Cyber Security News

APT-C-53 Weaponizing LNK Files To Deploy Malware Into Target Systems

Gamaredon, a persistent threat actor since 2013, targets the government, defense, diplomacy, and media sectors of their victims, primarily through cyberattacks, to gain sensitive information and disrupt operations.

It continues to employ sophisticated tactics, leveraging malicious LNK and XHTML files alongside intricate phishing schemes to carry out cyberattacks.

Phishing emails with four distinct attack payloads aimed to trick users into executing malicious attachments or compressed files, allowing attackers to infiltrate target systems and deploy malware for further nefarious actions.

Attack Flowchart

By using spear-phishing emails with malicious LNK attachments, it targets government and key organizations, which, when executed, abused mshta.exe to remotely download and run malicious code.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Malicious actors use booby-trapped XHTML attachments to download compressed files containing weaponized LNK shortcuts, which exploit mshta.exe to deliver additional malware payloads, with communication facilitated by IP addresses and trycloudflare.com. 

Example of decoded malicious code

Gamaredon APT uses obfuscated HTML emails to deliver LNK files by leveraging mshta.exe or PowerShell to download malicious payloads from trycloudflare.com or fixed IP addresses. 

The downloaded scripts, often PowerShell, communicate with the C2 server, sending system information and potentially executing further commands based on the response. 

It uses two main infection methods: emails with compressed files containing decoy PDFs and malicious HTAs, and compressed files with LNKs that drop PowerShell scripts persisting on registry startup. 

Malicious code example

The entry module initiates two background jobs: one for communication with the C2 server and another for scanning removable disks, which retrieves C2 IP, gathers system information, sends it to the C2 server, and executes received commands, either directly or through a dedicated module.

The “Get C2 Module” attempts to retrieve a command and control server IP through various methods (domain resolution, URL fetching, DNS lookup) and saves it to a hidden file, where the “code execution module” decrypts a hidden payload using the system serial number and executes it in the background. 

Code Execution Module Code Example

Gamaredon Group’s malware scans removable disks, creates shortcuts to execute PowerShell scripts, encodes PowerShell scripts in the registry, and modifies the registry for persistent startup, enabling automatic execution and maintaining persistent infection.

Tracked by 360 Advanced Threat Research Institute, it continues its malicious activities, employing techniques previously seen in past attacks, as the analysis reveals a portion of their ongoing operations, highlighting the persistent threat posed by this APT group.

To enhance email, system, and terminal security, deploy advanced email gateways to filter malicious attachments and phishing emails, implement robust log monitoring and analysis, and ensure all devices have up-to-date antivirus and antimalware software.

Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra ID…

23 hours ago

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages Google…

1 day ago

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated by…

1 day ago

Beware: Weaponized AI Tool Installers Infect Devices with Ransomware

Cisco Talos has uncovered a series of malicious threats masquerading as legitimate AI tool installers,…

1 day ago

Pure Crypter Uses Multiple Evasion Methods to Bypass Windows 11 24H2 Security Features

Pure Crypter, a well-known malware-as-a-service (MaaS) loader, has been recognized as a crucial tool for…

1 day ago

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges

A recent discovery by security researchers at BeyondTrust has revealed a critical, yet by-design, security…

1 day ago