Hackers Use Weaponized LNK Files to Exploit Microsoft Connection Manager Profile

by Esmeralda McKenzie

Threat actors have shifted from using malicious macros to malicious LNK files for initial access. This follows Microsoft's 2022 announcement that macros would be disabled by default in Office documents downloaded from unknown sources or the internet.

The new attack vector abuses the Microsoft Connection Manager Profile installer, the Windows binary cmstp.exe, to proxy the execution of malicious payloads.

This recent campaign was found to be similar to the Invicta stealer infection method, but the infection chain appears to differ, which indicates that the threat actors have changed their TTPs (Tactics, Techniques, and Procedures).

Typically, the LNK file that kicks off the remote VBScript infection is delivered by spam emails, disguised as a legitimate-looking attachment with a file extension such as ZIP or ISO.

LNK Files to Exploit Microsoft Connection Manager Profile

The chain begins with the download of a ZIP file containing an LNK file disguised as a PDF. Opening the LNK triggers remote command execution of a .hta file hosted on a remote server.

Once this .hta file is executed, it downloads a heavily obfuscated VBScript. When run, the VBScript de-obfuscates a PowerShell loader, which in turn launches a PowerShell downloader.

[Figure: Malicious LNK file (Source: Cyble)]
[Figure: Infection Chain (Source: Cyble)]

This PowerShell downloader fetches the malware files from two URLs, namely:

  • hxxp[:]//a0840501.xsph[.]ru/Inv.pdf
  • hxxp[:]//a0840501.xsph[.]ru/71iqujprzsp4w[.]exe

These files are then saved in the AppData\Roaming directory under their original names. The files are one PDF and one EXE (the Redline stealer). The PowerShell downloader uses cmstp.exe for UAC (User Account Control) bypass.
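The chain above (LNK, remote .hta, VBScript, PowerShell, cmstp.exe, a binary dropped under AppData\Roaming) leaves a very recognisable parent/child trail in process-creation telemetry. The following is an added example, not code from the article or from Cyble: it runs four defender-side rules over constructed Sysmon-style process events (PID, parent PID, image path, command line; all sample values are made up, the host example.invalid and the PIDs included) and reports which events fire. Rule 4 walks the ancestry of every cmstp.exe so the full mshta-to-cmstp chain is matched even when intermediate hops vary.

```python
import ntpath
from dataclasses import dataclass

# Scripting hosts and shells that should not normally be the direct parent of
# cmstp.exe or of binaries dropped under AppData\Roaming.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields a Sysmon Event ID 1 would provide)."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str


def image_name(path):
    return ntpath.basename(path).lower()


def ancestry(event, by_pid):
    """Yield parent, grandparent, ... of event; stops on unknown PIDs or cycles."""
    seen = {event.pid}
    current = by_pid.get(event.ppid)
    while current is not None and current.pid not in seen:
        yield current
        seen.add(current.pid)
        current = by_pid.get(current.ppid)


def detect(events):
    """Return (rule_name, pid) pairs for events matching the LNK/HTA/cmstp chain."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        name = image_name(ev.image)
        parent = by_pid.get(ev.ppid)
        parent_name = image_name(parent.image) if parent else ""

        # Rule 1: mshta.exe fetching an HTA from a remote server
        if name == "mshta.exe" and "http" in ev.cmdline.lower():
            hits.append(("mshta_remote_hta", ev.pid))

        # Rule 2: cmstp.exe started by a scripting host (execution-proxy / UAC-bypass pattern)
        if name == "cmstp.exe" and parent_name in SCRIPT_HOSTS:
            hits.append(("script_host_spawns_cmstp", ev.pid))

        # Rule 3: a binary under AppData\Roaming launched by a scripting host
        if "\\appdata\\roaming\\" in ev.image.lower() and parent_name in SCRIPT_HOSTS:
            hits.append(("script_host_runs_appdata_roaming_binary", ev.pid))

        # Rule 4: the whole chain in the ancestry of cmstp.exe (mshta -> ... -> powershell -> cmstp)
        if name == "cmstp.exe":
            lineage = {image_name(a.image) for a in ancestry(ev, by_pid)}
            if {"mshta.exe", "powershell.exe"} <= lineage:
                hits.append(("hta_powershell_cmstp_chain", ev.pid))
    return hits


# Constructed sample telemetry (not real logs) mirroring the chain in the article,
# plus two benign events that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://example.invalid/sample.hta"),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Users\u\AppData\Local\Temp\sample.vbs"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -File loader.ps1"),
    ProcEvent(500, 400, r"C:\Windows\System32\cmstp.exe", "cmstp.exe"),
    ProcEvent(600, 400, r"C:\Users\u\AppData\Roaming\71iqujprzsp4w.exe", "71iqujprzsp4w.exe"),
    ProcEvent(700, 100, r"C:\Program Files\Reader\reader.exe", "reader.exe Inv.pdf"),  # benign
    ProcEvent(800, 100, r"C:\Windows\System32\cmstp.exe", "cmstp.exe"),                # benign: interactive
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Running it flags the mshta.exe event, the cmstp.exe spawned by PowerShell (twice, once for the direct parent rule and once for the full chain), and the executable run from AppData\Roaming; the interactive cmstp.exe launched from Explorer and the PDF reader stay quiet. In a real pipeline the same rules would be expressed against your EDR's process-tree fields, with rule 2 and rule 4 as the high-confidence alerts.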


Weaponized LNK Files Uncovered

According to the report shared with Cyber Security News, the malware payloads delivered by the weaponized LNK files were found to be Blank Grabber, Redline Stealer, and NetSupport RAT.

Blank Grabber is a Python-based open-source stealer that ships with a GUI builder and can be used to generate stealer payloads with little effort. It also offers options to customize the stealer, such as a custom icon, UAC bypass, and persistence at startup.

Redline Stealer is sold on cybercrime forums and is considered one of the most prominent infostealers in the wild. It can be used to gain unauthorized access to sensitive information such as passwords, login credentials, autofill data, and credit card details.

NetSupport RAT is a commercial remote access tool used by administrators for legitimate remote access to users' machines, but it is being misused by threat actors to gain unauthorized access.

Furthermore, Cyble researchers have published a complete report with detailed information on the obfuscation, the attack vector, YARA rules, and other findings.

Indicators of Compromise

Indicator   Indicator Type   Description
110ea5727b750a69876de6613ba71c8f80ededd2e7cef2a276a855082affcd9f SHA256 Blank Grabber
https[:]//transfer.sh/iATCFJFn3d/Video_of%20Dollar_Recalling.exe URL Malicious URL
a6c163e45059640158828422622606f0d1608bb61ed0cb3cb27a138fe1c50c6d SHA256 Malicious HTA File
hxxp[:]//onlythefamily[.]ddns.net/crypt[.]exe URL Malicious URL
hxxp[:]//a0820799.xsph[.]ru/Payload[.]exe URL Malicious URL
27fd34dae9c30605a0739011fce957acd40c679b1b19a079946c4a6e6a0445f9 SHA256 Redline Stealer
513bc40cedbb94ee65afe77dac8464bb2693a098a15a08bb68a761acec223cdd SHA256 Redline Stealer
3225120683b1449548f441eb5649bf6efc38af4ff74975ecb203ea8766247115 SHA256 Malicious Lnk File
bbbebe67be31bcc286fe08f24ade73cb162f7f501c974151e66fc375c2f22563 SHA256 Malicious Lnk File
9905c430c3aa6e909c773af010ef8045521aba759d20a036ce065d8bf88eb9ee SHA256 Malicious HTA File
49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3 SHA256 NetSupportManager
hxxps://montec-shop[.]de/photos/client32[.]exe URL Malicious URL
hxxp[:]//94.156.253[.]17/Downloads/careabout[.]hta URL Malicious URL
6f08017be2fb3359cc15e2325e934465a9e7257657809f712c85f51a568e9dfc SHA256 Malicious Lnk File
0786f1889d5f3f73b5d25289b2d9d8f6a578758bc6987f88d8ae7c81c2baacd9 SHA256 Malicious Lnk File
e9abe79fceded092601af33d75859030242fd1e9ad4978cd1ceba5d9e9d88d7e SHA256 Malicious Lnk File
de3d0a11dec2e3b4afce991a690024e96dca389f8a0a3c6a65b559c9f1c12d59 SHA256 Malicious Lnk File
f9446736df6a16ba5747b617d8f69a327ec150a07f7e0adb944b65e23c2fcdc9 SHA256 Malicious Lnk File
8f65f6a346f568171760ce5b747bd6177a2e0111d37a3df5047905c4f1f86346 SHA256 Malicious Lnk File
687baa62d88a16ae54e4ff3ad584a5c7bdf71121a0fc84d863363f064cd6053b SHA256 Malicious Lnk File
1126845e909b7c776e5b48bf64db24f19b0183b7204f50aedfb8ecba52c8dcbb SHA256 Malicious Lnk File
c2807549c5965cf165839b876f8dd3ea44d51478e4cdc4dcca6146b223b0066d SHA256 Malicious Lnk File
cf8decdb1efe459a0e8d5817d209cfdd27731694956db3e111f1f8cb32456a7a SHA256 Malicious Lnk File
837f7e7a6799e25767839e487d97a5b61d9dc43add143e4b3680d756fefc1b95 SHA256 Malicious Lnk File
845087bb407b34d8003174a3b63b6c50c7ab4b13ef81636b8344740bb7a8559c SHA256 Malicious Lnk File
a2dfcc3e26858a9c730b7c10b55f82ae4dcea1a35826cfbe992287df80c4929b SHA256 Malicious Lnk File
84172e09798be8252fb18887e9cd29e47279df9641ab50185a6eea50f4c02fef SHA256 Malicious Lnk File
59b392a0ff9a3ff064b5a4ab90de5b68c758429280c612fd08f9399475d3108d SHA256 Malicious Lnk File
48cffc07e026c38234b77ca74d30a07a01f16da9d8ab24be73c934d6972f0ace SHA256 Malicious Lnk File
cc652a2be3f935f1bf3c40f7033239e09357da22f98b6abcab17bbb34266a02a SHA256 Malicious Lnk File
df86358f815e4c6760f5005a283c5e842dd7091dc328ac0f73b7667f6754c8bc SHA256 Malicious Lnk File
8b6ea98bb931bf67bcea0ff67cc5d44d956a4b3fffd1817e1f3ad89696fb3798 SHA256 Malicious Lnk File
f602321b7a764a0dffe32d9dfbac7c221fcf200f13d20e4fbfe978d56496a72b SHA256 Malicious Lnk File
d1825f07b07560f8d76c8d9125fc3029a4b328ecca836d01b5934ff8f02a32e1 SHA256 Malicious Lnk File
a08c36812818618f44782c3677c8b8b8159a1beacbad66adbe232e694d91176e SHA256 Malicious Lnk File
e9cbfe72cf4bf807f57df16611bea622c77ad501ee85c39ed171b8cdb05ba092 SHA256 Malicious Lnk File
3a00180db6da59cc44933db6faa043b1ae770098a4eb52d5c2f4cf060cb60d72 SHA256 Malicious Lnk File
7fd01399dec681c37cd14edeb37c601a85e1a3e567d0ff2accca1dad4bc9c53b SHA256 Malicious Lnk File
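The indicators above are published defanged (hxxp, [:] and [.]), so they will never match a proxy log or a file hash as printed. The following is an added example, not code from the article or from Cyble: it parses a subset of the table copied verbatim from this page, refangs the URLs, and matches them against constructed proxy log lines and file hashes. The proxy log layout (time, client IP, method, URL, status) and all log values are assumptions made for the example.

```python
import hashlib
import re

# Rows copied from the indicator table above, in the same defanged form
# (a subset, enough to exercise the matcher).
IOC_TABLE = """\
110ea5727b750a69876de6613ba71c8f80ededd2e7cef2a276a855082affcd9f SHA256 Blank Grabber
a6c163e45059640158828422622606f0d1608bb61ed0cb3cb27a138fe1c50c6d SHA256 Malicious HTA File
hxxp[:]//a0840501.xsph[.]ru/71iqujprzsp4w[.]exe URL Malicious URL
hxxps://montec-shop[.]de/photos/client32[.]exe URL Malicious URL
hxxp[:]//94.156.253[.]17/Downloads/careabout[.]hta URL Malicious URL
3225120683b1449548f441eb5649bf6efc38af4ff74975ecb203ea8766247115 SHA256 Malicious Lnk File
"""


def refang(value):
    """Undo the defanging used in the table (hxxp, [:] and [.]) so values match live telemetry."""
    value = value.replace("[:]", ":").replace("[.]", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def parse_ioc_table(text):
    """Map each refanged, lower-cased indicator to its (type, description)."""
    iocs = {}
    for line in text.splitlines():
        parts = line.split(maxsplit=2)      # indicator, type, free-text description
        if len(parts) != 3:
            continue
        indicator, ioc_type, description = parts
        iocs[refang(indicator).lower()] = (ioc_type, description)
    return iocs


def match_sha256(hex_digest, iocs):
    """Return (type, description) if a file hash is listed, else None."""
    return iocs.get(hex_digest.lower())


def sha256_of(data):
    return hashlib.sha256(data).hexdigest()


def scan_proxy_log(lines, iocs):
    """Flag proxy log lines whose requested URL is a listed indicator.

    Assumed line layout (constructed for this example): '<time> <client-ip> <method> <url> <status>'.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        client_ip, url = fields[1], fields[3]
        found = iocs.get(url.lower())
        if found and found[0] == "URL":
            hits.append((client_ip, url, found[1]))
    return hits


# Constructed proxy log lines (not real telemetry); two requests hit listed URLs.
PROXY_LOG = [
    "10:00:01 10.0.0.5 GET http://a0840501.xsph.ru/71iqujprzsp4w.exe 200",
    "10:00:02 10.0.0.5 GET https://www.example.com/index.html 200",
    "10:00:03 10.0.0.9 GET https://montec-shop.de/photos/client32.exe 200",
]

if __name__ == "__main__":
    table = parse_ioc_table(IOC_TABLE)
    for client_ip, url, what in scan_proxy_log(PROXY_LOG, table):
        print(f"{client_ip} requested {url} ({what})")
    print(match_sha256(sha256_of(b"constructed benign content"), table))
```

Hash lookups are case-insensitive because different tools print digests in different cases; URL matching here is exact, so for a hunt you would usually also index the refanged hostnames and match on those, since the path often changes between campaigns while the hosting server does not.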

Source credit : cybersecuritynews.com
