![]() ![]() These LNK files contain internet shortcut files that will be opened by the web browser installed on the system. MD5 hash: 45278d4ad4e0f4a891ec99283df153c3įilename: Conversations - iOS - Swipe Icons - Zeplin.lnk Zeplin is a collaboration platform used by developers and designers in the enterprise industry. On May 12, 2020, we discovered two LNK files that used the Zeplin platform (zeplin.io) as the decoy theme. In this section, we will describe the various themes used in this campaign. The decoy content could be an internet shortcut file (.url file extension) or a PDF file. The LNK files used by this threat actor contain decoy files that are displayed to the user while the malicious activities are carried out in the background. In this blog, we provide a detailed description of the distribution strategy, threat attribution, shellcode, anti-analysis techniques and the final backdoor of this campaign. The C&C network infrastructure was correlated to Higaisa APT. The infection chain used by the LNK files is very similar to the instance observed in March 2020 by Anomali. The decoy files used in the two instances of the LNK attack targeted users of Chinese origin. ![]() We attribute this attack (with a moderate confidence level) to the South Korean advanced persistent threat (APT) actor Higaisa. This backdoor uses sophisticated and deceptive techniques, such as FakeTLS-based network communication over a duplicated socket handle and a complex cryptographic key derivation routine. Recently, Malwarebytes published a blog about this attack, but the details of the backdoor were not mentioned in that blog. The final backdoor, to the best of our knowledge, has not been documented before in the public domain. For those who are unfamiliar, an LNK file is a shortcut or "link" used by Windows as a reference to an original file, folder, or application similar to an alias on the Macintosh platform. In May 2020, we observed several LNK files in the wild, which we attribute to the same threat actor based on the code overlap, similar tactics, techniques and procedures (TTPs) and similar backdoor. And we recently noticed another campaign using this technique. To learn more about publishing designs from XD to Zeplin, check out this support article on the Zeplin website.Cybercriminals will often use LNK files attached in an email to launch an attack on unsuspecting victims. To get started, you can install the Zeplin for Adobe XD plugin. We can’t wait to hear how product teams are using XD and Zeplin together to deliver on the promise of design. With these updates to the Zeplin for Adobe XD plugin, connecting design to delivery has never been easier. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |