- Russian hackers target HR departments with BlackSanta malware
- The infection chain uses phishing emails and malicious ISO files
- BlackSanta disables EDR tools to enable deeper compromise
Russian hackers have been targeting Human Resources (HR) departments in various organizations around the world with a never-before-seen piece of malware called BlackSanta.
The campaign was discovered by cybersecurity researchers Aryaka, who said the attacks have been going on for at least a year and include a fairly sophisticated infection chain.
It most likely starts with a phishing email purporting to share resumes of potential employees, including a link to a Dropbox folder with an ISO image. These files are clones of optical discs and were quite popular in the early 2000s until thumb drives became more affordable. These days, however, they can be seen as a huge red flag as they are rarely used outside of scams.
EDR killer
Still, those who don’t spot the red flag and download and extract the ISO will find more files inside, including a shortcut file and a PowerShell script. The script downloads a malicious DLL file and a legitimate PDF reader, which is used to sideload the DLL.
The DLL then first scans the system to see if it is running in a sandboxed environment or a virtual machine. If it deems the machine worthy of further infection, it downloads additional payloads, including BlackSanta.
This piece of malware is described as an “EDR killer” – meaning it terminates endpoint detection and response tools before allowing additional payloads to be deployed.
Its behavior also varies depending on the type of EDR solution present on the target device. For example, it can suppress Windows notifications so that it keeps running even if the operating system tries to warn the user about the ongoing attack.
Aryaka says the attacks were observed in the wild, but did not say how many organizations were targeted or how many were actually compromised. It also did not discuss the identity of the attackers, but judging by the MO, it does not appear to be any of the more prominent state-sponsored groups.
Via Bleeping Computer