- Russian hackers target human resources departments with BlackSanta malware
- Infection chain uses phishing emails and malicious ISO files
- BlackSanta disables EDR tools to clear the way for further payloads
Russian hackers have been attacking the Human Resources (HR) departments of several organizations around the world with a never-before-seen malware called BlackSanta.
The campaign was detected by researchers at Aryaka, who said the attacks have been going on for at least a year and use a fairly sophisticated infection chain.
Most likely, it starts with a phishing email that claims to share candidates' resumes and links to a Dropbox folder containing an ISO image. ISO files are images of optical discs; they were common in the early 2000s, before USB sticks became cheap, but a resume delivered as a disc image should be a red flag today, since the format is rarely used to share documents. Attackers favour it because Windows mounts a double-clicked ISO as a drive letter and, historically, files inside a mounted image did not carry the Mark-of-the-Web that triggers SmartScreen and Office Protected View warnings.
EDR killer
Still, anyone who does not spot the ruse, downloads the ISO and mounts it will find several files inside, including a shortcut (.lnk) file and a PowerShell script. The script downloads a malicious DLL and a legitimate PDF reader, and the reader is then abused to load the DLL (DLL side-loading).
The DLL first checks whether it is running in a sandbox or a virtual machine. If the machine looks like a real target, it downloads additional payloads, including BlackSanta.
This malware is described as an “EDR killer,” meaning it terminates endpoint detection and response tools before allowing further payloads to be deployed.
Its behaviour also varies with the EDR product found on the device. For example, it can suppress Windows notifications so that it keeps running even while the operating system tries to alert the user to the attack in progress.
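The chain described above (shortcut and script run from a mounted image, a legitimate executable side-loading an unsigned DLL, then a process opening a security product with terminate rights) maps onto telemetry most endpoints already produce. The following is an added example, not code from the article or from Aryaka: a small offline correlation over Sysmon-style events (EventID 1 process create, 7 image load, 10 process access). The sample events, host names, file paths and the single-drive assumption are constructed for illustration; Defender's MsMpEng.exe is used as the protected process because it is the one every Windows host has.

```python
import re
from datetime import datetime, timedelta

# Drive letters known to be fixed volumes on the (hypothetical) host. A script
# run from any other letter straight after a double-click is treated as coming
# from a mounted image. Derive this per host in a real deployment.
FIXED_DRIVES = {"C:"}

# Security tooling an "EDR killer" would open with terminate rights. MsMpEng.exe
# is Microsoft Defender's engine; extend with your own vendor's process names.
PROTECTED_PROCS = {"msmpeng.exe"}
PROCESS_TERMINATE = 0x0001  # bit in the Sysmon EventID 10 GrantedAccess mask

SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def _dir(path):
    return path.rsplit("\\", 1)[0].lower()


def _ts(s):
    # Sysmon UtcTime looks like "2024-01-10 09:01:12.123"; drop the fraction.
    return datetime.strptime(s.split(".")[0], "%Y-%m-%d %H:%M:%S")


def stage_from_event(ev):
    """Map one Sysmon-style event to a stage of the described chain, or None."""
    eid = ev["EventID"]
    if eid == 1:  # process create
        # Stage 1: explorer.exe (the double-clicked shortcut) starts PowerShell
        # on a script that lives on a drive letter we do not know as fixed.
        cmd = ev.get("CommandLine", "")
        drives = {d.upper() + ":" for d in re.findall(r"(?<![A-Za-z])([A-Za-z]):\\", cmd)}
        if (_name(ev["Image"]) == "powershell.exe"
                and _name(ev.get("ParentImage", "")) == "explorer.exe"
                and drives - FIXED_DRIVES):
            return "script_from_mounted_image"
    elif eid == 7:  # image load
        # Stage 2: an executable running outside the system directories loads an
        # unsigned DLL from its own directory (the side-loading pattern).
        loader, dll = ev["Image"].lower(), ev["ImageLoaded"].lower()
        if (not loader.startswith(SYSTEM_DIRS)
                and _dir(loader) == _dir(dll)
                and ev.get("Signed", "true").lower() == "false"):
            return "sideloaded_unsigned_dll"
    elif eid == 10:  # process access
        # Stage 3: a process from a user-writable location opens a security
        # product's process with PROCESS_TERMINATE in the requested mask.
        granted = int(ev["GrantedAccess"], 16)
        if (_name(ev["TargetImage"]) in PROTECTED_PROCS
                and granted & PROCESS_TERMINATE
                and not ev["SourceImage"].lower().startswith(SYSTEM_DIRS)):
            return "edr_process_terminate_access"
    return None


def detect_chain(events, window=timedelta(minutes=30), min_stages=2):
    """Return {host: [stages in order]} for hosts where at least min_stages
    distinct stages occurred within `window` of the first suspicious event."""
    hits = {}
    for ev in sorted(events, key=lambda e: _ts(e["UtcTime"])):
        stage = stage_from_event(ev)
        if stage:
            hits.setdefault(ev["Computer"], []).append((_ts(ev["UtcTime"]), stage))
    alerts = {}
    for host, seq in hits.items():
        first = seq[0][0]
        stages = []
        for t, stage in seq:
            if t - first <= window and stage not in stages:
                stages.append(stage)
        if len(stages) >= min_stages:
            alerts[host] = stages
    return alerts


# CONSTRUCTED sample telemetry: hypothetical host, user and file names.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "HR-WS01", "UtcTime": "2024-01-10 09:01:12.501",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -File E:\\resume\\open.ps1"},
    {"EventID": 7, "Computer": "HR-WS01", "UtcTime": "2024-01-10 09:01:40.000",
     "Image": "C:\\Users\\hr\\AppData\\Local\\Temp\\reader\\reader.exe",
     "ImageLoaded": "C:\\Users\\hr\\AppData\\Local\\Temp\\reader\\helper.dll",
     "Signed": "false"},
    {"EventID": 10, "Computer": "HR-WS01", "UtcTime": "2024-01-10 09:05:03.210",
     "SourceImage": "C:\\Users\\hr\\AppData\\Local\\Temp\\reader\\reader.exe",
     "TargetImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe",
     "GrantedAccess": "0x1001"},
    # Benign noise: a properly installed reader loading a signed system DLL.
    {"EventID": 7, "Computer": "HR-WS02", "UtcTime": "2024-01-10 09:02:00.000",
     "Image": "C:\\Program Files\\Reader\\reader.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for host, stages in detect_chain(SAMPLE_EVENTS).items():
        print(f"{host}: {' -> '.join(stages)}")
```

Each rule on its own is noisy (PowerShell from a USB stick, a portable app loading its own unsigned DLL), which is why the alert only fires when two or more stages line up on one host inside the window; the stage names are kept in order so the analyst sees the chain rather than three unrelated hits.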
Aryaka says the attacks were observed in the wild, but did not disclose how many organizations were targeted or how many were compromised. The company also did not attribute the activity, but judging by the modus operandi, the operators do not appear to be any of the better-known state-sponsored groups.
Via BleepingComputer