NordDragonScan: Quiet Data-Harvester on Windows

FortiGuard Labs discovered the NordDragonScan infostealer, delivered via weaponized HTA scripts hidden in malicious LNK shortcuts and RAR archives, targeting Microsoft Windows systems. The malware steals browser data, documents, screenshots, and network information, then exfiltrates the stolen data to its C2 server. #NordDragonScan #kpuszkiev.com

Keypoints

  • NordDragonScan is delivered through shortened URLs leading to malicious RAR archives containing LNK files that execute HTA scripts via mshta.exe.
  • The HTA payload disguises itself by copying PowerShell.exe as install.exe and uses a decoy Ukrainian document to distract users.
  • The infostealer collects diverse data including Chrome and Firefox profiles, screenshots, system details, network information, and specific file types from user folders.
  • The malware creates persistence by adding a registry run key named “NordStar” and uses a custom C2 server at kpuszkiev.com for data exfiltration and command retrieval.
  • NordDragonScan employs string obfuscation using XOR and byte-swapping to evade detection in static analysis.
  • The C2 server uses specialized HTTP headers to communicate with infected hosts and dynamically provides upload URLs for stolen data.
  • Fortinet products detect and block this threat using multiple signatures and provide additional protections such as content disarm and IP reputation blocking.

MITRE Techniques

  • [T1204] User Execution – The attack leverages malicious LNK shortcuts that trigger mshta.exe to launch the HTA payload after user interaction. (‘malicious LNK shortcut that silently invokes mshta.exe to execute the hosted HTA payload’)
  • [T1105] Ingress Tool Transfer – The malware downloads encoded payloads and decoys from remote servers to the victim machine (‘downloads an encoded TXT file from a remote server’)
  • [T1059] Command and Scripting Interpreter – Uses HTA scripts executed by mshta.exe to deliver and execute payloads (‘executes the hosted HTA payload “1.hta”’)
  • [T1033] System Owner/User Discovery – NordDragonScan collects computer name, username, OS version, architecture, processor count, and RAM information (‘retrieves the victim’s basic information … using WMI and .NET environment calls’)
  • [T1046] Network Service Scanning – The malware scans the local network subnet by probing IP addresses to build an inventory of reachable hosts (‘initiates lightweight probes to each address in the same subnet’)
  • [T1083] File and Directory Discovery – It enumerates files with specified extensions in Desktop, Documents, and Downloads folders (‘scans the local file system, including Desktop, Documents, and Downloads folders’)
  • [T1056] Input Capture – The malware takes screenshots of the victim’s desktop (‘captures a screenshot and saves it as “SPicture.png”’)
  • [T1071] Application Layer Protocol – Uses HTTPS with custom HTTP headers (“User-Agent: RTYUghjNM”) to communicate with the C2 server (‘It contacts the C2 server containing specially crafted HTTP headers’)
  • [T1547] Boot or Logon Autostart Execution – Adds a registry run key “NordStar” for persistence (‘sets up persistence by adding a registry “NordStar”’)
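
The delivery chain and indicators summarised above lend themselves to simple behavioural rules. The following Python sketch is an added example, not code from the FortiGuard write-up: it runs three checks over constructed telemetry lines (the key=value log format and the sample values are assumptions made for the example), flagging mshta.exe launching a remote .hta, a Run value named NordStar, and proxy traffic carrying the RTYUghjNM User-Agent or one of the two domains.

```python
import re

# Indicators taken from the NordDragonScan summary above.
C2_USER_AGENT = "RTYUghjNM"
RUN_KEY_NAME = "NordStar"
C2_DOMAINS = {"kpuszkiev.com", "secfileshare.com"}

# Constructed sample telemetry (not real logs): process-creation, registry
# and proxy events in a simple key=value form assumed for this example.
SAMPLE_EVENTS = [
    'type=process image=C:\\Windows\\System32\\mshta.exe cmdline="mshta.exe https://secfileshare.com/1.hta" parent=explorer.exe',
    'type=process image=C:\\Windows\\System32\\mshta.exe cmdline="mshta.exe C:\\Temp\\setup.hta" parent=cmd.exe',
    'type=registry key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=NordStar data="C:\\Users\\u\\AppData\\Roaming\\adblocker.exe"',
    'type=registry key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=OneDrive data="C:\\Program Files\\OneDrive.exe"',
    'type=proxy host=kpuszkiev.com method=POST useragent="RTYUghjNM"',
    'type=proxy host=example.com method=GET useragent="Mozilla/5.0"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn one key=value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def classify(event):
    """Return the names of the rules an event matches (empty list if none)."""
    hits = []
    kind = event.get("type")
    if kind == "process":
        # LNK -> mshta.exe fetching a hosted .hta is the delivery chain described above.
        cmd = event.get("cmdline", "").lower()
        if event.get("image", "").lower().endswith("mshta.exe") and re.search(r"https?://\S+\.hta", cmd):
            hits.append("mshta_remote_hta")
    elif kind == "registry":
        # Persistence: a Run value literally named "NordStar".
        if event.get("key", "").lower().endswith("\\run") and event.get("value") == RUN_KEY_NAME:
            hits.append("nordstar_run_key")
    elif kind == "proxy":
        if event.get("useragent") == C2_USER_AGENT:
            hits.append("c2_user_agent")
        if event.get("host", "").lower() in C2_DOMAINS:
            hits.append("c2_domain")
    return hits

def scan(lines):
    """Map the index of each matching line to the rules it triggered."""
    return {i: h for i, line in enumerate(lines) if (h := classify(parse_event(line)))}

if __name__ == "__main__":
    for i, rules in scan(SAMPLE_EVENTS).items():
        print(i, rules, SAMPLE_EVENTS[i])
```

The User-Agent and domain matches are exact-string indicators that an attacker can rotate, whereas the mshta.exe-fetching-a-remote-.hta rule covers the technique itself and is the more durable of the three.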

Indicators of Compromise

  • [Domain] Command and control and delivery domains – secfileshare[.]com, kpuszkiev[.]com
  • [RAR Hash] Malicious archives containing LNK and HTA files (three 64-character hashes, one per line):
    2102c2178000f8c63d01fd9199400885d1449501337c4f9f51b7e444aa6fbf50
    e07b33b5560bbef2e4ae055a062fdf5b6a7e5b097283a77a0ec87edb7a354725
    3f3e367d673cac778f3f562d0792e4829a919766460ae948ab2594d922a0edae
  • [HTA Hash] Malicious HTA payloads (five 64-character hashes, one per line):
    f8403e30dd495561dc0674a3b1aedaea5d6839808428069d98e30e19bd6dc045
    fbffe681c61f9bba4c7abcb6e8fe09ef4d28166a10bfeb73281f874d84f69b3d
    39c68962a6b0963b56085a0f1a2af25c7974a167b650cf99eb1acd433ecb772b
    9d1f587b1bd2cce1a14a1423a77eb746d126e1982a0a794f6b870a2d7178bd2c
    7b2b757e09fa36f817568787f9eae8ca732dd372853bf13ea50649dbb62f0c5c
  • [Executable Hash] Payload executable named adblocker.exe – f4f6beea11f21a053d27d719dab711a482ba0e2e42d160cefdbdad7a958b93d0

Read more: https://feeds.fortinet.com/~/921291716/0/fortinet/blog/threat-research~NordDragonScan-Quiet-DataHarvester-on-Windows