PowerShell Based Outlook Email Stealer

By Samarth Desai, 2/11/2025
#PowerShellMalware
#Infostealer
#PhishingAttack

The cybersecurity landscape has seen a significant rise in the distribution of infostealers, a type of malware designed to steal sensitive information such as passwords, login credentials, and personal data. According to a recent study by Uptycs, incidents involving infostealers have more than doubled in Q1 2023, posing a serious threat to organizations worldwide.

Infostealers are typically delivered to compromised systems via phishing emails containing malicious attachments or links. One recent example involves the use of an HTA (HTML Application) file delivered via phishing. The HTA file, when executed using the mshta.exe executable, communicates with amazonaws[.]com and executes a PowerShell script with the -ExecutionPolicy Bypass parameter.

During the installation phase, the activity is quite noisy, providing numerous detection opportunities. For instance, mshta.exe communicates with amazonaws[.]com, and the PowerShell script contains interesting strings such as InvokeCommand.ExpandString('$env:APPDATA\Microsoft.Outlook'), indicating an attempt to access Outlook data.
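As an added illustration of the detection opportunities described above (this is not code from the original post), the following Python detector runs three checks over constructed event records modelled loosely on process-creation, network-connection and PowerShell script-block logs; the field names and sample events are assumptions, and the execution-policy check also matches the common abbreviations -ep, -ex and -exec, which the post does not mention.

```python
import re

# Constructed sample events (not real telemetry). Field names are assumptions.
SAMPLE_EVENTS = [
    {"kind": "network", "image": r"C:\Windows\System32\mshta.exe",
     "dest_host": "g7n88w.s3.us-east-1.amazonaws.com", "dest_port": 443},
    {"kind": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -w hidden -c <payload>"},
    {"kind": "scriptblock",
     "text": "$p = $ExecutionContext.InvokeCommand.ExpandString('$env:APPDATA\\Microsoft.Outlook')"},
    # Benign control: PowerShell launched from Explorer with no bypass flag.
    {"kind": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe Get-Date"},
]

# Matches -ExecutionPolicy Bypass and its usual abbreviations, case-insensitively.
EXEC_POLICY_BYPASS = re.compile(r"-(ep|ex|exec|executionpolicy)\s+bypass\b", re.I)


def is_mshta(image):
    """True when the image path ends in mshta.exe (case-insensitive)."""
    return image.lower().endswith("\\mshta.exe")


def detect(events):
    """Return (rule_name, event) pairs for the behaviours the write-up calls out."""
    hits = []
    for e in events:
        if (e["kind"] == "network" and is_mshta(e["image"])
                and e["dest_host"].lower().endswith(".amazonaws.com")):
            hits.append(("mshta_to_amazonaws", e))
        elif (e["kind"] == "process" and is_mshta(e.get("parent", ""))
                and EXEC_POLICY_BYPASS.search(e["cmdline"])):
            hits.append(("mshta_spawns_powershell_bypass", e))
        elif (e["kind"] == "scriptblock"
                and "InvokeCommand.ExpandString" in e["text"]
                and "Microsoft.Outlook" in e["text"]):
            hits.append(("scriptblock_outlook_expandstring", e))
    return hits


if __name__ == "__main__":
    for rule, event in detect(SAMPLE_EVENTS):
        print(rule, event)
```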

This example highlights the evolving tactics used by cybercriminals to deliver and execute malicious payloads. Organizations must remain vigilant and adopt proactive security measures to detect and mitigate these threats effectively.

IOCs

Malicious file(s) (MD5):
f92ffc46f466f3e0da09900bdade3642
a99a12157d4d773bd19d872daeb2cb34

Malicious domain(s):
hxxps://auth.rastreiobjeto[.]com/MList/gravadados.php?lista=
hxxps://g7n88w.s3.us-east-1.amazonaws[.]com/leiame.txt
