Cyber Security News

APT-C-53 Weaponizing LNK Files To Deploy Malware Into Target Systems

Gamaredon, a persistent threat actor since 2013, targets the government, defense, diplomacy, and media sectors of their victims, primarily through cyberattacks, to gain sensitive information and disrupt operations.

It continues to employ sophisticated tactics, leveraging malicious LNK and XHTML files alongside intricate phishing schemes to carry out cyberattacks.

Phishing emails with four distinct attack payloads aimed to trick users into executing malicious attachments or compressed files, allowing attackers to infiltrate target systems and deploy malware for further nefarious actions.

Attack Flowchart

By using spear-phishing emails with malicious LNK attachments, it targets government and key organizations, which, when executed, abused mshta.exe to remotely download and run malicious code.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Malicious actors use booby-trapped XHTML attachments to download compressed files containing weaponized LNK shortcuts, which exploit mshta.exe to deliver additional malware payloads, with communication facilitated by IP addresses and trycloudflare.com. 

Example of decoded malicious code

Gamaredon APT uses obfuscated HTML emails to deliver LNK files by leveraging mshta.exe or PowerShell to download malicious payloads from trycloudflare.com or fixed IP addresses. 

The downloaded scripts, often PowerShell, communicate with the C2 server, sending system information and potentially executing further commands based on the response. 

It uses two main infection methods: emails with compressed files containing decoy PDFs and malicious HTAs, and compressed files with LNKs that drop PowerShell scripts persisting on registry startup. 

Malicious code example

The entry module initiates two background jobs: one for communication with the C2 server and another for scanning removable disks, which retrieves C2 IP, gathers system information, sends it to the C2 server, and executes received commands, either directly or through a dedicated module.

The “Get C2 Module” attempts to retrieve a command and control server IP through various methods (domain resolution, URL fetching, DNS lookup) and saves it to a hidden file, where the “code execution module” decrypts a hidden payload using the system serial number and executes it in the background. 

Code Execution Module Code Example

Gamaredon Group’s malware scans removable disks, creates shortcuts to execute PowerShell scripts, encodes PowerShell scripts in the registry, and modifies the registry for persistent startup, enabling automatic execution and maintaining persistent infection.

Tracked by 360 Advanced Threat Research Institute, it continues its malicious activities, employing techniques previously seen in past attacks, as the analysis reveals a portion of their ongoing operations, highlighting the persistent threat posed by this APT group.

To enhance email, system, and terminal security, deploy advanced email gateways to filter malicious attachments and phishing emails, implement robust log monitoring and analysis, and ensure all devices have up-to-date antivirus and antimalware software.

Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Secure Ideas Achieves CREST Accreditation and CMMC Level 1 Compliance

Secure Ideas, a premier provider of penetration testing and security consulting services, proudly announces its…

51 minutes ago

New Phishing Campaign Targets Investors to Steal Login Credentials

Symantec has recently identified a sophisticated phishing campaign targeting users of Monex Securities (マネックス証券), a…

1 hour ago

UAC-0219 Hackers Leverage WRECKSTEEL PowerShell Stealer to Extract Data from Computers

In a concerning development, CERT-UA, Ukraine's Computer Emergency Response Team, has reported a series of…

1 hour ago

Hunters International Linked to Hive Ransomware in Attacks on Windows, Linux, and ESXi Systems

Hunters International, a ransomware group suspected to be a rebrand of the infamous Hive ransomware,…

1 hour ago

Qilin Operators Imitate ScreenConnect Login Page to Deploy Ransomware and Gain Admin Access

In a recent cyberattack attributed to the Qilin ransomware group, threat actors successfully compromised a…

1 hour ago

Operation HollowQuill Uses Malicious PDFs to Target Academic and Government Networks

A newly uncovered cyber-espionage campaign, dubbed Operation HollowQuill, has been identified as targeting academic, governmental,…

1 hour ago