Since April 2022, researchers have been observing a series of targeted cyberattacks aimed specifically at Japanese organizations. The campaign, dubbed Operation RestyLink, is believed to have been active since at least March 2022, with related malicious activity traced back to October 2021. Attribution is currently unclear, but the attack kill chain and the highly targeted nature of the operation suggest that a sophisticated APT group is behind it.
To detect the malicious activity associated with the persistence method used in Operation RestyLink, download the Sigma rule provided by our keen Threat Bounty developer Osman Demir.
The Sigma rule above can be used across 23 SIEM, EDR, and XDR environments and is mapped to the MITRE ATT&CK framework, addressing the Persistence tactic with the corresponding Office Application Startup (T1137) technique.
Given the challenges of APT threat mitigation, Blue Team members need additional resources to boost their threat detection capabilities. Hit the View Detections button to reach the world's largest pool of curated, context-enriched detection algorithms addressing the latest threats. Eager to create Sigma and YARA rules and turn your detection engineering skills into financial benefits? Join our Threat Bounty Program!
According to the in-depth analysis by SOC analyst Rintaro Koike, the latest RestyLink attack starts with a phishing email whose body contains a malicious URL. If the victim is tricked into clicking the link, a ZIP archive containing an LNK file is downloaded from the adversary's server. When executed, the LNK file drops a DOT (Word template) file into the Microsoft Word Startup folder using a Windows command, so that Word loads the malicious template every time it launches. At the same time, a decoy PDF is displayed on screen, distracting the victim from the suspicious processes running in the background.
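The persistence step above is what the T1137 detection has to catch: a Word template appearing in a Word STARTUP folder, written by something other than Word or an Office installer. The following is an added example, not code from the original post, from Rintaro Koike's analysis, or the Sigma rule itself. It runs a minimal version of that logic over constructed Sysmon Event ID 11 (FileCreate) records; the field names (Image, TargetFilename, UtcTime) follow the Sysmon schema, the list of expected writer processes is an assumption to tune per environment, and it goes slightly beyond the per-user path in the text by also covering the machine-wide Office STARTUP folder under Program Files.

```python
"""Added example (not from the original post or the RestyLink analysis):
minimal T1137.001 detection over constructed Sysmon FileCreate records.
Flags Word templates written into a Word STARTUP folder and raises severity
when the writing process is not Word or an Office installer."""
import re
from typing import Dict, List

# Folders Word scans for add-in templates at launch (T1137.001 locations).
# The per-user path is the one an LNK-spawned cmd.exe can write without
# elevation; the Program Files path covers machine-wide persistence too.
WORD_STARTUP_DIRS = [
    re.compile(r"\\Microsoft\\Word\\STARTUP\\", re.IGNORECASE),
    re.compile(r"\\Microsoft Office\\(?:root\\)?Office\d+\\STARTUP\\", re.IGNORECASE),
]
# Template types Word auto-loads from STARTUP; .wll is a Word add-in DLL.
TEMPLATE_EXTENSIONS = (".dot", ".dotm", ".dotx", ".wll")
# Processes expected to write there legitimately (assumption; tune per environment).
EXPECTED_WRITERS = {"winword.exe", "msiexec.exe", "officeclicktorun.exe", "setup.exe"}


def is_word_startup_template(event: Dict[str, str]) -> bool:
    """True when the record describes a Word template landing in a STARTUP folder."""
    target = event.get("TargetFilename", "")
    if not target.lower().endswith(TEMPLATE_EXTENSIONS):
        return False
    return any(pattern.search(target) for pattern in WORD_STARTUP_DIRS)


def writer_is_unexpected(event: Dict[str, str]) -> bool:
    """True when the creating process is not one of the expected Office writers."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    return image not in EXPECTED_WRITERS


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per matching record, in input order."""
    alerts = []
    for event in events:
        if not is_word_startup_template(event):
            continue
        alerts.append({
            "time": event.get("UtcTime", ""),
            "image": event.get("Image", ""),
            "target": event.get("TargetFilename", ""),
            "technique": "T1137.001",
            "severity": "high" if writer_is_unexpected(event) else "low",
        })
    return alerts


# Constructed Sysmon Event ID 11 records (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # LNK-spawned cmd.exe copying a DOT into the per-user STARTUP folder
        "UtcTime": "2022-05-10 01:12:03.001",
        "Image": r"C:\Windows\System32\cmd.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\template.dot",
    },
    {   # Office Click-to-Run populating the machine-wide STARTUP folder
        "UtcTime": "2022-05-10 01:20:45.117",
        "Image": r"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe",
        "TargetFilename": r"C:\Program Files\Microsoft Office\root\Office16\STARTUP\addin.dotm",
    },
    {   # Unrelated write by cmd.exe: must not match
        "UtcTime": "2022-05-10 01:21:00.000",
        "Image": r"C:\Windows\System32\cmd.exe",
        "TargetFilename": r"C:\Users\alice\Desktop\notes.txt",
    },
    {   # A .dot outside any STARTUP folder: must not match
        "UtcTime": "2022-05-10 01:22:10.500",
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"C:\Users\alice\Documents\report.dot",
    },
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['time']} {alert['image']} -> {alert['target']}")
```

In a Sigma rule the same logic is a `file_event` selection on `TargetFilename|contains` the STARTUP paths and `TargetFilename|endswith` the template extensions, with a filter on `Image` for the expected writers. Note that Word can also be pointed at a different startup directory through its STARTUP-PATH registry setting; a change to that value is a separate signal this example does not cover.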
Analysis of similar intrusions observed in April 2022 and earlier reveals that the adversaries follow the same routine but use different file types and methods. For instance, the threat actors delivered malicious ISO files via phishing to drop an EXE file together with a hidden malicious DLL. The DLL turned out to be a UPX-packed Go downloader that dropped a Cobalt Strike stager onto the infected machine.
The same infrastructure was used in attacks against Japan in January-March 2022 and in October-November 2021. Security experts point to the targeted nature and sophistication of the attacks, which suggests that APT actors may be behind the operation. Exact attribution is currently unknown, but researchers point, with low confidence, to DarkHotel, Kimsuky, APT29, or TA416 as possible operators.
Tap into the power of collaborative cyber defense and increase your threat hunting velocity by joining SOC Prime's Detection as Code platform. Instantly discover usable and relevant information on cyber threats, access dedicated Sigma rules and on-the-fly translations for 25+ SIEM, EDR, and XDR solutions, and automate your threat hunting and threat detection operations to boost your cyber defense capabilities.