A cyberattack campaign is abusing everyday Windows scripting tools to get into corporate systems by disguising malware as job application documents. The attack centres on Windows shortcut (LNK) files posing as resumes; opening one starts a multi-stage, stealthy infection process.
Deceptive Techniques in Cyberattacks
These LNK files are engineered to look authentic: the victim sees a convincing resume while scripts run in the background. The attackers chain PowerShell, VBScript and batch (BAT) files to install a backdoor known as Xctdoor, which gives them ongoing access to the compromised machine and is built to avoid triggering security alerts.
AhnLab's ASEC has analysed the full attack chain. Its findings show a multi-layered execution strategy: several script files with random names are written to public system directories, which complicates detection and cleanup.
Targeted Departments and Persistent Threats
This attack specifically targets departments that frequently handle external documents, such as HR, sales, and customer support. Given that resumes are a routine part of these teams’ workflows, the likelihood of inadvertently opening a malicious file is high. Security teams in organizations processing large document volumes face significant challenges in identifying this threat early.
The Xctdoor malware family is designed for sustained access to infected systems. Once planted, it communicates with an external command and control (C&C) server, enabling attackers to execute remote actions at any time. Its persistence mechanisms ensure the malware remains active even after system reboots.
Technical Execution and Mitigation Strategies
When the malicious LNK file is executed, a series of scripts (batch files, PowerShell scripts and VBScript files) is written to C:\Users\Public\Videos. These scripts register a Task Scheduler entry named "Office365" that runs a VBScript every ten minutes, keeping the malware operational across reboots.
The PowerShell script then downloads further files with the curl command; some are Base64-encoded and are decoded into additional PowerShell scripts stored under C:\Users\Public\Pictures. A script named p2.ps1 then creates a startup shortcut and decrypts the downloaded files into an executable and a DLL.
The chain continues with DLL side-loading: the legitimate ProximityUxHost.exe is launched and loads the malicious DLL placed in its search path, so the harmful code runs inside a process that looks normal to the system. Once the DLL is loaded, settings.dat, the Xctdoor backdoor, is injected into that legitimate process.
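As an added example (not code from ASEC's report), the following PowerShell hunt script checks a machine for the artifacts described above and for the Task Scheduler entry that the recommendations below say to review. The task name, drop directories and host binary come from the article; the file-extension list, the regular expressions, the startup-folder check and the function name Find-XctdoorArtifacts are my own assumptions.

```powershell
# Added example, not part of the ASEC write-up. Hunts for the artifacts the article
# describes: a scheduled task running a script host against C:\Users\Public, script and
# binary drops in the public Videos/Pictures folders, startup shortcuts, and a copy of
# ProximityUxHost.exe outside C:\Windows\System32 (the DLL side-loading host).
# Run from an elevated PowerShell so Get-ScheduledTask sees every task.

function Find-XctdoorArtifacts {
    [CmdletBinding()]
    param(
        # Drop directories named in the report; extend if your telemetry shows others.
        [string[]]$DropDirs = @('C:\Users\Public\Videos', 'C:\Users\Public\Pictures'),
        # Task name reported by ASEC; matched exactly in addition to the generic rule.
        [string]$KnownTaskName = 'Office365'
    )

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Type, [string]$Name, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail })
    }

    # 1. Scheduled tasks: any action that launches a script host with a file under
    #    C:\Users\Public, plus the exact task name ASEC observed.
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        $fullName = "$($task.TaskPath)$($task.TaskName)"
        if ($task.TaskName -eq $KnownTaskName) {
            Add-Finding 'ScheduledTask' $fullName "task name matches reported name '$KnownTaskName'"
        }
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match '(?i)\b(wscript|cscript|powershell|pwsh|cmd)(\.exe)?\b' -and
                $cmd -match '(?i)\\Users\\Public\\') {
                Add-Finding 'ScheduledTask' $fullName $cmd.Trim()
            }
        }
    }

    # 2. Files dropped into the public media folders. Scripts, DLLs, executables and
    #    .dat payloads have no business in Videos or Pictures. (Extension list assumed.)
    foreach ($dir in $DropDirs) {
        $files = Get-ChildItem -LiteralPath $dir -File -Recurse -ErrorAction SilentlyContinue |
                 Where-Object { $_.Extension -match '^\.(bat|cmd|vbs|ps1|dll|exe|dat)$' }
        foreach ($f in $files) {
            Add-Finding 'DroppedFile' $f.FullName "last written $($f.LastWriteTime)"
        }
    }

    # 3. Startup shortcuts (p2.ps1 creates one). Resolve each .lnk target with the
    #    WScript.Shell COM object and flag targets under C:\Users\Public or the host binary.
    $startupDirs = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
    )
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $startupDirs) {
        foreach ($lnk in (Get-ChildItem -LiteralPath $dir -Filter *.lnk -ErrorAction SilentlyContinue)) {
            $sc = $shell.CreateShortcut($lnk.FullName)
            $target = "$($sc.TargetPath) $($sc.Arguments)"
            if ($target -match '(?i)\\Users\\Public\\|ProximityUxHost') {
                Add-Finding 'StartupShortcut' $lnk.FullName $target.Trim()
            }
        }
    }

    # 4. The side-loading host copied out of System32. The genuine ProximityUxHost.exe
    #    lives in C:\Windows\System32; a copy under a user-writable directory, with DLLs
    #    beside it, is the setup the article describes.
    $hosts = Get-ChildItem -LiteralPath 'C:\Users' -Recurse -Filter 'ProximityUxHost.exe' -ErrorAction SilentlyContinue
    foreach ($h in $hosts) {
        $sideDlls = Get-ChildItem -LiteralPath $h.DirectoryName -Filter '*.dll' -ErrorAction SilentlyContinue |
                    Select-Object -ExpandProperty Name
        Add-Finding 'SideLoadHost' $h.FullName "DLLs alongside: $($sideDlls -join ', ')"
    }

    return $findings
}

$results = @(Find-XctdoorArtifacts)
if ($results.Count -eq 0) {
    'No Xctdoor-style artifacts found.'
} else {
    $results | Format-Table -AutoSize -Wrap
}
```

The scheduled-task rule is deliberately generic (script host plus a path under C:\Users\Public) so it still fires if the attackers rename the task; the exact "Office365" match is kept only as a cheap confirmation of this specific campaign. Treat every hit as a lead to triage, not as proof of compromise: legitimate software occasionally drops helpers under C:\Users\Public.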
Protective Measures and Recommendations
This multi-stage attack is hard to detect because it layers several disguises: a fake document up front and scheduled scripts that blend into normal activity afterwards. Regularly checking Task Scheduler for suspicious entries and removing them promptly is essential.
ASEC advises users to verify the actual file type and the source of documents from unknown senders before opening them. Note that Explorer never displays the .lnk extension, even when "Hide extensions for known file types" is turned off, so rely on the Type column or the file's Properties dialog rather than the visible name. Known malicious files should be removed from the C:\Users\Public\AppData path during system checks. Keeping up with threat intelligence updates is vital for quickly identifying related indicators.
For full protection, organizations should stay informed on the latest cybersecurity threats and employ stringent document handling protocols.
