The STAC5777 attack chain was more involved, with more hands-on-keyboard hacking and commands. During the first stage, the attacker used the browser to download two .dat files, which they then combined into an archive called pack.zip.
The archive contained several files, including a legitimate executable called OneDriveStandaloneUpdater.exe, two .dll files from the OpenSSL Toolkit project, an unknown winhttp.dll, and a file called settingsbackup.dat. The archive and files were unpacked into a folder called OneDriveUpdate under the Windows AppData directory.
Malware was capable of stealing system information and recording keystrokes
The winhttp.dll file was a backdoor that was automatically sideloaded by the legitimate OneDrive executable. The file was capable of gathering system information, including configuration details and the name of the current user, and recording keystrokes. The researchers also believe it was intended to decrypt settingsbackup.dat and execute it as a second-stage payload, but they did not manage to analyze this file.