While hunting for threats in the wild, we came across an ongoing campaign that has likely been running since the beginning of February 2023. Deeper analysis showed it to be strikingly similar to activity attributed to the "Earth Bogle" threat actor, which was quite active in the middle of last year. The campaign has an interesting execution flow on victim machines, with multiple layers of payloads executed so that detection can be evaded at each stage.
To understand what these files are doing, we followed the chain from the initial payload, image.ps1, all the way to the AsyncRAT at the end of the infection.
image.ps1 (21e1e60efdbf24f5f7e114e509096ae87ad1ef70c23f3361c61c70be746d788b)
This is the campaign's first-stage PowerShell payload. It drops the four files listed below into the public Music directory, C:\Users\Public\Music:
· Loader.vbs
· install.ps1
· install.vbs
· report.ps1
(Fig. Dropped Payloads)
After these files are created, the PowerShell script sleeps for 6 seconds and then launches the install.vbs it dropped.
install.vbs (072b492a6a95545c6e46fbd8ca0c194173c3437c0cca8eca807c7db103e89d27)
This VBScript payload simply executes install.ps1 from C:\Users\Public\Music.
install.ps1 (b293d21566f6766b82194e8beb6e555230d35adf8b2c20a3d756405ada04e0b2)
This PowerShell payload creates a scheduled task named recycle that runs Loader.vbs from C:\Users\Public\Music one minute later. Handing the next stage to the Task Scheduler both delays it and makes it a child of the scheduler service rather than of the PowerShell dropper, which breaks the direct parent-child chain that process-tree detections look for.
Loader.vbs (157753d3c09ff4b7d2ff802ed25474a043019ecaf111893f93eafdca474b6590)
This VBScript payload simply executes Report.ps1 from C:\Users\Public\Music.
Report.ps1 (cf4921a55199c27c24e4fbacc4a3e90d4d5249e4aeb4de2eafe56d395cdfbde4)
This is one of the most important PowerShell payloads in this campaign: it loads a .NET assembly called NewPE2.dll directly into memory. The purpose of this DLL (26263e72e425b4c5deae7fcf7d5f94c734a7085fad1499d33b8993962cab669c) is to inject a payload into another process on the victim machine.
(Fig. Injector DLL and AsyncRAT Injection into RegSvcs.exe)
The PowerShell script then calls the injector function NewPE2.PE.Execute() from the loaded assembly and injects the final AsyncRAT payload (09b421ff51c7495193a2aa3d5758823d50392db3e202bb7bcd6950255027c391) into C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe using process hollowing. RegSvcs.exe is a legitimate, Microsoft-signed .NET Framework binary present on Windows machines, so the RAT ends up running under a trusted image name and path.
(Fig. NewPE2.dll – Execute function)
The final RAT operations are fileless, a well-known trend in the wild for evading file-based detection: the malicious payloads are loaded directly into memory rather than dropped onto disk. Here the threat actors use the standard System.Reflection.Assembly class to load the injector DLL straight into memory, so neither the injector nor the RAT itself ever touches disk; the only on-disk artefacts are the script stages in C:\Users\Public\Music.
The final malware (Stub.exe) in the victim's environment belongs to the AsyncRAT malware family.
Stub.exe (09b421ff51c7495193a2aa3d5758823d50392db3e202bb7bcd6950255027c391)
This is the final AsyncRAT payload, which lives only in memory and has a number of interesting features.
Anti-Analysis Techniques:
1. Delayed execution using Thread.Sleep for 3 seconds
(Fig. Sleep for 3 Seconds)
2. A large number of AES-256 encrypted strings, which hinder reverse engineering and defeat string-based detection. We decrypted the strings using the identified key and the following parameters:
Parameter | Value
Key | 707A6F3C2C5A9CC20A666EA74B2FB993F326B7B5D0BF2733761AD03D8DDCDE87
IV | 80E38AD5ED1A73B536248BBE11972F07
KeySize | 256
BlockSize | 128
Mode | CBC
Padding | PKCS7
3. Tries to create a mutex
(Fig. Tries to create a Mutex)
4. Detects virtual machine manufacturers such as VMware or VirtualBox and exits
(Fig. VM Check)
5. Uses CheckRemoteDebuggerPresent on the currently running process
(Fig. CheckRemoteDebuggerPresent on current process)
6. Sandboxie detection by looking for a loaded module handle for SbieDll.dll
7. Terminates if the drive hosting the System Directory (C:\Windows\System32) is smaller than 61 GB, a cheap check for the small disks typical of analysis sandboxes
(Fig. System Directory Size Check)
8. Terminates if the OS name contains "xp" (indicating Windows XP)
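The decryption parameters listed under item 2 above are enough to write a small decryptor. The following PowerShell is an added example, not code from the post or from the sample: it builds an AES-256-CBC/PKCS7 decryptor around the recovered key and IV. Because no real ciphertext from the sample is reproduced here, the script constructs its own by encrypting a sample string with the same parameters and then decrypting it, so the round trip exercises the decryptor end to end.

```powershell
# Added example (not the post's or the sample's code): AES-256-CBC/PKCS7 string
# decryptor parameterised with the key and IV recovered from the sample.
$KeyHex = '707A6F3C2C5A9CC20A666EA74B2FB993F326B7B5D0BF2733761AD03D8DDCDE87'
$IvHex  = '80E38AD5ED1A73B536248BBE11972F07'

function ConvertFrom-Hex([string]$Hex) {
    $bytes = New-Object byte[] ([int]($Hex.Length / 2))
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    return ,$bytes
}

function New-StringAes([byte[]]$Key, [byte[]]$IV) {
    # Same parameters as the table above: 256-bit key, 128-bit block, CBC, PKCS7.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize   = 256
    $aes.BlockSize = 128
    $aes.Mode      = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding   = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $Key
    $aes.IV  = $IV
    return $aes
}

function Unprotect-RatString([string]$Base64, [byte[]]$Key, [byte[]]$IV) {
    $aes = New-StringAes $Key $IV
    try {
        $cipher = [Convert]::FromBase64String($Base64)
        $plain  = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
        return [System.Text.Encoding]::UTF8.GetString($plain)
    } finally { $aes.Dispose() }
}

function Protect-RatString([string]$Text, [byte[]]$Key, [byte[]]$IV) {
    # Only used to construct a sample ciphertext for the round trip below.
    $aes = New-StringAes $Key $IV
    try {
        $raw    = [System.Text.Encoding]::UTF8.GetBytes($Text)
        $cipher = $aes.CreateEncryptor().TransformFinalBlock($raw, 0, $raw.Length)
        return [Convert]::ToBase64String($cipher)
    } finally { $aes.Dispose() }
}

$key = ConvertFrom-Hex $KeyHex
$iv  = ConvertFrom-Hex $IvHex

# Constructed sample (assumption: a plausible config value, not a string from the malware).
$sample    = Protect-RatString 'osostata.com:7777' $key $iv
$recovered = Unprotect-RatString $sample $key $iv
"ciphertext (base64): $sample"
"plaintext          : $recovered"
```

With the real Base64 strings pulled from the sample, a wrong key or IV shows up either as a CryptographicException about invalid PKCS7 padding or as unreadable output, which is the quickest sanity check that the recovered parameters are the right ones before bulk-decrypting the rest of the string table.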
Typical Persistence Techniques:
This malware persists through common techniques: it creates a scheduled task that executes it on logon and adds itself to the Windows Run registry key.
(Fig. Persistence using Scheduled Task & Run Registry)
The malware also tries to make itself a critical system process by calling RtlSetProcessIsCritical, an undocumented native API exported by ntdll.dll. Once the flag is set, terminating the process triggers a bug check (a blue screen), so the victim cannot simply kill the malicious process without crashing Windows.
(Fig. Use of RtlSetProcessIsCritical)
Calling that function requires SeDebugPrivilege, which the malware enables by calling Process.EnterDebugMode(). This only succeeds when the process token already holds the privilege (typically an elevated administrator), so from a standard-user session the critical-process trick cannot be applied.
(Fig. EnterDebugMode to grab SeDebugPrivilege)
Prevent System Sleep or Screen Lock
The malware keeps itself running by calling SetThreadExecutionState with flags that stop the system from entering sleep and the display from turning off or locking. On a live host, running powercfg /requests from an elevated prompt lists the processes holding such SYSTEM and DISPLAY power requests, which makes this behaviour easy to spot.
(Fig. Use of SetThreadExecutionState)
Typical Keylogging Functionality
The RAT has the common keylogging feature: it installs a keyboard hook with SetWindowsHookExA and runs it on a separate thread, and the captured keystrokes are written to C:\Windows\Temp\Log.tmp.
(Fig. Keylogger)
C2 Communication
This variant of AsyncRAT uses sockets to communicate with the C2, in this case osostata[.]com on port 7777. The malware tries to connect using either an IP:PORT or a DOMAIN:PORT combination, so it creates a socket to one of:
1. 134.255.234[.]198:7777
2. osostata[.]com:7777
134.255.234[.]198 is simply the address that the C2 domain osostata[.]com resolves to; both entries point at the same server. The domain was registered around six months ago, which matches the timeline of this campaign and strongly suggests it was bought and registered specifically for this malicious activity.
(Fig. C2 Domain Registration Information)
The RAT performs basic system fingerprinting: host information, the installed antivirus product, whether the user is an administrator, whether the machine is 64-bit, which Bitcoin applications are present on the system, and so on.
(Fig. System Fingerprinting)
This information, along with other data, is exfiltrated to the C2 over an SSL/TLS channel.
(Fig. Data Exfiltration Over SSL Channel)
This AsyncRAT sample has many more capabilities, which we will cover in the next blog post.
Tactic | Technique
Initial Access | T1566.001 - Phishing: Spearphishing Attachment
Execution | T1059.001 - Command and Scripting Interpreter: PowerShell
Execution | T1059.003 - Command and Scripting Interpreter: Windows Command Shell
Execution | T1059.005 - Command and Scripting Interpreter: Visual Basic
Persistence | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Persistence | T1053.005 - Scheduled Task/Job: Scheduled Task
Privilege Escalation | T1134 - Access Token Manipulation
Privilege Escalation | T1055.012 - Process Injection: Process Hollowing
Defense Evasion | T1622 - Debugger Evasion
Defense Evasion | T1497.001 - Virtualization/Sandbox Evasion: System Checks
Discovery | T1083 - File and Directory Discovery
Discovery | T1033 - System Owner/User Discovery
Discovery | T1082 - System Information Discovery
Discovery | T1057 - Process Discovery
Discovery | T1010 - Application Window Discovery
Discovery | T1518.001 - Software Discovery: Security Software Discovery
Collection | T1056.001 - Input Capture: Keylogging
Collection | T1115 - Clipboard Data
Command and Control | T1132.001 - Data Encoding: Standard Encoding
Command and Control | T1573.001 - Encrypted Channel: Symmetric Cryptography
Command and Control | T1571 - Non-Standard Port
Exfiltration | T1041 - Exfiltration Over C2 Channel