The infamous APT-C-24 menace actor group, generally referred to as Sidewinder or Rattlesnake, has advanced its assault methodology by deploying refined LNK file-based phishing campaigns focusing on authorities, power, navy, and mining sectors throughout South Asia.
Lively since 2012, this superior persistent menace group has shifted away from its conventional exploitation of Microsoft Workplace vulnerabilities, as a substitute embracing a extra stealthy strategy utilizing weaponized shortcut recordsdata to execute distant malicious scripts.
Current assault samples found by safety researchers reveal a fastidiously orchestrated marketing campaign the place victims obtain compressed archives containing three malicious LNK recordsdata, every designed with twin extensions resembling “file 1.docx.lnk,” “file 2.docx.lnk,” and “file 3.docx.lnk.”
These misleading filenames are strategically crafted to seem as legit doc recordsdata, exploiting person belief and rising the probability of execution.
The attackers have refined their supply mechanism to maximise an infection chance by offering a number of entry factors inside a single bundle.
Ctfiot analysts recognized that these LNK recordsdata leverage the Microsoft HTML Utility Host (MSHTA) program to execute malicious scripts hosted on distant command-and-control servers.
The distant URLs exhibit a particular sample, terminating with parameters “yui=0,” “yui=1,” and “yui=2,” serving as distinctive identifiers for every variant whereas sustaining purposeful similarity throughout all three recordsdata.
Assault Course of (Supply – Ctfiot)
The assault methodology demonstrates refined environmental consciousness capabilities, with the malicious scripts performing complete system reconnaissance earlier than continuing with payload deployment.
Upon execution, the preliminary JavaScript element conducts anti-analysis checks by querying system specs by means of Home windows Administration Instrumentation (WMI), particularly analyzing processor core counts and bodily reminiscence allocation to tell apart between real goal environments and safety analysis sandboxes.
Superior Evasion and Payload Deployment Mechanisms
The group’s technical sophistication turns into evident of their multi-layered obfuscation methods and conditional payload supply system.
The preliminary HTML utility performs twin performance by concurrently deploying decoy content material to keep up sufferer deception whereas establishing persistence by means of memory-resident assault parts.
The malicious script queries processor cores utilizing “SELECT NumberOfCores FROM Win32_Processor” and requires a minimal of two cores alongside 810MB of bodily reminiscence earlier than continuing with payload decryption.
As soon as environmental checks go validation, the script employs Base64 decoding mixed with XOR encryption to decrypt and reflectively load a closely obfuscated C# downloader element.
This refined payload performs safety software program detection, scanning for processes related to Kaspersky, ESET, and different endpoint safety options earlier than establishing communication with command-and-control infrastructure.
The attackers exhibit operational safety consciousness by quickly rotating compromised domains and selectively delivering superior payloads solely to victims assembly particular focusing on standards, considerably complicating safety analysis efforts and menace searching actions.
Enhance your SOC and assist your crew defend your small business with free top-notch menace intelligence: Request TI Lookup Premium Trial.
