The STAC5777 attack chain was more involved, with more hands-on-keyboard activity and commands. During the first stage, the attacker used the browser to download two .dat files, which they then combined into an archive called pack.zip.
The archive contained several files, including a legitimate executable called OneDriveStandaloneUpdater.exe, two .dll files from the OpenSSL Toolkit project, an unknown winhttp.dll, and a file called settingsbackup.dat. The archive and its files were unpacked into a folder called OneDriveUpdate under the Windows AppData directory.
Malware was capable of stealing system information and recording keystrokes
The winhttp.dll file was a backdoor that was automatically sideloaded by the legitimate OneDrive executable. The file was capable of gathering system information, including configuration details and the name of the current user, and of recording keystrokes. The researchers also believe it was intended to decrypt settingsbackup.dat and execute it as a second-stage payload, but they did not manage to analyze this file.