defender protection by writing to the registry:



Disabling Windows Defender in start.cmd
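The page does not reproduce the body of start.cmd, only the fact that it tries to switch Defender off through the registry. The following PowerShell check is an added example, not code from the report or from the malware: it audits the documented Windows Defender policy values that such scripts typically set (the exact values start.cmd writes are not shown on the page, so this list is an assumption based on Microsoft's published policy settings), cross-checks them against what the Defender service itself reports, and pulls the Defender operational events that fire when protection components are turned off. The function name Test-DefenderTampering is a hypothetical name chosen for this example.

```powershell
# Added example (not from the original report). Audits Windows Defender for
# registry-based tampering of the kind start.cmd is described as attempting.
# The policy values below are Microsoft-documented settings commonly abused by
# such scripts; they are an assumption, not the script's actual contents.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$checks = @(
    @{ Path = $policyRoot;                           Name = 'DisableAntiSpyware';           Bad = 1 },
    @{ Path = $policyRoot;                           Name = 'DisableAntiVirus';             Bad = 1 },
    @{ Path = "$policyRoot\Real-Time Protection";    Name = 'DisableRealtimeMonitoring';    Bad = 1 },
    @{ Path = "$policyRoot\Real-Time Protection";    Name = 'DisableBehaviorMonitoring';    Bad = 1 },
    @{ Path = "$policyRoot\Real-Time Protection";    Name = 'DisableOnAccessProtection';    Bad = 1 },
    @{ Path = "$policyRoot\Real-Time Protection";    Name = 'DisableScanOnRealtimeEnable';  Bad = 1 },
    @{ Path = "$policyRoot\Spynet";                  Name = 'SpynetReporting';              Bad = 0 }  # 0 = cloud protection off
)

function Test-DefenderTampering {
    $findings = @()

    # 1. Policy registry values: presence of the "bad" value is an indicator
    #    that something tried to switch a protection component off.
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.($c.Name) -eq $c.Bad) {
            $findings += "Registry: $($c.Path)\$($c.Name) = $($item.($c.Name))"
        }
    }

    # 2. What the Defender service actually reports. With Tamper Protection on,
    #    the registry writes above are ignored or reverted, so this tells you
    #    whether the attempt succeeded rather than merely that it was made.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($status) {
        if (-not $status.AntivirusEnabled)           { $findings += 'Status: AntivirusEnabled = False' }
        if (-not $status.RealTimeProtectionEnabled)  { $findings += 'Status: RealTimeProtectionEnabled = False' }
        if (-not $status.BehaviorMonitorEnabled)     { $findings += 'Status: BehaviorMonitorEnabled = False' }
        if (-not $status.IsTamperProtected)          { $findings += 'Status: IsTamperProtected = False (registry tampering would take effect)' }
    }

    # 3. Defender operational log: 5001 = real-time protection disabled,
    #    5010 = antispyware scanning disabled, 5012 = antivirus scanning disabled,
    #    5004 = real-time protection configuration changed.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 5001, 5004, 5010, 5012
    } -MaxEvents 20 -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $findings += "Event $($e.Id) at $($e.TimeCreated): $($e.Message.Split("`n")[0])"
    }

    return $findings
}

$findings = Test-DefenderTampering
if ($findings.Count -eq 0) {
    'No Defender tampering indicators found.'
} else {
    'Possible Defender tampering:'
    $findings | ForEach-Object { "  $_" }
}
```

Run it in an elevated PowerShell on a host suspected of carrying start.cmd or runxm1.cmd. A registry finding alone means a tampering attempt was made; only a matching Get-MpComputerStatus finding confirms that protection is actually off, because on recent Windows builds with Tamper Protection enabled the policy values are not honored. Either result is worth a hunt for the rest of the chain described in this report (miners, keyloggers, and backdoors), since the script only proceeds if the Defender step succeeds.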


If this succeeds, the script runxm1.cmd tries to add several files to exc ..
