Hackers Use Weaponized LNK Files to Exploit Microsoft Connection Manager Profile
Threat actors have shifted from using malicious macros to malicious LNK files for initial access. This follows Microsoft's 2022 announcement that macros would be disabled by default in Office documents downloaded from unknown sources or the internet.
The new attack vector uses the Microsoft Connection Manager Profile, which runs the system binary cmstp.exe to proxy the execution of malicious payloads.
This recent campaign was found to be similar to the Invicta stealer infection chain, but the infection chain appears to vary. This indicates that threat actors have changed their TTPs (Tactics, Techniques, and Procedures).
Generally, the LNK file containing the remote VBScript infection is distributed via spam emails disguised as legitimate-looking attachments with file extensions like ZIP or ISO.
LNK Files to Exploit Microsoft Connection Manager Profile
After the download of a ZIP file containing an LNK file disguised as a PDF, the LNK initiates remote command execution of a .hta file hosted on a remote server.
Once this .hta file is executed, it downloads a heavily obfuscated VBScript. This VBScript, when run, de-obfuscates the PowerShell loader, resulting in the activation of a PowerShell downloader.
This PowerShell downloader fetches the malware files from two URLs, namely:
- hxxp[:]//a0840501.xsph[.]ru/Inv.pdf
- hxxp[:]//a0840501.xsph[.]ru/71iqujprzsp4w[.]exe
These files are then stored in the AppData\Roaming directory under their original names. The files are one PDF and one EXE (the Redline stealer library). The PowerShell downloader uses cmstp.exe for UAC (User Account Control) bypass.
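The chain described above (LNK disguised as a PDF, mshta.exe fetching a remote .hta, then cmstp.exe launched from a script host) leaves a characteristic trail in process-creation telemetry. The following is an added example of detection logic over constructed Sysmon-style events; it is not code from the original article or the Cyble report, and the event field names, paths and the placeholder URL are assumptions.

```python
import re

# Constructed Sysmon-style process-creation events; not real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe http://placeholder.invalid/stage.hta",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /ni /s C:\Users\bob\AppData\Local\Temp\x.inf",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"image": r"C:\Windows\System32\cmstp.exe",   # benign: admin-installed VPN profile
     "cmdline": r'cmstp.exe /ni /s "C:\Program Files\CorpVPN\corp.inf"',
     "parent": r"C:\Windows\explorer.exe"},
]

USER_WRITABLE = re.compile(r"(\\Users\\[^\\]+\\|\\AppData\\|\\Temp\\|\\ProgramData\\)", re.I)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def flag_cmstp(ev):
    """cmstp.exe installing an INF from a user-writable path, or spawned by a script host."""
    if basename(ev["image"]) != "cmstp.exe":
        return False
    inf = re.search(r'"?([^"\s]+\.inf)"?', ev["cmdline"], re.I)
    from_user_path = bool(inf and USER_WRITABLE.search(inf.group(1)))
    scripted_parent = basename(ev["parent"]) in SCRIPT_HOSTS
    return from_user_path or scripted_parent

def flag_remote_hta(ev):
    """mshta.exe handed a URL: the remote .hta stage that follows the LNK click."""
    return basename(ev["image"]) == "mshta.exe" and re.search(r"\bhttps?://", ev["cmdline"], re.I) is not None

def looks_like_disguised_lnk(filename):
    """Attachment that ends in .lnk but shows a document-looking extension before it."""
    return re.search(r"\.(pdf|docx?|xlsx?|txt)\.lnk$", filename, re.I) is not None

def triage(events):
    """Return (image, [reasons]) for every event that trips at least one rule."""
    rules = (("cmstp_proxy_exec", flag_cmstp), ("remote_hta", flag_remote_hta))
    hits = []
    for ev in events:
        reasons = [name for name, rule in rules if rule(ev)]
        if reasons:
            hits.append((basename(ev["image"]), reasons))
    return hits

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image, reasons)
```

The benign third event (an INF under Program Files, launched from Explorer) is deliberately not flagged, which is the false-positive case such a rule must tolerate in environments that deploy real Connection Manager profiles.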
Weaponized LNK Files Uncovered
According to the report submitted to Cyber Security News, the payloads delivered by the weaponized LNK files were found to be Blank Grabber, Redline Stealer, and NetSupport RAT.
Blank Grabber is a Python-based open-source stealer that includes a GUI builder and can be used to generate stealer payloads easily. It also provides options to customize the stealer, such as a custom icon, UAC bypass, and persistence at startup.
Redline Stealer is sold on cybercrime forums and is considered one of the most prominent infostealers in circulation. It can be used to gain unauthorized access to sensitive information such as passwords, login credentials, autofill data, and credit card details.
NetSupport RAT is a commercial remote access tool used by administrators for legitimate remote access to users' machines, but it is being misused by threat actors to gain unauthorized access.
Furthermore, a complete report has been published by Cyble researchers that provides detailed information about the obfuscation, attack vector, YARA rules, and other findings.
Indicators of Compromise
Source credit: cybersecuritynews.com