Hackers Use Weaponized LNK Files to Exploit Microsoft Connection 03Manager Profile

Threat actors have shifted from using malicious macros to malicious LNK files for initial access. This is due to Microsoft’s announcement in 2022 to disable macros by default for Office documents downloaded from unknown sources or the internet.

The current attack vector uses the Microsoft Connection Manager Profile, which runs the process cmstp.exe for proxying the execution of malicious payloads.

This current campaign was found to be similar to the Invicta stealer infection method, but the infection chain seems to be varying. This concludes that threat actors have changed their TTPs (Tactics, Techniques, and Procedures).

In most cases, the LNK file containing the remote VBScript infection is distributed via spam emails disguised as legitimate-looking attachments with file extensions like ZIP or ISO.

LNK Files to Exploit Microsoft Connection Manager Profile

Following the download of a ZIP file embedded with the LNK file which is disguised as a PDF file. This initiates a remote command execution of a .hta file on a remote server.

Once this .hta file gets executed, it initiates the download of the VBScript that is extremely obfuscated. This VBScript, after execution, de-obfuscates the PowerShell loader, resulting in the activation of a PowerShell downloader. 

Malicious LNK file (Source: Cyble)
Infection Chain (Source: Cyble)

This PowerShell downloader fetches the malware files from two URLs namely,

  • hxxp[:]//a0840501.xsph[.]ru/Inv.pdf
  • hxxp[:]//a0840501.xsph[.]ru/71iqujprzsp4w[.]exe

These files are then stored in the AppData\Roaming directory along with their original names. The files are one PDF and one EXE file (Redline stealer library). The PowerShell downloader uses cmstp.exe for UAC (User Access Control) bypass. 

Weaponized LNK Files Uncovered

As per the report submitted to Cyber Security News, the malware payloads, Weaponized LNK Files were discovered to be Blank Grabber, Redline Stealer, and NetSupport RAT.

Blank Grabber is a Python-based open-source stealer that contains a GUI builder and can be used to generate stealer payloads easily. It also provides the option to customize the stealer like custom icon, UAC bypass, and persistence during startup. 

Redline Stealer is sold on cyberforums and is one of the most prominent infostealers in cyberspace. This can be used to gain unauthorized access to sensitive information like passwords, login credentials, autofill data, and credit card details. 

NetSupport RAT is a commercial RAT used for legitimate remote access to users by administrators but is being misused by threat actors to gain unauthorized access. 

Furthermore, a complete report has been published by Cyble researchers which provides detailed information about the obfuscation, attack vector, YARA rules, and other details.

