Sophos found the group abusing NSIS installers and deploying remote access tools (RATs)

Security researchers at Sophos have identified the hacking group that attacked industrial companies using NSIS installers to deploy remote access tools (RATs) and information-stealing malware. The group, which Sophos calls "RATicate", targeted companies in Europe, the Middle East, and the Republic of Korea in five separate campaigns between November 2019 and January 2020, and Sophos researchers suspect it was behind other past attacks as well.

The targeted companies were mainly from the industrial sector, ranging from manufacturers to investment firms and internet companies. Namely,

"an electrical equipment manufacturer in Romania;
a Kuwaiti construction services and engineering company;
a Korean internet company;
a Korean investment firm;
a British building supply manufacturer;
a Korean medical news publication;
Korean telecommunications and electrical cable manufacturer;
a Swiss publishing equipment manufacturer;
a Japanese courier and transportation company."

(as reported by BleepingComputer in their blog)

Two Infection Chains

The hackers used two infection chains, both starting from phishing emails that deliver the payload but differing in one small detail: the type of attachment.

The first chain had ZIP, UDF, and IMG attachments carrying NSIS (Nullsoft Scriptable Install System) installers.
The second chain had XLS and RTF docs that downloaded the payload from a remote server to the user's machine.

"We considered two possible scenarios: either the malicious NSIS package is a generic packer sold on dark forums; or, the same threat actor is using a custom loader to deploy different payloads in a variety of their attacks," Sophos reports.

The NSIS installers hid the dropped malware by also dropping large numbers of junk files, such as images, source code files, shell scripts, and Python binaries.
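The two points above, the attachment types used by each infection chain and the junk-file padding inside the NSIS installers, translate into simple triage checks a defender can run. The following Python script is an added example written for this article; it is not code from Sophos or BleepingComputer. It assumes a hypothetical mail-gateway log format, a constructed set of decoy file extensions standing in for the image, source, shell-script and Python categories the article names, and an arbitrary 50% decoy threshold. The NSIS detection relies on the real first-header signature of NSIS installers (the bytes 0xDEADBEEF followed by "NullsoftInst"); the sample log lines, sample installer bytes and sample file listing are all constructed.

```python
import re

# Attachment types the article associates with each infection chain
CHAIN1_CONTAINERS = {"zip", "udf", "img"}   # archives/disk images carrying NSIS installers
CHAIN2_DOCUMENTS = {"xls", "rtf"}           # documents that fetch the payload from a remote server

# Byte signature of the NSIS "first header": 0xDEADBEEF (little-endian) followed by "NullsoftInst"
NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"

# Decoy file types (assumed extensions for the image / source / shell-script / Python
# categories the article names) versus the executables an installer actually needs to drop
DECOY_EXTENSIONS = {"png", "jpg", "gif", "bmp", "c", "cpp", "h", "py", "pyc", "pyd", "sh"}
EXECUTABLE_EXTENSIONS = {"exe", "dll", "scr"}

# Hypothetical mail-gateway log format, constructed for this example
LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) attachment="(?P<name>[^"]+)"$'
)


def extension(name):
    """Lower-cased extension of a filename, or '' if it has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def classify_attachment(filename):
    """Map an attachment name to the infection chain its type belongs to, or 'other'."""
    ext = extension(filename)
    if ext in CHAIN1_CONTAINERS:
        return "chain1-container"
    if ext in CHAIN2_DOCUMENTS:
        return "chain2-document"
    return "other"


def triage_log(lines):
    """Return (attachment name, chain) for every log line whose attachment fits one of the chains."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or unrelated lines
        chain = classify_attachment(m["name"])
        if chain != "other":
            hits.append((m["name"], chain))
    return hits


def is_nsis_installer(data):
    """True if the bytes contain the NSIS first-header signature (found in the installer overlay)."""
    return NSIS_MAGIC in data


def installer_contents_report(file_list):
    """Flag an extracted installer whose payload executables are buried among decoy files."""
    executables = [f for f in file_list if extension(f) in EXECUTABLE_EXTENSIONS]
    decoys = [f for f in file_list if extension(f) in DECOY_EXTENSIONS]
    decoy_ratio = len(decoys) / len(file_list) if file_list else 0.0
    return {
        "executables": executables,
        "decoy_ratio": decoy_ratio,
        # threshold chosen for this example: at least one executable and decoys making up half or more
        "suspicious": bool(executables) and decoy_ratio >= 0.5,
    }


# Constructed sample data (not real campaign artefacts)
SAMPLE_LOG = [
    '2020-01-14T09:12:03Z from=invoice@example.invalid to=ap@example.org attachment="invoice_2231.zip"',
    '2020-01-14T09:15:44Z from=hr@example.invalid to=staff@example.org attachment="policy.pdf"',
    '2020-01-14T10:02:17Z from=order@example.invalid to=sales@example.org attachment="PO-7781.img"',
    '2020-01-14T10:40:59Z from=bid@example.invalid to=finance@example.org attachment="quotation.xls"',
    "garbage line that does not match the format",
]
SAMPLE_INSTALLER_BYTES = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 64 + NSIS_MAGIC + b"\x00" * 16
SAMPLE_EXTRACTED_FILES = [
    "banner.png", "logo.jpg", "helper.py", "build.sh", "main.c", "_ctypes.pyd", "update.exe",
]

if __name__ == "__main__":
    for name, chain in triage_log(SAMPLE_LOG):
        print(f"{chain:16} {name}")
    print("NSIS signature present:", is_nsis_installer(SAMPLE_INSTALLER_BYTES))
    print(installer_contents_report(SAMPLE_EXTRACTED_FILES))
```

The attachment classifier only raises candidates for analyst review, since ZIP and XLS attachments are common in legitimate mail; the value is in pairing it with the installer checks, so that a flagged container whose contents carry the NSIS signature and a high decoy ratio with an executable buried among the junk gets escalated.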

"During the a ..
