The Russian APT group Turla has launched a new campaign that uses Windows shortcut (LNK) files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI and unhooking. The attack begins with a shortcut file masquerading as a PDF; it drops a file that is then executed with MSBuild. The final payload is a fileless backdoor obfuscated with SmartAssembly. The backdoor implements custom commands for file creation and PowerShell script execution, and it communicates with its C2 server using encrypted and encoded data. The analysis reveals sophisticated techniques to avoid detection, including mapping its own copies of DLLs to bypass user-mode hooks and patching ETW- and AMSI-related functions.
Author: AlienVault
Related Tags:
T1036.004 (Masquerading: Masquerade Task or Service)
T1497.001 (Virtualization/Sandbox Evasion: System Checks)
T1562.002 (Impair Defenses: Disable Windows Event Logging)
T1573.001 (Encrypted Channel: Symmetric Cryptography)
T1132.001 (Data Encoding: Standard Encoding)
T1070.001 (Indicator Removal: Clear Windows Event Logs)
T1204.002 (User Execution: Malicious File)
T1059.001 (Command and Scripting Interpreter: PowerShell)
T1562.001 (Impair Defenses: Disable or Modify Tools)
Associated Indicators:
SHA256: CAC4D4364D20FA343BF681F6544B31995A57D8F69EE606C4675DB60BE5AE8775
SHA256: 7091CE97FB5906680C1B09558BAFDF9681A81F5F524677B90FD0F7FC0A05BC00
SHA1: 19D576E1A7C0C7E6DAE6DCE79743DB5F2DEFA79F
SHA1: BCBDFF86DAEB92215081DFFC8660900816159721
MD5: A88597F35BF778F4A0C21D7F231C9091
MD5: 005C762A3C39B1114C6521F52ACB66C3
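The following is an added example, not part of the original AlienVault pulse and not code from the analysis it summarises. It is a small Python IOC sweep that takes the hash indicators listed above (the algorithm is inferred from the hex length), walks a directory, reports files whose SHA256/SHA1/MD5 match, and additionally flags the T1036 pattern the summary describes: a file that is really a Windows shortcut but carries a document-style name such as report.pdf.lnk (Explorer hides the .lnk extension by default, so it displays as report.pdf). The file names, directory layout and sample buffers are assumptions made for illustration; the shortcut check relies only on the fixed ShellLinkHeader prefix (HeaderSize 0x4C followed by the LinkCLSID), not on the campaign's specific LNK contents.

```python
"""IOC sweep for the Turla LNK/MSBuild campaign summarised above.

Added example, not code from the original AlienVault pulse. The hash values
are the indicators listed on the page; file names, the directory layout and
the sample buffers used in the tests are assumptions made for illustration.
"""
import hashlib
import os
import sys
from pathlib import Path

# Indicators exactly as listed on the page; the algorithm is inferred from length.
PAGE_INDICATORS = [
    "CAC4D4364D20FA343BF681F6544B31995A57D8F69EE606C4675DB60BE5AE8775",
    "7091CE97FB5906680C1B09558BAFDF9681A81F5F524677B90FD0F7FC0A05BC00",
    "19D576E1A7C0C7E6DAE6DCE79743DB5F2DEFA79F",
    "BCBDFF86DAEB92215081DFFC8660900816159721",
    "A88597F35BF778F4A0C21D7F231C9091",
    "005C762A3C39B1114C6521F52ACB66C3",
]

HASH_LEN = {64: "sha256", 40: "sha1", 32: "md5"}

# Fixed ShellLinkHeader prefix: HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 (little-endian fields).
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Inner extensions that make a *.ext.lnk name look like a document (assumed list).
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def classify_indicator(value: str) -> str:
    """Return the hash algorithm a hex indicator belongs to, by its length."""
    v = value.strip().lower()
    if len(v) not in HASH_LEN or any(c not in "0123456789abcdef" for c in v):
        raise ValueError(f"not a recognised hash indicator: {value!r}")
    return HASH_LEN[len(v)]


def index_indicators(values) -> dict:
    """Group indicators by algorithm: {'sha256': set(), 'sha1': set(), 'md5': set()}."""
    index = {algo: set() for algo in HASH_LEN.values()}
    for v in values:
        index[classify_indicator(v)].add(v.strip().lower())
    return index


def hash_bytes(data: bytes) -> dict:
    """All three digests of one buffer, lowercase hex, keyed by algorithm."""
    return {algo: getattr(hashlib, algo)(data).hexdigest() for algo in HASH_LEN.values()}


def is_lnk(data: bytes) -> bool:
    """True if the buffer starts with a Windows Shell Link header."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def is_masquerading_lnk(name: str, data: bytes) -> bool:
    """Shortcut content whose name pretends to be a document (e.g. report.pdf.lnk)."""
    suffixes = Path(name.lower()).suffixes
    return (
        is_lnk(data)
        and len(suffixes) >= 2
        and suffixes[-1] == ".lnk"
        and suffixes[-2] in DOC_EXTENSIONS
    )


def sweep_file(name: str, data: bytes, index: dict) -> list:
    """Findings for one file: indicator matches and/or a masquerading shortcut."""
    findings = []
    for algo, digest in hash_bytes(data).items():
        if digest in index[algo]:
            findings.append(f"{algo} match {digest}")
    if is_masquerading_lnk(name, data):
        findings.append("shortcut masquerading as document")
    return findings


def sweep_directory(root: str, index: dict) -> dict:
    """Walk a directory tree and return {path: findings} for files with findings."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the sweep
            hits = sweep_file(fn, data, index)
            if hits:
                results[path] = hits
    return results


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in sweep_directory(root, index_indicators(PAGE_INDICATORS)).items():
        print(path)
        for hit in hits:
            print("   ", hit)
```

Run it as `python sweep.py C:\Users\someone\Downloads` (path assumed). Hash matching only catches the exact samples listed here; the masquerading check is the more durable signal, since a shortcut named like a PDF is unusual in a user's download folder regardless of which payload it drops.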