
Cybersecurity researchers have discovered a Russian-originated remote access toolkit distributed via malicious Windows Shortcuts (LNK) files disguised as private key folders.
According to Censys, the CTRL toolkit is custom-built using .NET and includes a variety of executables that facilitate credential phishing, keylogging, Remote Desktop Protocol (RDP) hijacking, and reverse tunneling through Fast Reverse Proxy (FRP).
“These executables load encrypted payloads, harvest credentials through a sophisticated Windows Hello phishing UI, provide keylogging, RDP session hijacking, and reverse proxy tunneling through FRP,” said Censys security researcher Andrew Northern.
The attack surface management company said it recovered CTRL from an open directory at 146.19.213.[.]
The attack chain distributing the toolkit relies on a weaponized LNK file (“Private Key #kfxm7p9q_yek.lnk”) that carries a folder icon to trick users into double-clicking it.
This triggers a multi-step process where each step decrypts or decompresses the next step, all the way to toolkit deployment. The LNK file dropper is designed to launch hidden PowerShell commands that erase any existing persistence mechanisms from the victim’s Windows startup folder.
It also decodes Base64-encoded blobs and executes them in memory. The stager tests TCP connectivity to hui228.[.]Run ru:7000 before downloading the next-stage payload from that server. It then modifies firewall rules, establishes persistence through scheduled tasks, creates a backdoor local user, and spawns a cmd.exe shell server on port 5267 that the operator can reach through the FRP tunnel.
One of the downloaded payloads, ‘ctrl.exe’, acts as a .NET loader to launch the embedded payload, the CTRL management platform. The CTRL management platform can act as a server or client depending on the command line arguments. Communication takes place via Windows Named Pipes.
“The dual-mode design means that the operator deploys ctrl.exe once to the victim (via the stager) and then interacts with the victim by running the ctrl.exe client through an FRP-tunneled RDP session,” Censys said. “The named pipes architecture keeps all C2 command traffic local to the victim machine; nothing traverses the network except for the RDP session itself.”
The supported commands allow the malware to collect system information, launch modules designed for credential collection, run the keylogger as a background service (if configured as a server), install keyboard hooks that write all keystrokes to a file named “C:\Temp\keylog.txt”, and retrieve the captured output.
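The stager and toolkit behaviours described above (hidden PowerShell decoding Base64 blobs, firewall changes, scheduled-task persistence, a backdoor local user, a cmd.exe shell on port 5267, the next-stage download on port 7000, the C:\Temp\keylog.txt file and the local named pipe) each leave host telemetry a defender can match on. The following is an added detection example, not code from the article or from Censys: it runs a set of simple rules over Sysmon-style events. The event field names are a simplified reading of Sysmon (EventID 1 process creation, 3 network connection, 11 file create, 17 pipe create), all sample events are constructed, and the assumptions that the loader's image name is ctrl.exe and that the pipe name is unknown come from the article's own wording rather than from a published indicator.

```python
import re
from typing import Dict, List, Optional, Tuple

Event = Dict[str, object]
Finding = Tuple[int, str, str]         # (event index, rule name, description)

KEYLOG_PATH = r"c:\temp\keylog.txt"    # keylog file path named in the article
SHELL_PORT = 5267                      # cmd.exe shell server port from the article
STAGER_PORT = 7000                     # next-stage download port from the article


def _cmd(e: Event) -> str:
    return str(e.get("CommandLine", "")).lower()


def _image(e: Event) -> str:
    # Basename of the process image, lower-cased (Windows path separator)
    return str(e.get("Image", "")).lower().rsplit("\\", 1)[-1]


def hidden_powershell_b64(e: Event) -> Optional[str]:
    """Stager trait: hidden PowerShell window decoding a Base64 blob in memory."""
    if (e.get("EventID") == 1 and _image(e).startswith("powershell")
            and re.search(r"-w(?:indowstyle)?\s+hidden", _cmd(e))
            and "frombase64string" in _cmd(e)):
        return "hidden PowerShell decoding a Base64 blob"
    return None


def firewall_rule_change(e: Event) -> Optional[str]:
    if e.get("EventID") == 1 and re.search(r"netsh\s+advfirewall\s+firewall\s+add\s+rule", _cmd(e)):
        return "firewall rule added from the command line"
    return None


def scheduled_task_persistence(e: Event) -> Optional[str]:
    if e.get("EventID") == 1 and re.search(r"schtasks(?:\.exe)?\s+/create", _cmd(e)):
        return "scheduled task created (persistence)"
    return None


def backdoor_user(e: Event) -> Optional[str]:
    if e.get("EventID") == 1 and re.search(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add", _cmd(e)):
        return "local user account created"
    return None


def stager_download(e: Event) -> Optional[str]:
    if (e.get("EventID") == 3 and _image(e).startswith("powershell")
            and e.get("DestinationPort") == STAGER_PORT):
        return f"PowerShell outbound connection to port {STAGER_PORT}"
    return None


def cmd_shell_listener(e: Event) -> Optional[str]:
    if e.get("EventID") == 3 and _image(e) == "cmd.exe" and SHELL_PORT in (
            e.get("SourcePort"), e.get("DestinationPort")):
        return f"cmd.exe network activity on port {SHELL_PORT}"
    return None


def keylog_file_write(e: Event) -> Optional[str]:
    if e.get("EventID") == 11 and str(e.get("TargetFilename", "")).lower() == KEYLOG_PATH:
        return "keylog file written"
    return None


def ctrl_named_pipe(e: Event) -> Optional[str]:
    # Assumption: the loader keeps the image name ctrl.exe; the pipe name is not public
    if e.get("EventID") == 17 and _image(e) == "ctrl.exe":
        return "named pipe created by ctrl.exe"
    return None


RULES = [hidden_powershell_b64, firewall_rule_change, scheduled_task_persistence,
         backdoor_user, stager_download, cmd_shell_listener, keylog_file_write, ctrl_named_pipe]


def detect(events: List[Event]) -> List[Finding]:
    """Run every rule over every event; one finding per (event, rule) match."""
    findings: List[Finding] = []
    for i, e in enumerate(events):
        for rule in RULES:
            desc = rule(e)
            if desc:
                findings.append((i, rule.__name__, desc))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events (not real telemetry); indices 7 and 8 are benign noise
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Image": PS, "CommandLine": "powershell -WindowStyle Hidden -c \"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('QUFB'))\""},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe", "CommandLine": 'netsh advfirewall firewall add rule name="svc" dir=in action=allow protocol=TCP localport=5267'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "CommandLine": r'schtasks /create /tn "UpdateCheck" /tr "C:\Users\Public\ctrl.exe" /sc onlogon'},
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net user support Passw0rd! /add"},
    {"EventID": 3, "Image": PS, "DestinationIp": "203.0.113.10", "DestinationPort": 7000},
    {"EventID": 3, "Image": r"C:\Windows\System32\cmd.exe", "SourcePort": 5267, "DestinationPort": 52211},
    {"EventID": 11, "Image": r"C:\Users\Public\ctrl.exe", "TargetFilename": r"C:\Temp\keylog.txt"},
    {"EventID": 1, "Image": PS, "CommandLine": "powershell -c Get-Process"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "DestinationPort": 443},
    {"EventID": 17, "Image": r"C:\Users\Public\ctrl.exe", "PipeName": r"\example-pipe"},
]

if __name__ == "__main__":
    for idx, name, desc in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name}: {desc}")
```

Each rule on its own is weak (administrators also add firewall rules and scheduled tasks); the value is in correlating several of them on one host within a short window, which is what the article's description of the stager gives a defender to work with.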

The credential capture component is launched as a Windows Presentation Foundation (WPF) application that mimics a real Windows PIN validation prompt to capture the system PIN. The module blocks attempts to escape the phishing window with keyboard shortcuts such as Alt+Tab, Alt+F4, or F4, and it validates the entered PIN against the real Windows credential prompt via UI automation using the SendKeys() method.
“If the PIN is rejected, the victim is looped back and shown an error message,” Northern explained. “The window remains open even if the PIN is successfully validated against the real Windows Authenticator. The captured PIN is recorded with the prefix [STEALUSER PIN CAPTURED] to the same keylog file used by the background keylogger.”
One of the commands included in the toolkit can impersonate web browsers such as Google Chrome, Microsoft Edge, Brave, Opera, Opera GX, Vivaldi, Yandex, and Iron to send toast notifications that enable further credential theft or deliver additional payloads. The other two payloads dropped as part of the attack are:
FRPWrapper.exe: a Go DLL loaded into memory to establish an RDP and raw TCP shell reverse tunnel through the operator’s FRP server.
RDPWrapper.exe: enables unlimited concurrent RDP sessions.
“This toolkit demonstrates intentional operational security; the three hosted binaries do not contain hard-coded C2 addresses,” Censys said. “All data exfiltration is done through an FRP tunnel via RDP. The operator connects to the victim’s desktop and reads the keylog data through a ctrl named pipe. This architecture leaves minimal network forensic artifacts compared to the traditional C2 beacon pattern.”
“The CTRL toolkit represents a trend toward purpose-built, single-operator toolkits that prioritize operational security over breadth of functionality. By routing all interactions to RDP sessions over FRP reverse tunnels, operators avoid the network-detectable beacon patterns that are characteristic of commodity RATs.”
