Weaponized Tax Invoices Unveil Dangerous WhiteSnake Stealer

A new cyberattack campaign is underway using tax-invoice-themed emails with a malicious attachment named Tax Invoice_21920047-2.bat, which uses a multi-stage approach to deploy the WhiteSnake malware stealer. 

The dropper file has the following hashes: MD5: f5e560563821bae0d5491a87cbc0e4eb, SHA1: cef937741b8e7df616df371c4424a1e363e5c3ae, and SHA256: c234ce22d4e0a606ba5af027d6af8b42ee5c2497f7399d7ea682237ce12ada76. 

White Snake Dropper Overview

A malicious zip file disguised as a tax invoice email targets Windows machines. The dropper script, a batch file, retrieves obfuscated data sets containing a PowerShell script, execution commands, and the malware payload. 

The script decodes the data sets, including the split and encoded PowerShell code, which uses reflection to call a function from the decoded and decompressed malware payload. The first payload function executes without arguments, while the second takes an empty string array. 

WhiteSnake Email Campaign

The PowerShell script extracts a Base64-encoded and AES-encrypted payload from the batch file, then replaces characters in the decoded payload (an additional layer of obfuscation) before decrypting it with a hardcoded key and initialization vector. 

This transformation helps the payload bypass static analysis. The script then executes two payloads sequentially: Payload1.exe (which bypasses AMSI) and Payload2.exe (likely the WhiteSnake loader), both .NET assemblies. 

Stage 3 utilizes AMSI patching to disable antivirus scanning, while stage 4, the WhiteSnake loader, leverages resource encryption and in-memory execution to launch a decrypted payload (WhiteSnake) using the AES algorithm with a specified key and initialization vector.  

Since the dropper is loaded via PowerShell, both the WhiteSnake loader and final payload run within the PowerShell process, avoiding separate process creation. 

WhiteSnake Stealer is a customizable information stealer designed to evade detection and steal sensitive data. It uses anti-VM techniques and in-memory execution to bypass traditional security measures, and stolen data can be exfiltrated via a command-and-control server or Telegram. 

WhiteSnake Overview

The malware offers a remote access feature for bot control and extensive configuration options for targeting specific browsers, logging keystrokes, and capturing webcam/audio, which can potentially steal cryptocurrency through clipboard monitoring. 

The analyzed malware stealer employs anti-analysis techniques to avoid detection, as it first checks for a mutex named “lcy9igxycx” to prevent multiple instances and terminates itself if found. To evade sandboxes, it searches for strings related to virtual machines in the operating system model and manufacturer data. 

If a match is found, the malware likely exits. For persistence, it creates a scheduled task named “[whitesnake]” to execute itself from a hidden directory every minute. Alternatively, it sets up self-destruction by deleting its own executable.  
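The persistence described above (a scheduled task named "[whitesnake]" that re-launches the stealer from a hidden directory every minute) is something a defender can hunt for in exported Task Scheduler definitions. The following is an added example, not code from the article or from any vendor tool; it assumes task definitions have been exported as XML (for instance with `schtasks /query /tn <name> /xml`, or copied from C:\Windows\System32\Tasks) and flags tasks that combine the reported traits: a name containing "whitesnake", a repetition interval of one minute or less, and an executable living in a user-writable location. Both XML documents in the block are constructed samples.

```python
"""Hunt for WhiteSnake-style scheduled-task persistence in exported task XML.

Added example, not code from the article. Exported task files are UTF-16, so
open them with encoding="utf-16" before passing the text to analyze_task().
"""
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (fixed for all task definitions).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directory components a standard user can write to. Persistence from such
# paths deserves a second look even when the task name gives nothing away.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.I)

# Constructed samples: one task mimicking the reported persistence, one benign.
SAMPLE_TASKS = [
    ("[whitesnake]", r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval></Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\victim\AppData\Roaming\Cache\update.exe</Command></Exec>
  </Actions>
</Task>"""),
    ("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-01-01T01:00:00</StartBoundary>
      <ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="LocalSystem">
    <Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec>
  </Actions>
</Task>"""),
]


def interval_seconds(iso: str):
    """Convert a Task Scheduler ISO-8601 duration (PT1M, P1DT2H, ...) to seconds.

    Returns None when the string is not a recognisable duration.
    """
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso.strip())
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def analyze_task(name: str, xml_text: str) -> dict:
    """Return the suspicious traits found in one exported task definition."""
    root = ET.fromstring(xml_text)
    findings = []
    name_match = "whitesnake" in name.lower()
    if name_match:
        findings.append("name matches the persistence task name reported for WhiteSnake")
    for node in root.iterfind(".//t:Repetition/t:Interval", NS):
        secs = interval_seconds(node.text or "")
        if secs is not None and secs <= 60:
            findings.append(f"repeats every {secs}s")
    for node in root.iterfind(".//t:Exec/t:Command", NS):
        path = (node.text or "").strip()
        if USER_WRITABLE.search(path):
            findings.append(f"runs from a user-writable path: {path}")
    # The name is an exact-match indicator on its own; a minute-level repeat
    # combined with a user-writable binary is the behavioural version that
    # still fires if the task is renamed.
    suspicious = name_match or len(findings) >= 2
    return {"task": name, "findings": findings, "suspicious": suspicious}


def hunt(tasks):
    """Analyse (name, xml_text) pairs and return the names judged suspicious."""
    return [r["task"] for r in (analyze_task(n, x) for n, x in tasks) if r["suspicious"]]


if __name__ == "__main__":
    for task_name, task_xml in SAMPLE_TASKS:
        print(analyze_task(task_name, task_xml))
```

The behavioural rule (sub-minute repetition plus a user-writable executable) is the part worth keeping in a hunt playbook; the literal task name is only useful while the sample stays unchanged.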

Infected Machines By Country

WhiteSnake Stealer is malware that steals information from victims’ machines and allows attackers to target specific applications or data by using custom XML commands. These commands can steal browser data, files, registry keys, process information, Wi-Fi credentials, and more. 

According to Cyber Armor, the stolen information is then encrypted and sent back to the attacker's server through a C2 URL or a Telegram bot; the attacker can optionally wrap the stolen data in an additional layer of RSA encryption for further protection. 

Kaaviya (https://cyberpress.org/) is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.