Paliz, the PowerShell downloader in a ZIP and beyond

[harlan4096]

Threat actors regularly come up with new techniques for malware downloaders to hide and execute their code with the expectation that they can fool antivirus solutions for some time. Paliz is an archive that carries malicious code in an unusual location.

ZIP Archive Contents

This malware arrives via email attachment. The attached file is a ZIP archive using names like aggiornamento-documentazione-PT-0533984.zip ("update documentation"), or facture-prestation-V-384718.zip ("invoice presentation") to make users believe that it is worth to take a look into the archive's contents. The email text for the facture-prestation-V-384718.zip sample is seen below.

Cher(e) client(e),
Veuillez noter que votre compte présente un solde débiteur à ce jour correspondant à la facture V-384718 jointe.
Nous vous remercions de nous faire parvenir votre règlement dans les plus brefs délais, ou de nous fournir un justificatif de paiement (si vous l'avez fait récemment, merci de ne pas tenir compte de ce message).
Cliquez sur ce lien pour vous identifier et accéder directement à votre facture V-384718

Bonne réception

Cordialement..
Thibault Leroy
L.F.A.C.
61, Rue A Traversa
26300 Alixan

If the user opens or extracts the ZIP archive they will see an image file and a Windows shortcut that poses as an important business document (see picture below). File names like documentatione cliente.lnk ("customer documentation"), document financier pour client.lnk ("financial document for client"), notifice cliente.lnk ("notify customers") are used for the shortcuts. The image files are PNG or JPEG files, some of which actually look like an invoice, others show diagrams related to finances. The image files make the look and feel of the archive's contents more legitimate.

The file names and email contents indicate that the malware targets French and Spanish businesses.

Continue Reading