Operation ShadowCat Using Weaponized Office document To Attack Users In India
Researchers identified a new attack campaign ("Operation ShadowCat") that uses malicious LNK files distributed through spam emails; opening one triggers a PowerShell script that drops a .NET loader and a decoy Word document.
The loader fetches a steganographic PNG containing a Gzip-compressed payload, decompresses it in memory, and injects it into the PowerShell process for execution; because the decompressed payload never touches disk, this in-memory execution evades file-based security detection.
The final payload is a Go-based RAT that grants attackers extensive control over the victim's system, including file manipulation, command execution, network scanning, data exfiltration, and credential extraction for lateral movement.

The attack uses a .LNK file disguised as a Word document to deliver a malicious PowerShell script. The script includes geolocation-based execution prevention, obfuscates strings through character manipulation, self-destructs, creates a decoy document, and dynamically generates and executes a malicious DLL, a multi-stage approach designed to evade detection while delivering its payload.
The PowerShell Script Employs Geo-Fencing
It first determines the victim's location using the Get-WinHomeLocation cmdlet and terminates if the country matches a predefined list. The script then decodes obfuscated strings, likely containing malicious payloads or commands.
It then creates a lure document by deleting existing LNK files of the same size and converting the original LNK to a DOCX file, which suggests a potential file-based infection vector.
Analysis reveals a targeted attack that uses a lure document disguised as a parliamentary question to entice individuals interested in Indian politics.
On execution, the PowerShell script downloads and decodes a malicious DLL from Base64-encoded data.
The DLL then uses steganography to extract shellcode from a seemingly innocuous PNG image, performing a system-architecture check to select the appropriate payload.
The shellcode, generated using the Donut framework, is ultimately loaded into memory for execution, indicating a sophisticated attack designed to evade detection.
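The loader stage described here and in the summary above hides a Gzip-compressed payload inside a PNG. The following triage helper is an added example (not code from the article or from Cyble) showing how a defender can check a suspect image for such a payload: it walks the PNG chunk list, reports any bytes trailing the IEND chunk, and scans the whole file for Gzip streams that decompress cleanly, so it also catches a payload stored inside an ancillary chunk rather than appended. The sample PNG, the private chunk name `daTa`, and the payload bytes are constructed for the example; the real sample's embedding method is not stated on the page, so the "raw Gzip bytes somewhere in the file" assumption is this example's own.

```python
"""Triage helper: locate a Gzip-compressed payload hidden in a PNG.

Added example for the steganographic loader described in the article;
not the article's or Cyble's code. Assumption: the payload is stored as
raw Gzip bytes somewhere in the file (appended after IEND or inside a
chunk). The sample PNG and payload are constructed here.
"""
import gzip
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=deflate


def parse_chunks(data: bytes):
    """Walk the chunk list; return ([chunk types], offset just past IEND)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunks.append(ctype.decode("latin-1"))
        pos += 12 + length  # 4 length + 4 type + data + 4 crc
        if ctype == b"IEND":
            return chunks, pos
    return chunks, len(data)  # malformed: no IEND


def find_gzip_payloads(data: bytes):
    """Return (offset, decompressed bytes) for every complete Gzip stream."""
    found = []
    start = 0
    while True:
        off = data.find(GZIP_MAGIC, start)
        if off == -1:
            break
        try:
            # 16 + MAX_WBITS tells zlib to expect a gzip header
            d = zlib.decompressobj(16 + zlib.MAX_WBITS)
            out = d.decompress(data[off:])
            if d.eof:  # only a stream that reached its trailer counts
                found.append((off, out))
        except zlib.error:
            pass  # random bytes that merely looked like a header
        start = off + 1
    return found


def triage_png(data: bytes) -> dict:
    """Combine the structural check and the content scan into one verdict."""
    chunks, end = parse_chunks(data)
    payloads = find_gzip_payloads(data)
    trailing = len(data) - end
    return {
        "chunks": chunks,
        "trailing_bytes": trailing,
        "payloads": payloads,
        "suspicious": trailing > 0 or bool(payloads),
    }


# --- constructed sample input -------------------------------------------
def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(payload: bytes = b"", in_chunk: bool = False) -> bytes:
    """Constructed 1x1 RGB PNG; optional payload appended or in a 'daTa' chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    body = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    blob = gzip.compress(payload) if payload else b""
    if payload and in_chunk:
        body += _chunk(b"daTa", blob)  # constructed private ancillary chunk
    body += _chunk(b"IEND", b"")
    if payload and not in_chunk:
        body += blob  # appended after IEND
    return body


if __name__ == "__main__":
    for label, png in [("clean", build_sample_png()),
                       ("appended", build_sample_png(b"stage-2", False)),
                       ("in-chunk", build_sample_png(b"stage-2", True))]:
        r = triage_png(png)
        print(label, r["chunks"], "trailing:", r["trailing_bytes"],
              "payloads:", [(o, len(p)) for o, p in r["payloads"]])
```

The structural check alone (trailing bytes after IEND) misses the in-chunk case, which is why the content scan runs over the whole file regardless; conversely, a valid Gzip stream inside an image that a renderer happily displays is a strong indicator on its own, since legitimate PNG encoders do not emit raw Gzip data.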
The malware encrypts and embeds API names within its binary. On execution it decrypts these, creates a suspended PowerShell process, writes shellcode into it, and extracts the embedded code into that process's memory.
It then queues an asynchronous procedure call (APC) to the suspended process's thread so that the shellcode runs when the thread resumes, and resumes the thread, which fires the APC and starts shellcode execution, leading to the loading and execution of the embedded malicious binary.
Analysts at Cyble Research and Intelligence Labs identified a complex Go-based malware (8.4 MB) that uses publicly available libraries such as Yamux (multiplexing) and Secsy goftp (FTP) for stealthy communication and file operations.
The malware exhibits RAT (Remote Access Trojan) behavior with functionality such as directory traversal, file manipulation (create, read, write, etc.), process termination, network scanning, and credential-theft tools (Mimikatz, Rubeus).
It uses WebSockets over port 443 for C&C communication, potentially leveraging Netcat-like components for remote control.
Interestingly, the malware avoids targeting Russian-speaking regions, hinting at a financially motivated RaaS group with a probable Russian affiliation.
Source credit: cybersecuritynews.com