2024-8-8 21:0:0 Author: feeds.fortinet.com(查看原文) 阅读量:21 收藏
Affected platforms: Microsoft Windows
Impacted parties: Any organization
Impact: Attackers gain control of the infected systems
Severity level: High
This past April, FortiGuard Labs uncovered a sophisticated attack that leveraged multiple layers of obfuscation and evasion techniques to distribute and execute VenomRAT via ScrubCrypt. However, this attack campaign didn’t end with VenomRAT, as the subsequently loaded plugin continued to deploy various types of malware into the victim’s environment.
We recently identified a phishing campaign that also employs multiple layers of evasion techniques to deploy various malware into an infected environment. This campaign was aimed at employees and posed as a customer requesting a service. The email uses urgent language to deceive a victim into clicking a malicious attachment, initiating a series of harmful activities and deploying several types of malware. All the malware in this attack uses the same packing and obfuscation techniques, including a Python obfuscator, ‘Kramer,’ a shellcode generator, 'donut,' and a shellcode loader, 'laZzzy,' to conceal itself from detection. The deployed malware includes XWorm, Venom RAT, AsyncRAT, and PureHVNC. Figure 1 shows the attack chain.
This threat report describes how this attack is delivered and analyzes the PureHVNC malware used in this campaign.
Initial Access
The attack campaign starts with an email, shown in Figure 2. It implies that the inquiry email is from a customer and urges the recipient to open the attachment. This typical phishing email tactic uses job-related information and urgent language to deceive recipients into opening attachments or clicking links.
Figure 2: The phishing e-mail.
The attachment is an HTML file that uses the “search-ms” functionality to query the “e_Statement” LNK file on remote file shares, as shown in Figure 3. Once the user opens the HTML file and clicks on “Open” to allow Windows Explorer to open, the malicious LNK file is shown in Windows Explorer and lures the user into executing it using a PDF icon.
Figure 3: HTML invoking “search-ms” URI protocol handler.
The LNK file contains a command to run a remote batch file using conhost.exe as the parent process. The attacker attempts to leverage the built-in Windows binary 'conhost.exe' for indirect execution to evade detection, as shown in Figure 4.
new.bat
This is an obfuscated batch file that hides the script by combining encoding tricks and string obfuscation. The file looks like UTF-16 encoding with Chinese characters because the bytes (FF FE) at the beginning can mislead a file editor into incorrectly detecting the encoding. Next, it performs a large number of character replacement operations with the specific charset. The de-obfuscation process is shown in Figures 5 and 6.
Figure 5: Converting the contents of the Batch File by removing FF FE.
Figure 6: De-obfuscating the Batch file by replacing characters.
The script begins by opening a decoy PDF file from the same remote file share. Next, it downloads two ZIP files via PowerShell, extracts all the content—including the Python Environment—into the folder "%USERPOFILE%\Downloads\Python," sets the folder to hidden, and then runs the malicious Python program in sequence.
Next, the decoy PDF is re-opened, initiating a persistence routine to download a second batch file and move it to the startup folder. The second ZIP file, used by the startup batch and containing several Python programs similar to those in the previous ZIP, is extracted to the “%USERPOFILE%\Downloads\Print” folder. Before completing all tasks, any unnecessary programs from subsequent tasks are removed.
Python Shellcode Loader
Each Python file is quite similar, as shown below. First, it imports a Base64 module to decode shellcode data and then decrypts it using an RC4 algorithm with a specific key. Finally, the code executes shellcode using an imported “ctypes” module. It should be noted that the RC4 key varies in each Python file.
Figure 7: One of the Python files
By tracking the same series of samples, we discovered a new Python shellcode loader. It's a compiled version of a Python file with an additional obfuscation layer added.
The obfuscator, named "Kramer," is available on GitHub, as shown in Figure 8. It obfuscates a Python file by encrypting the source code using an addition operation with a randomly generated key. The resulting obfuscated Python program combines the encrypted data with functions that limit the use of print and input commands, decode the encryption data, and execute the original source code. Finally, the program is compiled into a .pyc file and renamed with a .py extension.
Figure 8: Python obfuscator ‘Kramer’
By extracting the key and encrypted data and following the decode function defined in the code, we obtained the source code. In this version, the code structure is similar, but the function names and variables are not obfuscated.
Figure 9: De-obfuscating a new python shellcode loader
Shellcode Generator - Donut
The first shellcode primarily functions to decrypt and execute the next stage while bypassing AMSI/WLDP based on its configuration. The hack tool, "donut," produces the shellcode, as shown in Figure 10. Once the decryption routine is completed, the decrypted data in memory reveals the flag, the APIs used for bypass mechanisms, and the entire PE file for the next stage, as seen in Figure 11.
Figure 10: The syntax for donut.
Figure 11: Decryption routine and decrypted data.
Shellcode Loader - laZzzy
The second stage is a PE file that uses the Microsoft Management Console (MMC) icon, a built-in Windows program, to disguise itself as a regular application while functioning as an injector. This injector includes detailed debug information. As the program runs, each step of the injection process is displayed on the command line, as shown in Figure 12.
