Sent in reply to the request for further information, the message "strengthens the reliable relationship between the reduced sender and the principles of business sales", and included a backgrounder on the company. The message also contained URLs that appeared to point to inside[.]com, as if they led to the legitimate home page of an electronics company. Instead, they led to a phony domain, References[.]net, hosting a ZIP archive that appeared to contain an XLS (Excel spreadsheet) file and two PDF files.
That would have lowered the suspicion of the email's recipients, and perhaps of any software protecting them. However, the supposed XLS file was actually an LNK file using a double extension (filename[.]xls[.]lnk), and the PDF files were polyglots: one was combined with an HTA (an HTML application), while the other had a ZIP archive embedded in it.
The LNK file launched cmd[.]exe, the report said, which then used mshta[.]exe to run the PDF/HTA polyglot file. The mshta[.]exe process reads through the file, past the PDF portion, until it reaches the HTA header, and executes the content from there. The HTA script acts as an orchestrator and contains cmd[.]exe commands to create a URL file from the second PDF. Ultimately, the Sosano backdoor turned out to be hidden in the ZIP archive.