Threat Actor Targets the Manufacturing Industry with Lumma Stealer and Amadey Bot

The attack begins with a spear-phishing email containing an LNK file disguised as a PDF document. This LNK file is hosted on a remote WebDAV share and impersonates LogicalDOC, a cloud-based document management system. When executed, the LNK file launches ssh.exe to run a PowerShell command that fetches and executes a malicious payload from a remote server. This server is accessed via a URL that abuses Google’s Accelerated Mobile Pages (AMP) framework, combined with a shortened URL. The PowerShell code then triggers another malicious script hosted on Pastebin, which downloads a ZIP archive to the Temp directory, extracts its contents, and executes a legitimate executable that sideloads a malicious DLL file. This DLL injects malicious code into various processes, ultimately leading to the deployment of Lumma Stealer and Amadey Bot.

Subject: Threat Actor Targets the Manufacturing Industry with Lumma Stealer and Amadey Bot

Tactics: TA0001 Initial Access

Technique: T1566.001 Phishing: Spearphishing Attachment

Procedure:

The attack begins with a spear-phishing email containing an LNK file disguised as a PDF document. This LNK file is hosted on a remote WebDAV share and impersonates LogicalDOC, a cloud-based document management system. When executed, the LNK file launches ssh.exe to run a PowerShell command that fetches and executes a malicious payload from a remote server. This server is accessed via a URL that abuses Google’s Accelerated Mobile Pages (AMP) framework, combined with a shortened URL. The PowerShell code then triggers another malicious script hosted on Pastebin, which downloads a ZIP archive to the Temp directory, extracts its contents, and executes a legitimate executable that sideloads a malicious DLL file. This DLL injects malicious code into various processes, ultimately leading to the deployment of Lumma Stealer and Amadey Bot.

Vulnerability:

  • EAV0001: When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.
  • EAV0032: When adversaries attempt to remotely manipulate, damage or effect some change in the physical environment, they are vulnerable to Man-in-the-Middle manipulations.

Engagement Opportunity:

This attack presents several engagement opportunities:

  • Decoy Documents and Fake Portal: Set up a controlled environment with decoy documents and a fake LogicalDOC portal to observe the threat actor’s TTPs, collect their tools, and disrupt their operations.
  • User Awareness Training: Improve user training to better identify and prevent similar attacks, focusing on recognizing suspicious emails and attachments.
  • System Monitoring: Enhance system monitoring to detect suspicious PowerShell execution, unusual SSH activity, and other indicators of compromise.

Threat Actor: Unknown, potentially targeting the manufacturing industry

Threat Objective:

Exfiltration of sensitive information and maintaining persistent control over compromised systems.

Deception Opportunity:

  • Deceptive System: Deploy a deceptive system with fake credentials and sensitive-looking documents to lure the threat actor. This system can be configured to mimic a real manufacturing environment, enticing the attacker to deploy their tools and reveal their TTPs.
  • Misinformation: Plant misinformation within the decoy documents to confuse the attacker and waste their resources.
  • Honeyfiles: Create attractive “honeyfiles” with misleading names to entice the attacker and track their activity.

Sensor Data Placement: User-Mode

Observable Level: Core to Adversary-Brought Tool

Scoring Rationale:

The analysis focuses on a combination of adversary-specific tools, pre-existing system tools, and techniques that are common but not universal. This provides a balance between detectability and evasiveness. However, a sophisticated attacker could modify their tools and techniques to evade detection based on these observables.

  • Sensor Data Placement: User-Mode (processes, files, network activity)
  • Observable Level: Core to Adversary-Brought Tool (specific to Lumma Stealer and Amadey Bot), Core to Pre-Existing Tool (PowerShell, ssh.exe), Core to Some Implementations of (Sub-)Technique (obfuscation, DLL side-loading)
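The System Monitoring opportunity and the user-mode observables listed above (ssh.exe spawning PowerShell, AMP and Pastebin URLs, an executable unpacked to Temp) translate into process-lineage rules. This added example is not from the Cyble report or this page: it runs such rules over constructed Sysmon-style process-creation records; the host, user paths and command lines are made up, and the `<fetch ...>` placeholders stand in for the downloader commands the report describes.

```python
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields
# (Image, ParentImage, CommandLine, CurrentDirectory). Not taken from the report.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SSH = r"C:\Windows\System32\OpenSSH\ssh.exe"
SAMPLE_EVENTS = [
    {"image": SSH, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\OpenSSH\ssh.exe" <arguments carried by the LNK>',
     "cwd": r"\\203.0.113.10@SSL\DavWWWRoot\LogicalDOC"},
    {"image": PS, "parent": SSH, "cwd": r"C:\Users\alice",
     "cmdline": r'powershell -w hidden -c "<fetch https://www.google.com/amp/s/short.example/x>"'},
    {"image": PS, "parent": PS, "cwd": r"C:\Users\alice",
     "cmdline": r'powershell -c "<fetch https://pastebin.com/raw/CONSTRUCTED>"'},
    {"image": r"C:\Users\alice\AppData\Local\Temp\LogicalDOC\viewer.exe", "parent": PS,
     "cmdline": "viewer.exe", "cwd": r"C:\Users\alice\AppData\Local\Temp\LogicalDOC"},
    {"image": PS, "parent": r"C:\Windows\explorer.exe",            # benign admin use
     "cmdline": "powershell Get-Process", "cwd": r"C:\Users\alice"},
]

WEBDAV_UNC = re.compile(r"\\\\[^\\]+\\DavWWWRoot", re.IGNORECASE)   # \\host[@SSL]\DavWWWRoot
PAYLOAD_HOST = re.compile(r"google\.com/amp/|pastebin\.com/", re.IGNORECASE)
POWERSHELL = ("powershell.exe", "pwsh.exe")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (event index, rule name) for every rule each record trips, in event order."""
    hits = []
    for i, ev in enumerate(events):
        img, par = basename(ev["image"]), basename(ev["parent"])
        # Stage 1: the LNK sits on the attacker's WebDAV share, so the process it starts
        # inherits a \\host@SSL\DavWWWRoot working directory or path.
        if WEBDAV_UNC.search(ev["cwd"]) or WEBDAV_UNC.search(ev["cmdline"]):
            hits.append((i, "launched_from_webdav_share"))
        # Stage 2: ssh.exe is a signed system binary with no reason to spawn PowerShell.
        if par == "ssh.exe" and img in POWERSHELL:
            hits.append((i, "ssh_spawns_powershell"))
        # Stage 3: PowerShell reaching for content behind Google AMP or Pastebin URLs.
        if img in POWERSHELL and PAYLOAD_HOST.search(ev["cmdline"]):
            hits.append((i, "powershell_amp_or_pastebin_url"))
        # Stage 4: PowerShell starting an executable it unpacked into %TEMP%, the
        # legitimate host binary that side-loads the malicious DLL.
        if par in POWERSHELL and re.search(r"\\Temp\\", ev["image"], re.IGNORECASE):
            hits.append((i, "temp_executable_from_powershell"))
    return hits
```

Several stages firing on one host within minutes is the signal worth paging on; any single rule on its own will also catch some legitimate administration.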

Link to Report: https://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware/

Link to Report II.:

Additional Comments:

This attack chain showcases the increasing sophistication of threat actors in leveraging various evasion techniques and legitimate system tools to bypass security mechanisms. Implementing a multi-layered defense strategy with strong user awareness training, system monitoring, and network-level monitoring is crucial for detecting and preventing such attacks.

Possible elements: Deceptive Document Watermarks, Embedded Honeytokens, Honeyfile with Canary Token, Honeyfiles with Deceptive Content

MSG (Pseudocode):

# Malicious Sub-Graph Standard

# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])

# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])

# Example: Manufacturing Industry Attack Graph

[1]: Initial Access (TA0001) - Phishing (T1566): Spearphishing Attachment (T1566.001) - Email with malicious LNK file disguised as PDF (Core to Adversary-Brought Tool)
[2]: Execution (TA0002) - Command and Scripting Interpreter (T1059): PowerShell (T1059.001) - Execute PowerShell command via ssh.exe (Core to Pre-Existing Tool)
[3]: Command and Control (TA0011) - Application Layer Protocol (T1071): HTTP (T1071.001) - Communicate with remote server via AMP URL and shortened URL (Core to Adversary-Brought Tool)
[4]: Defense Evasion (TA0005) - Obfuscated Files or Information (T1027) - Employ obfuscation and encryption in PowerShell code (Core to Some Implementations of (Sub-)Technique)
[5]: Defense Evasion (TA0005) - System Binary Proxy Execution (T1218): Mshta (T1218.005) - Utilize mshta.exe to execute malicious payload (Core to Pre-Existing Tool)
[6]: Privilege Escalation (TA0004) - DLL Side-Loading (T1574) - Sideload malicious DLL (Core to Sub-Technique or Technique)
[7]: Privilege Escalation (TA0004) - Process Injection (T1055) - Inject malicious code into various processes (Core to Sub-Technique or Technique)
[8]: Persistence (TA0003) - Scheduled Task/Job (T1053): Scheduled Task (T1053.005) - Create scheduled task for Amadey bot persistence (Core to Some Implementations of (Sub-)Technique)
[9]: Exfiltration (TA0010) - Automated Exfiltration (T1020) - Exfiltrate sensitive data using Lumma Stealer (Core to Sub-Technique or Technique)

1 --> 2 (Lack of User Awareness)
2 --> 3 (Lack of Network Monitoring)
3 --> 4 (Lack of Network Intrusion Detection)
4 --> 5 (Lack of Application Whitelisting)
5 --> 6 (Lack of System Monitoring)
6 --> 7 (Lack of Privilege Management)
7 --> 8 (Lack of System Monitoring)
7 --> 9 (Lack of Data Loss Prevention)

# Pseudocode Standard

# Function Format:
# function [Tactic]_[Technique]([Input]):
# [Procedure]
# return [Output]

# Example: Manufacturing Industry Attack Pseudocode

function Initial_Access_Phishing(target_email):
# Craft spearphishing email with malicious LNK file disguised as PDF
# Host LNK file on remote WebDAV share
# Send email to target_email
return malicious_lnk_file

function Execution_Command_and_Scripting_Interpreter(malicious_lnk_file):
# Execute LNK file
# Launch ssh.exe to run PowerShell command
return remote_payload

function Command_and_Control_Application_Layer_Protocol(remote_payload):
# Fetch payload from remote server via AMP URL and shortened URL
return obfuscated_code

function Defense_Evasion_Obfuscated_Files_or_Information(obfuscated_code):
# Deobfuscate and decrypt code
return malicious_script

function Defense_Evasion_System_Binary_Proxy_Execution(malicious_script):
# Execute script using mshta.exe
return dll_payload

function Privilege_Escalation_DLL_Side_Loading(dll_payload):
# Sideload malicious DLL
return process_injection_code

function Privilege_Escalation_Process_Injection(process_injection_code):
# Inject malicious code into various processes
return persistence_mechanism

function Persistence_Scheduled_Task(persistence_mechanism):
# Create scheduled task for Amadey bot persistence
return exfiltration_module

function Exfiltration_Automated_Exfiltration(exfiltration_module):
# Deploy Lumma Stealer
# Exfiltrate sensitive data
return success
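As an added example, not part of the page's MSG or Pseudocode standards, the parser below reads the Node and Edge lines of the attack graph above (embedded verbatim) and then asks the question the edge labels invite: which single missing control, once in place, denies the adversary a given node. The pseudocode chain above is the same path in function form, so this one block serves both sections. Field names such as `tactic`, `technique`, `level` and the function names are this example's own.

```python
import re
MSG = """\
[1]: Initial Access (TA0001) - Phishing (T1566): Spearphishing Attachment (T1566.001) - Email with malicious LNK file disguised as PDF (Core to Adversary-Brought Tool)
[2]: Execution (TA0002) - Command and Scripting Interpreter (T1059): PowerShell (T1059.001) - Execute PowerShell command via ssh.exe (Core to Pre-Existing Tool)
[3]: Command and Control (TA0011) - Application Layer Protocol (T1071): HTTP (T1071.001) - Communicate with remote server via AMP URL and shortened URL (Core to Adversary-Brought Tool)
[4]: Defense Evasion (TA0005) - Obfuscated Files or Information (T1027) - Employ obfuscation and encryption in PowerShell code (Core to Some Implementations of (Sub-)Technique)
[5]: Defense Evasion (TA0005) - System Binary Proxy Execution (T1218): Mshta (T1218.005) - Utilize mshta.exe to execute malicious payload (Core to Pre-Existing Tool)
[6]: Privilege Escalation (TA0004) - DLL Side-Loading (T1574) - Sideload malicious DLL (Core to Sub-Technique or Technique)
[7]: Privilege Escalation (TA0004) - Process Injection (T1055) - Inject malicious code into various processes (Core to Sub-Technique or Technique)
[8]: Persistence (TA0003) - Scheduled Task/Job (T1053): Scheduled Task (T1053.005) - Create scheduled task for Amadey bot persistence (Core to Some Implementations of (Sub-)Technique)
[9]: Exfiltration (TA0010) - Automated Exfiltration (T1020) - Exfiltrate sensitive data using Lumma Stealer (Core to Sub-Technique or Technique)
1 --> 2 (Lack of User Awareness)
2 --> 3 (Lack of Network Monitoring)
3 --> 4 (Lack of Network Intrusion Detection)
4 --> 5 (Lack of Application Whitelisting)
5 --> 6 (Lack of System Monitoring)
6 --> 7 (Lack of Privilege Management)
7 --> 8 (Lack of System Monitoring)
7 --> 9 (Lack of Data Loss Prevention)
"""

def parse_msg(text):
    """Parse the page's Node/Edge format into a node table and (src, dst, gap) edge list."""
    nodes, edges = {}, []
    for line in text.splitlines():
        if m := re.match(r"^\[(\d+)\]:\s*(.*\S)\s*$", line):
            # Node: the last parenthetical is the observable level; " - " splits the rest.
            head, _, level = m.group(2).rpartition(" (Core to ")
            tactic, technique, procedure = head.split(" - ", 2)
            nodes[int(m.group(1))] = {"tactic": re.search(r"\((TA\d+)\)", tactic).group(1),
                "technique": re.findall(r"\((T\d+(?:\.\d+)?)\)", technique)[-1],
                "procedure": procedure, "level": "Core to " + level.rstrip(")")}
        elif m := re.match(r"^(\d+)\s*-->\s*(\d+)\s*\((.+)\)\s*$", line):
            # Edge: the parenthetical names the missing control this hop exploits.
            edges.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return nodes, edges

def reachable(edges, start, control_in_place=None):
    """Nodes still reachable from `start` once one control closes every edge it labels."""
    seen, stack = set(), [start]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack += [dst for src, dst, gap in edges if src == n and gap != control_in_place]
    return seen

def controls_that_deny(edges, start, target):
    return [g for g in sorted({gap for _, _, gap in edges}) if target not in reachable(edges, start, g)]
```

Because this graph is a single chain, every control on the path denies node 9; the same functions become more informative on graphs with branches, where only the controls on every path to the target appear in the result.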
