Since our last blog post, the malware's developer has changed the structure of the initial script in order to better evade antivirus software. At the time of this report the malicious file is blacklisted by only 3 engines:
The final stage of the malware is virtually unchanged, except for the new C2 addresses, which appear to be compromised legitimate websites:
The final stage of the threat, as observed by Minerva Labs, is a PowerShell script that loads .NET code in-memory from the registry, exactly like the previous version of the malware. Another update is the use of process hollowing against the legitimate Windows process "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe".
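As an added hunting example (not code from Minerva Labs or from the report), the following PowerShell looks for the two traits described above on a host: registry values holding a base64-encoded PE, which is how the in-memory .NET stage is stored, and running instances of ImagingDevices.exe together with their parent process, since a scripting host as parent does not fit the legitimate Photo Viewer tool. The registry roots scanned, the minimum value size and the parent-process heuristic are assumptions; the report does not name the exact key.

```powershell
function Find-RegistryPayload {
    param(
        # Assumption: the report does not name the key, so scan the common Software hives
        [string[]]$Roots = @('HKCU:\Software', 'HKLM:\Software'),
        # Assumption: a .NET assembly is far larger than ordinary configuration strings
        [int]$MinLength = 4096
    )
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                $raw = $key.GetValue($name)
                $bytes = $null
                if ($raw -is [byte[]]) {
                    $bytes = $raw                      # REG_BINARY: inspect as-is
                } elseif ($raw -is [string] -and $raw.Length -ge $MinLength) {
                    try { $bytes = [Convert]::FromBase64String($raw.Trim()) } catch { continue }
                } else { continue }
                # A PE image starts with 'MZ'; a .NET assembly also carries the 'BSJB' metadata signature
                if ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) {
                    $text = [Text.Encoding]::ASCII.GetString($bytes)
                    [pscustomobject]@{
                        Key      = $key.Name
                        Value    = $name
                        Size     = $bytes.Length
                        IsDotNet = $text.Contains('BSJB')
                    }
                }
            }
        }
    }
}

function Get-ImagingDevicesProcess {
    # Lists every ImagingDevices.exe instance with its parent, so an analyst can spot one
    # spawned by powershell.exe rather than launched through the Photo Viewer UI (assumption).
    Get-CimInstance Win32_Process -Filter "Name = 'ImagingDevices.exe'" | ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        [pscustomobject]@{
            Pid         = $_.ProcessId
            Path        = $_.ExecutablePath
            Parent      = $parent.Name
            CommandLine = $_.CommandLine
        }
    }
}

Find-RegistryPayload       | Format-Table -AutoSize
Get-ImagingDevicesProcess  | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so HKLM subkeys are readable; an `MZ` hit with `IsDotNet` set to `True` is what an in-registry .NET payload looks like and warrants pulling the value for analysis.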
Minerva prevents these targeted attacks with our Memory Injection Prevention module: