New ‘BlackSanta’ EDR killer spotted targeting HR departments

A Russian-speaking threat actor has targeted human resource (HR) departments with malware that delivers a new EDR killer named BlackSanta.

Described as “sophisticated,” the campaign mixes social engineering with advanced evasion techniques to steal sensitive information from compromised systems.

It is unclear how the attack begins, but researchers at Aryaka, a network and security solutions provider, suspect that the malware is distributed via spear-phishing emails.

They believe that targets are directed to download ISO image files that appear as resumes and are hosted on cloud storage services, such as Dropbox.

One malicious ISO analyzed contained four files: a Windows shortcut (.LNK) disguised as a PDF file, a PowerShell script, an image, and a .ICO file.

The shortcut launches PowerShell and executes the script, which extracts data hidden in the image file using steganography and executes it in system memory.

The code also downloads a ZIP archive containing a legitimate SumatraPDF executable and a malicious DLL (DWrite.dll) to load using the DLL sideloading technique.
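The chain described above ends with a renamed-or-planted DWrite.dll sitting beside a legitimate SumatraPDF binary, which is the classic DLL sideloading layout. The following PowerShell hunt is an added example for defenders, not code from Aryaka's report or from the malware: it looks for DWrite.dll copies in user-writable locations, compares them against the System32 copy, checks their Authenticode status, and lists the executables next to them. The directory list, the use of SHA-256 hash comparison, and the signature check are assumptions about what a practitioner would want to see; adjust the roots for your environment.

```powershell
# Added hunting example (not from the report): find DWrite.dll copies planted next to
# an executable outside the Windows directory, the layout used for DLL sideloading.
# The roots scanned and the comparison against System32 are assumptions for illustration.

# Reference hash of the legitimate system library (assumes a standard Windows install).
$systemDll = Join-Path $env:SystemRoot 'System32\DWrite.dll'
$legitHash = (Get-FileHash -Algorithm SHA256 -Path $systemDll).Hash

# User-writable locations where a dropped ZIP is likely to be extracted.
$roots = @($env:USERPROFILE, $env:ProgramData, $env:TEMP)

$findings = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter 'DWrite.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            # Executables in the same directory are the likely sideloading hosts.
            $exes = Get-ChildItem -Path $_.DirectoryName -Filter '*.exe' -File -ErrorAction SilentlyContinue

            [pscustomobject]@{
                Path            = $_.FullName
                MatchesSystem   = ($hash -eq $legitHash)
                SignatureStatus = $sig.Status          # 'Valid' for the Microsoft-signed copy
                Signer          = $sig.SignerCertificate.Subject
                NeighbourExes   = ($exes.Name -join ', ')
                LastWrite       = $_.LastWriteTime
            }
        }
}

# Report only copies that differ from the system library: a DWrite.dll that is unsigned,
# differently signed, or simply not the Microsoft build next to a PDF reader is the lead.
$findings | Where-Object { -not $_.MatchesSystem } | Format-List
```

Run it with an account that can read the profiles you care about; on a fleet, wrap the same logic in your EDR's live-response or a scheduled collection rather than running it interactively. A copy that matches System32 byte for byte is not a finding on its own, which is why the hash comparison comes before the signature check.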

The malware fingerprints the system and sends the information to the command-and-control (C2) server, then runs extensive environment checks and stops executing if sandboxes, virtual machines, or debugging tools are detected.

It also modifies Windows Defender settings to weaken security on the host, performs disk-write tests, and then downloads additional payloads from the C2, which are executed inside legitimate processes via process hollowing.

BlackSanta EDR killer

A key component delivered in the campaign is an executable identified as the BlackSanta EDR killer, a module that silences endpoint security solutions before deploying malicious payloads.

BlackSanta adds Microsoft Defender exclusions for ‘.dls’ and ‘.sys’ files, and modifies a Registry value to reduce telemetry and automatic sample submission to Microsoft security cloud endpoints.
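Both Defender changes described in this article (the extension exclusions here and the earlier Defender tampering) are visible from the host with built-in cmdlets and the Defender event log. The following PowerShell audit is an added example for defenders, not code from the report or from BlackSanta: it lists extension exclusions, flags the two extensions named above, reads the cloud-reporting and sample-submission preferences, checks the corresponding policy keys, and pulls recent Defender configuration-change events. The registry paths and value names (`Spynet\SpynetReporting`, `Spynet\SubmitSamplesConsent`) are the standard Defender policy locations and are an assumption on my part; the article does not say which value the malware modifies.

```powershell
# Added audit example (not from the report): surface Defender exclusions and
# cloud/sample-submission changes of the kind described in the article.
# Registry locations and value names below are assumptions based on standard
# Defender policy layout; the article does not name the value BlackSanta changes.

$pref = Get-MpPreference

# 1. Extension exclusions. Entries may be stored with or without a leading dot.
$exclusions = @($pref.ExclusionExtension)
$flagged = $exclusions | Where-Object { $_ -match '^\.?(dls|sys)$' }

# 2. Cloud-delivered protection (MAPS) and automatic sample submission.
#    MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced
#    SubmitSamplesConsent: 0 = Always prompt, 1 = Send safe samples, 2 = Never send, 3 = Send all
$mapsWeak    = ($pref.MAPSReporting -eq 0)
$samplesWeak = ($pref.SubmitSamplesConsent -eq 2)

# 3. Policy registry keys that override the preferences above (assumed standard paths).
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet',
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Spynet'
)
$policyHits = foreach ($key in $policyKeys) {
    if (Test-Path $key) {
        $item = Get-ItemProperty -Path $key
        foreach ($name in 'SpynetReporting', 'SubmitSamplesConsent') {
            if ($null -ne $item.$name) {
                [pscustomobject]@{ Key = $key; Value = $name; Data = $item.$name }
            }
        }
    }
}

# 4. Defender event 5007 records configuration changes; pull the last 24 hours.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $since
} -ErrorAction SilentlyContinue

[pscustomobject]@{
    AllExtensionExclusions   = ($exclusions -join ', ')
    SuspiciousExclusions     = ($flagged -join ', ')
    MAPSReporting            = $pref.MAPSReporting
    SubmitSamplesConsent     = $pref.SubmitSamplesConsent
    CloudReportingWeakened   = ($mapsWeak -or $samplesWeak)
    PolicyOverrides          = $policyHits
    ConfigChangeEventsLast24h = $events.Count
} | Format-List

# Print the change events themselves so the analyst can see what was altered and when.
$events | Select-Object TimeCreated, Message | Format-List
```

Run this elevated; `Get-MpPreference` returns the effective values, while the policy keys show whether a change was made through the Group Policy path that survives a reboot. A `.sys` exclusion deserves attention on its own, since driver files are exactly what a kernel-level EDR killer needs to drop without being scanned.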

Irfan Latif