Emerging .NET CAPI Backdoor Targets Russian Automotive and E-Commerce Sectors via Phishing ZIP Archives

Cybersecurity experts have recently identified a sophisticated cyberattack campaign aimed at Russian automotive and e-commerce industries. This operation employs a newly discovered .NET-based malware, referred to as the CAPI Backdoor, to infiltrate targeted systems.

Attack Methodology

The attack initiates through phishing emails that deliver a ZIP archive to unsuspecting recipients. Upon extraction, the archive contains two components:

1. Decoy Document: A Russian-language file masquerading as an official notification concerning income tax legislation.

2. Malicious Shortcut (LNK) File: Named identically to the ZIP archive, this file is designed to execute the malware.

When the LNK file is activated, it launches rundll32.exe, a legitimate signed Microsoft utility, to load and run the .NET payload shipped in the archive as adobe.dll. This technique, known as Living-off-the-Land (LotL), abuses trusted system binaries to execute malicious code, so that security software which trusts the host binary may not flag the activity.

Capabilities of the CAPI Backdoor

Once operational, the CAPI Backdoor performs several actions:

– Privilege Assessment: Determines if it has administrative rights on the compromised system.

– Antivirus Detection: Compiles a list of installed security software to identify potential obstacles.

– Decoy Activation: Opens the decoy document to divert the user’s attention while malicious activities proceed in the background.

The malware then establishes a connection with a remote command-and-control (C2) server at IP address 91.223.75[.]96, awaiting further instructions. The backdoor is equipped to:

– Data Exfiltration: Extract information from web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox.

– System Surveillance: Capture screenshots and gather comprehensive system data.

– File Enumeration: List contents of directories to identify valuable files.

– Data Transmission: Send collected data back to the C2 server for analysis and exploitation.

Evasion and Persistence Mechanisms

To avoid detection and maintain a foothold in the system, the CAPI Backdoor employs several strategies:

– Environment Checks: Conducts extensive assessments to determine if it is operating within a virtual machine or a genuine host environment, helping it evade sandbox analysis.

– Persistence Techniques: Ensures continued operation through:

    – Scheduled Tasks: Creates tasks that automatically execute the malware at specified intervals.

    – Startup Folder Manipulation: Places a shortcut in the Windows Startup folder, ensuring the backdoor launches upon system boot.
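The execution and persistence behaviours described above (rundll32.exe loading a DLL from a user-writable path, a scheduled task being created, and a shortcut being dropped into the Startup folder) can be turned into simple detection logic over endpoint telemetry. The following is an added example written for this article, not code from Seqrite Labs or from the malware; it assumes Sysmon-style events (event ID 1 for process creation, 11 for file creation, with the field names shown) and uses constructed sample events whose paths, the task name "AdobeUpdate" and the export name "Entry" are invented for illustration.

```python
import re

# Constructed sample events in a Sysmon-like shape. None of this is real telemetry
# from the campaign; only the payload name adobe.dll comes from the report.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\Rar$DIa1\adobe.dll",Entry',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 30 /tn "AdobeUpdate" /tr "rundll32.exe C:\Users\alice\AppData\Roaming\adobe.dll,Entry"',
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
    {"id": 11, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.lnk"},
    {"id": 11, "Image": r"C:\Program Files\Example\setup.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\report.docx"},
]

# Locations an unprivileged user can write to; a DLL loaded from here by rundll32
# is far more suspicious than one under System32.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData)\\|\\AppData\\|\\Temp\\", re.IGNORECASE)

# First .dll argument on a rundll32 command line: either a quoted path (may contain
# spaces) or an unquoted token ending in .dll followed by ',' (entry point) or whitespace.
DLL_ARG = re.compile(r'"([^"]+?\.dll)"|(\S+?\.dll)(?=,|\s|$)', re.IGNORECASE)


def extract_dll_path(command_line: str):
    """Return the DLL path rundll32 was asked to load, or None if none is present."""
    m = DLL_ARG.search(command_line)
    if not m:
        return None
    return m.group(1) or m.group(2)


def detect(events):
    """Apply three detection rules and return a list of (rule_name, detail) findings."""
    findings = []
    for ev in events:
        image = ev.get("Image", "").lower()
        if ev["id"] == 1:  # process creation
            cmd = ev.get("CommandLine", "")
            if image.endswith("\\rundll32.exe"):
                # Rule 1: rundll32 loading a DLL from a user-writable directory.
                # A shortcut launched from Explorer typically has explorer.exe as parent.
                dll = extract_dll_path(cmd)
                if dll and USER_WRITABLE.search(dll):
                    findings.append(("rundll32_user_writable_dll", dll))
            elif image.endswith("\\schtasks.exe") and "/create" in cmd.lower():
                # Rule 2: scheduled-task creation via schtasks (persistence).
                findings.append(("schtasks_create", cmd))
        elif ev["id"] == 11:  # file creation
            target = ev.get("TargetFilename", "")
            low = target.lower()
            # Rule 3: a .lnk dropped into a Startup folder (persistence at logon).
            if "\\start menu\\programs\\startup\\" in low and low.endswith(".lnk"):
                findings.append(("startup_folder_lnk", target))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Rule 1 is the one most specific to this campaign's execution chain; rules 2 and 3 are generic persistence detections that will also fire on legitimate installers, so in production they are best correlated with the rundll32 finding (same host, short time window) rather than alerted on alone.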

Target Identification

Analysis by Seqrite Labs suggests that the attackers are specifically targeting the Russian automotive sector. This inference is based on the discovery of a malicious domain, carprlce[.]ru, which closely resembles the legitimate carprice[.]ru, indicating an attempt to deceive users and gain unauthorized access.
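The carprlce[.]ru / carprice[.]ru pair is a classic lookalike: the letter "l" stands in for "i". Defenders can screen observed domains (from DNS or proxy logs) against a list of brands they care about by first collapsing visually confusable characters and then measuring edit distance. The following is an added example written for this article, not code from Seqrite Labs; the confusables table is a small constructed subset, the observed-domain list is constructed, and the edit-distance threshold is a chosen heuristic.

```python
# Visually confusable sequences mapped to one canonical form. Multi-character
# entries come first so they are collapsed before single characters.
# Constructed subset for illustration, not an exhaustive confusables table.
CONFUSABLES = {"rn": "m", "vv": "w", "l": "i", "1": "i", "|": "i", "0": "o", "5": "s"}


def skeleton(label: str) -> str:
    """Collapse confusable characters so lookalikes map to the same string."""
    s = label.lower()
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label of a domain; assumes simple TLDs such as .ru (no public-suffix handling)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(candidate: str, protected: str):
    """Return 'confusable', 'typosquat', or None for a candidate domain vs a protected one."""
    c, p = registrable_label(candidate), registrable_label(protected)
    if c == p:
        return None  # the legitimate domain itself (or a subdomain of it)
    if skeleton(c) == skeleton(p):
        return "confusable"  # e.g. carprlce vs carprice
    # Heuristic threshold: one edit for short labels, a little more for long ones.
    if levenshtein(c, p) <= max(1, len(p) // 6):
        return "typosquat"
    return None


def find_lookalikes(observed, protected_domains):
    """Screen a list of observed domains against protected brands."""
    hits = []
    for dom in observed:
        for prot in protected_domains:
            verdict = classify(dom, prot)
            if verdict:
                hits.append((dom, prot, verdict))
    return hits


# Constructed list standing in for domains pulled from DNS logs.
OBSERVED = ["carprlce.ru", "carprice.ru", "carpricee.ru", "example.ru", "cdn.carprice.ru"]

if __name__ == "__main__":
    for dom, prot, verdict in find_lookalikes(OBSERVED, ["carprice.ru"]):
        print(f"{dom} looks like {prot} ({verdict})")
```

The skeleton step catches substitutions that edit distance alone would rate as a full-character change; the edit-distance step catches insertions and omissions that the skeleton cannot. Both are heuristics and should feed a review queue rather than an automatic block.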

Conclusion

The emergence of the CAPI Backdoor underscores the evolving tactics of cybercriminals targeting specific industries through tailored phishing campaigns. Organizations, particularly in the automotive and e-commerce sectors, must remain vigilant, implement robust email filtering solutions, and educate employees about the dangers of phishing attacks to mitigate such threats.