Hackers Stage a Long Prelude, Posing as Partners for a One-Click Attack

Check Point Research recently reported a new targeted campaign, tracked as Zipline, that uses the MixShell tool against industrial and high-tech companies. What sets this attack apart is that the attackers initiate contact through the “contact us” form on the victim’s own website, then correspond for weeks to build the false impression of a business partnership. In some cases the emails include fake non-disclosure agreements; eventually a malicious ZIP archive is delivered to employees.

Inside the ZIP archive is a Windows shortcut that launches a PowerShell script, which loads the MixShell implant into memory. The implant runs filelessly, leaving no traces on disk, and communicates with its control server via DNS tunneling and HTTP. This gives the attacker remote command execution, file upload and download, a reverse proxy, and a foothold on the network. MixShell also includes anti-analysis and evasion techniques, and uses the Windows Task Scheduler to maintain access and covertly load additional modules.
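A DNS-tunneling channel like the one described above tends to stand out in resolver logs: many unique, long, high-entropy subdomains under one parent domain. The following detection heuristic is an added example, not code from Check Point or from the report; the DNS log, the client addresses and the `attacker-placeholder.invalid` domain are constructed, and the parent domain is assumed to be the last two labels (no public-suffix handling).

```python
import hashlib
import math
from collections import defaultdict

# Constructed sample DNS log (client IP, queried name). The benign entries
# model ordinary browsing; the TUNNEL group models a beacon that encodes data
# in long, ever-changing subdomains of an attacker-controlled parent domain
# (placeholder name, not an indicator from the report).
BENIGN = [("10.0.0.5", n) for n in (
    "www.example.com", "mail.example.com", "cdn.example.com",
    "www.example.com", "api.example.org", "www.example.org")]
TUNNEL = [("10.0.0.7", hashlib.sha256(str(i).encode()).hexdigest()[:32]
           + ".c2.attacker-placeholder.invalid") for i in range(24)]
SAMPLE_QUERIES = BENIGN + TUNNEL


def shannon_entropy(s):
    """Bits of entropy per character of the string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_domains(queries, min_queries=10, min_unique_ratio=0.8,
                  min_avg_len=20, min_avg_entropy=3.0):
    """Group queries by parent domain (assumed: last two labels) and flag
    domains whose subdomains look like encoded payloads rather than hostnames."""
    subs_by_domain = defaultdict(list)
    for _client, name in queries:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain to carry data
        subs_by_domain[".".join(labels[-2:])].append(".".join(labels[:-2]))
    flagged = {}
    for domain, subs in subs_by_domain.items():
        if len(subs) < min_queries:
            continue  # too few queries to judge
        stats = {"queries": len(subs),
                 "unique_ratio": len(set(subs)) / len(subs),
                 "avg_len": sum(map(len, subs)) / len(subs),
                 "avg_entropy": sum(map(shannon_entropy, subs)) / len(subs)}
        if (stats["unique_ratio"] >= min_unique_ratio
                and stats["avg_len"] >= min_avg_len
                and stats["avg_entropy"] >= min_avg_entropy):
            flagged[domain] = stats
    return flagged


if __name__ == "__main__":
    for domain, stats in score_domains(SAMPLE_QUERIES).items():
        print(f"possible DNS tunneling to {domain}: {stats}")
```

Thresholds are a starting point; tune them against your own resolver baseline, since CDNs and some telemetry services also produce long unique subdomains.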

The malware is distributed via the HerokuApp service, which disguises the activity as legitimate network traffic. The ZIP file also contains a seemingly innocuous decoy document to avoid suspicion. Researchers observed that not all files served from the domain in question are malicious, indicating a dynamic selection process based on the target. The attackers register domains with names resembling American LLCs or use pre-existing companies, displaying a high level of organization and sophistication.

The targeted companies are located in the USA, Singapore, Japan, and Switzerland and operate in industries such as industrial production, mechanical engineering, metalworking, component manufacturing, engineering systems, semiconductors, consumer goods, biotechnology, and pharmaceuticals. This targeting underscores the intent to disrupt key links in the global supply chain. Check Point has identified links between this campaign and similar operations previously observed by Zscaler and Proofpoint, related to the UNK_Greensec cluster.

Zipline poses a range of threats, including data theft, encryption breaches, business email compromise, fraud, and supply chain disruption. Notably, the phishing emails use topical subjects such as AI adoption and cost optimization to make them more convincing to the targeted organizations. Check Point emphasizes that this campaign represents a new generation of social engineering, focused on building trust and exploiting business processes to circumvent traditional security controls and lower employee vigilance.
