The zip attachment of the "PURCHASE ORDER" email contains a bat file. This runs a PS, which infects the machine with malware. The stolen data is exfiltrated via SMTP.
Cyber Security, Microsoft patches the Windows 10 “SMBGhost”
Microsoft patches the Windows 10 “SMBGhost” vulnerability. The CVE-2020-0796 affected the Server Message Block 3.1.1 (SMBv3). It could enable remote and arbitrary code execution, potentially taking control of the system
Microsoft has released out-of-band security updates to address a remote code execution vulnerability (CVE-2020-0796) in Server Message Block 3.1.1 (SMBv3). It has been announced by US CISA cyber security experts. The flaw, dubbed “SMBGhost”, affected Windows 10. If successfully exploited by an attacker, could enable remote and arbitrary code execution and potentially take control of the system. Moreover, it was “wormable.” This means that an attacker could move from victim to victim a similar way that the EternalBlue SMB exploit enabled WannaCry to spread so quickly. Microsoft las week released a bunch of updates to patch security vulnerabilities in various products. A total of 115 flaws has been fixed, but not the CVE-2020-0796.
How the SMBGhost could have been exploited to gain the control of a machine
Microsoft also confirmed the Windows 10’s SMBGhost vulnerability in a cyber security advisory. In the report, the company stated that “is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client. To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it. We will update this advisory when updates are available”. Now the security update patches definitely the flaw.