{"id":3520,"date":"2026-06-05T07:04:09","date_gmt":"2026-06-05T07:04:09","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/05\/the-evil-msi-background-is-back-fri-jun-5th\/"},"modified":"2026-06-05T07:04:09","modified_gmt":"2026-06-05T07:04:09","slug":"the-evil-msi-background-is-back-fri-jun-5th","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/05\/the-evil-msi-background-is-back-fri-jun-5th\/","title":{"rendered":"The Evil MSI Background is Back!, (Fri, Jun 5th)"},"content":{"rendered":"
\n

A few months ago, I wrote a diary about a payload that was embedded into a JPEG picture. It was a MSI-branded background[1<\/a>]. Yesterday, I spotted another one! It seems that the technic is getting more and more popular. This time, it started with a mail containing a WeTransfer link.<\/p>\n

\"\"<\/p>\n

Often, the WeTransfer brand is abused in phishing emails. Here, it’s was an official link:\u00a0<\/p>\n

\nhxxps:\/\/we[.]tl\/t-R4Wv1JkvFfC4Awus<\/pre>\n
The thread-actor shared the initial file via this platform. The file is a piece of Javascript called “Remittance Advice.js” (SHA256:8a83de81fbac4eb0961f3d58982f299664a5fa4c874c7469e69f85f3fc5bd33f).<\/p>\n
The contains a lot of junk code that will just do nothing:<\/p>\n
\"\"<\/p>\n
Every for-loop will just move to the next line. In the middle of the file (>2MB), we have the interesting code that will perform the following tasks:<\/p>\n
It will decode the next payload in an environment variable:<\/p>\n
\n[Environment]::SetEnvironmentVariable(\"INTERNAL_DB_CACHE\", <encoded_payload>)<\/pre>\n
The obfuscation technique used is ROT13, old but still very efficient:<\/p>\n
\ncbjrefuryy.rkr -RkrphgvbaCbyvpl Olcnff -AbCebsvyr -JvaqbjFglyr Uvqqra -Pbzznaq<\/pre>\n
Decoded, it becomes:<\/p>\n
\npowershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command<\/pre>\n
PowerShell is executed throug WMI:<\/p>\n