Threat Overview
The campaign masquerades as a French résumé, delivering a massive VBScript payload that pretends to be corrupted. The email lure references legitimate services such as Dropbox and mail.ru, creating a veneer of authenticity. Analysts should treat any unsolicited resume attachment as a high‑risk artifact.
Initial triage reveals a 97 MB file where only 266 lines perform functional work, the rest being filler. This size inflation is engineered to exceed typical sandbox memory limits and to cause timeout conditions. The discrepancy between file size and code density is a red flag for an obfuscated payload.
Obfuscation and Size Inflation Tactics
The script embeds random English sentences within comment blocks, inflating the source to 97 MB. Each comment line is padded with nonsense words that serve no operational purpose. This technique raises the entropy of the file, confusing signature pattern matching.
By dispersing the actual malicious logic across 266 lines, the authors create a thin functional core surrounded by massive inert data. The inert sections are deliberately crafted to defeat static analysis tools that impose line‑count thresholds. The result is a script that appears benign to heuristic engines while retaining its full capability.
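As an added defender-side triage example (not code from the original report), the following Python script classifies VBScript lines and flags a file whose bytes are almost entirely comment padding around a tiny functional core, the pattern described above. The two sample scripts and the two thresholds are constructed assumptions, not values measured from the campaign.

```python
"""Flag a VBScript whose bytes are mostly comment padding around a tiny
functional core. Sample scripts and thresholds are constructed for this
example, not taken from the analysed campaign."""
import re

# A VBScript comment line starts with an apostrophe or the Rem keyword.
_COMMENT = re.compile(r"^\s*(?:'|rem\b)", re.IGNORECASE)


def classify_lines(script: str) -> dict:
    """Count blank, comment and functional lines and the bytes held by comments."""
    stats = {"total": 0, "blank": 0, "comment": 0, "functional": 0,
             "comment_bytes": 0, "total_bytes": len(script.encode("utf-8"))}
    for line in script.splitlines():
        stats["total"] += 1
        if not line.strip():
            stats["blank"] += 1
        elif _COMMENT.match(line):
            stats["comment"] += 1
            stats["comment_bytes"] += len(line.encode("utf-8")) + 1  # +1 for newline
        else:
            stats["functional"] += 1
    return stats


def triage_vbs(script: str, max_functional_share: float = 0.10,
               min_comment_byte_share: float = 0.90) -> dict:
    """Return the line statistics plus a 'suspicious' verdict.

    The verdict fires when few lines do work and comments dominate the file
    size; the two thresholds are assumed starting points, not measured values.
    """
    s = classify_lines(script)
    functional_share = s["functional"] / s["total"] if s["total"] else 0.0
    comment_byte_share = min(1.0, s["comment_bytes"] / s["total_bytes"]) if s["total_bytes"] else 0.0
    s["functional_share"] = round(functional_share, 4)
    s["comment_byte_share"] = round(comment_byte_share, 4)
    s["suspicious"] = (functional_share <= max_functional_share
                       and comment_byte_share >= min_comment_byte_share)
    return s


# Constructed samples: one padded with 2000 filler comment lines, one ordinary.
FILLER = "' The quick brown fox considered the meaning of the autumn sky."
PADDED_SAMPLE = "\n".join(['Set objShell = CreateObject("WScript.Shell")', "' setup"]
                          + [FILLER] * 2000 + ["x = 1"])
BENIGN_SAMPLE = "\n".join(["' Prints a greeting", "Dim name",
                           'name = "analyst"', 'MsgBox "Hello, " & name'])

if __name__ == "__main__":
    for label, sample in (("padded", PADDED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage_vbs(sample))
```

On a real sample the same ratios are computed on the full attachment, so a 97 MB file with a few hundred working lines scores far below the functional-share threshold.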
Credential Harvesting Vectors
The payload leverages the mail.ru SMTP relay to exfiltrate harvested browser cookies and saved passwords. It constructs an SMTP message that embeds credential blobs, then dispatches it to a remote mail.ru server under the guise of a legitimate email. This channel bypasses typical network egress filters that block unknown ports.
In addition to SMTP, the dropper invokes WMI queries to enumerate stored Chrome and Edge profiles, extracting password databases and cookie stores. The collected artifacts are compressed with 7z before transmission, obscuring content signatures. Such multi‑stage extraction complicates incident response timelines.
Persistence Mechanisms and UAC Loop
Execution triggers a persistent User Account Control loop that repeatedly requests elevated rights until the victim consents. The loop manipulates the ShellExecute API to re‑invoke the script with admin privileges, effectively locking the user in a consent cycle. Each iteration logs a timestamp to the registry, providing a foothold for later re‑execution.
Before launching the mining component, the code performs a domain‑join check via WMI to confirm the host belongs to an enterprise Active Directory. This WMI query filters out home machines, reducing noise in the attackers' telemetry. The conditional branch ensures the payload only runs on targeted assets, conserving resources.
Defensive Countermeasures
Blue teams should institute strict execution policies that block VBScript from email attachments regardless of file extension. Deploying a file‑integrity monitor that flags sudden jumps in size beyond typical document thresholds can surface similar threats. Correlating outbound SMTP traffic with unusual mail.ru destination domains adds an extra verification layer.
Endpoint detection must include a rule that identifies the specific ShellExecute pattern used to spawn a UAC prompt in a loop. WMI calls that query domain membership can be isolated and evaluated in a sandbox to reduce false positives. Regularly rotating credentials for cloud storage services like Dropbox reduces the attack surface for staged cloud payloads.