The Hacker News reports that malicious Windows LNK files masquerading as private key folders have been tapped to facilitate the distribution of the CTRL toolkit that enables credential phishing, keylogging, RDP takeovers, and Fast Reverse Proxy-based reverse tunneling.Multi-stage compromise commences with the distribution of a trojanized LNK file with a folder icon to lure double-clicks that prompt the execution of a concealed PowerShell command, which removes available persistence mechanisms, while also decoding and running a Base64-encoded blob in memory, according to an analysis from Censys. After altering firewall rules and ensuring persistence, the stager downloads an executable that serves as a .NET loader to launch the CTRL Management Platform, with pipe architecture allowing commands that obtain system details, execute a credential harvesting module, commence keylogger operations, and exfiltrate data. Another command enables the delivery of browser-spoofing toast notifications that power further credential theft and deliver the FRPWrapper.exe and RDPWrapper.exe payloads."The CTRL toolkit demonstrates a trend toward purpose-built, single-operator toolkits that prioritize operational security over feature breadth. By routing all interaction through FRP reverse tunnels to RDP sessions, the operator avoids the network-detectable beacon patterns that characterize commodity RATs," said Censys researchers.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds




