In this blog we will deep dive into a malware campaign crafted specifically for the Israeli audience: Red Deer. We’ve been tracking the activity of the campaign for the past year and noticed minor shifts in the TTPs of the actor that will be explained in this blog.
The name chosen for this operation is “Red Deer” because the threat actor behind this phishing email campaign was impersonating the Israeli postal company (“Israel Post”), whose logo is a red deer.
We will start by first breaking down an incident that occurred on June 27th, 2022:
The phishing mail is a classic attempt to apply social engineering pressure on the user, informing them of a package waiting for them and that they need to choose their preferred delivery method by opening the attachment.
The attachment is an .html file which by default will be opened on the user’s browser.
“HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects.”
Once the html file is opened by the user, an ISO image file (.iso extension) is downloaded automatically. This is part of a technique called HTML Smuggling.
*Note: the threat actor behind the attack has invested extra effort in a well-designed phishing lure and even customized the attached html file with the look-and-feel of Israel Post.
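To show what a mail gateway or sandbox can look for in such an attachment, here is an added example (not code from the original post) that scans an HTML file for the combination of markers HTML smuggling relies on: a base64 string decoded into a Blob, an object URL, and a forced download. The sample HTML and its base64 string are constructed.

```python
import base64
import re

# Constructed sample of an HTML attachment carrying the markers HTML smuggling
# relies on (not the campaign's lure): a base64 string turned into a Blob and
# pushed to the browser as a file download. The payload decodes to plain text.
SAMPLE_HTML = """<html><body>
<script>
var b64 = "VGhpcyBpcyBub3QgYSByZWFsIElTTyBpbWFnZQ==";
var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "package_details.iso";
a.click();
</script></body></html>"""

# Each marker alone is common in legitimate pages; the combination is the signal.
INDICATORS = {
    "blob_constructor": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "base64_decode": re.compile(r"\batob\s*\("),
    "forced_download": re.compile(r"\.download\s*=\s*['\"]"),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
}
# Container and script extensions worth flagging when an email attachment offers them.
RISKY_EXT = re.compile(
    r"\.download\s*=\s*['\"][^'\"]*\.(iso|img|vhd|zip|lnk|js|vbs|hta)['\"]", re.I)

def analyze_html(html: str) -> dict:
    """Report which smuggling markers an HTML file contains and a simple verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    ext = RISKY_EXT.search(html)
    # Quoted base64 runs long enough to plausibly carry an embedded file.
    payloads = 0
    for blob in re.findall(r"['\"]([A-Za-z0-9+/]{24,}={0,2})['\"]", html):
        try:
            base64.b64decode(blob, validate=True)
            payloads += 1
        except (ValueError, TypeError):
            pass
    suspicious = {"blob_constructor", "object_url", "forced_download"} <= set(hits)
    return {"indicators": hits,
            "download_ext": ext.group(1).lower() if ext else None,
            "embedded_payloads": payloads,
            "suspicious": suspicious}
```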
The .iso image contains an obfuscated Visual Basic script inside (.vbs):
The script fetches and executes a remote file hosted on the threat actor’s server. In the script the name of the fetched file is “UK.jpg”, but inspecting the raw data of the file shows that it is in fact a PowerShell script:
We won’t go deeper into analyzing the execution flow, but this chain is part of the 3losh RAT, a modified version of the AsyncRAT malware. It is interesting to point out that the extracted configuration of the RAT (AsyncRAT) has several fields that are worth looking into when trying to correlate different campaigns:
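As an added example (not from the original post), this is the check a defender can run on a file downloaded under an image name such as UK.jpg: compare the extension it claims with the file's leading magic bytes and look for PowerShell tokens in the content. The two sample byte strings are constructed.

```python
import re

# Constructed stand-ins for files fetched under an image extension (not the
# campaign's actual payloads): a genuine JPEG header and a PowerShell script
# served as "UK.jpg".
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00" + b"\x00" * 40
FAKE_JPEG = (b"$data = [System.Convert]::FromBase64String('QUJD')\n"
             b"$ms = New-Object System.IO.MemoryStream\n"
             b"Invoke-Expression $cmd\n")

# Magic bytes at offset 0 for the image types a lure could plausibly claim.
IMAGE_MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Tokens that seldom appear together in anything but a PowerShell script.
PS_MARKERS = [
    rb"Invoke-Expression", rb"\bIEX\b", rb"FromBase64String", rb"New-Object\s",
    rb"-EncodedCommand", rb"\[System\.Reflection\.Assembly\]", rb"\$\w+\s*=",
    rb"Start-Process", rb"DownloadString",
]

def sniff_image(data: bytes):
    """Return the image type the leading magic bytes claim, or None."""
    for kind, magics in IMAGE_MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None

def script_markers(data: bytes) -> list:
    # PowerShell files are often UTF-16 with a BOM; fold that into plain bytes.
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        data = data.decode("utf-16", errors="ignore").encode()
    return [m.decode() for m in PS_MARKERS if re.search(m, data)]

def classify_payload(filename: str, data: bytes) -> dict:
    """Compare the extension a download claims with what its bytes say."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = "jpeg" if claimed == "jpg" else claimed
    sniffed, markers = sniff_image(data), script_markers(data)
    if claimed in IMAGE_MAGIC and sniffed is None and len(markers) >= 2:
        verdict = "masqueraded-script"
    elif claimed in IMAGE_MAGIC and sniffed != claimed:
        verdict = "extension-mismatch"
    else:
        verdict = "consistent"
    return {"claimed": claimed, "sniffed": sniffed, "markers": markers, "verdict": verdict}
```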
[Subject]
CN=AsyncRAT Server
[Issuer]
CN=AsyncRAT Server
[Serial Number]
00F796438609DCCBD17821B02F39FBAD
[Not Before]
4/25/2022 3:41:09 AM
[Not After]
12/31/9999 11:59:59 PM
[Thumbprint]
C0742FCFAC0826954D1FB66F1EAB22B391B17590
The version of the RAT: “| Edit 3LOSH RAT” is the signature left by the coder that can be used as a fingerprint.
To summarize the first incident, here is a short diagram showcasing the execution flow:
Over the past year we’ve observed additional incidents similar to the one we’ve analyzed above. Each time the threat actor slightly modified the execution flow. The below chain was observed in a campaign from October 17th, 2022:
In this particular campaign we see that the threat actor uses the same phishing and html attachment theme of impersonating Israel Post, but modified a few steps through the execution chain:
We can see that the same malware family is being used (AsyncRAT). Let’s take a look at the configuration:
[Subject]
CN=AsyncRAT Server
[Issuer]
CN=AsyncRAT Server
[Serial Number]
00F796438609DCCBD17821B02F39FBAD
[Not Before]
4/25/2022 3:41:09 AM
[Not After]
12/31/9999 11:59:59 PM
[Thumbprint]
C0742FCFAC0826954D1FB66F1EAB22B391B17590
The version of this AsyncRAT and the SSL Certificate are similar to the ones we saw in the first incident. We will discuss the SSL Certificate later in this blog.
Moving to our last incident, which occurred on May 17th, 2023, below you can view a diagram showcasing the execution flow of the incident:
In this incident we see that once again the actor changed some parts of the execution flow:
Let’s have a look at the malware configurations:
[Subject]
CN=AsyncRAT Server
[Issuer]
CN=AsyncRAT Server
[Serial Number]
00F796438609DCCBD17821B02F39FBAD
[Not Before]
4/25/2022 3:41:09 AM
[Not After]
12/31/9999 11:59:59 PM
[Thumbprint]
C0742FCFAC0826954D1FB66F1EAB22B391B17590
We can see that the version and the SSL certificate are the same across all the incidents we’ve shared so far.
The SSL certificate with thumbprint “C0742FCFAC0826954D1FB66F1EAB22B391B17590” was found in all of the analyzed incidents.
SSL certificates are used to encrypt traffic between a client and a server. The fingerprint (thumbprint) is a hash of the certificate that uniquely identifies it and is used to verify the certificate’s authenticity when a connection is established between the client and the server. One SSL certificate can be hosted on several IPs/domains, meaning that the threat actor can maintain and work with only 1 operating server while creating multiple hosts.
By investigating the certificate on Censys we can find over 40 different IP addresses that have an open port hosting the SSL certificate:
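An added example (not the blog’s or Censys’ code) of turning that thumbprint into a pivot: normalizing fingerprints as different tools print them, hashing a DER certificate to its thumbprint, and grouping host records by certificate. SAMPLE_RECORDS and the 192.0.2.x addresses are constructed placeholders, and fetch_peer_cert is a network helper that is not exercised here.

```python
import hashlib
import re
import socket
import ssl

# Thumbprint the blog reports for the AsyncRAT server certificate.
RED_DEER_THUMBPRINTS = {"C0742FCFAC0826954D1FB66F1EAB22B391B17590"}
# Constructed records in the shape of a certificate-search export
# (placeholder addresses, not infrastructure from the blog).
SAMPLE_RECORDS = [
    ("192.0.2.10", 443, "c0:74:2f:cf:ac:08:26:95:4d:1f:b6:6f:1e:ab:22:b3:91:b1:75:90"),
    ("192.0.2.11", 8443, "C0742FCFAC0826954D1FB66F1EAB22B391B17590"),
    ("192.0.2.12", 2222, "sha1:0000000000000000000000000000000000000000"),
]

def normalize_fingerprint(fp: str) -> str:
    """Accept 'c0:74:..', 'C074 2F..' or 'sha1:...'; return bare upper-case hex."""
    fp = re.sub(r"^\s*sha-?1\s*[:=]\s*", "", fp.strip(), flags=re.I)
    fp = re.sub(r"[^0-9A-Fa-f]", "", fp)
    if len(fp) != 40:
        raise ValueError(f"not a SHA-1 thumbprint: {fp!r}")
    return fp.upper()

def der_thumbprint(der: bytes) -> str:
    """The thumbprint tools display is SHA-1 over the DER-encoded certificate."""
    return hashlib.sha1(der).hexdigest().upper()

def is_known_c2_cert(der: bytes, known=RED_DEER_THUMBPRINTS) -> bool:
    return der_thumbprint(der) in {normalize_fingerprint(k) for k in known}

def group_hosts_by_cert(records):
    """Pivot (ip, port, fingerprint) records into {thumbprint: ['ip:port', ...]},
    so every host presenting the same certificate lands in one bucket."""
    groups = {}
    for ip, port, fp in records:
        groups.setdefault(normalize_fingerprint(fp), []).append(f"{ip}:{port}")
    return {k: sorted(v) for k, v in groups.items()}

def fetch_peer_cert(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Return the raw DER certificate a TLS listener presents. Verification is
    disabled on purpose: the AsyncRAT certificate is self-signed, so a verified
    handshake would abort before the certificate could be inspected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)
```

Feeding the DER bytes from fetch_peer_cert into is_known_c2_cert gives a yes/no match against the blog’s thumbprint, and group_hosts_by_cert over a search export reproduces the one-certificate-many-IPs picture described above.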
In the 2nd and 3rd incidents we analyzed, we revealed that the servers hosting the masqueraded PowerShell scripts were opendirs. An opendir (open directory) is a web directory listing that is accessible to the public without any authentication or authorization. With this information and other evidence that we found, we built the query below on Censys:
same_service(services.port="222" and services.service_name="HTTP" and services.http.response.html_title="Index of /" and services.http.response.headers.Server="Apache/2.4.5? (Win64)*")
This query gave us about 10 online opendirs (at the time of writing this blog):
Looking at the results and browsing to the opendirs we found several more samples that might be related to Red Deer. Some examples can be viewed below:
There was one particular IP that caught our attention more than the others: 38.242.242[.]149.
In the 3rd incident, which occurred on May 17th, 2023, the server that hosted the PowerShell scripts was 45.80.158[.]65 on port 222. The C2 domain of the incident was mtest.loseyourip[.]com. We proactively fetched the script from 38.242.242[.]149 (rr.jpg) and extracted the final AsyncRAT configuration, which had changed:
The C2 domain and the SSL certificate remain the same as the one from the 3rd incident (in May) but a quick IP resolve for the C2 domain will result with a different IP:
This confirms that we’re looking at the same threat actor! We checked the service modification history of that IP on Censys and the port 222 (opendir) was created exactly a week after the 3rd incident occurred:
Based on the TTPs, the tools used and the execution chain we observed while analyzing all incidents, we believe that the Aggah threat group is responsible for the Red Deer operation. The attribution to Aggah is based on:
Operation Red Deer has successfully unveiled a sustained and clandestine operation perpetrated by the Aggah threat group. This wide-reaching operation targeted numerous organizations from diverse industries, all united by their geographical location – Israel.
As the number of attacks grows and threats become more sophisticated, it’s crucial that organizations continually educate their employees about potential online hazards. This includes dangers present in content not only in English but also in local languages. Even seemingly innocent materials merit a second look by users so that malicious intent can be properly identified.
In the cases we’ve researched, each individual incident comprised several sophisticated stages, often requiring active user involvement. Perception Point’s 7-layers of advanced detection engines intercepted these malicious emails before they reached the users’ mailboxes. These engines, powered by hundreds of proprietary and ML-based algorithms, scan every email, including embedded files and URLs, in unison and in near real-time to prevent spam, phishing, BEC, malware, ransomware and zero-days.
Refer to this analysis to observe how the system dissected and identified all elements of the most recent incident:
| Tactic | Technique ID | Name |
| --- | --- | --- |
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment |
| Execution | T1059 | Command and Scripting Interpreter |
| Execution | T1053 | Scheduled Task/Job |
| Persistence | T1547.001 | Registry Run Keys / Startup Folder |
| Defense Evasion | T1027.006 | HTML Smuggling |
| Defense Evasion | T1055 | Process Injection |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |