Asked for more details, Proofpoint said the message “leveraged the trusted relationship between the compromised sender and the targets by using a business-to-business sales lure”, including an order form and a backgrounder on the company. The message also included URLs that apparently led to [.]com; they looked as though they went to a legitimate INDIC Electronics home page. Instead they went to a phony domain called “indicelectronics[.]net” that contained a zip archive that appeared to contain an XLS (Excel spreadsheet) and two PDF files.
That might have fooled even suspicious email recipients, and possibly some defensive software. However, the supposed XLS was actually a LNK file using a double extension (filename[.]xls[.]lnk), and the PDF files were both polyglots. One had an HTA [an HTML application] appended, while the other had a zip archive appended.
The LNK file launched cmd[.]exe, the report said, and then used mshta[.]exe to execute the PDF/HTA polyglot file. The mshta[.]exe process reads through the file, past the PDF portion, until it finds the HTA header, and executes the content from there. The HTA script serves as an orchestrator: it contains instructions for cmd[.]exe to carve the executable and the URL file out of the second PDF. Ultimately an executable looks for the Sosano backdoor hidden in the zip file.
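A defender-side triage check for the two tricks described above (a document name ending in a risky second extension such as .xls.lnk, and a PDF with HTA markup or a ZIP header appended after its final %%EOF), added here as an example; it is not Proofpoint's code, and the sample file bytes are constructed for the test.

```python
from dataclasses import dataclass, field

PDF_MAGIC = b"%PDF-"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
# Markers that indicate an HTML Application body (matched case-insensitively).
HTA_MARKERS = (b"<hta:application", b"<html", b"<script")
# Final extensions that Explorer hides or that execute directly.
RISKY_FINAL_EXT = {".lnk", ".hta", ".exe", ".js", ".vbs", ".scr"}


@dataclass
class Finding:
    name: str
    reasons: list = field(default_factory=list)


def has_double_extension(name: str) -> bool:
    """True for document-looking names with a risky final extension, e.g. file.xls.lnk."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and "." + parts[2] in RISKY_FINAL_EXT


def polyglot_tail_types(data: bytes) -> list:
    """Report HTA and/or ZIP content found after the last %%EOF of a PDF.

    This mirrors what the article says mshta.exe does: skip the PDF portion and
    look for the HTA header further in. Heuristic: if no %%EOF exists the whole
    file is scanned, which may produce false positives on odd PDFs.
    """
    if not data.startswith(PDF_MAGIC):
        return []
    eof = data.rfind(b"%%EOF")
    tail = data[eof + 5:] if eof != -1 else data
    found = []
    if any(marker in tail.lower() for marker in HTA_MARKERS):
        found.append("hta")
    if ZIP_LOCAL_HEADER in tail:
        found.append("zip")
    return found


def triage(name: str, data: bytes) -> Finding:
    """Combine both checks into one finding for an archive member."""
    finding = Finding(name)
    if has_double_extension(name):
        finding.reasons.append("double extension")
    for kind in polyglot_tail_types(data):
        finding.reasons.append(f"pdf+{kind} polyglot")
    return finding


# Constructed sample inputs (not real campaign files).
CLEAN_PDF = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n"
PDF_HTA = CLEAN_PDF + b"<html><head><hta:application id=x></head></html>"
PDF_ZIP = CLEAN_PDF + ZIP_LOCAL_HEADER + b"\x00" * 26 + b"payload.bin"
```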