This article discusses a sophisticated phishing attack that opens with a deceptive email presenting a job offer. The attack delivers a password-protected ZIP file containing an LNK file that, when opened, executes commands to establish persistence and deploy a malicious DLL. It details the techniques the threat actor used to carry out the attack and notes that the operation bears similarities to prior attacks attributed to the APT37 group. Affected: United Industrial Complex, individuals targeted by the phishing email, cybersecurity sector.
Key points:
- The attack starts with a phishing email posing as a job offer.
- A password-protected ZIP file is attached to the email.
- The ZIP file contains an LNK file that, when opened, executes PowerShell commands.
- The PowerShell commands perform various actions, including copying files and executing a malicious .NET application.
- The .NET application, d.exe, loads an obfuscated DLL, DomainManager.dll.
- DomainManager.dll implements various checks to confirm internet connectivity and avoid detection.
- The article draws parallels with previous attacks attributed to the APT37 group.
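The chain in the key points (shortcut opened from Explorer, PowerShell copying a payload into the Startup folder, the payload later running from there) can be hunted for in process-creation telemetry. The following is an added example, not code from the article; it runs over constructed Sysmon-style events whose field names (Image, ParentImage, CommandLine) are an assumption, and the file names it matches are the ones in the article's IoC list.

```python
import re

# Per-user or all-users Startup folder, matched as a path fragment
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# File names taken from the article's IoC list
KNOWN_FILES = ("d.exe", "domainmanager.dll")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the reasons one process-creation event matches the reported chain."""
    reasons = []
    image, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if image in POWERSHELL and parent == "explorer.exe":
        reasons.append("powershell spawned by explorer.exe (user opened a shortcut)")
    if image in POWERSHELL and STARTUP_DIR.search(cmd):
        reasons.append("powershell command line references the Startup folder")
    if STARTUP_DIR.search(ev.get("Image", "")):
        reasons.append("process image runs from the Startup folder")
    for name in KNOWN_FILES:
        if name in cmd.lower() or name == image:
            reasons.append("known file name from the report: " + name)
    return reasons


def hunt(events):
    """Return (EventId, reasons) for every event with at least one match."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append((ev["EventId"], reasons))
    return hits


# Constructed sample events: one LNK-style copy to Startup, one benign shell, one run from Startup
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -c Copy-Item 'C:\Users\u\AppData\Local\Temp\d.exe' "
                    r"'C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d.exe'"},
    {"EventId": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe", "CommandLine": "powershell.exe -NoLogo"},
    {"EventId": 3, "Image": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "d.exe"},
]

if __name__ == "__main__":
    for event_id, reasons in hunt(SAMPLE_EVENTS):
        print(event_id, "; ".join(reasons))
```

Any single rule here fires on benign activity too; the value is in the combination (Explorer-spawned PowerShell writing to Startup, then a new image running from Startup), which is worth correlating per user session rather than alerting on each event.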
MITRE Techniques:
- T1203 – Exploitation for Client Execution: The adversary exploits the user’s interaction with the malicious email attachment to execute commands.
- T1059.001 – Command and Scripting Interpreter: PowerShell used to execute commands for persistence and malicious activity.
- T1547.001 – Boot or Logon Autostart Execution: The malicious executable is placed in the Startup folder to maintain persistence.
- T1040 – Network Sniffing: The loader checks internet connectivity by issuing network requests.
- T1064 – Scripting: The script in the PowerShell command is used to handle file operations and execute payloads.
Indicators of Compromise:
- [File] Предложение о работе.zip
- [File] Предложение о работе.pdf.lnk
- [File] d.exe
- [File] DomainManager.dll
- [URL] hxxps://hwsrv-1253398.hostwindsdns[.]com/307c77ab-f41f-4dd4-a478-2a71b9625f64/c/discountcode.php