An infostealer comes to town: Dissecting a highly evasive malware targeting Italy

By Cluster25 Threat Intel Team
December 22, 2022

Cluster25 researchers analyzed several campaigns (also publicly reported by CERT-AGID) that used phishing emails to spread an InfoStealer malware written in .NET through an infection chain that involves Windows Shortcut (LNK) files and Batch Scripts (BAT).  Taking into account the used TTPs and extracted evidence, the attacks seem perpetrated by the same adversary (internally named AUI001).

Even if the majority of the attacks seem to have impacted Italy, the network-based visibility over the malicious infrastructure C25 can dispose of about this event suggests similar implants impacted Germany and Turkey as well. More precisely Cluster25 observed around 100+ telemetry hits on Italy (with a single confirmed impacted entity operating in transportation sector) and a few dozen on Turkey and Germany (information is updated until Dec. 19, 2022, while the first hit on Italy has been registered on Dec. 06, 2022)

Some vendor refers to this event / actor as Alibaba2044 according to the name of a GitHub account used as one of the drop-points in the infection chain.

The final payload spread through the infection chain uses a complex level of obfuscation and packing techniques to hinder the analysis, that also makes difficult the attribution of the malware to a specific family. Some security firms identified it as the commercial infostealer known as PureLogs. As per  internal classification, the final payload overlapped with a .NET RAT / InfoStealer known as zgRAT.

The following report provides further details about the execution of the campaign, also giving more information about the threat actor’s TTPs and the observed samples.

INSIGHTS

The first stage of the attacks is executed through a phishing email that contains a malicious link that prompts the victim to download a .ZIP archive. Two of the analyzed attacks used the domains  dl[.]dropboxusercontent[.]com and downloadpdf-fattura[.]de as initial drop-points:

The ZIP is password protected (the password to extract its content is reported in the phishing email) and contain Windows Shortcut (LNK) files and Batch scripts (BAT). In one of the analyzed campaigns, a ZIP file contained the files named Fattura 06-12-2022.lnk and Fattura_IT9032003.bat.

The LNK executes the following PowerShell command, that downloads and executes an HTA file from a second drop-point. 

The HTA file executes a PowerShell command that writes two files in the directory C:\ProgramData\. The first one has the filename image.png and contains an image of a fake invoice that is later opened and shown to the user as bait, similar to the following:

The second is the BAT file Fattura_IT9032003.bat, which has the same name and content of the one contained in the ZIP file. This one deobfuscates and executes the following command, which downloads another ZIP from GitHub:

The GitHub account used to download the second stage is named NET-FrameWork-x64, while the ZIP archive has the name NETFramework.zip and contains the executable file start.exe, which is a legit PowerShell executable that is later renamed and copied to the path C:\ProgramData\Fattura_IT9032003.bat.exe (the files attributes are also changed to make it hidden).

This file is used to run the following command, that downloads a third ZIP archive (wininfo64.zip) from another GitHub profile (alibaba2044), and finally decompresses it to obtain and run the executable file lib32.exe :

The BAT script, before completing its execution, deletes the PowerShell executable from the directory C:\ProgramData. The file lib32.exe is a malicious 64-bit PE executable written in Microsoft .NET. Cluster25 also observed other campaigns that spread the latter executable in a different way, with the help of a loader program that is responsible to unpack the malware and perform different kinds of anti-analysis techniques. 

To spread the loader the threat actor used a chain of phishing emails, LNK, BAT and CAB files (that may be used instead of the HTA file described above) similar to the one previously reported. At the end of the chain, a Microsoft .NET 64-bit PE (one sample showed the filename Solby.exe) is executed. The analysis of its code revealed a function named Array, in the class Trak, that deciphers a DLL file using a hardcoded key in memory and a XOR cycle.

The DLL, also written in .NET, is loaded using the method Load from the class Assembly and then a method with an obfuscated name is called in the loaded library. 

The malware also uses an anti-tampering protection mechanism, similar to the one performed by the open-source protector for .NET applications ConfuserEx: a method executed in .cctor, which is called before any other method in the DLL, is responsible to modify the code in order to correctly reconstruct the methods to be executed.

The reconstructed code also exploits another anti-analysis technique, consisting in the obfuscation mechanism performed through code-flattening. Moreover, the malware uses dynamic calls to the needed function using wrapper methods with random names.

The first called method in the DLL allocates an array of 188 bytes, that is then passed to the GZipStream function to decompress it, obtaining a Json file of 31 elements:

The entries of the Json file include the name of the original executable (Solby.exe) and the strings “Xtxcunvjl” (which will be used to create a Mutex) and “Itself”, which in other analyzed sample was substituted with “AppLaunch” (that will be used as executable name to launch a new malware process). The remaining elements are binary values, digits, null values and nested lists of similar elements.

The JSON file is passed to the JsonConvert.DeserializeObject method to deserialize it. The malware proceeds by performing an evasion technique similar to the one observed in other malware as IceXLoader: it retrieves the host and the user names to check if it is running in an Windows Defender emulator, where the mentioned values are respectively "hal9th” and "johndoe”.

The latter string values are encrypted in the binary and used after a loop of different operations, including XORs and shifts.

Similarly, this happens for the string "start-sleep -seconds {0}”, which is then encoded in base64 and used to start a new process with PowerShell. The resulting command that is executed is the following, which just suspends the execution of PowerShell for 37 seconds:

Then, another anti-analysis check is performed by decrypting the string "SbieDll.dll”, which is the name of the Sandboxie User Mode DLL, and by iterating through the process modules to check if it is loaded in order to discover if the malicious program is being analyzed.

