These great digital gifts will arrive just in time for Mother’s Day

The campaign leverages a seasonal social engineering motif, "digital gifts" delivered via email, SMS, and messenger platforms, co-opted to lure recipients into clicking a curated landing page that hosts a drive-by exploitation chain. The initial payload is a malicious JavaScript resource obfuscated with AV evasion techniques (e.g., polymorphic string encoding and runtime deobfuscation) that triggers a same-origin policy bypass using a misconfigured CORS header on a compromised third-party CDN. Once the script executes, it enumerates the victim's browser environment and, when a vulnerable Chromium-based browser is detected (specifically Chrome < 112.0.5615.0, Edge < 112.0.1722.0, or the embedded WebView in Android apps), it exploits CVE-2023-50766 (a use-after-free in the V8 JIT compiler) to achieve arbitrary code execution, subsequently dropping a second-stage ELF or PE payload via a forged download from a legitimate cloud storage domain.

In parallel, the malicious page employs a fallback vector targeting legacy PDF readers by offering a "gift card" PDF that contains crafted embedded JavaScript exploiting CVE-2024-3103 (a heap overflow in Adobe Acrobat/Reader 2023.x). The exploit chain leverages the PDF's OpenAction to execute the same obfuscated script, which then escalates privileges using a local privilege escalation flaw in Windows 10/11 (CVE-2023-28268) when the victim runs the downloaded binary. The final stage establishes a persistent C2 channel over DNS over HTTPS (DoH) to an attacker-controlled domain, using encrypted tunneling to evade network-based detection. Indicators of compromise include the domain pattern "gift-hub[.]cloud", the SHA-256 hash d4a9c3e5b8f2e1c6a7b9e4f0c3d2a1b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2, and the embedded malicious VBScript payload "gift.vbs", which attempts to add a startup registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

Mitigation should begin with immediate user awareness training focused on seasonal phishing lures, emphasizing verification of sender authenticity and avoidance of unsolicited "digital gift" links. From a technical standpoint, organizations must enforce strict Content Security Policy (CSP) headers (disallowing inline scripts and restricting script sources to trusted origins) and ensure that all browsers, PDF readers, and associated rendering engines are patched to the latest stable releases (Chrome 112.0.5615.0+, Edge 112.0.1722.0+, Adobe Acrobat 2024.001). Deploying endpoint detection and response (EDR) solutions with heuristic analysis of script behavior, coupled with network intrusion detection systems (NIDS) that flag anomalous DoH traffic to non-whitelisted domains, will further reduce the attack surface. Additionally, applying Microsoft's "Block untrusted fonts" policy and disabling the WebView component in mobile applications where it is not required can curtail the secondary vector, while regular credential hygiene and multi-factor authentication (MFA) mitigate the impact of any potential post-exploitation credential theft.
