Warning: hacking damage exploiting the rapid rise in the Bitcoin price

A Konni APT-linked campaign distributed an “attached.zip” archive holding a decoy PDF and an LNK file disguised as a DOCX. Opening the LNK runs obfuscated PowerShell that swaps the shortcut for a same-named decoy DOCX, drops a CAB archive (UHCYbG.cab) in the public folder, and launches VBS/BAT scripts for data collection, Registry Run persistence, and retrieval of further payloads. The scripts fetch from and post to the C2 domains goosess[.]com and stuckss[.]com, wrapping transfers in RC4 plus Base64; the report recommends Genian EDR to detect the PowerShell/BAT activity. #KonniAPT #GenianEDR

Keypoints

  • Attack delivered via ‘attached.zip’ containing a decoy PDF and a malicious LNK named like a DOCX to trick users.
  • The LNK contains obfuscated PowerShell which replaces the LNK with a same-named .docx and creates ‘UHCYbG.cab’ in the public folder, then unpacks it.
  • The CAB contains start.vbs which launches multiple BAT scripts that collect system info, register persistence (Registry Run), download further payloads, and attempt data exfiltration.
  • BAT scripts perform directory and systeminfo collection (saved to d1.txt–d4.txt), conditional downloads from goosess[.]com and stuckss[.]com, and RC4+Base64 encryption for transfer.
  • Temporary files are deleted after execution; the campaign shows code and behavioral similarity to previous Konni APT activity.
  • Genian EDR can detect the PowerShell and chained BAT behaviors from the shortcut execution and provide visibility into C2 connections.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Delivery via a compressed attachment ‘attached.zip’ containing a malicious LNK disguised as a DOCX (‘“attached.zip” compressed file was distributed… contains “Attachment 1_… .docx.lnk”’).
  • [T1204.002] User Execution: Malicious File – LNK shortcut used to trick users into execution by masquerading as a DOCX (‘the shortcut (LNK) file has a double extension… can be easily mistaken’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Obfuscated PowerShell in the LNK executes payload creation and unpacking (‘the shortcut file contains obfuscated PowerShell commands.’).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys – BAT script creates Registry Run entries for persistence (‘Registry Run creation…’).
  • [T1140] Deobfuscate/Decode Files or Information – The attack creates ‘UHCYbG.cab’ and unpacks it to deploy scripts and binaries; this is payload extraction, not archiving of collected data, so T1560.001 (Archive via Utility) does not fit (‘create the “UHCYbG.cab” file in the public folder path and unzip it’).
  • [T1027] Obfuscated Files or Information – Obfuscated PowerShell embedded in the LNK, plus RC4+Base64 applied to downloaded payloads and uploaded data (‘[RC4+Base64] used for encryption and download’).
  • [T1041] Exfiltration Over C2 Channel – Collected files and system information are staged locally and an upload to the stuckss[.]com server is attempted (‘save… information… stuckss[.]com server… leak attempt’).
  • [T1071.001] Application Layer Protocol: Web Protocols – Downloads and C2 interactions performed via web requests to goosess[.]com and stuckss[.]com (‘download zip file from goosess[.]com server’).

Indicators of Compromise

  • [File Hashes] 32-hex-character (MD5) hashes listed as key IoCs in the report – 1af7148dc027753297e0f28770f16d4e, a2c40c8b4aebee3f558ffb0f0e807852, and 8 more hashes.
  • [Domains] C2 and download servers – stuckss[.]com, goosess[.]com.
  • [File Names] malicious payload and artifacts observed – attached.zip, Attachment 1_Name_Personal Information Collection and Use Agreement.docx.lnk, UHCYbG.cab, start.vbs (and multiple BAT files like 49120862.bat, 60712945.bat).

The technical attack chain begins with a compressed email attachment ‘attached.zip’ that contains a decoy PDF and a malicious shortcut named to resemble a DOCX file. The LNK hides obfuscated PowerShell which, when executed, replaces the .lnk with a same-named .docx (so the user sees the document they expected) and creates a CAB file named UHCYbG.cab in the public folder; that CAB is extracted and then deleted. Execution is handed off to start.vbs, which invokes a series of BAT scripts that perform environment checks and conditional logic to carry out persistence, collection, and payload retrieval.

Inside the unpacked CAB are multiple BAT files (e.g., 49120862.bat, 78345839.bat, 47835693.bat, 60712945.bat) and an unzip utility. The BAT scripts create Registry Run entries for persistence, enumerate and save directory listings and systeminfo output into files like d1.txt–d4.txt, and use PowerShell to download and decrypt additional payloads from goosess[.]com and stuckss[.]com. Several components apply RC4 and then Base64 to data in transit, in both the download and upload directions, and temporary files (including the CAB) are deleted after use to hinder analysis.
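Because the report names RC4 plus Base64 as the transfer encoding, an analyst reversing a captured upload or a downloaded blob needs the decode routine. The block below is an added example, not code from the report or from the malware; the key and the sample d1.txt content are placeholders, since the report does not publish the key (on a real sample it would have to be recovered from the BAT/PowerShell stage that performs the decryption on the victim).

```python
"""RC4 + Base64 helper for reversing the transfer encoding the report describes.

Added example, not code from the report or the malware. PLACEHOLDER_KEY and
SAMPLE_D1 are constructed stand-ins; the campaign's real key is not public.
"""
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by the PRGA keystream XOR.
    RC4 is symmetric, so the same call both encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # PRGA + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wrap_for_transfer(key: bytes, plaintext: bytes) -> str:
    """Upload direction: RC4-encrypt, then Base64 so the blob survives an HTTP body."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def unwrap_transfer(key: bytes, blob: str) -> bytes:
    """Download direction: drop whitespace, Base64-decode, then RC4-decrypt."""
    raw = base64.b64decode("".join(blob.split()), validate=True)
    return rc4(key, raw)


# Constructed sample: a stand-in for a collected 'd1.txt' and a placeholder key.
PLACEHOLDER_KEY = b"placeholder-key"          # assumption, not the campaign's key
SAMPLE_D1 = b"Host Name: WS-01\r\nOS Name: Microsoft Windows 10 Pro\r\n"

if __name__ == "__main__":
    blob = wrap_for_transfer(PLACEHOLDER_KEY, SAMPLE_D1)
    print(blob)
    print(unwrap_transfer(PLACEHOLDER_KEY, blob).decode())
```

When working from a packet capture, try the decode in both orders (Base64 then RC4, and RC4 then Base64) and on the raw body as well as on any URL-encoded form field; a wrong key or wrong order simply yields high-entropy garbage, which is the cue to go back to the script stage and re-read how the key is derived.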

The overall goal is to harvest local system information, maintain execution via a Registry Run autostart entry, and fetch further payloads from or exfiltrate data to actor-controlled C2 servers. Detection should focus on suspicious LNK execution (explorer.exe as the parent) that spawns obfuscated or hidden-window PowerShell, chained VBS→BAT workflows, Registry Run key creation pointing at script files, unexpected archive extraction in the public folder, and DNS or HTTP requests to the listed domains; the report cites Genian EDR as capable of surfacing these PowerShell/BAT behaviors and C2 connections for rapid response.
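As an added example (not code from the Genians report and not Genian EDR logic), the following Python applies the detection points above to constructed Sysmon-style events. The field names follow Sysmon conventions (process create, registry set, file create, DNS query); the event values, paths, SID and encoded command are invented for illustration, and the rule names are my own.

```python
"""Rule checks for the LNK -> PowerShell -> VBS -> BAT -> C2 chain.

Added example, not from the report. SAMPLE_EVENTS is constructed telemetry,
not captured logs from the campaign.
"""
import re

# Indicators from the report, refanged for matching.
C2_DOMAINS = {"goosess.com", "stuckss.com"}

PUBLIC_DIR = re.compile(r"c:\\users\\public\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.I)
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\b", re.I)
HIDDEN_PS = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I)
SCRIPT_EXT = re.compile(r"\.(?:bat|cmd|vbs)\b", re.I)


def refang(domain: str) -> str:
    """Turn 'goosess[.]com' back into 'goosess.com' for matching."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def check_event(ev: dict) -> list:
    """Return the names of every rule a single event matches."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        image = ev.get("image", "").lower()
        parent = ev.get("parent_image", "").lower()
        cmd = ev.get("command_line", "")
        # LNK double-click shows up as explorer.exe spawning powershell.exe.
        if parent.endswith("\\explorer.exe") and image.endswith("\\powershell.exe") \
                and (ENCODED_PS.search(cmd) or HIDDEN_PS.search(cmd)):
            hits.append("lnk_spawns_obfuscated_powershell")
        # Script interpreters running .vbs/.bat out of the public folder.
        if (image.endswith("\\wscript.exe") or image.endswith("\\cmd.exe")) \
                and PUBLIC_DIR.search(cmd) and SCRIPT_EXT.search(cmd):
            hits.append("script_chain_in_public_folder")
        # start.vbs handing off to a BAT via cmd.exe.
        if parent.endswith("\\wscript.exe") and image.endswith("\\cmd.exe") and SCRIPT_EXT.search(cmd):
            hits.append("vbs_to_bat_handoff")
    elif kind == "registry":
        target = ev.get("target_object", "")
        details = ev.get("details", "")
        if RUN_KEY.search(target) and (SCRIPT_EXT.search(details) or PUBLIC_DIR.search(details)):
            hits.append("run_key_persistence")
    elif kind == "file":
        path = ev.get("target_filename", "")
        if PUBLIC_DIR.search(path) and path.lower().endswith(".cab"):
            hits.append("cab_dropped_in_public_folder")
    elif kind in ("dns", "network"):
        if refang(ev.get("domain", "")) in C2_DOMAINS:
            hits.append("known_c2_domain")
    return hits


def scan(events: list) -> list:
    """Run every event through the rules; return (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed sample telemetry: one benign event, then the chain, then benign DNS.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "command_line": "explorer.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"type": "file", "target_filename": r"C:\Users\Public\UHCYbG.cab"},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'wscript.exe "C:\Users\Public\start.vbs"'},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'cmd.exe /c "C:\Users\Public\49120862.bat"'},
    {"type": "registry",
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "details": r"C:\Users\Public\60712945.bat"},
    {"type": "dns", "domain": "goosess[.]com"},
    {"type": "dns", "domain": "update.microsoft.com"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The rules are deliberately behavioral rather than hash-based: the BAT names and the CAB name will change between waves, but explorer.exe launching hidden or encoded PowerShell, wscript.exe chaining into cmd.exe, and Run keys pointing at scripts in C:\Users\Public are the parts of this chain that survive a rebuild. Tune the PowerShell rule against your own baseline of legitimate logon scripts before alerting on it.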

Read more: https://www.genians.co.kr/blog/threat_intelligence/bitcoin