Likely Belarus-Nexus Threat Actor Delivers Downloader to Poland
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A malicious CHM (compiled HTML Help) file targeting Poland was discovered; it carries an infection chain that drops and executes a C++ downloader. When opened, the CHM displays a decoy image while obfuscated JavaScript extracts and runs a DLL. The downloader retrieves a payload from a domain associated with previous Belarus-linked threat activity. The payload is encrypted and appended to an image file. The infection process spans multiple stages, including the use of LOLBins (living-off-the-land binaries) and the creation of a scheduled task for persistence. This campaign shows similarities to activity attributed to threat actors such as FrostyNeighbor and UNC1151, known for targeting Eastern European countries.
OPENCTI LABELS :
downloader,steganography,scheduled-task
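The summary describes an encrypted payload appended to an image file. The following triage check, added here and not part of the report or of any tool the report names, walks a PNG's chunk list or a JPEG's marker segments to the format's real end marker and counts whatever bytes follow it; the sample images and the "payload" blob are constructed inline for the demonstration.

```python
# Added example (not from the report above): find bytes appended after a PNG/JPEG's real end.
import struct
import zlib
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
STUFFED = (0x00, *range(0xD0, 0xD8))   # FF xx pairs inside scan data that are not markers

def png_end_offset(data):
    """Offset just past the IEND chunk, or None if the chunk list is malformed."""
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4                       # header + data + CRC
        if pos > len(data):
            return None                             # truncated chunk
        if ctype == b"IEND":
            return pos
    return None

def jpeg_end_offset(data):
    """Offset just past the EOI that ends the image; APP1/EXIF (thumbnail EOI) is skipped by length."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2                                         # after SOI
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:                          # EOI
            return pos + 2
        if 0xD0 <= marker <= 0xD8:                  # RSTn/SOI carry no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                          # SOS: skip entropy-coded data
            while pos + 1 < len(data) and (data[pos] != 0xFF or data[pos + 1] in STUFFED):
                pos += 1
    return None

def trailing_bytes(data):
    """Bytes after the image's end marker (0 = nothing appended); None if unparsable."""
    end = png_end_offset(data) if data.startswith(PNG_MAGIC) else jpeg_end_offset(data)
    return None if end is None else len(data) - end

def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed samples: 1x1 PNG; skeletal JPEG whose APP1 holds an inner FF D9; fake payload.
CLEAN_PNG = (PNG_MAGIC + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
CLEAN_JPEG = b"\xff\xd8\xff\xe1\x00\x06\xff\xd8\xff\xd9\xff\xda\x00\x02\x12\xff\x00\x34\xff\xd9"
APPENDED = b"<constructed stand-in for an encrypted payload>"
```

A non-zero result is only a trigger for closer inspection: legitimate files can carry trailing data too, so treat it as a triage signal to pair with the other indicators in the summary (CHM delivery, LOLBin use, scheduled task creation).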