Operation restyLink Detection

Since April 2022 researchers are observing a series of targeted cyber-attacks aimed specifically at Japanese organizations. The campaign, dubbed Operation RestyLink, is believed to be active since at least March 2022, with related malicious activity traced back to October 2021. The exact attribution is currently unclear, but the attack kill chain and its highly-targeted nature hint that a sophisticated ATP is responsible for the nefarious operation.

Detect Operation RestyLink 

To identify the malicious activity associated with persistence methods of the Operation RestyLink, download a Sigma rule provided by our keen Threat Bounty developer Osman Demir.

Suspicious Operation RestyLink Persistence by Writing of Dot File to Office Application Startup [Targeting Japan] (via cmdline)

The above-mentioned Sigma rule can be utilized across 23 SIEM, EDR, and XDR environments and is mapped to the MITRE ATT&CK framework, addressing the Persistence tactics with the corresponding Office Application Startup (T1137) technique.

Hit the Explore Detections button to access the entire list of detection content for current and emerging APT attacks.

Explore Detections

Attack Kill Chain and Attribution

According to the in-depth inquiry performed by SOC analyst Rintaro Koike, the latest RestyLink attack starts with a phishing email. The emails have malicious URLs inserted into its body. In case the victim is tricked to click the link, a ZIP archive containing LNK file is dropped from the adversaries server. In case executed, the LNK file drops DOT file to the Microsoft Startup folder leveraging the Windows command. Simultaneously, a decoy PDF is displayed on the screen, distracting the victim’s from the suspicious processes in the background.

The analysis of the similar intrusions noticed in April 2022 and earlier reveals that adversaries follow the same routine but use different file types and methods. For instance, threat actors pushed malicious ISO files via phishing to drop an EXE file with a malicious DLL hidden in it. The DLL turned out to be a UPX-packed Go downloader that dropped CobaltSrtike Stranger to the infected machine.

The same infrastructure was leveraged during attacks against Japan in January-March 2022 as well as in October-November 2021. Security experts point to the targeted nature of attacks and their sophistication which allows concluding that APT actors might stand behind the operation. The exact attribution is currently unknown, but with the low level of confidence, researchers point to DarkHotel, Kimsuky, APT29, or TA416 as possible attack operators.

Tap into the power of collaborating cyber defense and increase your threat hunting velocity by joining SOC Prime’s Detection as Code platform. Instantly discover usable and relevant information on cyber threats, access dedicated Sigma rules and on-the-fly translations for 25+ SIEM, EDR, and XDR solutions, and automate your threat hunting and threat detection operations to boost your cyber defense capabilities. 

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts