APT-C-36: from NjRAT to LimeRAT

MITRE Techniques

• [T1566.001] Spearphishing Attachment – The attack uses a spearphishing document with an embedded trigger; “The document is revised to see which is the trigger of the infection, finding a suspicious OLE object … which in turn will lead to a WSF file.”
• [T1036] Masquerading – The VBS component “shows the appearance of a legitimate Microsoft WinRM file.”
• [T1059.001] PowerShell – The infection chain uses PowerShell to download and execute scripts (e.g., “through powershell, will download a VBS file from the domain … and then launch it via Explorer”).
• [T1059.005] Visual Basic – The VBScript (VBS) component is used for downloading and executing payloads.
• [T1105] Ingress Tool Transfer – The stage involves downloading a VBS file and later the RAT payload from remote sources.
• [T1027] Obfuscated/Compressed Files and Information – Code is obfuscated and later deobfuscated to reveal the original payloads.
• [T1055.001] Dynamic-Link Library (DLL) Injection – The first DLL (DLL.PPAM / Fiber.dll) is injected into the PowerShell process.
• [T1055.012] Process Hollowing – NjRAT is injected into a suspended RegAsm.exe process via process hollowing.
• [T1547.001] Boot or Logon Autostart: Startup Folder – Persistence is achieved by creating a startup link disguised as Notepad.
• [T1053.005] Scheduled Task – A scheduled task is created to ensure persistence of the actor’s payload.
• [T1132] Data Encoding – The final payloads are encoded (e.g., Base64), then decoded in memory before execution.
• [T1071.001] Application Layer Protocol – C2 communications occur over web-based endpoints and public hosting (e.g., duckdns, HTTP(S)).