Severity
High
Analysis Summary
A targeted social engineering campaign aimed at organizations in Saudi Arabia has been identified. The lure impersonates official communication from the Saudi Ministry of Finance and uses a subject line such as “Work From Home Policy Update” so that the message appears legitimate and relevant to the recipient.
The attack begins with a malicious compressed file named “Work.zip,” which contains a Windows shortcut named “Work From Home Policy Update.pdf.lnk.” Because Windows Explorer never displays the .lnk extension, the file appears to the victim as a PDF named “Work From Home Policy Update.pdf”; opening it runs the shortcut’s target command rather than a document, which starts the infection chain.
Technically, the campaign relies on AppDomainManager hijacking, an abuse of a documented .NET Framework feature rather than a software vulnerability. The .NET runtime can be told, through the application’s .exe.config file (the appDomainManagerAssembly and appDomainManagerType elements under runtime) or through the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables, to load a custom AppDomainManager class before the application’s own entry point runs. An attacker who places an attacker-supplied assembly and a matching configuration next to a legitimate .NET executable therefore gets that assembly loaded and executed inside a trusted, often signed, process. In this campaign the assembly is the DLL “IAStorHelpMosquitoproof.dll,” which serves as the payload that establishes execution and potentially maintains persistence on the compromised system.
Overall, the campaign shows the continued effectiveness of social engineering combined with abuse of legitimate .NET runtime behaviour to deliver malware and evade detection: no exploit is required, and the malicious code runs inside a process that looks benign.
Impact
- Unauthorized Access
- Remote Code Execution
- Data Theft
Indicators of Compromise
MD5
85cd2aa498a943d4c07ce75d30f6e68d
51d0d1482d0e034b3ef2ee6fc83719a4
SHA-256
4f353b9634509a5e1456e54ccb4ce64c1e6d95094df96048ef79b30cc2fda6cb
5d784d3ca02ab0015b028f34aa54bc8c50db39f9671dc787bc2a84f0987043b2
SHA-1
63ba456b853e8c24fad02ca399be4ccc8b4e5b80
fe9ad4a7af08803ead89148067a2736c335fe020
Remediation
- Block and quarantine suspicious attachments at the email gateway, in particular archives (ZIP) that contain .lnk files or files with double extensions such as .pdf.lnk, to prevent initial infection
- Educate users to verify sender identity through a known-good channel and to avoid opening unexpected “policy update” files, reducing the success rate of the social engineering lure
- Disable or restrict execution of LNK files from untrusted sources, for example by blocking shortcuts that arrive by email or that are extracted from downloaded archives, to limit abuse of shortcut-based attacks
- Implement application control (AppLocker or Windows Defender Application Control with DLL rules) so that unsigned or unexpected assemblies cannot be loaded by .NET processes
- Monitor and restrict AppDomainManager usage: alert on process creation where the APPDOMAIN_MANAGER_ASM or APPDOMAIN_MANAGER_TYPE environment variables are set, and on .exe.config files that name an appDomainManagerAssembly that does not resolve to the Global Assembly Cache, to detect and block hijacking attempts
- Deploy endpoint detection and response (EDR) tooling to identify abnormal process behaviour and DLL loading, such as a .NET executable in a user-writable directory loading an assembly from that same directory
- Keep systems and the .NET Framework updated to minimize exploitation of known weaknesses; note that AppDomainManager hijacking abuses a documented feature rather than a patched vulnerability, so updates alone do not close this path
- Use network segmentation to limit lateral movement if a system is compromised
- Enable strong email filtering with sandboxing to analyze attachments before delivery
- Continuously monitor IOCs such as the file hashes listed above and block them across security tools
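As an added example that is not part of this advisory or of the attacker's tooling, the following Python implements the hunting logic behind the Analysis Summary and the AppDomainManager monitoring item above: it flags a disguised .lnk inside an archive, an AppDomainManager named in a .exe.config file, and an AppDomainManager injected through environment variables. The configuration text, directory listing and environment block below are constructed for the demonstration; the only detail taken from the advisory is the assembly name IAStorHelpMosquitoproof, and the type name IAStorHelpMosquitoproof.Loader is a hypothetical placeholder. The checks are heuristics: a legitimate product can ship its own AppDomainManager, so a hit is a lead for triage, not a verdict.

```python
import re
import xml.etree.ElementTree as ET

# Public key tokens used by assemblies shipped with the .NET Framework. A
# custom AppDomainManager carrying one of these is a Microsoft component;
# anything else, or no strong name at all, deserves a look.
MICROSOFT_TOKENS = {"b77a5c561934e089", "b03f5f7f11d50a3a", "31bf3856ad364e35"}

# Environment variables the runtime honours for the same purpose as the
# config elements; COMPLUS_Version is often set alongside them to pin the
# runtime version that will read them.
ENV_HIJACK_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE", "COMPLUS_Version")

DOCUMENT_EXTS = ("pdf", "doc", "docx", "xls", "xlsx", "txt")


def disguised_shortcut(member_name):
    """True for archive members such as 'Policy.pdf.lnk' that pose as documents."""
    pattern = r"\.(%s)\.lnk$" % "|".join(DOCUMENT_EXTS)
    return re.search(pattern, member_name, re.I) is not None


def parse_config(xml_text):
    """Return (assembly display name, type name) from <runtime> in a .exe.config,
    or None when the config does not set an AppDomainManager."""
    root = ET.fromstring(xml_text.strip())
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None or typ is None:
        return None
    return (asm.text or "").strip(), (typ.text or "").strip()


def public_key_token(assembly_name):
    """Extract PublicKeyToken from a display name like
    'Foo, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null'.
    Returns None when absent or 'null' (i.e. the assembly is not strong-named)."""
    m = re.search(r"PublicKeyToken=([0-9a-fA-F]{16}|null)", assembly_name, re.I)
    if not m:
        return None
    tok = m.group(1).lower()
    return None if tok == "null" else tok


def assess_config(xml_text, sibling_files):
    """Findings for one .exe.config given the file names next to the executable."""
    findings = []
    parsed = parse_config(xml_text)
    if parsed is None:
        return findings
    asm_name, type_name = parsed
    simple_name = asm_name.split(",")[0].strip()
    findings.append(f"config names AppDomainManager {type_name} in {asm_name}")
    tok = public_key_token(asm_name)
    if tok is None:
        findings.append("AppDomainManager assembly has no strong-name PublicKeyToken")
    elif tok not in MICROSOFT_TOKENS:
        findings.append(f"AppDomainManager assembly signed with non-Microsoft token {tok}")
    # The runtime probes the application directory before the GAC for a
    # non-strong-named assembly, so a DLL of that name beside the EXE is
    # exactly the side-loading layout the hijack needs.
    if f"{simple_name}.dll".lower() in {f.lower() for f in sibling_files}:
        findings.append(f"{simple_name}.dll sits in the application directory (side-loaded)")
    return findings


def assess_environment(env):
    """Findings for a process environment block (e.g. from a process-creation event)."""
    if "APPDOMAIN_MANAGER_ASM" not in env and "APPDOMAIN_MANAGER_TYPE" not in env:
        return []
    present = ", ".join(f"{v}={env[v]}" for v in ENV_HIJACK_VARS if v in env)
    return [f"AppDomainManager set via environment: {present}"]


# Constructed samples (not recovered from the campaign).
BENIGN_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/></startup>
</configuration>"""

HIJACK_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly>IAStorHelpMosquitoproof, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null</appDomainManagerAssembly>
    <appDomainManagerType>IAStorHelpMosquitoproof.Loader</appDomainManagerType>
  </runtime>
</configuration>"""

HIJACK_ENV = {
    "APPDOMAIN_MANAGER_ASM": "IAStorHelpMosquitoproof, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null",
    "APPDOMAIN_MANAGER_TYPE": "IAStorHelpMosquitoproof.Loader",  # hypothetical type name
    "COMPLUS_Version": "v4.0.30319",
}

if __name__ == "__main__":
    print("archive member:", disguised_shortcut("Work From Home Policy Update.pdf.lnk"))
    for f in assess_config(HIJACK_CONFIG, ["app.exe", "app.exe.config", "IAStorHelpMosquitoproof.dll"]):
        print("config:", f)
    for f in assess_environment(HIJACK_ENV):
        print("env:", f)
```

In production the config parser would be run over every *.exe.config found on disk or written by a file-creation event, and the environment check over the environment block of each .NET process creation; the benign sample returns no findings, which is the expected result for the vast majority of applications.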