Attackers abuse WMIC to download malicious files
released on 2018-08-30 @ 06:57:06 PM
The attack chain begins with the arrival of a shortcut (.lnk) file delivered via a URL, such as a link in an email, or sent as an email attachment. Once the recipient clicks on the file, the next stage in the attack is initiated.
The shortcut file contains a WMIC command to download an XSL file from a remote server.
The XSL file contains JavaScript which is executed using mshta.exe, another legitimate tool often abused by cyber criminals.
The JavaScript contains a list of 52 domains, each assigned an ID number from 1 to 52. A function (radador) generates a random number in the range 1-52, effectively choosing a random domain from the list. To build a unique download URL, the script calls radador to pick the domain, generates a random port number in the range 25010-25099, and appends the port to the chosen domain.
The URL is used to download an HTML Application (HTA) file.
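As an added example (not part of the AlienVault write-up), the following Python detector applies the behaviours described above to constructed endpoint telemetry: a WMIC process started with a remote URL on its command line, an mshta.exe execution, and a download URL whose port falls in the 25010-25099 range. Every hostname, path and command line below is made up for the sample.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Port range the write-up says the script appends to the chosen domain.
PORT_LO, PORT_HI = 25010, 25099
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def suspicious_process(image: str, cmdline: str) -> Optional[str]:
    """Reason string if a process-creation event matches the chain, else None."""
    name = image.lower().rsplit("\\", 1)[-1]
    if name == "wmic.exe" and URL_RE.search(cmdline):
        return "wmic.exe started with a remote URL on its command line"
    if name == "mshta.exe":
        return "mshta.exe execution (HTA host used to run the script)"
    return None


def suspicious_url(url: str) -> Optional[str]:
    """Reason string if a download URL uses a port in 25010-25099, else None."""
    port = urlparse(url).port
    if port is not None and PORT_LO <= port <= PORT_HI:
        return f"download on port {port}, inside the 25010-25099 range"
    return None


def scan(events):
    """Return (event id, reason) for every event that matches one of the checks."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            reason = suspicious_process(ev["image"], ev["cmdline"])
        else:
            reason = suspicious_url(ev["url"])
        if reason:
            hits.append((ev["id"], reason))
    return hits


# Constructed sample telemetry; hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic.exe <args> "http://stage-server.invalid/style.xsl"'},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe <args>"},
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    {"id": 4, "type": "url", "url": "http://node17.dl.invalid:25047/update.hta"},
    {"id": 5, "type": "url", "url": "https://www.example.com/index.html"},
    {"id": 6, "type": "url", "url": "http://proxy.corp.invalid:8080/"},
]

if __name__ == "__main__":
    for event_id, reason in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

Each check alone is noisy (administrators run WMIC and mshta.exe legitimately); correlating a WMIC-with-URL event followed by mshta.exe and a high-port download from the same host is what makes the chain stand out.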
These indicators of compromise were created by AlienVault Labs.