DEV Community

Mark0
New ‘BlackSanta’ EDR killer spotted targeting HR departments

A sophisticated Russian-speaking threat actor has been targeting human resource departments for over a year, using a multi-stage infection chain to deploy a new EDR killer dubbed 'BlackSanta.' The campaign uses spear-phishing emails that direct targets to download malicious ISO files hosted on cloud services such as Dropbox, disguised as legitimate job applicant resumes.

The infection process employs advanced evasion techniques, including steganography, DLL sideloading, and process hollowing, to stay hidden. Once active, the BlackSanta module weakens host security by modifying Windows Defender settings and by using the 'Bring Your Own Vulnerable Driver' (BYOVD) technique: by loading vulnerable drivers such as RogueKiller and IObitUnlocker, the malware gains kernel-level access, which it uses to terminate security processes and bypass file locks.
