In a recent analysis by Cyble Research and Intelligence Labs (CRIL), a multi-stage cyberattack campaign has been identified, targeting the manufacturing industry. The attack, which heavily relies on process injection techniques, aims to deliver dangerous payloads, including Lumma Stealer and Amadey Bot.
Through a series of evasive actions, the threat actor (TA) exploits various Windows tools and processes to bypass traditional security defenses, leading to potential data theft and persistent system control.
Lumma Stealer and Amadey Bot Attack: LNK File and Remote Execution
CRIL recently discovered a sophisticated multi-stage attack campaign that begins with a spear-phishing email. The email contains a link that leads to an LNK file, disguised as a PDF document, which when clicked, triggers a series of commands. This LNK file is hosted on a WebDAV server, which makes it difficult for security software to trace.
For instance, one of the malicious links observed in the campaign was hxxp://download-695-18112-001-webdav-logicaldoc[.]cdn-serveri4732-ns.shop. The attack’s effectiveness stems from its ability to exploit the name of a legitimate cloud-based document management system (LogicalDOC), commonly used in manufacturing and engineering industries, to convince targets into opening the file.
Once the LNK file is executed, it launches ssh.exe, a legitimate system utility that can bypass security software’s detection. Through ssh.exe, a PowerShell command is triggered, which fetches an additional payload from a remote server using mshta.exe. This process is designed to evade detection by using Google’s Accelerated Mobile Pages (AMP) framework combined with a shortened URL. The payload fetched is a script that contains additional obfuscated commands that eventually deliver the final malicious payload to the victim’s system.
The Role of Living-off-the-Land Binaries and DLL Sideloading
In this advanced attack, the Lumma Stealer and Amadey Bot payloads are injected into the victim’s system through a multi-stage code injection process. A significant part of this attack involves Living-off-the-Land Binaries (LOLBins), which are legitimate executables that attackers exploit to carry out their activities without triggering alarms. In this case, ssh.exe, powershell.exe, and mshta.exe are used to carry out a sequence of commands that bypass traditional security mechanisms. These LOLBins are highly effective because they are already trusted system utilities that rarely raise suspicion during normal operations.
The use of DLL sideloading further complicates detection. The attacker drops malicious DLL files alongside legitimate applications, like “syncagentsrv.exe,” and exploits these files to execute malicious code in memory. This technique is particularly evasive because the malware never writes malicious code to disk, making it harder to detect using conventional security software.
Once executed, the Amadey Bot and Lumma Stealer are deployed onto the victim’s system. Lumma Stealer is a notorious information-stealing malware designed to exfiltrate sensitive data, such as login credentials and other valuable system information. Meanwhile, the Amadey Bot serves as a powerful tool to establish persistence, allowing attackers to maintain control over the compromised system.
The Infection Chain
The infection chain begins with the LNK file, which runs ssh.exe and a subsequent PowerShell command to fetch additional scripts from the attacker’s server. These scripts are obfuscated, making it difficult for traditional security software to identify malicious behavior. They download a ZIP file, which is extracted, and a legitimate executable is used to sideload a malicious DLL.
The malicious DLL is designed to load encrypted payloads and execute them. This entire process takes place in memory, with no malicious files left on the disk to aid detection. After sideloading the malicious DLL, the system executes the Lumma Stealer and Amadey Bot, allowing attackers to steal sensitive information and maintain access to the infected systems.
The Exploitation of Legitimate Windows Tools and the Use of LOLBins
The threat actor’s use of legitimate tools like ssh.exe and mshta.exe is a clear example of the growing sophistication of modern cyberattacks. By leveraging these tools, the attacker avoids detection by traditional antivirus and endpoint protection systems. These tools are often left unchecked in enterprise environments, giving attackers an opportunity to bypass security measures with ease.
The campaign also makes use of IDATLoader, a powerful technique for deploying malware in multiple stages. IDATLoader is an essential part of the attack’s ability to sideload and execute malicious DLLs, allowing the attacker to deploy both Lumma Stealer and Amadey Bot with precision.
Persistence Mechanisms
To maintain persistence on compromised systems, the attackers use the Task Scheduler. The Amadey Bot is configured to run automatically by creating a task called “NodeJS Web Framework” that launches the bot from the %Appdata% directory. This technique ensures that even if the victim attempts to remove the malware, it can be re-executed the next time the system is rebooted.
Furthermore, the attackers utilize msiexec.exe to inject Lumma Stealer into system processes, ensuring that their malware operates undetected by conventional security tools. This process enables the malware to continue functioning in the background, exfiltrating data and maintaining control over the infected machine.
Conclusion
To mitigate the risks of sophisticated attacks like those targeting the manufacturing industry, organizations should implement robust email filtering systems, educate users on the dangers of phishing emails, and restrict or monitor the use of Living-off-the-Land Binaries (LOLBins) such as ssh.exe, powershell.exe, and mshta.exe.
Disabling unnecessary services like WebDAV, using application whitelisting to prevent the execution of untrusted applications, and deploying advanced network and URL filtering can help block malicious redirects and AMP URLs.
Additionally, restricting PowerShell scripts and other scripting languages can limit attackers’ ability to execute harmful commands. With these proactive measures, organizations can better protect against sophisticated threats like Lumma Stealer and Amadey Bot, ensuring the security of sensitive data and critical infrastructure.
