At CYFIRMA, we are dedicated to providing current insights into prevalent threats and strategies utilized by malicious entities, targeting both organizations and individuals. This in-depth examination focuses on Sync-Scheduler stealer, a malware that specifically targets documents, and has been designed with anti-analysis capabilities.
The research explores the evasion tactics employed by threat actors, while also illuminating the procedures involved in crafting resilient malware payloads. Significantly, the report underscores the adaptive characteristics of these threats, emphasizing the imperative for enhanced security protocols and user vigilance to effectively mitigate associated risks.
This study provides a detailed overview of Sync-Scheduler, a potent malware written in C++ with defense-evasion and anti-analysis capabilities. It explores how Sync-Scheduler works, how it avoids detection, and how its payload is assembled. It also highlights how such threats keep changing and why better security controls and user awareness are needed to stay safe from these attacks.
KEY FINDINGS
- Sync-Scheduler stealer is being distributed as an embedded component in an Office document file.
- File-nesting is used to hide the malware code within a PowerPoint presentation that is embedded in a Word document.
- Malware code is hidden under the page title of the first slide of the PowerPoint presentation.
- The title of the PowerPoint presentation file contains a fraction of the malware code.
- Malware code is encoded in Base-64 and VBA macros leverage Task Scheduler to decode, generate, and execute the malware.
- Sync-Scheduler targets documents in the user directories (e.g. Documents, Downloads and Desktop).
- The target file types are Word documents, Excel spreadsheets, PowerPoint presentations, PDFs and ZIP files.
- It copies the target files into a OneDrive folder under the user’s “AppData\Roaming” directory and replaces each file’s extension with a string specific to its file type.
- It exfiltrates the files over the network as form-data.
- Sync-Scheduler is equipped with anti-analysis capabilities and terminates the process if the analysis environment is detected.
- The threat actor associated with Sync-Scheduler has been actively operating since at least November 2023.
- An older version of the malware targets more file types including images, text, and other compressed archive formats.
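A defender-side triage check for the file-nesting described in the findings above, written for this page and not part of CYFIRMA's report or tooling: it walks a .docx, treats any zip-formatted member as a nested Office package, and flags long Base64-looking runs in slide text and in the presentation title. The sample document is constructed inline, and the embedding member name is an assumption.

```python
import base64
import io
import re
import zipfile

# Runs of 40+ Base64-alphabet characters; the threshold is a constructed triage heuristic.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
SLIDE_TEXT = re.compile(r"<a:t[^>]*>([^<]*)</a:t>")
CORE_TITLE = re.compile(r"<dc:title>([^<]*)</dc:title>")

def scan_presentation(pptx_bytes, origin):
    # Returns (origin, member, run) for Base64-looking runs in slide text or the file title.
    hits = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as pptx:
        for member in pptx.namelist():
            if re.fullmatch(r"ppt/slides/slide\d+\.xml", member):
                texts = SLIDE_TEXT.findall(pptx.read(member).decode("utf-8", "replace"))
            elif member == "docProps/core.xml":
                texts = CORE_TITLE.findall(pptx.read(member).decode("utf-8", "replace"))
            else:
                continue
            for text in texts:
                hits += [(origin, member, m.group(0)) for m in B64_RUN.finditer(text)]
    return hits

def scan_docx(docx_bytes):
    # Any zip-formatted member of the .docx is treated as a nested Office package and scanned.
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as docx:
        for member in docx.namelist():
            data = docx.read(member)
            if data[:2] == b"PK" and zipfile.is_zipfile(io.BytesIO(data)):
                hits += scan_presentation(data, member)
    return hits

def build_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample: harmless text encoded to stand in for the hidden Base64 fragments.
BLOB = base64.b64encode(b"constructed sample text standing in for the hidden fragment").decode()
SAMPLE_PPTX = build_zip({
    "ppt/slides/slide1.xml": f"<p:sp><p:txBody><a:p><a:r><a:t>{BLOB}</a:t></a:r></a:p></p:txBody></p:sp>",
    "docProps/core.xml": f"<cp:coreProperties><dc:title>{BLOB}</dc:title></cp:coreProperties>"})
# The embedding member name is an assumption; the scanner does not depend on it.
SAMPLE_DOCX = build_zip({"word/document.xml": "<w:document/>",
                         "word/embeddings/Microsoft_PowerPoint_Presentation.pptx": SAMPLE_PPTX})
```

Running scan_docx(SAMPLE_DOCX) reports one hit in the slide text and one in the presentation title; a real-world threshold should be tuned against benign decks, since long product keys or URLs can also match.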