Figure 12: Debug information on the command line
We observed that a shellcode loader named "laZzzy" is publicly available on GitHub. It incorporates various execution techniques commonly used by malware and appears to be utilized in this stage for shellcode decryption, injection, and execution.
Ultimately, the program uses the target and execution techniques selected by the attacker to inject the shellcode into notepad.exe and executes the shellcode via Early Bird APC Queue, as shown in Figure 13.
Figure 13: The Shellcode is written to Notepad's memory space.
The third stage involves a shellcode within notepad.exe, which is identical to the code found in the first shellcode. After decryption and bypassing AMSI/WLDP, the final payload is executed.
In the next section, we will focus on PureHVNC, one of the malware identified in this attack campaign, along with additional plugins downloaded by the malware.
PureHVNC
We observed an unusual malware packed and obfuscated in the Remote Access Trojans (RAT) used in this attack campaign. It’s a .NET application containing a substantial block of built-in data. Its primary function is to decrypt its payload using the AES algorithm and then decompress it with the Gzip method. Once the DLL payload is extracted and loaded into memory, it employs its hard-coded class and method names to execute the payload's entry point, as shown in Figure 14.
Figure 14: The primary function and the encrypted data
DLL Payload is protected by .NET Reactor, as seen in Figure 15. We partially de-obfuscated the program and renamed the functions. Its entry point was very easy to understand. After creating a mutex, the core function is then executed.
Figure 15: DLL is protected by .NET Reactor
In its core functionality, the program initially extracts the hardcoded configuration by performing base64 decoding followed by gzip decompression. Based on the flags in the configuration, it either sets the registry run key using PowerShell or prevents the system from sleeping by utilizing the Win32 API function, “SetThreadExecutionState,” as seen in Figure 16.
Figure 16: Initial setup according to the configuration
Next, it attempts to communicate with the C2 server specified in the extracted configuration. Once the connection is established, it begins gathering victim information and reporting it to the C2 server, as shown in Figure 17. It abuses the Windows Management Instrumentation (WMI) system to gather information about the victim's system environment, including installed antivirus products, system and camera details, and user information. The VictimID is generated from the processor ID, disk serial number, memory serial number, and username.
Figure 17: Information collected from the victim’s computer is sent to C&C server
Additionally, the program searches for the paths of various extensions and applications based on a predefined list, as shown in Figures 18 and 19. Some applications also check the registry path to verify their installation. This list specifically targets crypto wallets, password managers, two-factor authenticators, and popular communication programs.
Figure 18: Extension list and targeted browser folder
Figure 19: Targeted applications
After all the specified information is collected, it is sent to the C2 server to await further plugin loading. Figure 20 illustrates a method for handling incoming data from the C2 server after it has been preprocessed using gunzip and deserialization. When the program receives the plugin, it writes the plugin data and ID into the Windows Registry under the affected user’s HKEY_CURRENT_USER\Software\{VictimID}. The plugin data is then extracted, loaded into memory, and executed.
Figure 20: A method for handling Plugin
Our analysis identified some details that helped us pinpoint the malware family. The same information appeared in the subsequently downloaded plugin, as seen below.
Figure 21: The code refers to the PureHVNC Library.
In the following sections, we’ll elaborate on the plugins provided by the PureHVNC C2 server, which are obfuscated using the .NET Reactor.
Plugin 1 - PluginRemoteDesktop
The initial plugin we received from the threat actor is a DLL file named “PluginRemoteDesktop.” As Figure 22 shows, its entry method is executed with the binary as a parameter to provide the module with C2 information. After extracting the C2 details, it communicates with the C2 server and executes the Remote Desktop function.
Figure 22: Entry point of PluginRemoteDesktop
Figure 23 shows one of the mouse-controlled functions and the APIs used by the RemoteDesktop program.
Figure 23: The mouse-controlled functions and APIs.
Plugin 2 – PluginExecuting
PluginExecuting is a module responsible for executing additional files, updating the program, and even uninstalling malware. It follows a process similar to that of PluginRemoteDesktop at the entry point, using the C2 information extracted from parameters to communicate with the C2 server. It then waits to receive a packet to trigger the execution of the core function.
The core function acts as a handler to process different commands based on their type. It supports six types of command, as illustrated in Table 1.
Command |
Details |
|---|---|
DownloadAndExecuteDisk |
Execute a downloaded file |
DownloadAndUpdate |
Remove the current module and execute the downloaded file. |
UninstallConnection |
Delete the registry entry HKEY_CURRENT_USER\Software\{VictimID}, and remove the malware if it is not located in the %WINDOWS% folder. |
RestartConnection |
Start a new instance of the current module and terminate the existing process. |
CloseConnection |
Terminate the current process. |
DownloadAndExecuteMemory |
Run the downloaded payload in the designated process. |
Table 1: Commands
PluginExecuting contains several important commands, particularly those related to downloading. Figure 24 illustrates the command used to create a hidden process that executes the downloaded file. These commands combine with a batch file to achieve both file deletion and execution, as shown in Figure 25.
