Stealthy Fileless Attack Targets US-Taiwan Defense Conference

In a recent discovery by Cyble Research and Intelligence Labs (CRIL), a sophisticated cyber campaign has been unearthed, targeting attendees of the upcoming US-Taiwan Defense Industry Conference. The attack delivers a malicious file whose payload runs entirely in memory, evading traditional file-based detection while extracting sensitive data from targeted systems.

The campaign involves a malicious ZIP archive disguised as a legitimate registration form for the conference. The lure is designed to trick users into executing a harmful LNK file that poses as a PDF document. Upon execution, the LNK file initiates a series of covert actions to establish persistence and execute further malicious activities.

The stealthy nature of the campaign is highlighted by the use of a second-stage loader that dynamically compiles and executes C# code entirely in memory. This in-memory execution technique prevents the creation of traceable files on disk, making detection significantly more challenging for security tools.

CRIL’s investigation revealed that the initial infection vector remains unclear, with the lure document suggesting that spam emails may be used to distribute the malicious archive. The ZIP file, named “registration_form.pdf.zip,” contains an LNK file with a dual extension (.pdf.lnk), misleading users into believing it is a harmless PDF document.

Upon opening the LNK file, a series of commands are executed in the background, decoding embedded base64 content and saving the lure PDF and executable to the system. The executable is then placed in the startup folder for persistence, while the lure PDF is opened with the default PDF viewer.
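The chain above starts with an archive entry whose name carries a document-style decoy extension in front of `.lnk`. A mail gateway or triage script can flag that pattern before the user ever sees the file. The following is an added example, not code from Cyble/CRIL or from this article: it opens a ZIP, looks for double extensions that end in a Windows-executable type, and separately checks the first bytes of each entry for the Shell Link header (HeaderSize `0x4C` followed by the LinkCLSID `00021401-0000-0000-C000-000000000046`), so a renamed LNK is caught even when the extension lies. The sample archive and the entry name `registration_form.pdf.lnk` are constructed for the demonstration.

```python
import io
import zipfile

# Extensions that Windows will execute or interpret when double-clicked.
EXECUTABLE_EXTS = {"lnk", "exe", "scr", "bat", "cmd", "js", "vbs", "hta", "ps1"}
# Document-like extensions commonly used as the decoy half of a double extension.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

# Shell Link (LNK) files begin with HeaderSize 0x0000004C and the LinkCLSID
# 00021401-0000-0000-C000-000000000046, both stored in little-endian layout.
LNK_MAGIC = bytes.fromhex("4c000000") + bytes.fromhex("0114020000000000c000000000000046")


def classify_entry(name: str, head: bytes) -> list[str]:
    """Return a list of findings for one archive entry given its name and first bytes."""
    findings = []
    base = name.lower().rsplit("/", 1)[-1]   # strip any directory component
    exts = base.split(".")[1:]                # everything after the first dot
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DECOY_EXTS:
        findings.append(f"double extension .{exts[-2]}.{exts[-1]}")
    if head.startswith(LNK_MAGIC):
        if exts[-1:] != ["lnk"]:
            findings.append("LNK header with non-.lnk extension")
        else:
            findings.append("LNK file in archive")
    return findings


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious entry name in the archive to its findings."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            findings = classify_entry(info.filename, head)
            if findings:
                results[info.filename] = findings
    return results


def build_sample_archive() -> bytes:
    """Constructed sample: one double-extension LNK next to a harmless PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("registration_form.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("readme.pdf", b"%PDF-1.4 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, hits in scan_zip(build_sample_archive()).items():
        print(f"{entry}: {'; '.join(hits)}")
```

Running the script reports `registration_form.pdf.lnk` twice over (double extension plus LNK header) and stays silent on `readme.pdf`. The header check is the one worth keeping in production: attackers can drop the `.pdf` decoy, but a shortcut file cannot drop its header and still be executed by the shell.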

The data exfiltration and network communication phase of the attack involves sending sensitive data to the attacker’s server using web requests that mimic normal traffic. This technique complicates detection efforts, as the data is uploaded in a format that resembles standard web form submissions.

The attackers also utilize a compromised website to host and manage malicious content, storing exfiltrated data and additional payloads on an exposed open directory. The use of CKFinder, a PHP-based file management framework, facilitates the upload and management of these files.

The timing and sophistication of this fileless attack suggest the involvement of threat actors with geopolitical interests, possibly linked to previous cyberattacks on Taiwan by Chinese threat actors during significant political events. However, the specific threat actor behind this campaign has not been identified, and no direct links to known advanced persistent threat (APT) groups have been established.

This fileless attack demonstrates a high level of sophistication in both execution and evasion techniques, emphasizing the importance of vigilance and advanced detection strategies in defending against such stealthy cyber threats. As the campaign progresses, heightened awareness and proactive security measures will be crucial in safeguarding valuable defense-related information.