Indicators of Compromise

IndicatorsIndicator TypeDescription
110ea5727b750a69876de6613ba71c8f80ededd2e7cef2a276a855082affcd9fSHA256Blank Grabber
https[:]//transfer.sh/iATCFJFn3d/Video_of%20Dollar_Recalling.exeURLMalicious URL
a6c163e45059640158828422622606f0d1608bb61ed0cb3cb27a138fe1c50c6dSHA256Malicious HTA File
hxxp[:]//onlythefamily[.]ddns.net/crypt[.]exeURLMalicious URL
hxxp[:]//a0820799.xsph[.]ru/Payload[.]exeURLMalicious URL
27fd34dae9c30605a0739011fce957acd40c679b1b19a079946c4a6e6a0445f9MD5SHA1SHA256Redline Stealer
513bc40cedbb94ee65afe77dac8464bb2693a098a15a08bb68a761acec223cddSHA256Redline Stealer
3225120683b1449548f441eb5649bf6efc38af4ff74975ecb203ea8766247115SHA256Malicious Lnk File
bbbebe67be31bcc286fe08f24ade73cb162f7f501c974151e66fc375c2f22563SHA256Malicious Lnk File
9905c430c3aa6e909c773af010ef8045521aba759d20a036ce065d8bf88eb9eeSHA256Malicious HTA File
49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3SHA256NetSupportManager
hxxps://montec-shop[.]de/images/client32[.]exeURLMalicious URL
hxxp[:]//94.156.253[.]17/Downloads/careabout[.]htaURLMalicious URL
6f08017be2fb3359cc15e2325e934465a9e7257657809f712c85f51a568e9dfcSHA256Malicious Lnk File
0786f1889d5f3f73b5d25289b2d9d8f6a578758bc6987f88d8ae7c81c2baacd9SHA256Malicious Lnk File
e9abe79fceded092601af33d75859030242fd1e9ad4978cd1ceba5d9e9d88d7eSHA256Malicious Lnk File
de3d0a11dec2e3b4afce991a690024e96dca389f8a0a3c6a65b559c9f1c12d59SHA256Malicious Lnk File
f9446736df6a16ba5747b617d8f69a327ec150a07f7e0adb944b65e23c2fcdc9SHA256Malicious Lnk File
8f65f6a346f568171760ce5b747bd6177a2e0111d37a3df5047905c4f1f86346SHA256Malicious Lnk File
687baa62d88a16ae54e4ff3ad584a5c7bdf71121a0fc84d863363f064cd6053bSHA256Malicious Lnk File
1126845e909b7c776e5b48bf64db24f19b0183b7204f50aedfb8ecba52c8dcbbSHA256Malicious Lnk File
c2807549c5965cf165839b876f8dd3ea44d51478e4cdc4dcca6146b223b0066dSHA256Malicious Lnk File
cf8decdb1efe459a0e8d5817d209cfdd27731694956db3e111f1f8cb32456a7aSHA256Malicious Lnk File
837f7e7a6799e25767839e487d97a5b61d9dc43add143e4b3680d756fefc1b95SHA256Malicious Lnk File
845087bb407b34d8003174a3b63b6c50c7ab4b13ef81636b8344740bb7a8559cSHA256Malicious Lnk File
a2dfcc3e26858a9c730b7c10b55f82ae4dcea1a35826cfbe992287df80c4929bSHA256Malicious Lnk File
84172e09798be8252fb18887e9cd29e47279df9641ab50185a6eea50f4c02fefSHA256Malicious Lnk File
59b392a0ff9a3ff064b5a4ab90de5b68c758429280c612fd08f9399475d3108dSHA256Malicious Lnk File
48cffc07e026c38234b77ca74d30a07a01f16da9d8ab24be73c934d6972f0aceSHA256Malicious Lnk File
cc652a2be3f935f1bf3c40f7033239e09357da22f98b6abcab17bbb34266a02aSHA256Malicious Lnk File
bbbebe67be31bcc286fe08f24ade73cb162f7f501c974151e66fc375c2f22563SHA256Malicious Lnk File
df86358f815e4c6760f5005a283c5e842dd7091dc328ac0f73b7667f6754c8bcSHA256Malicious Lnk File
3225120683b1449548f441eb5649bf6efc38af4ff74975ecb203ea8766247115SHA256Malicious Lnk File
8b6ea98bb931bf67bcea0ff67cc5d44d956a4b3fffd1817e1f3ad89696fb3798SHA256Malicious Lnk File
f602321b7a764a0dffe32d9dfbac7c221fcf200f13d20e4fbfe978d56496a72bSHA256Malicious Lnk File
d1825f07b07560f8d76c8d9125fc3029a4b328ecca836d01b5934ff8f02a32e1SHA256Malicious Lnk File
a08c36812818618f44782c3677c8b8b8159a1beacbad66adbe232e694d91176eSHA256Malicious Lnk File
e9cbfe72cf4bf807f57df16611bea622c77ad501ee85c39ed171b8cdb05ba092SHA256Malicious Lnk File
3a00180db6da59cc44933db6faa043b1ae770098a4eb52d5c2f4cf060cb60d72SHA256Malicious Lnk File
7fd01399dec681c37cd14edeb37c601a85e1a3e567d0ff2accca1dad4bc9c53bSHA256Malicious Lnk File

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.