A phishing campaign named FAUX#ELEVATE is currently targeting French corporations by using malicious resume files to install data stealers and cryptocurrency miners. These attacks use sophisticated evasion techniques and legitimate cloud services to bypass security measures and quickly compromise enterprise workstations.
The FAUX#ELEVATE cyberattack begins with a phishing email containing a heavily obfuscated VBScript file disguised as a French-language resume. To avoid detection, the script is inflated with over two hundred thousand lines of junk code and random sentences, reaching nearly ten megabytes in size. When a user opens the file, it displays a fake error message to trick them into thinking the document is corrupted while it silently performs environment checks. The malware specifically targets domain-joined enterprise machines and ignores home computers to ensure it only impacts high-value corporate targets.
Once active, the script enters a persistent loop to trick the user into granting administrator privileges through User Account Control prompts. After gaining these permissions, the malware immediately disables security features by adding exclusion paths to Microsoft Defender for all primary drive letters and modifying the Windows Registry. This allows the attacker to operate without interference from local antivirus software. The dropper then downloads encrypted archives from Dropbox containing a suite of tools designed for credential theft, file exfiltration, and unauthorized cryptocurrency mining.
The campaign effectively uses a living-off-the-land strategy by abusing legitimate infrastructure to manage its operations. It utilizes compromised WordPress sites in Morocco to host configuration files and relies on mail.ru SMTP servers to send stolen browser data and desktop files to the attackers. The toolkit includes specialized components to bypass modern browser encryption and a kernel driver to maximize the efficiency of the Monero mining software. This combination of tools ensures that the attackers can profit from both sensitive corporate data and the hardware resources of the infected machine.
Speed and stealth are central to the success of this operation, with the entire infection process taking approximately twenty-five seconds from execution to data theft. After the initial payloads are deployed and the credentials have been exfiltrated, the malware initiates an aggressive cleanup routine to delete its own tools and minimize its forensic footprint. This leaves only the persistent miner and a trojan behind, making it difficult for security teams to reconstruct the full scope of the initial breach during a post-incident investigation.
This multi-stage operation highlights the evolving complexity of threats facing corporate environments today. By blending social engineering with advanced technical evasion, the actors behind FAUX#ELEVATE can rapidly compromise systems and maintain a long-term presence on a network. The focus on French-speaking organizations suggests a deliberate regional targeting strategy aimed at specific economic sectors. Security professionals are advised to monitor for unusual VBScript execution and unauthorized modifications to Windows Defender exclusion lists to defend against such threats.
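The two detection points recommended above (drive-letter exclusions added to Defender, and a script host running an inflated VBScript) can be checked directly on a suspect workstation. The following PowerShell is an added example written for this page, not code from Securonix or from the campaign write-up. It relies on the Defender `Get-MpPreference` cmdlet and on Event ID 5007 in the `Microsoft-Windows-Windows Defender/Operational` log, which Defender writes whenever its configuration (including exclusion paths) changes; the 24-hour lookback window and the 5 MB "unusually large script" threshold are assumptions chosen for illustration, not values from the report.

```powershell
# Added example (not from the original report): audit a host for the
# Defender-exclusion and VBScript-execution indicators described above.
# Run from an elevated PowerShell session on the machine being checked.

function Get-SuspiciousDefenderExclusions {
    [CmdletBinding()]
    param(
        # Assumption: how far back to search the Defender operational log.
        [int]$LookbackHours = 24
    )

    # 1. Current exclusion paths as reported by the Defender policy cmdlet.
    #    A bare drive root such as "C:\" or "D:" removes the whole volume from scanning.
    $exclusions = @((Get-MpPreference).ExclusionPath)
    $driveRootPattern = '^[A-Za-z]:\\?$'
    $driveRoots = @($exclusions | Where-Object { $_ -match $driveRootPattern })

    # 2. Event ID 5007 records Defender configuration changes; keep only those
    #    whose message references the Exclusions\Paths registry key.
    $since = (Get-Date).AddHours(-$LookbackHours)
    $changes = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-Windows Defender/Operational'
            Id        = 5007
            StartTime = $since
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\Paths' } |
        Select-Object TimeCreated, Message)

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        DriveRootExclusions    = $driveRoots
        RecentExclusionChanges = $changes
        Suspicious             = ($driveRoots.Count -gt 0) -or ($changes.Count -gt 0)
    }
}

function Get-RunningVbsHosts {
    [CmdletBinding()]
    param(
        # Assumption: scripts above this size are worth a second look; the
        # dropper described above is inflated to roughly ten megabytes.
        [int]$LargeScriptMB = 5
    )

    Get-CimInstance Win32_Process -Filter "Name = 'wscript.exe' OR Name = 'cscript.exe'" |
        ForEach-Object {
            # Pull the first .vbs path out of the command line (quoted or unquoted).
            $scriptPath = $null
            if ($_.CommandLine -match '"([^"]+\.vbs)"|(\S+\.vbs)') {
                $scriptPath = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
            }
            $sizeMB = $null
            if ($scriptPath -and (Test-Path -LiteralPath $scriptPath)) {
                $sizeMB = [math]::Round((Get-Item -LiteralPath $scriptPath).Length / 1MB, 2)
            }
            [pscustomobject]@{
                ProcessId       = $_.ProcessId
                ParentProcessId = $_.ParentProcessId
                ScriptPath      = $scriptPath
                ScriptSizeMB    = $sizeMB
                UnusuallyLarge  = ($null -ne $sizeMB) -and ($sizeMB -ge $LargeScriptMB)
                CommandLine     = $_.CommandLine
            }
        }
}

Get-SuspiciousDefenderExclusions | Format-List
Get-RunningVbsHosts | Format-Table -AutoSize
```

In a fleet, the same two functions can be pushed through `Invoke-Command` and the `Suspicious` and `UnusuallyLarge` fields aggregated centrally; a drive-root exclusion that appears alongside a 5007 event and a running `wscript.exe` is the combination the report describes, and each of the three on its own is still worth triage.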
Source: https://www.securonix.com/blog/faux-elevate-threat-actors-crypto-miners-and-infostealers/