Cyble Research and Intelligence Labs (CRIL) has discovered a sophisticated cyber campaign employing malicious LNK files, potentially distributed through spam emails. This intricate operation, possibly orchestrated by the notorious Turla Advanced Persistent Threat (APT) group, employs human rights seminar invitations and public advisories as bait to infiltrate users’ systems with a nefarious payload.
The threat actors (TAs) showcase a high level of sophistication by embedding lure PDFs and MSBuild project files within the .LNK files, ensuring a seamless execution process. Leveraging the Microsoft Build Engine (MSBuild), the TA executes these project files to deploy a stealthy, fileless final payload, acting as a backdoor to facilitate remote control over the compromised system.
Turla APT Group Infection Chain
The attack unfolds with a malicious .LNK file concealed within a ZIP archive, potentially delivered via phishing emails. Upon execution, the .LNK file triggers a PowerShell script, initiating a sequence of operations. These operations include extracting content from the .LNK file and creating three distinct files in the %temp% location: a lure PDF, encrypted data, and a custom MSBuild project.
The disguised .LNK file triggers a PowerShell script, which then opens the lure PDF while silently executing the embedded MSBuild project.
This project file, containing encrypted content, employs the Rijndael algorithm to decrypt data, subsequently executing a final backdoor payload.
The decrypted MSBuild project file, when executed using MSBuild.exe, runs an inline task directly in memory. This task enables the backdoor to initiate various operations, including monitoring processes, executing commands, and communicating with a Command and Control (C&C) server for further instructions.
Threat Actor Attribution to Turla APT Group
According to CRIL, the threat actor behind this campaign is the Turla APT group due to Russian-language comments in the code and behavioral similarities with previous Turla campaigns. The group’s focus on targeting NGOs aligns with the lure documents referencing human rights seminars.
The utilization of MSBuild and other legitimate applications highlights the persistent nature of the threat actor. By exploiting inherent functionalities, the Turla APT group can evade conventional security measures. Organizations must adopt a multi-layered security approach to mitigate risks effectively.
To fortify defenses against sophisticated threats like the Turla APT group, organizations should adopt key cybersecurity measures. This includes implementing robust email filtering to block malicious attachments and exercising caution when handling email attachments from unknown sources.
Limiting access to development tools such as MSBuild to authorized personnel helps prevent misuse while disabling unnecessary scripting languages like PowerShell reduces the risk of exploitation. Establishing network-level monitoring is crucial for detecting and responding to anomalous activities swiftly. These practices collectively enhance security posture, safeguarding sensitive data and systems from cyber threats.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.