FortiGuard Labs recently discovered an email pretending to come from the Hungarian government. It informs the user that their new credentials to a governmental portal are attached. The attachment, however, is a zipped executable that, upon execution, extracts the Warzone RAT to memory and runs it.
A few days after the initial discovery, the Hungarian National Cyber Security Center issued a warning about this attack. This post provides a detailed analysis.
The initial infection occurs via a phishing email impersonating a Hungarian government portal. This portal is used to conduct official business online, such as submitting documents, ordering IDs, etc.
The email tells the victim that their credentials have changed and that new ones are attached. The language suggests it was written by a native speaker; however, the email did not use the grammar expected of an official communication.