FortiGuard Labs has discovered a new campaign that targets Microsoft Windows users with the NordDragonScan infostealer. This high-severity threat leverages a complex infection chain to infiltrate systems and harvest very sensitive user data. The stolen data is then exfiltrated to a command-and-control server for potential use in many future cyberattacks. This malware showcases advanced attacker tactics that demand immediate attention from Windows users and organizations alike. The campaign represents a very worrying new trend for cybersecurity professionals who are working to defend corporate networks.
The attack begins with a deceptive initial vector, utilizing shortened URLs that redirect to a malicious file-sharing website. This prompts the download of a malicious RAR archive with a Ukrainian-themed filename which contains a harmful LNK shortcut. Upon execution, this shortcut invokes mshta.exe to run a weaponized HTA script from the same server. The HTA script masquerades as a legitimate process and distracts users with a benign decoy document in Ukrainian.
It silently deploys the core payload, “adblocker.exe,” into the victim’s temporary directory on their personal computer.
Once installed, the NordDragonScan malware employs custom string obfuscation through XOR operations and byte-swapping to hide itself. This helps to conceal its hardcoded strings from static analysis by most modern antivirus security software products. It establishes a working directory named “NordDragonScan” in the local app data folder to stage stolen information. Its reconnaissance capabilities are extensive, gathering detailed system information through WMI and various .NET function calls.
Beyond system data, it steals files with specific extensions from Desktop, Documents, and Downloads folders.
The malware ensures its persistence through a registry entry named “NordStar” under Windows’ CurrentVersion\Run key. This specific technique allows the malware to survive system reboots and maintain its presence on the infected machine. It communicates with its command-and-control server using custom HTTP headers and the victim’s MAC address. It also retrieves dynamic URLs from the server for the purpose of exfiltrating all of the stolen data. Screenshots are taken and saved, adding to the trove of sensitive data bundled for upload to the server.
Reference:
