McMcbrad
- Oct 16, 2020
At the end of November, an interesting piece of malware caught my attention whilst browsing one of the popular threat hunting portals, namely any.run. Seeing a Remote Access Trojan on this portal is already quite exciting by itself, as I have spoken to attackers before and they have told me that they upload the malware there to test it. It is very likely that a RAT sample obtained from this portal is fresh and hot, still not analysed by anyone.
The malware in question did not arrive as a file, but rather as a link (the portal supports analyses of both files and links). It operated by abusing LOLBins - with the introduction of AI, reputation, signature control and other means in legacy AV software, attackers are looking to escape the land of standard executable files. Scripts suffice, as there is usually a smaller arsenal of technologies working to identify their malicious intent. Many of these technologies can be evaded with techniques such as adding unnecessary filler or, when maintaining persistence, choosing wisely where the content will be stored, be it in a folder or the registry. There are paths to which antivirus software is more sensitive and paths which may not trigger a detection at all. It's all a matter of trial and error and is worth doing when your financial gains depend on it.
Here is the moment to say that I am not a threat analyst myself - my threat hunting habits are mainly a hobby, but also allow me to know what's out there and roll out the needed policies to secure the systems under my control. However, I'll keep this report as scientific and proven as possible.
What did I discover originally?
Let's start by talking about what I discovered back in November.
It all started with a malicious PowerPoint Presentation.
The domain 111().90().149().229 served three *.txt files.
1.txt with MD5 c0c6f84a6d417937a9ba559edcaf5e65b560b4e2bbc0ca5243021dd0ca839c4c - fileless Tesla abusing .Net framework executable msbuild.exe
2.txt with MD5 49c48b2136689ebbb8af64d9fd97b6d7e8cd99391691fd01f63abfe4d4cd1fc5 - fileless Tesla abusing cvtres.exe, again a .Net framework executable.
Third file named cobalt.txt with MD5 e68607822020f6cf0853cf5906e498bf3973e1c74a3c1709cefcc7ad998654dd was an AMSI bypass, possibly derived from a pentester's GitHub account:
github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell ("This repo contains some Amsi Bypass methods i found on different Blog Posts.")
A PowerShell AMSI bypass possibly derived from GitHub indicates that the attacker is not really that technical or sophisticated, but can rather find exactly what he needs when he needs it.
Together with that, there was an obfuscated JavaScript with MD5 83b6296df14f6e0d55983b59bf843a45c64ac4c84661dd25404af31255b87aff named main.txt, which served as the attack initialiser.
A second JS with MD5 65895651e1c64fec37e7143c713618f51daa66553377440234f78a190e069bff served to maintain persistency on the machine.
The infection chain was as follows:
This was just one piece of a puzzle that I thought was solved, but then I noticed that other RATs have also been distributed and some variables haven't even been changed.
This is when I discovered an opendir serving as a malware repository, which was located at onedrive.linkpc.net (now defunct).
A copy of the harvested content is available here: Free Automated Malware Analysis Service - powered by Falcon Sandbox
The repository was jam packed with more than 100 scripts, all built around the same concept:
- A downloader serves as a first stage. This is mostly a VBS file. Throughout the versions it has not morphed much, apart from the directory where the script will create a copy of itself to maintain persistence.
- At the second stage, the downloader obtains a PowerShell script, which doesn't drop a file anywhere. The script itself follows this concept:
  - An array is created with a process hollowing module, converted to some type of code. It was mostly byte code in a byte array, but other types of encodings were also used.
  - A second array is created with the RAT server, converted to code as well.
  - At the final stage the process hollowing module is called with 2 parameters - the process to turn into a puppet and the code to inject (this is the code from the second variable).
- Throughout the different versions this framework almost didn't evolve. The only changes were in the RAT server - mainly Bladabindi/NJRat, but it seems that at one point the attackers settled for AsyncRAT, which is understandable - it's a lot more function-rich.
- The script is usually stored as a *.jpg file (example hxxps://z.zz.ht/nbfSN.jpg)
- At the third stage the attacker will exfiltrate data of interest. What the individual/group is interested in is mainly browser-stored credentials, and by creating decoy accounts I was able to see what they want. This is Discord (probably to compromise the account for their botnet purposes) and emails - the attacker is desperately trying to get into a fake email I created. Once again he shows lack of knowledge by attempting to log in to my email with the stolen passwords from countries like Nigeria - I live in the UK. Obviously this will trigger a block, even if the password is correct. After I changed the password, they attempt to log in every day with a wrong one. Though I left a Revolut virtual CC in the browser, there is no evidence the attackers are interested in that.

The attacker is attempting to compromise a decoy email on a daily basis and makes a single attempt to compromise a decoy Discord account.
Example of first stage script:
Example of second-stage script, type 1:
Second-stage script, type 2 can easily be identified by this last line, which attackers haven't modified throughout the variations.
[Reflection.Assembly]::Load($Cli555).GetType('k.Hackitup').GetMethod('exe').Invoke($null,[object[]] ('cvtres.exe',$Cli444))
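As an added example (not code from the original post), here is a small Python triage script for the type-2 second stage described above: it decodes the script's byte arrays, checks whether each starts with a PE header, and matches the unchanged final Reflection.Assembly line to recover the hollowing host and the payload variable. The embedded sample is constructed from truncated header stubs (not a real payload) using the $Cli444/$Cli555 naming from the post; the function names are my own.

```python
import re

# Byte-array literal as used by the staged loader: $Name = [Byte[]] (0x4D,0x5A,...)
ARRAY_RE = re.compile(
    r"\$(\w+)\s*=\s*(?:\[Byte\[\]\]\s*)?\(?\s*"
    r"((?:0x[0-9A-Fa-f]{1,2}\s*,\s*)+0x[0-9A-Fa-f]{1,2})",
    re.IGNORECASE,
)
# The unchanged final line: load module, resolve type/method, invoke with (host process, payload)
INVOKE_RE = re.compile(
    r"\[Reflection\.Assembly\]::Load\(\$(\w+)\)\.GetType\('([^']+)'\)"
    r"\.GetMethod\('(\w+)'\)\.Invoke\(\$null,\s*\[object\[\]\]\s*"
    r"\('([^']+)',\s*\$(\w+)\)\)",
    re.IGNORECASE,
)
LOLBIN_HOSTS = {"cvtres.exe", "msbuild.exe"}  # .NET binaries the post saw used as hollowing hosts
MZ = b"MZ"  # DOS header magic of a PE image


def decode_arrays(script: str) -> dict:
    """Map every byte-array variable in the script to its decoded bytes."""
    arrays = {}
    for name, body in ARRAY_RE.findall(script):
        arrays[name] = bytes(int(h, 16) for h in re.findall(r"0x[0-9A-Fa-f]{1,2}", body))
    return arrays


def triage(script: str) -> dict:
    """Classify a PowerShell script as clean / suspicious / loader and explain why."""
    arrays = decode_arrays(script)
    pe_arrays = [n for n, b in arrays.items() if b.startswith(MZ)]
    findings = [f"${n} decodes to a PE image ({len(arrays[n])} bytes)" for n in pe_arrays]
    loader = None
    m = INVOKE_RE.search(script)
    if m:
        module, type_name, method, target, payload = m.groups()
        loader = {"module": module, "type": type_name, "method": method,
                  "target": target, "payload": payload}
        findings.append(f"reflective load of ${module} -> {type_name}.{method}({target!r}, ${payload})")
        if target.lower() in LOLBIN_HOSTS:
            findings.append(f"hollowing host {target} is a known .NET LOLBin")
        if payload in pe_arrays:
            findings.append(f"injected payload ${payload} is itself a PE image")
    verdict = "loader" if loader else ("suspicious" if pe_arrays else "clean")
    return {"verdict": verdict, "pe_arrays": pe_arrays, "loader": loader, "findings": findings}


# Constructed stand-in for a type-2 second stage: arrays truncated to a PE header stub.
SAMPLE_STAGE2 = r"""
$Cli444 = [Byte[]] (0x4D,0x5A,0x90,0x00,0x03,0x00,0x00,0x00)
$Cli555 = [Byte[]] (0x4D,0x5A,0x90,0x00,0x03,0x00,0x00,0x00,0x04,0x00)
[Reflection.Assembly]::Load($Cli555).GetType('k.Hackitup').GetMethod('exe').Invoke($null,[object[]] ('cvtres.exe',$Cli444))
"""
# Constructed benign script with a small byte array that is not a PE.
SAMPLE_BENIGN = r"""
$key = [Byte[]] (0x01,0x02,0x03,0x04)
Write-Output ([Convert]::ToBase64String($key))
"""

if __name__ == "__main__":
    for label, text in (("stage2", SAMPLE_STAGE2), ("benign", SAMPLE_BENIGN)):
        result = triage(text)
        print(label, result["verdict"])
        for line in result["findings"]:
            print("  -", line)
```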
Needless to mention again, this attack doesn't shine with extreme sophistication. It follows basic antivirus evasion practices which, according to the VT detections on every script from the opendir and malspam campaigns, are truly effective, at least on static scan. To name these practices, one of them is fragmentation - the process of spreading one malicious intent across various files - and another is constant change: just a change in one of the RAT server settings will result in an entirely new file. It may be difficult for security researchers to write an effective signature due to the possibility of false positives.
It also seems like apart from time, there is almost no other investment. Payloads are mostly hosted in opendirs and low-quality free domains serve as C&C, which indicates lack of own infrastructure.
This attack is built up around effective cost-cutting, by using well-researched, simple techniques.
Connections to Individuals. Coincidence or a Piece of The Puzzle?
In my research I came across an individual that goes by the alias "Ahmed Crypt" https://www.youtube.com/c/DevPlus/videos.
He has been active for years, in fact his first video and Facebook post date back to 3 years ago. He has been creating AV software bypass videos and incidentally, also distributes RATs.
In a post from May 2020, he shares the exact same code which is in many of the scripts.
He also provides a tool that allows the RunPE + RAT server to be converted to byte code.
In a topic on another forum he shares that the encryption has now been "exposed to Avast". After I shared all the malware with an Avast engineer in a personal chat, they developed behaviour-based detections, so Ahmed Crypter is not wrong.
In this video he demonstrates how the attack is built:
Another connection: in this Palo Alto article, an attack via an app named WindowsForms1 has the malware payload spread across 3 buttons. A similar video can be seen in Ahmed Crypter's YouTube channel and is quite old.
The article names the attacker Subaath and it is believed that he is behind Aggah as well.
There are a few possibilities here: the individual may either be part of Gorgon Group, or he may have copied the code from their attacks. It is not impossible that the attacker browsed the hacker forums and obtained the basis of the evasive framework, or Subaath could actually be the old alias of Ahmed Crypter. Either way, this connection can't be meaningless.

unit42.paloaltonetworks.com: Tracking Subaat: Targeted Phishing Attacks Point Leader to Threat Actor's Repository - Unit 42 tracks Subaat: a small phishing campaign targeting government organizations.

Analyses of Previous Related Attacks and Connecting the Dots
Previous attacks with similar code have been uncovered a number of times.
blog.360totalsecurity.com: New infection chain of njRAT variant - Recently, 360 Security Center has detected that a variant of the remote access tool njRAT is active. Compared with the early infection of the njRAT Trojan's executable program landing method.
In this blog post, 360 discusses an njRAT distributed by the same means and with identical code, containing the $Cli444 and $Cli555 byte arrays.
Similar description from Talos:

blog.talosintelligence.com: Upgraded Aggah malspam campaign delivers multiple RATs
In this blog post, researcher Max Kersten discusses an Azorult attack utilising very similar code.

www.gdatasoftware.com: Spam campaign delivers Netwire RAT via paste.ee to German users - G DATA discovered an email spam campaign in Germany that delivers NetWire RAT via PowerShell in Excel documents. The emails mimic the German courier, parcel and express mail service DHL.
In this blog post, malware analyst Karsten Hahn talks about Aggah/Hagga delivering RATs to German users, which was first spotted by G Data's DeepRay technology. The distribution and way of operation are identical to what I discovered.

The obfuscation layers, the injection and the abused LOLBin, mainly msbuild.exe, as well as the abuse of free hosting services all match.
Gorgon Group has previously been famous for the MasterMana botnet, delivering Azorult and RevengeRAT variants.

thenextweb.com: MasterMana Botnet takes over your machine to empty your cryptocurrency wallet - Cybersecurity researchers have linked this botnet to the infamous hacking crew "Gorgon Group," which is known for attacks on governments worldwide.

The botnet is believed to have taken about $160 in investment, which matches the attacker's cost cutting strategy.

blog.prevailion.com: The MasterMana Botnet: Anatomy of the $160 Dollar Hack, by Danny Adamitis and Matt Thompson
The reported C&C URLs in this post are:
hxxp://216[.]170[.]126[.]146/2ky/index.php <-- Similar to 216[.]170[.]126[.]123 from my samples
hxxp://216[.]170[.]126[.]146/ahsan/index.php
hxxp://23[.]249[.]163[.]135/index.php
hxxp://speeddfox[.]duckdns[.]org
hxxp://rgalldmn[.]duckdns[.]org
Further Gorgon Group malware analyses reveal the same tactics, namely:
- Document as an initial vector
- Obfuscated JavaScript at the second stage of the attack
- VBS downloader with similar means of obfuscation at the third stage
- Usage of bytecode/byte array and k.Hackitup, which is described in G Data blog post as well and is utilised in many of the scripts I discovered.
- Abuse of hosting services
Similar methods are described in this Aggah/Hagga campaign article:

securityaffairs.co: The Evolution of Aggah: From Roma225 to the RG Campaign - The experts at Yoroi-Cybaze ZLab discovered a new wave of attacks linked to the cyber espionage campaign tracked as Roma225.
Gorgon Group and Aggah/Hagga in a Great Depth

unit42.paloaltonetworks.com: Aggah Campaign: Bit.ly, BlogSpot, and Pastebin Used for C2 in Large Scale Campaign - In March 2019, Unit 42 began looking into an attack campaign that appeared to be primarily focused on organizations within a Middle Eastern country. Further analysis revealed that this activity is likely part of a much larger campaign impacting not only that region but also the United States...

IOCs of the most recent variants
SHA256/URL/IP | Threat Type | Distributed Trojan | SPAM Subject |
--- | --- | --- | --- |
8a579350941b94276adcf61bc464622d81326d55e93e9819f0be7228c57a41d2 | VBS Downloader | AsyncRAT | Your order has been placed |
hxxps://z.zz.ht/ovtE8.jpg | Final Payload | AsyncRAT | Your order has been placed |
8a579350941b94276adcf61bc464622d81326d55e93e9819f0be7228c57a41d2 | VBS Downloader; Injection | AsyncRAT | Unknown |
16a563ccae472f41b3068d04c75d6e7209f329b65c42069f97425a071f91787d | VBS Downloader | AsyncRAT | Your order has been placed |
hxxps://z.zz.ht/nbfSN.jpg | Final Payload | AsyncRAT | Your order has been placed |
6f4f4f4b980e471c5f8f5d0d95bff5a7ec98e3e2377f18f7fc0d44828cbe33a6 | VBS Downloader | Remcos RAT | Separate Remittance Advice: paper document no - 9604163 |
ee6aa50f61c71ad0a85d0c60e8cec35c45b949da9e173d79cdcb9c7586ac4e12 | VBS Downloader | AsyncRAT | Your Spectrum Statement is Ready |
ahmed21018.linkpc.net:6666 | C&C Server | AsyncRAT | Your Spectrum Statement is Ready |
8e9a3943e6d8e8409b427e7ad9f60e43164d8ea99ae2755df7804013508c15a2 | VBS Downloader | Quasar RAT | your order has been placed##675495 |
36baf9c7d6ed1aa739eb8bf2d3ad8eccc5419a6edd780b0738e2e33d55d9fe94 | VBS Downloader | Quasar RAT | your order has been placed##253554 |
hxxps://z.zz.ht/nlOiE.jpg | Final Payload | Quasar RAT | your order has been placed##253554 |
sdffgre.myq-see.com:9999 (51.89.204.178) | C&C Server | Quasar RAT | your order has been placed##253554 |
2f99e627f3cf5b119435e4e247366ccd20a0379c6fa47673cbd66976693ecee1 | VBS Downloader | Quasar RAT | your order has been placed##144484 |
a357ad5f8ab84ea057de059887f90f11aa110ce9aa53d93d1bdb676c6d4e8659 | VBS Downloader | Quasar RAT | your order has been placed##515846 |
0089fe3a660c1a3fba7039e03482aed3b0a7d82b72e4c38e4b5da8612fe7247c | VBS Downloader | AsyncRAT | Your Spectrum Statement is Ready |
clayroot2016.linkpc.net:6666 | C&C Server | AsyncRAT | Your Spectrum Statement is Ready |
a412a3bdf6e8891fa60734b53430db5d0ac8dce28a764fd013dd767614790c45 | VBS Downloader | AsyncRAT | Your latest statement is now available. |
saico015.linkpc.net | C&C Server | AsyncRAT | Your latest statement is now available. |
1c58b7edbf5afeeccdff1eda0694d86572e7e25df35cadba6d1c6cd11b6384bd | VBS Downloader | AsyncRAT | Your latest statement is now availableh |
hxxp://nyanxcat.online/Runpe/test/N1/Clean.txt | Final Payload | AsyncRAT | Your latest statement is now availableh |
6caf398dd07a03dc116fa8562b0daf0973d16309299cb9664d2efbc82bdb3069 | VBS Downloader | AsyncRAT | Your Spectrum Statement is ready |
saico015.linkpc.net:6666 (168.119.170.202) | C&C Server | AsyncRAT | Your Spectrum Statement is ready |
55003a7b54c120f1a15f12fb4223a13cf4ac1469a9823f4ee3ba0f6794caefe1 | VBS Downloader | AsyncRAT | Your Spectrum Statement is Ready |
clayroot2016.linkpc.net:6666 (135.181.96.16) | C&C Server | AsyncRAT | Your Spectrum Statement is Ready |
c1112384f112be4ca371297019f4ca8d93d7b76e105014d1b9d54b18aced9124 | VBS Downloader | Quasar RAT | Your Payment Is Being Processed. |
hxxps://raw.githubusercontent.com/githubuser2x/x/master/New.jpg | Final Payload | Quasar RAT | Your Payment Is Being Processed. |
aptzebi.myq-see.com:5552 (172.98.72.144) | C&C Server | Quasar RAT | Your Payment Is Being Processed. |
1b666ae5d0a159ac2a7701642c95a277deb453b1b790b6573d8d7267adb37ccd | Maldoc | Remcos RAT | Not known |
hxxp://vendorcreditglobal.online/find/puta.js | Obfuscated JS Loader | Remcos RAT | Not known |
hxxp://vendorcreditglobal.online/file/mint.jpg | Final Payload | Remcos RAT | Not known |
1b666ae5d0a159ac2a7701642c95a277deb453b1b790b6573d8d7267adb37ccd | Maldoc | Remcos RAT | Not known |
80b29a57c1a22a86e60b96bf2a7d4c7fc4a6574a8e28b29491ab5ef6d6f7fa54 | Maldoc | Agent Tesla | Not known |
hxxp://103.133.105.179/15/inc/9bc55352dda4bb.php | C&C Server | Agent Tesla | Not known |
c9b4f67de9383ad6eca344cf2a4a893fb2ac973a86bda476e9a755ec6e3aa16f | Maldoc | Agent Tesla | Not known |
hxxp://193.56.28.231/webpanel-master/inc/ | Opendir; Mana Panel; C&C | Agent Tesla; Others | Not known |
cfd1cddf339116a293a9bd9c786e830ec03fdc0960e25ef006b2f47f37b00869 | Maldoc | Agent Tesla | Not known |
hxxp://103.133.105.179/20/inc/3b3de011a25350.php | Opendir; Mana Panel; C&C | Agent Tesla; Others | Not known |
hxxp://spongpoppp.myq-see.com/ | C&C | Not known | Not known |
More C&C servers and malware: VirusTotal
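An added example (not from the original post) that turns the IOC table above into structured records: it refangs the hxxp and [.] notation, validates SHA256 values, and splits the "host:port (ip)" C&C entries so the indicators can be loaded into a blocklist or SIEM watchlist. The sample rows are copied from the table; the Ioc dataclass and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# C&C cell forms used in the table: "host", "host:port" or "host:port (ip)"
SERVER_RE = re.compile(r"^(?P<host>[^\s:(]+)(?::(?P<port>\d+))?(?:\s*\((?P<ip>[^)]+)\))?$")


@dataclass
class Ioc:
    kind: str                 # "sha256", "url" or "server"
    value: str                # refanged hash, URL or hostname
    threat_type: str
    family: str
    subject: str
    port: Optional[int] = None
    ip: Optional[str] = None


def refang(value: str) -> str:
    """Reverse the defanging used in the table (hxxp(s)://, [.])."""
    return (value.replace("hxxps://", "https://")
                 .replace("hxxp://", "http://")
                 .replace("[.]", "."))


def parse_row(line: str) -> Optional[Ioc]:
    """Parse one pipe-delimited table row; header and separator rows yield None."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 4 or cells[0].startswith("SHA256") or set(cells[0]) <= {"-"}:
        return None
    raw, threat_type, family, subject = cells[:4]
    value = refang(raw)
    if SHA256_RE.match(value.lower()):
        return Ioc("sha256", value.lower(), threat_type, family, subject)
    if value.startswith(("http://", "https://")):
        return Ioc("url", value, threat_type, family, subject)
    m = SERVER_RE.match(value)
    if not m:
        return None
    port = int(m["port"]) if m["port"] else None
    return Ioc("server", m["host"], threat_type, family, subject, port=port, ip=m["ip"])


def parse_table(text: str) -> List[Ioc]:
    iocs = []
    for line in text.splitlines():
        ioc = parse_row(line)
        if ioc:
            iocs.append(ioc)
    return iocs


def by_family(iocs: List[Ioc]) -> Dict[str, List[str]]:
    """Group refanged indicator values by the RAT family they belong to."""
    grouped: Dict[str, List[str]] = {}
    for ioc in iocs:
        grouped.setdefault(ioc.family, []).append(ioc.value)
    return grouped


# Rows copied from the IOC table above (header included to show it is skipped).
SAMPLE_TABLE = """\
SHA256/URL/IP | Threat Type | Distributed Trojan | SPAM Subject |
ee6aa50f61c71ad0a85d0c60e8cec35c45b949da9e173d79cdcb9c7586ac4e12 | VBS Downloader | AsyncRAT | Your Spectrum Statement is Ready |
ahmed21018.linkpc.net:6666 | C&C Server | AsyncRAT | Your Spectrum Statement is Ready |
hxxps://z.zz.ht/nlOiE.jpg | Final Payload | Quasar RAT | your order has been placed##253554 |
sdffgre.myq-see.com:9999 (51.89.204.178) | C&C Server | Quasar RAT | your order has been placed##253554 |
"""

if __name__ == "__main__":
    for family, values in by_family(parse_table(SAMPLE_TABLE)).items():
        print(family, values)
```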