BlackSanta Malware Triggers EDR and AV Evasion Before Unleashing Payload


BlackSanta Malware Campaign Uncovered

A sophisticated malware campaign, likely originating from a Russian-speaking threat actor, has been uncovered.

Targeting Human Resources Departments

The campaign leverages social engineering tactics to trick victims into opening malicious attachments, specifically targeting the human resources (HR) department’s hiring process.

Malware Delivery and Execution

The malware, dubbed BlackSanta, is delivered via an ISO file containing four seemingly innocuous files. However, upon closer inspection, a security analyst would notice a suspicious 3KB PDF file and a PowerShell script.

The PDF file launches a command that runs PowerShell with a hidden window and the execution policy bypassed. That command in turn runs a script which extracts hidden data from a PNG image using least significant bit (LSB) steganography; the extracted data is decoded into a further PowerShell script, which is executed in memory.
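LSB steganography of the kind described above leaves a statistical trace that an analyst can test for without knowing the loader: after the lowest bit of every pixel has been overwritten with payload bits, the counts of neighbouring pixel values (2k and 2k+1) become almost equal, which the chi-square "pairs of values" check of Westfeld and Pfitzmann measures. The following is an added example, not code from the campaign or from the researchers who analysed it; the 64x64 grayscale cover image, the pseudo-random stand-in payload and the threshold of 3.0 are all constructed for the demonstration, and `extract_lsb` is the analyst-side counterpart of the recovery step the loader performs.

```python
"""Chi-square pairs-of-values check for LSB steganography (added example, not the
campaign's own loader). The cover image, payload and threshold below are constructed."""
import random
from collections import Counter

WIDTH, HEIGHT = 64, 64      # constructed 8-bit grayscale image, one byte per pixel
SUSPICIOUS_BELOW = 3.0      # normalised chi-square below which the LSB plane looks like random data


def make_cover_image():
    """Constructed cover: a repeating gradient whose LSBs are mostly 0, so the counts of
    neighbouring values (2k, 2k+1) are unbalanced, as they usually are in real photos."""
    pixels = []
    for y in range(HEIGHT):
        for x in range(WIDTH):
            v = ((x + y) * 7) % 251
            if (x * y) % 5 != 0:     # clear the LSB of most pixels
                v &= 0xFE
            pixels.append(v)
    return pixels


def embed_lsb(pixels, payload):
    """Classic LSB embedding: each pixel's lowest bit is replaced with one payload bit, MSB first."""
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit in the image")
    out = list(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return out


def extract_lsb(pixels, n_bytes):
    """Analyst-side recovery of n_bytes hidden with embed_lsb (the step the loader does in PowerShell)."""
    bits = [p & 1 for p in pixels[: n_bytes * 8]]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def pov_chi_square(pixels):
    """Pairs-of-values statistic: after LSB embedding the counts of 2k and 2k+1 converge, so the
    chi-square distance from 'equal counts' drops to about 1 per pair; untouched images score far higher."""
    counts = Counter(pixels)
    chi, pairs = 0.0, 0
    for k in range(128):
        even, odd = counts.get(2 * k, 0), counts.get(2 * k + 1, 0)
        total = even + odd
        if total == 0:
            continue
        expected = total / 2
        chi += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
        pairs += 1
    return chi / max(pairs, 1)


def lsb_plane_looks_random(pixels):
    """True when the pair counts are balanced enough to suggest an embedded payload."""
    return pov_chi_square(pixels) < SUSPICIOUS_BELOW


def make_payload(n_bytes=512):
    """Constructed stand-in for an encoded script: pseudo-random bytes from a fixed seed."""
    rng = random.Random(1)
    return bytes(rng.getrandbits(8) for _ in range(n_bytes))


def make_stego_image():
    """Cover image with the 512-byte payload written into all 4096 pixel LSBs."""
    return embed_lsb(make_cover_image(), make_payload())


if __name__ == "__main__":
    cover, stego = make_cover_image(), make_stego_image()
    print(f"cover chi-square per pair: {pov_chi_square(cover):.2f}")
    print(f"stego chi-square per pair: {pov_chi_square(stego):.2f}")
    print("recovered payload matches:", extract_lsb(stego, 512) == make_payload())
```

The statistic is most sensitive when the payload is compressed or encoded (near-random bits) and fills the image sequentially, which is exactly the case for a hidden script; a short plaintext payload placed in only part of the image will lower the score less, so in practice the check is run over successive slices of the pixel data rather than the whole image at once.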

System Information Collection and Payload Delivery

Once the script is executed, it collects basic system, user, and host context by reading environment variables. This information is used to build a unique fingerprint string that gives the attacker system and user context. Further payloads are then delivered by the command and control (C2) server; before they run, the script checks its environment and exits if it detects a Russian or CIS locale or language, a debugger, or a sandbox.

BlackSanta Component and Antivirus Evasion

The BlackSanta component is then injected, which enumerates running processes and compares each name against a hardcoded list of antivirus and EDR executables. When a match is found, it terminates the targeted process at the kernel level, bypassing standard protections.
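Two parts of the chain described on this page are visible in ordinary endpoint telemetry: the PowerShell launch with a hidden window and execution policy bypass (spawned by a document viewer, in this case from a PDF) and, shortly afterwards, the exit of an antivirus or EDR process that should never stop. The following detector is an added example, not a rule from the researchers or from any product; it runs over constructed Sysmon-style events (ID 1 process create, ID 5 process terminate) in a simplified pipe-separated form, and the host names, file paths, the `E:` drive, the parent-process list and the `edr_agent.exe` entry in the security-process watchlist are all assumptions for the demonstration.

```python
"""Detection over constructed Sysmon-style process events (added example, not telemetry from
the campaign). Flags the loader launch pattern and security-process exits that follow it."""
import re
from datetime import datetime, timedelta

# Constructed sample: timestamp|event_id|host|image|command_line|parent_image
# (Sysmon ID 1 = process create, ID 5 = process terminate). Hosts and paths are made up.
SAMPLE_EVENTS = r"""
2024-01-15T09:01:02|1|HR-WS01|C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe|"AcroRd32.exe" E:\candidate_cv.pdf|C:\Windows\explorer.exe
2024-01-15T09:01:05|1|HR-WS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File E:\loader.ps1|C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe
2024-01-15T09:01:40|5|HR-WS01|C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe||
2024-01-15T09:30:00|1|HR-WS02|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\scripts\backup.ps1|C:\Windows\System32\cmd.exe
2024-01-15T10:00:00|5|HR-WS02|C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe||
"""

PS_NAMES = {"powershell.exe", "pwsh.exe"}
DOCUMENT_VIEWERS = {"acrord32.exe", "acrobat.exe"}      # parents that should not be spawning PowerShell
SECURITY_PROCESSES = {"msmpeng.exe", "edr_agent.exe"}   # your own AV/EDR binaries; edr_agent.exe is a placeholder
# Common spellings of the two switches, including PowerShell's abbreviated parameter names.
HIDDEN_RE = re.compile(r"-(?:windowstyle|win|w)\s+hidden", re.I)
BYPASS_RE = re.compile(r"-(?:executionpolicy|exec|ep)\s+bypass", re.I)


def is_hidden_bypass(cmdline):
    """True when a PowerShell command line both hides its window and bypasses the execution policy."""
    return bool(HIDDEN_RE.search(cmdline) and BYPASS_RE.search(cmdline))


def parse_events(text):
    """Parse the pipe-separated sample into dicts; image names are lower-cased for matching."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, host, image, cmdline, parent = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(eid),
            "host": host,
            "name": image.rsplit("\\", 1)[-1].lower(),
            "cmdline": cmdline,
            "parent": parent.rsplit("\\", 1)[-1].lower(),
        })
    return events


def detect(events, window=timedelta(minutes=5)):
    """Return (host, time, reason) findings. Rule 1: hidden-window PowerShell with execution policy
    bypass, noted as worse when a document viewer is the parent. Rule 2: a watched security process
    terminates on the same host within `window` after a rule-1 hit; the exit is logged even when
    the kill itself (here a kernel-level one) is not."""
    findings, launches = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] == 1 and ev["name"] in PS_NAMES and is_hidden_bypass(ev["cmdline"]):
            reason = "hidden-window PowerShell with execution policy bypass"
            if ev["parent"] in DOCUMENT_VIEWERS:
                reason += f", spawned by document viewer {ev['parent']}"
            findings.append((ev["host"], ev["time"], reason))
            launches.append(ev)
        elif ev["event_id"] == 5 and ev["name"] in SECURITY_PROCESSES:
            for launch in launches:
                delta = ev["time"] - launch["time"]
                if launch["host"] == ev["host"] and timedelta(0) <= delta <= window:
                    findings.append((ev["host"], ev["time"],
                                     f"security process {ev['name']} terminated "
                                     f"{int(delta.total_seconds())}s after suspicious PowerShell launch"))
                    break
    return findings


if __name__ == "__main__":
    for host, when, reason in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{when.isoformat()} {host}: {reason}")
```

On the sample, the second workstation's scheduled PowerShell backup and the later Defender exit produce nothing, while the first workstation yields both findings. Rule 2 is the one worth keeping even if rule 1 is tuned down: an AV or EDR engine stopping outside of a patch or reboot window is rare enough that correlating it with any preceding suspicious launch on the same host costs little in false positives.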

Researchers’ Analysis

According to researchers, the campaign has been operational for a year, harvesting data and cryptocurrency artifacts. The attackers’ tactics, techniques, and procedures (TTPs) demonstrate a high level of sophistication, blending social engineering, living-off-the-land techniques, steganography, and kernel-level abuse to achieve stealthy persistence and credential theft. The researchers describe the campaign as “operationally disciplined intrusion engineering,” reflecting a mature adversary capable of evading detection.
