New ZipLine Campaign Targets Critical Manufacturing Firms with In-Memory MixShell Malware

Check Point Research has uncovered a highly persistent phishing operation dubbed ZipLine, which reverses traditional attack vectors by exploiting victims’ own “Contact Us” web forms to initiate seemingly legitimate business communications.

Targeting primarily U.S.-based manufacturing companies in supply chain-critical sectors, the campaign leverages prolonged email exchanges often spanning weeks to build trust before delivering malicious ZIP archives.

Initial Access Tactics

Attackers pose as potential partners, discussing non-disclosure agreements (NDAs) or, in recent waves, AI transformation initiatives framed as internal “AI Impact Assessments” to solicit victim input on operational efficiencies.

AI-Themed Phishing Email Used in ZipLine Campaign

This social engineering approach avoids reputation-based detections, as the victim initiates the email thread, and incorporates credible domains mimicking registered U.S. LLCs with templated websites featuring stock images for added legitimacy.

The payloads are hosted on abused platforms like Heroku, with dynamic content potentially tailored based on victim metadata such as IP addresses or user agents, ensuring stealthy delivery of in-memory implants without immediate suspicion.

The infection chain begins with a ZIP file containing benign lure documents (a PDF and a DOCX) alongside a malicious LNK shortcut.

This LNK executes a PowerShell loader that scans predefined directories (e.g., Desktop, Downloads, Temp) for the ZIP, locates an embedded script via a marker string like “xFIQCV,” extracts it, bypasses AMSI by setting amsiInitFailed to true, and runs the script in memory after stripping “#” characters.

Persistence is achieved through TypeLib hijacking, modifying the registry CLSID {EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B} to point to a malicious SCT file, which relaunches the payload via cmd.exe upon system events like Explorer invocations.

The script then decrypts XOR-encrypted shellcode (Base64-encoded) based on system architecture, using System.Reflection.Emit for in-memory execution via VirtualAlloc, minimizing disk footprints.
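A defender-side triage of the lure archive layout described in this chain, added here as an illustration and not code from Check Point Research or from the article: it lists the archive entries, flags a .lnk shortcut sitting beside decoy documents, and looks for the "xFIQCV" marker the loader uses to find its embedded script, recovering the text with the "#" noise stripped so an analyst can read it. Where exactly the script sits relative to the ZIP structure is an assumption (the example appends it after the archive data), and the sample archive is constructed.

```python
"""Triage a suspicious ZIP for the ZipLine lure layout: decoy PDF/DOCX files, a
.lnk shortcut, and a PowerShell script hidden in the archive bytes behind a
marker string ("xFIQCV" in the article) with "#" characters sprinkled in as
noise.  Added defender-side example; where the script sits relative to the ZIP
structure is an assumption (here it is appended after the archive)."""
import io
import zipfile

MARKER = b"xFIQCV"               # marker string quoted in the article
LURE_EXTS = (".pdf", ".docx")    # decoy document types named in the article


def triage_zip(data: bytes) -> dict:
    """Inspect one archive given as raw bytes and return analyst-facing findings."""
    findings = {"lnk_entries": [], "lure_entries": [],
                "marker_found": False, "recovered_script": None}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            low = name.lower()
            if low.endswith(".lnk"):
                findings["lnk_entries"].append(name)
            elif low.endswith(LURE_EXTS):
                findings["lure_entries"].append(name)
    # Locate the hidden script the same way the loader does (by marker), but
    # only to hand the decoded text to an analyst, never to run it.
    start = data.find(MARKER)
    if start != -1:
        findings["marker_found"] = True
        body = data[start + len(MARKER):]
        end = body.find(MARKER)           # assumed closing marker, if present
        if end != -1:
            body = body[:end]
        findings["recovered_script"] = body.replace(b"#", b"").decode("utf-8", "replace")
    # An LNK beside decoys plus the marker is the combination worth escalating.
    findings["suspicious"] = bool(findings["lnk_entries"]) and findings["marker_found"]
    return findings


def build_sample_archive(with_payload: bool = True) -> bytes:
    """Constructed sample archive; not a real ZipLine file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("NDA_Draft.pdf", b"%PDF-1.4 decoy")
        zf.writestr("AI_Impact_Assessment.docx", b"PK decoy")
        zf.writestr("Open_Me.lnk", b"L\x00\x00\x00 placeholder shortcut bytes")
    data = buf.getvalue()
    if with_payload:
        hidden = b"W#ri#te-Ho#st 'he#llo'"   # "#" inserted as obfuscation noise
        data += MARKER + hidden + MARKER
    return data


if __name__ == "__main__":
    for label, blob in (("lure", build_sample_archive()),
                        ("clean", build_sample_archive(False))):
        print(label, triage_zip(blob))
```

Running the file prints findings for the constructed lure archive and for a clean control; in practice `triage_zip` would be pointed at archives quarantined from the directories the loader is described as searching (Desktop, Downloads, Temp).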

Social engineering flow of the ZipLine campaign.

MixShell Implant

At the core of ZipLine is MixShell, a custom shellcode-based backdoor that resolves Windows APIs via ROR4 hashing for evasion, parses an XOR-encrypted configuration block containing parameters like DNS domains, XOR keys, and lure names, and establishes a mutex from system identifiers (ProductId, InstallDate, SerialNumber) to ensure single-instance operation.

Command-and-control (C2) prioritizes DNS TXT tunneling with HTTP fallback, formatting subdomains as ... for chunked, encrypted data transmission limited to 60 characters per query.

Supported commands include file operations, command execution via pipes, and reverse proxying for network pivoting, where MixShell relays traffic through handshakes involving zero-byte messages and dynamic IP/port redirects.

A PowerShell variant of MixShell enhances evasion by scanning for debuggers (e.g., WinDbg, Wireshark), sandbox artifacts (e.g., VBox pipes), and virtualization indicators (e.g., low RAM/CPU cores), while using scheduled tasks for persistence and CRC32-hashed ProductIDs for victim fingerprinting.

Infrastructure analysis reveals domains like tollcrm[.]com resolving to IPs such as 172.210.58[.]69, linked to potential management panels and overlapping with prior campaigns like TransferLoader, suggesting ties to financially motivated actors like UNK_GreenSec.

Victimology spans industrial manufacturing, semiconductors, biotech, and energy sectors, with over 80% U.S.-focused, targeting both enterprises and SMBs for proprietary data or supply chain exploitation.

Defenders should monitor inbound web-form submissions, unusually extended correspondence, and DNS anomalies. Check Point Harmony Email & Collaboration employs AI-driven analysis to thwart such multi-stage threats through contextual phishing detection and threat emulation.

Indicators of Compromise (IOCs)

Hashes:
e69d8b96b106816cb732190bc6f8c2693aecb6056b8f245e2c15841fcb48ff94
d39e177261ce9a354b4712f820ada3ee8cd84a277f173ecfbd1bf6b100ddb713
f531bec8ad2d6fddef89e652818908509b7075834a083729cc84eef16c6957d2
2c7bc0ebbbfa282fc3ed3598348d361914fecfea027712f47c4f6cfcc705690f
71dec9789fef835975a209f6bc1a736c4f591e5eeab20bdff63809553085b192
83b27e52c420b6132f8034e7a0fd9943b1f4af3bdb06cdbb873c80360e1e5419
f5a80b08d46b947ca42ac8dbd0094772aa3111f020a4d72cb2edc4a6c9c37926
15d024631277f72df40427b8c50e354b340fac38b468f34826cc613b4650e74c
155bccbd11066ce5bf117537d140b920f9b98eaa0d3b86bdc8a04ac702a7a1ef
4dcff9a3a71633d89a887539e5d7a3dd6cc239761e9a42f64f42c5c4209d2829
d6e1e4cc89c01d5c944ac83b85efa27775103b82fece5a6f83be45e862a4b61e
81c1a8e624306c8a66a44bfe341ec70c6e3a3c9e70ac15c7876fcbbe364d01cd
36b065f19f1ac2642c041002bc3e28326bec0aa08d288ca8a2d5c0d7a82b56e6
f44107475d3869253f393dbcb862293bf58624c6e8e3f106102cf6043d68b0af


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.