APT-C-53 Weaponizing LNK Files To Deploy Malware Into Target Systems

Gamaredon, a persistent threat actor since 2013, targets the government, defense, diplomacy, and media sectors of their victims, primarily through cyberattacks, to gain sensitive information and disrupt operations.

It continues to employ sophisticated tactics, leveraging malicious LNK and XHTML files alongside intricate phishing schemes to carry out cyberattacks.

Phishing emails with four distinct attack payloads aimed to trick users into executing malicious attachments or compressed files, allowing attackers to infiltrate target systems and deploy malware for further nefarious actions.

By using spear-phishing emails with malicious LNK attachments, it targets government and key organizations, which, when executed, abused mshta.exe to remotely download and run malicious code.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Malicious actors use booby-trapped XHTML attachments to download compressed files containing weaponized LNK shortcuts, which exploit mshta.exe to deliver additional malware payloads, with communication facilitated by IP addresses and trycloudflare.com. 

Gamaredon APT uses obfuscated HTML emails to deliver LNK files by leveraging mshta.exe or PowerShell to download malicious payloads from trycloudflare.com or fixed IP addresses. 

The downloaded scripts, often PowerShell, communicate with the C2 server, sending system information and potentially executing further commands based on the response. 

It uses two main infection methods: emails with compressed files containing decoy PDFs and malicious HTAs, and compressed files with LNKs that drop PowerShell scripts persisting on registry startup. 

The entry module initiates two background jobs: one for communication with the C2 server and another for scanning removable disks, which retrieves C2 IP, gathers system information, sends it to the C2 server, and executes received commands, either directly or through a dedicated module.

The “Get C2 Module” attempts to retrieve a command and control server IP through various methods (domain resolution, URL fetching, DNS lookup) and saves it to a hidden file, where the “code execution module” decrypts a hidden payload using the system serial number and executes it in the background. 

Gamaredon Group’s malware scans removable disks, creates shortcuts to execute PowerShell scripts, encodes PowerShell scripts in the registry, and modifies the registry for persistent startup, enabling automatic execution and maintaining persistent infection.

Tracked by 360 Advanced Threat Research Institute, it continues its malicious activities, employing techniques previously seen in past attacks, as the analysis reveals a portion of their ongoing operations, highlighting the persistent threat posed by this APT group.

To enhance email, system, and terminal security, deploy advanced email gateways to filter malicious attachments and phishing emails, implement robust log monitoring and analysis, and ensure all devices have up-to-date antivirus and antimalware software.

Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses