Microsoft Teams attacks tricked employees into granting remote access

The STAC5777 attack chain was more involved, with more hands-on-keyboard activity and commands. During the first phase, the attacker used the browser to download two .dat files, which were combined into an archive called pack.zip.

The archive contained many files, including a legitimate executable called OneDriveStandaloneUpdater.exe, two .dll files from the OpenSSL Toolkit project, an unsigned winhttp.dll of unknown origin, and a file called settingsbackup.dat. The archive and its files were extracted to a folder called OneDriveUpdate under the Windows AppData directory.

The malware was able to steal system information and record keystrokes

The winhttp.dll file was a backdoor that was automatically sideloaded by the OneDrive updater executable. It was able to collect system information, including configuration details and the current user name, and to record keystrokes. The researchers also believe it was intended to process settingsbackup.dat and use it as a secondary payload, but they were unable to analyze that file.
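The sideloading described above leaves a recognisable trace: a system DLL name such as winhttp.dll being loaded from a user-writable folder, right beside the executable that loads it. The following detection check is an added example, not code from the report or the article; it runs over constructed Sysmon-style image-load records, and the file paths, the extra DLL names beyond winhttp.dll, and the record format are assumptions.

```python
import ntpath

# Constructed Sysmon-style image-load records (EventID 7 shape), not data from
# the report: (host process image, loaded module). Paths are assumptions.
SAMPLE_EVENTS = [
    # winhttp.dll next to the OneDrive updater under AppData\OneDriveUpdate
    (r"C:\Users\alice\AppData\Local\OneDriveUpdate\OneDriveStandaloneUpdater.exe",
     r"C:\Users\alice\AppData\Local\OneDriveUpdate\winhttp.dll"),
    # the same updater in its usual location loading the genuine system DLL
    (r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     r"C:\Windows\System32\winhttp.dll"),
    # an unrelated program loading its own bundled OpenSSL DLL: not a system DLL
    (r"C:\Program Files\Git\bin\git.exe",
     r"C:\Program Files\Git\bin\libssl-1_1.dll"),
]

# System DLLs that only belong in the Windows system directories. winhttp.dll is
# the one named in the article; the others are assumed additions.
SYSTEM_DLLS = {"winhttp.dll", "version.dll", "dbghelp.dll", "cryptbase.dll"}
TRUSTED_DIRS = [ntpath.normcase(d) + "\\" for d in
                (r"C:\Windows\System32", r"C:\Windows\SysWOW64")]


def suspicious_loads(events):
    """Return (image, module, reason) for loads that look like DLL sideloading."""
    findings = []
    for image, module in events:
        mod = ntpath.normcase(module)          # lower-case, backslash separators
        if ntpath.basename(mod) not in SYSTEM_DLLS:
            continue                           # not a system DLL name
        if any(mod.startswith(d) for d in TRUSTED_DIRS):
            continue                           # loaded from where it belongs
        reasons = ["system DLL name loaded from outside the Windows system directories"]
        img = ntpath.normcase(image)
        if ntpath.dirname(img) == ntpath.dirname(mod):
            reasons.append("DLL sits beside the host executable (search-order sideloading)")
        if "\\appdata\\" in img:
            reasons.append("host executable runs from a user AppData folder")
        findings.append((image, module, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for image, module, reason in suspicious_loads(SAMPLE_EVENTS):
        print(f"{image}\n  loaded {module}\n  {reason}")
```

Only the first record is flagged: the same updater loading winhttp.dll from System32 is normal, and a bundled OpenSSL DLL is not a system DLL name.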
