Comprehensive Analysis of the Recent LNX_DROPPER Malware Campaign: Tactics, Techniques, and Impact

Alex Morgan — Threat Intelligence Analyst

Key Takeaways

  • The LNX_DROPPER campaign delivers its first stage as a malicious ISO file linked from a phishing email; the victim mounts the image and runs the executable inside it.
  • Our analysis identified T1059.001 – Command and Scripting Interpreter: PowerShell, used to create a scheduled task and a Run key for persistence.
  • Indicators of compromise (IOCs) included file hashes, the persistence registry value, and the C2 domain contacted over HTTP/HTTPS.

Executive Summary

In this investigation we analyzed the LNX_DROPPER malware campaign, which has targeted a range of organizations. The campaign relies on social engineering for initial access and on native Windows tooling (PowerShell, scheduled tasks, the registry and SMB shares) for execution, persistence and lateral movement. Throughout the investigation we collected indicators of compromise (IOCs) and mapped the attack's tactics, techniques, and procedures (TTPs) against the MITRE ATT&CK framework.

Initial Access

During the investigation of the LNX_DROPPER attack vector, we observed that initial access was commonly achieved through email phishing. The emails contained links to malicious ISO files disguised as legitimate documentation, which the victim saved to the Downloads folder (observed path: \User\Downloads\MaliciousFile.iso). Once the victim mounted the ISO, the executable inside it was run, starting the infection (T1204.002 – User Execution: Malicious File). ISO delivery is attractive to operators because files opened from a mounted image historically did not carry the Mark-of-the-Web that triggers SmartScreen and Protected View warnings (T1553.005 – Subvert Trust Controls: Mark-of-the-Web Bypass). The delivery itself maps to T1566.002 – Phishing: Spearphishing Link.

Execution & Persistence

Our analysis revealed that, once executed, the implant's PowerShell stage, a script named malicious_script.ps1, ran a sequence of commands to establish persistence (T1059.001 – Command and Scripting Interpreter: PowerShell). It created a scheduled task (T1053.005 – Scheduled Task/Job: Scheduled Task) and, as a second mechanism, wrote a value under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that the script runs again at each user login (T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder). Both locations are writable by a standard user, so neither mechanism requires elevation.

Command and Control

The command and control (C2) infrastructure employed by the LNX_DROPPER operators showed signs of obfuscation and redundancy. Communication used HTTP/HTTPS, with the implant configured to beacon to an operator-controlled domain every 30 seconds. Our analysis captured DNS queries for www.example-c2.com, which resolved to an IP address that changed frequently, consistent with an effort to keep the channel alive when individual addresses are blocked. This maps to T1071.001 – Application Layer Protocol: Web Protocols: using standard web protocols lets the beacons blend into ordinary browsing traffic. The fixed 30-second interval is itself a detection opportunity, since legitimate clients rarely contact the same host with such regular timing.
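The 30-second cadence described above is the kind of signal that proxy or DNS log analysis can surface before the domain is on any blocklist. The following is an added example (not code from the report or from the implant) that scores each source/destination pair by how regular its request intervals are. The log lines are constructed, with www.example-c2.com polled every 30 seconds next to ordinary browsing traffic, and the thresholds (six requests minimum, coefficient of variation at most 0.15) are assumptions to tune per environment.

```python
"""Beacon-interval detection over proxy log lines.

Added example, not part of the original report: the log lines are
constructed, and only the 30-second interval and the C2 domain come from
the analysis above.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <src_ip> <dest_host> <method> <bytes>".
# www.example-c2.com is polled every 30 s with a second or two of jitter; the
# other host is browsing-like traffic with irregular spacing.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.15 www.example-c2.com GET 512
2024-03-01T09:00:30 10.0.0.15 www.example-c2.com GET 512
2024-03-01T09:01:01 10.0.0.15 www.example-c2.com GET 512
2024-03-01T09:01:30 10.0.0.15 www.example-c2.com GET 512
2024-03-01T09:02:00 10.0.0.15 www.example-c2.com GET 512
2024-03-01T09:02:31 10.0.0.15 www.example-c2.com GET 512
2024-03-01T09:03:00 10.0.0.15 www.example-c2.com GET 512
2024-03-01T09:03:30 10.0.0.15 www.example-c2.com GET 512
2024-03-01T09:00:05 10.0.0.15 cdn.example.org GET 20480
2024-03-01T09:00:07 10.0.0.15 cdn.example.org GET 1024
2024-03-01T09:00:52 10.0.0.15 cdn.example.org GET 88000
2024-03-01T09:02:10 10.0.0.15 cdn.example.org GET 3100
2024-03-01T09:02:12 10.0.0.15 cdn.example.org GET 740
2024-03-01T09:03:40 10.0.0.15 cdn.example.org GET 5000
2024-03-01T09:04:15 10.0.0.15 cdn.example.org GET 222
2024-03-01T09:04:16 10.0.0.15 cdn.example.org GET 9090
"""


def parse_log(text):
    """Yield (timestamp, src, host) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, host, _method, _size = parts
        yield datetime.fromisoformat(ts), src, host


def find_beacons(text, min_requests=6, max_cv=0.15):
    """Return {(src, host): (mean_interval_s, cv)} for pairs that look timer-driven.

    Requests are grouped per (src, host) and the gaps between successive
    requests are scored by their coefficient of variation (stdev / mean).
    Human-driven traffic is bursty (cv near or above 1); an implant on a fixed
    timer with little jitter sits close to 0.
    """
    times = defaultdict(list)
    for ts, src, host in parse_log(text):
        times[(src, host)].append(ts)

    findings = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings[key] = (round(avg, 1), round(cv, 3))
    return findings


if __name__ == "__main__":
    for (src, host), (avg, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {host}: every {avg}s (cv={cv})")
```

Implants that add randomised jitter raise the coefficient of variation, so in practice the threshold is loosened and combined with other signals (constant request size, no Referer, low-volume long-lived sessions). A DNS log works the same way with the query name in place of the host, although client-side caching thins out the queries.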

Lateral Movement & Discovery

Once a foothold was established, the implant moved laterally. We observed it using T1021.002 – Remote Services: SMB/Windows Admin Shares, enumerating reachable hosts and abusing the shared folders it could reach to spread through the internal network. The credentials it used for this were harvested locally through T1003 – OS Credential Dumping, giving it access to further systems across the environment.
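Detecting the SMB lateral movement described above from the target side: an added example (not code from the report) run over constructed Security Event ID 5145 records. It flags writes of executable or script files into ADMIN$ or C$ from any source other than an allowed deployment server, then groups the hits to show one account pushing a payload to several hosts. The management-server address 10.0.0.250, the account names and the hostnames are assumptions.

```python
"""Admin-share write detection over Security Event ID 5145 records.

Added example, not part of the original report. The records are
constructed; field names follow the 5145 event (Computer is the host that
logged it, IpAddress the SMB client).
"""
from collections import defaultdict

# Assumption: hosts allowed to push binaries over admin shares (software deployment).
MANAGEMENT_SOURCES = {"10.0.0.250"}
ADMIN_SHARES = {"ADMIN$", "C$"}
WRITE_BITS = 0x2 | 0x4            # FILE_WRITE_DATA / FILE_ADD_FILE, FILE_APPEND_DATA
PAYLOAD_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs")

SAMPLE_5145 = [
    # jdoe's workstation (10.0.0.15) pushes a payload to ADMIN$ and C$ of three peers.
    {"t": "2024-03-01T10:02:11", "Computer": "WS-031", "SubjectUserName": "jdoe", "IpAddress": "10.0.0.15",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": r"Temp\svchost_update.exe", "AccessMask": "0x2"},
    {"t": "2024-03-01T10:02:13", "Computer": "WS-032", "SubjectUserName": "jdoe", "IpAddress": "10.0.0.15",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": r"Temp\svchost_update.exe", "AccessMask": "0x2"},
    {"t": "2024-03-01T10:02:15", "Computer": "WS-033", "SubjectUserName": "jdoe", "IpAddress": "10.0.0.15",
     "ShareName": r"\\*\C$", "RelativeTargetName": r"Users\Public\malicious_script.ps1", "AccessMask": "0x2"},
    # Named-pipe access on IPC$ accompanies the above but carries no file; the rule ignores it.
    {"t": "2024-03-01T10:02:16", "Computer": "WS-033", "SubjectUserName": "jdoe", "IpAddress": "10.0.0.15",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "svcctl", "AccessMask": "0x12019f"},
    # Benign: the deployment server installing an agent, a user opening a spreadsheet,
    # helpdesk dropping a log file into ADMIN$ (a write, but not a payload).
    {"t": "2024-03-01T10:05:00", "Computer": "WS-040", "SubjectUserName": "svc_deploy", "IpAddress": "10.0.0.250",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": r"ccmsetup\ccmsetup.exe", "AccessMask": "0x2"},
    {"t": "2024-03-01T10:06:00", "Computer": "FS-01", "SubjectUserName": "asmith", "IpAddress": "10.0.0.22",
     "ShareName": r"\\*\Finance", "RelativeTargetName": r"Q1\budget.xlsx", "AccessMask": "0x1"},
    {"t": "2024-03-01T10:07:00", "Computer": "WS-050", "SubjectUserName": "helpdesk1", "IpAddress": "10.0.0.40",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": r"Temp\diag.log", "AccessMask": "0x2"},
]


def admin_share_writes(events):
    """Return the 5145 records that write a payload-type file into an admin share
    from a source that is not an approved management host."""
    hits = []
    for ev in events:
        share = ev["ShareName"].rsplit("\\", 1)[-1].upper()      # "\\*\ADMIN$" -> "ADMIN$"
        mask = int(ev["AccessMask"], 16)
        target = ev["RelativeTargetName"].lower()
        if (share in ADMIN_SHARES
                and mask & WRITE_BITS
                and target.endswith(PAYLOAD_EXT)
                and ev["IpAddress"] not in MANAGEMENT_SOURCES):
            hits.append(ev)
    return hits


def fan_out(hits, min_targets=2):
    """Group hits by (source IP, account); one identity writing payloads to several
    hosts is the lateral-movement pattern rather than a one-off admin action."""
    targets = defaultdict(set)
    for ev in hits:
        targets[(ev["IpAddress"], ev["SubjectUserName"])].add(ev["Computer"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}


if __name__ == "__main__":
    for (src, user), hosts in fan_out(admin_share_writes(SAMPLE_5145)).items():
        print(f"{user}@{src} wrote payloads to {len(hosts)} hosts: {', '.join(hosts)}")
```

Event 5145 is only generated when Audit Detailed File Share is enabled, which is noisy on file servers, so scope the policy to workstations and servers that should never receive admin-share writes from peers. The same fan-out view over 4624 logon type 3 events shows the harvested credentials being reused against many hosts.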

Impact & Objectives

The objectives of the LNX_DROPPER campaign were twofold: data theft and disruption of operations. The payload included modules for downloading additional payloads and for exfiltrating sensitive data. Files were sent to the C2 server in encoded HTTPS requests over the same channel used for beaconing (T1041 – Exfiltration Over C2 Channel), which keeps the exfiltration inside traffic that already resembles ordinary web browsing and so maintains the campaign's low visibility.

MITRE ATT&CK Mapping

  • T1566.002 – Phishing: Spearphishing Link: delivered links to malicious ISO files via email.
  • T1204.002 – User Execution: Malicious File: the victim mounted the ISO and ran the executable inside it.
  • T1059.001 – Command and Scripting Interpreter: PowerShell: executed the script that set up persistence.
  • T1053.005 – Scheduled Task/Job: Scheduled Task: created a scheduled task for persistence.
  • T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: added a value under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  • T1071.001 – Application Layer Protocol: Web Protocols: C2 beaconing over HTTP/HTTPS.
  • T1021.002 – Remote Services: SMB/Windows Admin Shares: lateral movement within the network.
  • T1003 – OS Credential Dumping: harvested credentials for further network traversal.
  • T1041 – Exfiltration Over C2 Channel: sent stolen files to the C2 server in encoded HTTPS requests.

Detection Opportunities

  • Alert on ISO files written to user Downloads directories (Sysmon Event ID 11) followed by process creation (Sysmon Event ID 1) where explorer.exe launches an image from a newly mounted volume; a user double-clicking an executable inside a mounted ISO produces exactly that sequence.
  • Log registry value writes under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Sysmon Event ID 13) and scheduled task creation (Security Event ID 4698), and alert when the command references PowerShell or another script host; enable PowerShell Script Block Logging (Event ID 4104) to capture what malicious_script.ps1 actually ran.
  • Analyze DNS and proxy logs for beaconing: repeated requests to one external host at a near-constant interval (here 30 seconds) stand out even before the domain is on a blocklist. Sysmon Event ID 22 ties each DNS query to the process that made it.
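To make the persistence behaviour from the Execution & Persistence section and the detection opportunities above concrete, here is an added example (not code from the report) that runs three rules over constructed Sysmon (Event IDs 1, 11, 13) and Security (4698) events: an executable launched by explorer.exe from a non-system volume shortly after an ISO landed in Downloads, a Run-key value that invokes a script host, and a scheduled task whose action is a script host. The hostnames, SIDs, paths, the E: drive letter and the 10-minute correlation window are assumptions.

```python
"""Endpoint detection rules for ISO-delivered execution and script-based
persistence, run over constructed Sysmon/Security events.

Added example, not part of the original report. Field names follow Sysmon
(Image, ParentImage, TargetFilename, TargetObject, Details) and Security
4698 (TaskName, TaskContent); the values are made up for the demonstration.
"""
import re
from datetime import datetime, timedelta

SCRIPT_HOSTS = re.compile(
    r"powershell|pwsh|wscript|cscript|mshta|\.ps1\b|\.vbs\b|\.js\b|\.bat\b", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
ISO_WINDOW = timedelta(minutes=10)   # assumption: how long after the download we still correlate

SAMPLE_EVENTS = [
    # Firefox writes the ISO into the user's Downloads folder (Sysmon 11).
    {"t": "2024-03-01T08:58:10", "host": "WS-014", "EventID": 11,
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\jdoe\Downloads\MaliciousFile.iso"},
    # The user double-clicks the executable inside the mounted image (Sysmon 1).
    {"t": "2024-03-01T08:59:42", "host": "WS-014", "EventID": 1,
     "ParentImage": r"C:\Windows\explorer.exe", "Image": r"E:\Invoice_Q1.exe"},
    # The dropper launches the PowerShell stage (Sysmon 1).
    {"t": "2024-03-01T08:59:45", "host": "WS-014", "EventID": 1,
     "ParentImage": r"E:\Invoice_Q1.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # PowerShell writes the Run-key value (Sysmon 13; HKCU is logged as HKU\<SID>).
    {"t": "2024-03-01T08:59:47", "host": "WS-014", "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"powershell.exe -w hidden -ep bypass -f C:\Users\jdoe\AppData\Roaming\malicious_script.ps1"},
    # ...and creates the scheduled task (Security 4698).
    {"t": "2024-03-01T08:59:48", "host": "WS-014", "EventID": 4698, "TaskName": r"\Updater",
     "TaskContent": r"<Exec><Command>powershell.exe</Command><Arguments>-w hidden -f C:\Users\jdoe\AppData\Roaming\malicious_script.ps1</Arguments></Exec>"},
    # Benign noise: OneDrive's own Run value, Word started from explorer, an Office update task.
    {"t": "2024-03-01T09:10:00", "host": "WS-022", "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\asmith\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"t": "2024-03-01T09:11:00", "host": "WS-022", "EventID": 1,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"t": "2024-03-01T09:12:00", "host": "WS-022", "EventID": 4698,
     "TaskName": r"\Microsoft\Office\Office Automatic Updates 2.0",
     "TaskContent": r"<Exec><Command>C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Command><Arguments>/update user</Arguments></Exec>"},
]


def _ts(event):
    return datetime.fromisoformat(event["t"])


def run_rules(events):
    """Return a list of (host, rule, evidence) findings in time order."""
    findings = []
    recent_iso = {}   # host -> time an ISO was last written into a Downloads folder
    for ev in sorted(events, key=_ts):
        eid, host = ev["EventID"], ev["host"]
        if eid == 11:
            name = ev["TargetFilename"].lower()
            if name.endswith(".iso") and "\\downloads\\" in name:
                recent_iso[host] = _ts(ev)
        elif eid == 1:
            # Rule 1: explorer.exe starts a binary from a non-system volume soon after an ISO download.
            from_explorer = ev["ParentImage"].lower().endswith("\\explorer.exe")
            off_system_drive = not ev["Image"].upper().startswith("C:\\")
            iso_seen = host in recent_iso and _ts(ev) - recent_iso[host] <= ISO_WINDOW
            if from_explorer and off_system_drive and iso_seen:
                findings.append((host, "iso_mount_execution", ev["Image"]))
        elif eid == 13 and RUN_KEY.search(ev["TargetObject"]):
            # Rule 2: Run-key value whose command invokes a script host or script file.
            if SCRIPT_HOSTS.search(ev["Details"]):
                findings.append((host, "run_key_script", ev["TargetObject"]))
        elif eid == 4698 and SCRIPT_HOSTS.search(ev["TaskContent"]):
            # Rule 3: scheduled task whose action is a script host.
            findings.append((host, "scheduled_task_script", ev["TaskName"]))
    return findings


if __name__ == "__main__":
    for host, rule, evidence in run_rules(SAMPLE_EVENTS):
        print(f"{host}: {rule} -> {evidence}")
```

The OneDrive entry in the sample is there deliberately: legitimate Run values pointing into AppData are common, so the rule keys on the script host rather than on the path. The ISO rule would also fire for an executable run from a USB stick; the correlation with a recent ISO download is what keeps it specific.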

Analyst Notes

The LNX_DROPPER campaign is a reminder that well-known techniques still succeed against unprepared targets. As defenders, we must place detection at multiple points in the attack lifecycle: user education reduces the number of successful initial-access attempts, but robust monitoring and incident response are what identify and contain these threats once a user has clicked.
