Tiny BackDoor Goes Undetected – Suspected Turla leveraging MSBuild to Evade detection 

Cyble researchers describe a campaign that uses malicious LNK files disguised as PDFs to drop a tiny, fileless backdoor via MSBuild, with a multi-stage infection chain including PowerShell and inline MSBuild tasks. The activity is attributed to Turla (medium confidence) and uses a compromised Philippine website for C2, highlighting sophisticated abuse of legitimate tools to evade detection. #TinyBackDoor #Turla #TinyTurla #MSBuild #LNK #Philippines

Keypoints

  • The campaign leverages malicious LNK files masquerading as PDF documents, potentially distributed via spam emails.
  • Threat actors use human rights seminar invitations and public advisories as lure documents to infect targets.
  • Malicious LNK files embed both the lure PDF and the MSBuild project file, so execution proceeds seamlessly while the lure is displayed.
  • The final payload is delivered via MSBuild in a stealthy, fileless manner and functions as a backdoor.
  • The backdoor provides remote command capabilities and persists through a scheduled task, enabling continuous control.
  • Turla attribution is supported by Russian-language code comments, NGO-focused lure, PHP-based C2 usage, and behavioral similarities to TinyTurla.

MITRE Techniques

  • [T1204] User Execution – The execution begins when a user opens the malicious LNK, triggering further payloads. Quote: “User opens the malicious Shortcut file.”
  • [T1036] Masquerading – The LNK file is masqueraded as a PDF document. Quote: “.LNK file masqueraded as a PDF document.”
  • [T1140] Deobfuscate/Decode Files or Information – The inline task deobfuscates the encrypted content within the MSBuild workflow. Quote: “Deobfuscate/Decode Files or Information.”
  • [T1127.001] Trusted Developer Utilities Proxy Execution – MSBuild is used to execute the malicious inline task. Quote: “MSBuild used to execute the malicious inline task.”
  • [T1053.005] Scheduled Task/Job – A scheduled task is created to execute the final backdoor in the background. Quote: “Adds task scheduler entry for persistence.”
  • [T1071.001] Web Protocols – The backdoor communicates with the C2 server over HTTP. Quote: “Backdoor communications with C&C server.”
  • [T1041] Exfiltration Over C2 Channel – The backdoor exfiltrates data over the C2 channel. Quote: “Sending exfiltrated data over C2 channel.”
  • [T1059.001] PowerShell – A PowerShell script embedded within the LNK is triggered to orchestrate the subsequent stages. Quote: “PowerShell script embedded within it.”
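As an added defender-side example (not code from the Cyble report), the following Python checks process-creation events for the two pivots of the chain mapped above: MSBuild launched by a script host with a project file in a user-writable path (T1127.001), and a scheduled task whose action re-invokes MSBuild (T1053.005). The event shape, file paths and task name are constructed assumptions, not indicators from the report.

```python
import json
import ntpath

# Constructed Sysmon-style process-creation events (one JSON object per line),
# not taken from the report. They model the chain described above (explorer ->
# PowerShell from the LNK -> MSBuild project -> scheduled task) plus a normal
# developer build that must not be flagged.
SAMPLE_EVENTS = r"""
{"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent": "C:\\Windows\\explorer.exe", "cmd": "powershell.exe -NoProfile -WindowStyle Hidden -File <omitted>"}
{"image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "MSBuild.exe C:\\Users\\victim\\AppData\\Local\\Temp\\invite.proj"}
{"image": "C:\\Windows\\System32\\schtasks.exe", "parent": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "cmd": "schtasks /create /sc minute /mo 5 /tn Updater /tr \"MSBuild.exe C:\\Users\\victim\\AppData\\Local\\Temp\\invite.proj\""}
{"image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "parent": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\devenv.exe", "cmd": "MSBuild.exe C:\\src\\app\\app.csproj /t:Build"}
"""

# Parents that do not normally launch MSBuild, and user-writable locations where a
# dropped project file would live (both lists are assumptions for this demo).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "explorer.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


def load_events(text):
    """Parse JSON-lines process events into dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def analyze(events):
    """Return one alert string per suspicious event, in input order."""
    alerts = []
    for ev in events:
        image = ntpath.basename(ev["image"]).lower()
        parent = ntpath.basename(ev["parent"]).lower()
        cmd = ev["cmd"].lower()
        # T1127.001: MSBuild spawned by a script host with a project under a user-writable path
        if image == "msbuild.exe" and parent in SCRIPT_HOSTS and any(p in cmd for p in USER_WRITABLE):
            alerts.append(f"T1127.001 MSBuild spawned by {parent}: {ev['cmd']}")
        # T1053.005: scheduled task creation whose action runs MSBuild again
        if image == "schtasks.exe" and "/create" in cmd and "msbuild" in cmd:
            alerts.append(f"T1053.005 scheduled task invoking MSBuild: {ev['cmd']}")
    return alerts


if __name__ == "__main__":
    for alert in analyze(load_events(SAMPLE_EVENTS)):
        print(alert)
```

The benign devenv.exe build in the sample produces no alert, which is the false-positive case a production rule must keep handling.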

Indicators of Compromise

  • [SHA256] Archive file – b4db8e598741193ea9e04c2111d0c15ba79b2fa098efc3680a63ef457e60dbd9
  • [SHA256] Malicious .LNK file – 6829ab9c4c8a9a0212740f46bf93b1cbe5d4256fb4ff66d65a3a6eb6c55758a1
  • [SHA256] Malicious MSBuild Project File (final payload) – 8c97df4ca1a5995e22c2c4887bea2945269d6f5f158def98d5ebdd5311bb20c4
  • [SHA256] Decoy PDF – 76629afb86bd9024c3ea6759eeea197ba6c8c780e0041d1f8182d206cf3bd1b4
  • [Domain] C2 Domain – hxxps://ies[.]inquirer[.]com[.]ph
  • [SHA256] Zip file – c2618fb013135485f9f9aa27983df3371dfdcb7beecde86d02cee0c258d5ed7f
  • [SHA256] .LNK – cac4d4364d20fa343bf6816544b31995a57d8f69ee606c4675db60be5ae8775

Read more: https://cyble.com/blog/tiny-backdoor-goes-undetected-suspected-turla-leveraging-msbuild-to-evade-detection/