
Polyglot recordsdata used to unfold new backdoor

In response to a request for more details, Proofpoint said the message “leveraged the trusted relationship between the compromised sender and the targets through the use of a business-to-business sales lure”, together with an order form and a backgrounder on the company. The message also included URLs that apparently led to [.]com; they appeared to go to a legitimate INDIC Electronics home page. Instead they went to a phony domain called “indicelectronics[.]net” that contained a zip archive that appeared to contain an XLS (Excel spreadsheet) and two PDF files.

That might have fooled even suspicious email recipients, and possibly some defensive software. However, the supposed XLS was really a LNK file using a double extension (filename[.]xls[.]lnk), and the PDF files were both polyglots. One was appended with HTA [an HTML application], while the other had a zip archive appended.

The LNK file launched cmd[.]exe, the report said, and then used mshta[.]exe to execute the PDF/HTA polyglot file. The mshta[.]exe process goes through the file, past the PDF portion, until it finds the HTA header, and executes the content from there. The HTA script serves as an orchestrator, and it contains instructions for cmd[.]exe to carve out the executable and the URL file from the second PDF. Eventually an executable looks for the Sosano backdoor hidden in the zip file.
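The two tricks described above (a PDF with HTA or zip content appended after its trailer, and a double extension hiding a LNK) can both be caught with a simple triage check. The following is an added example written for this article, not code from Proofpoint's report; the file samples are constructed inline and the marker lists are assumptions chosen to illustrate the technique.

```python
import re

# Markers a defender can check for (constructed list for this example, not an exhaustive signature set)
PDF_MAGIC = b"%PDF-"
PDF_EOF = b"%%EOF"
ZIP_LOCAL_HEADER = b"PK\x03\x04"            # start of a zip local file entry
HTA_MARKERS = (b"<hta:application", b"<script", b"<html")
# Office/PDF document extension followed by an executable one, e.g. order.xls.lnk
DOUBLE_EXT_RE = re.compile(r"\.(xls|xlsx|doc|docx|pdf)\.(lnk|hta|exe|js|vbs)$", re.IGNORECASE)


def pdf_tail(data: bytes) -> bytes:
    """Return whatever follows the last %%EOF marker (the whole file if there is none)."""
    idx = data.rfind(PDF_EOF)
    return data if idx < 0 else data[idx + len(PDF_EOF):]


def classify_polyglot(data: bytes) -> list[str]:
    """Flag files that start as a PDF but carry HTA or zip content after the PDF trailer."""
    findings = []
    if not data.startswith(PDF_MAGIC):
        return findings            # not a PDF, so not the PDF-polyglot case described in the report
    tail = pdf_tail(data)
    if ZIP_LOCAL_HEADER in tail:
        findings.append("pdf+zip")
    if any(marker in tail.lower() for marker in HTA_MARKERS):
        findings.append("pdf+hta")
    return findings


def suspicious_name(filename: str) -> bool:
    """Flag double extensions such as filename.xls.lnk."""
    return DOUBLE_EXT_RE.search(filename) is not None


# Constructed samples for the example; these are not the real attachments from the campaign
SAMPLE_PDF_HTA = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n<html><hta:application id=\"x\"></html>"
SAMPLE_PDF_ZIP = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF\n" + ZIP_LOCAL_HEADER + b"\x00" * 26 + b"payload.bin"
SAMPLE_CLEAN_PDF = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF\n"

if __name__ == "__main__":
    for name, blob in (("pdf_hta", SAMPLE_PDF_HTA), ("pdf_zip", SAMPLE_PDF_ZIP), ("clean", SAMPLE_CLEAN_PDF)):
        print(name, classify_polyglot(blob))
    print("order.xls.lnk", suspicious_name("order.xls.lnk"))
```

A PDF with incremental updates contains several %%EOF markers, which is why the check looks only past the last one.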
