
DarkSamurai APT Group Utilizes Malicious LNK and PDF Files to Exfiltrate Sensitive Data

Security researchers have recently identified a sophisticated campaign, known as the DarkSamural operation, targeting critical infrastructure and government entities across South Asia. The attack chain employs cleverly disguised LNK and PDF files to infiltrate networks, establish persistence, and exfiltrate sensitive information. Initial analysis shows that the adversaries mask malicious MSC (Microsoft Management Console) files with familiar PDF icons, enticing recipients to inadvertently execute the embedded scripts. The infection process begins with a spear-phishing email containing a compressed archive. Recipients encounter a file named Drone_Information.pdf[.]msc, which, despite its PDF-like appearance, executes when double-clicked. Analysts from Ctfiot have noted that these MSC files use the GrimResource technique to unpack and run obfuscated JavaScript, which subsequently downloads a second-stage payload. This multi-layered approach complicates signature-based detection, as each stage appears benign until it is deobfuscated.

The impact of DarkSamural extends beyond initial access, with victims reporting unauthorized file transfers, browser credential theft, and even remote shell access. The attackers leverage a combination of open-source and proprietary Remote Access Trojans (RATs), including Mythic, QuasarRat, and BADNEWS, granting them versatile control over compromised machines. The files harvested range from administrative documents to proprietary research, highlighting the campaign's strategic focus on exfiltrating high-value data.

Further analysis indicates that the malicious DLL exposes an export function, DllRegisterServer, which dynamically resolves critical Windows APIs. Upon execution, the sample collects host details such as machine name, user account, and process ID, packaging them into a JSON check-in packet. This packet is encrypted with AES-128-GCM and transmitted to the command-and-control endpoint over WinHTTP, producing network artifacts that mimic legitimate update traffic and thereby complicating anomaly detection. A closer examination of the MSC file's internal structure reveals a multi-layered obfuscation scheme designed to thwart reverse engineering: the initial JavaScript code is embedded in an XML StringTable and triggers an XSL transformation that launches mmc[.]exe with a remote script reference.
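As an added defender-side illustration that is not from the original report or from Ctfiot, the following Python scanner applies two of the observable traits described above to a console file: a document-style extension placed in front of `.msc`, and script or remote-resource content inside the file's XML StringTable. The XML layout, the string contents and the filenames below are constructed assumptions for the demonstration, not the DarkSamural sample, and the pattern list is a starting point a triage analyst would extend rather than a complete signature.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (assumption): the general shape of an .msc console file,
# which is XML carrying a StringTable. Strings 3 and 4 are made up to trip the
# checks; they are not the contents of any real sample.
SAMPLE_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Favorites</String>
        <String ID="2" Refs="1">Console Root</String>
        <String ID="3" Refs="1">&lt;script&gt;eval(unescape(PAYLOAD))&lt;/script&gt;</String>
        <String ID="4" Refs="1">http://example.invalid/stage2.xsl</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Constructed benign counterpart with only ordinary console labels.
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Favorites</String>
        <String ID="2" Refs="1">Console Root</String>
        <String ID="3" Refs="1">Services (Local)</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Filenames such as "Report.pdf.msc": a document-looking extension before .msc.
DOUBLE_EXTENSION = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt)\.msc$", re.IGNORECASE)

# Content a legitimate console's StringTable has no reason to carry.
# The keys double as labels in the report.
SUSPICIOUS_PATTERNS = {
    "<script": re.compile(r"<script", re.IGNORECASE),
    "javascript:": re.compile(r"javascript:", re.IGNORECASE),
    "eval(": re.compile(r"\beval\s*\(", re.IGNORECASE),
    "ActiveXObject": re.compile(r"ActiveXObject", re.IGNORECASE),
    "url": re.compile(r"https?://", re.IGNORECASE),
    ".xsl reference": re.compile(r"\.xsl\b", re.IGNORECASE),
    "mmc.exe": re.compile(r"mmc\.exe", re.IGNORECASE),
}


def stringtable_strings(xml_text):
    """Yield (ID, text) for every <String> under any <StringTable>.

    ElementTree unescapes entities, so '&lt;script&gt;' in the file comes
    back as '<script>' here and the content patterns match the real text.
    """
    root = ET.fromstring(xml_text)
    for table in root.iter("StringTable"):
        for node in table.iter("String"):
            yield node.get("ID", "?"), (node.text or "")


def scan_msc(filename, xml_text):
    """Return a small triage report for one console file."""
    report = {
        "file": filename,
        "double_extension": bool(DOUBLE_EXTENSION.search(filename)),
        "hits": [],          # (string ID, pattern label)
        "verdict": "clean",
    }
    try:
        strings = list(stringtable_strings(xml_text))
    except ET.ParseError:
        # A console file MMC itself could not load is worth a look on its own.
        report["verdict"] = "unparseable"
        return report
    for string_id, text in strings:
        for label, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(text):
                report["hits"].append((string_id, label))
    if report["hits"] or report["double_extension"]:
        report["verdict"] = "suspicious"
    return report


if __name__ == "__main__":
    for name, body in (("Report.pdf.msc", SAMPLE_MSC), ("services.msc", BENIGN_MSC)):
        print(scan_msc(name, body))
```

Running the scanner over a mail-gateway quarantine or an EDR file-write feed gives a cheap first filter; the verdict is deliberately coarse, since the report notes that each stage looks benign until deobfuscated, so the point is to surface candidates for sandboxing rather than to decide on its own.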

Categories: Cybersecurity Threats, Malware Techniques, Data Exfiltration 

Tags: DarkSamural, Critical Infrastructure, Spear-Phishing, MSC Files, Obfuscated JavaScript, Command-and-Control, Credential Theft, Remote Access, Exfiltration, Multi-layered Obfuscation 
