Threat Intelligence

Illicit LNK files deploy Russian CTRL toolkit

Laptop Screen Warning Alert: Cyber Attack, Virus, Malware, Spyware, System Hacked

The Hacker News reports that malicious Windows LNK files masquerading as private key folders have been tapped to facilitate the distribution of the CTRL toolkit that enables credential phishing, keylogging, RDP takeovers, and Fast Reverse Proxy-based reverse tunneling.

Multi-stage compromise commences with the distribution of a trojanized LNK file with a folder icon to lure double-clicks that prompt the execution of a concealed PowerShell command, which removes available persistence mechanisms, while also decoding and running a Base64-encoded blob in memory, according to an analysis from Censys. After altering firewall rules and ensuring persistence, the stager downloads an executable that serves as a .NET loader to launch the CTRL Management Platform, with pipe architecture allowing commands that obtain system details, execute a credential harvesting module, commence keylogger operations, and exfiltrate data. Another command enables the delivery of browser-spoofing toast notifications that power further credential theft and deliver the FRPWrapper.exe and RDPWrapper.exe payloads.

"The CTRL toolkit demonstrates a trend toward purpose-built, single-operator toolkits that prioritize operational security over feature breadth. By routing all interaction through FRP reverse tunnels to RDP sessions, the operator avoids the network-detectable beacon patterns that characterize commodity RATs," said Censys researchers.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds