On March 20, 2025, MalwareHunterTeam revealed a ZIP file named CNP_MFA_Meeting_Documents.zip, discovered in Cambodia, containing a malicious LNK file designed to execute a hidden PowerShell script that downloads and extracts further payloads. The malware employs techniques such as DLL hijacking and creates a scheduled task for persistent access. Affected: Cambodia, Notepad++, Windows
Key points:
- ZIP file CNP_MFA_Meeting_Documents.zip uploaded from Cambodia.
- Contains an LNK file (Meeting_Staff_List.lnk) and a hidden folder (Resources).
- The LNK file executes a base64-encoded PowerShell script when opened.
- The script extracts Resources.zip and runs R.bat.
- R.bat first tries to extract the files with PowerShell; if that fails, it downloads 7-Zip and extracts them with it.
- Creates a Scheduled Task for Notepad++.exe to run every 15 minutes.
- Notepad++.exe is the legitimate executable, dropped alongside a malicious DLL so that it loads the DLL (DLL hijacking).
- Malicious DLL decrypts strings to perform persistence checks and establish registry run keys.
- Attempts to clean up traces after executing the payloads.
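A detection sketch for the two most visible steps of this chain, the explorer-spawned PowerShell carrying a base64 -EncodedCommand that unpacks an archive and runs a .bat, and the schtasks registration of Notepad++.exe at a minute interval from outside its install directory, as an added example that is not from the report or its author. The event records are constructed, and the field names and the "trusted" Notepad++ install paths are assumptions.

```python
import base64
import re

# Constructed sample process-creation records (not from the report); field names follow a Sysmon Event ID 1 style feed.
STAGE_CMD = 'Expand-Archive "$env:TEMP\\Resources.zip" -DestinationPath $env:TEMP; & "$env:TEMP\\R.bat"'
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",  # a double-clicked LNK runs under explorer
     "cmdline": "powershell.exe -w hidden -enc "
                + base64.b64encode(STAGE_CMD.encode("utf-16-le")).decode()},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe",  # R.bat registering persistence
     "cmdline": r'schtasks /create /sc minute /mo 15 /tn "Updater" '
                r'/tr "C:\Users\user\AppData\Roaming\Resources\Notepad++.exe" /f'},
    {"image": r"C:\Program Files\Notepad++\notepad++.exe",
     "parent": r"C:\Windows\explorer.exe",  # benign: the real install path
     "cmdline": r'"C:\Program Files\Notepad++\notepad++.exe" notes.txt'},
]

# -EncodedCommand accepts any unambiguous prefix; the payload is base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Directories where a scheduled Notepad++.exe is expected to live (assumed list).
TRUSTED_NPP_DIRS = (r"c:\program files\notepad++", r"c:\program files (x86)\notepad++")

def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload as text, or None if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def check_event(ev):
    """Return finding tags for one process-creation record (empty list if nothing fired)."""
    findings = []
    image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"]
    # Stage 1: explorer-spawned PowerShell whose hidden payload unpacks an archive / runs a .bat.
    if image.endswith("powershell.exe") and parent.endswith("explorer.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded and re.search(r"expand-archive|\.bat\b|7z", decoded, re.I):
            findings.append("encoded-powershell-archive-stage")
    # Stage 2: minute-interval task that runs Notepad++.exe from outside its install directory.
    if image.endswith("schtasks.exe"):
        target = re.search(r'/tr\s+"?([^"]+?\.exe)', cmd, re.I)
        every = re.search(r"/sc\s+minute\s+/mo\s+(\d+)", cmd, re.I)
        if target and every:
            path = target.group(1).lower()
            if path.endswith("notepad++.exe") and not path.startswith(TRUSTED_NPP_DIRS):
                findings.append(f"notepadpp-task-untrusted-path-every-{every.group(1)}m")
    return findings
```

Run `check_event` over each record in a real feed; the benign third record shows that a Notepad++.exe started from its normal install path does not fire.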
MITRE Techniques:
- Execution (T1203) - The LNK file executes a base64-encoded PowerShell script.
- Command and Control (T1071) - Uses HTTP(S) to download additional payloads from the specified URL.
- Persistence (T1547) - Creates a Scheduled Task for Notepad++.exe to run at intervals.
- DLL Side-Loading (T1073) - Uses a malicious DLL that hijacks the legitimate Notepad++ executable.
- Exploitation for Client Execution (T1203) - The malicious PowerShell script and batch files rely on the user opening the LNK file.
Indicators of Compromise:
- [File Name] CNP_MFA_Meeting_Documents.zip
- [File Name] Meeting_Staff_List.lnk
- [File Name] Resources.zip
- [File Name] R.bat
- [File Name] Notepad++.exe
Full Story: https://dmpdump.github.io/posts/Unattributed_Downloader_Cambodia/