DangerousPassword Campaign: A Multi-Faceted Approach Exploiting Cryptocurrency Exchanges

Malicious CHM files from LinkedIn

• The malware delivery involves a compressed RAR file containing a CHM file. 
• Upon execution, the CHM file downloads and runs an external MSI file.
• This MSI file deploys a PowerShell script, which, in turn, downloads and executes another MSI file (Administrator-a214051.msi). 
• The second MSI file collects information from infected hosts and transmits it via an HTTP POST request in Base64 encoded format. 

Leveraging OneNote files

• Within the OneNote file, a malicious MSI file is present, which installs and executes a DLL on the affected system. 
• Additionally, the malware possesses the capability to detect specific antivirus software and adapt its actions accordingly. 
• This includes employing techniques such as process hooking to NTDLL to avoid monitoring, modifying data in curl commands, and altering the method used to launch downloaded malware. 
• These measures enhance the malware's ability to evade detection and compromise targeted systems.

Using virtual hard disk files

• Within the VHD file, there are typically three components: a decoy PDF, the main malware in the form of a DLL file, and an executable (EXE) file used to initiate the DLL. 
• The functionality of the DLL file is similar to the malware found in OneNote files, operating with malicious intent.

Targeting macOS

• The AppleScript (main.scpt file) downloads and executes an unauthorized application using the curl command.
• Once executed, the unauthorized application displays a window and employs XOR decoding to read the contents of files. 
• It also connects to a C2 server and downloads a file based on the decoded instructions. 
• This downloaded file is then executed on the compromised system.

The bottom line