Stealthy Fileless Attack Targets US-Taiwan Defense Conference


Cyble Research and Intelligence Labs (CRIL) has uncovered a cyber campaign aimed at attendees of the upcoming US-Taiwan Defense Industry Conference. Apart from a small first-stage loader that is written to disk for persistence, the campaign runs in memory: the later stages are downloaded, decrypted and executed without ever being saved as files, which sidesteps file-based detection while the malware exfiltrates data from the targeted systems.

The campaign detected by CRIL starts with a malicious ZIP archive disguised as a registration form for the conference. The archive carries an LNK (Windows shortcut) file dressed up to look like a PDF document. When the victim opens it, the shortcut drops a lure PDF and a loader, establishes persistence, and hands off to the in-memory stages.

Overview of the Stealthy Fileless Attack Campaign

Figure: Infection chain (Source: Cyble)

When the LNK file is executed, it decodes a lure PDF and a base64-encoded executable from its own command line. The executable, obfuscated with the .NET Confuser protector, is written to the user's Startup folder so that it runs at every logon. Once running, it downloads further content, including an encrypted DLL, from a remote server. The DLL is decrypted and loaded straight into memory, so the decrypted payload never exists on disk where a conventional file scanner could inspect it.

The second-stage loader goes one step further: it downloads C# source code and compiles and executes it entirely in memory. Because neither the source nor the compiled assembly is ever written to disk, there is no second-stage binary or script for file-based detection to catch; only memory forensics or behavioural telemetry will show it.

Technical Analysis

CRIL's investigation did not establish the initial infection vector, though the lure document suggests that spam or phishing email is used to distribute the archive. The ZIP file, named "registration_form.pdf.zip", contains a shortcut with a double extension, "registration_form.pdf.lnk". Windows Explorer never displays the .lnk extension, even when "hide extensions for known file types" is turned off, so the file appears to the user as "registration_form.pdf" with whatever icon the shortcut specifies.

Figure: Contents of registration_form.pdf.lnk (Source: Cyble)

When the LNK file is opened, it runs a series of commands in the background. It decodes base64 blobs embedded in its command line and writes the lure PDF and the loader executable to disk, placing the executable in the Startup folder for persistence. It then opens the lure PDF with the system's default PDF viewer so that the victim sees the expected registration form.
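The shortcut described above can be triaged without ever executing it, because the target, arguments, icon and window state all sit in the Shell Link binary format. The following Python is an added example, not code from the Cyble report: it parses the LNK header and StringData fields (MS-SHLLINK), applies the heuristics the report's description suggests (double extension, interpreter target, borrowed icon, long base64-laden arguments, a write into the Startup folder, a minimised window) and builds a constructed sample shortcut to run against. The sample command line, the `updater.exe` path and the base64 fragment are constructed stand-ins; the real lure's command line is not reproduced here.

```python
"""Triage a Shell Link (.lnk) lure without executing it."""
import re
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1) and the ShowCommand value lures favour
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7          # window minimised and never activated
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

def parse_lnk(data: bytes) -> dict:
    """Read the header, skip IDList/LinkInfo, and decode the StringData fields."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    info = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:            # u16 IDListSize, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # u32 LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    for bit, field in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
        pos += 2
        nbytes = count * 2 if unicode else count
        info[field] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return info

INTERPRETER = re.compile(r"(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|certutil)\.exe$", re.I)
DOC_THEN_LNK = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt)\.lnk$", re.I)
DECODE_HINT = re.compile(r"frombase64string|certutil|-decode|-enc(odedcommand)?\b|iex|invoke-expression", re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)

def triage_lnk(filename: str, data: bytes) -> list:
    """Return human-readable indicators; an empty list means nothing suspicious was found."""
    lnk = parse_lnk(data)
    target, args, icon = (lnk.get(k, "") for k in ("relative_path", "arguments", "icon_location"))
    hits = []
    if DOC_THEN_LNK.search(filename):
        hits.append("double extension: document name ending in .lnk (Explorer never shows .lnk)")
    if INTERPRETER.search(target):
        hits.append(f"target is a script interpreter: {target}")
        if icon and not INTERPRETER.search(icon):
            hits.append(f"icon borrowed from another program: {icon}")
    if len(args) > 200:
        hits.append(f"unusually long argument string ({len(args)} chars)")
    if DECODE_HINT.search(args):
        hits.append("arguments contain decode/execute keywords")
    if B64_RUN.search(args):
        hits.append("arguments embed a long base64 run (likely an embedded payload)")
    if STARTUP_DIR.search(args):
        hits.append("arguments write into the Startup folder (runs at every logon)")
    if lnk["show_command"] == SW_SHOWMINNOACTIVE:
        hits.append("ShowCommand=SW_SHOWMINNOACTIVE hides the console window")
    return hits

def build_lnk(relative_path: str, arguments: str, icon_location: str,
              show_command: int = SW_SHOWMINNOACTIVE) -> bytes:
    """Constructed sample: assemble just the fields a lure needs (no IDList, no LinkInfo)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0, 0, 0, 0, 0, 0,
                         show_command, 0, 0, 0, 0)
    string_data = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                           for s in (relative_path, arguments, icon_location))
    return header + string_data

# Constructed lure modelled on the report's description: cmd.exe -> PowerShell writes a
# base64 blob (here only the first bytes of a PE DOS header) into the Startup folder.
SAMPLE_NAME = "registration_form.pdf.lnk"
SAMPLE_ARGS = ('/c powershell -w hidden -c "[IO.File]::WriteAllBytes('
               "$env:APPDATA+'\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.exe',"
               "[Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA'))\"")
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe", SAMPLE_ARGS,
                       r"%ProgramFiles%\Adobe\Acrobat Reader\AcroRd32.exe")

if __name__ == "__main__":
    for hit in triage_lnk(SAMPLE_NAME, SAMPLE_LNK):
        print(" -", hit)
```

Feed `triage_lnk` the filename and bytes of a quarantined shortcut from the mail gateway or sandbox; the parser ignores the ExtraData blocks at the end of the file, which is fine for triage but means machine identity fields (MAC address, volume serial) are not extracted here.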

The first-stage loader, "updater.exe", runs from the Startup directory. It first checks in with a POST request to a compromised site, sending details of the victim's machine. It then retrieves additional content from an attacker-controlled URL, including a DLL that is base64-encoded and XOR-encrypted. The loader decodes and decrypts the DLL in memory and executes it with .NET's "Assembly.Load" method, which accepts the assembly as a byte array, so the decrypted DLL never touches disk.
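An analyst who captures the loader's download on the wire gets the base64 blob but not the XOR key, which lives inside the obfuscated loader. Because the plaintext is a PE file whose DOS header is almost entirely predictable, the key can be recovered by known-plaintext rather than by reversing the loader. The Python below is an added example, not code from the report: it derives the shortest repeating XOR key consistent with the "MZ" signature and the standard "This program cannot be run in DOS mode" stub, checks the result is a PE image with the CLR metadata signature, and runs against a constructed stand-in DLL encrypted with a constructed key (`c0nf3r`); the campaign's real key and payload are not given in the report and are not reproduced here.

```python
"""Recover the XOR-encrypted, base64-encoded DLL that a .NET loader pulls down.

The key is unknown, but the plaintext is a PE file whose DOS header is almost
entirely predictable; that known plaintext yields the repeating key."""
import base64
import struct

STUB_TEXT = b"This program cannot be run in DOS mode.\r\r\n$"
# Fixed-offset bytes emitted by MSVC and the .NET compilers: MZ signature and DOS stub text
KNOWN_PLAINTEXT = {0x00: b"MZ", 0x4E: STUB_TEXT[:38]}

def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_pe(blob: bytes) -> bool:
    """MZ at offset 0 and 'PE\\0\\0' at e_lfanew: the minimum any PE loader needs."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def is_dotnet_assembly(blob: bytes) -> bool:
    """Managed PEs carry the CLR metadata root signature 'BSJB'."""
    return b"BSJB" in blob

def recover_xor_key(ct: bytes, max_len: int = 32):
    """Shortest repeating key consistent with the known DOS-header bytes that yields a PE."""
    if len(ct) < 0x4E + 38:
        return None
    for klen in range(1, max_len + 1):
        key = [None] * klen
        consistent = True
        for off, plain in KNOWN_PLAINTEXT.items():
            for i, p in enumerate(plain):
                slot, kb = (off + i) % klen, ct[off + i] ^ p
                if key[slot] is None:
                    key[slot] = kb
                elif key[slot] != kb:      # same key slot, different byte: wrong length
                    consistent = False
                    break
            if not consistent:
                break
        if consistent and None not in key:
            candidate = bytes(key)
            if looks_like_pe(xor(ct, candidate)):
                return candidate
    return None

def recover_payload(blob_b64: str):
    """Undo the loader's transform: base64 decode, then XOR with the recovered key."""
    ct = base64.b64decode(blob_b64)
    key = recover_xor_key(ct)
    if key is None:
        raise ValueError("no repeating XOR key up to 32 bytes yields a PE image")
    return key, xor(ct, key)

def build_fake_pe() -> bytes:
    """Constructed stand-in for the dropped DLL: genuine DOS header layout, dummy body."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                            # e_lfanew
    dos[0x40:0x4E] = bytes.fromhex("0e1fba0e00b409cd21b8014ccd21")     # DOS stub code
    dos[0x4E:0x4E + len(STUB_TEXT)] = STUB_TEXT
    return bytes(dos) + b"PE\0\0" + bytes(60) + b"BSJB" + bytes(32)

SAMPLE_KEY = b"c0nf3r"   # constructed; the real campaign's key is not given in the report
SAMPLE_BLOB = base64.b64encode(xor(build_fake_pe(), SAMPLE_KEY)).decode()

if __name__ == "__main__":
    key, pe = recover_payload(SAMPLE_BLOB)
    print("key:", key, "PE:", looks_like_pe(pe), ".NET:", is_dotnet_assembly(pe))
```

Point `recover_payload` at the body of the captured HTTP response; if the loader also strips or reverses the base64 or uses a key longer than 32 bytes, raise `max_len` or adjust the decode step, but the known-plaintext approach stays the same because the DOS stub does not change.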

The second-stage loader follows the same pattern but fetches encrypted C# source rather than a compiled DLL, then compiles and executes it entirely in memory. File-based scanners never see a second-stage artefact; detection has to come from the runtime, for example the compiler being invoked from within the loader process or the anomalous network activity that follows.

Data Exfiltration and Network Communication

Once the compiled code runs, it begins exfiltrating sensitive data. The data is sent to the attacker's server in web requests shaped to blend in with normal traffic: a .NET "WebClient" object uploads it with the "ContentType" set to "application/x-www-form-urlencoded", so it resembles an ordinary web form submission, and with the "UserAgent" header set to a browser-like string (WebClient sends no User-Agent unless one is supplied).

The attackers also use a compromised website to host and manage their content, storing both exfiltrated data and additional payloads in an exposed open directory. An installation of CKFinder, a web-based file manager with a PHP connector, is used to upload and manage these files.

The sophisticated nature of this fileless attack and its timing suggest that it is likely conducted by threat actors with geopolitical interests. Historically, Chinese threat actors have targeted Taiwan around significant political events, as evidenced by increased cyberattacks during Taiwan’s recent presidential election. While this pattern aligns with the current attack’s context, the specific threat actor behind this campaign has not been identified. No direct links have been established to known advanced persistent threat (APT) groups or other threat actors.

Conclusion

This attack shows a high level of care in both execution and evasion. By disguising the initial payload as a conference registration document and moving every stage after the first-stage loader into memory, the attackers can steal sensitive information while leaving only a single small executable on disk for defenders to find.

The timing of the attack, coinciding with the US-Taiwan Defense Industry Conference, underscores its potential intent to target valuable defense-related information. As the campaign progresses, vigilance and advanced detection strategies will be crucial in defending against such stealthy fileless attacks.
