Deceptive Bytes’ research team detected in recent days a wave of attacks on European organizations. While the attacks are not that sophisticated, they employ social engineering to make users run a WSF script file from a zip file. The script compromises the system and downloads a second-stage payload using a PowerShell script that is launched via a shortcut file, in order to mask the origin of the execution.
An example of a WSF payload
As seen in the example, the shortcut’s target executable is PowerShell (in red), which is used to download the second-stage payload. The URL (in orange) is written in reverse, and the script uses VBScript’s StrReverse function (in blue) to restore it at run time; it then uses the saved shortcut to call the payload.
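The reversed-string trick described above is easy to undo during analysis. The following Python script is an added example, not code from Deceptive Bytes or from the sample itself: it scans WSF/VBScript text for `StrReverse("...")` literals, reverses each one, and flags the file when a decoded string is a URL and the script also references PowerShell or creates a shortcut. The embedded WSF snippet is a constructed stand-in with a placeholder URL (`example.invalid`), not the real fiscale.wsf.

```python
import re

# Constructed sample mimicking the pattern in the post (placeholder URL, not the real fiscale.wsf).
SAMPLE_WSF = '''<job id="t">
<script language="VBScript">
Dim sh, lnk, u
Set sh = CreateObject("WScript.Shell")
u = StrReverse("1sp.egatsdnoces/dilavni.elpmaxe//:sptth")
Set lnk = sh.CreateShortcut("tmp.lnk")
lnk.TargetPath = "powershell.exe"
</script>
</job>'''

# VBScript is case-insensitive, so match StrReverse/strreverse/STRREVERSE alike.
# This handles plain string literals; literals containing doubled quotes are not covered.
STRREVERSE_RE = re.compile(r'StrReverse\s*\(\s*"([^"]*)"\s*\)', re.IGNORECASE)
URL_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)


def decode_strreverse_literals(text):
    """Return (obfuscated, decoded) pairs for every StrReverse("...") literal in the text."""
    return [(lit, lit[::-1]) for lit in STRREVERSE_RE.findall(text)]


def analyse_wsf(text):
    """Summarise indicators a triage analyst would want from a WSF/VBScript sample."""
    decoded = decode_strreverse_literals(text)
    urls = [plain for _, plain in decoded if URL_RE.match(plain)]
    indicators = {
        "strreverse_literals": len(decoded),
        "decoded_urls": urls,
        "mentions_powershell": bool(re.search(r"powershell", text, re.IGNORECASE)),
        "creates_shortcut": bool(re.search(r"\.CreateShortcut\s*\(", text, re.IGNORECASE)),
    }
    # A reversed URL combined with a PowerShell reference is the combination described in the post.
    indicators["suspicious"] = bool(urls) and indicators["mentions_powershell"]
    return indicators


if __name__ == "__main__":
    for obf, plain in decode_strreverse_literals(SAMPLE_WSF):
        print(f"{obf!r} -> {plain!r}")
    print(analyse_wsf(SAMPLE_WSF))
```

Run it against any saved `.wsf` or `.vbs` file by passing the file contents to `analyse_wsf`; the decoded URL list is what you would feed into blocklists or proxy-log searches, while the `suspicious` flag only combines the two indicators the post describes and should not be read as a verdict on its own.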
How Deceptive Bytes prevents such attacks
Deceptive Bytes’ platform blocks all unapproved scripts, reducing the attack surface on computers and servers in the enterprise.
Here’s a screenshot from one of our customers
SHA2-256 hashes (fiscale.wsf)