Turla Hackers Leverage Microsoft Build Engine to Deliver Malware Stealthily

Attackers are using spam emails with lures like human rights seminars to distribute malicious LNK files containing embedded PDFs and MSBuild project files. When a user opens the LNK, MSBuild executes the project files, which then deliver a fileless backdoor similar to TinyTurla, allowing attackers to control the infected system. 

Criminals are using malicious shortcut files (LNKs) disguised as PDFs to target individuals interested in human rights; when opened, the files display a convincing decoy document, such as a seminar invitation.

Similar file shared on Twitter

If the victim falls for the lure, the LNK executes a small backdoor program that grants the attacker remote control of the infected system: the backdoor receives commands from a hidden server and carries them out on the victim's computer.

A malicious LNK file disguised as a PDF triggers a PowerShell script upon execution. The script extracts data embedded in the LNK and creates three files in the user's temporary directory: a decoy PDF, an encrypted data file, and an MSBuild project.

The script then opens the decoy PDF and executes the MSBuild project using MSBuild.exe. That project decrypts the hidden data, saves it as another MSBuild project with a .log extension, and schedules its execution through Task Scheduler for persistence.

According to Cyble Research and Intelligence Labs, this creates a multi-stage infection chain in which each stage leverages legitimate tools for malicious purposes.

Infection chain

The malicious LNK file drops a PowerShell script that leverages MSBuild to execute a series of tasks; the script first retrieves an encrypted payload from a file and decrypts it using the Rijndael algorithm.

Using the Rijndael algorithm for decryption

The decrypted content is another MSBuild project containing the final malicious payload. The script then creates a scheduled task that runs this new project every 20 minutes using MSBuild.exe, achieving both persistence and delayed execution of the ultimate malicious code.

Executing PowerShell script

The Tiny Backdoor uses MSBuild.exe to execute an inline task in memory, which creates two threads. One thread hides the MSBuild window and the other fetches commands from the C&C server using a unique identifier generated from the machine; the C&C server itself is a compromised website.

The backdoor uses multiple threads to perform various tasks like executing shell commands, downloading files from the C&C server, uploading files to the C&C server, changing directories, retrieving the current directory and running PowerShell scripts.  
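Every stage of the chain described above, from the PowerShell-launched MSBuild project in the temp directory, through the .log project and the 20-minute scheduled task, to the in-memory backdoor beaconing to a compromised website, leaves a process or network event that defenders can hunt for. The script below is an added example written for this article; it is not code from the article or from Cyble. It scans constructed Sysmon-style events (Event ID 1 process creation and Event ID 3 network connection) whose field names, host names and addresses are assumptions, and flags MSBuild.exe invocations that do not look like a developer build: launched by a script host, given a project in a temp directory or with a non-project extension such as .log, registered as a scheduled-task action, or making outbound web connections.

```python
"""Hunt for MSBuild.exe abuse of the kind described in the article above.

Added example; not the article's or Cyble's code. The event records below are
constructed Sysmon-style dicts, and the field names are an assumption rather
than a real log schema.
"""
import re
from pathlib import PureWindowsPath

# Extensions MSBuild normally builds; anything else (e.g. ".log") is unusual.
NORMAL_PROJECT_EXTS = {".csproj", ".vbproj", ".fsproj", ".vcxproj", ".proj",
                       ".sln", ".targets", ".props"}
# Parents that rarely launch MSBuild for a legitimate build.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
TEMP_DIR_RE = re.compile(r"\\(appdata\\local\\temp|windows\\temp)\\", re.IGNORECASE)


def _basename(path):
    return PureWindowsPath(path).name.lower()


def _project_args(cmdline):
    """Return command-line arguments that look like project files (not switches)."""
    tokens = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    return [t for t in tokens[1:] if not t.startswith(("/", "-"))]


def analyze_process_event(ev):
    """Reasons an Event ID 1 record is suspicious; empty list means benign."""
    reasons = []
    image = _basename(ev["Image"])
    cmd = ev.get("CommandLine", "")
    if image == "msbuild.exe":
        parent = _basename(ev.get("ParentImage", ""))
        if parent in SCRIPT_HOSTS:
            reasons.append(f"msbuild.exe spawned by script host {parent}")
        for proj in _project_args(cmd):
            ext = PureWindowsPath(proj).suffix.lower()
            if ext not in NORMAL_PROJECT_EXTS:
                reasons.append(f"non-standard project extension {ext or '(none)'}: {proj}")
            if TEMP_DIR_RE.search(proj):
                reasons.append(f"project file in temp directory: {proj}")
    elif image == "schtasks.exe":
        low = cmd.lower()
        if "/create" in low and "msbuild" in low:
            reasons.append("scheduled task created with MSBuild.exe as its action")
    return reasons


def analyze_network_event(ev):
    """MSBuild.exe has no reason to talk to web servers; flag outbound 80/443."""
    if _basename(ev["Image"]) == "msbuild.exe" and ev.get("DestinationPort") in (80, 443):
        return [f"msbuild.exe outbound to {ev.get('DestinationIp')}:{ev['DestinationPort']}"]
    return []


def hunt(events):
    """Return (index, reasons) for every event that triggers at least one rule."""
    findings = []
    for i, ev in enumerate(events):
        reasons = analyze_process_event(ev) if ev["EventID"] == 1 else (
            analyze_network_event(ev) if ev["EventID"] == 3 else [])
        if reasons:
            findings.append((i, reasons))
    return findings


MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
TEMP = r"C:\Users\alice\AppData\Local\Temp"

# Constructed sample telemetry mirroring the chain in the article (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe -w hidden"},
    {"EventID": 1, "Image": MSBUILD,  # stage 1: script host runs project from %TEMP%
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f'"{MSBUILD}" {TEMP}\\stage1.proj'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",  # persistence
     "ParentImage": MSBUILD,
     "CommandLine": f'schtasks.exe /create /sc minute /mo 20 /tn Updater /tr "{MSBUILD} {TEMP}\\update.log"'},
    {"EventID": 1, "Image": MSBUILD,  # stage 2: Task Scheduler runs the .log project
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": f'"{MSBUILD}" /nologo {TEMP}\\update.log'},
    {"EventID": 3, "Image": MSBUILD,  # in-memory backdoor beaconing (assumed address)
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "Image": MSBUILD,  # benign: IDE building a real solution
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "CommandLine": f'"{MSBUILD}" /p:Configuration=Release C:\\src\\app\\app.csproj'},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\chrome.exe",  # benign
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]

if __name__ == "__main__":
    for idx, why in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(why))
```

Run against the constructed sample, the hunt flags the four malicious events (stages 1 and 2, the schtasks registration and the beacon) and leaves the IDE build and the browser traffic alone. In a real deployment the same rules translate directly into a SIEM query over Sysmon or EDR process and network telemetry; the parent-process and temp-directory checks are the ones that separate this chain from ordinary developer activity.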

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers cyber security incidents happening across cyberspace.
