  • Cyble Research and Intelligence Labs (CRIL) identified a campaign targeting individuals connected to the upcoming US-Taiwan Defense Industry Conference, as indicated by the lure document uncovered during the investigation.
  • The campaign involves a ZIP archive containing an LNK file disguised as a legitimate PDF registration form.
  • When the LNK file is opened, it executes commands to drop a lure PDF and an executable in the startup folder, establishing persistence.
  • Upon system reboot, the executable downloads additional content and executes it directly in memory, effectively evading detection by security products.
  • The first-stage loader triggers a second-stage loader, which downloads, decodes, and compiles C# code in memory, avoiding the creation of traceable files on disk.
  • Once the compiled code is executed, the malware exfiltrates sensitive data back to the attacker’s server via web requests designed to blend in with normal traffic, making detection more difficult.
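As an added detection example, not code from the CRIL report, the following Python correlates constructed Sysmon-style endpoint events for the chain summarised above: an interpreter spawned by Explorer (the usual shape of a double-clicked LNK) writing a binary into the user's Startup folder, then that binary opening a network connection after logon. The event field names, the interpreter list and all sample values are assumptions.

```python
# Added detection example (not code from the report): correlate Sysmon-style
# endpoint events for the LNK -> Startup-folder -> callout chain. Field names,
# the interpreter list and the sample values below are constructed assumptions.
import ntpath
import re
from typing import Dict, List

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
BINARY_EXT = (".exe", ".dll", ".scr")

def _base(path: str) -> str:
    return ntpath.basename(path).lower()

def correlate_startup_chain(events: List[Dict]) -> List[Dict]:
    """Return alerts for (1) a process descended from an Explorer-launched
    interpreter (the shape of a double-clicked LNK) writing a binary into a
    Startup folder, and (2) a process running from a Startup folder making a
    network connection (the post-reboot download). Events must be time-ordered."""
    tainted: Dict[int, bool] = {}   # pid -> descends from explorer -> interpreter
    images: Dict[int, str] = {}     # pid -> image path
    alerts: List[Dict] = []
    for ev in events:
        if ev["type"] == "process_create":
            images[ev["pid"]] = ev["image"]
            launched = (_base(ev.get("parent_image", "")) == "explorer.exe"
                        and _base(ev["image"]) in INTERPRETERS)
            tainted[ev["pid"]] = launched or tainted.get(ev["ppid"], False)
        elif ev["type"] == "file_create":
            p = ev["path"]
            if tainted.get(ev["pid"]) and STARTUP_RE.search(p) and p.lower().endswith(BINARY_EXT):
                alerts.append({"rule": "startup_drop", "pid": ev["pid"], "path": p})
        elif ev["type"] == "network_connect":
            img = images.get(ev["pid"], "")
            if STARTUP_RE.search(img):
                alerts.append({"rule": "startup_binary_callout", "pid": ev["pid"], "dest": ev["dest"]})
    return alerts

# Constructed sample telemetry: the user opens the LNK (explorer -> cmd.exe), cmd.exe
# drops a lure PDF and an EXE into Startup, and after logon the EXE calls out.
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "parent_image": r"C:\Windows\System32\userinit.exe"},
    {"type": "process_create", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "file_create", "pid": 200, "path": STARTUP + r"\form.pdf"},
    {"type": "file_create", "pid": 200, "path": STARTUP + r"\updater.exe"},
    {"type": "process_create", "pid": 300, "ppid": 100, "image": STARTUP + r"\updater.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "network_connect", "pid": 300, "dest": "203.0.113.10:443"},
]
```

Running `correlate_startup_chain(SAMPLE_EVENTS)` yields one `startup_drop` alert for the EXE (the lure PDF is ignored) followed by one `startup_binary_callout` alert; the rule is a heuristic and should be tuned against legitimate installers that write to Startup.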