In a recent cybersecurity incident, researchers at Dr.Web uncovered a sophisticated malware attack targeting a major Russian railway freight company. The attack, which ultimately failed, attempted to exploit a vulnerability in the popular Yandex Browser to establish a foothold in the compromised system.
Anatomy of the Attack: From Phishing to Exploitation
The attack began with a carefully crafted phishing email disguised as a job application. Attached to the email was an archive purportedly containing a PDF resume. However, the file actually had a double extension: .pdf.lnk. This .lnk extension, typically used for Windows shortcuts, allowed the attackers to execute malicious PowerShell commands and download two harmful scripts.
Dual Payload Strategy
The first payload included a legitimate PDF file as a decoy and an executable file named YandexUpdater.exe, masquerading as a Yandex Browser update component. This dropper, identified as Trojan.Packed2.46324, deployed a more sophisticated malware called Trojan.Siggen28.53599. This trojan is capable of remote control, system information gathering, and loading additional modules.
The second payload consisted of another decoy PDF and a trojan labeled Trojan.Siggen27.11306. This malware, a DLL with encrypted payload, was designed to exploit a vulnerability in Yandex Browser related to DLL Search Order Hijacking.
Exploiting Yandex Browser: A Deep Dive
The malware leveraged a vulnerability in Yandex Browser’s DLL loading mechanism. By placing a malicious DLL named Wldp.dll in the browser’s installation folder, the attackers ensured their code would be loaded before the legitimate system DLL. This technique granted the malware elevated permissions and the ability to execute commands under the browser’s identity.
Sophisticated Evasion Techniques
The malware employed multi-layer encryption to protect its payload. It used two decryption stages: first with a key based on the DLL’s path hash, and then with a global key encoded within the trojan. This process ultimately resulted in shellcode that launched a .NET application, which in turn attempted to download additional malware from a remote server.
Implications and Mitigation
Following the discovery of this vulnerability, Dr.Web promptly informed Yandex of the issue. In response, Yandex released version 24.7.1.380 of their browser, which addresses the vulnerability now identified as CVE-2024-6473. This incident underscores the importance of timely software updates and robust cybersecurity measures, especially for organizations in critical infrastructure sectors.
This sophisticated attack serves as a stark reminder of the evolving threat landscape. Organizations must remain vigilant, implement multi-layered security strategies, and prioritize employee education on phishing and social engineering tactics. Regular security audits, prompt patching, and collaboration with cybersecurity experts are crucial steps in safeguarding against such targeted attacks.