New 'CAPI Backdoor' Malware Targets Russian Auto and E-Commerce Firms

New CAPI Backdoor Phishing Campaign Targets Russian Automobile and E-Commerce Industries

Severity: MEDIUM
Published October 18, 2025
Topics: Malware · Phishing · Threat Actor

Related Entities

Organizations

Seqrite Labs

Products & Tech

rundll32.exe

Other

CAPI Backdoor

Full Report

Executive Summary

Security researchers have uncovered a targeted cyberespionage campaign deploying a new .NET-based malware, dubbed CAPI Backdoor. The campaign, detailed by Seqrite Labs, is specifically targeting organizations within the Russian automobile and e-commerce industries. The initial access vector is a phishing email carrying a ZIP archive. This archive contains a malicious Windows shortcut (LNK) file that executes the backdoor. The malware employs living-off-the-land (LotL) techniques for execution, establishes persistence via multiple methods, and communicates with a command-and-control (C2) server to exfiltrate data and receive further instructions.


Threat Overview

The attack begins with a classic phishing email sent to targets in the specified Russian sectors. The email contains a ZIP attachment which, when opened, reveals a decoy document and a malicious LNK file.

  • Initial Access: The user is tricked into opening the LNK file, which is presented so that it passes for the decoy document (Explorer never displays the .lnk extension, so the shortcut can carry a document-like name). The shortcut's target launches the malware payload.
  • Execution: The LNK file uses rundll32.exe, a legitimate and signed Microsoft binary, to load and execute a malicious DLL named adobe.dll. This use of a trusted system utility is a LotL technique (T1218.011 - System Binary Proxy Execution: Rundll32) designed to bypass basic application whitelisting and security controls.
  • Payload - CAPI Backdoor: The executed .NET malware performs several actions. It first checks if it has administrator privileges and gathers a list of installed antivirus products on the system (T1518.001 - Software Discovery: Security Software Discovery). To appear legitimate, it opens the benign decoy document (related to Russian income tax law) to distract the user.
  • Command and Control: The backdoor then establishes a connection to a hardcoded C2 server at the IP address 91.223.75[.]96 to await commands.
  • Persistence: The malware ensures it survives a reboot by employing two persistence mechanisms: creating a scheduled task (T1053.005 - Scheduled Task/Job: Scheduled Task) and placing an LNK file in the Windows Startup folder (T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder).
  • Actions on Objectives: The C2 server can issue commands for the backdoor to perform actions like enumerating files and folders and exfiltrating the listings back to the attacker.

Researchers linked the campaign to the Russian auto sector through the discovery of a typosquatted domain, carprlce[.]ru, which impersonates the legitimate Russian car sales site carprice.ru.


IOCs

Type           Value            Description
ip_address_v4  91.223.75[.]96   C2 server for CAPI Backdoor
domain         carprlce[.]ru    Typosquatted domain used in the campaign (impersonates carprice.ru)
file_name      adobe.dll        Malicious .NET implant (CAPI Backdoor), loaded via rundll32.exe

Detection & Response

  • Process Monitoring: Monitor for rundll32.exe executing DLLs from unusual locations (e.g., AppData, Temp folders) or executing DLLs with suspicious names like adobe.dll. Correlate this with a parent process of explorer.exe (if a user clicked an LNK file). This is a form of Process Analysis (D3-PA).
  • Persistence Auditing: Regularly audit persistence locations for unauthorized entries. This includes checking the Windows Startup folder for suspicious LNK files and reviewing scheduled tasks for newly created tasks that execute unknown binaries or scripts.
  • Network Traffic Analysis: Block and alert on any network connections to the known C2 IP address 91.223.75[.]96. Monitor for DNS requests to the typosquatted domain carprlce[.]ru. This is a form of Network Traffic Analysis (D3-NTA).
  • Email Security: Use advanced email security gateways to scan ZIP archives for malicious LNK files and block them before they reach the user's inbox.
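The rundll32.exe detection described in the Process Monitoring bullet above (and again under D3FEND Defensive Countermeasures) as runnable logic. This is an added example, not code from Seqrite Labs or the article author. Process-creation events (Sysmon Event ID 1 or Security 4688) are modelled as Python dicts with Sysmon-style field names; the sample events, the user name, the temp folder path and the export name "Start" are constructed for illustration. The part worth getting right is parsing the rundll32 command line: the DLL argument may be quoted, separated from its entry point by a comma or a space, or a bare file name that the DLL search order resolves to the working directory.

```python
"""Flag rundll32.exe proxy-executing a DLL from a user-writable directory.

Added example for this article; not Seqrite Labs' or the author's code.
Events are dicts with Sysmon-style fields. Sample events, user name, temp
folder and the export name "Start" are constructed for illustration.
"""
import ntpath
import re

RUNDLL32_NAMES = {"rundll32.exe", "rundll32"}

# Locations a trusted, installed DLL should not be proxy-executed from.
# Compared case-insensitively against the normalised DLL path.
USER_WRITABLE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^c:\\users\\[^\\]+\\appdata\\",
    r"^c:\\users\\[^\\]+\\downloads\\",
    r"^c:\\users\\[^\\]+\\desktop\\",
    r"^c:\\users\\public\\",
    r"^c:\\windows\\temp\\",
    r"^c:\\programdata\\",
)]


def _first_token(cmdline):
    """Split off the image token using Windows quoting (a quoted token may hold spaces)."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:], "") if end == -1 else (s[1:end], s[end + 1:].lstrip())
    parts = s.split(None, 1)
    return (parts[0], parts[1]) if len(parts) == 2 else (s, "")


def extract_dll(cmdline, cwd=""):
    """Return the DLL path a rundll32.exe command line will load, or None if the
    image is not rundll32. rundll32 takes the DLL argument up to the first comma
    or space unless it is quoted; the entry point follows. A bare file name with
    no match in System32 is found through the DLL search order, which ends at the
    working directory, so it is resolved against cwd here. Sysmon Event ID 7
    (ImageLoaded) gives the authoritative path when it is available."""
    image, rest = _first_token(cmdline)
    if ntpath.basename(image).lower() not in RUNDLL32_NAMES:
        return None
    if rest.startswith('"'):
        end = rest.find('"', 1)
        dll = rest[1:end] if end != -1 else rest[1:]
    else:
        dll = re.split(r"[,\s]", rest, maxsplit=1)[0]
    if not dll:
        return None
    if not ntpath.splitdrive(dll)[0] and not dll.startswith("\\\\") and cwd:
        dll = ntpath.join(cwd, dll)
    return ntpath.normpath(dll)


def is_user_writable(path):
    return any(p.search(path) for p in USER_WRITABLE_PATTERNS)


def evaluate(event):
    """Return the indicators an event triggers; an empty list means not interesting."""
    dll = extract_dll(event.get("CommandLine", ""), event.get("CurrentDirectory", ""))
    if dll is None or not is_user_writable(dll):
        return []  # not rundll32, or a DLL where a trusted install would keep it
    reasons = ["dll_in_user_writable_dir"]
    if ntpath.basename(event.get("ParentImage", "")).lower() == "explorer.exe":
        reasons.append("parent_is_explorer")  # consistent with a double-clicked LNK
    if ntpath.basename(dll).lower() == "adobe.dll":
        reasons.append("filename_matches_reported_ioc")
    return reasons


def analyse_events(events):
    """Return [(index, reasons)] for the events that fire."""
    return [(i, r) for i, ev in enumerate(events) if (r := evaluate(ev))]


# Constructed events (not from a real host). 0 and 1 model the LNK launch
# described in the report; 2 is a benign Control Panel applet; 3 is not rundll32.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Users\ivan\AppData\Local\Temp\Rar$DIa0.123\adobe.dll",Start',
     "CurrentDirectory": r"C:\Users\ivan\AppData\Local\Temp\Rar$DIa0.123"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe adobe.dll,Start",
     "CurrentDirectory": r"C:\Users\ivan\Downloads\archive"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl',
     "CurrentDirectory": r"C:\Windows\System32"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "CurrentDirectory": r"C:\Windows\System32"},
]

if __name__ == "__main__":
    for idx, reasons in analyse_events(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(reasons)}")
```

The path check, not the file name, carries the detection: adobe.dll is today's name, but a DLL loaded by rundll32.exe from AppData, Temp or Downloads with explorer.exe as parent is suspicious whatever it is called. Tune USER_WRITABLE_PATTERNS to your estate (installer frameworks that legitimately stage DLLs in %TEMP% will need exceptions), and where Sysmon Event ID 7 is available, corroborate with its Signed and Signature fields rather than relying on the command line alone.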

Mitigation

  • User Training: Educate users about the dangers of opening attachments from unsolicited emails, especially ZIP files, and the risks associated with LNK files.
  • Attack Surface Reduction: Block LNK files arriving as email attachments, including inside ZIP archives, at the mail gateway. Note that configuring Windows to show file extensions does not help with shortcuts: Explorer never displays the .lnk extension, because the lnkfile class under HKEY_CLASSES_ROOT carries a NeverShowExt value. Deleting that value exposes the extension but also relabels every legitimate shortcut on the system, so the gateway control is the one to rely on.
  • Application Control: Implement application control policies, such as Windows Defender Application Control, to restrict the execution of unsigned or untrusted DLLs, even when called by a legitimate process like rundll32.exe. This is a form of Executable Allowlisting (D3-EAL).
  • PowerShell Hardening: Constrain PowerShell language mode and enable script block logging to detect and prevent malicious script execution. No PowerShell use is reported for this campaign, but scripted follow-on activity is common once a backdoor is in place, and the logging costs little.

Timeline of Events

October 18, 2025: This article was published.

MITRE ATT&CK Mitigations

User Training (M1017)

Training users to be suspicious of unexpected ZIP attachments and LNK files is the first line of defense against this phishing vector.

Execution Prevention (M1038)

Using application control to prevent the execution of untrusted DLLs can block the malware payload, even when initiated by a trusted binary like rundll32.exe.

Audit (M1047)

Regularly auditing persistence locations like the Startup folder and Scheduled Tasks can help identify and remove the malware's persistence mechanisms.

D3FEND Defensive Countermeasures

To detect the CAPI Backdoor's living-off-the-land technique, organizations should use an EDR solution to perform advanced process analysis. Specifically, security teams should create detection rules that look for the legitimate Windows binary rundll32.exe being used to load and execute unsigned or unknown DLLs (like adobe.dll) from non-standard user directories such as %APPDATA% or %TEMP%. Correlating this process execution with its parent process (e.g., explorer.exe from a user clicking an LNK file) can provide high-fidelity alerts. Monitoring the command-line arguments passed to rundll32.exe is essential for identifying this type of malicious activity, which is designed to blend in with normal system operations.

Email security gateways should be configured with content filtering rules that target the initial delivery vector of this campaign: block or quarantine incoming emails that contain ZIP archives which, in turn, contain LNK files. LNK files are a common malware delivery vector with few legitimate uses as email attachments, so this is an effective, low-impact rule, and it stops the CAPI Backdoor campaign at the perimeter before the archive reaches a user's inbox. It covers this campaign's container only; the same payload delivered in a password-protected archive or a disk image would pass it, so the gateway rule complements the process and persistence detections rather than replacing them.
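The gateway rule described in this paragraph and in the Email Security bullet under Detection & Response, written out as inspection logic. This is an added example, not the author's or any vendor's code. Rather than trusting the member's file extension, it recognises a shortcut by the ShellLinkHeader every .lnk begins with (HeaderSize 0x0000004C followed by the ShellLink CLSID 00021401-0000-0000-C000-000000000046), recurses into nested ZIPs, and treats members it cannot inspect (encrypted, too deeply nested, too large) as grounds for quarantine. The archive, its member names and the zero-filled shortcut body are constructed in memory.

```python
"""Gateway-style inspection of a ZIP attachment for Windows shortcut files.

Added example for this article; not the author's or a vendor's code.
The archive and its members are constructed in memory for illustration.
"""
import io
import zipfile

# ShellLinkHeader start: 4-byte HeaderSize (0x4C, little-endian) followed by the
# 16-byte LinkCLSID 00021401-0000-0000-C000-000000000046 in GUID byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")
ZIP_MAGIC = b"PK\x03\x04"
MAX_DEPTH = 3                          # nested archives deeper than this are not opened
MAX_NESTED_BYTES = 32 * 1024 * 1024    # refuse to inflate huge inner archives (zip-bomb guard)


def fake_lnk():
    """A constructed 76-byte ShellLinkHeader with every field after the CLSID zeroed."""
    return LNK_MAGIC + b"\x00" * (0x4C - len(LNK_MAGIC))


def build_zip(members):
    """Build a ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()


def find_shortcuts(zip_bytes, depth=0, prefix=""):
    """Return (shortcuts, uninspectable): member paths that start with an LNK header,
    and members that could not be checked (encrypted, nested too deep, too large)."""
    shortcuts, uninspectable = [], []
    if depth > MAX_DEPTH:
        return shortcuts, [prefix.rstrip("/") + " (nesting too deep)"]
    try:
        z = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return shortcuts, uninspectable        # not a ZIP after all; nothing to recurse into
    with z:
        for info in z.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.flag_bits & 0x1:           # password-protected: cannot look inside
                uninspectable.append(path + " (encrypted)")
                continue
            with z.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # content sniffing, not extension matching
            if head == LNK_MAGIC:
                shortcuts.append(path)
            elif head[:4] == ZIP_MAGIC:        # nested archive: recurse
                if info.file_size > MAX_NESTED_BYTES:
                    uninspectable.append(path + " (too large)")
                    continue
                inner_s, inner_u = find_shortcuts(z.read(info), depth + 1, path + "/")
                shortcuts.extend(inner_s)
                uninspectable.extend(inner_u)
    return shortcuts, uninspectable


def by_extension(zip_bytes):
    """The naive rule many gateways ship with: top-level names ending in .lnk."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return [n for n in z.namelist() if n.lower().endswith(".lnk")]


def verdict(zip_bytes):
    shortcuts, uninspectable = find_shortcuts(zip_bytes)
    return "quarantine" if shortcuts or uninspectable else "deliver"


# Constructed attachment: a decoy PDF, a shortcut with a double extension, and a
# nested archive holding a shortcut whose name does not end in .lnk at all.
SAMPLE_ZIP = build_zip({
    "nalog_2025.pdf": b"%PDF-1.7\n% constructed decoy, not a real document\n",
    "nalog_2025.pdf.lnk": fake_lnk(),
    "prilozhenie.zip": build_zip({"readme.txt": b"constructed", "Invoice.pdf": fake_lnk()}),
})
CLEAN_ZIP = build_zip({"report.pdf": b"%PDF-1.7\n", "data.csv": b"a,b\n1,2\n"})

if __name__ == "__main__":
    print("by extension :", by_extension(SAMPLE_ZIP))
    print("by header    :", find_shortcuts(SAMPLE_ZIP))
    print("verdict      :", verdict(SAMPLE_ZIP), "/", verdict(CLEAN_ZIP))
```

On the constructed sample the extension check sees one shortcut while the header check finds two, because the nested Invoice.pdf is a shortcut despite its name. The policy choice that matters is what to do with members you cannot open: quarantining encrypted archives is the only way to stop an attacker from sidestepping the rule with a password written in the email body.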


Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis · Security Orchestration (SOAR/XSOAR) · Incident Response & Digital Forensics · Security Operations Center (SOC) · SIEM & Security Analytics · Cyber Fusion & Threat Sharing · Security Automation & Integration · Managed Detection & Response (MDR)

Tags

CAPI Backdoor · Malware · .NET · Phishing · Cyber Espionage · Russia · LotL · rundll32
