The blog post by Xavier Mertens discusses a newly discovered malware delivery technique in which a malicious JavaScript payload is hidden inside an MSI-branded JPEG file. The payload is delivered through a WeTransfer link and executes PowerShell commands that decode further malicious content. The obfuscation method is ROT13, which conceals the command that fetches a .NET DLL designed to manage the Windows Task Scheduler. The attacker relies on legitimate cloud services to host the payloads. The article highlights the ongoing evolution of malware delivery techniques and hints at further analysis to come.
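A small triage script, added here as an example and not taken from Mertens' post, that shows how an analyst can check whether a JPEG carries data after its End-Of-Image marker and ROT13-decode any quoted strings found there. It assumes the script payload is appended after the EOI marker (the post does not specify where the payload sits), and the JPEG bytes and the obfuscated string are constructed for this example.

```python
import codecs
import re

# Constructed sample: a minimal JPEG (SOI + one APP0/JFIF segment + EOI) with a
# script-like trailer appended after EOI. The trailer and the ROT13 string are
# constructed for this example, not taken from the real sample.
SOI, EOI = b"\xff\xd8", b"\xff\xd9"
APP0 = b"\xff\xe0" + (2 + 14).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
CLEAN_JPEG = SOI + APP0 + EOI
ROT13_CMD = codecs.encode("powershell placeholder-command", "rot_13")  # constructed
TAMPERED_JPEG = CLEAN_JPEG + b"<script>var c='" + ROT13_CMD.encode() + b"';</script>"

SCRIPT_HINTS = re.compile(rb"<script|powershell|eval\(|ActiveXObject", re.IGNORECASE)


def jpeg_trailer(data: bytes) -> bytes:
    """Walk the JPEG marker segments and return any bytes that follow the EOI marker."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"marker expected at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                  # EOI: everything after it is a trailer
            return data[pos + 2:]
        if marker == 0xDA:                  # SOS: entropy data is byte-stuffed (FF00),
            end = data.find(EOI, pos)       # so the next FFD9 really is the EOI
            return b"" if end == -1 else data[end + 2:]
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seglen = int.from_bytes(data[pos + 2:pos + 4], "big")  # length includes itself
        pos += 2 + seglen
    return b""


def triage(data: bytes) -> dict:
    """Report trailer size, whether it looks like script, and ROT13 views of quoted strings."""
    trailer = jpeg_trailer(data)
    quoted = re.findall(rb"'([^']+)'", trailer)
    return {
        "trailer_bytes": len(trailer),
        "script_like": bool(SCRIPT_HINTS.search(trailer)),
        "rot13_strings": [codecs.decode(s.decode("latin-1"), "rot_13") for s in quoted],
    }
```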
Malware hides in MSI branded JPEG via WeTransfer link
Article by CyberSIXT