Source excerpt:

> Cyber attackers never stop inventing new ways to compromise their targets. That's why organizations must stay updated on the latest threats. Here's a quick rundown of the current malware and phishing attacks you need to know about to safeguard your infrastructure before they reach you.
>
> Zero-day Attack: Corrupted Malicious Files Evade Detection by Most Security Systems
>
> The analyst
# Incident Report: Ongoing Phishing and Malware Campaigns (December 2024)
## Executive Summary
Multiple concurrent cyber threats were actively observed in December 2024, including the exploitation of zero-day vulnerabilities via corrupted document files, fileless malware distribution utilizing PowerShell and Quasar RAT, and sophisticated phishing campaigns hosted on Azure Blob Storage. The primary impact involves credential theft and the deployment of various loader and RAT malware families, with detection remaining a significant challenge for many standard security systems.
## Incident Details
- Discovery Date: Continuous reporting throughout December 2024 (analysis shared Dec 10, 2024)
- Incident Date: Zero-day attack active since at least August 2024.
- Affected Organization: Various organizations targeted by phishing and malware campaigns (not specified).
- Sector: General Cybersecurity Landscape / All sectors.
- Geography: Global (Implied by widespread threat reporting).
## Timeline of Events
### Initial Access
- Date/Time: Active since at least August 2024 (Zero-day vulnerability). Early December 2024 (Phishing/Malware campaigns active).
- Vector:
1. **Zero-day Attack:** Intentionally corrupted Microsoft Word (.docx) and ZIP archives containing malicious files.
2. **Phishing:** Social engineering leveraging URLs hosted on `*.blob[.]core[.]windows[.]net`.
3. **Malware Loader:** LNK files initiating execution chains (e.g., Emmenhtal Loader).
- Details: Corrupted files evade detection until they are opened by the native application (Word/WinRAR), whose built-in repair routine restores the malicious contents. Phishing pages gather credentials.
### Lateral Movement
- **Fileless Malware:** Successful execution of the Psloramyra loader via PowerShell, which uses LOLBAS (living-off-the-land binaries and scripts) techniques to load the Quasar RAT dynamically into legitimate processes such as `RegSvcs.exe`.
### Data Exfiltration/Impact
- **Credential Theft:** Phishing attacks successfully collect user login credentials.
- **Malware Payload Delivery:** Infection by malware families including Lumma, Amadey, Hijackloader, and Arechclient2, facilitated by loaders like Emmenhtal.
- **Remote Access:** Quasar RAT deployed, providing persistent remote access.
### Detection & Response
- **Detection:** Standard security systems often failed to detect the zero-day corrupted files (0 detections on VirusTotal for one sample). ANY.RUN sandbox was cited as one of the few tools capable of identifying the threat by manually restoring the files.
- **Response Actions:** Not explicitly detailed for organizations, but analysis platforms like ANY.RUN suggest proactive analysis tools are necessary for threat identification.
## Attack Methodology
- **Initial Access:** Corrupted zero-day files (DOCX/ZIP), LNK files, Phishing pages.
- **Persistence:** Scheduled task created by the fileless malware running every two minutes.
- **Privilege Escalation:** Not explicitly detailed, but implied via malware execution chains.
- **Defense Evasion:** Zero-day corruption technique designed to bypass static analysis/sandboxing; fileless execution via memory injection to avoid disk traces.
- **Credential Access:** Phishing forms on Azure Blob Storage hosting.
- **Discovery:** Attackers using scripts to fetch victim software information (OS, browser) for reconnaissance/customization on phishing pages.
- **Lateral Movement:** Use of fileless techniques and trusted system binaries (LOLBAS).
- **Collection:** Gathering of user credentials via fake forms; potential data harvesting by RATs.
- **Exfiltration:** Credential leakage from phishing forms; unknown exfiltration methods utilized by deployed RATs/malware.
- **Impact:** System compromise via RAT installation; credential compromise.
## Impact Assessment
- Financial: Unknown; costs would include incident response and potential business disruption caused by the malware.
- Data Breach: User credentials stolen via phishing. Specific volume/type unknown.
- Operational: Potential business disruption due to malware deployment (e.g., Lumma, Amadey) and loss of control via RAT.
- Reputational: Threat to organizational trust due to successful phishing and advanced malware tactics.
## Indicators of Compromise
- **Network Indicators (Defanged):**
- Phishing destinations hosted on `*.blob[.]core[.]windows[.]net`.
- **File Indicators:**
- Intentionally corrupted Word documents (.docx).
- Intentionally corrupted ZIP archives.
- Payload derived from Emmenhtal Loader execution chain (e.g., Updater.exe).
- **Behavioral Indicators:**
- Restoration of file contents upon opening with native applications.
- Dynamic loading and injection of .NET assemblies into legitimate processes (e.g., `RegSvcs.exe`).
- Creation of scheduled tasks set to run every two minutes.
## Response Actions
- **Containment:** (Implied) Isolating infected hosts; blocking access to known C2s (if identified).
- **Eradication:** (Implied) Removing fileless malware artifacts and scheduled tasks; patching vulnerabilities exploited by zero-day if known.
- **Recovery:** (Implied) Resetting compromised credentials; restoring systems from clean backups post-eradication.
## Lessons Learned
- Standard static scanning and basic sandbox analysis are insufficient against intentionally corrupted file formats that rely on native application restoration.
- Adversaries are effectively leveraging trusted cloud services (Azure Blob Storage) for hosting phishing infrastructure.
- Fileless techniques remain a high-risk method for achieving stealthy persistence and payload delivery.
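To illustrate the first lesson above, the following added example (not code from ANY.RUN or from the original report) shows the kind of triage check a static scanner is missing: it walks the ZIP local file headers directly, the same data Word's repair path relies on, and flags an archive that `zipfile` rejects as "not a zip file" but that still carries Office members. The DOCX-like sample and its corrupted variant are constructed inline; the truncation of the end-of-central-directory record is an assumed stand-in for the undisclosed corruption method.

```python
import io
import struct
import zipfile

LOCAL_HDR = b"PK\x03\x04"
OFFICE_MARKERS = ("[Content_Types].xml", "word/", "xl/", "ppt/")


def local_header_names(data: bytes) -> list[str]:
    """Recover member names by walking local file headers only, never the
    central directory: the same data Word/WinRAR use when repairing a file."""
    names, pos = [], 0
    while True:
        pos = data.find(LOCAL_HDR, pos)
        if pos < 0 or pos + 30 > len(data):
            return names
        # Fixed 30-byte header: compressed size at +18, name/extra lengths at +26/+28
        comp_size = struct.unpack_from("<I", data, pos + 18)[0]
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        names.append(data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace"))
        pos += 30 + name_len + extra_len + comp_size


def triage(data: bytes) -> dict:
    """'clean-parse' if zipfile reads it, 'corrupted-office' if zipfile rejects
    it but Office members survive in the local headers, else 'unknown'."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names, parses = zf.namelist(), True
    except zipfile.BadZipFile:
        names, parses = local_header_names(data), False
    office = any(n.startswith(OFFICE_MARKERS) for n in names)
    verdict = "clean-parse" if parses else ("corrupted-office" if office else "unknown")
    return {"parses": parses, "members": names, "verdict": verdict}


def build_sample(corrupt: bool) -> bytes:
    """Constructed sample: a minimal DOCX-like archive; with corrupt=True the
    22-byte end-of-central-directory record is chopped off (an assumed stand-in
    for the real corruption), enough for zipfile to declare it 'not a zip file'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    data = buf.getvalue()
    return data[:-22] if corrupt else data


if __name__ == "__main__":
    for flag in (False, True):
        print(triage(build_sample(flag)))  # second verdict: corrupted-office
```

A `corrupted-office` verdict is a cue to detonate the file in a sandbox with the native application rather than trust the static "unparseable" result.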
## Recommendations
- Implement advanced behavioral analysis tools capable of executing and interacting with potentially malicious files using native applications in isolated environments.
- Enhance network monitoring for unusual connections to legitimate cloud storage subdomains, in particular pages that attempt credential harvesting.
- Deploy robust endpoint detection and response (EDR) focused on detecting in-memory injection, anomalous PowerShell usage (LOLBAS), and unauthorized scheduled task creation.