- Russian hackers target HR departments with BlackSanta malware
- Infection chain uses phishing emails and malicious ISO files
- BlackSanta disables EDR tools to allow deeper compromise
Russian hackers have targeted human resources (HR) departments at various organizations around the world with a never-before-seen malware called BlackSanta.
The campaign was spotted by cybersecurity researcher Aryaka, who said the attacks had been going on for at least a year and relied on a multi-stage infection chain.
It most likely starts with a phishing email claiming to share CVs of potential employees, with a link to a Dropbox folder containing an ISO image. ISO files are images of optical discs; they were common in the early 2000s before USB drives became affordable. Today an ISO arriving by email link should be treated as a red flag: Windows mounts it as a virtual drive on double-click, and attackers favour the format because it lets them package a shortcut, a script and payloads together while sidestepping the warnings users normally see on downloaded files. Legitimate senders almost never distribute documents this way.
EDR Killer
Those who don't spot the trick and mount or extract the ISO find several files inside, including a shortcut (.lnk) file and a PowerShell script. The script downloads a malicious DLL together with a legitimate, signed PDF reader; the reader is then launched so that it loads the attacker's DLL, a classic DLL side-loading technique that lets malicious code run under the name of a trusted program.
The DLL first checks whether it is running inside a sandbox or a virtual machine. If it decides the host is a real target worth infecting, it downloads additional payloads, including BlackSanta.
BlackSanta is described as an "EDR killer": it terminates endpoint detection and response tools before the remaining payloads are deployed, so that later stages run unobserved.
Its behaviour also varies with the EDR product found on the target device. For example, it can suppress Windows notifications so that it keeps running even if the operating system attempts to alert the user to the ongoing attack.
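The chain above (shortcut-launched PowerShell that fetches a signed loader and a DLL into a user-writable folder, after which the loader picks up that DLL) is exactly the pattern a defender can hunt for in process-creation and image-load telemetry. The following is an added example written for this page, not code from Aryaka, TechRadar or the BlackSanta analysis. It runs a side-loading correlation over constructed Sysmon-style events (event ID 1 = process create, event ID 7 = image load); the field names mirror Sysmon's, but the host names, PIDs, paths and command lines are invented for the example.

```python
"""Hunt for the ISO -> shortcut -> PowerShell -> DLL side-load chain in
Sysmon-style telemetry. All events below are CONSTRUCTED for this example."""
import ntpath
import re
from collections import defaultdict

# Directories a standard user can write to; a signed binary running from
# one of these, launched by PowerShell, is the "dropped legitimate loader".
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)
# Typical download-cradle verbs and stealth flags seen in phishing scripts.
DOWNLOAD_CRADLE = re.compile(
    r"(Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Start-BitsTransfer|\bcurl\b)",
    re.IGNORECASE,
)
STEALTH_FLAGS = re.compile(
    r"(-nop\b|-noprofile|-w(indowstyle)?\s+hidden|-enc\b|-encodedcommand)",
    re.IGNORECASE,
)

# Constructed sample telemetry (not real data). Host ws01 shows the full chain;
# host ws02 shows benign look-alikes that must not raise an alert.
EVENTS = [
    # ws01: shortcut double-clicked from the mounted ISO starts hidden PowerShell
    {"eid": 1, "host": "ws01", "ts": 100, "pid": 4201, "ppid": 1204,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "signed": True,
     "cmdline": r"powershell.exe -nop -w hidden -ep bypass -File E:\Candidates\cv_index.ps1"},
    # ws01: PowerShell launches the dropped, legitimately signed PDF reader
    {"eid": 1, "host": "ws01", "ts": 105, "pid": 4390, "ppid": 4201,
     "image": r"C:\Users\hr.clerk\AppData\Local\Temp\PdfReader\reader.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "signed": True, "cmdline": "reader.exe"},
    # ws01: the reader loads an unsigned DLL sitting next to it (side-load)
    {"eid": 7, "host": "ws01", "ts": 106, "pid": 4390,
     "image_loaded": r"C:\Users\hr.clerk\AppData\Local\Temp\PdfReader\version.dll",
     "dll_signed": False},
    # ws01: a normal system DLL load by the same process (must not alert)
    {"eid": 7, "host": "ws01", "ts": 106, "pid": 4390,
     "image_loaded": r"C:\Windows\System32\kernel32.dll", "dll_signed": True},
    # ws02: admin runs PowerShell with -NoProfile (stage 1 alone is not enough)
    {"eid": 1, "host": "ws02", "ts": 200, "pid": 3010, "ppid": 1300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "signed": True,
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
    # ws02: reader installed under Program Files loads an unsigned helper DLL
    {"eid": 1, "host": "ws02", "ts": 201, "pid": 3100, "ppid": 3010,
     "image": r"C:\Program Files\Vendor\reader.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "signed": True, "cmdline": "reader.exe"},
    {"eid": 7, "host": "ws02", "ts": 202, "pid": 3100,
     "image_loaded": r"C:\Program Files\Vendor\helper.dll", "dll_signed": False},
]


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))


def suspicious_powershell(ev: dict) -> bool:
    """Stage 1: PowerShell started with stealth flags or a download cradle."""
    if ev["eid"] != 1 or not ev["image"].lower().endswith("powershell.exe"):
        return False
    cmd = ev.get("cmdline", "")
    return bool(STEALTH_FLAGS.search(cmd) or DOWNLOAD_CRADLE.search(cmd))


def find_sideload_chains(events: list) -> list:
    """Correlate the three stages per host and return one alert per side-load."""
    alerts = []
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        ps_pids = {e["pid"] for e in evs if suspicious_powershell(e)}
        # Stage 2: signed binary in a user-writable directory, child of stage 1.
        loaders = {e["pid"]: e for e in evs
                   if e["eid"] == 1 and e["ppid"] in ps_pids
                   and e.get("signed") and is_user_writable(e["image"])}
        # Stage 3: that binary loads an unsigned DLL from its own directory.
        for e in evs:
            if e["eid"] != 7 or e["pid"] not in loaders or e.get("dll_signed"):
                continue
            loader = loaders[e["pid"]]
            if ntpath.dirname(e["image_loaded"]).lower() == ntpath.dirname(loader["image"]).lower():
                alerts.append({"host": host, "powershell_pid": loader["ppid"],
                               "loader": loader["image"], "dll": e["image_loaded"],
                               "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in find_sideload_chains(EVENTS):
        print(f"[{a['host']}] side-load: {a['loader']} loaded {a['dll']} (ps pid {a['powershell_pid']})")
```

Requiring all three stages is deliberate: hidden-window PowerShell alone fires constantly in administrative environments (ws02 shows this), and unsigned DLLs under Program Files are ordinary for many vendors. The combination of a PowerShell-spawned signed binary in a user-writable path loading an unsigned DLL from its own folder is what is rare in a clean fleet, so that is where the alert is raised.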
Aryaka says the attackers were observed in the wild, but did not specify how many organizations were targeted or how many were actually compromised. The report also did not name the attackers, but from its description they do not appear to be one of the better-known state-sponsored groups.
Via BleepingComputer