Hackers love music too; at least this one hacker who used Drake’s popular song “In My Feelings” lyrics to drop a malware surely loves hip hop. As disclosed by AppRiver, a cybersecurity company, a malware campaign spreading through Powerpoint had the lyrics hidden inside a Powershell command.
The hacker in question going by the alias “Master X” drops either Lokibot malware or Azorult malware depending upon the user he’s targeting. Lokibot is an information stealer, whereas, Azorult is a remote access trojan (RAT) that infects computers.
The attack is initiated with an email that disguises itself as a corporate mail to target enterprises. The email contains malicious Powerpoint attachments like the one given in the screenshot below:
When a user opens the attachment, a heavily obfuscated visual basic script runs. This script uses Microsoft HTML application host (mshta.exe) to redirect to a Bitly shortened URL (hxxp://j.mp?*) to evade security mechanisms deployed in the browser.
The next step involves terminating Excel or Word (if running) using the following command:
“C:WindowsSystem32cmd.exe” /c taskkill /f /im excel.exe & taskkill /f /im winword.exe
Next, a scheduled task is created that reaches Pastebin URL every 60 minutes to retrieve a script that decides whether the user will be targeted with Lokibot or Azorult payload.
When the script is decoded and translated into a PowerShell script, it contains a reference to Drake’s popular “In My Feelings” song’s lyrics. The hacker used the lyrics in the invoke expression cmdlet.
The script downloads a malicious executable file named calc.exe, which infects the users’ PC.
It is not sure whether the malware is successful or not as it has not infected a large number of people as of now.
However, the hacker surprised everyone with his humor and wit to add Drake’s lyrics as calling card in the malware.