
"A malicious downloader staged a portable Java runtime and executed a malicious Java archive (JAR) file named jd-gui.jar. This downloader used PowerShell and living-off-the-land binaries (LOLBins) like cmstp.exe for stealthy execution."
"The attack chain is also designed to evade detection by deleting the initial downloader and by configuring Microsoft Defender exclusions for the RAT components. Persistence is achieved by means of a scheduled task and Windows startup script named world.vbs, before the final payload is deployed on the compromised host."
"Once launched, it connects to an external server at 79.110.49[.]15 for command-and-control (C2) communications, allowing it to exfiltrate data and deploy additional payloads."
Attackers are distributing malicious gaming utilities through browsers and chat platforms to compromise users. The attack uses a downloader that stages a portable Java runtime and executes a malicious JAR file, employing PowerShell and living-off-the-land binaries like cmstp.exe for stealthy execution. The malware establishes persistence via scheduled tasks and a Windows startup script named world.vbs, while evading detection by deleting the initial downloader and configuring Microsoft Defender exclusions. Once deployed, the multi-purpose RAT connects to command-and-control servers for data exfiltration and additional payload deployment. Defense measures include auditing Defender exclusions, removing malicious tasks, isolating affected endpoints, and resetting credentials.
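The audit steps listed above, as an added PowerShell triage script that is not from the article or from the reported campaign. The file names world.vbs and jd-gui.jar and the binary cmstp.exe come from the quoted text; the startup-folder and Group Policy script paths are assumptions about where a Windows startup script would typically live.

```powershell
# Added example: host triage for the indicators named in the report.
# Read-only checks; remediation (Remove-MpPreference, Unregister-ScheduledTask)
# is left to the analyst once findings are confirmed.
$indicators = @('world.vbs', 'jd-gui.jar', 'cmstp.exe')

# 1. Defender exclusions: the report says the chain adds exclusions for the RAT.
$pref = Get-MpPreference
Write-Host "== Defender exclusions =="
$pref.ExclusionPath      | ForEach-Object { "Path:      $_" }
$pref.ExclusionProcess   | ForEach-Object { "Process:   $_" }
$pref.ExclusionExtension | ForEach-Object { "Extension: $_" }

# 2. Scheduled tasks whose program or arguments reference a known indicator.
Write-Host "== Scheduled tasks referencing indicators =="
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmdline = "$($action.Execute) $($action.Arguments)"
        foreach ($ioc in $indicators) {
            if ($cmdline -match [regex]::Escape($ioc)) {
                [pscustomobject]@{
                    Task    = $task.TaskPath + $task.TaskName
                    Command = $cmdline
                }
            }
        }
    }
}

# 3. Startup locations (assumed typical paths) holding a file named world.vbs.
Write-Host "== Startup script files =="
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
    "$env:SystemRoot\System32\GroupPolicy\Machine\Scripts\Startup",
    "$env:SystemRoot\System32\GroupPolicy\User\Scripts\Startup"
)
foreach ($dir in $startupDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ieq 'world.vbs' } |
            Select-Object FullName, LastWriteTime, Length
    }
}
```

Run it in an elevated session; Get-MpPreference and Get-ScheduledTask need administrator rights to show machine-wide state.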
#remote-access-trojan-rat #malware-distribution #evasion-techniques #persistence-mechanisms #cybersecurity-threats
Read at The Hacker News