Tom Elkins – CyberSecurity Confabulation

Malware Campaign Lures Users With Fake W2 Form

Posted 8 months ago by Tom Elkins

Rapid7 has recently observed an ongoing campaign targeting users searching for W2 forms using the Microsoft search engine Bing. Users are subsequently directed to a fake IRS website, enticing them to download their W2 form that ultimately downloads a malicious JavaScript (JS) file instead. The JS file, when executed, downloads and executes a Microsoft Software Installer (MSI) package which in turn drops and executes a Dynamic Link Library (DLL) containing the Brute Ratel Badger.

In this blog, we will detail the attack chain and offer preventative measures to help protect users.

Overview:

Starting on June 21, 2024, Rapid7 observed two separate incidents in which users downloaded and executed suspicious JavaScript (JS) files linked to the URL hxxps://grupotefex[.]com/forms-pubs/about-form-w-2/. Following execution of the JS files, Rapid7 observed the download and execution of an MSI file that was responsible for dropping a suspicious DLL into the user's AppData/Roaming/ profile. Upon further analysis, Rapid7 determined that the suspicious DLL contained a Brute Ratel Badger. Brute Ratel is a command and control framework used for red team and adversary simulation.

When executed successfully, the Brute Ratel Badger will subsequently download and inject the Latrodectus malware. Latrodectus is a stealthy backdoor used by threat actors to query information about the compromised machine, execute remote commands, and download and execute additional payloads.

On June 23, Zscaler ThreatLabz issued a tweet indicating that the initial access broker behind the deployment of the malware family known as Latrodectus was using Brute Ratel as a stager.

On June 24, a blog was released by reveng.ai, outlining an identical attack chain that we observed. From the posts, we noted overlapping indicators of compromise (IOC), indicating that the behavior observed was related.

Initial Access:

During analysis of the incidents, Rapid7 observed that users queried the search engine Bing containing the key words W2 form. They subsequently navigated to the domain appointopia[.]com, which re-directed the browser to the URL hxxps://grupotefex[.]com/forms-pubs/about-form-w-2/.

After replicating the incident in a controlled environment, we observed that following the query for w2 form 2024 using Bing, the top result is a link to the domain appointopia[.]com which claims to have W2 forms available for download.

After clicking the link, the browser is directed to the URL `hxxps://grupotefex[.]com/forms-pubs/about-form-w-2/`, which presents users with a fake IRS site, luring users into downloading their W2 form.

While interacting with the hyperlinks present on the website, we observed that each time, a CAPTCHA would appear, luring the users to solve it.

Upon closer examination, users were presented with a CAPTCHA system, seemingly designed to verify human activity. However, this CAPTCHA was part of a malicious scheme. Once answered successfully, the CAPTCHA would download a malicious JavaScript file named `form_ver`, appending the file name with the UTC time of access, such as `Form_Ver-14-00-21`. The source of the downloaded JS file came from a Google Firebase URL, `hxxps://firebasestorage.googleapis[.]com/v0/b/namo-426715.appspot.com/o/KB9NQzOsws/Form_Ver-14-00-21.js?alt=media&token=dd7d4363-5441-4b14-af8c-1cb584f829c7`. This JavaScript file would then be responsible for downloading the next stage payload.

Technical analysis:

We acquired one of the JS files from the incidents that took place on June 21 and analyzed the contents in a controlled environment. We observed that the JS file contained code hidden between commented out lines. Threat actors employ this technique in order to inflate the size of their files and obfuscate their code with the goal of evading antivirus solutions and hindering reversing.

In addition, we observed that the JavaScript contained a valid Authenticode certificate issued to Brass Door Design Build Inc. Threat actors will embed valid certificates in order to exploit trust mechanisms and make the scripts appear legitimate.

We analyzed the JS files and observed code resembling a technique used for extracting and executing hidden code within comments. Specifically: The code defines a ScriptHandler class that can read in a script file, parse out any lines starting with `//////`, and store those lines of code in an extractedCode property as seen in Figure 5. The code then defines a method `runExtractedCode()` that executes that extracted code using new `Function()`. It instantiates a ScriptHandler for the current script file, extracts the hidden code, and executes it.

This allows hiding arbitrary code within comments in a script, which will then be extracted and executed when the script is run. The comments provide a way to conceal the hidden code. This technique was used to hide malicious code within a script file designed to make the user think it is benign. When the script is executed, the concealed code would be extracted and run without the user's knowledge.

After cleaning up the script file, we observed that the purpose of the script was to download an MSI package from the URL `hxxp://85.208.108[.]63/BST.msi` and execute it.

