Security researchers have observed a sophisticated campaign in recent weeks targeting critical infrastructure and government entities across South Asia.
Dubbed the DarkSamural operation, this attack chain leverages deceptively crafted LNK and PDF files to infiltrate networks, establish persistence, and exfiltrate sensitive information.
Initial analysis indicates that the adversaries disguise malicious MSC (Microsoft Management Console) files with familiar PDF icons, enticing recipients to inadvertently launch the embedded scripts.
As the campaign unfolds, stolen credentials and system metadata flow back to the attackers’ command-and-control servers, enabling further lateral movement.
The infection begins with a spear-phishing email containing a compressed archive. Recipients are presented with a file named Drone_Information.pdf[.]msc, which, despite its PDF-like appearance, executes when double-clicked.
Ctfiot analysts noted that these MSC files employ the GrimResource technique to unpack and run obfuscated JavaScript, which in turn downloads a second-stage payload.
This multi-layered approach impedes signature-based detection, as each stage appears benign until deobfuscation occurs.
Researchers identified that the malicious script contacts a remote URL and retrieves a disguised DLL, eventually stored under C:\ProgramData\DismCore[.]dll for subsequent execution.
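The lure described above (a .msc console file hiding behind a .pdf double extension, with a StringTable bound to the GrimResource CLSID and a remote script reference) can be triaged statically before anyone double-clicks it. The following is an added example, not code from the original article or from the Ctfiot analysts: a minimal parser that walks an MSC file's XML, flags the apds CLSID quoted later on the page, remote URLs and script/XSL content inside StringTable entries, and checks the filename for a document-style double extension. The two MSC documents embedded below are constructed for the example; the URL in them is a placeholder, not the campaign's real one, and the exact tag layout follows the public MMC console format but is simplified.

```python
import re
import xml.etree.ElementTree as ET

# CLSID that the article reports in the malicious StringTable; GrimResource
# abuses this apds.dll entry to reach the XSLT/script execution path in mmc.exe.
GRIMRESOURCE_CLSID = "{71E5B33E-1064-11D2-808F-0000F875A9CE}"

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<\s*script\b|\beval\s*\(|xsl:stylesheet", re.IGNORECASE)
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")

# Constructed sample: a GrimResource-style console file with a placeholder URL.
SAMPLE_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="User">
  <StringTables>
    <StringTable>
      <GUID>{71E5B33E-1064-11D2-808F-0000F875A9CE}</GUID>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">https://example.invalid/Unit-942-Drone-Info.html</String>
        <String ID="3" Refs="1">&lt;script&gt;eval(unescape('payload'))&lt;/script&gt;</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Constructed benign sample: ordinary strings, GUID is an all-zero placeholder.
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="User">
  <StringTables>
    <StringTable>
      <GUID>{00000000-0000-0000-0000-000000000000}</GUID>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">Services (Local)</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""


def spoofed_document_name(filename):
    """True when a .msc hides behind a document-looking double extension."""
    name = filename.lower()
    return name.endswith(".msc") and any(name[:-4].endswith(e) for e in DOC_EXTS)


def triage_msc(xml_text, filename=""):
    """Return a verdict and the list of reasons for a single MSC file."""
    findings = []
    if filename and spoofed_document_name(filename):
        findings.append(f"double-extension lure: {filename}")
    root = ET.fromstring(xml_text)
    if root.tag != "MMC_ConsoleFile":
        return {"suspicious": False, "findings": ["not an MMC console file"]}
    for table in root.iter("StringTable"):
        guid = (table.findtext("GUID") or "").strip().upper()
        if guid == GRIMRESOURCE_CLSID:
            findings.append(f"StringTable bound to apds CLSID {guid}")
        for s in table.iter("String"):
            text = s.text or ""  # ElementTree has already unescaped &lt; to <
            for url in URL_RE.findall(text):
                findings.append(f"remote reference in String ID={s.get('ID')}: {url}")
            if SCRIPT_RE.search(text):
                findings.append(f"script/XSL content in String ID={s.get('ID')}")
    return {"suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for name, doc in (("Drone_Information.pdf.msc", SAMPLE_MSC), ("services.msc", BENIGN_MSC)):
        verdict = triage_msc(doc, name)
        print(name, "->", "SUSPICIOUS" if verdict["suspicious"] else "clean")
        for f in verdict["findings"]:
            print("   ", f)
```

The CLSID match alone is a strong signal, since legitimate consoles have no reason to bind a StringTable to that entry; the URL and script checks catch variants that swap the CLSID for another reachable path.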
DarkSamural's impact extends well beyond initial access.
Victims have reported unauthorized file transfers, browser credential theft, and even remote shell access.
The combination of open-source and proprietary RATs, including Mythic, QuasarRAT, and BADNEWS, grants the attackers versatile control over compromised machines.
Files harvested range from administrative documents to proprietary research, underscoring the campaign’s strategic focus on exfiltrating high-value targets.
Further analysis reveals that the malicious DLL embeds an export function, DllRegisterServer, which dynamically resolves critical Windows APIs.
Upon execution, the sample gathers host details such as machine name, user account, and process ID, packaging them into a JSON check-in packet.
This packet is encrypted with AES-128-GCM and transmitted to the C2 endpoint over WinHTTP. The resulting network artifacts mimic legitimate update traffic, complicating anomaly detection.
Infection Mechanism and Obfuscation
A closer examination of the MSC file’s internal structure uncovers a multi-layered obfuscation scheme designed to thwart reverse engineering.
The initial JavaScript code, embedded in an XML StringTable, triggers an XSL transformation that launches mmc[.]exe with a remote script reference.
CLSID referenced in the StringTable: {71E5B33E-1064-11D2-808F-0000F875A9CE}
Remote script URL: https[:]//caapakistaan[.]com/.../Unit-942-Drone-Info-MAK3[.]html
After fetching the second layer, the script reverses character sequences, substitutes tokens, converts to hexadecimal, and performs Base64 decoding to produce the final DLL.
The decoding routine, reproduced below in Python with the defanged dots restored, exemplifies this transformation:

```python
import base64


def decode(s):
    # Step 1: reverse the character sequence
    c = s[::-1]
    # Step 2: undo the token substitution ($ -> 4, ! -> 1)
    c = c.replace("$", "4").replace("!", "1")
    # Step 3: hex-decode each pair of characters back to a byte value
    d = "".join(chr(int(c[i:i + 2], 16)) for i in range(0, len(c), 2))
    # Step 4: Base64-decode the result to obtain the final DLL bytes
    return base64.b64decode(d)
```
Subsequently, the decoded bytes are written to disk and registered as a COM server, ensuring execution on system startup.
This layered obfuscation, combined with scheduled task creation, illustrates DarkSamural’s meticulous approach to infection and evasion.
Cybersecurity teams should inspect MSC file behavior, monitor anomalous mmc[.]exe invocations, and validate script-based downloads against known artifact hashes to detect and disrupt this campaign.