
"The executables provide encrypted payload loading, credential harvesting via a polished Windows Hello phishing UI, keylogging, RDP session hijacking, and reverse proxy tunneling through FRP."
"The LNK file dropper is designed to launch a hidden PowerShell command, which then wipes existing persistence mechanisms from the victim's Windows Startup folder."
"One of the downloaded payloads, 'ctrl.exe,' functions as a .NET loader for launching an embedded payload, the CTRL Management Platform, which can serve either as a server or a client depending on the command-line arguments."
Researchers identified a Russian-origin remote access toolkit called CTRL, distributed through malicious Windows shortcut (LNK) files disguised as private key folders. The toolkit, built using .NET, provides credential phishing, keylogging, RDP hijacking, and reverse tunneling. The attack begins with a weaponized LNK file that triggers a multi-stage process ending in deployment of the toolkit. Along the way it modifies firewall rules, sets up persistence, and creates backdoor local users. One payload, 'ctrl.exe,' acts as a .NET loader for the CTRL Management Platform, which runs as either a server or a client depending on its command-line arguments.
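The summary names four host artifacts a defender can look for on a suspect machine: changes to the Startup folders (the dropper is described as wiping existing entries), newly created local accounts, inbound firewall rules that were not there before, and PowerShell launched with a hidden window. The following triage script is an added example and is not code from the article or from the CTRL toolkit; it assumes an elevated PowerShell 5.1 or later session on the host under examination, that Security event logging (and, for step 4, process command-line auditing) is enabled, and the seven-day lookback window and baseline account list are constructed values.

```powershell
# Added defender-side triage script (example, not from the article or the CTRL toolkit).
# Assumptions: elevated PowerShell 5.1+ on the host being examined; the lookback
# window and the baseline account list below are constructed values.
$Since = (Get-Date).AddDays(-7)

# 1. Startup folders: the dropper is described as clearing existing persistence here,
#    so report both recently written entries and an unexpectedly empty folder.
$startupPaths = @(
    [Environment]::GetFolderPath('Startup'),        # current user
    [Environment]::GetFolderPath('CommonStartup')   # all users
)
foreach ($p in $startupPaths) {
    $items = @(Get-ChildItem -Path $p -Force -ErrorAction SilentlyContinue)
    "[Startup] $p : $($items.Count) item(s)"
    $items | Where-Object { $_.LastWriteTime -ge $Since } |
        ForEach-Object { "  recently written: $($_.Name) ($($_.LastWriteTime))" }
}

# 2. Backdoor local users: enabled accounts outside the baseline, plus creation events
#    (Security event ID 4720) inside the lookback window.
$baselineUsers = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount')
Get-LocalUser | Where-Object { $_.Enabled -and ($baselineUsers -notcontains $_.Name) } |
    ForEach-Object { "[LocalUser] enabled non-baseline account: $($_.Name)" }
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object { "[Event 4720] local account created at $($_.TimeCreated)" }

# 3. Firewall rules: enabled inbound allow rules that open RDP (3389) or that are bound
#    to a program outside the Windows directory.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $port = ($_ | Get-NetFirewallPortFilter).LocalPort
    $app  = ($_ | Get-NetFirewallApplicationFilter).Program
    $opensRdp     = ($port -eq 3389)
    $nonSystemApp = ($app -and $app -ne 'Any' -and $app -notlike 'C:\Windows\*')
    if ($opensRdp -or $nonSystemApp) {
        "[Firewall] $($_.DisplayName) port=$port program=$app"
    }
}

# 4. Hidden PowerShell launches (Security event ID 4688). The command line is only
#    present in the event when process command-line auditing is enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'powershell' -and $_.Message -match '-w(indowstyle)?\s+hidden' } |
    ForEach-Object { "[Event 4688] hidden-window PowerShell at $($_.TimeCreated)" }
```

Each section emits one line per finding, so the output can be compared against a known-good host or fed into a ticket; an empty Startup folder on a machine that normally has entries is as much a signal here as a new one, which is why step 1 prints the item count rather than only recent files.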
Read at The Hacker News