In another related incident that occurred on June 25, we observed that the JS file was downloading the payload from a similar URL, `hxxp://85.208.108[.]30/neuro.msi`.

MSI Analysis

We acquired the latest MSI file, neuro.msi, from hxxp://85.208.108[.]30/neuro.msi and analyzed the contents. We observed that the contents of the MSI file contained a Cabinet (.cab) file named disk1.cab which stored a DLL, capisp.dll.

We also observed that the MSI package `neuro.msi` contained a custom action whose function was to drop the DLL, `capisp.dll`, within AppData/Roaming/ folder and execute it using `rundll32.exe` with the export `remi`.

We obtained the DLL from the MSI installer and analyzed the contents.

Capisp.dll Analysis

During initial analysis, we observed the DLL was associated with the VLC media player. We also observed that the DLL contained a suspicious resource named نالوقتمتأخر located at the offset of 0x00EB2C0. We determined that the resource name نالوقتمتأخر was Arabic and translates to ‘It is late’, referring to time.

While analyzing the export function `remi` we observed that the function starts by storing a hardcoded string `)5Nmw*CP>sC%dh!E(eT6d$vp<)`, which is reserved for later use. The function then calculates the resource located at offset (0x00EB2C0) that marks the start of the encrypted data, which will be decrypted using an XOR decryption routine with the previously stored string.

After the data is decrypted, the function then utilizes the Windows API `VirtualAlloc` to allocate a new region of memory in order to copy and store the decrypted data.

Using that logic, we replicated the process in Cyberchef and observed that the decrypted data resembled another Windows binary. While analyzing the new binary, we observed an interesting string, `badge\_x64_rtl.bin.packed.dll`. We also observed that the new binary contained yet another embedded binary.

Further analysis revealed that the purpose of the decrypted binary was to load and execute the embedded binary. We identified the embedded binary as a Brute Ratel Badger (BRC4), a remote access agent in Brute Ratel. Upon successful execution, the BRC4 program attempts to establish connections to three hard coded Command and Control (C2) domains:

*bibidj[.]biz

*barsman[.]biz

*garunt[.]biz

In previous versions of the attack, we observed the BRC4 program attempting to establish communication with the C2 domains `barsen[.]monster` and `kurvabbr[.]pw`.

Following execution of the BRC4 program, we observed the download of `Latrodectus` which was subsequently injected into the Explorer.exe process.

We observed that the Latrodectus malware attempts to contact the following URLs:

* hxxps://meakdgahup[.]com/live/

* hxxps://riscoarchez[.]com/live/

* hxxps://jucemaster[.]space/live/

* hxxps://finjuiceer[.]com/live/

* hxxps://trymeakafr[.]com/live/

Conclusion

Rapid7 has observed a recent campaign targeting users searching for W2 forms. The campaign lures users into downloading JS files masqueraded as supposed W2 forms from a fake IRS website. Once the JS files are executed, it downloads and executes MSI packages containing the Brute Ratel badger. Upon successful compromise, the threat actors follow up by deploying the malware family known as Latrodectus, a malicious loader that is used by threat actors to gain a foothold on compromised devices and deploy additional malware.

Mitigation guidance:

➔ Provide user awareness training that's aimed at informing users on how to identify such threats.
➔ Prevent execution of scripting files such as JavaScript and VisualBasic by changing the default ‘open-with’ settings to notepad.exe.
➔ Block or warn on uncategorized sites at the web proxy. Aside from blocking uncategorized sites, certain web proxies will display a warning page, but allow the user to continue by clicking a link in the warning page. This will stop drive-by exploits and malware from being able to download further payloads.

Rapid7 customers:

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this malware campaign:

Suspicious Process - WScript Runs JavaScript File from Temp Or Download Directory
Endpoint Prevention - A process attempted 'Self Injection' technique

MITRE ATT&CK Techniques

Tactics	Technique	Description
Resource Development	SEO Poisoning (T1608.006)	Threat Actor employed SEO poisoning, ensuring their advertisement was listed first in search results
Initial Access	Drive-by Compromise (T1189)	Upon successfully solving CAPTCHA, browser is directed to download a JavaScript file from another URL
Execution	Command and Scripting Interpreter: JavaScript (T1059.007)	User executes the downloaded JavaScript file
Defense Evasion	Embedded Payloads (T1027.009)	Brute Ratel payload is embedded within decrypted payload
Defense Evasion	Command Obfuscation (T1027.010)	Downloaded JavaScript file contains commands broken up by commented lines to hinder analysis and anti-virus scanners
Defense Evasion	Encrypted/Encoded File (T1027.013)	Latrodectus employs string decryption to hinder detection and analysis
Defense Evasion	Deobfuscate/Decode Files or Information (T1140)	DLL dropped by MSI package contains XOR routine to decrypt the Brute Ratel payload
Privilege Escalation	Dynamic-link Library Injection (T1055.001)	Latrodectus DLLs are injected into the Explorer.exe process
Command and Control	Web Protocols (T1071.001)	Brute Ratel and Latrodectus communicate with their C2 servers using HTTPS

