CASHY200 is a PowerShell-based backdoor associated with the larger xHunt malware campaign. Despite initially being heavily targeted at government and shipping organisations in the Middle East, it now appears to be affecting organisations throughout Europe.
CASHY200 is delivered via malicious Microsoft Office attachments distributed through email phishing campaigns. When opened, a preliminary script in the attachments will execute CASHY200 directly in memory.
In several samples, CASHY200 used randomly generated identifiers stored in the registry at HKCU\Software\Microsoft\Cashe\index and used the command value 200 to communicate with the C2 server, hence the name CASHY200.
If successfully executed, CASHY200 will connect to a command and control server, using a bespoke DNS tunnelling protocol in order to bypass standard network monitoring, before awaiting further commands. CASHY200 variants are able to extract files as well as install secondary payloads.
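The registry location described above is a usable host indicator. The following added example (not part of the original advisory) scans Sysmon registry events, exported as JSON lines, for activity under that key; the export format, the function name and all sample events are assumptions constructed for illustration.

```python
import json
import re

# Sysmon registry event IDs: 12 = key/value create or delete,
# 13 = value set, 14 = key/value rename.
REGISTRY_EVENT_IDS = {12, 13, 14}

# Sysmon records per-user hives as HKU\<SID>\...; the HKCU spellings are
# accepted for other log sources. Registry paths are case-insensitive.
CASHE_KEY = re.compile(
    r"^(?:HKU\\[^\\]+|HKEY_USERS\\[^\\]+|HKCU|HKEY_CURRENT_USER)"
    r"\\Software\\Microsoft\\Cashe(?:\\.*)?$",
    re.IGNORECASE,
)

# Constructed sample events (one JSON object per line). Field names follow
# Sysmon; SIDs, images and values are invented for this example.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Cashe\\index", "Details": "EXAMPLE-ID"}
{"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Cashews\\index", "Details": "1"}
{"EventID": 12, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "hku\\S-1-5-21-1111111111-2222222222-3333333333-1002\\SOFTWARE\\MICROSOFT\\CASHE"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 13, "Image": "truncated line
"""


def find_cashe_registry_hits(lines):
    """Return registry events that touch the Cashe key or anything below it."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or malformed export lines
        if not isinstance(event, dict) or event.get("EventID") not in REGISTRY_EVENT_IDS:
            continue
        if CASHE_KEY.match(event.get("TargetObject", "")):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_cashe_registry_hits(SAMPLE_EVENTS.splitlines()):
        print(hit["EventID"], hit["Image"], hit["TargetObject"])
```

The pattern is anchored on the misspelt key name, so a similarly named key such as Cashews does not match.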