Today, we’re sitting down with Rupert Marais, our in-house security specialist, to dissect a sophisticated multi-stage phishing campaign recently targeting Russia. This attack is a masterclass in modern evasion techniques, blending social engineering with the abuse of legitimate public cloud services and native Windows features. We’ll explore how attackers are using simple tricks to gain initial access, their clever methods for distributing malicious tools across platforms like GitHub and Dropbox to avoid takedowns, and the specific techniques they employ to methodically disable security software like Microsoft Defender. Furthermore, we will delve into the dual-threat payload of this campaign—a powerful remote access trojan and a destructive ransomware—and discuss the often-overlooked financial risks it poses, even to victims who don’t have their files encrypted.
Attackers are using shortcut files with double extensions, like ‘.txt.lnk’, to trick users. Why does this simple trick remain so successful, and what layered technical controls, beyond just user training, can effectively neutralize this initial point of entry? Please provide specific examples.
This trick works because it preys on our cognitive shortcuts and the default settings of our operating systems. When a user sees a filename like “Задание_для_бухгалтера_02отдела.txt.lnk,” their brain often registers the familiar “.txt” and overlooks the true extension, “.lnk,” which is hidden by Windows by default. The Russian-language filename, translating to a task for an accountant, adds a layer of social engineering that makes it seem like a routine business document, lulling the recipient into a false sense of security. Beyond training, we need strong technical controls. For example, organizations can implement endpoint policies that block or heavily audit the execution of PowerShell commands originating from LNK files. Another powerful control is using application whitelisting or attack surface reduction rules to prevent scripts from running out of common user directories like the local application data folder, which is exactly where this attack’s first script lands.
This campaign splits its infrastructure, hosting scripts on GitHub and binaries on Dropbox. Could you detail the tactical advantages this separation provides the attackers and how security teams can adapt their threat intelligence and blocking strategies to counter such distributed threats?
Splitting the infrastructure is a brilliant move for operational resilience. It’s like a spy network using separate dead drops for instructions and equipment. By hosting the initial loader scripts on GitHub and the heavier binary payloads like the Amnesia RAT on Dropbox, the attackers compartmentalize their assets. If a security researcher finds the GitHub repository and gets it taken down, the core payload on Dropbox is still safe. The attackers can simply stand up a new repository and point their phishing lures to it without having to re-upload and reconfigure their main tools. To counter this, security teams need to move beyond simple domain blocking. Threat intelligence must focus on chaining behaviors together. We should be creating detection rules that look for a process, like PowerShell, making an outbound connection to GitHub and then, shortly after, a connection to a file-sharing service like Dropbox. This behavioral pattern is far more indicative of a multi-stage attack than a single indicator of compromise (IOC).
A notable feature is the use of a tool called ‘defendnot’ to programmatically disable Microsoft Defender. Can you walk us through how this type of tool works and discuss what proactive measures, such as enabling Tamper Protection, organizations should implement to prevent such security bypasses?
The ‘defendnot’ tool is particularly insidious because it doesn’t exploit a vulnerability in the traditional sense; it abuses a legitimate feature. It programmatically interacts with the Windows Security Center API to register a fake, non-existent antivirus product on the system. Windows is designed to avoid conflicts between security products, so when it sees this new “antivirus” has been installed, it automatically disables Microsoft Defender to make way for it. The attacker essentially tricks the operating system into deactivating its own shields. The most critical proactive measure, as Microsoft themselves recommend, is to enable Tamper Protection. This feature is specifically designed to lock down Defender’s settings, preventing unauthorized changes whether they come from a user, a script, or a malicious tool like this. Monitoring for any unexpected changes to Defender’s service status or suspicious API calls is also a key defensive tactic.
The attack chain includes a deliberately long delay—in this case, 444 seconds—before fetching the next stage. What is the strategic purpose of this pause, and how does it help the malware evade detection by automated security tools like sandboxes?
That 444-second delay is a classic anti-sandbox technique. Automated sandboxes are designed for efficiency; they execute a suspicious file and watch its behavior for a limited time, usually just a few minutes, to determine if it’s malicious. An attacker who knows this can build in a long sleep command. The sandbox will run the initial script, see it do nothing for a couple of minutes, and conclude it’s benign. It’s only after this observation window closes—over seven minutes later in this case—that the script wakes up and fetches the next malicious stage from the GitHub repository. This pause effectively breaks the chain of events in the eyes of the automated analysis tool, allowing the malware to slip through undetected into the target’s network.
The Amnesia RAT payload exfiltrates a wide range of data using the Telegram Bot API. From a forensic standpoint, what makes this method of data exfiltration so challenging to trace, and what network monitoring rules can help detect these covert communications?
Using the Telegram Bot API for exfiltration is incredibly challenging for defenders because it blends malicious traffic with legitimate, encrypted web traffic. The communication goes out over standard HTTPS to Telegram’s servers, which are widely used and trusted. Blocking Telegram outright isn’t feasible for most organizations. From a forensic standpoint, the data is just another encrypted stream heading to a popular cloud service, making it difficult to distinguish from an employee simply using the messaging app. To detect this, network monitoring has to be more nuanced. Instead of looking for connections to a “bad” IP, we should be creating rules that flag unusual patterns, such as a server or a system process like svchost.scr initiating HTTPS connections to api.telegram.org. We can also monitor for an abnormally high volume of data being sent to that specific API endpoint, which could indicate data theft in progress.
Beyond data theft, the malware deploys ransomware that also hijacks the clipboard to reroute cryptocurrency payments. Could you explain the mechanics of this clipboard attack and describe how it represents a significant, often overlooked, financial threat even for users who don’t get encrypted?
This clipboard hijacking is a deviously simple and effective financial attack. The malware constantly monitors the system’s clipboard in the background. It’s programmed to recognize the specific format of cryptocurrency wallet addresses. When a user copies a legitimate wallet address to paste it into a transaction, the malware instantly and silently replaces the contents of the clipboard with an attacker-controlled address. The user, assuming the paste operation worked correctly, often won’t double-check the long, complex string of characters before hitting “send.” This means that even if the ransomware fails to encrypt the user’s files, they could still lose thousands of dollars in a single misdirected transaction. It’s a significant threat because it targets the user’s actions directly, bypassing many security controls focused on files and networks.
What is your forecast for the evolution of multi-stage attacks that leverage public cloud services and native Windows features for execution?
I forecast that this trend will not only continue but accelerate and become the standard for sophisticated threat actors. Attackers are realizing they don’t need to reinvent the wheel with complex zero-day exploits when they can achieve full system compromise by “living off the land.” We’re going to see them get even better at blending in, using a wider array of trusted cloud services—not just GitHub and Dropbox, but services like Google Drive, Pastebin, and others—to host different stages of their attacks, making attribution and takedowns a nightmare. The abuse of native Windows features like PowerShell, WMI, and even policy enforcement mechanisms will become more profound, as it allows attackers to operate with a stealth that is incredibly difficult to detect with traditional signature-based tools. The future of defense lies in comprehensive behavioral analysis and assuming that any legitimate tool can and will be used for malicious purposes.
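As an added example that is not part of the interview, the two behavioral detections described above (a single process contacting GitHub and then Dropbox shortly after, and an unexpected process reaching api.telegram.org) run over constructed connection log lines; the host lists, the allowed Telegram clients and the 15-minute window are assumptions, not values from the campaign.

```python
from datetime import datetime, timedelta

# Constructed sample connection events (not from the original page):
# "<timestamp> <process> <destination host>"
SAMPLE_EVENTS = """\
2024-05-14T09:00:02 powershell.exe raw.githubusercontent.com
2024-05-14T09:07:30 powershell.exe dl.dropboxusercontent.com
2024-05-14T09:10:11 chrome.exe api.telegram.org
2024-05-14T09:12:45 svchost.scr api.telegram.org
2024-05-14T10:00:00 explorer.exe github.com
2024-05-14T11:30:00 explorer.exe dropbox.com
"""

# Assumed host groups and the processes expected to talk to Telegram.
GITHUB_HOSTS = ("github.com", "githubusercontent.com")
DROPBOX_HOSTS = ("dropbox.com", "dropboxusercontent.com")
ALLOWED_TELEGRAM_CLIENTS = {"telegram.exe", "chrome.exe", "firefox.exe"}


def host_in(dest, hosts):
    """True if dest equals one of hosts or is a subdomain of it."""
    return any(dest == h or dest.endswith("." + h) for h in hosts)


def parse_events(text):
    """Parse the simple log format into (time, process, destination) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, proc, dest = line.split()
        events.append((datetime.fromisoformat(ts), proc.lower(), dest.lower()))
    return events


def detect_staged_download(events, window=timedelta(minutes=15)):
    """Flag a process that reaches GitHub and then Dropbox within `window`."""
    alerts = []
    last_github = {}  # process -> time of its most recent GitHub contact
    for ts, proc, dest in sorted(events):
        if host_in(dest, GITHUB_HOSTS):
            last_github[proc] = ts
        elif host_in(dest, DROPBOX_HOSTS) and proc in last_github:
            if ts - last_github[proc] <= window:
                alerts.append((proc, "github->dropbox within %s" % window))
    return alerts


def detect_telegram_misuse(events):
    """Flag processes outside the allow-list contacting the Telegram Bot API host."""
    return [(proc, "unexpected client for api.telegram.org")
            for _, proc, dest in events
            if dest == "api.telegram.org" and proc not in ALLOWED_TELEGRAM_CLIENTS]
```

The explorer.exe pair in the sample is deliberately 90 minutes apart, so it falls outside the window and is not flagged.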