Indicators of compromise:

Host Based Indicators (HBIs)

Indicator	File Hash	Description
Form_Ver-14-00-21.js	F8121922AE3A189FBAE0B17C8F5E665E29E2E13B2E7144DABA4B382432B4949E	JS File downloaded from URL hxxps://firebasestorage[.]googleapis.com/v0/b/namo-426715.appspot.com/o/KB9NQzOsws/Form_Ver-18-44-37.js?alt=media&token=dd7d4363-5441-4b14-af8c-1cb584f829c7
BST.msi	5b18441926e832038099acbe4a90c9e1907c9487ac14bdf4925ac170dddc24b6	MSI file downloaded from URL hxxp://85.208.108[.]63/BST.msi
neuro.msi	D71BFAB9CCA5DF6A28E12BA51FE5EAF0F9151514B3FD363264513347A8C5CF3A	MSI file downloaded from URL hxxp://85.208.108[.]30/nuero.msi contained within JS file
vpn.msi	4586250dbf8cbe579662d3492dd33fe0b3493323d4a060a0d391f20ecb28abf1	MSI file downloaded from URL hxxp://193.32.177[.]192/vpn.msi contained within JS file
aclui.dll	8484560C1526EE2E313A2B57F52EA5B31EDD05A0C9664BD7F60DA020871BFE6F	DLL contained within MSI file BST.msi and vpn.msi
capisp.dll	9B7BDB4CB71E84C5CFF0923928BF7777A41CB5E0691810AE948304C151C0C1C5	DLL contained within MSI file neuro.msi
BruteRatel payload	AD4A8983EDFB0DBA81E3D0BAE1AB549B500FD8A07DAF601E616B7E721D0674C6	BruteRatel decrypted payload contained within capisp.dll

Network Based Indicators (NBIs)

Indicator	Description
appointopia[.]com	Domain used for SEO poisoning that redirects to URL hxxps://grupotefex[.]com/forms-pubs/about-form-w-2/
hxxps://grupotefex[.]com/forms-pubs/about-form-w-2/	URL containing fake IRS website, luring users into trying to download W2 form
85.208.108[.]63	Domain hosting BST.msi
193.32.177[.]192	Domain hosting vpn.msi
85.208.108[.]30	Domain hosting neuro.msi
kurvabbr[.]pw	BruteRatel C2 - Payload contained within aclui.dll
barsen[.]monster	BruteRatel C2 - Payload contained within aclui.dll
barsman[.]biz	BruteRatel C2 - Payload contained within capisp.dll
bibidj[.]biz	BruteRatel C2 - Payload contained within capisp.dll
garunt[.]biz	BruteRatel C2 - Payload contained within capisp.dll
hxxps://meakdgahup[.]com/live/	Latrodectus C2
hxxps://riscoarchez[.]com/live/	Latrodectus C2
hxxps://jucemaster[.]space/live/	Latrodectus C2
hxxps://finjuiceer[.]com/live/	Latrodectus C2
hxxps://trymeakafr[.]com/live/	Latrodectus C2

Resources

Article	URL
Zscaler ThreatLabz Post	https://x.com/Threatlabz/status/1804918852528357791
Latrodectus Affiliate Resumes Operations Using Brute Ratel C4 Post Operation Endgame	https://blog.reveng.ai/latrodectus-distribution-via-brc4/

Stories from the SOC Part 2: MSIX Installer Utilizes Telegram Bot to Execute IDAT Loader

Posted 11 months ago by Tom Elkins

Rapid7’s Managed Detection and Response (MDR) team continuously monitors our customers' environments, identifying emerging threats and developing new detections.

In August 2023, Rapid7 identified a new malware loader named the IDAT Loader. Malware loaders are a type of malicious software designed to deliver and execute additional malware onto a victim's system. What made the IDAT Loader unique was the way in which it retrieved data from PNG files, searching for offsets beginning with 49 44 41 54 (IDAT).

