A sophisticated new spear-phishing campaign has emerged, deploying the notorious VIP keylogger through carefully crafted email attachments that masquerade as legitimate payment receipts.
This latest iteration represents a significant evolution in the malware’s delivery mechanism, showcasing the threat actors’ adaptability and technical sophistication in bypassing modern security measures.
The VIP keylogger, previously documented for its advanced data theft capabilities, has resurfaced with enhanced steganographic techniques and improved evasion tactics.
This malware strain specifically targets web browsers including Chrome, Microsoft Edge, and Mozilla Firefox, systematically harvesting user credentials, monitoring clipboard activity, and logging keystrokes to capture sensitive information.
The current campaign demonstrates a marked departure from earlier versions by incorporating an AutoIt-based injector system that significantly complicates detection and analysis efforts.
Seqrite researchers identified this campaign through monitoring suspicious email traffic patterns and analyzing malicious attachments that appeared to be innocuous document files.
The threat actors have refined their social engineering approach, using convincing financial document themes to lure victims into executing the malicious payload.
This latest variant shows increased sophistication in its multi-stage deployment process and memory-resident execution techniques.
The attack initiates when victims receive spear-phishing emails containing a ZIP archive named “payment receipt_USD 86,780.00.pdf.pdf.z.”
This seemingly legitimate financial document actually conceals a malicious executable file disguised as “payment receipt_USD 86,780.00 pdf.exe.”
The double extension technique effectively deceives users into believing they are opening a standard PDF document rather than an executable file.
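The check below is an added example written for this page; it is not code from the article or from Seqrite. It inspects an attachment archive for the two signs described above: a member whose name stacks a document-style token in front of an executable extension, and a member whose leading bytes are a PE image (`MZ`) rather than the document type the name suggests. The archive contents, the fake `MZ` stub and the benign PDF are constructed for the example; the extension and magic-byte tables are assumptions a mail gateway would tune.

```python
"""Flag deceptive attachment members: stacked document/executable extensions
and content-type mismatches. Sample archive is constructed inline (not the
real campaign artifact)."""
import io
import re
import zipfile
from dataclasses import dataclass, field

# Assumed tables; extend to match local policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
MAGIC = {b"%PDF": "pdf", b"MZ": "pe", b"PK\x03\x04": "zip"}

# A document-type token at the end of the stem, separated by '.', ' ', '_' or '-',
# so both "receipt.pdf.exe" and "receipt pdf.exe" are caught.
DOC_TOKEN = re.compile(r"(?:^|[ ._\-])(pdf|docx?|xlsx?|pptx?|txt)$", re.IGNORECASE)


@dataclass
class Finding:
    member: str
    kind: str
    reasons: list = field(default_factory=list)


def looks_like_double_extension(name: str) -> bool:
    """True when the final extension is executable but the stem ends in a
    document-type token, the lure pattern described in the article."""
    base = name.rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    if not dot or "." + ext.lower() not in EXECUTABLE_EXTS:
        return False
    return DOC_TOKEN.search(stem) is not None


def sniff(head: bytes) -> str:
    """Identify content by leading magic bytes, independent of the filename."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def inspect_archive(blob: bytes) -> list:
    """Return a Finding for every member that shows a deception indicator."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                kind = sniff(fh.read(8))
            name = info.filename
            final_ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            reasons = []
            if looks_like_double_extension(name):
                reasons.append("document-style name ends in an executable extension")
            if kind == "pe" and final_ext in DOCUMENT_EXTS:
                reasons.append("name claims a document but content is a PE image")
            if kind == "pe" and final_ext in EXECUTABLE_EXTS:
                reasons.append("executable content delivered as a mail attachment")
            if reasons:
                findings.append(Finding(name, kind, reasons))
    return findings


def build_sample_archive() -> bytes:
    """Constructed stand-in for the lure archive: a fake PE stub under the
    double-extension name from the article, plus a benign PDF member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payment receipt_USD 86,780.00 pdf.exe",
                    b"MZ" + b"\x00" * 62 + b"fake PE stub for the example")
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%constructed benign sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_archive(build_sample_archive()):
        print(f.member, f.kind, "; ".join(f.reasons))
```

Matching on magic bytes as well as on the name matters because a gateway that trusts the extension alone is exactly what the stacked `pdf.exe` name is designed to fool; the content check fires even when the name is clean.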
Advanced Infection Mechanism and Payload Deployment
Upon execution, the malware demonstrates remarkable technical complexity through its multi-layered infection process.
The AutoIt script embedded within the initial executable immediately drops two encrypted files named “leucoryx” and “aveness” into the system’s temporary directory.
These files serve distinct purposes in the infection chain, with leucoryx containing decryption keys while aveness houses the encrypted payload data.
The malware employs a custom XOR decryption function identified as “KHIXTKVLO” to decrypt the payload directly in memory, avoiding disk-based detection mechanisms.
This technique involves reading the encrypted content from leucoryx, applying the XOR decryption algorithm, and storing the resulting data in allocated memory structures.
The decrypted payload is then injected into RegSvcs.exe using process hollowing techniques, allowing the VIP keylogger to execute within a legitimate Windows process and evade behavioral detection systems.
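The hunt below is an added example, not code from the article or from Seqrite. It runs over constructed Sysmon-style events (event ID 1 for process creation, event ID 11 for file creation; the field names follow Sysmon's schema, the values are made up) and correlates the chain described above: a process running from a user-writable directory writes extensionless files into the temp directory and then launches RegSvcs.exe. The set of hollowing hosts and the list of user-writable paths are assumptions to tune locally; the benign Visual Studio parent is included only to show the rule does not fire on ordinary developer use.

```python
"""Correlate dropper file writes with a suspicious RegSvcs.exe launch.
Events are constructed Sysmon-style dicts, not real telemetry."""
from collections import defaultdict

# Assumed tunables.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
HOLLOW_HOSTS = {"regsvcs.exe"}   # other .NET framework utilities can be added

TEMP = r"C:\Users\alice\AppData\Local\Temp"
DROPPER = TEMP + r"\payment receipt_USD 86,780.00 pdf.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed event stream: dropper writes the two extensionless files named in
# the article, then starts RegSvcs.exe; a developer's IDE also starts RegSvcs.exe.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A}", "ParentProcessGuid": "{Z}",
     "Image": DROPPER, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessGuid": "{A}", "TargetFilename": TEMP + r"\leucoryx"},
    {"EventID": 11, "ProcessGuid": "{A}", "TargetFilename": TEMP + r"\aveness"},
    {"EventID": 1, "ProcessGuid": "{B}", "ParentProcessGuid": "{A}",
     "Image": REGSVCS, "ParentImage": DROPPER},
    {"EventID": 1, "ProcessGuid": "{C}", "ParentProcessGuid": "{D}",
     "Image": REGSVCS,
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def hunt(events: list) -> list:
    """Return one alert per hollowing-host launch whose parent runs from a
    user-writable path; severity rises when that parent also dropped
    extensionless files into a temp directory earlier in the stream."""
    dropped = defaultdict(list)   # ProcessGuid -> extensionless temp files it wrote
    alerts = []
    for ev in events:
        if ev["EventID"] == 11:
            target = ev["TargetFilename"]
            if "\\temp\\" in target.lower() and "." not in _basename(target):
                dropped[ev["ProcessGuid"]].append(target)
        elif ev["EventID"] == 1:
            child = _basename(ev["Image"]).lower()
            parent = ev["ParentImage"].lower()
            if child in HOLLOW_HOSTS and any(d in parent for d in USER_WRITABLE):
                files = dropped.get(ev.get("ParentProcessGuid"), [])
                alerts.append({
                    "host": ev["Image"],
                    "parent": ev["ParentImage"],
                    "dropped": list(files),
                    "severity": "high" if files else "medium",
                })
    return alerts


if __name__ == "__main__":
    for a in hunt(EVENTS):
        print(a["severity"], a["host"], "<-", a["parent"], a["dropped"])
```

The parent-path condition alone is a useful medium-confidence signal, since RegSvcs.exe is a framework utility that is rarely started by anything under a user profile; the file-write correlation is what lifts it to high confidence and ties the launch back to the dropper that staged the encrypted payload.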
The post New Spear Phishing Attack Delivers VIP Keylogger via EMAIL Attachment appeared first on Cyber Security News.