TechRadar
Sead Fadilpašić

Russian hackers target HR departments with vicious new 'BlackSanta' malware


  • Russian hackers target HR departments with BlackSanta malware
  • Infection chain uses phishing emails and malicious ISO files
  • BlackSanta disables EDR tools to enable deeper compromise

Russian hackers have been targeting Human Resources (HR) departments at organizations around the world with a never-before-seen piece of malware called BlackSanta.

The campaign was spotted by cybersecurity researchers Aryaka, who said the attacks have been going on for at least a year, and include a rather sophisticated infection chain.

It most likely starts with a phishing email pretending to share resumes of potential employees, including a link to a Dropbox folder holding an ISO image. ISO files are images of optical discs and were fairly popular in the early 2000s, until thumb drives became more affordable. These days, however, they should be treated as a major red flag, since they are rarely used outside of scams.

EDR killer

Still, those who don’t spot the ruse, download the ISO, and extract it will get multiple files, including a shortcut file and a PowerShell script. The script downloads a malicious DLL file and a legitimate PDF reader, which is then used to side-load the DLL.

The DLL then first scans the system to see if it’s running in a sandbox environment, or a virtual machine. If it deems the machine worthy of further infection, it downloads additional payloads, among which is BlackSanta.
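The chain described above (a shortcut launching PowerShell from the extracted ISO, then a legitimate PDF reader side-loading the dropped DLL) leaves a recognisable trail in endpoint telemetry. The following is an added detection example, not code from Aryaka or from the article: it runs two Sysmon-style rules over constructed process-create and image-load events, and the reader name, DLL name and paths are hypothetical.

```python
from typing import Iterable

# Directories treated as install/system trees; everything else counts as user-writable.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

def _dir_of(path: str) -> str:
    """Directory part of a Windows path, lower-cased (host OS independent)."""
    return path.lower().rpartition("\\")[0]

def _user_writable(directory: str) -> bool:
    return not directory.startswith(TRUSTED_PREFIXES)

def detect_sideload_chain(events: Iterable[dict]) -> list[str]:
    """Return one finding per detected stage, in event order."""
    findings: list[str] = []
    staged_dirs: set[str] = set()  # where shortcut-launched PowerShell ran
    for ev in events:
        if ev["EventID"] == 1:  # Sysmon process create
            image = ev["Image"].lower()
            parent = ev.get("ParentImage", "").lower()
            cwd = ev.get("CurrentDirectory", "").lower().rstrip("\\")
            # Stage 1: explorer.exe (a double-clicked .lnk) starting PowerShell
            # on a script that lives in a user-writable directory.
            if (image.endswith("\\powershell.exe") and parent.endswith("\\explorer.exe")
                    and ".ps1" in ev.get("CommandLine", "").lower() and _user_writable(cwd)):
                staged_dirs.add(cwd)
                findings.append(f"shortcut-launched PowerShell script in {cwd}")
        elif ev["EventID"] == 7:  # Sysmon image load
            exe_dir, dll = _dir_of(ev["Image"]), ev["ImageLoaded"].lower()
            # Stage 2: an executable outside the install trees loading a DLL beside it (side-load layout).
            if dll.endswith(".dll") and _dir_of(dll) == exe_dir and _user_writable(exe_dir):
                tag = "chained" if any(exe_dir.startswith(d) for d in staged_dirs) else "unchained"
                findings.append(f"{tag} DLL side-load: {ev['Image']} loaded {dll}")
    return findings

# Constructed sample telemetry; names and paths are hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -File resume.ps1",
     "CurrentDirectory": "C:\\Users\\hr\\Downloads\\resumes\\"},
    {"EventID": 7, "Image": "C:\\Users\\hr\\Downloads\\resumes\\reader.exe",  # relocated legit reader
     "ImageLoaded": "C:\\Users\\hr\\Downloads\\resumes\\helper.dll"},
    {"EventID": 7, "Image": "C:\\Program Files\\Reader\\reader.exe",  # benign: normal install tree
     "ImageLoaded": "C:\\Program Files\\Reader\\helper.dll"},
]

if __name__ == "__main__":
    for finding in detect_sideload_chain(SAMPLE_EVENTS):
        print(finding)
```

The reader in its normal install tree produces no finding, so the rule keys on location rather than on the side-loading binary's name, which the attacker chooses.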

This piece of malware is described as an “EDR killer”, meaning it terminates endpoint detection and response tools before allowing further payloads to be deployed.

Its behaviour also varies depending on which EDR solution it finds on the target device. For example, it can suppress Windows notifications so that it keeps running even as the OS tries to alert the user to the ongoing attack.

Aryaka says the attackers were spotted in the wild, but did not say how many organizations were attacked, or how many actually fell victim. It also did not discuss the identity of the attackers, but judging by the modus operandi, it doesn’t seem to be any of the better-known state-sponsored groups.

Via BleepingComputer
