LevelBlue SpiderLabs’ Cyber Threat Intelligence Team continues to observe a progressive convergence between traditional cybercrime activity and attacks targeting cryptocurrency users.

Overview

Recent reporting has identified a trojanized version of the CPUID HWMonitor installer being used to deliver a multi-stage, fileless malware chain leveraging trusted Windows binaries. Upon execution, the installer initiates a sequence involving PowerShell, MSBuild, and regsvr32, ultimately leading to the execution of malicious scriptlet files such as Clippy.sct and a secondary launcher scriptlet. These scriptlets utilize ActiveX (WScript.Shell) to silently invoke:

Recently LevelBlue SpiderLabs initiated an investigation into a multi-stage malware delivery campaign initially identified from LevelBlue’s MDR SOC through a SentinelOne detection of a suspicious Visual Basic Script (VBS) file.