Researchers at Cyble have identified a highly advanced malware attack that successfully bypasses Google Chrome’s App-Bound Encryption. This security feature was designed to prevent infostealer malware from accessing user data, particularly cookies.
However, the newly discovered malware employs dual injection techniques to circumvent these defenses, allowing cybercriminals to extract sensitive credentials.
The attack begins with a deceptive file distribution method. The malware is embedded within a ZIP file disguised as a PDF document.
When opened, it executes a malicious LNK shortcut file that creates a scheduled task, running every 15 minutes. Another component of the attack is an XML project file, which is designed to appear as a PNG image, further tricking users into engaging with the malicious content.
To execute its payload, the malware abuses MSBuild.exe, a legitimate Microsoft development tool, rather than exploiting a vulnerability in it. This lets the payload run directly in memory without writing a detectable executable to disk, making it much harder for traditional security solutions to identify and stop the attack. The use of fileless execution techniques ensures that the malware operates stealthily while maintaining persistence on an infected system.
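As an added defender-side example (not code from Cyble's report), the following Python flags the two observable traits described above in process-creation telemetry: MSBuild.exe launched by the task scheduler against a file whose extension is not a build project (such as .png), and a schtasks.exe command registering a minute-interval task that runs MSBuild. The log events are constructed and their field names mirror Sysmon Event ID 1; the extension list, path pattern and scheduler parents are assumptions to tune for your environment.

```python
"""Flag MSBuild.exe being used as a fileless loader in process-creation logs."""
import re
import shlex
from pathlib import PureWindowsPath

# Extensions MSBuild is normally asked to build; anything else (e.g. .png) is suspect.
PROJECT_EXTS = {".csproj", ".vbproj", ".fsproj", ".proj", ".sln", ".targets", ".props", ".xml"}
# User-writable locations where a dropped "PNG" project file would typically land (assumption).
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\(appdata|downloads|desktop)|programdata|windows\\temp)\\", re.I)
# Parents that indicate a scheduled-task launch (assumption; taskeng.exe on older Windows).
SCHEDULED_PARENTS = {"taskeng.exe", "svchost.exe"}

def msbuild_findings(event):
    """Return the reasons an event looks like MSBuild-based fileless execution (empty if benign)."""
    image = PureWindowsPath(event["Image"]).name.lower()
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    cmd = event["CommandLine"]
    reasons = []
    if image == "msbuild.exe":
        # posix=False keeps Windows backslashes intact; skip /switches and -switches.
        for arg in shlex.split(cmd, posix=False)[1:]:
            if arg.startswith(("/", "-")):
                continue
            path = arg.strip('"')
            if PureWindowsPath(path).suffix.lower() not in PROJECT_EXTS:
                reasons.append(f"msbuild given a non-project file: {path}")
            if USER_WRITABLE.search(path):
                reasons.append(f"project file in user-writable path: {path}")
        if parent in SCHEDULED_PARENTS:
            reasons.append(f"msbuild launched by scheduler parent {parent}")
    if image == "schtasks.exe" and "msbuild" in cmd.lower() \
            and re.search(r"/sc\s+minute\s+/mo\s+\d+", cmd, re.I):
        reasons.append("scheduled task registered to run msbuild on a minute interval")
    return reasons

def scan(events):
    """Return (event index, reason) pairs for every finding across a list of events."""
    return [(i, r) for i, e in enumerate(events) for r in msbuild_findings(e)]

SAMPLE_EVENTS = [  # constructed sample telemetry, not real campaign data
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r'MSBuild.exe "C:\Users\alice\AppData\Local\Temp\invoice.png"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /Create /SC MINUTE /MO 15 /TN Updater /TR "MSBuild.exe C:\Users\alice\AppData\Local\Temp\invoice.png"'},
    {"ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r'MSBuild.exe /nologo "C:\src\app\app.csproj" /p:Configuration=Release'},
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The legitimate Visual Studio build in the third event produces no finding, while the scheduler-launched MSBuild run against a .png in a temp directory trips all three checks.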
A key aspect of this attack is its dual injection approach. The malware employs both Process Injection and Reflective DLL Injection to execute malicious code within legitimate system processes. This method allows it to blend in with normal activity while avoiding detection. By targeting Chrome’s security framework, the malware can extract encrypted login data, cookies, and other sensitive browser-stored information.
The malware also leverages the Telegram Web API for command and control communications. This connection enables threat actors to issue remote commands, modify bot configurations, and control infected systems with minimal interference. The dynamic bot ID switching feature adds an additional layer of stealth, ensuring continued access even if parts of the attack infrastructure are disrupted.
Cyble researchers noted that the malware appears to be specifically targeting organizations in Vietnam, particularly those in the telemarketing and sales industries.
However, the method it uses could be adapted for broader campaigns, posing a risk to businesses and individuals globally. The initial infection method remains unclear, but it likely involves phishing emails or malicious downloads.
To mitigate the risk of such attacks, Cyble recommends implementing strict email attachment filtering, restricting the execution of unverified files, and enhancing user awareness about phishing threats.
Organizations should also deploy advanced security solutions capable of detecting fileless malware attacks. The research highlights the evolving nature of cyber threats and the need for proactive cybersecurity measures to safeguard sensitive data.