The STAC5777 attack chain was more involved, with more hands-on-keyboard hacking and commands. During the first stage, the attacker used the browser to download two .dat files, which they then combined into an archive called pack.zip.
The archive contained multiple files, including a legitimate executable called OneDriveStandaloneUpdater.exe, two .dll files from the OpenSSL Toolkit project, an unknown winhttp.dll,and a file called settingsbackup.dat. The archive and files were unpacked in a folder called OneDriveUpdate under the Windows AppData directory.
Malware was capable of stealing system info and recording keystrokes
The winhttp.dll file was a backdoor that was automatically sideloaded by the legitimate OneDrive executable. The file was capable of gathering system information, including configuration details, the name of the current user, and recording keystrokes. The researchers also believe it was meant to decrypt the settingsbackup.dat and execute it as a second-stage payload, but they did not manage to analyze this file.
