BlackSanta EDR Killer Targets HR Teams

The BlackSanta EDR killer is the centrepiece of a long-running campaign against HR teams. Researchers uncovered the activity only after months of investigation; by then the attackers had operated undetected for over a year.

The campaign targets human resources departments, whose staff routinely open resumes and other documents sent by strangers; the attackers abuse that workflow to deliver malware. Researchers assess the threat actor to be Russian-speaking. The operation pairs social engineering with stealthy malware tooling, so victims install the attackers' tools without realizing it.

Phishing Lures Used in HR Attacks

The attack likely begins with spear-phishing emails aimed at HR staff reviewing job applications, for example a message containing a link to download a candidate's resume.

The link leads to an ISO image file that poses as the resume but actually carries the malware. Researchers say the attackers host these files on legitimate cloud storage services, so the links look benign, pass basic URL filtering, and are readily trusted by users. Windows mounts an ISO with a double click, and files inside a mounted image have historically not carried the Mark-of-the-Web that triggers SmartScreen and Protected View warnings, which is a large part of the format's appeal to attackers.

Hidden Malware Inside Resume Files

One analyzed ISO contained three components: a Windows shortcut (.lnk) file disguised as a PDF, a PowerShell script, and an image file.

Opening the fake PDF shortcut launches PowerShell, which runs the script. The script extracts a payload hidden inside the image file (steganography) and loads it directly into memory, so the payload is never written to disk as a conventional executable and file-based scanners have nothing to inspect. The infection then continues silently in the background.
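As an added example (not code from the original report or the researchers' tooling), the following Python triages the files extracted from such an ISO for the three indicators described above: a shortcut named like a document, a shortcut whose arguments invoke PowerShell, and an image carrying data after its end-of-image marker. The report does not say how the payload is embedded in the image; the appended-trailer variant checked here is an assumption chosen because it is common and cheap to verify, and pixel-level (LSB) embedding would not be caught by this check. All file contents are constructed.

```python
import re
import struct
import zlib

# Added example, not code from the original report: static triage of the files
# extracted from a suspicious ISO for the indicators the analyzed lure showed.
# All sample file contents below are constructed.

# Shell Link header: HeaderSize 0x4C followed by the ShellLink CLSID
# {00021401-0000-0000-C000-000000000046}.
LNK_MAGIC = bytes.fromhex("4c000000 01140200 00000000 c0000000 00000046")
PNG_SIG = b"\x89PNG\r\n\x1a\n"
# A document-looking extension immediately before .lnk is the classic disguise.
DOC_MASQUERADE = re.compile(r"\.(pdf|docx?|xlsx?|rtf|txt)\.lnk$", re.IGNORECASE)


def png_end_offset(data: bytes):
    """Offset just past the IEND chunk, or None if this is not a PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        pos += 12 + length  # length + type + body + CRC
        if ctype == b"IEND":
            return pos
    return None


def jpeg_end_offset(data: bytes):
    """Walk marker segments to SOS, then find the EOI that ends the scan data.

    Walking segments instead of searching for FF D9 from the start skips EXIF
    thumbnails, which carry their own SOI/EOI pair inside the APP1 segment.
    """
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # standalone markers
            pos += 2
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:  # SOS: entropy-coded data follows, ending at FF D9
            eoi = data.find(b"\xff\xd9", pos + 2 + seg_len)
            return None if eoi == -1 else eoi + 2
        pos += 2 + seg_len
    return None


def trailing_payload(data: bytes) -> bytes:
    """Bytes appended after a PNG or JPEG end marker (the simplest stego variant)."""
    end = png_end_offset(data)
    if end is None:
        end = jpeg_end_offset(data)
    return data[end:] if end is not None else b""


def mentions_powershell(data: bytes) -> bool:
    """LNK arguments are stored as UTF-16LE, so check both encodings."""
    low = data.lower()
    return b"powershell" in low or "powershell".encode("utf-16-le") in low


def triage_iso_contents(files: dict) -> list:
    """Return (file name, finding, detail) tuples for each indicator found."""
    findings = []
    for name, data in files.items():
        if data.startswith(LNK_MAGIC):
            if DOC_MASQUERADE.search(name):
                findings.append((name, "lnk-masquerade", "shortcut named like a document"))
            if mentions_powershell(data):
                findings.append((name, "lnk-powershell", "shortcut launches PowerShell"))
        if name.lower().endswith(".ps1"):
            findings.append((name, "script", "PowerShell script shipped with the lure"))
        extra = trailing_payload(data)
        if extra:
            findings.append((name, "image-trailer", f"{len(extra)} bytes after image end marker"))
    return findings


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def build_samples() -> dict:
    """Constructed ISO contents: a stub PNG with a 64-byte trailer, a clean JPEG, a LNK, a script."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    png = PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IEND", b"") + b"\x90" * 64
    jpeg = (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
            + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34" + b"\xff\xd9")
    lnk = LNK_MAGIC + b"\x00" * 56 + "powershell -w hidden -ep bypass -f loader.ps1".encode("utf-16-le")
    return {
        "Resume_Jane_Doe.pdf.lnk": lnk,
        "loader.ps1": b"# constructed placeholder, not the real script\n",
        "photo.png": png,
        "logo.jpg": jpeg,
    }


if __name__ == "__main__":
    for name, kind, detail in triage_iso_contents(build_samples()):
        print(f"{name:26} {kind:16} {detail}")
```

On a real image, mount it read-only (or extract it with 7-Zip) on an analysis host rather than double-clicking it, and read the file contents into the dictionary; the checks are on bytes, so nothing here depends on Windows. A clean JPEG (`logo.jpg` above) produces no finding, which is the control that keeps the trailer check honest.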

DLL Sideloading Expands the Attack

After the initial execution, the malware downloads a second package: an archive containing a legitimate document viewer program bundled with a malicious DLL.

This is DLL sideloading: the legitimate application is started and, following the normal Windows DLL search order, loads the attacker's DLL from its own directory in place of the genuine library. Because the malicious code then runs inside a legitimate process, it inherits that process's reputation with security products, which is what lets it slip past defenses.

The sideloaded code then fingerprints the host, collecting details about the operating system and hardware, and sends them to a command-and-control server.

Evasion Techniques to Avoid Detection

Before going further, the malware runs environment checks, looking for signs of a virtual machine or attached debugging tools, and exits if it finds any. This frustrates sandbox detonation and manual analysis alike.

If the environment looks like a real victim, it proceeds to weaken the host's security posture, for example by modifying antivirus configuration, and runs disk-write tests and other checks to confirm that it can operate reliably. These steps are what give the attackers dependable, lasting access to the machine.

BlackSanta Disables Security Tools

The campaign's key payload is the BlackSanta EDR killer, a module that disables endpoint detection and response (EDR) products so that further malware can be deployed without being detected.

BlackSanta changes system settings to reduce security monitoring and suppresses system notifications, so users see fewer warnings about suspicious activity. It then enumerates running processes, compares their names against a built-in list of security products, and terminates any that match.

Kernel-Level Control Through Drivers

The campaign also downloads additional drivers to gain kernel-level access that user-mode code cannot achieve. One driver allows kernel memory to be read and manipulated; another unlocks files and processes held by other software. Together they give the attackers the privileges needed to defeat protections that ordinary user-mode tampering cannot touch. Windows only loads signed kernel drivers, which is why attackers reach for existing signed third-party drivers that expose such capabilities rather than writing their own.
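The execution, sideloading, EDR-killer and driver stages described above each leave a distinct trace in endpoint telemetry. As an added example (not code from the original report), the following Python encodes one detection rule per stage and runs them over constructed Sysmon-style events. Sysmon event IDs and field names are real; the paths, hashes, process names, the registry values (which the report does not name) and the blocklist entry are assumptions made up for this example.

```python
import re

# Added example, not code from the original report: one detection rule per
# stage of the chain, run over constructed Sysmon-style events. Sysmon event IDs
# and field names are real; every path, hash, process name and value in the
# sample data is constructed for this example.

SECURITY_PROCESSES = {"msmpeng.exe", "mssense.exe", "csfalconservice.exe", "sentinelagent.exe"}
OS_ACCESSORS = {"csrss.exe", "services.exe"}  # may legitimately hold PROCESS_TERMINATE
PROCESS_TERMINATE = 0x0001
USER_WRITABLE = re.compile(r"^c:/(users/[^/]+/(appdata|downloads|desktop)|programdata|windows/temp)/")
# Assumed tamper targets: the report says BlackSanta changes AV settings and
# suppresses notifications but does not name the exact registry values.
TAMPER_VALUES = (
    "windows defender/real-time protection/disablerealtimemonitoring",
    "windows defender security center/notifications/disablenotifications",
)
DRIVER_BLOCKLIST = {"SHA256=" + "ab" * 32}  # constructed stand-in for a loldrivers.io-style feed


def norm(path: str) -> str:
    """Lower-case with forward slashes so the rules run on any analysis host."""
    return path.replace("\\", "/").lower()


def base(path: str) -> str:
    return norm(path).rsplit("/", 1)[-1]


def parent(path: str) -> str:
    return norm(path).rsplit("/", 1)[0]


def rule_powershell_from_shortcut(ev):
    # Event 1: explorer.exe (a double-clicked .lnk) starts PowerShell with hidden/bypass flags.
    if ev["EventID"] != 1 or base(ev["Image"]) not in ("powershell.exe", "pwsh.exe"):
        return None
    cmd = ev["CommandLine"].lower()
    flags = ("-w hidden", "-windowstyle hidden", "-ep bypass", "-executionpolicy bypass", " -enc")
    if base(ev["ParentImage"]) == "explorer.exe" and any(f in cmd for f in flags):
        return "powershell-from-shortcut"
    return None


def rule_sideload(ev):
    # Event 7: a program in a user-writable directory loads an unsigned DLL from its own directory.
    if ev["EventID"] != 7 or ev["Signed"] != "false":
        return None
    if USER_WRITABLE.match(norm(ev["Image"])) and parent(ev["Image"]) == parent(ev["ImageLoaded"]):
        return "dll-sideload-candidate"
    return None


def rule_tamper(ev):
    # Event 13: a value that disables AV real-time protection or its notifications is set to 1.
    if ev["EventID"] != 13 or ev["EventType"] != "SetValue":
        return None
    target = norm(ev["TargetObject"])
    if any(v in target for v in TAMPER_VALUES) and "0x00000001" in ev["Details"]:
        return "security-tamper"
    return None


def rule_edr_kill(ev):
    # Event 10: a non-OS process opens a security product's process with PROCESS_TERMINATE.
    if ev["EventID"] != 10 or base(ev["TargetImage"]) not in SECURITY_PROCESSES:
        return None
    if int(ev["GrantedAccess"], 16) & PROCESS_TERMINATE and base(ev["SourceImage"]) not in OS_ACCESSORS:
        return "edr-terminate-attempt"
    return None


def rule_driver(ev):
    # Event 6: driver load that is unsigned, fails signature validation, or is blocklisted.
    if ev["EventID"] != 6:
        return None
    sha256 = next((h for h in ev["Hashes"].split(",") if h.startswith("SHA256=")), "")
    if ev["Signed"] != "true" or ev["SignatureStatus"] != "Valid" or sha256 in DRIVER_BLOCKLIST:
        return "suspicious-driver-load"
    return None


RULES = (rule_powershell_from_shortcut, rule_sideload, rule_tamper, rule_edr_kill, rule_driver)


def triage_events(events) -> list:
    """Return (rule name, offending image) for every event that trips a rule."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append((hit, ev.get("Image") or ev.get("SourceImage") or ev.get("ImageLoaded")))
    return alerts


VIEWER = r"C:\Users\hr\AppData\Roaming\Viewer\viewer.exe"  # constructed drop location
SAMPLE_EVENTS = [  # constructed, in the order the chain would produce them
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -w hidden -ep bypass -f D:\loader.ps1"},
    {"EventID": 7, "Image": VIEWER, "ImageLoaded": r"C:\Users\hr\AppData\Roaming\Viewer\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 13, "EventType": "SetValue", "Image": VIEWER, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"EventID": 10, "SourceImage": VIEWER, "GrantedAccess": "0x1FFFFF",
     "TargetImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MsMpEng.exe"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\helper.sys", "Signed": "true",
     "SignatureStatus": "Valid", "Signature": "Example Vendor", "Hashes": "SHA256=" + "ab" * 32},
    # two benign events that must not fire
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "powershell.exe Get-Date"},
    {"EventID": 7, "Image": r"C:\Program Files\Viewer\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for rule, image in triage_events(SAMPLE_EVENTS):
        print(f"{rule:26} {image}")
```

Against real telemetry the sideload and driver rules are the noisiest (legitimate software in user directories loads its own unsigned helper DLLs, and vendors ship drivers with unfamiliar signers), so they work better as hunting queries than as paging alerts. The Event 10 rule is the high-fidelity one: outside the product's own components and the OS, nothing has a reason to request PROCESS_TERMINATE on a security product's process, and a hit should be treated as an EDR-killer in progress.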

Researchers credit the actor's strong operational security, and an infection chain that adapts to each environment it lands in, for the campaign staying hidden for so long.

How to Prevent BlackSanta Malware Attacks

Organizations should train HR staff to treat resume attachments with suspicion: a genuine resume arrives as a PDF or Word document, never as an ISO image or a shortcut file, and files of those types from unknown senders should not be opened at all. User awareness alone is not enough, though.

Companies should also deploy endpoint detection and monitoring that flags unusual PowerShell activity (for example, PowerShell launched from a shortcut inside a mounted image) and suspicious process behaviour such as tampering with security products or loading unexpected drivers. Enable the tamper-protection features your EDR or antivirus offers, so that a payload running with administrator rights cannot simply change the product's settings or stop its processes. Regular vulnerability assessments help identify weakly protected endpoints. Together these measures give organizations a chance to stop stealthy campaigns like this one before they spread.
