Kinetic Potential Blog

Cybersecurity researchers are calling attention to a sophisticated social engineering campaign that's targeting supply chain-critical manufacturing companies with an in-memory malware dubbed MixShell.

The activity has been codenamed ZipLine by Check Point Research.

"Instead of sending unsolicited phishing emails, attackers initiate contact through a company's public 'Contact Us' form, tricking employees into starting the conversation," the company said in a statement shared with The Hacker News. "What follows are weeks of professional, credible exchanges, often sealed with fake NDAs, before delivering a weaponized ZIP file carrying MixShell, a stealthy in-memory malware."

Cybersecurity researchers have shed light on a novel attack chain that employs phishing emails to deliver an open-source backdoor called VShell.

The "Linux-specific malware infection chain that starts with a spam email with a malicious RAR archive file," Trellix researcher Sagar Bade said in a technical write-up.

"The payload isn't hidden inside the file content or a macro, it's encoded directly in the filename itself. Through clever use of shell command injection and Base64-encoded Bash payloads, the attacker turns a simple file listing operation into an automatic malware execution trigger."

The technique, the cybersecurity company added, takes advantage of a simple yet dangerous pattern commonly observed in shell scripts that arises when file names are evaluated with inadequate sanitization, thereby causing a trivial command like eval or echo to facilitate the execution of arbitrary code.

CrowdStrike warns of a spike in attacks aimed at infecting macOS users with a variant of the infamous Atomic macOS Stealer (AMOS) information stealer.

Between June and August, the cybercrime group Cookie Spider, which operates the AMOS malware-as-a-service (MaaS) enterprise, used malvertising to direct victims to fraudulent help websites and trick them into installing the malware.

The campaign, CrowdStrike says, targeted users who were searching for solutions to common macOS issues, and relied on promoting fraudulent advertisements for websites where victims were instructed to execute a malicious command on their systems.

The command would fetch a Bash script from a remote server, to capture the victim’s password and download an executable from another remote location.