Email security, Malware, Threat Intelligence

Malicious LNK files tapped in new APT36 campaign

An awareness sign in the laptop's email inbox informs of phishing attempts and the necessity for awareness.

Pakistan-linked threat group APT36, also known as Transparent Tribe, has used illicit Windows LNK files to compromise Indian government, strategic, and academic organizations as part of an advanced cyberespionage campaign, GBHackers News reports.

Intrusions commenced with the delivery of spear-phishing emails with a ZIP archive containing a PDF-spoofing Windows LNK file, which shows a real PDF document while exploiting the mshta.exe binary to run a remote HTA loader, according to an analysis from Cyfirma. After using custom Base64 decoding and XOR-based decryption to reconstruct the ReadOnly and WriteOnly payloads in memory, the loader proceeds to run the 'ki2mtmkl.dll' remote access trojan, which features different execution mechanisms based on the environment where it is loaded.

Apart from enabling arbitrary command execution and file system enumeration, the RAT also permits clipboard tracking and manipulation, systemic file targeting, and process control, said Cyfirma researchers, who noted the campaign to be indicative of APT36's increasingly intelligence gathering-focused operations.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds