# Simulated Environment: The Latest Tactic in Malware Attacks

# is a phishing campaign that plants a simulated (virtualized) environment on the victim's machine to slip past security controls and establish a persistent backdoor. By leveraging and , the attackers gain covert access to steal data and control systems.

A phishing campaign, "#", has been discovered that uses an unusual method to infiltrate systems and establish persistent backdoors: it deploys a simulated environment on the compromised endpoint, specifically .

# The campaign uses a multi-stage chain to compromise the target and establish a persistent backdoor. The initial infection vector is a phishing email carrying malicious files and shortcut files (named . and .), disguised as legitimate documents (such as surveys or software updates) to trick the user into executing them.

Figure: shortcut file analysis (command and process details) and the bait image disguised as a server error.

Once executed, the shortcut file downloads a large archive containing everything the simulated environment needs: a custom distribution (such as) and the virtualization tools that run it.

The batch file "." shows the user a fake server error claiming that the survey link is unavailable, while the same script runs the processes and command lines that bring up the simulated environment in which the attacker operates. The error message is an image hosted by , opened in the user's default browser, so the user sees what looks like an ordinary broken link rather than a virtual machine starting, and the activity passes as normal system behavior.

Inside the simulated environment the attacker has pre-installed a pre-configured client: a tunneling tool that opens a covert channel to a remote command-and-control (C2) server. Through it the attacker can build encrypted tunnels over the and protocols. The client ships with its settings baked in, including the C2 server address, port and encryption parameters, so it connects to the attacker's infrastructure automatically, with no interaction from the victim.

The client runs inside the simulated environment and re-activates the backdoor whenever the system starts or restarts. Over the encrypted connection the attacker can pass commands and data in both directions: run arbitrary commands, download additional malware, steal and exfiltrate sensitive data, change system settings, modify registry entries, create scheduled tasks, install software, deploy further persistence, and move laterally to other systems on the network.
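The chain described above leaves a defender a few host-side signals worth hunting for. As an added example (not code from the article or from any vendor), the Python below scans constructed Sysmon-style process-creation and network-connection records for a hypervisor launched by a batch or shortcut file from a user-writable directory with its disk image unpacked beside it, for a launch chain that passes through the Startup folder, and for the hypervisor process itself opening a connection off the local network, which is how the guest's tunnel shows up on the host. The article names neither the virtualization software nor the tunneling client, so the hypervisor executable names, path fragments, disk-image extensions, the Startup-folder check and the sample events are all this example's own assumptions.

```python
"""Hunt Sysmon-style endpoint events for a backdoor hidden in a local hypervisor.
Added example for this article, not code from the article or from any vendor.
The article does not name the virtualization software, tunneling client or
batch/shortcut files, so every indicator here is an assumption; events are constructed."""
import ipaddress
import ntpath
import re
from dataclasses import dataclass, field

# Assumption: executables of portable hypervisors a phishing archive could ship.
HYPERVISOR_IMAGES = {"qemu-system-x86_64.exe", "qemu-system-i386.exe",
                     "vboxheadless.exe", "vboxmanage.exe", "vmware-vmx.exe"}
# Assumption: path fragments that mark a user-writable drop location.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")
DISK_IMAGE_EXT = (".qcow2", ".img", ".vdi", ".vmdk", ".iso")
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe"}
ABSOLUTE_WIN_PATH = re.compile(r"^[a-zA-Z]:\\")
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class Finding:
    pid: int
    image: str
    reasons: list = field(default_factory=list)


def _base(path):
    return ntpath.basename(path).lower()


def _user_writable(path):
    return any(frag in path.lower() for frag in USER_WRITABLE)


def _is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def suspicious_disk_images(cmdline):
    """Disk images on the command line in a user-writable dir or given as relative paths."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]+"|\S+', cmdline)]
    images = [t for t in tokens if t.lower().endswith(DISK_IMAGE_EXT)]
    return [t for t in images if _user_writable(t) or not ABSOLUTE_WIN_PATH.match(t)]


def _inspect_launch(ev):
    f = Finding(ev["pid"], ev["image"])
    if _user_writable(ev["image"]):
        f.reasons.append("hypervisor binary runs from a user-writable directory")
    for img in suspicious_disk_images(ev["cmdline"]):
        f.reasons.append(f"disk image in user-writable or relative path: {img}")
    parent = _base(ev["parent_image"])
    if parent in SCRIPT_HOSTS and re.search(r"\.(bat|cmd|lnk)\b", ev["parent_cmdline"], re.I):
        f.reasons.append(f"launched by {parent} running a batch or shortcut file")
    # Assumption: the article says the VM returns after a reboot but not how;
    # a script in the Startup folder is one cheap way, so flag that path.
    if "\\startup\\" in ev["parent_cmdline"].lower():
        f.reasons.append("launch chain references the Startup folder (survives reboots)")
    return f


def hunt(events):
    """Return one Finding per suspicious hypervisor process, in event order."""
    findings = {}
    # Pass 1: process creations (Sysmon event ID 1) whose image is a hypervisor.
    for ev in events:
        if ev["id"] == 1 and _base(ev["image"]) in HYPERVISOR_IMAGES:
            f = _inspect_launch(ev)
            if f.reasons:
                findings[f.pid] = f
    # Pass 2: network connections (Sysmon event ID 3) owned by a flagged process.
    # The tunnel client runs inside the guest, so on the host it is the
    # hypervisor process itself that holds the outbound socket.
    for ev in events:
        if ev["id"] == 3 and ev["pid"] in findings and not _is_local(ev["dest_ip"]):
            findings[ev["pid"]].reasons.append(
                f"outbound connection from hypervisor to {ev['dest_ip']}:{ev['dest_port']}")
    return list(findings.values())


# Constructed sample telemetry (not real logs): a legitimate VM on an admin workstation,
# then a VM unpacked from a downloaded archive, started by a batch file and re-launched
# from the Startup folder. 203.0.113.10 (a documentation address) stands in for a C2 host.
PKG = r"C:\Users\alice\AppData\Local\Temp\pkg"
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4100, "image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "cmdline": r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 2048 -hda D:\VMs\lab.qcow2',
     "parent_image": r"C:\Windows\explorer.exe", "parent_cmdline": "explorer.exe"},
    {"id": 1, "pid": 5210, "image": PKG + r"\qemu-system-x86_64.exe",
     "cmdline": "qemu-system-x86_64.exe -m 256 -hda disk.img -netdev user,id=n0 -device e1000,netdev=n0 -nographic",
     "parent_image": r"C:\Windows\System32\cmd.exe", "parent_cmdline": f'cmd.exe /c "{PKG}\\run.bat"'},
    {"id": 3, "pid": 4100, "dest_ip": "10.0.0.5", "dest_port": 22},
    {"id": 3, "pid": 5210, "dest_ip": "203.0.113.10", "dest_port": 443},
    {"id": 1, "pid": 7320, "image": PKG + r"\qemu-system-x86_64.exe",
     "cmdline": "qemu-system-x86_64.exe -m 256 -hda disk.img -nographic",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat"'},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"pid {f.pid} {f.image}:", "; ".join(f.reasons))
```

Run as a script it flags two processes and lists the reasons for each; the legitimate VM started from Program Files with its disk image outside user-writable space produces nothing. The rule worth keeping is the last one: host-based security tooling cannot see the tunneling client inside the guest, but it can still see the hypervisor process holding the socket, so per-process network telemetry is the practical place to look.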

By hiding the malicious activity inside a legitimate virtualization tool, where host-based security products typically cannot see into the guest, the attacker bypasses traditional controls and establishes a covert foothold. The tunneling tool then gives persistent access and a channel for further malicious actions.

# The case shows how attacker tradecraft keeps evolving, here by simulating an environment on the endpoint and abusing legitimate software. The approach gives attackers persistent access to compromised systems and underlines the need for caution with suspicious emails.


Author: Emma
