Under the DNS Hood of an Ongoing Legacy MSHTA Tool Attack

Under the DNS Hood of an Ongoing Legacy MSHTA Tool Attack
Bitdefender detailed how attackers abused Microsoft’s legacy MSHTA tool to deliver CountLoader, which deployed LummaStealer and Amatera in multiple campaigns. The research also mapped 120 network IoCs and expanded the investigation to uncover related domains, IPs, typosquatting groups, and other artifacts tied to the ClickFix attack. #MSHTA #CountLoader #LummaStealer #Amatera #ClickFix

Keypoints

  • Attackers abused Microsoft’s legacy MSHTA tool as a delivery mechanism across multiple malware campaigns.
  • The HTA-based loader CountLoader was used to deploy the infostealers LummaStealer and Amatera.
  • Victims risked losing credentials, browser-stored data, session tokens, and cryptocurrency-related information.
  • Bitdefender identified 128 network IoCs, and the investigation refined this into 120 network IoCs for deeper analysis.
  • DNS analysis linked 17 client IPs to domain IoCs, 618 potential victim IPs to IP IoCs, and multiple typosquatting and malicious registration clusters.
  • Several domains and IPs continued to resolve or show historical activity, indicating sustained infrastructure use.
  • Additional investigation uncovered 2,260 email-connected domains, including 56 already confirmed malicious.

MITRE Techniques

  • [T1218.005 ] Signed Binary Proxy Execution: MSHTA – Attackers abused the legacy Microsoft tool as a trusted execution mechanism to deliver payloads (‘attackers continued to abuse Microsoft’s legacy MSHTA tool as a delivery mechanism’).
  • [T1105 ] Ingress Tool Transfer – CountLoader delivered second-stage malware onto victim systems (‘HTA-based loader CountLoader to deploy the infostealers LummaStealer and Amatera onto victims’ systems’).
  • [T1566 ] Phishing – The article describes domains and infrastructure consistent with phishing and malvertising campaigns (‘domains with various hostnames match algorithmically generated throwaway domains used in malvertising and phishing campaigns’).
  • [T1583.001 ] Acquire Infrastructure: Domains – Threat actors registered and used malicious domains and typosquatting groups to support their infrastructure (’20 of them were likely registered with malicious intent’; ‘appeared in three typosquatting groups’).
  • [T1583.006 ] Acquire Infrastructure: Web Services – Attacker-controlled OSS/S3 buckets were used to host payloads (‘Attacker-controlled OSS or S3 buckets are frequently used to host second-stage payloads or droppers’).
  • [T1036 ] Masquerading – Some domains were crafted to appear legitimate or to mimic trusted names (‘simple… domains’, ‘ms-team-ping6[.]com’).
  • [T1204 ] User Execution – The ClickFix/MSHTA chain implies victim interaction to trigger the attack (‘ClickFix attack targeting MSHTA users’).

Indicators of Compromise

  • [Domains] Malicious or suspicious domains and typosquatting variants – qlkwr[.]com, ms-team-ping6[.]com, simplerwebs[.]world, simplerwebs[.]space, and other 77 domains
  • [Subdomains] Subdomain IoCs linked to shared infrastructure – asd[.]s7610rir[.]pw, asq[.]d6shiiwz[.]pw, check[.]qlkwr[.]com, and other 8 subdomains
  • [IP addresses] IP IoCs and historical resolution targets – 103[.]115[.]17[.]90, 87[.]96[.]21[.]84, 107[.]175[.]187[.]111, and other 25 IPs
  • [Email addresses] Public email artifacts used for expansion analysis – 29 unique email addresses, including 13 public email addresses, and other 16 addresses
  • [File names / infrastructure artifacts] Hosting and payload infrastructure references – buck2nd[.]oss-eu-central-1[.]aliyuncs[.]com, d1[.]pool4883[.]pw, us1[.]pool4883[.]pw


Read more: https://circleid.com/posts/under-the-dns-hood-of-an-ongoing-legacy-mshta-tool-attack