In part one of our blog series, we discussed how a Rust based application was used to download and execute the IDAT Loader. In part two of this series, we will be providing analysis of how an MSIX installer led to the download and execution of the IDAT Loader.

While utilization of MSIX packages by threat actors to distribute malicious code is not new, what distinguished this incident was the attack flow of the compromise. Based on the recent tactics, techniques and procedures observed (TTPs), we believe the activity is associated with financially motivated threat groups.

MSIX Installers

In January of 2024, Red Canary released an article attributing different threat actors to various deployments of malicious MSIX installers. The MSIX installers employed a variety of techniques to deliver initial payloads onto compromised systems.

All the infections began with users navigating to typo squatted URLs after using search engines to find specific software package downloads. Typo squatting aka URL hijacking is a specific technique in which threat actors register domain names that closely resemble legitimate domain names in order to deceive users. Threat actors mimic the layout of the legitimate websites in order to lure the users into downloading their initial payloads.

Additionally, threat actors utilize a technique known as SEO poisoning, enabling the threat actors to ensure their malicious sites appear near the top of search results for users.

Technical Analysis

Typo Squatted Malvertising

In our most recent incident involving the IDAT Loader, Rapid7 observed a user downloading an installer for an application named ‘Room Planner’ from a website posing as the legitimate site. The user was searching Google for the application ‘Room Planner’ and clicked on the URL hxxps://roomplannerapp.cn[.]com. Upon user interaction, the users browser was directed to download an MSIX package, Room_Planner-x86.msix (SHA256: 6f350e64d4efbe8e2953b39bfee1040c8b041f6f212e794214e1836561a30c23).

PowerShell Scripts

During execution of the MSIX file, a PowerShell script, 1.ps1 , was dropped into the folder path C:\Program Files\WindowsApps\RoomPlanner.RoomPlanner_7.2.0.0_x86__s3garmmmnyfa0\ and executed. Rapid7 determined that it does the following:

Obtain the IP address of the compromised asset
Send the IP address of the compromised asset to a Telegram bot
Retrieve an additional PowerShell script that is hosted on the Telegram bot
Delete the message containing the IP address of the compromised asset
Invoke the PowerShell script retrieved from the Telegram bot

In a controlled environment, Rapid7 visited the Telegram bot hosting the next stage PowerShell script and determined that it did the following:

Retrieve the IP address of the compromised asset by using Invoke-RestMethod which retrieved data from the domain icanhazip[.]com
Enumerate the compromised assets Operating System, domain and AV products
Send the information to the Telegram bot
Create a randomly generated 8 character name, assigning it to the variable $JAM
Download a gpg file from URL hxxps://read-holy-quran[.]group/ld/cr.tar.gpg, saving the file to %APPDATA% saving it as the name assigned to the $JAM variable
Decrypt the contents of the gpg file using the passphrase ‘riudswrk’, saving them into a newly created folder named after the $JAM variable within C:\ProgramData\$JAM\cr\ as a .RAR archive file
Utilize tar to unarchive the RAR file
Start an executable named run.exe from within the newly created folder
Create a link (.lnk) file within the Startup folder, named after the randomly generated name stored in variable $JAM, pointing towards run.exe stored in file path C:\ProgramData\$JAM\cr\ in order to create persistence
Read in another PowerShell script hosted on a Pastebin site, hxxps://pastebin.pl/view/raw/a137d133 using downloadstring and execute its contents (the PowerShell script is a tool used to bypass AMSI) with IEX (Invoke-Expression)
Download data from URL hxxps://kalpanastickerbindi[.]com/1.jpg and reflectively load the contents and execute the program starting at function EntryPoint (indicating the downloaded data is a .NET Assembly binary)

After analysis of the AMSI (Anti Malware Scan Interface) bypass tool, we observed that it was a custom tool giving credit to a website, hxxps://rastamosue[.]memory-patching-amsi-bypass, which discusses how to create a program that can bypass AMSI scanning.

AMSI is a scanning tool that is designed to scan scripts for potentially malicious code after a scripting engine attempts to run the script. If the content is deemed malicious, AMSI will tell the scripting engine (in this case PowerShell) to not run the code.

RAR Contents

Contained within the RAR file were the following files:

Files	Description
Dharna.7z	File contains the encrypted IDAT Loader config
Guar.xslx	File contains random bytes, not used during infection
Run.exe	Renamed WebEx executable file, used to sideload DLL WbxTrace.dll
Msvcp140.dll	Benign DLL read by Run.exe
PtMgr.dll	Benign DLL read by Run.exe
Ptusredt.dll	Benign DLL read by Run.exe
Vcruntime140.dll	Benign DLL read by Run.exe
Wbxtrace.dll	Corrupted WebEx DLL containing IDAT Loader
WCLDll.dll	Benign WebEx DLL read by Run.exe

After analysis of the folder contents, Rapid7 determined that one of the DLLs, wbxtrace.dll, had a corrupted signature, indicating that its original code was tampered with. After analyzing the modified WebEx DLL, wbxtrace.dll, Rapid7 determined the DLL contained suspicious functions similar to the IDAT Loader.

