
MULTI#STORM: new phishing attack targets India and the United States

Sophisticated cyber attack using JavaScript files exploits RATs like Warzone and Quasar to compromise digital systems, creating pitfalls for unwitting users


A recent phishing campaign, identified as MULTI#STORM, has launched a targeted attack on India and the United States. Using JavaScript files, the attack aims to introduce remote access Trojans into compromised systems. Securonix researchers, including Den Iuzvyk, Tim Peck, and Oleg Kolesnikov, noted that the attack culminates in the victim machine being infected with several distinct Remote Access Trojans (RATs), such as Warzone RAT and Quasar RAT. Both are used for command and control at different stages of the infection chain.

How the attack works: initiation and development of the chain of infection

The attack is triggered when an email recipient clicks on the embedded link pointing to a password-protected ZIP file ("REQUEST.zip") hosted on Microsoft OneDrive with the password "12345". Inside the compressed file there is a highly obfuscated JavaScript file ("REQUEST.js") which, once opened, starts the infection by running two PowerShell commands responsible for fetching two distinct payloads from OneDrive and executing them. The first file is a decoy PDF document, shown to the victim, while the second file, a Python-based executable, is launched in the background without the user noticing.

Consequences of the attack: execution and effects of the malware

The executable acts as a "dropper", extracting and executing the main payload contained within it as Base64-encoded strings ("Storm.exe"), but not before establishing persistence by modifying the Windows Registry. A second ZIP file ("files.zip") is also decrypted from the binary and contains four different files, each of which is designed to bypass User Account Control (UAC) and escalate privileges by creating fake trusted directories. Among the files there is a batch file ("check.bat") which, according to Securonix, has several similarities with another loader called DBatLoader, despite the difference in the programming language used.

Precautions and preventive measures: suggestions from research

A second file called "KDECO.bat" runs a PowerShell command instructing Microsoft Defender to add an antivirus exclusion rule that ignores the "C:\Users" directory. The attack culminates in the deployment of Warzone RAT (also known as Ave Maria), a piece of malware that is sold for $38 per month and comes with a wide range of features to collect sensitive data and download additional malware such as Quasar RAT. The researchers emphasized the importance of maintaining high vigilance regarding phishing emails, especially those that press a sense of urgency. "This particular decoy was generally underwhelming as it would require the user to execute a JavaScript file directly. Shortcut files, or files using double extensions, would likely have a higher success rate."
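One detection-side check a SOC analyst could build for the KDECO.bat behaviour described above, as an added example rather than code from the Securonix report: it scans PowerShell script-block log lines for Add-MpPreference / Set-MpPreference calls and flags any exclusion path as broad as C:\Users. The log line format, the field names and the list of "broad" roots are assumptions made for this example.

```python
import re
from typing import Dict, List

# Example policy (an assumption, not from the report): excluding a root this
# broad effectively blinds Defender to everything a user can write.
BROAD_ROOTS = {"c:", "c:\\users", "c:\\programdata", "c:\\windows", "c:\\windows\\temp"}

# Constructed PowerShell script-block log lines for this demo (not real telemetry).
SAMPLE_LOG = [
    r"2023-06-22T10:01:12Z host=WS01 user=alice ScriptBlockText=Get-MpPreference",
    r"2023-06-22T10:02:45Z host=WS01 user=alice ScriptBlockText=Add-MpPreference -ExclusionPath C:\Users",
    r"2023-06-22T10:03:10Z host=WS02 user=bob ScriptBlockText=Add-MpPreference -ExclusionPath C:\Tools\build -Force",
    r"2023-06-22T10:04:00Z host=WS03 user=carol ScriptBlockText=Set-MpPreference -ExclusionPath 'C:\ProgramData', 'D:\Data'",
]

LINE_RE = re.compile(r"host=(\S+)\s+user=(\S+)\s+ScriptBlockText=(.*)$")
# The -ExclusionPath value runs up to the next "-Parameter" token or end of line.
EXCL_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b.*?-ExclusionPath\s+(.+?)(?=\s+-\w|$)", re.I)


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed log line into host, user and the script text."""
    m = LINE_RE.search(line)
    return {"host": m.group(1), "user": m.group(2), "script": m.group(3)} if m else {}


def exclusion_paths(script: str) -> List[str]:
    """Return every path handed to -ExclusionPath (PowerShell accepts comma lists)."""
    m = EXCL_RE.search(script)
    if not m:
        return []
    return [p.strip(" '\"") for p in m.group(1).split(",") if p.strip(" '\"")]


def is_broad(path: str) -> bool:
    """True when the path is one of the policy roots (case- and slash-insensitive)."""
    return path.lower().replace("/", "\\").rstrip("\\") in BROAD_ROOTS


def find_broad_exclusions(lines: List[str]) -> List[Dict[str, str]]:
    """Emit one alert per broad Defender exclusion seen in the log lines."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        for path in exclusion_paths(rec.get("script", "")):
            if is_broad(path):
                alerts.append({"host": rec["host"], "user": rec["user"], "path": path})
    return alerts


if __name__ == "__main__":
    for a in find_broad_exclusions(SAMPLE_LOG):
        print(f"ALERT {a['host']} {a['user']} added broad Defender exclusion {a['path']}")
```

Narrow, tool-specific exclusions such as C:\Tools\build pass through; only root-level exclusions like the C:\Users one used by this campaign raise an alert.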


06/22/2023 18:03

Editorial AI
