Yoroi researcher Marco Ramilli has described a multi-stage attack aimed at Italian organizations. In this campaign, the attackers send emails written in Italian carrying a downloader disguised as an order form (ordine_065.js).
This downloader fetches and executes a PE file containing several components, the main ones being three modules: Anti Module, Service and RunPe. The IP address of the host from which the file is downloaded (31.148.99.254) presumably belongs to a cloud-services provider located in Ukraine.
According to the researcher, the Anti Module component is responsible for detection evasion. It checks whether it is running in a virtual machine and alters its behaviour when it finds analysis tools such as Sandboxie, Fiddler or Wireshark. The second module (Service) tries to deactivate various Windows functions, for example User Account Control, the command interpreter, Task Scheduler and.
Finally, the RunPe module decrypts and executes an additional payload.
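The behaviour attributed to the Service module (switching off User Account Control, the command interpreter and Task Scheduler) leaves a trace in the Windows registry, and that trace is what a defender can alert on. The following is an added detection example, written for this article and not code from Yoroi or Marco Ramilli's analysis. It parses a simplified, constructed line format modelled on Sysmon Event ID 13 (registry value set); the registry locations it watches are real Windows settings (EnableLUA, DisableCMD and the Start value of the Schedule service), while the log layout, timestamps and process names are assumptions made for the example. Events written by a script host such as wscript.exe are rated higher, mirroring the JavaScript downloader at the start of this chain.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed sample lines in a simplified Sysmon Event ID 13 (RegistryEvent
# SetValue) layout. They are NOT real telemetry from the campaign described
# in the article; they only illustrate what the Service module's changes
# would look like if logged this way.
SAMPLE_EVENTS = [
    r"2024-03-01T09:12:01Z EventID=13 Image=C:\Windows\System32\wscript.exe "
    r"TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA "
    r"Details=DWORD (0x00000000)",
    r"2024-03-01T09:12:02Z EventID=13 Image=C:\Windows\System32\wscript.exe "
    r"TargetObject=HKU\S-1-5-21-1\Software\Policies\Microsoft\Windows\System\DisableCMD "
    r"Details=DWORD (0x00000002)",
    r"2024-03-01T09:12:03Z EventID=13 Image=C:\Windows\System32\wscript.exe "
    r"TargetObject=HKLM\System\CurrentControlSet\Services\Schedule\Start "
    r"Details=DWORD (0x00000004)",
    # Benign: UAC being switched back ON by a system process.
    r"2024-03-01T09:30:00Z EventID=13 Image=C:\Windows\System32\svchost.exe "
    r"TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA "
    r"Details=DWORD (0x00000001)",
    # Benign: unrelated Explorer preference.
    r"2024-03-01T09:31:00Z EventID=13 Image=C:\Windows\explorer.exe "
    r"TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden "
    r"Details=DWORD (0x00000001)",
]

# (regex on the value path, predicate on the DWORD value, human-readable reason).
# EnableLUA=0 disables UAC; DisableCMD=1 or 2 blocks cmd.exe via policy;
# a service Start value of 4 means "disabled" (Schedule is Task Scheduler).
WATCHED: List[Tuple[str, Callable[[int], bool], str]] = [
    (r"\\Policies\\System\\EnableLUA$", lambda v: v == 0,
     "User Account Control disabled (EnableLUA=0)"),
    (r"\\Policies\\Microsoft\\Windows\\System\\DisableCMD$", lambda v: v in (1, 2),
     "command interpreter disabled by policy (DisableCMD)"),
    (r"\\Services\\Schedule\\Start$", lambda v: v == 4,
     "Task Scheduler service disabled (Start=4)"),
]

# Script hosts: a registry change coming from one of these is suspicious on
# its own, since the chain in the article starts from a .js attachment.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) Image=(?P<image>.+?) "
    r"TargetObject=(?P<target>.+?) Details=(?P<details>.+)$"
)
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")


@dataclass
class Alert:
    timestamp: str
    image: str
    target: str
    reason: str
    severity: str


def parse_event(line: str) -> Optional[Tuple[str, str, str, Optional[int]]]:
    """Return (timestamp, image, target, dword_value) for an Event ID 13 line,
    or None if the line is not a registry SetValue event in the assumed layout."""
    m = EVENT_RE.match(line)
    if not m or m["id"] != "13":
        return None
    d = DWORD_RE.search(m["details"])
    value = int(d.group(1), 16) if d else None
    return m["ts"], m["image"], m["target"], value


def evaluate(lines: List[str]) -> List[Alert]:
    """Flag registry writes that disable UAC, cmd.exe or Task Scheduler."""
    alerts: List[Alert] = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        ts, image, target, value = parsed
        if value is None:
            continue  # only DWORD policies are modelled here
        for pattern, predicate, reason in WATCHED:
            if re.search(pattern, target, re.IGNORECASE) and predicate(value):
                exe = image.rsplit("\\", 1)[-1].lower()
                severity = "high" if exe in SCRIPT_HOSTS else "medium"
                alerts.append(Alert(ts, image, target, reason, severity))
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.timestamp} {a.image}: {a.reason}")
```

Only value changes that move a setting into the weakened state are reported, so the svchost.exe line that re-enables UAC and the unrelated Explorer preference produce nothing. In practice the same rules map directly onto a SIEM query over real Sysmon or EDR registry telemetry; the script-host heuristic is a scoring hint, not a substitute for looking at the parent process chain.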
The researcher does not say which malware family is involved or what it is intended for. He finds it notable that the attackers use several methods to disguise the origin of the attack: for example, the code contains strings in both Russian and Chinese characters, but their presence does not mean the attack is a joint operation of Russian and Chinese hackers. A more detailed technical analysis is available in the researcher's blog.