Upon extracting the contents of the RAR file to the directory path C:\ProgramData\cr, the PowerShell script executes the run.exe executable.

The IDAT Loader

During execution of run.exe (a legitimate renamed WebEx executable), the executable sideloads the tampered WebEx DLL, wbxtrace.dll. Once the DLL wbxtrace.dll is loaded, the DLL executes a section of new code containing the IDAT Loader, which proceeds to read in contents from within dharna.7z.

After reading in the contents from dharna.7z, the IDAT Loader searches for the offset 49 44 41 54 (IDAT) followed by C6 A5 79 EA. After locating this offset, the loader reads in the following 4 bytes, E1 4E 91 99, which are used as the decryption key for decrypting the rest of the contents. Contained within the decrypted contents are additional code, specific DLL and Executable file paths as well as the final encrypted payload that is decrypted with a 200 byte XOR key.

The IDAT loader employs advanced techniques such as Process Doppelgänging and the Heaven’s Gate technique in order to initiate new processes and inject additional code. This strategy enables the loader to evade antivirus detections and successfully load the final stage, SecTop RAT into the newly created process, msbuild.exe.

We recently developed a configuration extractor capable of decrypting the final payload concealed within the encrypted files containing the IDAT (49 44 41 54) sections. The configuration extractor can be found on our Rapid7 Labs github page.

After using the configuration extractor, we analyzed the SecTop RAT and determined that it communicates with the IP address 91.215.85[.]66.

Rapid7 Customers

Attacker Technique - Advanced Installer .MSI Executable Spawns Powershell
Suspicious Process - Execution From Root of ProgramData
Suspicious Process - PowerShell Uncommon Upper And Lower Case Combinations
Suspicious Process - explorer.exe in Non-Standard Location

MITRE ATT&CK Techniques

Tactics	Techniques	Details
Execution	Command and Scripting Interpreter: PowerShell (T1059.001)	1.ps1 is used to fingerprint compromised machine and execute additional PowerShell scripts
Execution	Native API (T1106)	The IDAT injector and IDAT loader are using Heaven’s Gate technique to evade detection
Execution	User Execution: Malicious File (T1204.002)	User executes the binary Room_Planner-x86.msix
Defense Evasion	Masquerading: Match Legitimate Name or Location (T1036.005)	Malicious MSIX masquerades as legitimate Room Planner installer
Defense Evasion	Deobfuscate/Decode Files or Information (T1140)	gpg.exe used to decrypt cr.tar.gpg
Defense Evasion	Hijack Execution Flow: DLL Search Order Hijacking (T1574.001)	run.exe loads a malicious wbxtrace.dll
Defense Evasion	Reflective Code Loading (T1620)	PowerShell script loads a binary hosted at kalpanastickerbindi[.]com/1.jpg
Defense Evasion	Process Injection (T1055)	IDAT injector implements NtCreateSection + NtMapViewOfSection Code Injection technique to inject into cmd.exe process
Defense Evasion	Process Injection: Process Doppelgänging (T1055.013)	IDAT loader implements Process Doppelgänging technique to load the SecTop RAT
Defense Evasion	Virtualization/Sandbox Evasion: Time Based Evasion (T1497.003)	Execution delays are performed by several stages throughout the attack flow

IOCs

IOC	Sha256	Notes
Room_Planner-x86.msix	6f350e64d4efbe8e2953b39bfee1040c8b041f6f212e794214e1836561a30c23	Initial installer containing PowerShell scripts
1.ps1	928bd805b924ebe43169ad6d670acb2dfe45722e17d461ff0394852b82862d23	Dropped and executed by the Room_Planner-x86.msix
wbxtrace.dll	1D0DAF989CF28852342B1C0DFEE05374860E1300106FF7788BBA26D84549B845	Malicious DLL executed by run.exe, the renamed Cisco Webex binary
Dharna.7z	B7469153DC92BF5DE9BF2521D9550DF21BC4574D0D0CFC919FF26D1071C000B2	Encrypted payload decrypted by wbxtrace.dll
read-holy-quran[.]group/ld/cr.tar.gpg		Hosts GPG file containing RAR file
kalpanastickerbindi[.]com/1.jpg		Hosts .NET executable downloaded from API Bot PowerShell script
91.215.85[.]66		SecTop RAT domain

