A new phishing campaign is actively targeting organizations, leveraging a deceptive “Executive Award” theme to deliver the potent Stealerium malware. This sophisticated, two-stage attack meticulously combines social engineering tactics with advanced malware delivery, posing a significant threat to businesses and their sensitive data. The campaign highlights a concerning trend where cybercriminals are increasingly integrating credential theft with malware infections into a single, coordinated operation.
The attack commences with a convincingly designed HTML phishing page, identified as “Virtual-Gift-Card-Claim.html.” This page is crafted to impersonate legitimate corporate award notifications. Unsuspecting employees who interact with this fraudulent page believe they are merely verifying their account credentials to claim an award. However, their login information is immediately exfiltrated to a Telegram command-and-control (C2) server, under the direct control of the attackers. This initial credential harvesting is the crucial first step in the multi-stage infection chain.
Following the successful harvest of login credentials, the campaign pivots to malware deployment. Security analysts from SpiderLabs, after meticulously analyzing the campaign’s infrastructure and attack vectors, identified the malicious payload. In the second stage of the attack, a malicious Scalable Vector Graphics (SVG) file, named “account-verification-form.svg,” is delivered to the victim’s system. This SVG file acts as the trigger for a complex PowerShell script.
Understanding the Infection Mechanism and PowerShell Execution
The PowerShell script operates using the ClickFix exploit chain, a known technique that cunningly abuses established Windows messaging systems to execute hidden commands without raising immediate suspicion. This exploitation of legitimate Windows features is central to the attack’s effectiveness, allowing for minimal visibility during the execution phase. The underlying PowerShell code is designed to silently download and install the Stealerium information stealer onto the compromised computer, bypassing user knowledge and consent.
Stealerium poses a substantial risk due to its silent operation, designed to stealthily extract a wide range of sensitive information from infected systems. The malware communicates with its designated command-and-control servers, located at the IP address 31.57.147.77 on port 6464. Furthermore, Stealerium employs multiple download endpoints, enabling attackers to dynamically retrieve additional components and receive further commands. This adaptable architecture allows threat actors to modify their attack strategy in real-time, responding to system conditions and any existing security measures implemented by the target organization.
The strength of this attack lies in its ability to weaponize the very tools designed to secure systems. When the malicious SVG file is opened, the embedded PowerShell commands are initiated with a reduced likelihood of triggering standard security alerts. The ClickFix chain specifically leverages legitimate Windows messaging protocols to initiate code execution, circumventing typical security monitoring. Once established on the host, Stealerium proceeds to download and install essential components, including its core DLL file, batch scripts, and command executables. The malware then focuses on establishing persistence, ensuring it remains active across system restarts and continues its data exfiltration activities.
Organizations are strongly advised to closely monitor for any anomalous PowerShell activity, suspicious executions of SVG files, and unusual network connections directed towards the identified C2 infrastructure at 31.57.147.77:6464. Endpoint detection and response (EDR) systems should be configured to flag attempts to execute PowerShell commands originating from non-standard or unexpected sources. Network monitoring tools should be employed to block access to known malicious IP addresses and actively watch for DNS requests associated with this prevalent campaign. End-users are urged to maintain heightened vigilance regarding unsolicited emails that purport to offer executive recognition or awards, as these continue to be highly effective social engineering vectors.
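The monitoring advice above can be turned into concrete triage rules. The following Python script is an added example written for this article; it is not code from SpiderLabs or from the original report. It runs three checks over constructed endpoint telemetry: PowerShell launched from an unexpected parent process or with hidden/encoded/policy-bypass switches, network connections to the C2 endpoint named in the report (31.57.147.77:6464), and SVG files that carry script or event-handler attributes. The event dictionary format, the list of unexpected parent processes, and all sample events and SVG snippets are assumptions constructed for the example and should be mapped onto the fields your EDR actually emits.

```python
import re

# Indicator published in the report: Stealerium C2 endpoint.
C2_IP = "31.57.147.77"
C2_PORT = 6464

# Assumption: parent processes from which a PowerShell launch is unexpected on
# a typical workstation (browsers, mail and Office clients, script hosts).
# Tune this list to the environment.
UNEXPECTED_PARENTS = {
    "msedge.exe", "chrome.exe", "firefox.exe", "outlook.exe", "winword.exe",
    "excel.exe", "mshta.exe", "wscript.exe", "cscript.exe",
}

# Command-line switches typical of a PowerShell launch meant to stay out of
# sight. Patterns are matched against the lower-cased command line.
SUSPICIOUS_FLAGS = [
    (r"(^|\s)-w(indowstyle)?\s+hidden", "hidden-window"),
    (r"(^|\s)-e(p|xecutionpolicy)\s+bypass", "execution-policy-bypass"),
    (r"(^|\s)-e(nc|ncodedcommand)\b", "encoded-command"),
]

# Markers of active content inside an SVG document; a plain image needs none.
SVG_ACTIVE_CONTENT = re.compile(r"<script\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)

# Constructed sample telemetry (not captured from a real incident).
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1"},
    {"type": "process", "parent": "msedge.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -ep bypass -enc QUFBQQ=="},
    {"type": "network", "image": "powershell.exe", "dst_ip": "31.57.147.77", "dst_port": 6464},
    {"type": "network", "image": "msedge.exe", "dst_ip": "93.184.216.34", "dst_port": 443},
    {"type": "process", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# Constructed SVG snippets: one plain drawing, one with active content.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
ACTIVE_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" onload="placeholder()">'
              '<script>/* constructed placeholder */</script></svg>')


def flag_network(event):
    """True when the connection goes to the campaign's C2 host and port."""
    return (
        event.get("type") == "network"
        and event.get("dst_ip") == C2_IP
        and event.get("dst_port") == C2_PORT
    )


def flag_process(event):
    """Return the reasons a PowerShell process-creation event looks suspicious."""
    if event.get("type") != "process" or event.get("image", "").lower() != "powershell.exe":
        return []
    reasons = []
    if event.get("parent", "").lower() in UNEXPECTED_PARENTS:
        reasons.append("powershell-from-unexpected-parent")
    cmdline = event.get("cmdline", "").lower()
    for pattern, label in SUSPICIOUS_FLAGS:
        if re.search(pattern, cmdline):
            reasons.append(label)
    return reasons


def svg_has_active_content(svg_text):
    """True when an SVG carries script blocks, event handlers or javascript: URIs."""
    return bool(SVG_ACTIVE_CONTENT.search(svg_text))


def triage(events):
    """Run every rule over a list of events and return one alert per hit."""
    alerts = []
    for index, event in enumerate(events):
        reasons = flag_process(event)
        if flag_network(event):
            reasons.append("c2-connection")
        if reasons:
            alerts.append({"index": index, "image": event.get("image"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"event {alert['index']} ({alert['image']}): {', '.join(alert['reasons'])}")
    print("benign SVG active content:", svg_has_active_content(BENIGN_SVG))
    print("sample SVG active content:", svg_has_active_content(ACTIVE_SVG))
```

Note that the benign administrative launch (event 0, `-NoProfile -File` from explorer.exe) produces no alert, while the hidden, encoded launch from a browser accumulates four reasons; in practice the reasons list is what an analyst would use to rank alerts rather than treating any single switch as conclusive. The SVG check is a cheap mail-gateway or file-scan filter: an SVG attachment with `<script>` or an `on*=` handler has no business in an award notification.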
The continued evolution of such phishing and malware delivery campaigns necessitates robust, multi-layered security strategies. Organizations should prioritize ongoing security awareness training for their employees and ensure that all endpoint and network security solutions are up-to-date and properly configured. The future of these attacks likely involves further sophistication in social engineering and evasion techniques, making proactive threat intelligence and rapid incident response critical for effective defense.