Since July 2022, the government computer emergency response team of Ukraine (CERT-UA) has been recording mass mailings of e-mails with the subject "Final payment" and an attachment of the same name in the form of a TGZ archive. The archive contains an EXE file classified as the RelicRace .NET downloader, which is designed to download (mostly from OneDrive), decode and run the RelicSource malicious .NET program in memory.
REFERENCE: https://cert.gov.ua/article/955924
TAGS: stealers, Formbook, Snake Keylogger, RelicRace, RelicSource, malware, mass mailing, .NET, OneDrive
ATT&CK IDS: T1056 - Input Capture, T1127 - Trusted Developer Utilities Proxy Execution, T1204.002 - Malicious File, T1566.001 - Spearphishing Attachment, T1192 - Spearphishing Link, T1007 - System Service Discovery