References

Article	URL
MSIX installer malware delivery on the rise across multiple campaigns	https://redcanary.com/blog/msix-installers/
Process Doppelgänging	https://malware.news/t/uncovering-the-serpent/76253
Analysis of “Heaven’s Gate” part 1	https://sachiel-archangel.medium.com/analysis-of-heavens-gate-part-1-62cca0ace6f0
Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers	https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/
Stories from the SOC Part 1: IDAT Loader to BruteRatel	https://www.rapid7.com/blog/post/2024/03/28/stories-from-the-soc-part-1-idat-loader-to-bruteratel/

Stories from the SoC Part 1: IDAT Loader to BruteRatel

Posted 12 months ago by Tom Elkins

Rapid7’s Managed Detection and Response (MDR) team continuously monitors our customers' environments, identifying emerging threats and developing new detections.

At the time, the loader was seen being distributed via a FakeUpdates campaign. In two recent investigations, Rapid7’s Managed Detection & Response (MDR) observed the loader being used again. Based on the recent tactics, techniques and procedures observed (TTPs), we believe the activity is associated with financially motivated threat groups.

In this two-part blog series, we will examine the attack chain observed in two separate incidents, offering in-depth analysis of the malicious behavior detected. The incidents discussed in the series stem from opportunistic infections, wherein threat groups utilize malvertising and drive-by downloads in order to have their initial malicious payloads executed by users.

This first installment focuses on an incident triggered by a user downloading an application, which subsequently triggered the execution of the IDAT Loader and the BruteRatel C4 (BRC4) framework following initial access to a compromised asset.

Technical Analysis

Stage 1: The drive by

In a recent incident, Rapid7 observed a user navigate to a website that hosted popular Korean shows. Upon attempting to watch the video, the website redirected the user through various websites before ultimately directing the users browser into downloading a supposed application named AppFile_v1.1.exe. Threat actors utilize website redirection in order to make it difficult for network technologies to scan links for malicious content.

Binary Analysis: Shaking off the Rust

After initial analysis of the binary AppFile_v1.1.exe, Rapid7 determined the program was written in Rust.

During execution, the program will query the name of the executable. If the executable’s name matches AppFile_v1.1.exe, the program will continue. Most sandboxes will rename the files (sometimes based on the hash) of submitted programs. This technique helps to evade sandboxes, ensuring the malicious functions are not run. If the program name does not match its original intended name, the program will quit and display an error message, showing an image that a web page could not be loaded.

Next, the program will check to see if it resides within a debugger by querying the function IsDebuggerPresent. If the check passes, it will decrypt a hard-coded string that resolves to “Normal”. If not, the program will decrypt another hard-coded string that resolves to “Debugger” and then exit.

Once the anti-debug check passes, the program retrieves an encrypted string and XOR decrypts it, revealing the URL hxxps://cdn-network-services-001[.]com/update/minor/1/release.json.

The program will then perform anti-analysis techniques, specifically querying for the username and open process and comparing them to a list of known sandbox usernames and tools. The list of usernames and processes are also XOR-encrypted and are decrypted at runtime. Based on Open Source Intelligence, we determined that another malware known as Serpent Stealer contained a similar table of user names. See Appendix A below for the complete list.

If any of the checks fail, the program will exit and display the message box. If the checks pass, the program will then utilize Rust library tokio-1.32.0/src/net/tcp/stream.rs in order to read in data from the decrypted URL and store the contents in memory.

Upon initial analysis, the downloaded data appeared to be encoded. Subsequently, the data is passed into a function tasked with decoding it. The decoding process involves reading each byte and subtracting the hexadecimal value 32.

After the downloaded data is decoded, the program XOR decrypts another string, revealing a path to the executable C:\Windows\system32\werfault.exe. Using syscalls, the program then does the following:

After analysis of the decoded binary, we determined that it was another executable written in Rust. The program's executable contains a zip archive within the .rdata section. During execution, the program generates a folder with a randomly generated name in the %TEMP% directory and extracts the contents of the archive into this newly created folder.

The archive contained a DLL, msidcrl40.dll, an executable named live.exe and an encrypted file, dynatron.mdb. Initial analysis of the DLL msidcrl40.dll showed that the DLL’s signature was corrupted, indicating the DLL was tampered with. Further analysis showed that the DLL contained code related to the IDAT Loader.

