Cyber Security News

APT-C-53 Weaponizing LNK Files To Deploy Malware Into Target Systems

Gamaredon, a persistent threat actor since 2013, targets the government, defense, diplomacy, and media sectors of their victims, primarily through cyberattacks, to gain sensitive information and disrupt operations.

It continues to employ sophisticated tactics, leveraging malicious LNK and XHTML files alongside intricate phishing schemes to carry out cyberattacks.

Phishing emails with four distinct attack payloads aimed to trick users into executing malicious attachments or compressed files, allowing attackers to infiltrate target systems and deploy malware for further nefarious actions.

Attack Flowchart

By using spear-phishing emails with malicious LNK attachments, it targets government and key organizations, which, when executed, abused mshta.exe to remotely download and run malicious code.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Malicious actors use booby-trapped XHTML attachments to download compressed files containing weaponized LNK shortcuts, which exploit mshta.exe to deliver additional malware payloads, with communication facilitated by IP addresses and trycloudflare.com. 

Example of decoded malicious code

Gamaredon APT uses obfuscated HTML emails to deliver LNK files by leveraging mshta.exe or PowerShell to download malicious payloads from trycloudflare.com or fixed IP addresses. 

The downloaded scripts, often PowerShell, communicate with the C2 server, sending system information and potentially executing further commands based on the response. 

It uses two main infection methods: emails with compressed files containing decoy PDFs and malicious HTAs, and compressed files with LNKs that drop PowerShell scripts persisting on registry startup. 

Malicious code example

The entry module initiates two background jobs: one for communication with the C2 server and another for scanning removable disks, which retrieves C2 IP, gathers system information, sends it to the C2 server, and executes received commands, either directly or through a dedicated module.

The “Get C2 Module” attempts to retrieve a command and control server IP through various methods (domain resolution, URL fetching, DNS lookup) and saves it to a hidden file, where the “code execution module” decrypts a hidden payload using the system serial number and executes it in the background. 

Code Execution Module Code Example

Gamaredon Group’s malware scans removable disks, creates shortcuts to execute PowerShell scripts, encodes PowerShell scripts in the registry, and modifies the registry for persistent startup, enabling automatic execution and maintaining persistent infection.

Tracked by 360 Advanced Threat Research Institute, it continues its malicious activities, employing techniques previously seen in past attacks, as the analysis reveals a portion of their ongoing operations, highlighting the persistent threat posed by this APT group.

To enhance email, system, and terminal security, deploy advanced email gateways to filter malicious attachments and phishing emails, implement robust log monitoring and analysis, and ensure all devices have up-to-date antivirus and antimalware software.

Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware has…

5 hours ago

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as a…

5 hours ago

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black Banshee,”…

5 hours ago

APT37 Hackers Use Weaponized LNK Files and Dropbox for Command-and-Control Operations

The North Korean state-sponsored hacking group APT37, also known as ScarCruft, launched a spear phishing…

5 hours ago

Open Source Linux Firewall IPFire 2.29 – Core Update 194 Released: What’s New!

IPFire, the powerful open-source firewall, has unveiled its latest release, IPFire 2.29 – Core Update…

9 hours ago

Threat Actors Leverage DDoS Attacks as Smokescreens for Data Theft

Distributed Denial of Service (DDoS) attacks, once seen as crude tools for disruption wielded by…

9 hours ago