Campaign Uses Fake LogicalDOC URLs <\/h2>\n\n\n\n
This campaign heavily leverages Living Off the Land (LOLBAS) techniques to deliver malware as part of its operations. <\/p>\n\n\n\n
Threat actors distribute phishing emails with URLs leading targets to download LNK files disguised as PDFs. These files are accessed via a domain name masquerading as one belonging to LogicalDOC, a service for managing documentation widely utilized in the manufacturing industry. <\/p>\n\n\n\n
Attack Involves Scripts to Aid Infection <\/h2>\n\n\n\n
The malicious LNK file, once activated, initiates PowerShell<\/a> via an ssh.exe command. Following a chain of scripts, a CPL file is downloaded from berb[.]fitnessclub-filmfanatics[.]com as a ZIP archive. <\/p>\n\n\n\n The malware utilizes both PowerShell and Windows Management Instrumentation (WMI) commands to collect detailed information about the victim\u2019s system. This includes: <\/p>\n\n\n\n This reconnaissance allows attackers to tailor subsequent attacks and enhances their credibility when sending follow-up malicious emails within the targeted organization. <\/p>\n\n\n\n Attackers run malicious code in memory without leaving traces and abuse standard Windows tools to blend in with regular system activities. The downloaded ZIP file contains several malicious files used to carry out DLL sideloading. <\/p>\n\n\n\n The primary purpose of this attack is to: <\/p>\n\n\n\n Attackers gain the ability to continuously monitor and manipulate their targets, which poses a significant threat to manufacturing businesses.<\/p>\n\n\n\n For manufacturing companies, the consequences of such attacks can be severe and include: <\/p>\n\n\n\n Understanding and preparing for these threats is crucial for protecting valuable assets, maintaining operational integrity, and ensuring the safety of employees and customers. <\/p>\n\n\n\n To proactively identify malicious files belonging to this and other malware attacks, analyze them in the safe environment of ANY.RUN\u2019s Interactive Sandbox<\/a> that offers: <\/p>\n\n\n\n By uploading a malicious LNK file to the sandbox and executing it we can observe how the entire chain of infection plays out. <\/p>\n\n\n\n View analysis session<\/a> <\/p>\n\n\n First, the .lnk file initiates SSH, which starts PowerShell. <\/p>\n\n\n PowerShell then launches Mshta with the AES-encrypted first-stage payload that it decrypts and executes. <\/p>\n\n\n PowerShell executes an AES-encrypted command to decrypt and run Emmenhtal<\/a>. <\/p>\n\n\n Emmental leads to system infections with Lumma and Amadey as a result. <\/p>\n\n\n\n\n\n
DLL Sideloading Ensures Evasion <\/h2>\n\n\n\n
Key Objective<\/h2>\n\n\n\n
\n
Why Businesses Need to Pay Attention <\/h2>\n\n\n\n
\n
Analysis of the Attack with ANY.RUN Sandbox<\/h2>\n\n\n\n
\n
![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/1image-1024x578.png\")
![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/2image.png\")
![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/3image.png\")
![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/4image.png\")
![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/5image-1024x575.png\")