IDAT Loader

After the rust program drops the contents of the zip archive, it then proceeds to execute the binary live.exe, which sideloads the DLL, msidcrl40.dll, containing the IDAT Loader code.

After the binary live.exe loads the DLL msidcrl40.dll, the DLL executes the function containing the IDAT Loader. The IDAT then reads in encrypted contents contained within the file dynatron.mdb, searching for the offset 49 44 41 54 (IDAT) followed by C6 A5 79 EA. After decrypting the contents, the loader will then decompress the contents using RtlDecompressBuffer and execute additional code into a newly created process, cmd.exe.

The IDAT loader employs advanced techniques such as Process Doppelgänging and the Heaven’s Gate technique in order to initiate new processes and inject additional code.

The code contained within cmd.exe is responsible for decrypting the final payload and injecting it into a newly created process, msbuild.exe.

Using our IDAT Loader config extractor, we were able to extract the final payload and determined that it was SecTop RAT. During execution of the SecTop RAT, we observed that it communicated with the IP address 152.89.217[.]215.

Post-Exploitation: BRC4 Deployment

After the SecTop RAT was executed successfully, Rapid7 observed follow-on activity in which the threat actor executed another version of the IDAT loader from within the folder path C:\ProgramData\. We observed the following related files were dropped by the threat actor into C:\ProgramData:

After analysis of the files, we determined that rvm.exe was a renamed executable rvmsetup.exe, a legitimate tool that is a part of the VMWare Tools toolset. The binary is used to join a VMWare source virtual machine to an active directory domain. We also observed that the binary vmtools.dll had a corrupted signature, indicating the binary’s code was tampered with. We observed that the DLL vmtools.dll contained code related to the IDAT Loader.

During execution of the executable, rvm.exe, the program loads vmtools.dll. After vmtools.dll is loaded, the DLL is directed to execute a function that contains the IDAT Loader. The IDAT Loader proceeds to read in contents from within spank.mpg, searching for the same offset, 49 44 41 54 (IDAT) followed by C6 A5 79 EA. After decrypting the contents within spank.mpg, the IDAT Loader spawns a new process, cmd.exe, injecting additional code that is responsible for decrypting the final payload and injecting it into a newly created process, explorer.exe.

Using our static config extractor, we extracted the final payload, a 64-bit executable. During initial analysis of the final payload, we observed that the program utilized the API functions VirtualAlloc and VirtualProtect. During execution of the program, it utilized VirtualAlloc to read in and store additional code, including encrypted data, into a new region of memory. The program then called upon the function VirtualProtect, changing the newly allocated region of memory (containing the new code) to be executable. We also observed the 64 bit executable (obtained from the IDAT Loader python script) had the capability to perform process hollowing by starting a new process, notepad.exe, and injecting the code into the newly created process.

The newly allocated code was responsible for decrypting the encrypted data using RC4, copying the decrypted code into an allocated memory buffer via VirtualAlloc, and setting the memory buffer to have executable permission using VirtualProtect. Rapid7 determined the decrypted code was a Brute Ratel C4 (BRC4) “badger”.

Brute Ratel originated as a post-exploitation tool intended for penetration testers, designed to mimic adversary tactics as of December 2020. Its development aimed to replicate the functionality of established Command and Control (C2) software like Cobalt Strike, Mythic and Sliver. Following a successful compromise of a target, the attacker deploys the Brute Ratel "badger," tasked with establishing communication with the attacker's Command and Control domain.

During execution of the BRC4 program, we observed that it reached out to the domain updatenazure[.]com.

After the BRC4 program was executed, we observed the threat actor attempting to enumerate the domain controller by using the command nltest /dclist.

Rapid7 Customers

Network Discovery - Nltest Enumerate Domain Controllers
Suspicious Process - Execution From Root of ProgramData
Suspicious Process - PowerShell Uncommon Upper And Lower Case Combinations
Suspicious Process - explorer.exe in Non-Standard Location

