ZAPiXDESK

The attacks typically began with phishing emails posing as discussions about proposals for humanitarian aid. Victims were asked to follow a link that led to the download of a malicious archive file.

Victims were asked to follow a link that led to the download of a malicious archive file.

BouncyCastle.Cryptography.dll must be in the same directory of the ZAPiXDESK.ps1 file... It may also be necessary to enable set the execution policy to Unrestricted or Bypass in PowerShell to execute the script... run script: .\ZAPiXDESK.ps1

Open PowerShell on target computer (it will attempt to claim administrative rights).

a separate tool called ZAPIXDESK was used specifically to steal data from the WhatsApp messenger application.

First, it obtains the OfflineDeviceUniqueID... It generates the first decryption key to session.db based on staticKey protect by DPAPI-NG than recovers clientKey from WAL file... With clientKey, it is able to derives encryption key... where all other keys were stored and are recovered from WAL file. DbKeys are used to decrypt the others databases.

First, it obtains the OfflineDeviceUniqueID, indicating the method used (TPM, REGISTRY, etc...), used in keys derivations linked to the machine.

A script that extracts DBKeys and decrypts all SQLITE3 database files (including db and write-ahead-logfiles ). On completion a ZIP file containing all WhatsApp decrypted LocalState db's... The tool copies the WhatsApp localstate files (where SQLite3 DB files are located) to operate them

... або ж з месенджеру WhatsApp (із застосуванням програмного засобу ZAPIXDESK) ...

Also downloaded to the infected machine is a malware family dubbed AGINGFLY and a PowerShell script referred to as SILENTLOOP