09-03-2018, 07:24 AM
In The Name OF Allah
Al-Salam Alelkum
![[Image: New-Project.jpg]](https://i2.wp.com/gbhackers.com/wp-content/uploads/2018/09/New-Project.jpg)
Quote:Attackers use to deliver a shortcut file (.lnk) through URL or link in email or as an attachment, once the user opens the file contains a WMIC command, it downloads the malicious file from the attacker’s remote server. The file downloaded from the remote server is the malicious XSL(eXtensible Stylesheet Language) file and the malicious XSL contains the javascript which is executed using another legitimate application mshta[.]exe used in running Microsoft HTML Application Host.https://gbhackers.com/hackers-abusing-wi...words/amp/
Researchers said the JavaScript contains a list of 52 domains and it chooses a random URL as well as the random port between 25010-25099 to download the HTA file.
Wa Salam Alekum