Appendix A: Known Sandbox Usernames and Analysis Tools

Usernames	Processes
hbyldjtckyn1	httpdebuggerui.exe
lubi53an14cu	immunitydebugger.exe
rgzcbuyrznreg	ksdumperclient.exe
8lnfaai9qdjr	httpanalyzerstdv7.exe
j6sha37ka	ida64.exe
keecfmwgj	32dbg.exe
pwouqdtdq	64dbg.exe
qmis5df7u	protection_id.exe
txwas1m2t	vmsrvc.exe
uox1tzamo	x32dbg.exe
rb5bnfur2	x64dbg.exe
cm0uegn4do	x96dbg.exe
douyo8rv71	prl_cc.exe
paul jones	windbg.exe
pxmduopvyx	scylla.exe
fnbdsldtxy	idau64.exe
gexwjqdjxg	idaq64.exe
gjam1nxxvm	idag64.exe
jcotj17dzx	taskmgr.exe
05kvauqkpqk5	procexp.exe
64f2tkiqo5k5h	procmon.exe
of20xqh4vl	fiddler.exe
harry johnson	dumpcap.exe
4tgiizslims	df5serv.exe
bvjchrpnsxn	ollydbg.exe
kfu0lqwgx5p	rdpclip.exe
nok4zg7zhof	vmusrvc.exe
ogjb6gqgk0o5	qemu-ga.exe
xplyvzr8sgc	vboxtray.exe
ykj0egq7fze	vmtoolsd.exe
ryjijkiroms	pestudio.exe
nzap7ubvas1	vmacthlp.exe
9yjcpseyimh	procexp64.exe
uhuqiuwoefu	wireshark.exe
6o4kyhhjxbir	prl_tools.exe
7wjlgx7pjlw4	importrec.exe
8nl0colnq5bq	vmwaretray.exe
g2dbyldgzz8yo	vmwareuser.exe
pqonjhvwexsst	xenservice.exe
rdhj0cnfevzxf	scylla_x86.exe
xmimmckziitdl	scylla_x64.exe
l3cnbb8ar5b8	vboxservice.exe
vzy4jmh0jw02
21zlucunfi85
sal.rosenburg
defaultaccount
wdagutilityaccount

MITRE ATT&CK Techniques

Tactics	Techniques	Details
Initial Access	Drive-by Compromise (T1189)	Threat Actors utilize drive-by downloads in order to direct browsers to download their initial payloads without users consent
Execution	User Execution: Malicious File (T1204.002)	Users execute the binary AppFile_v1.1.exe
Execution	Native API (T1106)	The IDAT injector and IDAT loader are using Heaven’s Gate technique to evade detection
Defense Evasion	Hijack Execution Flow: DLL Search Order Hijacking (T1574.001)	run.exe loads a malicious wbxtrace.dll
Defense Evasion	Process Injection (T1055)	IDAT injector implements NtCreateSection + NtMapViewOfSection Code Injection technique to inject into cmd.exe process
Defense Evasion	Deobfuscate/Decode Files or Information (T1140)	msidcrl40.dll decrypts dynatron.mdb
Defense Evasion	Process Injection: Process Doppelgänging (T1055.013)	IDAT loader implements Process Doppelgänging technique to load the SecTop RAT
Defense Evasion	Masquerading (T1036)	dynatron.mdb file masqueraded to a .png file
Defense Evasion	Virtualization/Sandbox Evasion: Time Based Evasion (T1497.003)	Execution delays are performed by several stages throughout the attack flow

IOCs

IOC	Sha256	Notes
AppFile_v1.1.exe	A3A5E7011335A2284E2D4F73FD464FF129F0C9276878A054C1932BC50608584B	Rust Loader responsible for downloading IDAT Loader
msidcrl40.dll	02D5E281689EC2D4AB8AC19C93321A09113E5D8FA39380A7021580EA1887B7A5	Malicious DLL executed by live.exe
dynatron.mdb	C5C52331B208CAD19DC710786E26AC55090FFCA937410D76C53569D731F0BB92	Encrypted payload decrypted by msidcrl40.dll
vmtools.dll	BEFE0DF365F0E2DC05225470E45FDF03609F098A526D617C478B81AC6BB9147F	Malicious DLL executed by rvm.exe
spank.mpg	E05E561C5118EFDBCA113CA231C527B62E59A4BFFAE3BD374F7B4FCDD10E7D90	Encrypted payload decrypted by vmtools.dll
hxxps://cdn-network-services-001[.]com/update/minor/1/release.json		Downloads additional Rust binary containing IDAT Loader
152.89.217[.]215		SecTop RAT domain
updatenazure[.]com		BRC4 Domain

References

Article	URL
Uncovering the “Serpent”	https://malware.news/t/uncovering-the-serpent/76253
Process Doppelgänging	https://malware.news/t/uncovering-the-serpent/76253
Analysis of “Heaven’s Gate” part 1	https://sachiel-archangel.medium.com/analysis-of-heavens-gate-part-1-62cca0ace6f0
A Deep Dive Into Malicious Direct Syscall Detection	https://www.paloaltonetworks.com/blog/security-operations/a-deep-dive-into-malicious-direct-syscall-detection/
Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers	https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/