Stealthy Fileless Attack Targets Participants of Upcoming US-Taiwan Defense Industry Event

Cyble Research and Intelligence Labs (CRIL) uncovered a stealthy, largely fileless campaign targeting attendees of the US-Taiwan Defense Industry Conference. The lure is a ZIP archive containing an LNK shortcut disguised as a PDF. Once opened, the shortcut drops a decoy PDF and an executable into the Startup folder; the executable then pulls further stages from the attacker-controlled server, loads them in memory, compiles C# code on the fly, and exfiltrates collected data over ordinary web requests, leaving little on disk for file-based detection.

Keypoints

  • Campaign targets individuals connected to the US-Taiwan Defense Industry Conference.
  • Malicious ZIP archive contains an LNK file masquerading as a legitimate PDF.
  • The LNK runs commands that drop a lure PDF and an executable into the user's Startup folder, giving the malware persistence at the next logon.
  • The executable downloads additional content from the attacker-controlled server and executes it in memory, so no second-stage binary is written to disk.
  • Malware compiles C# code in memory, avoiding file creation on disk.
  • Exfiltration of sensitive data occurs via web requests designed to blend with normal traffic.
  • Attack likely delivered through phishing emails, leveraging social engineering tactics. Chinese threat actors are suspected due to historical targeting of Taiwan around significant events.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The ZIP archive containing the LNK file is most likely delivered as an email attachment.
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – The dropped executable is written into the user's Startup folder so that it runs at every logon.
  • [T1204.002] User Execution: Malicious File – The chain starts only when the user opens the LNK file after extracting it from the archive.
  • [T1027.012] Obfuscated Files or Information: LNK Icon Smuggling – The LNK carries a PDF icon via its IconEnvironmentDataBlock, and because Windows Explorer hides the .lnk extension by default, registration_form.pdf.lnk is displayed as a harmless-looking registration_form.pdf.
  • [T1140] Deobfuscate/Decode Files or Information – certutil is used to decode base64-encoded content into the dropped files.
  • [T1027.004] Obfuscated Files or Information: Compile After Delivery – C# source is compiled and executed in memory instead of being delivered as a ready-made binary.
  • [T1132.002] Data Encoding: Non-Standard Encoding – The next-stage file fetched from the TA-controlled server is stored in encrypted/encoded form and decoded on the host.
  • [T1048.003] Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol – Collected data is sent in plain HTTP POST requests to a PHP endpoint on the hosting domain, blending in with normal web traffic.
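Several of the traits listed above (a shortcut named like a document, an IconEnvironmentDataBlock supplying a borrowed icon, a certutil -decode step in the shortcut's arguments, a write into the Startup folder, a hidden console window) are visible statically in the .lnk file itself, before anything runs. The Python below is an added example written for this page, not Cyble's tooling and not the campaign's own shortcut: it parses the MS-SHLLINK layout (header, StringData, ExtraData blocks) and reports those traits. The sample shortcut it builds, including the argument string, the icon path and the file name, is constructed for the demonstration and is not the real sample.

```python
"""Static triage of a Windows .lnk (MS-SHLLINK) for the lure traits described above.

Added example for this page; the sample shortcut built by build_sample_lnk() is
constructed here and is NOT the campaign's real file.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
ICON_ENV_SIG = 0xA0000007        # IconEnvironmentDataBlock signature (BlockSize is always 0x314)
SW_SHOWMINNOACTIVE = 7           # ShowCommand that keeps the cmd.exe window out of sight
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
LOLBINS = ("certutil", "findstr", "powershell", "mshta", "rundll32")

# Constructed sample values (assumptions for the demo, not observed IOCs).
LURE_ARGS = ('/c certutil -decode "%TEMP%\\payload.b64" '
             '"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.exe"')
LURE_ICON = "%ProgramFiles%\\PDFReader\\reader.exe"


def parse_lnk(data):
    """Return (ShowCommand, StringData dict, {signature: body} of ExtraData blocks)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show_cmd = struct.unpack_from("<I", data, 0x3C)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize covers the whole structure
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:                         # CountCharacters, then the characters
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            if flags & IS_UNICODE:
                strings[name] = data[off:off + 2 * count].decode("utf-16-le")
                off += 2 * count
            else:
                strings[name] = data[off:off + count].decode("cp1252", "replace")
                off += count
    blocks = {}
    while off + 4 <= len(data):                  # ExtraData: BlockSize, BlockSignature, body
        size = struct.unpack_from("<I", data, off)[0]
        if size < 8 or off + size > len(data):   # TerminalBlock (< 4) or truncated file
            break
        blocks[struct.unpack_from("<I", data, off + 4)[0]] = data[off + 8:off + size]
        off += size
    return show_cmd, strings, blocks


def triage_lnk(filename, data):
    """Return a list of findings; an empty list means none of the lure traits were seen."""
    show_cmd, strings, blocks = parse_lnk(data)
    findings = []
    stem, _, ext = filename.lower().rpartition(".")
    if ext == "lnk" and stem.rpartition(".")[2] in DOC_EXTS:
        findings.append("double extension: shortcut named like a document")
    if ICON_ENV_SIG in blocks:                   # TargetAnsi[260] then TargetUnicode[520]
        body = blocks[ICON_ENV_SIG]
        target = (body[260:780].decode("utf-16-le", "replace").split("\0")[0]
                  or body[:260].split(b"\0")[0].decode("cp1252", "replace"))
        findings.append(f"IconEnvironmentDataBlock: icon borrowed from {target}")
    args = strings.get("arguments", "").lower()
    hits = [b for b in LOLBINS if b in args]
    if hits:
        findings.append("LOLBin in arguments: " + ", ".join(hits))
    if "-decode" in args:
        findings.append("certutil -decode style base64 decode in arguments")
    if "\\startup\\" in args:
        findings.append("writes into a Startup folder (persistence)")
    if show_cmd == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (console window hidden)")
    return findings


def build_sample_lnk(arguments, icon_target=None, show_cmd=1):
    """Build a minimal, constructed .lnk: header + StringData + optional IconEnvironmentDataBlock."""
    flags = HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = (struct.pack("<I16sI", 0x4C, LNK_CLSID, flags)
              + b"\0" * 36                       # FileAttributes, three FILETIMEs, FileSize, IconIndex
              + struct.pack("<I", show_cmd)      # ShowCommand at offset 0x3C
              + b"\0" * 12)                      # HotKey, Reserved1..3

    def string_data(text):                       # CountCharacters + UTF-16LE characters
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = header + string_data(arguments) + string_data(icon_target or "")
    if icon_target is not None:
        body += struct.pack("<II", 0x314, ICON_ENV_SIG)
        body += icon_target.encode("cp1252").ljust(260, b"\0")
        body += icon_target.encode("utf-16-le").ljust(520, b"\0")
    return body + b"\0\0\0\0"                    # TerminalBlock


if __name__ == "__main__":
    lure = build_sample_lnk(LURE_ARGS, LURE_ICON, show_cmd=SW_SHOWMINNOACTIVE)
    for finding in triage_lnk("registration_form.pdf.lnk", lure):
        print("-", finding)
```

Run it against a real shortcut with `triage_lnk(path, open(path, "rb").read())`; any shortcut that combines a document-style name with an IconEnvironmentDataBlock and a LOLBin in its arguments deserves a closer look, while a single trait on its own (many legitimate shortcuts use environment-variable icon paths) is not enough to alert on.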

Indicators of Compromise

  • [SHA-256] 6b1af6be189e31168b8f4eff84cd475eb5d0cbd08e646760fb352165a30cb269 – registration_form.pdf.zip
  • [SHA-256] 0e07b96c508dfc0e11f119071cca4ec628dae635771532dae7f034ed369591d7 – updater.exe
  • [URL] hxxp://tdea[.]com[.]tw/asset/uploads/files/68679813[.]txt – URL used to obtain the DLL/C# code
  • [URL] hxxp://tdea[.]com[.]tw/asset/uploads/files/68679815[.]txt – URL used to obtain the DLL
  • [URL] hxxp://tdea[.]com[.]tw/ckeditor/ckfinder/core/connector/php/connector[.]php?command=SaveFile&type=Files&currentFolder=%2F&langCode=en&hash=f92a86fd96382c5a – POST endpoint for exfiltration
  • [URL] hxxp://tdea[.]com[.]tw/asset/uploads/files/68679811[.]txt – URL used to fetch the C# code
  • [File Name] registration_form.pdf.zip – Lure archive containing the malicious LNK
  • [File Name] registration_form.pdf.lnk – Dual-extension LNK disguised as a PDF
  • [Domain] tdea[.]com[.]tw – Domain hosting the staged payloads and the exfiltration endpoint

Read more: https://cyble.com/blog/stealthy-fileless-attack-targets-attendees-of-us-taiwan-defense-industry-event/