Blogspot-Hosted Payloads Delivered in ‘Veil#Drop’ Attacks
Securonix has uncovered a sophisticated multi-stage malware delivery framework that uses compromised websites and social engineering to infect users with information stealers.
Dubbed Veil#Drop, the framework combines JavaScript launchers and PowerShell download cradles for the deployment and execution of malware hosted on Blogspot, Google’s trusted infrastructure.
The infection chain begins with a JavaScript file posing as a document, designed to launch PowerShell code and evade execution policies. The PowerShell retrieves additional payloads from attacker-controlled Blogspot pages.
The Blogspot-hosted payload displays a decoy document, terminates specific processes, and decrypts embedded content. The decoded code generates additional Blogspot URLs and executes subsequent payloads directly in memory.
“A second-stage loader contains XOR-encoded .NET assemblies stored as large embedded data blobs that are reconstructed and decrypted at runtime, preventing straightforward static analysis and reducing the effectiveness of signature-based detection mechanisms,” Securonix explains.
The sophisticated infection chain also contains several fallback mechanisms, abusing trusted...
Copyright of this story solely belongs to securityweek.com. To see the full text click HERE