Cybercrime RATting the RAT: Deep Dive into Gorgon Group Modus Operandi

McMcbrad

Level 23
Oct 16, 2020
1,252
At the end of November an interesting piece of malware caught my attention whilst browsing one of the popular threat hunting portals, namely any.run. Seeing a Remote Access Trojan on this portal is already quite exciting by itself, as I have spoken to attackers before and they have told me that they upload their malware there to test it. It is very likely that a RAT sample obtained from this portal is fresh and hot, still not analysed by anyone.

The malware in question did not arrive as a file, but rather as a link (the portal supports analyses of both files and links). It operated by abusing LOLBins: with the introduction of AI, reputation, signature control and other means in legacy AV software, attackers are looking to escape the land of standard executable files. Scripts suffice, as there is usually a smaller arsenal of technologies working to identify their malicious intent. Many of these technologies can be evaded with techniques such as adding unnecessary filler or, when maintaining persistence, choosing wisely where the content will be stored, be it in a folder or the registry. There are paths to which antivirus software is more sensitive and paths which may not trigger a detection at all. It's all a matter of trial and error, and is worth doing when your financial gains depend on it.

Here is the moment to say that I am not a threat analyst myself - my threat hunting habits are mainly a hobby, but they also allow me to know what's out there and roll out the needed policies to secure the systems under my control. However, I'll keep this report as scientific and proven as possible.

What did I discover originally?

Let's start by talking about what I discovered back in November.

It all started with a malicious PowerPoint Presentation.
The domain 111().90().149().229 served three *.txt files.
1.txt with MD5 c0c6f84a6d417937a9ba559edcaf5e65b560b4e2bbc0ca5243021dd0ca839c4c - fileless Tesla abusing .Net framework executable msbuild.exe
2.txt with MD5 49c48b2136689ebbb8af64d9fd97b6d7e8cd99391691fd01f63abfe4d4cd1fc5 - fileless Tesla abusing cvtres.exe, again a .Net framework executable.
The third file, named cobalt.txt with MD5 e68607822020f6cf0853cf5906e498bf3973e1c74a3c1709cefcc7ad998654dd, was an AMSI bypass, possibly derived from a pentester's GitHub account:
[screenshot of the AMSI bypass script]

A PowerShell AMSI bypass possibly derived from GitHub indicates that the attacker is not really that technical or sophisticated, but can rather find exactly what he needs, when he needs it.

Together with that, there was an obfuscated JavaScript with MD5 83b6296df14f6e0d55983b59bf843a45c64ac4c84661dd25404af31255b87aff named main.txt, which served as the attack initialiser.
A second JS with MD5 65895651e1c64fec37e7143c713618f51daa66553377440234f78a190e069bff served to maintain persistence on the machine.

The infection chain was as follows:

[infection chain diagram]


This was just one piece of a puzzle that I thought was solved, but then I noticed that other RATs had also been distributed and some variables hadn't even been changed.
This is when I discovered an opendir serving as a malware repository, which was located at onedrive.linkpc.net (now defunct).
[screenshots of the open directory listing]

A copy of the harvested content is available here: Free Automated Malware Analysis Service - powered by Falcon Sandbox
The repository was jam-packed with more than 100 scripts, all built around the same concept:
  • A downloader serves as the first stage. This is mostly a VBS file. Throughout the versions it has not morphed much, apart from the directory where the script creates a copy of itself to maintain persistence.
  • At the second stage, the downloader obtains a PowerShell script, which doesn't drop a file anywhere. The script itself follows this concept:
    • An array is created with a process hollowing module, converted to some type of code. It was mostly bytecode in a byte array, but other encodings were also used.
    • A second array is created with the RAT server, converted to code as well.
    • At the final stage the process hollowing module is called with two parameters: the process to turn into a puppet and the code to inject (this is the code from the second variable).
    • Throughout the different versions this framework almost didn't evolve. The only changes were in the RAT server - mainly Bladabindi/NJRat, but it seems that at one point the attackers settled for AsyncRAT, which is understandable - it's a lot more feature-rich.
    • The script is usually stored as a *.jpg file (example hxxps://z.zz.ht/nbfSN.jpg).
  • At the third stage the attacker will exfiltrate data of interest. What the individual/group is interested in is mainly browser-stored credentials, and by creating decoy accounts I was able to see what they want. This is Discord (probably to compromise the account for their botnet purposes) and emails - the attacker is desperately trying to get into a fake email I created. Once again he shows a lack of knowledge by attempting to log in to my email with the stolen passwords from countries like Nigeria - I live in the UK. Obviously this will trigger a block, even if the password is correct. After I changed the password, they attempt to log in every day with a wrong one. Though I left a Revolut virtual CC in the browser, there is no evidence the attackers are interested in that.
An article mentions Aggah's partnership with an attacker in Lagos, Nigeria and goes on to explain that he uses Chrome on Windows 10. This matches the information from the log-in attempt.
The IP address doesn't belong to a VPN provider, so it's either a victim's machine or a not-so-smart attacker's home IP.

[screenshots of the log-in attempts against the decoy accounts]

The attacker attempts to compromise a decoy email on a daily basis and made a single attempt to compromise a decoy Discord account.

Example of a first-stage script:
[screenshot]


Example of a second-stage script, type 1:
[screenshots]


A second-stage script of type 2 can easily be identified by its last line, which the attackers haven't modified throughout the variations:
[Reflection.Assembly]::Load($Cli555).GetType('k.Hackitup').GetMethod('exe').Invoke($null,[object[]] ('cvtres.exe',$Cli444))
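The two-array-plus-reflective-load layout from the bullet list above and the k.Hackitup line just quoted can be triaged statically. The Python below is an added example written for this post, not code from the campaign or from any of the linked researchers; the PowerShell snippet embedded in it is constructed (eight-byte stand-in arrays that only begin with the MZ magic), and the variable, type, method and host process names are the ones the page quotes.

```python
import re

# PowerShell byte-array assignment, e.g.  [Byte[]] $Cli444 = 0x4D,0x5A,...  or  $x = @(77,90,...)
BYTE_ARRAY_RE = re.compile(
    r"\$(?P<name>\w+)\s*=\s*(?:\[Byte\[\]\]\s*)?@?\(?\s*"
    r"(?P<body>(?:0x[0-9A-Fa-f]{1,2}|\d{1,3})(?:\s*,\s*(?:0x[0-9A-Fa-f]{1,2}|\d{1,3})){3,})",
    re.IGNORECASE,
)
# Reflective in-memory load of one array, then a method call that receives a host
# process name and a second array: the k.Hackitup / exe pattern quoted above.
REFLECTIVE_LOAD_RE = re.compile(
    r"\[(?:System\.)?Reflection\.Assembly\]::Load\(\$(?P<loader>\w+)\)"
    r"\.GetType\('(?P<type>[^']+)'\)\.GetMethod\('(?P<method>[^']+)'\)"
    r"\.Invoke\([^)]*\('(?P<host>[^']+)'\s*,\s*\$(?P<payload>\w+)\)",
    re.IGNORECASE,
)
PE_MAGIC = b"MZ"

# Constructed sample with the shape of the loader described in the post; the payloads are eight-byte stand-ins.
SAMPLE_SCRIPT = r"""
[Byte[]] $Cli555 = 0x4D,0x5A,0x90,0x00,0x03,0x00,0x00,0x00
[Byte[]] $Cli444 = 77,90,144,0,3,0,0,0
$Wait = 10,20,30,40
[Reflection.Assembly]::Load($Cli555).GetType('k.Hackitup').GetMethod('exe').Invoke($null,[object[]] ('cvtres.exe',$Cli444))
"""


def decode_byte_array(body: str) -> "bytes | None":
    """Turn '0x4D,0x5A,144' into bytes; None if any literal is outside 0..255."""
    values = [int(t, 16) if t.lower().startswith("0x") else int(t) for t in re.split(r"\s*,\s*", body.strip())]
    return bytes(values) if all(0 <= v <= 255 for v in values) else None


def triage(script: str) -> dict:
    """Report byte arrays that carry a PE image and the reflective-load call, if present."""
    arrays = {}
    for m in BYTE_ARRAY_RE.finditer(script):
        blob = decode_byte_array(m["body"])
        if blob is not None:
            arrays[m["name"]] = blob
    pe_arrays = sorted(name for name, blob in arrays.items() if blob.startswith(PE_MAGIC))
    call = REFLECTIVE_LOAD_RE.search(script)
    result = {"byte_arrays": sorted(arrays), "pe_arrays": pe_arrays, "reflective_load": None}
    if call:
        result["reflective_load"] = {k: call[k] for k in ("loader", "type", "method", "host", "payload")}
    # Verdict: a PE image loaded reflectively from one array while a second PE array is handed
    # to it together with a host process name is the fileless RunPE chain the post describes.
    result["suspicious"] = bool(call) and call["loader"] in pe_arrays and call["payload"] in pe_arrays
    return result
```

Running triage(SAMPLE_SCRIPT) flags both Cli arrays as PE images and returns the loader, type, method, host process and payload variable of the reflective call; a script with only non-PE arrays or no such call comes back as not suspicious.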

Needless to say again, this attack doesn't shine with extreme sophistication. It follows basic antivirus evasion practices which, according to the VT detection on every script from the opendir and malspam campaigns, are truly effective, at least on static scan. To name these practices: one of them is fragmentation - the process of spreading one malicious intent across various files - and another is constant change - just a change in one of the RAT server settings will result in an entirely new file. It may be difficult for security researchers to write an effective signature due to the possibility of false positives.
It also seems that, apart from time, there is almost no other investment. Payloads are mostly hosted in opendirs and low-quality free domains serve as C&C, which indicates a lack of their own infrastructure.
This attack is built around effective cost-cutting, using well-researched, simple techniques.

Connections to Individuals. Coincidence or a Piece of The Puzzle?

In my research I came across an individual who goes by the alias "Ahmed Crypt" https://www.youtube.com/c/DevPlus/videos.
He has been active for years; in fact his first video and Facebook post date back three years. He has been creating AV software bypass videos and incidentally also distributes RATs.
In a post from May 2020, he shares the exact same code that appears in many of the scripts:
[screenshots of the forum post]


He also provides a tool that allows the RunPE module and the RAT server to be converted to bytecode.
[screenshot of the tool]


In a topic on another forum he shares that the encryption has now been "exposed to Avast". After I shared all the malware with an Avast engineer in a personal chat, they developed behaviour-based detections, so Ahmed Crypter is not wrong.
[screenshot of the forum topic]

In this video he demonstrates how the attack is built:

Another connection: in this Palo Alto article, an attack via an app named WindowsForms1 has the malware payload spread across three buttons. A similar video can be seen on Ahmed Crypter's YouTube channel and is quite old.
The article names the attacker Subaath and it is believed that he is behind Aggah as well.

There are a few possibilities here: the individual may either be part of Gorgon Group or he may have copied the code from their attacks. It is not impossible that the attacker browsed the hacker forums and obtained the basis of the evasive framework, or Subaath could actually be the old alias of Ahmed Crypter. Either way, this connection can't be meaningless.


Analyses of Previous Related Attacks and Connecting the Dots

Previous attacks with similar code have been uncovered a number of times.
In this blog post, 360 discusses an NJRat distributed by the same means and with identical code, containing the $Cli444 and $Cli555 byte arrays.

Similar description from Talos:

In this blog post, researcher Max Kersten discusses an Azorult attack utilising very similar code.

In this blog post, malware analyst Karsten Hahn talks about Aggah/Hagga delivering RATs to German users, which was first spotted by G Data's DeepRay technology. The distribution and way of operation are identical to what I discovered.
The obfuscation layers, the injection and the abused LOLBin, mainly msbuild.exe, as well as the abuse of free hosting services all match.

Gorgon Group has previously been famous for the Master Mana botnet, delivering Azorult and RevengeRAT variants.
This may explain the similarities in the code between the Azorult attack described by Max Kersten and Aggah/Hagga's attacks.

The botnet is believed to have taken about $160 in investment, which matches the attacker's cost cutting strategy.
The reported C&C URLs in this post are:
hxxp://216[.]170[.]126[.]146/2ky/index.php <-- Similar to 216.170.126.123 from my samples
hxxp://216[.]170[.]126[.]146/ahsan/index.php
hxxp://23[.]249[.]163[.]135/index.php
hxxp://speeddfox[.]duckdns[.]org
hxxp://rgalldmn[.]duckdns[.]org

Further Gorgon Group malware analyses reveal the same tactics, namely:
  • Document as an initial vector
  • Obfuscated JavaScript at the second stage of the attack
  • VBS downloader with similar means of obfuscation at the third stage
  • Usage of bytecode/byte array and k.Hackitup, which is described in G Data blog post as well and is utilised in many of the scripts I discovered.
  • Abuse of hosting services

Similar methods are described in this Aggah/Hagga campaign article:

Gorgon Group and Aggah/Hagga in a Great Depth


IOCs of the most recent variants
SHA256/URL/IP | Threat Type | Distributed Trojan | SPAM Subject
8a579350941b94276adcf61bc464622d81326d55e93e9819f0be7228c57a41d2 | VBS Downloader | AsyncRAT | Your order has been placed ✅
hxxps://z.zz.ht/ovtE8.jpg | Final Payload | AsyncRAT | Your order has been placed ✅
8a579350941b94276adcf61bc464622d81326d55e93e9819f0be7228c57a41d2 | VBS Downloader; Injection | AsyncRAT | Unknown
16a563ccae472f41b3068d04c75d6e7209f329b65c42069f97425a071f91787d | VBS Downloader | AsyncRAT | Your order has been placed ✅
hxxps://z.zz.ht/nbfSN.jpg | Final Payload | AsyncRAT | Your order has been placed ✅
6f4f4f4b980e471c5f8f5d0d95bff5a7ec98e3e2377f18f7fc0d44828cbe33a6 | VBS Downloader | Remcos RAT | Separate Remittance Advice: paper document no - 9604163
ee6aa50f61c71ad0a85d0c60e8cec35c45b949da9e173d79cdcb9c7586ac4e12 | VBS Downloader | AsyncRAT | Your Spectrum Statement is Ready
ahmed21018.linkpc.net:6666 | C&C Server | AsyncRAT | Your Spectrum Statement is Ready
8e9a3943e6d8e8409b427e7ad9f60e43164d8ea99ae2755df7804013508c15a2 | VBS Downloader | Quasar RAT | your order has been placed##675495
36baf9c7d6ed1aa739eb8bf2d3ad8eccc5419a6edd780b0738e2e33d55d9fe94 | VBS Downloader | Quasar RAT | your order has been placed##253554
hxxps://z.zz.ht/nlOiE.jpg | Final Payload | Quasar RAT | your order has been placed##253554
sdffgre.myq-see.com:9999 (51.89.204.178) | C&C Server | Quasar RAT | your order has been placed##253554
2f99e627f3cf5b119435e4e247366ccd20a0379c6fa47673cbd66976693ecee1 | VBS Downloader | Quasar RAT | your order has been placed##144484
a357ad5f8ab84ea057de059887f90f11aa110ce9aa53d93d1bdb676c6d4e8659 | VBS Downloader | Quasar RAT | your order has been placed##515846
0089fe3a660c1a3fba7039e03482aed3b0a7d82b72e4c38e4b5da8612fe7247c | VBS Downloader | AsyncRAT | Your Spectrum Statement is Ready
clayroot2016.linkpc.net:6666 | C&C Server | AsyncRAT | Your Spectrum Statement is Ready
a412a3bdf6e8891fa60734b53430db5d0ac8dce28a764fd013dd767614790c45 | VBS Downloader | AsyncRAT | Your latest statement is now available.
saico015.linkpc.net | C&C Server | AsyncRAT | Your latest statement is now available.
1c58b7edbf5afeeccdff1eda0694d86572e7e25df35cadba6d1c6cd11b6384bd | VBS Downloader | AsyncRAT | Your latest statement is now availableh
hxxp://nyanxcat.online/Runpe/test/N1/Clean.txt | Final Payload | AsyncRAT | Your latest statement is now availableh
6caf398dd07a03dc116fa8562b0daf0973d16309299cb9664d2efbc82bdb3069 | VBS Downloader | AsyncRAT | Your Spectrum Statement is ready
saico015.linkpc.net:6666 (168.119.170.202) | C&C Server | AsyncRAT | Your Spectrum Statement is ready
55003a7b54c120f1a15f12fb4223a13cf4ac1469a9823f4ee3ba0f6794caefe1 | VBS Downloader | AsyncRAT | Your Spectrum Statement is Ready
clayroot2016.linkpc.net:6666 (135.181.96.16) | C&C Server | AsyncRAT | Your Spectrum Statement is Ready
c1112384f112be4ca371297019f4ca8d93d7b76e105014d1b9d54b18aced9124 | VBS Downloader | Quasar RAT | Your Payment Is Being Processed.
hxxps://raw.githubusercontent.com/githubuser2x/x/master/New.jpg | Final Payload | Quasar RAT | Your Payment Is Being Processed.
aptzebi.myq-see.com:5552 (172.98.72.144) | C&C Server | Quasar RAT | Your Payment Is Being Processed.
1b666ae5d0a159ac2a7701642c95a277deb453b1b790b6573d8d7267adb37ccd | Maldoc | Remcos RAT | Not known
hxxp://vendorcreditglobal.online/find/puta.js | Obfuscated JS Loader | Remcos RAT | Not known
hxxp://vendorcreditglobal.online/file/mint.jpg | Final Payload | Remcos RAT | Not known
80b29a57c1a22a86e60b96bf2a7d4c7fc4a6574a8e28b29491ab5ef6d6f7fa54 | Maldoc | Agent Tesla | Not known
hxxp://103.133.105.179/15/inc/9bc55352dda4bb.php | C&C Server | Agent Tesla | Not known
c9b4f67de9383ad6eca344cf2a4a893fb2ac973a86bda476e9a755ec6e3aa16f | Maldoc | Agent Tesla | Not known
hxxp://193.56.28.231/webpanel-master/inc/ | Opendir; Mana Panel; C&C | Agent Tesla; Others | Not known
cfd1cddf339116a293a9bd9c786e830ec03fdc0960e25ef006b2f47f37b00869 | Maldoc | Agent Tesla | Not known
hxxp://103.133.105.179/20/inc/3b3de011a25350.php | Opendir; Mana Panel; C&C | Agent Tesla; Others | Not known
hxxp://spongpoppp.myq-see.com/ | C&C | Not known | Not known

More C&C server and malware: VirusTotal

McMcbrad

New IOCs related to this threat:

SHA256/IP/URL | Threat Type | Associated Trojan | SPAM Subject
9893ce76e1ce0d777eef70a4dd00cf837fce5bc534208990c8838983a4d14ff0 | VBS Loader | AsyncRAT | Your order has been placed ✅
hxxps://z.zz.ht/LpMd7.txt | Final Payload | AsyncRAT | Your order has been placed ✅
spongpoppp.myq-see.com:1177 | C&C Server | AsyncRAT | Your order has been placed ✅
157f5733aeb46953fefa26d493987715465c29e03e9c44f4daf7762b6dcfa85b | VBS Loader | AsyncRAT | Your order has been placed ✅
7c4c3766022715b198976966a25f569a5dfadc330e445762ee56c3396e53927b | VBS Loader | AsyncRAT | Not Known
c8b827adf538c6bd9929fa2b755a10646bdeb6f552d74c149e10a519c42ec28f | VBS Loader | AsyncRAT | Your Spectrum Statement Is Available Now
hxxps://www.minpic.net/k/bje9/4j2hk/ | Final Payload | AsyncRAT | Your Spectrum Statement Is Available Now
ahmed21018.linkpc.net:6666 (173.234.155.108) | C&C Server | AsyncRAT | Your Spectrum Statement Is Available Now
fe241d878ef5fc88311290d628ecd016e7c6b2e052bd98eccbb52c9076db64c5 | VBS Loader | AsyncRAT | Not Known
hxxps://z.zz.ht/aTo0A.txt | Final Payload | AsyncRAT | Not Known
hxxps://z.zz.ht/iTR2p.jpg | Final Payload | AsyncRAT | Not Known
hxxps://z.zz.ht/UQY9h.txt | Final Payload | AsyncRAT | Not Known

Attackers obviously love reading up.

[screenshots]