Figure 24: Command related to downloading.
Figure 25: Batch File for file deletion and execution.
Additionally, the DownloadAndExecuteMemory command requires a binary and a target name as parameters. It injects the malicious binary into a specified target process using process hollowing and then resumes the injected process to execute the malicious code.
Figure 26: Execute malicious code using Process Hollowing.
Conclusion
Deploying multiple types of malware in an attack campaign is not unusual. In this case, the threat actor also uses complex, multilayer encryption to avoid detection across all the malware used in this campaign.
In this article, we uncovered a phishing campaign targeting employees that employs a multi-stage execution flow and utilizes public hacking tools to evade detection. We also focused on one obfuscated payload, "PureHVNC," detailing its functions and the additional plugins collected. Our observations indicate that it targets crypto wallets, password managers, and 2FA authenticators. Finally, it can carry out further attacks using its RemoteDesktop and Executing plugins.
Fortinet Protections
The malware described in this report are detected and blocked by FortiGuard Antivirus as:
HTML/Phishing.3771!tr
LNK/Agent.1B2F!tr
BAT/Agent.PSCL!tr
Python/Agent.PSCL!tr
MSIL/Agent.DWN!tr
MSIL/Agent.CFQ!tr
MSIL/Agent.DWN!tr
MSIL/Bladabindi.SSNY!tr
MSIL/GenericKD.61253965!tr
MSIL/Agent.7C2C!tr
MSIL/Agent.PEP!tr.dldr
FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard Antivirus Service. The FortiGuard antivirus engine is part of each of those solutions. As a result, customers who have these products with up-to-date protections are protected.
The FortiGuard CDR (content disarm and reconstruction) service can disarm the malicious macros within the document.
We also suggest that organizations take the free Fortinet Fortinet Certified Fundamentals (FCF) cybersecurity training. The training is designed to help users learn about today's threat landscape and introduces basic cybersecurity concepts and technology.
FortiGuard IP Reputation and Anti-Botnet Security Service proactively block malware attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.
If you believe this or any other cybersecurity threat has impacted your organization, please contact the Global FortiGuard Incident Response Team.
IOCs
C2
drvenomjh[.]duckdns[.]org
vxsrwrm[.]duckdns[.]org
ncmomenthv[.]duckdns[.]org
ghdsasync[.]duckdns[.]org
anachyyyyy[.]duckdns[.]org
xoowill56[.]duckdns[.]org
URLs
hxxps://float-suppose-msg-pulling[.]trycloudflare[.]com/
Files
16a4de0540181bab7c5d25fcdf90838a28f2dff4ed9e0e37de3f5f1ab20afe0a
062c5f5e9cdfd731912b262297e963b6d5e1b1d114184728065522f46a5eef2f
2b7ee0ccfa45d2f53098cd8aa4ce73cb00ace462d8490e6843bf05cd07854553
430300b8c527259805d29ab3fd150d9d297004ff77346cc07753290d84e77e95
503ce7bcefdffb96b5de78254f947598a410b86d3aaf597c7334e248c46dae5b
55134d705ccf881d011af949ad2fc0aa80dc7af50fa4a9db29b665647b869aec
561f4b4e2c16f21b0db015819340fc59484e4994022c4cca46cf778006d5d441
6b4f058ba41e829ff993e61b288e55552af3d98f9cd62483eeff088b26f6ab9b
71b797032458aab9b4a1a203e7ca413f009af1961cffb98590e34f672574599a
7292316900a0971aec0a302bc3c6632902d820804ce3b2375a9953744cab1bd9
72ce64d50f9aa15b21631307d2143f426364634a7a2ee4b401ef76bd88c4ff3b
8bbdd3b41a03b86f246564a23e9acd48f74428f372c4bfb0a9a3af42511661c7
8d28191f647572d5e159f35ae55120ddf56209a18f2ca95a28d3ca9408b90d68
90995c621718ae65ca0af4deb10a9cb895bd494df40a7b34031b17efcc63114a
b393323b9834656a2999198d4f02c1a159c6034d3c20c483d22a30aab3810c0c
b3bb7064af80abef417e6e7775a7e14b0bd27233fd66c2252e714a4dd2ee9c21
d4e8bf427c196d1d5ffca52a5af7162cc5cf4df730ee3fe65b4381ac79662a15
e5f7efb35b7316c7ace1c322559fa9a8680ddb1ac15bef7d17e5b84c767f5b75
95a33ba5550747baf72e39b020e6215b6047983eda17250408cd6f4c16a93089
1967661f7c32607f7cfcb9053aeb8dea0a9d8f49979e729be77a43628c91469f
7c4e613cf4db19f54030097687227809f965a951a26a44a882692ece6e642e3c
441c4502584240624f4af6d67eded476c781ff0b72afe95ea236cc87a50e5650
如有侵权请联系:admin#unsafe.sh