Cyberattack: Stealthy Fileless Attack Targets Attendees of Upcoming US-Taiwan Defense Industry Event - eviltoast

Archived version

  • Cyble Research and Intelligence Labs (CRIL) identified a campaign targeting individuals connected to the upcoming US-Taiwan Defense Industry Conference, as indicated by the lure document uncovered during the investigation.
  • The campaign involves a ZIP archive containing an LNK file that mimics a legitimate PDF registration form for deception.
  • When the LNK file is opened, it executes commands to drop a lure PDF and an executable in the startup folder, establishing persistence.
  • Upon system reboot, the executable downloads additional content and executes it directly in memory, effectively evading detection by the security products.
  • The first-stage loader triggers a second-stage loader, which downloads, decodes, and compiles C# code in memory, avoiding the creation of traceable files on disk.
  • Once the compiled code is executed, the malware exfiltrates sensitive data back to the attacker’s server via web requests designed to blend in with normal traffic, making detection more difficult.