The manufacturing industry has long been a target of cybercriminals. While data encryption by ransomware has been the prevalent tactic in recent years, threat actors are now increasingly focused on stealing sensitive information and gaining persistent control over compromised systems.
One of the latest campaigns on record involves the use of Lumma and Amadey malware.
Campaign Uses Fake LogicalDOC URLs
This campaign heavily leverages Living Off the Land Binaries and Scripts (LOLBAS), that is, legitimate Windows components such as ssh.exe, PowerShell and mshta.exe, to deliver and execute malware as part of its operations.
Threat actors distribute phishing emails containing URLs that lead targets to download LNK (Windows shortcut) files disguised as PDF documents. The files are hosted on a domain impersonating LogicalDOC, a document management system widely used in the manufacturing industry.
Attack Involves Scripts to Aid Infection
Once opened, the malicious LNK file launches PowerShell through ssh.exe. A chain of scripts then downloads a ZIP archive from berb[.]fitnessclub-filmfanatics[.]com that contains a CPL (Control Panel item) file.
The malware uses both PowerShell and Windows Management Instrumentation (WMI) queries to collect detailed information about the victim's system, including:
- Language settings
- Installed antivirus software
- Operating system version
- Hardware specifications
This reconnaissance allows attackers to tailor subsequent attacks and enhances their credibility when sending follow-up malicious emails within the targeted organization.
DLL Sideloading Ensures Evasion
Attackers run malicious code in memory rather than dropping it to disk, and abuse standard Windows tools to blend in with normal system activity. The downloaded ZIP archive contains several files used to carry out DLL sideloading, a technique in which a legitimate executable is made to load an attacker-supplied DLL placed alongside it under a file name the executable expects.
Final Objective
The primary aim of this attack is to steal important information and maintain control over the infected systems. By using both Lumma Stealer and Amadey Bot, the attackers can continuously monitor and manipulate their targets. This allows them to steal valuable data and disrupt operations, posing a significant threat to manufacturing businesses.
Why Businesses Need to Pay Attention
For manufacturing companies, the consequences of such attacks can be severe and include:
- Theft of intellectual property
- Disruption of operations
- Financial losses and compliance violations
Understanding and preparing for these threats is crucial for protecting valuable assets, maintaining operational integrity, and ensuring the safety of employees and customers.
Analyze Lumma and Amadey Attacks with ANY.RUN Sandbox
To proactively identify malicious files belonging to this and other malware campaigns, analyze them in the safe environment of ANY.RUN's Interactive Sandbox, which offers:
- Real-time Insights: In-depth view of malicious activities as they occur.
- Interactivity: Test threat responses in a live system.
- Comprehensive Reporting: Detailed reports on IOCs, malware families, and more.
By uploading the malicious LNK file to the sandbox and executing it, we can observe how the entire infection chain plays out.
First, the .lnk file starts ssh.exe, which in turn launches PowerShell.
PowerShell then launches mshta.exe with an AES-encrypted first-stage payload, which is decrypted and executed.
A further PowerShell command decrypts another AES-encrypted stage and runs the Emmenhtal loader.
Emmenhtal then infects the system with Lumma Stealer and Amadey Bot.
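The process chain observed in the sandbox (ssh.exe spawning PowerShell, PowerShell spawning mshta.exe) and the DLL sideloading described earlier give a defender concrete things to hunt for in endpoint telemetry. The following is an added example, not code from ANY.RUN or from the campaign: Python detection logic run over constructed Sysmon-style process-creation and image-load events. The field names follow Sysmon, the use of ssh's ProxyCommand option is assumed to be how ssh.exe reaches PowerShell (the documented LOLBAS method; the article only says PowerShell is started via an ssh.exe command), dbghelp.dll is taken from the TI Lookup query later in this article, and all hostnames, paths and command lines are made up.

```python
"""Hunting logic for the LNK -> ssh.exe -> PowerShell -> mshta.exe chain
and for dbghelp.dll sideloading.

Added example: this is not ANY.RUN's code nor the campaign's. The events are
Sysmon-style dictionaries (EventID 1 = process creation, EventID 7 = image
load) constructed for illustration; hostnames, paths and command lines are
made up.
"""
from __future__ import annotations

from collections import defaultdict
from typing import Optional

# Windows directories from which dbghelp.dll is legitimately loaded.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Parent -> child pairs that are rare in normal use but occur in this chain:
# ssh.exe spawning a shell, and PowerShell spawning mshta.exe.
SUSPICIOUS_SPAWNS = {
    ("ssh.exe", "powershell.exe"),
    ("ssh.exe", "pwsh.exe"),
    ("ssh.exe", "cmd.exe"),
    ("powershell.exe", "mshta.exe"),
}

# DLL names worth flagging when loaded from outside the Windows directories.
# dbghelp.dll is the file name used in the TI Lookup query in this article.
SIDELOAD_NAMES = {"dbghelp.dll"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> Optional[str]:
    """Rules for a process-creation event (Sysmon EventID 1)."""
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    if (parent, child) in SUSPICIOUS_SPAWNS:
        return f"{parent} spawned {child}"
    # ssh.exe's ProxyCommand option runs an arbitrary local command; this is
    # the LOLBAS technique assumed here for how the LNK reaches PowerShell.
    if child == "ssh.exe" and "proxycommand" in ev.get("CommandLine", "").lower():
        return "ssh.exe invoked with ProxyCommand"
    return None


def check_image_load(ev: dict) -> Optional[str]:
    """Rules for an image-load event (Sysmon EventID 7)."""
    loaded = ev["ImageLoaded"]
    if basename(loaded) in SIDELOAD_NAMES and not loaded.lower().startswith(SYSTEM_DIRS):
        return f"{basename(ev['Image'])} loaded {basename(loaded)} from {loaded}"
    return None


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Run the rules over a batch of events and group hits per host.

    A single hit can be benign; a host that accumulates several distinct
    hits from this chain deserves an analyst's attention.
    """
    findings: dict[str, list[str]] = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 1:
            hit = check_process(ev)
        elif ev["EventID"] == 7:
            hit = check_image_load(ev)
        else:
            hit = None
        if hit:
            findings[ev["Computer"]].append(hit)
    return dict(findings)


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SSH = "C:\\Windows\\System32\\OpenSSH\\ssh.exe"

# Constructed sample: WS01 shows the full chain, WS02 shows benign look-alikes
# (PowerShell started by the user, dbghelp.dll loaded from System32).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": SSH, "CommandLine": 'ssh -o ProxyCommand="powershell -w hidden -ep bypass -c STAGE1" host'},
    {"EventID": 1, "Computer": "WS01", "ParentImage": SSH,
     "Image": PS, "CommandLine": "powershell -w hidden -ep bypass -c STAGE1"},
    {"EventID": 1, "Computer": "WS01", "ParentImage": PS,
     "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta STAGE2"},
    {"EventID": 7, "Computer": "WS01", "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\viewer.exe",
     "ImageLoaded": "C:\\Users\\u\\AppData\\Local\\Temp\\dbghelp.dll"},
    {"EventID": 1, "Computer": "WS02", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": PS, "CommandLine": "powershell"},
    {"EventID": 7, "Computer": "WS02", "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\dbghelp.dll"},
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host)
        for hit in hits:
            print("  ", hit)
```

Run against the constructed sample, WS01 produces four findings (the ProxyCommand invocation, the two unusual parent/child pairs and the out-of-place dbghelp.dll load) while WS02 produces none. The per-host grouping matters more than any single rule: ssh.exe spawning a shell does occur for legitimate reasons, but a workstation where that happens together with mshta.exe and a sideloaded system DLL name is a strong match for the chain above.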
Collect Threat Intelligence on Lumma and Amadey Attacks
With TI Lookup, ANY.RUN’s searchable database of the latest threat intelligence, you can find more info on malware and phishing campaigns. TI Lookup provides:
- Fresh Data: Latest samples from a global network of security professionals.
- Actionable Indicators: IOCs from traffic, memory dumps, and manual collection.
- Contextual Information: Links to full sandbox analysis sessions with detailed data.
Use the following query, which combines the name of the threat with the path of one of the malicious files used in the attack:
filePath:"dbghelp.dll" AND threatName:"lumma"
TI Lookup link for this query: https://intelligence.any.run/analysis/lookup/?utm_source=anyrunblog&utm_medium=article&utm_campaign=psloryama_analysis&utm_term=271124&utm_content=linktolookup#%7B%2522query%2522:%2522filePath:%255C%2522dbghelp.dll%255C%2522%2520AND%2520threatName:%255C%2522lumma%255C%2522%2522,%2522dateRange%2522:180%7D
The service provides a list of files matching the query along with sandbox sessions featuring analysis of samples belonging to the same campaign that you can explore in detail.
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
The post Manufacturing Companies Targeted with New Lumma and Amadey Campaign appeared first on ANY.RUN's Cybersecurity Blog.
Article Link: Manufacturing Companies Targeted with New Lumma Campaign