The manufacturing industry has long been a target of cybercriminals. While data encryption has been a prevalent tactic in recent years, threat actors are now increasingly focusing on stealing sensitive information and gaining control over critical infrastructure.
One of the latest campaigns on record involves the use of Lumma and Amadey malware.
Campaign Uses Fake LogicalDOC URLs
This campaign heavily leverages Living Off the Land (LOLBAS) techniques to deliver malware as part of its operations.
Threat actors distribute phishing emails with URLs leading targets to download LNK files disguised as PDFs. These files are accessed via a domain name masquerading as one belonging to LogicalDOC, a service for managing documentation widely utilized in the manufacturing industry.
Attack Involves Scripts to Aid Infection
The malicious LNK file, once activated, initiates PowerShell via an ssh.exe command. Following a chain of scripts, a CPL file is downloaded from berb[.]fitnessclub-filmfanatics[.]com as a ZIP archive.
The malware utilizes both PowerShell and Windows Management Instrumentation (WMI) commands to collect detailed information about the victim’s system. This includes:
- Data such as language settings
- Antivirus software
- Operating system versions
- Hardware specifications
This reconnaissance allows attackers to tailor subsequent attacks and enhances their credibility when sending follow-up malicious emails within the targeted organization.
DLL Sideloading Ensures Evasion
Attackers run malicious code in memory without leaving traces and abuse standard Windows tools to blend in with regular system activities. The downloaded ZIP file contains several malicious files used to carry out DLL sideloading.
Key Objective
The primary purpose of this attack is to:
- Steal important information with Lumma Stealer
- Maintain control over the infected systems with Amadey Bot
Aattackers gain the ability to continuously monitor and manipulate their targets, which poses a significant threat to manufacturing businesses.
Why Businesses Need to Pay Attention
For manufacturing companies, the consequences of such attacks can be severe and include:
- Theft of intellectual property
- Disruption of operations
- Financial losses and compliance violations
Understanding and preparing for these threats is crucial for protecting valuable assets, maintaining operational integrity, and ensuring the safety of employees and customers.
Analysis of the Attack with ANY.RUN Sandbox
To proactively identify malicious files belonging to this and other malware attacks, analyze them in the safe environment of ANY.RUN’s Interactive Sandbox that offers:
- Real-time Insights: In-depth view of malicious activities as they occur.
- Interactivity: Test threat responses in a live system.
- Comprehensive Reporting: Detailed reports on IOCs, malware families, and more.
By uploading a malicious LNK file to the sandbox and executing it we can observe how the entire chain of infection plays out.
First, the .lnk file initiates SSH, which starts PowerShell.
PowerShell then launches Mshta with the AES-encrypted first-stage payload that it decrypts and executes.
PowerShell executes an AES-encrypted command to decrypt and run Emmenhtal.
Emmental leads to system infections with Lumma and Amadey as a result.
Collect Threat Intelligence on Lumma and Amadey Attacks
With TI Lookup, ANY.RUN’s searchable database of the latest threat intelligence, you can find more info on malware and phishing campaigns. TI Lookup provides:
- Fresh Data: Latest samples from a global network of security professionals.
- Actionable Indicators: IOCs from traffic, memory dumps, and manual collection.
- Contextual Information: Links to full sandbox analysis sessions with detailed data.
Use the following query, consisting of the name of the threat and the path to one of the malicious files used in the attack, for your search:
The service provides a list of files matching the query along with sandbox sessions featuring analysis of samples belonging to the same campaign that you can explore in detail.
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.