Cyber Web Spider Blog – News
DeerStealer Malware Delivered Via Weaponized .LNK Using LOLBin Tools

Posted on July 22, 2025 By CWS

A sophisticated new phishing campaign has emerged, delivering the DeerStealer malware via weaponized .LNK shortcut files that abuse legitimate Windows binaries in a technique known as "Living off the Land" (LOLBin).

The malware masquerades as a legitimate PDF document named "Report.lnk" while covertly executing a complex multi-stage attack chain that leverages mshta.exe, the legitimate Microsoft HTML Application host utility.

The attack represents a significant evolution in malware delivery mechanisms, using Microsoft's own tools to bypass conventional security measures.

The malicious .LNK file initiates a carefully orchestrated execution sequence that progresses through several system binaries before ultimately deploying the DeerStealer payload.

This approach exploits the inherent trust that security systems place in legitimate operating system components, making detection considerably more difficult.

LinkedIn analysts and researchers identified this campaign as particularly concerning because of its sophisticated evasion techniques and its abuse of mshta.exe, catalogued as MITRE ATT&CK technique T1218.005.

The researchers noted that the attack's reliance on dynamic path resolution and obfuscated command execution represents a notable advance in malware sophistication.

Execution Chain and Infection Mechanism

The DeerStealer infection follows a precise five-stage execution chain: .lnk → mshta.exe → cmd.exe → PowerShell → DeerStealer.

The initial .LNK file covertly invokes mshta.exe to execute heavily obfuscated scripts, using wildcard paths to evade signature-based detection systems.

DeerStealer Delivered Via Obfuscated .LNK Using LOLBin Abuse (Source – LinkedIn)

The malware dynamically resolves the full path to mshta.exe within the System32 directory, launching it with specific flags followed by obfuscated Base64 strings.

To maintain stealth during execution, both logging and profiling features are disabled, significantly reducing forensic visibility.

The script employs a sophisticated character-decoding mechanism in which characters are processed in pairs, converted from hexadecimal to ASCII, and then reassembled into executable script via PowerShell's IEX (Invoke-Expression) cmdlet.

This ensures the malicious logic remains hidden until runtime, effectively bypassing static analysis tools.

The final payload delivery involves dynamic URL resolution from obfuscated arrays, simultaneous download of a decoy PDF document to distract victims, and silent installation of the main executable into the AppData directory.

The legitimate PDF opens in Adobe Acrobat as a diversion while the malware establishes persistence.
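As an added example that is not part of the original report, the following Python shows the analyst's side of the chain described above: it walks constructed Sysmon-style process-creation events looking for the mshta.exe → cmd.exe → PowerShell parentage, flags wildcard image paths and IEX in the command line, and undoes the pair-wise hex encoding so the script that IEX would run can be read. The events, the wildcard path and the stage-two string are constructed placeholders, not artefacts from the campaign.

```python
import re
# Constructed Sysmon-style process-creation events; not real telemetry from the campaign.
STAGE2 = "Write-Output 'constructed stage-two placeholder'"  # stands in for the hidden script
HEX = STAGE2.encode().hex()                                     # pair-wise hex, as the report describes
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # the shortcut starts mshta.exe through a wildcard path (constructed command line)
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"C:\Windows\Sys*\mshta.exe vbscript:Execute(...)"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c powershell ..."},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"$h='" + HEX
                + "'; IEX(-join(($h -split '(..)' | ? {$_} | % {[char][convert]::ToInt32($_,16)})))\""},
    # benign sibling: the decoy PDF opened in Acrobat straight from the desktop shell
    {"pid": 500, "ppid": 100, "image": r"C:\Program Files\Adobe\Acrobat.exe", "cmdline": "Acrobat.exe Report.pdf"},
]
SUSPECT_TAIL = ["mshta.exe", "cmd.exe", "powershell.exe"]
HEX_BLOB = re.compile(r"[0-9A-Fa-f]{40,}")  # long hex runs that hide script text

def ancestry(events, pid):
    """Walk ppid links upward; return events from the root ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]

def decode_hex_pairs(blob):
    """Undo the pair-wise hex-to-ASCII encoding so the analyst sees what IEX would run."""
    return bytes.fromhex(blob).decode("ascii", errors="replace")

def detect(events):
    """Flag PowerShell reached via mshta.exe -> cmd.exe and surface the hidden script."""
    findings = []
    for e in events:
        chain = ancestry(events, e["pid"])
        names = [p["image"].rsplit("\\", 1)[-1].lower() for p in chain]
        if names[-3:] != SUSPECT_TAIL:
            continue
        cmd = e["cmdline"]
        blobs = [b for b in HEX_BLOB.findall(cmd) if len(b) % 2 == 0]
        findings.append({
            "pid": e["pid"],
            "chain": " -> ".join(names),
            "wildcard_path": any("*" in (p["cmdline"].split() or [""])[0] for p in chain),
            "iex": bool(re.search(r"\b(iex|invoke-expression)\b", cmd, re.I)),
            "decoded": [decode_hex_pairs(b) for b in blobs],
        })
    return findings
```

Only the PowerShell process whose ancestry ends in mshta.exe → cmd.exe is reported; the Acrobat process launched for the decoy PDF is not, because its parent is the shell alone.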

Key indicators of compromise include the domain tripplefury[.]com and the SHA256 hashes fd5a2f9eed065c5767d5323b8dd928ef8724ea2edeba3e4c83e211edf9ff0160 and 8f49254064d534459b7ec60bf4e21f75284fbabfaea511268c478e15f1ed0db9.
