Last year, threat actors launched a sophisticated and highly targeted campaign that deploys the newly discovered DownEx malware.
Researchers have yet to learn many details about the malware from its first appearance last year. However, they say they were able to collect information on DownEx during its cyberespionage campaign against Afghanistan.
A recent threat analysis showed that the level of sophistication displayed by the malware could indicate that it is the product of an advanced persistent threat group. The researchers used this detail to link the new malware to the Russian state-sponsored Fancy Bear threat group.
The DownEx malware operators used politically inclined lures to bait their targeted individuals.
Based on reports, the DownEx campaign starts with spear-phishing messages that use diplomat-themed baits, such as a file named ‘! to embassy kazakh 2022[.]exe’, to deceive targets.
The phishing message carries a malicious executable that poses as an MS Word document. Once the executable runs on the victim’s system, it downloads two additional files, which then lets the attackers execute the DownEx malware in the final stage. The attackers also launch a Python-based backdoor to establish communication.
DownEx is written in C++ and shares no code with previously known malware strains. However, the attack strategy provides a clue, as it resembles the Fancy Bear group’s approach involving a cracked version of MS Office 2016.
Additionally, the researchers observed a VBScript-based version of DownEx used in a fileless campaign. The malware is designed to harvest confidential and financial information from files with specific extensions, which the attackers then exfiltrate in a password-protected zip archive once the data is collected.
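As an added example (not the researchers' tooling and not code from the report), here is a small Python triage routine for a mail-gateway or endpoint pipeline that flags the two DownEx traits described above: an executable delivered under a document-looking name, and a password-protected zip archive of the kind used for exfiltration. The finding labels, the minimal zip-header builder and the sample attachments (including the lure file name quoted in the report) are constructed for this example.

```python
"""Attachment triage heuristics for two DownEx traits: an executable posing as
a Word document, and data leaving as a password-protected zip.
Added example; labels and samples are constructed, not from the report."""
import struct
from typing import List, Tuple

PE_MAGIC = b"MZ"                      # DOS/PE executable header
ZIP_LOCAL_HEADER = b"PK\x03\x04"      # zip local file header signature
ZIP_ENCRYPTED_FLAG = 0x0001           # bit 0 of the general-purpose flag field
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif")
DOCUMENT_EXTENSIONS = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf")


def split_extension(filename: str) -> Tuple[str, str]:
    """Return (stem, ext): ext lower-cased and including the dot, '' if none."""
    name = filename.lower()
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return name, ""
    return stem, "." + ext


def attachment_findings(filename: str, data: bytes) -> List[str]:
    """Return finding labels for one attachment (file name plus raw bytes).

    Labels (constructed for this example):
      executable_attachment                     final extension is executable
      double_extension                          e.g. report.docx.exe
      pe_content                                bytes begin with an MZ header
      pe_content_with_non_executable_extension  MZ bytes under a non-.exe name
      encrypted_zip                             zip entry has the encryption bit set
    """
    findings: List[str] = []
    stem, ext = split_extension(filename)

    if ext in EXECUTABLE_EXTENSIONS:
        findings.append("executable_attachment")
        if stem.endswith(DOCUMENT_EXTENSIONS):
            findings.append("double_extension")

    if data.startswith(PE_MAGIC):
        findings.append("pe_content")
        if ext not in EXECUTABLE_EXTENSIONS:
            findings.append("pe_content_with_non_executable_extension")

    # A password-protected zip sets bit 0 of the general-purpose flags, which
    # sit at offset 6 of the first local file header (after signature + version).
    if data.startswith(ZIP_LOCAL_HEADER) and len(data) >= 8:
        (gp_flags,) = struct.unpack_from("<H", data, 6)
        if gp_flags & ZIP_ENCRYPTED_FLAG:
            findings.append("encrypted_zip")

    return findings


def make_zip_local_header(encrypted: bool, entry_name: bytes = b"a.txt") -> bytes:
    """Build a minimal 30-byte zip local file header (constructed sample input)."""
    gp_flags = ZIP_ENCRYPTED_FLAG if encrypted else 0
    header = struct.pack(
        "<4sHHHHHIIIHH",
        ZIP_LOCAL_HEADER,   # signature
        20,                 # version needed to extract
        gp_flags,           # general-purpose bit flags
        0,                  # compression method (stored)
        0, 0,               # last-mod time, last-mod date
        0,                  # CRC-32
        0, 0,               # compressed size, uncompressed size
        len(entry_name),    # file name length
        0,                  # extra field length
    )
    return header + entry_name


# Constructed samples: a fake PE body and two zip headers.
FAKE_PE = PE_MAGIC + bytes(62)
SAMPLES = [
    ("! to embassy kazakh 2022.exe", FAKE_PE),     # lure file name from the report
    ("report.docx.exe", FAKE_PE),                  # classic double extension
    ("memo.docx", FAKE_PE),                        # name says Word, bytes say PE
    ("export.zip", make_zip_local_header(True)),   # password-protected archive
    ("clean.zip", make_zip_local_header(False)),   # ordinary archive, not flagged
]


def triage(samples) -> dict:
    """Map each sample name to its findings, keeping only flagged attachments."""
    flagged = {}
    for name, data in samples:
        findings = attachment_findings(name, data)
        if findings:
            flagged[name] = findings
    return flagged


if __name__ == "__main__":
    for name, findings in triage(SAMPLES).items():
        print(f"{name}: {', '.join(findings)}")
```

The magic-byte check matters more than the name check: an MZ header under a .docx name is a stronger signal than any extension rule, and the encryption bit on the first local header is enough to route an outbound archive to inspection without needing the password.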
An updated list of IoCs for the DownEx malware is publicly available to aid security experts and organisations. These IoCs could help defenders detect malicious activity during the early stages of the attack.
Organisations should employ advanced malware detection mechanisms and email filtering features to spot, block, and respond to threats at the initial stage of the DownEx campaign.
