A newly identified cyber threat campaign is actively exploiting Windows LNK shortcut files to distribute the MastaStealer infostealer. This multifaceted attack begins with targeted spear-phishing emails that ensnare unsuspecting users with ZIP archives containing a single LNK file. Upon interaction, this malicious shortcut initiates a complex, multi-stage infection process designed to pilfer sensitive information and evade security measures.
The attack chain is engineered to appear legitimate to the victim. When a user clicks on the compromised LNK file, the malware launches Microsoft Edge, displaying the AnyDesk website prominently. This visual diversion is intended to reassure the user that a legitimate software installation is underway. However, in the background, the hidden LNK file silently executes a more sinister operation: it downloads and deploys an MSI installer from a compromised online domain.
MastaStealer’s Elaborate Evasion Tactics
The infection process reveals a sophisticated strategy for bypassing standard security protocols. Following the initial download, the MSI installer extracts its payload into a discreetly hidden directory structure, specifically within %LOCALAPPDATA%\Temp\MW-files.cab. Subsequently, the contents are decompressed, and the core Command and Control (C2) beacon is dropped onto the system. This critical component, the primary tool for communication with attacker-controlled servers, is strategically placed at %LOCALAPPDATA%\Microsoft\Windows\dwm.exe.
The choice of the filename “dwm.exe” is a deliberate act of misdirection. This name closely mimics that of the legitimate Windows Display Window Manager process, a crucial component of Windows’ graphical interface. By adopting an authentic-sounding filename and directory structure, the malware significantly increases its chances of remaining undetected by automated security tools and vigilant system administrators alike.
This campaign’s success in circumventing traditional detection methods is attributed to its meticulous file placement and the calculated use of common Windows process names. Security researchers noted that the attack was uncovered due to Windows Installer event logs, which recorded Application Event ID 11708 failures. This alert was triggered when the affected user lacked the necessary local administrator privileges to complete the MSI deployment, leading to an unexpected halt in the infection chain.
PowerShell-Based Defender Exclusion
A particularly concerning aspect of this malware campaign involves the sophisticated method employed to neutralize Windows Defender. During the installation phase, the malware executes a targeted PowerShell command. This command’s primary objective is to create an exclusion path within Windows Defender’s real-time scanning capabilities. Specifically, the command executed is: Add-MpPreference -ExclusionPath "C:\Users\admin\AppData\Local\Microsoft\Windows\dvm.exe".
This single PowerShell command effectively renders the malware’s C2 beacon invisible to Windows Defender’s continuous monitoring. By omitting this specific executable path from real-time scans, the malware is granted unfettered ability to communicate with its command and control infrastructure. The identified C2 servers supporting this operation are cmqsqomiwwksmcsw[.]xyz, accessible via IP address 38.134.148.74, and ykgmqooyusggyyya[.]xyz, reachable at 155.117.20.75.
This tactic highlights a prevalent trend in cybercrime: attackers are increasingly leveraging legitimate system administration tools and features, such as PowerShell, to bypass modern endpoint protection solutions. Instead of attempting brute-force breaches, they are adept at exploiting built-in functionalities to weaken security defenses from within.
To mitigate this threat, organizations are advised to implement strict monitoring of unusual PowerShell executions, particularly those involving MpPreference parameters. Furthermore, the adoption of application whitelisting policies can serve as a crucial defense layer, preventing unauthorized modifications to critical security software like Windows Defender.
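The monitoring advice above can be turned into simple triage logic. The following is an added example, not code from the article or from any vendor product: it runs over a few constructed log records (PowerShell script-block Event ID 4104 text and an Application Event ID 11708 installer failure) and flags MpPreference changes, escalating when the excluded path sits in a user-writable location or its filename imitates a core Windows process such as dwm.exe. The event shapes, severity labels and process list are assumptions for illustration.

```python
import re
from typing import Optional

# Constructed sample records (not from the article): PowerShell script-block logging
# (Event ID 4104) and a Windows Installer failure (Application Event ID 11708).
SAMPLE_EVENTS = [
    {"id": 4104, "msg": r'Add-MpPreference -ExclusionPath "C:\Users\admin\AppData\Local\Microsoft\Windows\dvm.exe"'},
    {"id": 4104, "msg": r'Add-MpPreference -ExclusionPath "C:\Program Files\Vendor\agent.exe"'},
    {"id": 4104, "msg": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 4104, "msg": "Get-MpPreference | Select-Object -ExpandProperty ExclusionPath"},
    {"id": 11708, "msg": "Product: Example Package -- Installation failed."},
]

# Core Windows process names that malware imitates (assumed list); the campaign above uses dwm.exe.
SYSTEM_PROCESS_NAMES = {"dwm.exe", "svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|%(?:LOCAL)?APPDATA%|%TEMP%", re.I)
EXCLUSION_CMD = re.compile(
    r"""\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+(?:"([^"]+)"|'([^']+)'|(\S+))""",
    re.I)
DISABLE_CMD = re.compile(r"\bSet-MpPreference\b.*?-Disable\w+\s+\$?true", re.I)


def lookalike(filename: str) -> Optional[str]:
    """Return the system process name that `filename` equals or differs from by one character."""
    name = filename.lower()
    for legit in SYSTEM_PROCESS_NAMES:
        if len(name) == len(legit) and sum(a != b for a, b in zip(name, legit)) <= 1:
            return legit
    return None


def score_event(event: dict) -> Optional[tuple]:
    """Classify one record as (severity, reason), or None when it is benign."""
    msg = event["msg"]
    if event["id"] == 11708:
        return ("low", "MSI installation failed (11708): review which package was being installed")
    if DISABLE_CMD.search(msg):
        return ("high", "Defender protection feature disabled via Set-MpPreference")
    m = EXCLUSION_CMD.search(msg)
    if not m:
        return None  # Get-MpPreference and unrelated commands are read-only
    path = next(g for g in m.groups() if g)
    mimic = lookalike(path.rsplit("\\", 1)[-1])
    if USER_WRITABLE.search(path) and mimic:
        return ("critical", f"exclusion for user-writable path imitating {mimic}: {path}")
    if USER_WRITABLE.search(path):
        return ("high", f"exclusion added for user-writable path: {path}")
    return ("medium", f"Defender exclusion added: {path}")


def triage(events: list) -> list:
    """Run every record through score_event and keep the hits as (event id, severity, reason)."""
    return [(e["id"], *r) for e in events if (r := score_event(e))]
```

Calling `triage(SAMPLE_EVENTS)` rates the dvm.exe exclusion critical, the Program Files exclusion medium, the real-time monitoring change high, and the installer failure low, while the read-only Get-MpPreference query produces no hit.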
The ongoing evolution of MastaStealer and its deployment techniques underscores the persistent threat posed by infostealers. As attackers refine their methods to evade detection, organizations must remain vigilant and proactive in their cybersecurity strategies. Future developments will likely focus on the continuous adaptation of these evasion tactics and the potential discovery of new initial access vectors. Organizations should monitor security advisories closely and ensure their defenses are updated to counter these emerging threats.