🚨 Control-Flow Flattening Obfuscated #JavaScript Drops #Remcos.
⚠️ The observed JS contains multiple self-invoking functions that loop arrays of strings and numbers in a while(!![]) loop until a calculated checksum matches a predefined value. This #obfuscation technique forces static analyzers to parse through the array content instead of returning the required string directly.

🎯 #ANYRUN’s Script Tracer enables easy analysis of heavily obfuscated scripts by logging their execution in real time, with no need for manual deobfuscation.

🔗 Execution chain:
#Wscript (JavaScript) ➡️ PowerShell ➡️ MSBuild (Remcos 🚨)

👨‍💻 See analysis session: https://app.any.run/tasks/eaef10ea-3567-4284-b87e-a3a0aedc5f83/?utm_source=mastodon&utm_medium=post&utm_campaign=obfuscated_js_drops_remcos&utm_term=110625&utm_content=linktoservice

This script invokes #PowerShell using ActiveXObject("WScript.Shell") with parameters and executes the following:
🔹 Creates a System.Net.WebClient object
🔹 Specifies the URL to download the binary
🔹 Downloads the binary data and passes it to #MSBuild

⚠️ As a result, the script downloads and executes the Remcos #malware module.

👨‍💻 Observe obfuscated loaders, explore execution flows, and extract behavioral indicators in real time. Improve your security operations with #ANYRUN Sandbox.
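The "rotate the string array until a checksum matches" stage described in the post can be emulated offline to recover the real string order. The following is an added example, not code from the ANY.RUN post or from the analysed sample; the array, checksum, target value, index base and references are all constructed stand-ins, and the loop is bounded so a wrong target fails instead of spinning forever like the original while(!![]).

```javascript
// Added example (constructed; not the sample from the post): emulates the
// self-invoking "rotate until checksum matches" stage of this obfuscation so an
// analyst can resolve index references to plaintext without running the script.

// Shuffled string array as an obfuscator would emit it (constructed).
const EMITTED = ['System.Net.WebClient', 'DownloadData', 'ActiveXObject', 'WScript.Shell', 'Run'];
// Value the self-invoking function compares its checksum against (constructed).
const TARGET = 1157;
// Base subtracted from every index by the accessor function (constructed).
const BASE = 0x1a0;
// Index references a static pass would collect from the script body (constructed).
const REFS = [0x1a0, 0x1a1, 0x1a2, 0x1a3, 0x1a4];

// Constructed stand-in for the checksum the obfuscated code derives from the
// array contents; real samples typically parseInt() digits pulled from entries.
function checksum(arr) {
  let sum = 0;
  for (let i = 0; i < arr.length; i++) sum += (i + 1) * arr[i].charCodeAt(0);
  return sum;
}

// Reproduces the while(!![]) rotation loop, but bounded: after arr.length
// rotations the array is back where it started, so no match by then means the
// target is wrong and the original loop would hang. We throw instead.
function rotateUntilChecksum(arr, target) {
  const work = arr.slice();            // never mutate the caller's array
  for (let rotations = 0; rotations < work.length; rotations++) {
    if (checksum(work) === target) return { order: work, rotations };
    work.push(work.shift());           // same rotation step the sample performs
  }
  throw new Error('checksum never matched: wrong target or wrong checksum');
}

// Rebuilds the accessor the obfuscated code uses (e.g. _0xabcd(0x1a2)) and
// resolves every collected index reference to the plaintext it stands for.
function resolveReferences(arr, target, base, refs) {
  const { order } = rotateUntilChecksum(arr, target);
  const lookup = (i) => order[i - base];
  return refs.map(lookup);
}

// Example run: prints the recovered strings in reference order.
console.log(resolveReferences(EMITTED, TARGET, BASE, REFS));
```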

🚨 New #Stegocampaign abuses obfuscated registry to execute payload
The attack is carried out through users following instructions, such as downloading a REG file that adds a #malicious script to Autorun. While exploiting Autorun has been rarely used recently, we found a sample actively using this method.

🔗 Execution chain:
PDF ➡️ Phish link ➡️ REG file adds a script to Autorun ➡️ OS reboot ➡️ CMD ➡️ PowerShell ➡️ #Wscript ➡️ Stegocampaign payload (DLL) extraction ➡️ Malware extraction and injection into AddInProcess32 ➡️ XWorm

⚠️ Victims receive a phishing PDF containing a link to download a .REG file. By opening it, users unknowingly modify the registry with a #script that fetches a VBS file from the web and adds it to Autorun.

Upon system reboot, the #VBS file launches #PowerShell, triggering an execution chain that ultimately infects the operating system with #malware.

👾 Then, #ReverseLoader downloads #XWorm, initiating its execution. The payload contains a DLL file embedded in an image, which then extracts XWorm from its resources and injects it into the AddInProcess32 system process.

❗️ This chain of actions abuses legitimate system tools and relies on user actions, making it difficult for automated security solutions to detect.
This puts organizations at risk by allowing attackers to evade detection, potentially leading to data breaches and access to sensitive data. #ANYRUN Sandbox offers full control over the VM, which allows you to interact with malware and manipulate its behavior.

👨‍💻 See analysis with a reboot:
https://app.any.run/tasks/068db7e4-6ff2-439a-bee8-06efa7abfabc/?utm_source=mastodon&utm_medium=post&utm_campaign=stegocampaign&utm_term=190225&utm_content=linktoservice

🚀 #ANYRUN's interactive VMs let users manually execute each step of the entire attack chain, even without a system reboot:
https://app.any.run/tasks/f9f07ae8-343f-4ea5-9499-a18f7c8534ef/?utm_source=mastodon&utm_medium=post&utm_campaign=stegocampaign&utm_term=190225&utm_content=linktoservice

🔍 Use this TI Lookup search query to find similar samples to enrich your company's detection systems:
https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=stegocampaign&utm_content=linktoti&utm_term=190225#%7B%22query%22:%22domainName:%5C%22filemail.com$%5C%22%22,%22dateRange%22:180%7D

Analyze and investigate the latest malware and phishing threats with #ANYRUN 🛡️

#cybersecurity #infosec

Analysis package_photo.pdf (MD5: 3D89F1BCC3873D106F138F35A9B1D3C6) Malicious activity - Interactive analysis ANY.RUN


The Curious Case of QUEENCREEK

Discover the mysterious QUEENCREEK autorun entry in Windows. Is it a hidden threat or something else? Let's find out.

Mo Beigi | Software Engineer
Dragging a file onto an executable is roughly equivalent to calling that executable with the dropped file's path passed as an argument. I didn't know #windows had such a convenient feature; that gives #wscript even more to play with.
https://stackoverflow.com/questions/42057121/current-working-directory-in-a-vbscript-invoked-by-a-drag-drop-operation
current working directory in a vbscript invoked by a drag & drop operation

When I was trying to get elevated rights for my batch script, when I found two related SO questions How to request Administrator access inside a batch file How can I auto-elevate my batch file, so...

Stack Overflow