Fake “Scanned from a Xerox Multifunction Printer” delivers Trickbot — 2 Comments

  1. Assuming it’s the same as the one I just checked, it doesn’t drop or download a custom version of PowerShell; it just copies the existing PS folder into %temp%\YEOFI\, renames powershell.exe, and executes a ‘malware typical’ download command:

    Set y = CreateObject("scripting.filesystemobject")
    y.CopyFolder Environ("SystemRoot") + "\system32\WindowsPowerShell\v1.0", Environ("Temp") + "\YEOFI"
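
Added example, not part of the original post or the comment above: a detection sketch for the behaviour the comment describes, flagging process-creation events where the binary's embedded original file name is PowerShell but the image has been renamed or runs from outside the normal install folder. It assumes Sysmon Event ID 1 style fields (`Image`, `OriginalFileName`) and a `C:\Windows` system root; the sample events, the user name and the file name `renamed.exe` are constructed.

```python
import ntpath

# Assumption: SystemRoot is C:\Windows. Paths are lower-cased for comparison.
TRUSTED_DIRS = {
    r"c:\windows\system32\windowspowershell\v1.0",
    r"c:\windows\syswow64\windowspowershell\v1.0",
}
POWERSHELL_NAME = "powershell.exe"


def classify(event):
    """Return the reasons an event looks like a copied or renamed PowerShell."""
    original = (event.get("OriginalFileName") or "").lower()
    if original != POWERSHELL_NAME:
        return []  # version resource does not identify the PowerShell host
    directory, filename = ntpath.split(event.get("Image", "").lower())
    reasons = []
    if filename != POWERSHELL_NAME:
        reasons.append("renamed")    # file name on disk differs from the embedded name
    if directory not in TRUSTED_DIRS:
        reasons.append("relocated")  # running from a copy, e.g. under %TEMP%
    return reasons


def find_relocated_powershell(events):
    """Return (image, reasons) for every suspicious process-creation event."""
    return [(e["Image"], r) for e in events if (r := classify(e))]


# Constructed sample events modelled on Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\YEOFI\renamed.exe",
     "OriginalFileName": "PowerShell.EXE"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\YEOFI\powershell.exe",
     "OriginalFileName": "PowerShell.EXE"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
]

if __name__ == "__main__":
    for image, reasons in find_relocated_powershell(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(reasons)}")
```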
