WindowsCodecs.dll (hidden file).

If the victim runs the fake image file, which is actually a harmless calculator, the DLL is side-loaded and launches the batch file.
The BAT script launches the Microsoft Edge browser and loads base64-encoded page content that downloads another batch script from webhook.site. Meanwhile, the browser shows photos of a woman in a swimsuit with links to her genuine social media accounts, aiming to appear credible and lower the recipient's guard. The downloaded file, initially saved as .jpg, is renamed to .cmd and executed.
Finally, the code retrieves the final-stage script that gathers information about the compromised host and sends it back.
“This script constitutes the main loop of the program. In the loop for /l %n in () it first waits for 5 minutes, and then, similarly as before, downloads another script using the Microsoft Edge browser and the reference to webhook.site and executes it. This time, the file with the extension .css is downloaded, then its extension is changed to .cmd and launched,” continues the report. “The script we finally received collects only information about the computer (IP address and list of files in selected folders) on which they were launched, and then sends them to the C2 server. Probably computers of the victims selected by the attackers receive a different set of the endpoint scripts.”
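The chain described above leaves three observable traces on an endpoint: a DLL named WindowsCodecs.dll loaded from a user-writable folder, Edge started with a base64 data: URL, and a download renamed from an image or stylesheet extension to .cmd. The following detection logic is an added example written for this article, not code from the report or the analysed malware; the event format and the sample events are constructed for illustration.

```python
import ntpath
import re

# Constructed sample telemetry modelled on the chain described above (not real events).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\u\Downloads\calc.exe", "cmdline": "calc.exe"},
    {"type": "image_load", "process": r"C:\Users\u\Downloads\calc.exe",
     "image": r"C:\Users\u\Downloads\WindowsCodecs.dll"},
    {"type": "process", "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": "msedge.exe data:text/html;base64,PGh0bWw+"},
    {"type": "file_rename", "src": r"C:\Users\u\AppData\Local\Temp\photo.jpg",
     "dst": r"C:\Users\u\AppData\Local\Temp\photo.cmd"},
    {"type": "file_rename", "src": r"C:\Users\u\AppData\Local\Temp\style.css",
     "dst": r"C:\Users\u\AppData\Local\Temp\style.cmd"},
    {"type": "file_rename", "src": r"C:\Users\u\notes.txt", "dst": r"C:\Users\u\notes.bak"},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SIDELOAD_WATCHLIST = {"windowscodecs.dll"}   # hypothetical watch list of side-loadable DLL names
SCRIPT_EXTS = {".cmd", ".bat"}
DISGUISE_EXTS = {".jpg", ".jpeg", ".png", ".css"}
BASE64_DATA_URL = re.compile(r"data:[^,\s]*;base64,", re.IGNORECASE)


def check_event(ev):
    """Return the name of the first matching rule for one event, or None."""
    kind = ev["type"]
    if kind == "image_load":
        name = ntpath.basename(ev["image"]).lower()
        folder = ntpath.dirname(ev["image"]).lower()
        # A known side-load target loaded from outside the Windows system folders.
        if name in SIDELOAD_WATCHLIST and not folder.startswith(SYSTEM_DIRS):
            return "dll_sideload_from_user_dir"
    elif kind == "process":
        cmd = ev["cmdline"]
        # Edge started with inline base64 page content instead of a normal URL.
        if ntpath.basename(ev["image"]).lower() == "msedge.exe" and BASE64_DATA_URL.search(cmd):
            return "edge_opens_base64_data_url"
        if "webhook.site" in cmd.lower():
            return "webhook_site_in_cmdline"
    elif kind == "file_rename":
        src_ext = ntpath.splitext(ev["src"])[1].lower()
        dst_ext = ntpath.splitext(ev["dst"])[1].lower()
        # Image/stylesheet extension swapped for a script extension before execution.
        if src_ext in DISGUISE_EXTS and dst_ext in SCRIPT_EXTS:
            return "disguised_script_extension_swap"
    return None


def scan(events):
    """Run every rule over a list of events and return (rule, event) pairs."""
    findings = []
    for ev in events:
        rule = check_event(ev)
        if rule:
            findings.append((rule, ev))
    return findings
```

Run against the sample events, scan() flags the side-loaded DLL, the Edge data: URL and both extension swaps while leaving the benign .txt rename alone.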