The email's RAR attachment contains an EXE: the first-stage malware, which in turn downloads the second stage. The stolen data is exfiltrated via SMTP.
Kaseya patches the VSA zero-day vulnerabilities used by REvil. Bleeping Computer: the ransomware gang probably exploited one, or a combination, of CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120.
Kaseya has released a security update for the VSA zero-day vulnerabilities that the REvil ransomware gang used to attack MSPs and their customers, as reported by Bleeping Computer. After seven flaws were disclosed to the company in April, Kaseya had patched most of them in its VSA SaaS service but had not yet finished the patches for the on-premise version of VSA. The cybercrime group exploited the still-unpatched flaws to launch a massive attack on July 2nd against approximately 60 MSPs running on-premise VSA servers and around 1,500 of their business customers. It is still unclear exactly which flaws were used, but it is believed to be one, or a combination, of CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120. The practical point for defenders is that the SaaS fixes did not protect on-premise deployments: an on-premise VSA server was exposed until this update was applied.