MixShell Malware Delivered via Contact Forms Targets Supply Chain Manufacturers

August 26, 2025

Cybersecurity researchers are calling attention to a sophisticated social engineering campaign that targets supply chain-critical manufacturers with in-memory malware called MixShell.

The activity has been codenamed ZipLine by Check Point Research.

“Instead of sending unsolicited phishing emails, the attacker initiates contact via the company’s public ‘contact’ form and tricks employees into starting a conversation,” the company said in a statement shared with The Hacker News. “The weeks of professional and credible exchanges that follow are often sealed with fake NDAs, after which the attacker delivers a weaponized ZIP file carrying MixShell, a stealthy in-memory malware.”

The attacks cast a wide net, spanning multiple organizations across sectors and geographic locations, but with a focus on US-based entities. Primary targets include industrial manufacturing companies, such as those in machinery, metalworking, component production and engineered systems, as well as companies related to hardware and semiconductors, consumer goods, biotechnology and pharmaceuticals.

This diverse yet focused targeting raises the possibility that the threat actors behind the campaign are homing in on industry sectors that are critical to the supply chain. Other countries targeted by ZipLine include Singapore, Japan and Switzerland.


The campaign's origin and motives are currently unknown, but Check Point said it identified overlaps between IP addresses used in the attacks and infrastructure previously identified by Zscaler and Proofpoint as being used in TransferLoader attacks carried out by a threat cluster called UNK_GREENSEC.

ZipLine is another example of threat actors increasingly banking on legitimate business workflows, such as approaching targets via the contact form on a company's website, and weaponizing trust in that process to sidestep potential concerns.

Using website contact forms as a malware distribution vector is not entirely new, but what sets ZipLine apart is that it avoids the scare tactics and urgent language typically used to trick recipients into taking unintended actions.

This patient social engineering technique involves drawing victims into multi-week conversations. In some cases, the attackers even instruct them to sign a non-disclosure agreement (NDA) before sending a booby-trapped ZIP file. Recent waves of the campaign have also capitalized on the artificial intelligence (AI) transformation trend, with attackers “offering” to help target entities implement new AI-centric initiatives to reduce costs and improve efficiency.

The attack chain is characterized by multi-stage payloads, in-memory execution, and DNS-based command-and-control (C2) channels, allowing threat actors to stay under the radar.

Specifically, the ZIP archive contains a Windows shortcut (LNK) that triggers a PowerShell loader. The loader paves the way for the custom in-memory MixShell implant, which uses DNS tunneling, with HTTP as a fallback C2 mechanism, to support remote command execution, file manipulation and reverse network operations.

MixShell also comes in a PowerShell variant that incorporates advanced anti-debugging and sandbox evasion techniques, uses scheduled tasks for persistence, and drops the reverse proxy shell and file download functionality.

The malicious ZIP files are hosted on a subdomain of herokuapp[.]com, a legitimate platform-as-a-service (PaaS) that provides compute and storage infrastructure for hosting web applications. This again illustrates threat actors' abuse of legitimate services to blend in with normal enterprise network activity.

The LNK file responsible for starting the execution chain also displays a lure document present in the ZIP file to avoid arousing the victim's suspicion. That said, Check Point noted that all ZIP files served from the Heroku domain are malicious, suggesting real-time customized delivery based on certain criteria.
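A mail gateway or file-share scanner can look for the archive layout described above, a Windows shortcut packaged next to a decoy document, before a user opens it. The following is an added example, not code from Check Point or the original article; the verdict labels, the `LURE_EXTS` list and the sample file names are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

SHORTCUT_EXTS = {".lnk"}  # Windows shortcut, the launcher type named in the article
LURE_EXTS = {".pdf", ".doc", ".docx", ".xlsx"}  # assumed decoy document types


def triage_zip(data: bytes) -> dict:
    """Classify a ZIP by whether it pairs a shortcut with a decoy document."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "unreadable", "shortcuts": [], "lures": []}
    shortcuts, lures = [], []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Member names normally use "/", but some tools write "\"; normalise first.
            name = PurePosixPath(info.filename.replace("\\", "/")).name
            suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
            # Only the final extension decides how Windows opens the file,
            # so "Agreement.pdf.LNK" is a shortcut, not a PDF.
            if suffixes and suffixes[-1] in SHORTCUT_EXTS:
                shortcuts.append(info.filename)
            elif suffixes and suffixes[-1] in LURE_EXTS:
                lures.append(info.filename)
    if shortcuts and lures:
        verdict = "block"        # shortcut plus decoy: the layout described above
    elif shortcuts:
        verdict = "suspicious"   # shortcut alone still warrants manual review
    else:
        verdict = "no-shortcut"  # says nothing about other threats in the archive
    return {"verdict": verdict, "shortcuts": shortcuts, "lures": lures}


def build_sample(names) -> bytes:
    """Build a constructed ZIP in memory with placeholder content (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n in names:
            z.writestr(n, b"constructed placeholder bytes")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample(["NDA/Agreement.pdf", "NDA/Agreement.pdf.LNK"])
    print(triage_zip(sample))
```

The check reads only the archive's member names, so it does not need to extract or open any content.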


“In many cases, attackers have used domains that match the names of LLCs registered in the US, and in some cases the domains may have previously belonged to legitimate businesses,” Check Point said. “Attackers maintain similar template websites for all these companies, suggesting a streamlined campaign planned at scale.”

The campaign poses serious risks for businesses, as it can lead to theft of intellectual property and ransomware attacks, business email compromise, account takeovers that result in financial fraud, and potential supply chain disruptions with cascading impact.

“The ZipLine campaign is a wake-up call for every business that believes phishing is just about suspicious links in emails,” said Sergey Shykevich, Threat Intelligence Group Manager at Check Point Research.

“Attackers are innovating faster than ever, combining human psychology, trusted communication channels, and timely AI-themed lures. To stay safe, organizations must adopt prevention and AI-driven defenses and create a culture of vigilance that treats any inbound interaction as a potential threat.”

