LATRODECTUS malware utilizes scheduled tasks for persistence, executing a copy of itself and establishing a foothold in the compromised system.
Tag: T1053.005
Engage Report: TA397 RATs War
TA397 utilizes a malicious shortcut (LNK) file embedded within a RAR archive. This LNK file, when activated, executes PowerShell code that creates a scheduled task on the victim’s machine. This scheduled task enables the download and execution of additional payloads, establishing persistence on the compromised system.
Hunting FLUX#CONSOLE
Attackers are exploiting vulnerabilities in Microsoft Management Console (MMC) snap-in files to execute malicious code.
Lazarus Lure in Yacht club
The Lazarus group is conducting a spearphishing campaign targeting individuals involved in the maritime industry, particularly yacht and luxury vessel sales, using malicious attachments to deliver malware.
DONOT Hunt Me
A threat actor is utilizing spearphishing emails with malicious attachments to gain initial access, establish persistence via scheduled tasks, and exfiltrate data over HTTP.
DONOT APT Attack
- The attacker sends a spearphishing email containing a malicious Office document that exploits the vulnerability CVE-2017-11882.
- Upon opening the document, the exploit triggers, allowing the attacker to execute a command that launches the next stage of the attack.
- A scheduled task named “Schedule” is created to execute a malicious DLL file via rundll32.exe every 5 minutes, ensuring persistence.
- The scheduled task establishes communication with the attacker’s command-and-control (C2) server using the HTTP protocol.
- The attacker sends commands and exfiltrates data over the established C2 channel.
COLDRIVER – SPICA malware
APT group COLDRIVER uses spearphishing to deliver malware, using PDFs as lure documents.
COLDRIVER – UNC4057, Star Blizzard and Callisto
The attacker, impersonating experts or affiliates, sends a phishing link or document containing a link to a “decryption” utility. This utility is malware (SPICA backdoor) that gives the attacker access to the victim’s machine. The malware establishes persistence, communicates with a C2 server using JSON over WebSockets, and then collects and exfiltrates data.
DONOT APT’s Attack on Maritime & Defense Manufacturing
- Technique: Spearphishing Attachment (T1566.001)
- Procedure: DONOT APT used spearphishing emails with malicious attachments, likely exploiting Microsoft Office vulnerabilities (e.g., CVE-2017-11882) to deliver the initial payload. These emails were likely tailored to individuals working in Pakistan’s maritime and defense sector.
- Technique: Command and Scripting Interpreter: Windows Command Shell (T1059.003)
- Procedure: Upon successful exploitation of the vulnerability, the malicious attachment executes a Windows Command Shell command to launch the next stage of the attack.
- Technique: Scheduled Task/Job: Scheduled Task (T1053.005)
- Procedure: The malware creates a scheduled task named “Schedule” to execute the malicious DLL payload via rundll32.exe every 5 minutes. This ensures the malware’s persistence on the compromised system.
- Technique: Application Layer Protocol: HTTP (T1071.001)
- Procedure: The malware communicates with its command-and-control (C2) server using HTTP for receiving commands and exfiltrating data.
- Technique: Exfiltration Over C2 Channel (T1041)
- Procedure: Sensitive data stolen from the victim’s system is likely exfiltrated to the attacker’s C2 server over the established HTTP communication channel.