If this is not the case, the malware proceeds making a query using the ManagementObjectSearcher and the decrypted string "select * from Win32_BIOS”, where the value of the “Version” substring is selected. The malware also retrieves the serial number of the infected system, which is then concatenated with the version value to form a new string.

The latter is checked against the decrypted string "VMware|VIRTUAL|A M I|Xen” to find a possible match which would reveal the execution of the malware under a virtualized environment.

A second check is performed by executing another query after decrypting the strings  "select * from Win32_ComputerSystem”, “manufacturer” and “Virtual Machine”, and the result of the query is matched against the string "Microsoft|VMWare|Virtual”. A third Anti-VM check involves the checking of the display resolution size.

If the checks reveal the execution under a virtual environment,  the malware decrypts the strings "Start-Sleep -s 10; Remove-Item -Path \"” and “-Force”. The string are concatenated with the path of the current process and encoded in base64 to build a PowerShell command that deletes the executable file.

Otherwise, if the checks fail, the malware continues its execution creating a Mutex using one of the strings contained in the configuration for its name (e.g. "Xtxcunvjl”). 

At this point it verifies if the file AppLaunch.exe exists at the path C:\Windows\Microsoft.NET\Framework64\v4.0.30319\. If the file exists, the malware creates a suspended process launching the executable, otherwise it creates a suspended process launching a new copy of itself. In the new process the malware injects an executable that is unpacked from its memory, which the analysis revealed to be the same kind of malware seen in the previously mentioned infection chain (i.e. the sample named lib32.exe).

The injected executable decompresses a stream of data containing another executable, calling a method named Football. Other methods used in the code also reveal names generated from random words, like Pool, Soccer, Street, Football (or in other cases they contain totally random sequences of characters). 

The stream of data to be decompressed is stored in a resource of the executable named Ejefqnxog, retrieved through the method GetArray of the class Sport. Then, the obtained stream containing the second executable is passed to the method Soccer, where the Type object x9saOOgv3rSC1hZcTw.nvjp2iygSxrT1r7lBk is retrieved.

Finally, the method Street invokes the method yWIKu234nin from the newly retrieved class. One of the first dynamic methods to be called is the function GetCurrentDomain to get the context of execution, then the malware calls a function to decode the following base64 string:

The string, once decoded, is decompressed using the GZipStream object and the result is later deserialized.

The deserialized object contains the malware configuration, which includes  the IP addresses 195[.]201[.]23[.]210 and the TCP port 5596 (hex: {0x000015DC}). Other samples showed the usage of different TCP ports (e.g. 5699) while maintaining the same IP address. 

The configuration also contains the strings Default and 3b905c615bc3ee49fcb1b58c1aa34936. The latter string is used with the password-based key derivation function Rfc2898DeriveBytes.

The malware finally tries the connection to the Command-and-Control (C2) server. It also defines asynchronous functions to be called when inputs are received from the C2 server. The main malware thread, instead, continues its execution by entering into a cycle of Sleep functions. From this point on, the malware communicates with the C2 server acting as a pure information stealer. The information that could be retrieved from the victim regards data from browsers (e.g. Passwords, Cookies, History), crypto wallets and applications (e.g. FileZilla, Outlook, Thunderbird).

CONCLUSIONS

An Information Stealer is a particular piece of malware designed to gather information from a system. Such information is often a generous source of revenue for cybercriminals. In fact, the stolen information feeds a complex criminal ecosystem in which it could be used for multiple illegal activities and/or used as initial access for a cyber attack. Like other malware families, infostealers are continually evolving to become increasingly stealthy and undetectable.

MITRE ATT&CK MATRIX

INDICATORS OF COMPROMISE

rule AUI001_InfoStealer_85233_98005 {
meta:
author = "Cluster25"
description = "Detects final-stage payload of AUI001 InfoStealer RAT"
tlp = "white"
score = 100
strings:
$r1 = "Pool" fullword ascii
$r2 = "Soccer" fullword ascii
$r3 = "Street" fullword ascii
$r4 = "Football" fullword ascii
$g1 = "GZipStream" fullword ascii
$f1 = "get_Module" fullword ascii
$f2 = "Reverse" fullword ascii
$f3 = "BlockCopy" fullword ascii
$f4 = "ReadByte" fullword ascii
$s1 = "{11111-22222-10009-11112}" fullword wide
$s2 = "{11111-22222-50001-00000}" fullword wide
$s3 = { 4c 00 6f 00 63 00 61 00 74 00 69 00 6f 00 6e 00
        00 0b 46 00 69 00 6e 00 64 00 20 00 00 13 52 00
        65 00 73 00 6f 00 75 00 72 00 63 00 65 00 41 00
        00 11 56 00 69 00 72 00 74 00 75 00 61 00 6c 00
        20 00 00 0b 41 00 6c 00 6c 00 6f 00 63 00 00 0d
        57 00 72 00 69 00 74 00 65 00 20 00 00 11 50 00
        72 00 6f 00 63 00 65 00 73 00 73 00 20 00 00 0d
        4d 00 65 00 6d 00 6f 00 72 00 79 00 00 0f 50 00
        72 00 6f 00 74 00 65 00 63 00 74 00 00 0b 4f 00
        70 00 65 00 6e 00 20 00 00 0f 50 00 72 00 6f 00
        63 00 65 00 73 00 73 00 00 0d 43 00 6c 00 6f 00
        73 00 65 00 20 00 00 0d 48 00 61 00 6e 00 64 00
        6c 00 65 00 00 0f 6b 00 65 00 72 00 6e 00 65 00
        6c 00 20 00 00 0d 33 00 32 00 2e 00 64 00 6c 00
        6c }
condition:
uint16(0) == 0x5a4d and 
$g1 and 
(all of ($r*) or 
(all of ($f*) and 
2 of ($s*) ))
}