After establishing a rapport with the targeted researcher, the threat actors sent a malicious file that included at least one zero-day in a widely used software package that Google refrained from naming in the notification.
Once exploitation succeeds, the shellcode runs a series of anti-virtual-machine checks before sending the collected information and screenshots back to an attacker-controlled command-and-control (C2) domain.
The attack has a secondary infection vector
Apart from the zero-day exploits, the threat actors also plant a standalone Windows tool they developed to download debugging symbols and related program metadata from Microsoft, Google, Mozilla, and Citrix symbol servers.
"On the surface, this tool appears to be a useful utility for quickly and easily downloading symbol information from a number of different sources," TAG said. "The source code for this tool was first published on GitHub on September 30, 2022, with several updates being released since."
Symbol servers provide additional information about a binary that is useful when debugging software issues or conducting vulnerability research. The tool also has the ability to download and execute arbitrary code from an attacker-controlled domain, TAG added.
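For context on what a legitimate symbol download looks like, and why the backdoor capability stands out, here is an added example (not TAG's code and not the tool described in the report) that derives the SymSrv download path from a PE file's CodeView "RSDS" debug record and then flags any download URL whose host is not on an allowlist of known symbol servers. The RSDS record and the URLs are constructed inline; only the Microsoft host is listed, so the allowlist is an assumption you should extend with the symbol servers your organization actually uses.

```python
import struct
import uuid
from urllib.parse import urlparse

# Constructed sample CodeView "RSDS" record, as found in a PE's
# IMAGE_DEBUG_TYPE_CODEVIEW entry. Layout:
#   b"RSDS" | GUID (16 bytes, Windows mixed-endian) | age (uint32 LE) | NUL-terminated PDB path
_GUID = uuid.UUID("01234567-89ab-cdef-0123-456789abcdef")
SAMPLE_RSDS = b"RSDS" + _GUID.bytes_le + struct.pack("<I", 2) + b"C:\\build\\example.pdb\x00"

# Assumed allowlist: only Microsoft's public symbol server host is included here.
ALLOWED_SYMBOL_HOSTS = {"msdl.microsoft.com"}


def parse_rsds(record: bytes):
    """Return (pdb_name, guid, age) from an RSDS CodeView record."""
    if record[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record")
    guid = uuid.UUID(bytes_le=record[4:20])          # same byte order Windows stores it in
    (age,) = struct.unpack_from("<I", record, 20)
    path = record[24:].split(b"\x00", 1)[0].decode("ascii", "replace")
    pdb_name = path.replace("\\", "/").rsplit("/", 1)[-1]  # strip the build machine's directory
    return pdb_name, guid, age


def symsrv_path(pdb_name: str, guid: uuid.UUID, age: int) -> str:
    """SymSrv convention: <pdb>/<GUID as 32 upper-case hex digits><age in hex, unpadded>/<pdb>."""
    return f"{pdb_name}/{guid.hex.upper()}{age:X}/{pdb_name}"


def symbol_url(base: str, record: bytes) -> str:
    """Full download URL for the PDB matching the binary that carries this RSDS record."""
    return base.rstrip("/") + "/" + symsrv_path(*parse_rsds(record))


def flag_unexpected_hosts(urls, allowed=ALLOWED_SYMBOL_HOSTS):
    """Return the URLs a 'symbol downloader' would contact that are not symbol servers at all."""
    return [u for u in urls if urlparse(u).hostname not in allowed]


if __name__ == "__main__":
    expected = symbol_url("https://msdl.microsoft.com/download/symbols", SAMPLE_RSDS)
    print("legitimate symbol request:", expected)
    # Constructed second URL standing in for the kind of extra fetch a backdoored tool might make.
    print("unexpected hosts:", flag_unexpected_hosts([expected, "https://example.invalid/stage2.dll"]))
```

The point of the allowlist check is that a genuine symbol downloader only needs to talk to symbol servers, and every request it makes is fully determined by the GUID, age and PDB name in the binary; a request to any other host, or for anything that is not a `.pdb` at that derived path, is the behaviour to investigate.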