
Ongoing Phishing and Malware Campaigns in December 2024

Cyber attackers never stop inventing new ways to compromise their targets. That's why organizations must stay updated on the latest threats.

Here's a quick rundown of the current malware and phishing attacks you need to know about to safeguard your infrastructure before they reach you.

Zero-day Attack: Corrupted Malicious Files Evade Detection by Most Security Systems

The analyst team at ANY.RUN recently shared their analysis of an ongoing zero-day attack. It has been active since at least August and still remains unaddressed by most detection software to this day.

The attack involves the use of intentionally corrupted Word documents and ZIP archives with malicious files inside.

VirusTotal shows 0 detections for one of the corrupted files

Due to corruption, security systems cannot properly identify the type of these files and run analysis on them, which results in zero threat detections.

Once these files are delivered to a system and opened with their native applications (Word for docx and WinRAR for zip), they get restored, presenting the victim with malicious contents.

The ANY.RUN sandbox is one of the few tools that detect this threat. It allows users to manually open corrupted malicious files inside a fully interactive cloud VM with their corresponding apps and restore them. This enables you to see what kind of payload the file contains.

Check out this sandbox session featuring a corrupted Word document. After recovery, we can see that there is a QR code with an embedded phishing link.

The sandbox automatically identifies malicious activity and notifies you about this.

Try ANY.RUN's Interactive Sandbox to see how it can speed up and improve your malware analysis.

Get a 14-day trial to test all of its advanced features for free →

Fileless Malware Attack via PowerShell Script Distributes Quasar RAT

Another notable recent attack involves the use of a fileless loader called Psloramyra, which drops Quasar RAT onto infected devices.

This sandbox session shows how, after gaining an initial foothold on the system, the Psloramyra loader employs a LoLBaS (Living off the Land Binaries and Scripts) technique to launch a PowerShell script.

The script loads a malicious payload dynamically into memory, identifies and utilizes the Execute method from the loaded .NET assembly, and finally injects Quasar into a legitimate process like RegSvcs.exe.

The malware functions entirely within the system's memory, ensuring it leaves no traces on the physical disk. To maintain its presence, it creates a scheduled task that runs every two minutes.

Abuse of Azure Blob Storage in Phishing Attacks

Cybercriminals are now hosting phishing pages on Azure's cloud storage solution, leveraging the *.blob[.]core[.]windows[.]net subdomain.

Attackers use a script to fetch information about the victim's software, such as the OS and browser, which is displayed on the page to make it appear more trustworthy.

The objective of the attack is to trick the victim into entering their login credentials into a fake form; the credentials are then collected and exfiltrated.

Emmenhtal Loader Uses Scripts to Deliver Lumma, Amadey, and Other Malware

Emmenhtal is an emerging threat that has been involved in several campaigns over the past year. In one of the latest attacks, criminals utilize scripts to facilitate the execution chain that involves the following steps:

  • LNK file initiates Forfiles
  • Forfiles locates HelpPane
  • PowerShell launches Mshta with the AES-encrypted first-stage payload
  • Mshta decrypts and executes the downloaded payload
  • PowerShell runs an AES-encrypted command to decrypt Emmenhtal

The Emmenhtal loader, which is the final PowerShell script, executes a payload — often Updater.exe — by using a binary file with a generated name as an argument.

This leads to infection by malware families like Lumma, Amadey, Hijackloader, or Arechclient2.
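The stage order listed above can be hunted for in process-creation telemetry. The following is an added example, not code from ANY.RUN or from the original article. It assumes each stage runs as a descendant of the previous one and that events carry hypothetical `pid`, `ppid` and `image` fields; the sample events are constructed.

```python
# Added example: hunt for the forfiles -> powershell -> mshta -> powershell
# ordering in process-creation events. Field names are assumptions.
from ntpath import basename

# Stage order taken from the execution chain listed above.
CHAIN = ["forfiles.exe", "powershell.exe", "mshta.exe", "powershell.exe"]
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 210, "ppid": 100, "image": r"C:\Windows\System32\forfiles.exe"},
    {"pid": 220, "ppid": 210, "image": PS},
    {"pid": 230, "ppid": 220, "image": r"C:\Windows\System32\mshta.exe"},
    {"pid": 240, "ppid": 230, "image": PS.replace("powershell", "PowerShell")},
    {"pid": 250, "ppid": 240, "image": r"C:\Users\Public\Updater.exe"},
    # Benign look-alike: forfiles and PowerShell, but no mshta stage.
    {"pid": 310, "ppid": 100, "image": r"C:\Windows\System32\forfiles.exe"},
    {"pid": 320, "ppid": 310, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 330, "ppid": 320, "image": PS},
]

def ancestry(pid, by_pid):
    """Return image names from the oldest known ancestor down to pid."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:  # seen guards against PID loops
        seen.add(pid)
        names.append(basename(by_pid[pid]["image"]).lower())
        pid = by_pid[pid]["ppid"]
    return names[::-1]

def matches_chain(names, chain=CHAIN):
    """True if chain occurs in order within names (gaps like cmd.exe allowed)."""
    it = iter(names)
    return all(stage in it for stage in chain)

def find_chains(events):
    """Return pids of PowerShell processes whose ancestry completes the chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        names = ancestry(e["pid"], by_pid)
        if names[-1] == CHAIN[-1] and matches_chain(names):
            hits.append(e["pid"])
    return hits

if __name__ == "__main__":
    print(find_chains(SAMPLE_EVENTS))
```

Allowing gaps in the ancestry keeps the match from breaking when an intermediate shell such as cmd.exe sits between two stages.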

Analyze Latest Cyber Attacks with ANY.RUN

Equip yourself with ANY.RUN's Interactive Sandbox for advanced malware and phishing analysis. The cloud-based service provides you with a safe and fully-functional VM environment, letting you freely engage with malicious files and URLs you submit.

It also automatically detects malicious behavior in real time across network and system activities.

  • Identify threats in < 40 seconds
  • Save resources on setup and maintenance
  • Log and examine all malicious activities
  • Work in private mode with your team

Get a 14-day free trial of ANY.RUN to test all the features it offers →

