New York: Researchers at the cyber intelligence platform Cypherma have uncovered a highly dangerous cyberattack that targets Windows systems through fake JPEG images.
In the campaign, dubbed ‘Operation Silent Canvas’, attackers gain complete and silent control of victims’ computers by running hidden PowerShell scripts disguised as harmless-looking images.
The attack begins when a user receives a file that looks like an ordinary image, sysupdate.jpeg. Although it appears to be a JPEG, it actually contains a PowerShell script that silently runs on the system and paves the way for downloading further malware.
Notably, the malware does not store its malicious commands directly in files; it generates them at runtime so that antivirus and other security tools cannot catch them. It then downloads a second hidden payload, access.jpeg, and executes it directly in memory.
More dangerously, a custom launcher called uds.exe is also built on the infected computer using Microsoft's own .NET compiler, csc.exe.
Once the launcher is activated, the malware hijacks the registry key associated with the ms-settings protocol and creates a hidden desktop environment in which all of the malicious activity continues in the background, out of the user's sight.
Alongside this, a persistent Windows service called OneDrive Servers is created, allowing the malware to remain silently active even after the computer is restarted and keeping the attacker in control.
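As an added defender-side example (not code from Cypherma's report), the following Python triages constructed telemetry for the behaviours described above: a '.jpeg' file without the JPEG header, csc.exe emitting an executable, a write under the ms-settings protocol key, and a service named OneDrive Servers. The record shape, rule names and the C:\Users\Public paths are assumptions made for this example.

```python
"""Triage helpers for the behaviours described in the report: a '.jpeg' that is
not a JPEG, csc.exe emitting an executable, a write under the ms-settings protocol
key, and a service named 'OneDrive Servers'. All sample data below is constructed."""
import re

JPEG_SOI = b"\xff\xd8\xff"  # every real JPEG starts with the Start-Of-Image marker
PS_HINTS = re.compile(r"(?i)\b(powershell|Invoke-Expression|iex|FromBase64String)\b")


def classify_image_file(name: str, data: bytes) -> str:
    """'jpeg' for a genuine JPEG; 'fake_jpeg_script' for an image-named file holding
    PowerShell-looking text; 'fake_jpeg_other' when it is neither; 'not_an_image_name' otherwise."""
    if data.startswith(JPEG_SOI):
        return "jpeg"
    if not name.lower().endswith((".jpg", ".jpeg")):
        return "not_an_image_name"
    text = data.decode("utf-8", errors="ignore")
    return "fake_jpeg_script" if PS_HINTS.search(text) else "fake_jpeg_other"


def triage_events(events: list) -> list:
    """Match process/registry/service records against the chain in the report and
    return the names of the rules that fired, in event order."""
    hits = []
    for ev in events:
        kind, image = ev["type"], ev.get("image", "").lower()
        cmd = ev.get("cmdline", "").lower()
        out = re.search(r"/out:(\S+)", cmd)  # /out: is csc's real output switch
        if kind == "process" and image.endswith("csc.exe") and out and out.group(1).endswith(".exe"):
            hits.append("csc_compiles_exe")
        if kind == "process" and image.endswith("powershell.exe") and re.search(r"\.jpe?g\b", cmd):
            hits.append("powershell_touches_jpeg")  # PowerShell handed an 'image' file
        if kind == "registry" and "\\classes\\ms-settings" in ev.get("key", "").lower():
            hits.append("ms_settings_key_modified")  # protocol handler hijack from the report
        if kind == "service" and ev.get("name", "").lower() == "onedrive servers":
            hits.append("onedrive_servers_service")  # persistence name from the report
    return hits


# Constructed sample telemetry; the C:\Users\Public paths are assumptions, not from the report.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r"csc.exe /out:C:\Users\Public\uds.exe launcher.cs"},
    {"type": "registry", "key": r"HKCU\Software\Classes\ms-settings", "value": r"C:\Users\Public\uds.exe"},
    {"type": "service", "name": "OneDrive Servers", "image": r"C:\Users\Public\uds.exe"},
    {"type": "process", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

if __name__ == "__main__":
    print(classify_image_file("sysupdate.jpeg", b"$p = Get-Content access.jpeg; Invoke-Expression $p"))
    print(triage_events(SAMPLE_EVENTS))  # the constructed events fire three of the four rules
```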