Operation ShadowCat Uses a Weaponized Office Document Lure to Attack Users in India


Researchers have identified a new attack campaign, "Operation ShadowCat", that uses malicious LNK files distributed via spam emails. Opening the LNK triggers a PowerShell script that drops a .NET loader and a decoy Word document.

The loader fetches a PNG image with a Gzip-compressed payload hidden inside it (steganography), decompresses the payload in memory, and injects it into a PowerShell process for execution. Because the payload is never written to disk as an executable, file-based detection has little to inspect.


The final payload is a Go-based RAT that grants attackers extensive control over the victim’s system, including file manipulation, command execution, network scanning, data exfiltration, and credential extraction for lateral movement.   

Overview of the Attack 

The attack begins with a .LNK file disguised as a Word document. Opening it runs a malicious PowerShell script that checks the victim's geo-location and aborts in excluded countries, hides its strings through character-level obfuscation, deletes the original LNK (self-destructs) and replaces it with a decoy document, and finally generates and executes a malicious DLL at run time. Each of these stages is there to keep the payload out of sight of detection until it runs.
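As an added example (not code from the article or from the researchers' report), the following Python parser reads the Shell Link header and StringData fields of a .lnk file and flags the combination this campaign relies on: a PowerShell target, a window kept out of sight, and a Word icon on a file that is not a document. The sample shortcut, its relative path, command line and icon path are all constructed for the demonstration; nothing here is taken from the real lure.

```python
"""Minimal MS-SHLLINK (.lnk) triage parser. Added example; the sample shortcut
built at the bottom is constructed and is not the campaign's file."""
import struct

LNK_HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} in its on-disk (little-endian) layout
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional structures follow the header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO           = 0x02
HAS_NAME                = 0x04
HAS_RELATIVE_PATH       = 0x08
HAS_WORKING_DIR         = 0x10
HAS_ARGUMENTS           = 0x20
HAS_ICON_LOCATION       = 0x40
IS_UNICODE              = 0x80
STRING_DATA_ORDER = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
SW_SHOWMINNOACTIVE = 7   # ShowCommand that opens the console minimised and unfocused


def parse_lnk(data):
    """Return the triage-relevant fields of a Shell Link file as a dict."""
    if (len(data) < LNK_HEADER_SIZE or data[:4] != struct.pack("<I", LNK_HEADER_SIZE)
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"show_command": show_cmd}
    width = 2 if flags & IS_UNICODE else 1       # StringData: CountCharacters + chars
    for bit, name in STRING_DATA_ORDER:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
            pos += 2 + count * width
    return fields


def triage_lnk(fields):
    """List the reasons a shortcut deserves a closer look (empty list = nothing notable)."""
    reasons = []
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    icon = fields.get("icon_location", "").lower()
    if "powershell" in target or "pwsh" in target:
        reasons.append("target launches PowerShell")
    if any(k in target for k in ("-w hidden", "-windowstyle hidden", "-enc", "bypass", "iex", "downloadstring")):
        reasons.append("arguments carry common evasion/download switches")
    if fields.get("show_command") == SW_SHOWMINNOACTIVE:
        reasons.append("window is shown minimised and inactive")
    if "winword" in icon or icon.endswith(".docx"):
        reasons.append("icon borrowed from Word to pose as a document")
    return reasons


# --- constructed sample shortcut (hypothetical paths, not the campaign's) ---
def _string_data(s):
    enc = s.encode("utf-16-le")
    return struct.pack("<H", len(enc) // 2) + enc


def build_lnk(relative_path, arguments, icon_location, show_command=SW_SHOWMINNOACTIVE):
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    id_list = struct.pack("<H", 4) + b"\x02\x00\x00\x00"   # one empty ItemID + TerminalID
    return header + id_list + _string_data(relative_path) + _string_data(arguments) + _string_data(icon_location)


SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r'-w hidden -ep bypass -c "Write-Host constructed-sample"',
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
)

if __name__ == "__main__":
    fields = parse_lnk(SAMPLE_LNK)
    for k, v in fields.items():
        print(f"{k:14} {v}")
    for reason in triage_lnk(fields):
        print("FLAG:", reason)
```

The parser stops after StringData and ignores ExtraData blocks, which is enough for first-pass triage; a full investigation would also decode the LinkTargetIDList and the TrackerDataBlock (machine name, volume IDs) that often identify the builder's environment.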

 Malicious PowerShell script 

The PowerShell Script Employs Geo-Fencing

The script first determines the victim's home region with the Get-WinHomeLocation cmdlet and exits if the country is on a predefined exclusion list. Note that this cmdlet reports the region configured in Windows settings, not the machine's physical or network location, so the check is cheap to pass in a sandbox. The script then decodes its obfuscated strings, which hold the commands and payload data used by the later stages.

It then builds the lure: it locates and deletes the LNK files matching its own size and drops a DOCX decoy in their place, so the victim sees only the Word document they expected to open.

Obfuscated strings 

The decoy is styled as a parliamentary question, which indicates a targeted campaign aimed at people who follow Indian politics.

On execution, the PowerShell script reconstructs the .NET loader DLL from Base64-encoded data and loads it.

The loader then retrieves a seemingly innocuous PNG image and extracts the shellcode hidden in it, checking whether the system is 32- or 64-bit to pick the matching payload.

The shellcode was generated with Donut, an open-source tool that wraps .NET assemblies and other binaries into position-independent shellcode, and is loaded straight into memory for execution rather than written to disk.
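Added example, not code from the article or the campaign: a triage script that walks a PNG chunk by chunk and carves any complete Gzip stream hidden in a non-standard chunk or appended after IEND, the two simplest ways to smuggle a compressed payload in an image without changing how it renders. The 1x1 sample PNG, the private chunk name prIv and the payload bytes are constructed here; the exact embedding layout the campaign uses is not described on the page and is not assumed.

```python
"""PNG steganography triage: find Gzip payloads hidden in non-standard chunks or
after IEND. Added example; the sample image and payloads are constructed."""
import struct
import zlib
import gzip

PNG_SIG = b"\x89PNG\r\n\x1a\n"
GZIP_MAGIC = b"\x1f\x8b\x08"          # ID1, ID2, CM = deflate
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf", b"acTL", b"fcTL", b"fdAT",
}


def png_chunk(ctype, data):
    """Serialise one chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def split_png(png):
    """Return (chunks, trailer): chunks is a list of (type, data, crc_ok);
    trailer is every byte after the IEND chunk, which a clean PNG leaves empty."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    chunks, pos = [], len(PNG_SIG)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack_from(">I4s", png, pos)
        if pos + 12 + length > len(png):          # truncated chunk: treat rest as trailer
            break
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack_from(">I", png, pos + 8 + length)
        crc_ok = crc == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        chunks.append((ctype, data, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, png[pos:]


def carve_gzip(blob):
    """Return (offset, decompressed) for every complete Gzip member found in blob."""
    found, start = [], 0
    while True:
        off = blob.find(GZIP_MAGIC, start)
        if off == -1:
            return found
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)   # gzip wrapper, verifies CRC32/ISIZE
        try:
            out = d.decompress(blob[off:])
            if d.eof:                                      # reached a valid end-of-stream
                found.append((off, out))
        except zlib.error:
            pass                                           # chance hit on the 3-byte magic
        start = off + 1


def find_hidden_payloads(png):
    """Report non-standard chunks, CRC mismatches and carved Gzip payloads."""
    chunks, trailer = split_png(png)
    findings = []
    for ctype, data, crc_ok in chunks:
        where = "chunk " + ctype.decode("latin-1")
        if ctype not in STANDARD_CHUNKS:
            findings.append((where, "non-standard chunk type", b""))
        if not crc_ok:
            findings.append((where, "CRC mismatch", b""))
        for off, payload in carve_gzip(data):
            findings.append((where, f"gzip stream at data offset {off}", payload))
    if trailer:
        findings.append(("trailer", f"{len(trailer)} bytes after IEND", b""))
        for off, payload in carve_gzip(trailer):
            findings.append(("trailer", f"gzip stream at offset {off}", payload))
    return findings


def build_png(extra_chunks=(), trailer=b""):
    """Build a valid 1x1 8-bit greyscale PNG, optionally with extra chunks and a trailer."""
    out = PNG_SIG + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    for ctype, data in extra_chunks:
        out += png_chunk(ctype, data)
    out += png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))   # filter byte + one pixel
    return out + png_chunk(b"IEND", b"") + trailer


# --- constructed sample: hypothetical private chunk "prIv" plus data after IEND ---
PAYLOAD_A = b"constructed payload A (in private chunk)"
PAYLOAD_B = b"constructed payload B (after IEND)"
SAMPLE_PNG = build_png([(b"prIv", gzip.compress(PAYLOAD_A))], gzip.compress(PAYLOAD_B))

if __name__ == "__main__":
    for where, what, payload in find_hidden_payloads(SAMPLE_PNG):
        print(f"{where:12} {what}" + (f" -> {payload!r}" if payload else ""))
```

Both hiding places leave the image viewable, which is why a rendered thumbnail proves nothing; the chunk walk and the trailer check are what catch them. Lowercase-first-letter chunk names are ancillary and routinely skipped by decoders, so any unrecognised one in a file that arrived from a loader is worth carving.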

Steganography PNG Image 

The loader carries the Windows API names it needs in encrypted form and decrypts them at run time, so they do not appear as plain strings in the binary. It then spawns a PowerShell process in a suspended state, allocates memory in it, and writes the shellcode and the embedded payload into that memory.

Next it queues an asynchronous procedure call (APC) pointing at the shellcode on the suspended process's main thread and resumes the thread; the APC fires as the thread starts, running the shellcode, which in turn loads and executes the embedded payload. This is the "early bird" APC injection pattern: on the defensive side it shows up as a PowerShell process created with CREATE_SUSPENDED by an unexpected parent, followed by cross-process memory writes and a QueueUserAPC into that process before it has run a single instruction of its own.

XOR operation to decrypt strings 

Analysts at Cyble Research and Intelligence Labs identified the final payload as an 8.4 MB Go binary built on publicly available libraries, among them Yamux (stream multiplexing over a single connection) and secsy/goftp (an FTP client), which it uses for covert communication and file transfer.

The payload behaves as a remote access trojan (RAT): it can list and traverse directories, manipulate files (create, read, write and so on), terminate processes, scan the network, and run credential-theft tools such as Mimikatz and Rubeus.

Command-and-control traffic runs over WebSockets on port 443, where it blends in with ordinary HTTPS, and the RAT also appears to offer Netcat-like raw connection features for remote control.

Notably, the geo-fencing excludes Russian-speaking regions, which the researchers read as a hint that the operators are a financially motivated ransomware-as-a-service (RaaS) group with possible Russian ties.
