Click me to the moon: counterfeit invoice archive contains JavaScript dropper and leads to host compromise

Introduction

During my daily blue-team operations I stumbled across a lightning-fast infection chain. It all started with a suspicious attachment received via e-mail from a compromised supplier address. Since the installed security solution blocked only the first-stage payload, I took charge of the alerts and decided to deep dive and analyze the sample.

Analysis

The initial access vector is a .zip archive, downloaded from the web, containing the following files:...

October 26, 2023 · 3 min · Me