Pakistan-linked threat group APT36, also known as Transparent Tribe, has used illicit Windows LNK files to compromise Indian government, strategic, and academic organizations as part of an advanced cyberespionage campaign, GBHackers News reports.Intrusions commenced with the delivery of spear-phishing emails with a ZIP archive containing a PDF-spoofing Windows LNK file, which shows a real PDF document while exploiting the mshta.exe binary to run a remote HTA loader, according to an analysis from Cyfirma. After using custom Base64 decoding and XOR-based decryption to reconstruct the ReadOnly and WriteOnly payloads in memory, the loader proceeds to run the 'ki2mtmkl.dll' remote access trojan, which features different execution mechanisms based on the environment where it is loaded.Apart from enabling arbitrary command execution and file system enumeration, the RAT also permits clipboard tracking and manipulation, systemic file targeting, and process control, said Cyfirma researchers, who noted the campaign to be indicative of APT36's increasingly intelligence gathering-focused operations.
Email security, Malware, Threat Intelligence
Malicious LNK files tapped in new APT36 campaign

(Adobe Stock)
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



