From Agent.BTZ to ComRAT v4: A ten-year journey

Turla has updated its ComRAT backdoor and now uses the Gmail web interface for Command and Control

ESET researchers have found a new version of one of the oldest malware families run by the Turla group, ComRAT. Turla, also known as Snake, is an infamous espionage group that has been active for more than ten years. We have previously described many campaigns attributed to this group.

ComRAT, also known as Agent.BTZ and to its developers as Chinch, is a Remote Access Trojan (RAT) that became infamous after its use in a breach of the US military in 2008. The first version of this malware, likely released in 2007, exhibited worm capabilities by spreading through removable drives. From 2007 to 2012, two new major versions of the RAT were released. Interestingly, both employed the well-known Turla XOR key:

1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s

Until mid-2017, the Turla developers made a few changes to ComRAT, but these variants were apparently still derived from the same code base.

Then, in 2017, we noticed that a very different version of ComRAT had been released. This new version used a completely new code base and was far more complex than its predecessors. Here are the main characteristics of this malware family:

  • ComRAT v4 was first seen in 2017 and was still in use as recently as January 2020.
  • We identified at least three targets: two Ministries of Foreign Affairs and a national parliament.
  • ComRAT was used to exfiltrate sensitive documents. The operators used public cloud services such as OneDrive and 4shared to exfiltrate data.
  • ComRAT is a complex backdoor developed in C++.
  • ComRAT uses a virtual file system formatted in FAT16.
  • ComRAT is deployed using existing access methods, such as the PowerStallion PowerShell backdoor.
  • ComRAT has two Command and Control channels:
    • HTTP: it uses exactly the same protocol as ComRAT v3
    • Email: it uses the Gmail web interface to receive commands and exfiltrate data
  • ComRAT can perform many actions on the compromised computers, such as executing additional programs or exfiltrating files.

Attribution to Turla

Based on the victimology and the TTPs, we believe that ComRAT is used exclusively by Turla. There are a few elements linking ComRAT v4 to Turla:

  • It uses the same internal name, Chinch, as the previous versions
  • It uses the same custom C&C protocol over HTTP as ComRAT v3
  • A part of the network infrastructure is shared with another Turla malware family, Mosquito
  • It was dropped by, or has dropped other, Turla malware families:
    • A customized PowerShell loader
    • The PowerStallion backdoor
    • The RPC backdoor

Insight into attacker’s activity

During our investigation, we were able to gain insights about what Turla operators were doing on the compromised machines.

The main use of ComRAT is stealing confidential documents. In one case, its operators even deployed a .NET executable to interact with the victim’s central MS SQL Server database containing the organization’s documents. Figure 1 is the redacted SQL command.

Figure 1. SQL command to dump documents from the central database (partially redacted)

These documents were then compressed and exfiltrated to a cloud storage provider such as OneDrive or 4shared. Cloud storage is mounted using the net use command as shown in Figure 2.

Figure 2. Command to mount a OneDrive folder using net use (partially redacted)

In addition to document stealing, the operators also run many commands to gather information about the Active Directory groups or users, the network, or Microsoft Windows configurations such as the group policies. Figure 3 is a list of commands executed by Turla operators.

Figure 3. Basic recon of the compromised machine

Finally, we also noticed that Turla operators are aware of and try to evade security software. For instance, they regularly exfiltrate security-related log files in order to understand whether their malware samples have been detected. This shows the level of sophistication of this group and its intention to stay on the same machines for a long time.

Technical analysis

According to its compilation timestamp, which is likely genuine, the first known sample of ComRAT v4 was compiled in April 2017. The most recent iteration of the backdoor we’ve seen was, to the best of our knowledge, compiled in November 2019.

Based on ESET telemetry, we believe that ComRAT is installed using an existing foothold such as compromised credentials or via another Turla backdoor. For instance, we’ve seen ComRAT installed by PowerStallion, their PowerShell-based backdoor we described in 2019.

The ComRAT installer is a PowerShell script that creates a Windows scheduled task and fills a Registry value with the encrypted payload.

ComRAT v4 has several components:

  • an orchestrator, injected into explorer.exe. It controls most of ComRAT functions including the execution of backdoor commands.
  • a communication module (a DLL), injected into the default browser by the orchestrator. It communicates with the orchestrator using a named pipe.
  • a Virtual FAT16 File System, containing the configuration and the logs files.

Figure 4 is an overview of ComRAT’s architecture.

Figure 4. Summary of ComRAT architecture

ComRAT v4 has two different C&C channels: HTTP (known internally as legacy), which (surprise surprise) uses the HTTP protocol, and email (known internally as mail), which uses the Gmail web interface.

In the latter mode and using cookies stored in the configuration, it connects to the Gmail web interface in order to check the inbox and download specific mail attachments that contain encrypted commands. These commands are sent by the malware operators from another address, generally hosted on a different free email provider such as GMX.

A detailed technical analysis of all ComRAT’s components is available in the white paper.

Conclusion

ComRAT v4 is a totally revamped malware family released in 2017. Its developers took inspiration from other Turla backdoors, such as Snake, to build a very complex piece of malware.

Its most interesting feature is the use of the Gmail web UI to receive commands and exfiltrate data. Thus, it is able to bypass some security controls because it doesn’t rely on any malicious domain. We also noticed that this new version abandoned the use of COM object hijacking for persistence, the method that gave the malware its common name.

We found indications that ComRAT v4 was still in use at the beginning of 2020, showing that the Turla group is still very active and a major threat for diplomats and militaries.

A full and comprehensive list of Indicators of Compromise (IoCs) and samples can be found in the full white paper and in our GitHub repository.

For a detailed analysis of the backdoor, refer to our white paper. For any inquiries, or to make sample submissions related to the subject, contact us at [email protected].

MITRE ATT&CK techniques

Tactic | ID | Name | Description
Execution | T1086 | PowerShell | A PowerShell script is used to install ComRAT.
Persistence | T1053 | Scheduled Task | ComRAT uses a scheduled task to launch its PowerShell loader.
Defense Evasion | T1027 | Obfuscated Files or Information | The ComRAT orchestrator is stored encrypted and only decrypted at execution.
Defense Evasion | T1055 | Process Injection | The ComRAT orchestrator is injected into explorer.exe. The communication DLL is injected into the default browser.
Defense Evasion | T1112 | Modify Registry | The ComRAT orchestrator is stored encrypted in the Registry.
Discovery | T1016 | System Network Configuration Discovery | Operators execute ipconfig and nbstat.
Discovery | T1033 | System Owner/User Discovery | Operators execute net user.
Discovery | T1069 | Permission Groups Discovery | Operators execute net group /domain.
Discovery | T1082 | System Information Discovery | Operators execute systeminfo.
Discovery | T1083 | File and Directory Discovery | Operators list the content of several directories. Example: dir /og-d "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*".
Discovery | T1087 | Account Discovery | Operators execute net user and net group.
Discovery | T1120 | Peripheral Device Discovery | Operators execute fsutil fsinfo drives to list the connected drives.
Discovery | T1135 | Network Share Discovery | Operators execute net view.
Collection | T1213 | Data from Information Repositories | The operators use a custom tool to exfiltrate documents from an internal central database.
Command and Control | T1024 | Custom Cryptographic Protocol | ComRAT uses RSA and AES to encrypt C&C data.
Command and Control | T1043 | Commonly Used Port | ComRAT uses ports 80 and 443.
Command and Control | T1071 | Standard Application Layer Protocol | ComRAT uses HTTP and HTTPS.
Command and Control | T1102 | Web Service | ComRAT can be controlled via the Gmail web UI.
Exfiltration | T1002 | Data Compressed | The documents are compressed in a RAR archive.
Exfiltration | T1022 | Data Encrypted | The RAR archive is encrypted with a password.
Exfiltration | T1048 | Exfiltration Over Alternative Protocol | Data is exfiltrated to cloud storage, mounted locally using the net use command.
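The Discovery rows above (and the recon list in Figure 3) describe a short burst of built-in commands run from the process hosting the orchestrator. The following detection logic is an added example, not ESET's code: it scores process-creation events per host and parent process and alerts when several distinct recon techniques appear inside a time window. The event format, the sample log lines and the window/threshold values are constructed assumptions.

```python
"""Detect the recon-command burst attributed to ComRAT operators (ipconfig,
nbstat, net user/group/view, systeminfo, fsutil, dir of the Recent folder)
in process-creation events.  Added example, not ESET code; the event format
and sample lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line prefixes taken from the article's Discovery rows (T1016..T1135).
RECON_PATTERNS = (
    ("ipconfig", "T1016"),
    ("nbstat", "T1016"),
    ("net user", "T1033/T1087"),
    ("net group", "T1069/T1087"),
    ("systeminfo", "T1082"),
    ("fsutil fsinfo drives", "T1120"),
    ("net view", "T1135"),
    ("dir /og-d", "T1083"),
)
WINDOW = timedelta(minutes=10)   # assumption: recon is run in one sitting
MIN_DISTINCT = 4                 # assumption: distinct techniques needed to alert


def classify(cmdline):
    """Return the ATT&CK id for a recon command line, or None."""
    c = cmdline.strip().lower()
    for prefix, tech in RECON_PATTERNS:
        if c.startswith(prefix) or c.startswith("cmd.exe /c " + prefix):
            return tech
    return None


def parse_event(line):
    """Constructed format: '<ISO time>\\t<host>\\t<parent image>\\t<command line>'."""
    ts, host, parent, cmd = line.rstrip("\n").split("\t", 3)
    return datetime.fromisoformat(ts), host, parent, cmd


def detect_recon_bursts(lines):
    """Group recon events per (host, parent process) and alert when at least
    MIN_DISTINCT different techniques occur within WINDOW.  Returns alert dicts."""
    per_key = defaultdict(list)
    for line in lines:
        ts, host, parent, cmd = parse_event(line)
        tech = classify(cmd)
        if tech:
            per_key[(host, parent)].append((ts, tech, cmd))
    alerts = []
    for (host, parent), events in per_key.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= WINDOW]
            techs = {e[1] for e in in_window}
            if len(techs) >= MIN_DISTINCT:
                alerts.append({"host": host, "parent": parent, "start": start,
                               "techniques": sorted(techs),
                               "commands": [e[2] for e in in_window]})
                break   # one alert per host/parent pair
    return alerts


# Constructed sample: a burst spawned from explorer.exe (where the orchestrator
# is injected) and two unrelated, widely spaced commands on another host.
SAMPLE_LOG = """\
2020-01-14T09:02:11\tWS-MFA-07\texplorer.exe\tcmd.exe /c ipconfig /all
2020-01-14T09:02:40\tWS-MFA-07\texplorer.exe\tcmd.exe /c net group /domain
2020-01-14T09:03:05\tWS-MFA-07\texplorer.exe\tcmd.exe /c systeminfo
2020-01-14T09:03:30\tWS-MFA-07\texplorer.exe\tcmd.exe /c fsutil fsinfo drives
2020-01-14T09:04:02\tWS-MFA-07\texplorer.exe\tcmd.exe /c net view
2020-01-14T09:04:10\tWS-MFA-07\texplorer.exe\tnotepad.exe report.txt
2020-01-14T11:30:00\tWS-HR-02\tcmd.exe\tipconfig
2020-01-14T17:45:00\tWS-HR-02\tcmd.exe\tsysteminfo
"""

if __name__ == "__main__":
    for a in detect_recon_bursts(SAMPLE_LOG.splitlines()):
        print(a["host"], a["parent"], a["start"], a["techniques"])
```

Feeding it real Sysmon event 1 or Security 4688 records requires only replacing parse_event with the corresponding field mapping.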



Matthieu Faou



The Blue Mockingbird Malware Group Exploits Vulnerabilities in Organizations’ Networks

Another notorious cryptocurrency-mining malware operation has surfaced which has allegedly been infecting the systems of countless organizations. The group controlling the operation goes by the code name “Blue Mockingbird”.

The researchers who discovered it have reasons to believe that Blue Mockingbird has been active since December 2019. Per them, it targets “public-facing servers” that run “ASP.NET” apps using the “Telerik framework” for their User Interface (UI).

Reportedly, the vulnerability the hackers exploit is CVE-2019-18935, which is used to embed a web shell on the target’s server. Per the same report, they then employ a version of “the Juicy Potato technique” to obtain admin access and alter the server settings to gain “(re)boot persistence”.

After having obtained complete access to a system, sources mention, the group installs a version of XMRig, a well-known mining application for the “Monero (XMR)” cryptocurrency.

As per reports, if the public-facing IIS servers are linked to a company’s internal network, the group may try to expand internally through improperly secured Server Message Block (SMB) connections or Remote Desktop Protocol (RDP).

The exact number of infections the botnet has caused isn’t clear, but estimates put it at a minimum of 1,000 infections. There also doesn’t seem to be a way to gauge the intensity of the threat.

Not many of the organizations observed by the researchers were hit with this particular threat, yet the above-mentioned number of infections surfaced over the short period during which they were tracked.

Nevertheless, all companies are susceptible to this attack, even the ones that think they are safe, and the number of infections could be higher than estimated.

As per sources, the allegedly vulnerable Telerik UI component is part of ASP.NET applications; even applications running on their latest versions may bundle an outdated Telerik component that is nonetheless harmful to organizations. This component could exist in applications used by a company without the company even knowing about it, leaving it endangered.

The Telerik UI CVE-2019-18935 vulnerability, per reports, is widely known as the one employed to embed web shells on servers. Another report mentions that this vulnerability is the most exploited and that organizations need to improve their firewalls to fight it. If for some reason organizations don’t have a web application firewall, they could always look for warning precursors on the server and workstations, reports cite.



Insidious Android malware gives up all malicious features but one to gain stealth

ESET researchers detect a new way of misusing Accessibility Service, the Achilles’ heel of Android security

ESET researchers have analyzed an extremely dangerous Android app that can perform a host of nefarious actions, notably wiping out the victim’s bank account or cryptocurrency wallet and taking over their email or social media accounts. Called “DEFENSOR ID”, the banking trojan was available on Google Play at the time of the analysis. The app is fitted with standard information-stealing capabilities; however, this banker is exceptionally insidious in that after installation it requires a single action from the victim – enable Android’s Accessibility Service – to fully unleash the app’s malicious functionality.

The DEFENSOR ID app made it onto the heavily guarded Google Play store thanks to its extreme stealth. Its creators reduced the app’s malicious surface to the bare minimum by removing all potentially malicious functionalities but one: abusing Accessibility Service.

Accessibility Service has long been known to be the Achilles’ heel of the Android operating system. Security solutions can detect it in countless combinations with other suspicious permissions and functions, or malicious functionalities – but when faced with no additional functionality or permission, all of them failed to trigger any alarm on DEFENSOR ID.

By “all” we mean all security mechanisms guarding the official Android app store (including the detection engines of the members of the App Defense Alliance) and all security vendors participating in the VirusTotal program (see Figure 1).

Figure 1. According to the VirusTotal service, no security vendor detected the DEFENSOR ID app until it was pulled off the Play store

DEFENSOR ID was released on Feb 3, 2020 and last updated to v1.4 on May 6, 2020. The latest version is analyzed here; we weren’t able to determine if the earlier versions were also malicious. According to its profile at Google Play (see Figure 2) the app reached a mere 10+ downloads. We reported it to Google on May 16, 2020 and since May 19, 2020 the app has no longer been available on Google Play.

The developer name used, GAS Brazil, suggests the criminals behind the app targeted Brazilian users. Apart from including the country’s name, the app’s name is probably intended to imply a relationship with the antifraud solution named GAS Tecnologia. That security software is commonly installed on computers in Brazil as several banks require it to log into their online banking. However, there is also an English version of the DEFENSOR ID app (see Figure 3) besides the Portuguese one, and that app has neither geographical nor language restrictions.

Playing further off the suggested GAS Tecnologia link, the app promises better security for its users. The description in Portuguese promises more protection for the user’s applications, including end-to-end encryption. Deceptively, the app was listed in the Education section.

Figure 2. The DEFENSOR ID app on Google Play – Portuguese version (translates roughly as: “Your new Defensor app available for: / Individuals / Legal entities / From now on you will have more protection when using your applications, encryption for end-to-end users”)

Figure 3. The DEFENSOR ID app on Google Play – English version

Functionality

After starting, DEFENSOR ID requests the following permissions:

  • allow modify system settings
  • permit drawing over other apps, and
  • activate accessibility services.

If an unsuspecting user grants these permissions (see Figure 4), the trojan can read any text displayed in any app the user may launch – and send it to the attackers. This means the attackers can steal the victim’s credentials for logging into apps, SMS and email messages, displayed cryptocurrency private keys, and even software-generated 2FA codes.

The fact that the trojan can steal the victim’s credentials and can also control their SMS messages and generated 2FA codes means DEFENSOR ID’s operators can bypass two-factor authentication. This opens the door to, for example, fully controlling the victim’s bank account.

To make sure the trojan survives a device restart, it abuses the already activated accessibility services, which will launch the trojan right after startup.

Figure 4. The permission requests by DEFENSOR ID

Our analysis shows the DEFENSOR ID trojan can execute 17 commands received from the attacker-controlled server such as uninstalling an app, launching an app and then performing any click/tap action controlled remotely by the attacker (see Figure 5).

Figure 5. The list of commands DEFENSOR ID may get from its C&C server

In 2018, we saw similar behavior, but all the click actions were hardcoded and suited only for the app of the attacker’s choice. In this case, the attacker can get the list of all installed apps and then remotely launch the victim’s app of their choice to either steal credentials or perform malicious actions (e.g. send funds via a wire transfer).

We believe that this is the reason the DEFENSOR ID trojan requests the user to allow “Modify system settings”. Subsequently, the malware will change the screen off time-out to 10 minutes. This means that, unless victims lock their devices via the hardware button, the timer provides plenty of time for the malware to remotely perform malicious, in-app operations.

If the device gets locked, the malware can’t unlock it.

Malware data leak

When we analyzed the sample, we realized that the malware operators left the remote database with some of the victims’ data freely accessible, without any authentication. The database contained the last activity performed on around 60 compromised devices. We found no other information stolen from the victims to be accessible.

Thanks to this data leak, we were able to confirm that the malware really worked as designed: the attacker had access to the victims’ entered credentials, displayed or written emails and messages, etc.

Once we reached the non-secured database, we were able to directly observe the app’s malicious behavior. To illustrate the level of threat the DEFENSOR ID app posed, we performed three tests.

First, we launched a banking app and entered the credentials there. The credentials were immediately available in the leaky database – see Figure 6.

Figure 6. The banking app test: the credentials as entered (left) and as available in the database (right)

Second, we wrote a test message in an email client. We saw the message uploaded to the attackers’ server within a second – see Figure 7.

Figure 7. The email message test: the message as written (left) and as available in the database (right)

Third, we documented the trojan retrieving the Google Authenticator 2FA code.

Figure 8. The software generated 2FA code as it appeared on the device’s display (left) and as available in the database (right)

Along with the malicious DEFENSOR ID app, another malicious app named Defensor Digital was discovered. Both apps shared the same C&C server, but we couldn’t investigate the latter as it had already been removed from the Google Play store.

Indicators of Compromise (IoCs)

Package Name | Hash | ESET detection name
com.secure.protect.world | F17AEBC741957AA21CFE7C7D7BAEC0900E863F61 | Android/Spy.BanBra.A
com.brazil.android.free | EA069A5C96DC1DB0715923EB68192FD325F3D3CE | Android/Spy.BanBra.A

MITRE ATT&CK techniques

Tactic | ID | Name | Description
Initial Access | T1475 | Deliver Malicious App via Authorized App Store | Impersonates security app on Google Play.
Initial Access | T1444 | Masquerade as Legitimate Application | Impersonates legitimate GAS Tecnologia application.
Discovery | T1418 | Application Discovery | Sends list of installed apps on device.
Impact | T1516 | Input Injection | Can enter text and perform clicks on behalf of user.
Collection | T1417 | Input Capture | Records user input data.
Command and Control | T1437 | Standard Application Layer Protocol | Uses Firebase Cloud Messaging for C&C.



Lukas Stefanko



No “Game over” for the Winnti Group

The notorious APT group continues to play the video game industry with yet another backdoor

In February 2020, we discovered a new, modular backdoor, which we named PipeMon. Persisting as a Print Processor, it was used by the Winnti Group against several video gaming companies that are based in South Korea and Taiwan and develop MMO (Massively Multiplayer Online) games. Video games developed by these companies are available on popular gaming platforms and have thousands of simultaneous players.

In at least one case, the malware operators compromised a victim’s build system, which could have led to a supply-chain attack, allowing the attackers to trojanize game executables. In another case, the game servers were compromised, which could have allowed the attackers to, for example, manipulate in-game currencies for financial gain.

The Winnti Group, active since at least 2012, is responsible for high-profile supply-chain attacks against the software industry, leading to the distribution of trojanized software (such as CCleaner, ASUS LiveUpdate and multiple video games) that is then used to compromise more victims. Recently, ESET researchers also discovered a campaign of the Winnti Group targeting several Hong Kong universities with ShadowPad and Winnti malware.

About the “Winnti Group” naming:

We have chosen to keep the name “Winnti Group” since it’s the name first used to identify it, in 2013, by Kaspersky. Since Winnti is also a malware family, we always write “Winnti Group” when we refer to the malefactors behind the attacks. Since 2013, it has been demonstrated that Winnti is only one of the many malware families used by the Winnti Group.

Attribution to the Winnti Group

Multiple indicators led us to attribute this campaign to the Winnti Group. Some of the C&C domains used by PipeMon were used by Winnti malware in previous campaigns mentioned in our white paper on the Winnti Group arsenal. Besides, Winnti malware was also found in 2019 at some of the companies that were later compromised with PipeMon.

In addition to Winnti malware, a custom AceHash (a credential harvester) binary found at other victims of the Winnti Group, and signed with a well-known stolen certificate used by the group (Wemade IO), was also used during this campaign.

The certificate used to sign the PipeMon installer, modules and additional tools is linked to a video game company that was compromised in a supply-chain attack in late 2018 by the Winnti Group and was likely stolen at that time.

Interestingly, PipeMon modules are installed in %SYSTEM32%\spool\prtprocs\x64; this path was also used in the past to drop the second stage of the trojanized CCleaner.

Additionally, compromising a software developer’s build environment to subsequently compromise legitimate applications is a known modus operandi of the Winnti Group.

Targeted companies

Companies targeted in this campaign are video game developers, producing MMO games and based in South Korea and Taiwan. In at least one case, the attackers were able to compromise the company’s build orchestration server, allowing them to take control of the automated build systems. This could have allowed the attackers to include arbitrary code of their choice in the video game executables.

ESET contacted the affected companies and provided the necessary information to remediate the compromise.

Technical analysis

Two different variants of PipeMon were found at the targeted companies. Only for the more recent variant were we able to identify the first stage which is responsible for installing and persisting PipeMon.

First stage

PipeMon’s first stage consists of a password-protected RARSFX executable embedded in the .rsrc section of its launcher. The launcher writes the RARSFX to setup0.exe in a directory named with a randomly generated, eight-character, ASCII string located in the directory returned by GetTempPath. Once written to disk, the RARSFX is executed with CreateProcess by providing the decryption password in an argument, as follows:

setup0.exe -p*|T/PMR{|T2^LWJ*

Note that the password is different with each sample.

The content of the RARSFX is then extracted into %TMP%\RarSFX0 and consists of the following files:

  • CrLnc.dat – Encrypted payload
  • Duser.dll – Used for UAC bypass
  • osksupport.dll – Used for UAC bypass
  • PrintDialog.dll – Used for the malicious print processor initialization
  • PrintDialog.exe – Legitimate Windows executable used to load PrintDialog.dll
  • setup.dll – Installation DLL
  • setup.exe – Main executable

Note that in the event of a folder name collision, the number at the end of the RarSFX0 string is incremented until a collision is avoided. Further, not all these files are necessarily present in the archive, depending on the installer.

Once extracted, setup.exe is executed without arguments. Its sole purpose is to load setup.dll using LoadLibraryA. Once loaded, setup.dll checks whether an argument in the format -x:n (where n is an integer) was provided; the mode of operation differs depending on the value of n, if any. Supported arguments and their corresponding behavior are shown in Table 1. Since setup.exe is executed without arguments by the RARSFX, it checks whether it’s running with elevated privileges. If not, it attempts to obtain such privileges using token impersonation if the version of Windows is below Windows 7 build 7601; otherwise it attempts different UAC bypass techniques, allowing installation of the payload loader into one of:

  • C:\Windows\System32\spool\prtprocs\x64\DEment.dll
  • C:\Windows\System32\spool\prtprocs\x64\EntAppsvc.dll
  • C:\Windows\System32\spool\prtprocs\x64\Interactive.dll

depending on the variant. Note that we weren’t able to retrieve samples related to Interactive.dll.

Table 1. setup.exe supported arguments and their corresponding behavior.

Command line argument value | Behavior
-x:0 | Load the payload loader.
-x:1 | Attempt to enable SeLoadDriverPrivilege for the current process. If successful, attempt to install the payload loader; otherwise, restart setup.exe with the -x:2 argument using parent process spoofing.
-x:2 | Attempt to enable SeLoadDriverPrivilege for the current process. If successful, attempt to install the payload loader.

This loader is stored encrypted within setup.dll, which will decrypt it before writing it to the aforementioned location.

Persistence using Windows Print Processors

The location where the malicious DLL is dropped was not chosen randomly. This is the path where Windows Print Processors are located and setup.dll registers the malicious DLL loader as an alternative Print Processor by setting one of the following registry values:

HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\PrintFiiterPipelineSvc\Driver = “DEment.dll”

or

HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\lltdsvc1\Driver = “EntAppsvc.dll”

depending on the variant. Note the typo in PrintFiiterPipelineSvc (which has no impact on the Print Processor installation since any name can be used).

After having registered the Print Processor, PipeMon restarts the print spooler service (spoolsv.exe). As a result, the malicious print processor is loaded when the spooler service starts. Since the Print Spooler service starts at each PC startup, this ensures persistence across system restarts.

This technique is really similar to the Print Monitor persistence technique (being used by DePriMon, for example) and, to our knowledge, has not been documented previously.

Additionally, the encrypted payload, CrLnc.dat, extracted from the RARSFX is written to the registry at the following location, depending on the installer:

  • HKLM\SOFTWARE\Microsoft\Print\Components\DC20FD7E-4B1B-4B88-8172-61F0BED7D9E8
  • HKLM\SOFTWARE\Microsoft\Print\Components\A66F35-4164-45FF-9CB4-69ACAA10E52D

This encrypted registry payload is then loaded, decrypted and executed by the previously registered Print Processor library. The whole PipeMon staging and persistence is shown in Figure 1.
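A defender can check the two registry locations just described (the Print Processors registration and the Print\Components payload store) from a registry export rather than on the live host. The following audit is an added example, not ESET's tooling: it parses text in reg-export format, treats the built-in winprint entry as the only known-good Print Processor, and flags everything else; the export sample is constructed from the names given in the article.

```python
"""Audit Print Processor registrations and the Print\\Components key for the
PipeMon persistence pattern.  Added example, not ESET code; parses text in
'reg export' format (constructed sample below) so it can run offline."""
import re

PRINT_PROCESSORS = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)"
    r"\\Control\\Print\\Environments\\Windows x64\\Print Processors\\([^\\]+)$",
    re.IGNORECASE)
PRINT_COMPONENTS = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Print\\Components\\([^\\]+)$",
    re.IGNORECASE)
# winprint is the built-in Print Processor on a default Windows install.
KNOWN_GOOD = {"winprint": "winprint.dll"}


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from reg-export style text.
    The default value appears as '@=' in that format."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and (line.startswith('"') or line.startswith("@")) and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip('"')] = data.strip().strip('"')
    return keys


def audit(text):
    """Return a list of (severity, key, reason) findings."""
    findings = []
    for key, values in parse_reg_export(text).items():
        m = PRINT_PROCESSORS.match(key)
        if m:
            name, driver = m.group(1), values.get("Driver", "")
            if KNOWN_GOOD.get(name.lower()) == driver.lower():
                continue
            if driver.lower() in KNOWN_GOOD.values():
                findings.append(("low", key, f"duplicate registration of {driver}"))
            else:
                shown = driver or "<no Driver value>"
                findings.append(("high", key,
                                 f"unknown Print Processor '{name}' -> {shown}"))
            continue
        m = PRINT_COMPONENTS.match(key)
        if m:
            # Article: PipeMon stores its encrypted payload under GUID-like subkeys here;
            # on a default system this key is not expected to hold binary blobs.
            blobs = [v for v, d in values.items() if d.startswith("hex")]
            findings.append(("high", key,
                             f"Print\\Components subkey '{m.group(1)}' holds "
                             f"{len(blobs)} binary value(s)"))
    return findings


# Constructed export: the default winprint entry, the two registrations named
# in the article (one per variant) and one Components payload key.
SAMPLE_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\winprint]
"Driver"="winprint.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\PrintFiiterPipelineSvc]
"Driver"="DEment.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\lltdsvc1]
"Driver"="EntAppsvc.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Print\Components\DC20FD7E-4B1B-4B88-8172-61F0BED7D9E8]
@=hex:4d,5a,90,00
"""

if __name__ == "__main__":
    for severity, key, reason in audit(SAMPLE_EXPORT):
        print(severity.upper(), reason, "@", key)
```

A real export is produced with reg export of the two parent keys; the file is UTF-16, so open it with that encoding before passing the text to audit().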

Figure 1. PipeMon staging and persistence

PipeMon

We named this new implant PipeMon because it uses multiple named pipes for inter-module communication and according to its PDB path, the name of the Visual Studio project used by its developer is “Monitor”.

As mentioned previously, two different PipeMon variants were found. Considering the first variant, we couldn’t retrieve the installer; thus, we don’t know for sure the persistence technique that was used. But considering that this first variant of PipeMon was also located in the Print Processor directory, it’s likely that the same persistence mechanism was used.

Original variant

PipeMon is a modular backdoor where each module is a single DLL exporting a function called IntelLoader and is loaded using a reflective loading technique. Each module exhibits different functionalities that are shown in Table 2.

The loader, responsible for loading the main modules (ManagerMain and GuardClient) is Win32CmdDll.dll and is located in the Print Processors directory. The modules are stored encrypted on disk at the same location with inoffensive-looking names such as:

  • banner.bmp
  • certificate.cert
  • License.hwp
  • JSONDIU7c9djE
  • D8JNCKS0DJE
  • B0SDFUWEkNCj.logN

Note that .hwp is the extension used by Hangul Word Processor from Hangul Office, which is very popular in South Korea.

The modules are RC4 encrypted and the decryption key Com!123Qasdz is hardcoded into each module. Win32CmdDll.dll decrypts and injects the ManagerMain and GuardClient modules. The ManagerMain module is responsible for decrypting and injecting the Communication module, while the GuardClient module ensures that the Communication module is running and reloads it if necessary. An overview of how PipeMon operates is shown in Figure 2.
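For an analyst triaging files found in the Print Processors directory, the hardcoded RC4 key makes it easy to test whether an innocuous-looking file such as certificate.cert is really an encrypted PipeMon module. The decryptor below is an added example, not ESET's code: it applies plain RC4 with the key stated above and accepts the result only if it carries a valid PE header; the encrypted sample is constructed by encrypting a minimal fake PE with the same key.

```python
"""RC4 decryption of PipeMon's on-disk modules, which the article says are
encrypted with the hardcoded key Com!123Qasdz.  Added analysis example, not
ESET's tooling; the encrypted sample below is constructed."""

PIPEMON_KEY = b"Com!123Qasdz"   # key stated in the article


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob):
    """Sanity check: DOS 'MZ' magic and the e_lfanew pointer landing on 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decrypt_module(blob, key=PIPEMON_KEY):
    """Return the decrypted module if it decrypts to a PE image, else None."""
    plain = rc4(key, blob)
    return plain if looks_like_pe(plain) else None


# Constructed stand-in for a module file: a minimal DOS header whose e_lfanew
# points at offset 0x40, followed by the PE signature and padding.
FAKE_PE = (b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
           + b"PE\x00\x00" + b"\x00" * 16)
ENCRYPTED_SAMPLE = rc4(PIPEMON_KEY, FAKE_PE)

if __name__ == "__main__":
    module = decrypt_module(ENCRYPTED_SAMPLE)
    print("decrypted PE image" if module else "not a PipeMon module")
```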

Win32CmdDll.dll first tries to inject the ManagerMain and GuardClient modules into a process with one of the following names: lsass.exe, wininit.exe or lsm.exe. If that fails, it tries to inject into one of the registered Windows service processes, excluding processes named spoolsv.exe, ekrn.exe (ESET), avp.exe (Kaspersky) or dllhost.exe. As a last option, if everything else failed, it tries to use the processes taskhost.exe, taskhostw.exe or explorer.exe.

The process candidates for Communication module injection must be in the TCP connection table with either 0.0.0.0 as the local address, or an ESTABLISHED connection and owning a LOCAL SERVICE token. These conditions are likely used to hide the Communication module in a process that is already communicating over the network, so that the traffic from the Communication module seems inconspicuous and is possibly also whitelisted in the firewall. If no process meets the previous requirements, the ManagerMain module tries to inject the Communication module into explorer.exe. Processes belonging to Windows Store Apps and processes named egui.exe (ESET) and avpui.exe (Kaspersky) are excluded from the selection.

Table 2. PipeMon module descriptions and their respective PDB paths

Module name | Description | PDB path
Win32CmdDll | Decrypts and loads the ManagerMain and GuardClient modules. | S:\Monitor\Monitor_RAW\Launcher\x64\Release\Win32CmdDll.pdb; S:\Monitor\Monitor_RAW\libs\x64\Release\Win32CmdDll.pdb
GuardClient | Periodically checks whether the Communication module is running and loads it if not. | S:\Monitor\Monitor_RAW\Client\x64\Release\GuardClient.pdb
ManagerMain | Loads the Communication module when executed. Contains the encrypted C&C domain, which is passed to the Communication module via a named pipe. Can execute several commands based on the data received from the Communication module (mostly system information collection and payload injection). | S:\Monitor\Monitor_RAW\Client\x64\Release\ManagerMain.pdb
Communication | Responsible for managing communication between the C&C server and individual modules via named pipes. | S:\Monitor\Monitor_RAW\Client\x64\Release\Communication.pdb; F:\PCC\trunk\Communication\Client\x64\Release\Communication.pdb

Additional modules can be loaded on-demand using dedicated commands (see below), but unfortunately, we weren’t able to discover any of them. The names of these modules are an educated guess based on the named pipes used to communicate with them:

  • Screen
  • Route
  • CMD
  • InCmd
  • File

Inter-module communication

Inter-module communication is performed via named pipes, using two named pipes per communication channel between each individual module, one for sending and one for receiving. Table 3 lists the communication channels and their corresponding named pipes.

Table 3. PipeMon communication channel and their respective named pipes

Communication channel | Named pipe
Communication, Screen | \\.\pipe\ScreenPipeRead%CNC_DEFINED%; \\.\pipe\ScreenPipeWrite%CNC_DEFINED%
Communication, Route | \\.\pipe\RoutePipeWriite%B64_TIMESTAMP%
Communication, ManagerMain | \\.\pipe\MainPipeWrite%B64_TIMESTAMP%; \\.\pipe\MainPipeRead%B64_TIMESTAMP%
GuardClient, ManagerMain | \\.\pipe\MainHeatPipeRead%B64_TIMESTAMP%
Communication, InCmd | \\.\pipe\InCmdPipeWrite%B64_TIMESTAMP%; \\.\pipe\InCmdPipeRead%B64_TIMESTAMP%
Communication, File | \\.\pipe\FilePipeRead%B64_TIMESTAMP%; \\.\pipe\FilePipeWrite%B64_TIMESTAMP%
GuardClient, Communication | \\.\pipe\ComHeatPipeRead%B64_TIMESTAMP%
Communication, CMD | \\.\pipe\CMDPipeRead; \\.\pipe\CMDPipeWrite

The %CNC_DEFINED% string is received from the C&C server and %B64_TIMESTAMP% variables are base64-encoded timestamps such as the ones shown in Table 4.

Table 4. Example timestamps used with named pipes

%BASE64_TIMESTAMP% Decoded timestamp
MjAxOTAyMjgxMDE1Mzc= 20190228101537
MjAxOTA1MjEyMzU2MjQ= 20190521235624
MjAxOTExMjExMjE2MjY= 20191121121626
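The pipe naming scheme of Table 3 and the base64 timestamps of Table 4 are directly usable for hunting: any process creating a pipe with one of these prefixes is worth a look, and a suffix that decodes to a 14-digit timestamp is a strong signal. The Python below is an added example, not code from the report or from ESET; it works on (image, pipe name) pairs such as those Sysmon records in its PipeCreated and PipeConnected events (IDs 17 and 18), and the sample events are constructed, with the timestamps taken from Table 4.

```python
import base64
import re
from datetime import datetime

# Pipe name prefixes from Table 3 (original PipeMon variant). Pipes suffixed with
# %B64_TIMESTAMP% carry a base64 14-digit timestamp; the Screen pipes carry a value
# chosen by the C&C server and the CMD pipes carry nothing.
PIPE_BASES = (
    "ScreenPipeRead", "ScreenPipeWrite", "RoutePipeWriite", "MainPipeWrite",
    "MainPipeRead", "MainHeatPipeRead", "InCmdPipeWrite", "InCmdPipeRead",
    "FilePipeRead", "FilePipeWrite", "ComHeatPipeRead", "CMDPipeRead", "CMDPipeWrite",
)
PIPE_RE = re.compile(
    r"^\\\\\.\\pipe\\(?P<base>" + "|".join(PIPE_BASES) + r")(?P<suffix>.*)$"
)


def decode_timestamp(suffix):
    """Decode a %B64_TIMESTAMP% suffix (base64 of YYYYMMDDHHMMSS) to an ISO 8601
    string, or return None if the suffix is not such a timestamp."""
    try:
        raw = base64.b64decode(suffix, validate=True).decode("ascii")
        return datetime.strptime(raw, "%Y%m%d%H%M%S").isoformat()
    except (ValueError, UnicodeDecodeError):
        return None


def classify_pipe(name):
    """Return (base_name, iso_timestamp_or_None) for a PipeMon-style pipe name,
    or None if the name matches none of the Table 3 patterns."""
    m = PIPE_RE.match(name)
    if not m:
        return None
    return m.group("base"), decode_timestamp(m.group("suffix"))


def hunt_pipe_events(events):
    """Reduce (image, pipe_name) pairs to PipeMon matches with the decoded timestamp.
    A prefix match without a decodable timestamp is still reported (timestamp None)."""
    hits = []
    for image, pipe in events:
        match = classify_pipe(pipe)
        if match:
            hits.append((image, match[0], match[1]))
    return hits


# Constructed sample events (not real telemetry); the timestamps are those of Table 4.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\lsass.exe", "\\\\.\\pipe\\MainPipeReadMjAxOTAyMjgxMDE1Mzc="),
    ("C:\\Windows\\explorer.exe", "\\\\.\\pipe\\FilePipeWriteMjAxOTExMjExMjE2MjY="),
    ("C:\\Windows\\System32\\svchost.exe", "\\\\.\\pipe\\CMDPipeRead"),
    ("C:\\Program Files\\App\\app.exe", "\\\\.\\pipe\\MainPipeReadNotATimestamp"),
    ("C:\\Windows\\System32\\spoolsv.exe", "\\\\.\\pipe\\spoolss"),
]

if __name__ == "__main__":
    for hit in hunt_pipe_events(SAMPLE_EVENTS):
        print(hit)
```

The prefix match alone is enough to raise an alert; the decoded timestamp is a convenience for timelining, since it records when the ManagerMain module created the pipe pair.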

Figure 2. PipeMon IPC scheme (original PipeMon variant)

C&C communication

The Communication module is responsible for managing communications between the C&C server and the other modules via named pipes, similar to the PortReuse backdoor documented in our white paper on the Winnti arsenal.

Its C&C address is hardcoded in the ManagerMain module and encrypted using RC4 with the hardcoded key Com!123Qasdz. It is sent to the Communication module through a named pipe.

A separate communication channel is created for each installed module. The communication protocol used is TLS over TCP. The communication is handled with the HP-Socket library. All the messages are RC4 encrypted using the hardcoded key. If the size of the message to be transferred is greater than or equal to 4KB, it is first compressed using zlib’s Deflate implementation.


Figure 3. C&C message and beacon formats

To initiate communication with the C&C server, a beacon message is first sent that contains the following information:

  • OS version
  • physical addresses of connected network adapters concatenated with %B64_TIMESTAMP%
  • victim’s local IP address
  • backdoor version/campaign ID; we’ve observed the following values
    • “1.1.1.4beat”
    • “1.1.1.4Bata”
    • “1.1.1.5”
  • Victim computer name

The information about the victim’s machine is collected by the ManagerMain module and sent to the Communication module via the named pipe. The backdoor version is hardcoded in the Communication module in cleartext.

The format of the beacon message is shown in Figure 3 and the supported commands are shown in Table 5.

Table 5. List of commands

Command type Command argument Description
0x02 0x03 Install the File module
0x03 0x03 Install the CMD module
0x03 0x0B Install the InCmd module
0x04 0x02 Queue command for the Route module
0x04 0x03 Install the Route module
0x05 * Send victim’s RDP information to the C&C server
0x06 0x05 Send OS, CPU, PC and time zone information to the C&C server
0x06 0x06 Send network information to the C&C server
0x06 0x07 Send disk drive information to the C&C server
0x07 * Send running processes information to the C&C server
0x09 * DLL injection
0x0C 0x15 Send names of “InCmd” pipes and events to the C&C server
0x0C 0x16 Send name of “Route” pipe to the C&C server
0x0C 0x17 Send names of “File” pipes to the C&C server

* The argument supplied for this command type is ignored

Updated variant

As mentioned earlier, the attackers also use an updated version of PipeMon for which we were able to retrieve the first stage described above. While exhibiting an architecture highly similar to the original variant, its code was likely rewritten from scratch.

The RC4 code used to decrypt the modules and strings was replaced by a simple XOR with 0x75E8EEAF as the key, and all the hardcoded strings were removed. The named pipes used for inter-module communication are now named using random values instead of explicit names and conform to the format \\.\pipe\%rand%, where %rand% is a pseudorandomly generated string of 31 characters containing only mixed-case alphabetic characters.
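The hardcoded RC4 key given earlier for the modules, the zlib step from the C&C communication section (messages of 4 KB or more are deflated before encryption), and the XOR key of this updated variant are all a triage analyst needs to decrypt recovered modules and captured messages offline. The following Python is an added example, not ESET's tooling and not the malware's code. Two points are assumptions and are marked as such in the comments: the byte order in which the 32-bit XOR key is applied, and the way a compressed message is recognised (the real flag lives in the header of Figure 3, which is not reproduced here).

```python
import zlib

RC4_KEY = b"Com!123Qasdz"      # hardcoded RC4 key of the original PipeMon variant
XOR_KEY = 0x75E8EEAF           # XOR key of the updated variant
COMPRESS_THRESHOLD = 4 * 1024  # messages of at least 4 KB are deflated before RC4


def rc4(key, data):
    """Plain RC4 (KSA + PRGA). Decryption is the same operation as encryption."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_dword(data, key=XOR_KEY, little_endian=True):
    """Repeating 4-byte XOR used by the updated variant. ASSUMPTION: the 32-bit key
    is applied as a little-endian dword (byte stream AF EE E8 75); if a blob still
    looks like noise after decryption, retry with little_endian=False."""
    kb = key.to_bytes(4, "little" if little_endian else "big")
    return bytes(b ^ kb[i % 4] for i, b in enumerate(data))


def decrypt_module(blob, variant):
    """Decrypt a module recovered from disk (original variant, RC4) or from the
    registry (updated variant, XOR); accept it only if it is a PE image ('MZ')."""
    if variant == "original":
        plain = rc4(RC4_KEY, blob)
    elif variant == "updated":
        plain = xor_dword(blob)
    else:
        raise ValueError("variant must be 'original' or 'updated'")
    return plain if plain.startswith(b"MZ") else None


def decode_message(ciphertext):
    """Undo the original variant's message protection: RC4, then inflate when the
    payload was compressed. Returns (plaintext, was_compressed). ASSUMPTION: the
    compression flag of the real header is not modelled, so a zlib stream is
    detected by simply attempting to inflate the decrypted bytes."""
    plain = rc4(RC4_KEY, ciphertext)
    try:
        return zlib.decompress(plain), True
    except zlib.error:
        return plain, False


def encode_message(plaintext):
    """Mirror of decode_message, used here only to build offline test vectors."""
    body = zlib.compress(plaintext) if len(plaintext) >= COMPRESS_THRESHOLD else plaintext
    return rc4(RC4_KEY, body)


# Constructed stand-in for a PE module (a real one would be a complete DLL).
FAKE_MODULE = b"MZ" + bytes(range(64))

if __name__ == "__main__":
    print(decrypt_module(rc4(RC4_KEY, FAKE_MODULE), "original") == FAKE_MODULE)
    print(decode_message(encode_message(b"A" * 5000))[1])  # True: it was deflated
```

When applying this to real files, the MZ check is what distinguishes a correct key and byte order from garbage, so keep it even if a blob decrypts without error.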

Here, only the main loader (i.e. the malicious DLL installed as a Print Processor) is stored as a file on disk; the modules are stored in the registry by the installer (from the CrLnc.dat file) and are described in Table 6.

Table 6. Updated modules

Module name Description
CoreLnc.dll Loaded by the malicious Print Processor. Responsible only for loading the Core.dll module embedded in its .data section.
Core.dll Loads the Net.dll module embedded in its .data section. Handles commands from the C&C server and communications between individual modules and the C&C server through named pipes.
Net.dll New Communication module. Handles the networking.

Module injection is no longer performed using the reflective loading technique with an export function; custom loader shellcode is used instead and is injected along with the module to be loaded.

The C&C message format was changed as well, and is shown in Figure 4.


Figure 4. Previous (top) and updated (bottom) C&C message format

Interestingly, the backdoor’s configuration is encrypted and embedded in the loader DLL. The configuration contains:

  • Name of the registry value
  • Campaign identifier
  • C&C IP addresses or domain names
  • Timestamp (in FILETIME format) corresponding to the date from which to start using a second C&C domain marked with ‘#’ in the configuration.

An example of a configuration dump embedded in the loader DLL is shown in Figure 5. Configurations extracted from several loader DLLs are shown in Table 7.

Figure 5. Example of decrypted configuration (with a few zero bytes removed because of image size)

Table 7. Configuration extracted from several loaders

Loader SHA-1 | Campaign ID | Payload registry name | C&C IP/domains | Alternative domain activation timestamp
6c97039605f93ccf1afccbab8174d26a43f91b20 | KOR2 | DC20FD7E-4B1B-4B88-8172-61F0BED7D9E8 | 154.223.215.116; ssl2.dyn-tracker.com; #client.gnisoft.com | 0x01d637a797cf0000 (Monday, June 1, 2020 12:00:00am)
97da4f938166007ce365c29e1d685a1b850c5bb0 | KOR | DC20FD7E-4B1B-4B88-8172-61F0BED7D9E8 | 203.86.239.113; ssl2.dyn-tracker.com; #client.gnisoft.com | 0x01d637a797cf0000 (Monday, June 1, 2020 12:00:00am)
7ca43f3612db0891b2c4c8ccab1543f581d0d10c | kor1 | DC20FD7E-4B1B-4B88-8172-61F0BED7D9E8 | 203.86.239.113; www2.dyn.tracker.com (note the typo here: dyn.tracker instead of dyn-tracker); #nmn.nhndesk.com | 0x01d61f4b7500c000 (Friday, May 1, 2020 12:00:00am)
b02ad3e8b1cf0b78ad9239374d535a0ac57bf27e | tw1 | A66F35-4164-45FF-9CB4-69ACAA10E52D | ssl.lcrest.com |
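The activation timestamps in Table 7 are raw FILETIME values, and the '#' prefix marks the fallback C&C described in the configuration list above. The Python below is an added example (not ESET's code) that converts FILETIME to UTC, reproduces the two dates printed in the table, and models which C&C set the implant would use on a given date. The values come from Table 7; the configuration dictionary layout is mine, not the binary format of Figure 5, and the fallback is modelled as an exclusive switch, which is an assumption: the report says only from which date the second domain starts being used.

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-ns ticks since 1601-01-01 00:00:00 UTC.
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a Windows FILETIME integer to a timezone-aware UTC datetime."""
    return WINDOWS_EPOCH + timedelta(microseconds=filetime // 10)


def filetime_to_iso(filetime):
    return filetime_to_datetime(filetime).isoformat()


def parse_config(campaign, registry_value, cnc_entries, activation_hex):
    """Build a configuration dict from the Table 7 columns (layout is mine).
    Entries prefixed with '#' are the alternative C&C servers that become active
    from the activation timestamp; activation_hex may be None (no fallback)."""
    primaries = [e for e in cnc_entries if not e.startswith("#")]
    alternates = [e[1:] for e in cnc_entries if e.startswith("#")]
    activation = filetime_to_datetime(int(activation_hex, 16)) if activation_hex else None
    return {
        "campaign": campaign,
        "registry_value": registry_value,
        "primaries": primaries,
        "alternates": alternates,
        "activation": activation,
    }


def active_cnc(config, now_iso):
    """C&C list the implant would use at the given UTC time (ISO 8601 string).
    ASSUMPTION: once the activation date is reached only the '#' entries are used."""
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    activation = config["activation"]
    if activation is not None and config["alternates"] and now >= activation:
        return config["alternates"]
    return config["primaries"]


# Configurations copied from Table 7 (report IoCs, not constructed values).
KOR2 = parse_config(
    "KOR2", "DC20FD7E-4B1B-4B88-8172-61F0BED7D9E8",
    ["154.223.215.116", "ssl2.dyn-tracker.com", "#client.gnisoft.com"],
    "0x01d637a797cf0000",
)
KOR1 = parse_config(
    "kor1", "DC20FD7E-4B1B-4B88-8172-61F0BED7D9E8",
    ["203.86.239.113", "www2.dyn.tracker.com", "#nmn.nhndesk.com"],  # typo as in the sample
    "0x01d61f4b7500c000",
)
TW1 = parse_config("tw1", "A66F35-4164-45FF-9CB4-69ACAA10E52D", ["ssl.lcrest.com"], None)

if __name__ == "__main__":
    for cfg in (KOR2, KOR1, TW1):
        print(cfg["campaign"], cfg["activation"], active_cnc(cfg, "2020-06-01"))
```

For detection purposes the practical consequence is that a host infected before the activation date will change its C&C destination at midnight UTC on that date, so both the primary and the '#' entries belong on the blocklist from day one.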

Stolen code-signing certificate

PipeMon modules and installers are all signed with the same valid code-signing certificate that was likely stolen during a previous campaign of the Winnti Group. The certificate’s owner revoked it as soon as they were notified of the issue.

Figure 6. Code-signing certificate used to sign PipeMon first stage and modules before (top) and after (bottom) revocation.

On a sample-sharing platform we found other tools signed with this certificate, such as HTRan (a connection bouncer), the WinEggDrop port scanner, Netcat and Mimikatz, which may have been used by the attackers as well.

Furthermore, a custom AceHash build signed with a stolen Wemade IO certificate, already mentioned in our previous white paper and usually used by the Winnti Group, was found on some machines compromised with PipeMon.

Conclusion

Once again, the Winnti Group has targeted video game developers in Asia with a new modular backdoor signed with a code-signing certificate likely stolen during a previous campaign and sharing some similarities with the PortReuse backdoor. This new implant shows that the Winnti Group is still actively developing new tools using multiple open source projects; they don’t rely solely on their flagship backdoors, ShadowPad and the Winnti malware.

We will continue to monitor new activities of the Winnti Group and will publish relevant information on our blog. For any inquiries, contact us at [email protected]. The IoCs are also available at our GitHub repository.

Indicators of Compromise

ESET detection names

Win64/PipeMon.A
Win64/PipeMon.B
Win64/PipeMon.C
Win64/PipeMon.D
Win64/PipeMon.E

Filenames

100.exe
103.exe
Slack.exe
setup.exe
%SYSTEM32%\spool\prtprocs\x64\DEment.dll
%SYSTEM32%\spool\prtprocs\x64\EntAppsvc.dll
%SYSTEM32%\spool\prtprocs\x64\Interactive.dll
%SYSTEM32%\spool\prtprocs\x64\banner.bmp
%SYSTEM32%\spool\prtprocs\x64\certificate.cert
%SYSTEM32%\spool\prtprocs\x64\License.hwp
%SYSTEM32%\spool\prtprocs\x64\D8JNCKS0DJE
%SYSTEM32%\spool\prtprocs\x64\B0SDFUWEkNCj.log
%SYSTEM32%\spool\prtprocs\x64\K9ds0fhNCisdjf
%SYSTEM32%\spool\prtprocs\x64\JSONDIU7c9djE
%SYSTEM32%\spool\prtprocs\x64\NTFSSSE.log
AceHash64.exe
mz64x.exe

Named pipes

\\.\pipe\ScreenPipeRead%CNC_DEFINED%
\\.\pipe\ScreenPipeWrite%CNC_DEFINED%
\\.\pipe\RoutePipeWriite%B64_TIMESTAMP%
\\.\pipe\MainPipeWrite%B64_TIMESTAMP%
\\.\pipe\MainPipeRead%B64_TIMESTAMP%
\\.\pipe\MainHeatPipeRead%B64_TIMESTAMP%
\\.\pipe\InCmdPipeWrite%B64_TIMESTAMP%
\\.\pipe\InCmdPipeRead%B64_TIMESTAMP%
\\.\pipe\FilePipeRead%B64_TIMESTAMP%
\\.\pipe\FilePipeWrite%B64_TIMESTAMP%
\\.\pipe\ComHeatPipeRead%B64_TIMESTAMP%
\\.\pipe\CMDPipeRead
\\.\pipe\CMDPipeWrite

Registry

HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\PrintFiiterPipelineSvc\Driver = “DEment.dll”

HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\lltdsvc1\Driver = “EntAppsvc.dll”

HKLM\SOFTWARE\Microsoft\Print\Components\DC20FD7E-4B1B-4B88-8172-61F0BED7D9E8
HKLM\SOFTWARE\Microsoft\Print\Components\A66F35-4164-45FF-9CB4-69ACAA10E52D
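Because the persistence mechanism is a registered Print Processor, the registry keys above are a cheap place to audit. The Python below is an added example, not from the report or from ESET: it flags every Print Processor whose Driver value is not the default winprint.dll that Windows ships, and separately calls out the loader filenames from the IoC list. The KNOWN_GOOD set is my assumption (printer vendors legitimately register their own processors, so a non-default entry is a lead to verify, not a verdict); the sample entries and the vendorpp.dll name are constructed. On a Windows host the same assessment runs against the live registry through winreg.

```python
try:
    import winreg  # Windows only; the assessment logic below runs anywhere
except ImportError:
    winreg = None

# Both control sets appear in the registry IoCs above.
PRINT_PROCESSOR_KEYS = (
    r"SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors",
    r"SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors",
)
KNOWN_GOOD = {"winprint.dll"}  # ASSUMPTION: only the default Windows print processor is expected
IOC_DLLS = {"dement.dll", "entappsvc.dll", "interactive.dll"}  # loader names from the IoC list


def assess_print_processors(entries):
    """entries: iterable of (subkey_name, driver_dll) pairs.
    Returns (subkey_name, driver_dll, reason) for every entry worth a look."""
    findings = []
    for name, driver in entries:
        dll = driver.strip().lower()
        if dll in IOC_DLLS:
            findings.append((name, driver, "known PipeMon loader filename"))
        elif dll not in KNOWN_GOOD:
            # Vendor processors land here too, hence a review request rather than a verdict.
            findings.append((name, driver, "non-default print processor, verify publisher and signature"))
    return findings


def read_print_processors(key_path):
    """Enumerate (subkey, Driver) pairs from a live Windows registry."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        index = 0
        while True:
            try:
                sub = winreg.EnumKey(key, index)
            except OSError:  # no more subkeys
                break
            index += 1
            with winreg.OpenKey(key, sub) as subkey:
                try:
                    driver, _ = winreg.QueryValueEx(subkey, "Driver")
                except FileNotFoundError:
                    driver = ""
            entries.append((sub, driver))
    return entries


# Constructed sample: the default processor, the two registry IoCs above and a
# made-up vendor processor, to show the difference between the two finding types.
SAMPLE_ENTRIES = [
    ("winprint", "winprint.dll"),
    ("PrintFiiterPipelineSvc", "DEment.dll"),
    ("lltdsvc1", "EntAppsvc.dll"),
    ("VendorPrintProc", "vendorpp.dll"),
]

if __name__ == "__main__":
    entries = SAMPLE_ENTRIES
    if winreg is not None:
        entries = []
        for path in PRINT_PROCESSOR_KEYS:
            try:
                entries.extend(read_print_processors(path))
            except OSError:  # control set not present on this host
                pass
    for finding in assess_print_processors(entries):
        print(finding)
```

A DLL named in a Print Processors subkey must also exist under %SYSTEM32%\spool\prtprocs\x64, so pairing this audit with a signature check of the files in that directory closes the loop.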

Samples

First stage

4B90E2E2D1DEA7889DC15059E11E11353FA621A6
C7A9DCD4F9B2F26F50E8DD7F96352AEC7C4123FE
3508EB2857E279E0165DE5AD7BBF811422959158
729D526E75462AA8D33A1493B5A77CB28DD654BC
5663AF9295F171FDD41A6D819094A5196920AA4B

PipeMon

23789B2C9F831E385B22942DBC22F085D62B48C7
53C5AE2655808365F1030E1E06982A7A6141E47F
E422CC1D7B2958A59F44EE6D1B4E10B524893E9D
5BB96743FEB1C3375A6E2660B8397C68BEF4AAC2
78F4ACD69DC8F9477CAB9C732C91A92374ADCACD
B56D8F826FA8E073E6AD1B99B433EAF7501F129E
534CD47EB38FEE7093D24BAC66C2CF8DF24C7D03

PipeMon encrypted binaries

168101B9B3B512583B3CE6531CFCE6E5FB581409
C887B35EA883F8622F7C48EC9D0427AFE833BF46
44D0A2A43ECC8619DE8DB99C1465DB4E3C8FF995
E17972F1A3C667EEBB155A228278AA3B5F89F560
C03BE8BB8D03BE24A6C5CF2ED14EDFCEFA8E8429
2B0481C61F367A99987B7EC0ADE4B6995425151C

Additional tools

WinEggDrop

AF9C220D177B0B54A790C6CC135824E7C829B681

Mimikatz

4A240EDEF042AE3CE47E8E42C2395DB43190909D
FD4567BB77F40E62FD11BEBF32F4C9AC00A58D53

Netcat

751A9CBFFEC28B22105CDCAF073A371DE255F176

HTran

48230228B69D764F71A7BF8C08C85436B503109E

AceHash

D24BBB898A4A301870CAB85F836090B0FC968163

Code-signing certificate SHA-1 thumbprints

745EAC99E03232763F98FB6099F575DFC7BDFAA3
2830DE648BF0A521320036B96CE0D82BEF05994C

C&C domains

n8.ahnlabinc[.]com
owa.ahnlabinc[.]com
ssl2.ahnlabinc[.]com
www2.dyn.tracker[.]com
ssl2.dyn-tracker[.]com
client.gnisoft[.]com
nmn.nhndesk[.]com

C&C IP addresses

154.223.215[.]116
203.86.239[.]113

Tactic | ID | Name | Description
Persistence | T1013 | Port Monitor | PipeMon uses a persistence technique similar to Port Monitor based on Print Processors.
Privilege Escalation | T1134 | Access Token Manipulation | The PipeMon installer tries to gain administrative privileges using token impersonation.
Privilege Escalation | T1088 | Bypass User Account Control | The PipeMon installer uses UAC bypass techniques to install the payload.
Privilege Escalation | T1502 | Parent PID Spoofing | The PipeMon installer uses parent PID spoofing to elevate privileges.
Defense Evasion | T1116 | Code Signing | PipeMon, its installer and additional tools are signed with stolen code-signing certificates.
Defense Evasion | T1027 | Obfuscate Files or Information | PipeMon modules are stored encrypted on disk.
Defense Evasion | T1112 | Modify Registry | The PipeMon installer modifies the registry to install PipeMon as a Print Processor.
Defense Evasion | T1055 | Process Injection | PipeMon injects its modules into various processes using reflective loading.
Discovery | T1057 | Process Discovery | PipeMon iterates over the running processes to find a suitable injection target.
Discovery | T1063 | Security Software Discovery | PipeMon checks for the presence of ESET and Kaspersky software.
Collection | T1113 | Screen Capture | One of the PipeMon modules is likely a screenshotter.
Command and Control | T1043 | Commonly Used Ports | PipeMon communicates through port 443.
Command and Control | T1095 | Custom Command and Control Protocol | The PipeMon communication module uses a custom protocol based on TLS over TCP.
Command and Control | T1032 | Standard Cryptographic Protocol | PipeMon communication is RC4 encrypted.
Command and Control | T1008 | Fallback Channels | The updated PipeMon version uses a fallback channel once a particular date is reached.



Mathieu Tartare and Martin Smolár



ProLock Ransomware Operators Join Hands with QakBot Trojan to Infect Victims’ Networks

‘Human-operated ransomware’ has been on the rise with the emergence of ProLock in March. The new ransomware came as a successor to ‘PwndLocker’, another malware variant that targeted all the major industries, from finance and retail to healthcare and government organizations. Notably, in late April, the attack on Diebold Nixdorf, the largest ATM provider in the United States, was the first major attack carried out by ProLock; according to media reports, the attackers compromised only the company’s corporate network, while its ATMs and customer networks were left untouched.

To gain access to targets’ networks, ProLock has joined hands with QakBot, a financial malware that primarily targets businesses. Since its initial online fraud attacks, the banking trojan has constantly evolved, adding SOCKS proxy and anti-research capabilities and becoming effective at stealing victims’ online banking credentials. The malware has been upgraded to the point that one of its current variants can even disable security software running on endpoints. Interestingly, the assistance of QakBot, which distinguishes ProLock from other ransomware operators, further strengthens its operations by providing credential dumping and anti-detection techniques.

ProLock uses RDP and QakBot to set the attack in motion; they help the threat actors evade detection and maintain persistence. Researchers say QBot specializes in bypassing detection because it is programmed to check for its latest version and replace its current version with the newest one. Meanwhile, to gain persistence in the network, the attackers use legitimate accounts for RDP. RDP allows the malware to move laterally across networks and gather data, which is later exfiltrated through a command-line tool. In parallel, ProLock encrypts files, adding a .proLock, .pr0Lock or .proL0ck extension to every encrypted file, and leaves a ransom note demanding payment in exchange for the data. However, as of now, ProLock does not have a website on which to publish victims’ stolen data if the ransom is not paid.

“ProLock uses many similar techniques as other ransomware operators to achieve their goals,” said Oleg Skulkin, senior digital forensics analyst at Group-IB in a recent analysis. “At the same time, however, the group does have its own unique approach. With more and more cybercrime groups showing interest in enterprise ransomware deployment campaigns, some operators may be involved in deploying different ransomware families, so we’ll likely see more overlaps in tactics, techniques, and procedures.”



Sophos found the group abusing NSIS installers and deploying remote access tools (RATs)


Security researchers at Sophos have identified a hacking group that compromised industrial companies using NSIS installers to deploy remote access tools (RATs) and info-stealing malware.

The group, dubbed “RATicate”, targeted companies in Europe, the Middle East and the Republic of Korea in five campaigns between November 2019 and January 2020, and Sophos researchers suspect it was behind earlier attacks as well.

The targeted companies ranged from the industrial sector, particularly manufacturing, to investment firms and internet companies. Namely,

  • “an electrical equipment manufacturer in Romania;
  • a Kuwaiti construction services and engineering company;
  • a Korean internet company;
  • a Korean investment firm;
  • a British building supply manufacturer;
  • a Korean medical news publication;
  • Korean telecommunications and electrical cable manufacturer;
  • a Swiss publishing equipment manufacturer;
  • a Japanese courier and transportation company.”

(as reported by BleepingComputer in their blog)

Two Infection Chains

The hackers used two infection chains, both relying on phishing emails to deploy payloads, with one small difference:

  • The first chain had ZIP, UDF and IMG attachments carrying NSIS (Nullsoft Scriptable Install System) installers.
  • The second chain had XLS and RTF documents that downloaded the payload from a remote server to the user’s machine.

“We considered two possible scenarios: either the malicious NSIS package is a generic packer sold on dark forums; or, the same threat actor is using a custom loader to deploy different payloads in a variety of their attacks,” Sophos reports.

The NSIS installers hid the dropped malware by also dropping junk files, such as images, source code files, shell scripts and Python binaries.

“During the analysis of the samples we collected—conducted both manually and with the aid of sandboxing tools—we found several different families of RATs and info stealers,” Sophos explains.

“These included Lokibot, Betabot, Formbook, and AgentTesla. But all of them followed the same multi-stage unpacking process when executed.”

One Actor, Multiple Campaigns

Sophos found that RATicate was the key player behind five sequential campaigns between November 2019 and January 2020 that used similar payloads and commands.

The security researchers “found that some of the different payloads from each campaign (mostly Betabot, Lokibot, AgentTesla, and Formbook) shared the same C&C,” suggesting the same threat group.

“There was also a distinct clustering of the campaign timelines—there was never any overlap between them, suggesting that they were operated serially by the same threat actors.”

“Some of the infrastructures were also shared across multiple campaigns, which also suggests the same actor was involved across all of them,” states Sophos.

Now RATicate has found a new lure and payload: using COVID-19 to trick people into installing malware on their systems.



Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia

ESET researchers dissect a backdoor deployed in attacks against multiple government agencies and major organizations operating in two critical infrastructure sectors in Asia

In this joint blogpost with fellow researchers from Avast, we provide a technical analysis of a constantly developed RAT that has been used in various targeted campaigns against both public and private subjects since late 2017. We observed multiple instances of attacks involving this RAT, and all of them happened in Central Asia. Among the targeted subjects were several important companies in the telecommunications and gas industries, and governmental entities.

Moreover, we connect the dots between the latest campaign and three previously published reports: Kaspersky’s Microcin against Russian military personnel, Palo Alto Networks’ BYEBY against the Belarussian government and Checkpoint’s Vicious Panda against the Mongolian public sector. Also, we discuss other malware that was typically a part of the attacker’s toolset together with the RAT. We chose the name Mikroceen to cover all instances of the RAT, in acknowledgement of Kaspersky’s initial report on the family. The misspelling is intentional, in order to avoid the established microbiological notion, but also to have at least phonemic agreement.

Clustering

First let’s discuss the clustering of Mikroceen, which is a simple RAT, and show why we think the reports from Kaspersky, Palo Alto Networks and Checkpoint describe the same specific malware family (among the other malicious tools they mention). Figure 1 compares the decryption loop used for the configuration data, which consists of the C&C domain, a name and a password associated with each sample of the RAT. The loop is practically the same and is implemented three times in a row. Checkpoint also discussed the similarities of the HTTP headers in the data sections of BYEBY and Vicious Panda, and a shared logging message V09SS0lO that base64-decodes to WORKIN. The encoded string is also present in Microcin.

Figure 1. Part of the code used to decipher internal data; the exported DLL name is at the bottom

In the section Attackers’ arsenal below we also compare the command grammar of the RAT’s features and the typical error messages logged during execution with those of its previous instances. Further support comes from the attackers’ preferred infrastructure provider and from the malware most typically found alongside the RAT on the compromised networks. Together, these clues give strong confidence that it is the same malware family.

Timeline & victimology

Figure 2 sketches how the threat was tracked over time. As we mentioned earlier, the Central Asian region joined Russia, Belarus and Mongolia as areas with victims of Mikroceen intrusions. These victims were not desktop users, but endpoints in corporate networks, where a higher level of security is expected.

Figure 2. Timeline of events related to Mikroceen

Figure 3. The recent campaigns in Central Asia surrounded by the previously reported ones

Attackers’ arsenal

Let us describe the tools the attackers used in their campaign in Central Asia. Unfortunately, we were unable to discover how they got into the compromised networks.

RAT (client-side backdoor)

Once the intruders establish a foothold on a victim machine, the code in Figure 4 serves to install the RAT on the system. Note the parameter start= auto, which establishes the malware’s persistence after a reboot.

Figure 4. Installation batch code

As we mentioned earlier, each bot comes with configuration data: C&C, client name and client password. The name of the bot appears in the server-side interface. What is quite unusual is that an operator needs to authenticate by entering the client’s password in order to control the client. We can only speculate about the purpose, but it could serve as protection against botnet takeover in case a competing actor or law enforcement seizes their infrastructure. So we see that a certain effort was put into the security of the client-server connection. Moreover, the client can connect directly to the C&C server or route the traffic via a proxy, which could be useful, especially in corporate networks. The connection is further secured by a certificate, a feature that distinguishes Mikroceen from the legion of backdoors we have seen previously.

Mikroceen uses the same basic features as already described by Palo Alto Networks for BYEBY. The grammar of commands is quite specific, because each command is truncated to 6 letters and then base64 encoded. That results in an 8-letter incomprehensible word in the code. While in previous cases the encoding was straightforward, in the campaign in Central Asia an additional, unknown encryption layer is added. In that case, the mapping between the 8-letter words and the commands was established at the code level.

Command | Microcin, BYEBY, Vicious Panda | Mikroceen
hello! | aGVsbG8h | AmbZDkEx
GOODBY | R09PREJZ | eYTS5IwW
BYE BY | QllFIEJZ | bo7aO8Nb
DISCON | RElTQ09O | 6GEI6owo
LIST D | TElTVCBE | Ki0Swb7I
STARTC | U1RBUlRD | h71RBG8X
COMMAN | Q09NTUFO | 5fdi2TfG
TRANSF + (UPLOAD, DOWNLO) | VFJBTlNG + (VVBMT0FE, RE9XTkxP) | J8AoctiB + (QHbU0hQo, hwuvE43y)
EXECUT | RVhFQ1VU | gRQ7mIYr

Table 1. Command grammar of various instances of the RAT

During execution, the client logs debug messages to a temporary file. The location, filename and keywords vary among Mikroceen instances. Table 2 compares these messages case by case and gives additional evidence linking the instances of Mikroceen.

 | Microcin | BYEBY | Vicious Panda | Mikroceen 32-bit | Mikroceen 64-bit
Folder | %CSIDL_COMMON_DOCUMENTS% | %TEMP% | %CSIDL_COMMON_DOCUMENTS% | %TEMP% | %TEMP%
Filename | 7B296FB0.CAB | vmunisvc.cab | 5E8C6FF0.CAB | 7B296FB0.CAB | W52G86ST.TMP
Keywords at main | V09SS0lO, U3RhcnQ= | V09SS0lO, U3RhcnQ= | V09SS0lO, U3RhcnQ= | V09SS0lO | GvFa8Sei
Keyword at connect | ZGlyZWN0 | ZGlyZWN0 | ZGlyZWN0 | wfZ155bJ | wfZ155bJ

Table 2. Logging messages in a temporary file
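The truncate-then-base64 command grammar of Table 1 and the base64 log keywords of Table 2 can be checked mechanically, and the same check separates the older plain encoding from the additionally encrypted tokens of the Central Asian samples, which do not decode to printable text. The Python below is an added example, not code from the Mikroceen report or from ESET or Avast tooling; the command and keyword values are those of the two tables, and the sample string list is constructed.

```python
import base64

# Commands from Table 1 (plain encoding used by Microcin, BYEBY and Vicious Panda).
COMMANDS = ["hello!", "GOODBY", "BYE BY", "DISCON", "LIST D", "STARTC",
            "COMMAN", "TRANSF", "UPLOAD", "DOWNLO", "EXECUT"]
# Logging keywords from Table 2 that base64-decode cleanly (WORKIN, Start, direct).
LOG_KEYWORDS = ("V09SS0lO", "U3RhcnQ=", "ZGlyZWN0")


def encode_command(command):
    """Truncate to 6 characters, then base64: 'hello!' -> 'aGVsbG8h' (8 letters)."""
    return base64.b64encode(command[:6].encode("ascii")).decode("ascii")


def decode_token(token):
    """Inverse of encode_command for the plain encoding. Returns None for tokens
    that are not valid base64 of printable ASCII, which is what the extra encryption
    layer of the Central Asian Mikroceen samples ('AmbZDkEx', 'wfZ155bJ') yields."""
    try:
        raw = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return raw if raw.isprintable() else None


TOKEN_TO_COMMAND = {encode_command(c): c for c in COMMANDS}


def triage_strings(strings):
    """Map strings extracted from a sample to (kind, token, meaning) for every
    recognised command token or log keyword; unrelated strings are dropped."""
    out = []
    for s in strings:
        if s in TOKEN_TO_COMMAND:
            out.append(("command", s, TOKEN_TO_COMMAND[s]))
        elif s in LOG_KEYWORDS:
            out.append(("log-keyword", s, decode_token(s)))
    return out


# Constructed string list mixing Table 1 / Table 2 values with unrelated text.
SAMPLE_STRINGS = ["V09SS0lO", "aGVsbG8h", "AmbZDkEx", "kernel32.dll", "VFJBTlNG", "ZGlyZWN0"]

if __name__ == "__main__":
    for item in triage_strings(SAMPLE_STRINGS):
        print(item)
```

The 8-letter tokens make good static signatures precisely because they are fixed by the code: a YARA rule over TOKEN_TO_COMMAND's keys catches the plain-encoding instances, while the Mikroceen column of Table 1 has to be matched literally, since its tokens cannot be derived.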

Simultaneously occurring malware

The previous reports always mention a wide arsenal of tools that are used in the attacks. In our case it was the same – not just Mikroceen, but other malware as well. Here are the three most important tools we observed in the compromised networks.

Lateral movement via Mimikatz

The attackers used their own implementation of Mimikatz, delivered via a two-stage mechanism: the first stage was a dropper, usually called installer.exe or Yokel64.exe, which dropped the main payload, with the indicative exported DLL name mktz64.dll, in the second stage. While Mikroceen has never come with debug information, here we can see the string E:\2018_MimHash\mimikatz\Bin\mktzx64.pdb.

Figure 5. A PDB string in the Mimikatz payload

Mimikatz is an open source project by French security researcher Benjamin Delpy, developed since 2007. It’s a robust tool that, among other things, can bypass various Windows authentication schemes, basically by dumping credential data from the Windows Local Security Account database. It’s mainly used by red teams in IT security but also misused across the spectrum of APT actors, e.g. Lazarus Group, Telebots, Okrum etc. After running it in a test virtual environment, its output is (the incorrect spaces before the commas are in the original):

Lateral movement via WMI

The attackers use an additional tool to spread in the hosting network. This time they leverage Windows Management Instrumentation (WMI). All relevant data is needed as the file’s name, as during the execution it expects @@,,,.exe. In the first step, a console to a remote computer is established, where the connection is identified by and authenticated with (, ). Afterwards, proxy security is set to the strict level, which means arguments of each remote procedure call are encrypted and the server’s access to local resources is allowed. Then WMI is used again to retrieve the Win32_Process class, which in turn is used to create a process with given parameters. When all the work is done, the tool terminates itself.

Gh0st RAT

This infamous, old RAT was created around 2008. In this instance it was found as rastls.dll on the compromised systems, while the exported DLL name is usually svchost.dll. It tries to connect with https://yuemt.zzux[.]com:443, which resolves to an IP address in China. This is an exception with no explanation, because the server doesn’t belong to any of the C&C providers used by Mikroceen. From our point of view, it seems redundant to use this additional backdoor, whose capacity is fully provided by Mikroceen itself.

To recognize this backdoor, one observes the string Gh0st within the binary. The character string uwqixgze} is used as a placeholder for the C&C domain.

Figure 6. Gh0st RAT malware (fragment)

C&C panel (server-side interface)

The previous reports already mention the poor operational security of the attackers (their open directories were observed by Kaspersky and Checkpoint), and the actors behind them continue to leak tools not necessarily leveraged on the victims’ side. We were able to get our hands on an older version of the RAT’s control panel. On the lower part of Figure 7 there’s a graphical interface through which all bots are commanded. It is very minimalistic, which may be due to it being an older version from 2017, but still, just compare it with the more than 10-year-old panel of Gh0st RAT. Not much has improved since, visually or functionally, so the introduction of SSL connections seems like the main shift between the projects (the text box for “CN Name” in the figure). It seems that the operators of the botnet are content customers of Vultr services, a child company of Choopa LLC, as their operational infrastructure is mostly hosted there; this was also observed in the Vicious Panda campaign by Checkpoint. This is a bullet-proof provider, documented by researchers from Cisco as early as 2015.


Figure 7. Interfaces for controlling bots: Gh0st RAT (2008) vs. Mikroceen’s interface (2017)

Conclusion

We have presented the analysis of a custom implementation of a client-server model developed for spying purposes. The malware developers put great effort into the security and robustness of the connection with their victims, and the operators managed to penetrate high-profile corporate networks. Moreover, they have a larger set of attack tools at their disposal and their projects are under constant development, mostly visible as variations in obfuscation.

Indicators of Compromise (IoCs)

Here are the hashes of samples described in the article. Additional IoCs collected from the attacks can be found on ESET’s GitHub or Avast’s GitHub.

SHA-1 | Timestamp | Description | ESET detection name
d215bb8af5581b31f194248fc3bd13d999a5991c | 2016-06-29 00:34:42 | Microcin (Kaspersky) 7771e1738fc2e4de210ac06a5e62c534 | Win32/Mikroceen.A
7a63fc9db2bc1e9b1ef793723d5877e6b4c566b8 | 2017-07-06 08:15:31 | BYEBY (PANW) 383a2d8f421ad2f243cbc142e9715c78f867a114b037626c2097cb3e070f67d6 | Win32/Mikroceen.B
2f80f51188dc9aea697868864d88925d64c26abc | 2017-01-28 11:33:43 | Vicious Panda (Checkpoint) | Win32/Mikroceen.C
302cf1a90507efbded6b8f53e380591a3eaf6dcb | 2019-04-25 01:15:40 | Mikroceen 32-bit | Win32/Mikroceen.H
21ffd24b8074d7cffdf4cc339d1fa8fe892eba27 | 2018-12-10 07:46:25 | Mikroceen 64-bit | Win64/Mikroceen.C
5192023133dce042da8b6220e4e7e2e0dcb000b3 | 2019-03-11 12:14:09 | Mimikatz | Win64/Riskware.Mimikatz.AQ
c18602552352fee592972603262fe15c2cdb215a | 2015-03-16 03:29:39 | Lateral Movement via WMI | Win32/HackTool.Agent.NEZ
4de4b662055d3083a1bccf2bc49976cdd819bc01 | 2015-12-31 03:10:15 | Gh0st RAT | Win32/Farfli.CSY

References

  • Vasily Berdnikov, Dmitry Karasovsky, Alexey Shulmin: “Microcin malware”, Kaspersky Labs, 2017-09-25
  • Josh Grunzweig, Robert Falcone: “Threat Actors Target Government of Belarus Using CMSTAR Trojan”, September 2017
  • Checkpoint Research: “Vicious Panda: The COVID Campaign”, 2020-03-12
  • SecDev Group & Citizenlab: “Tracking GhostNet: Investigating a Cyber Espionage Network”, March 2009
  • Dhia Mahjoub, Jeremiah O’Connor, Thibault Reuille, Thomas Mathew: “Phishing, Spiking, and Bad Hosting”, Cisco Umbrella Blog, 2015-09-14
  • “Mimikatz: A little tool to play with Windows security”
  • Peter Kálnai, Anton Cherepanov: “Lazarus KillDisks Central American casino”, WeLiveSecurity.com, April 2018
  • Anton Cherepanov, Robert Lipovský: “New TeleBots backdoor: First evidence linking Industroyer to NotPetya”, WeLiveSecurity.com, October 2018
  • Zuzana Hromcová: “Okrum: Ke3chang group targets diplomatic missions”, WeLiveSecurity.com, July 2019
  • Avast Threat Intelligence, GitHub repository
  • ESET Threat Intelligence, GitHub repository

MITRE ATT&CK techniques

Tactic | ID | Name | Description
Execution | T1035 | Service Execution | The RAT is configured to run as a service at startup via sc.exe.
Execution | T1059 | Command-Line Interface | The RAT can execute a command line.
Execution | T1064 | Scripting | The attackers used batch scripts for malware installation and execution.
Execution | T1105 | Remote File Copy | The RAT can download files to the victim’s machine.
Execution | T1106 | Execution through API | The RAT launches the Windows console via CreateProcess.
Persistence | T1050 | New Service | The RAT is executed automatically as a service.
Defense Evasion | T1036 | Masquerading | The RAT disguises itself as various types of legitimate services.
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | The commands of the RAT and some of its components are encoded/encrypted.
Discovery | T1082 | System Information Discovery | The RAT sends information, such as the operating system version, to be displayed in the operator’s panel.
Discovery | T1016 | System Network Configuration Discovery | The RAT collects network information, including the host IP address and proxy information.
Discovery | T1033 | System Owner/User Discovery | The RAT sends information, such as the username, to be displayed in the operator’s panel.
Credential Access | T1003 | Credential Dumping | Mimikatz is used in the attack.
Command and Control | T1032 | Standard Cryptographic Protocol | The RAT uses SSL for encrypting C2 communications.
Command and Control | T1043 | Commonly Used Port | The RAT uses port 443.
Command and Control | T1071 | Standard Application Layer Protocol | The RAT uses the Schannel implementation of SSL.
Command and Control | T1001 | Data Obfuscation | The RAT’s interface controls the client with obfuscated commands.
Command and Control | T1090 | Connection Proxy | The RAT has a proxy option that masks traffic between the malware and the remote operators.
Exfiltration | T1041 | Exfiltration Over Command and Control Channel | The operator of the RAT can download any desired file from a victim.
Collection | T1113 | Screen Capture | The RAT can capture the victim’s screen.



Peter Kálnai



Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks

ESET researchers uncover several instances of malware that uses various attack vectors to target systems isolated by an air gap

ESET researchers have discovered a previously unreported cyber-espionage framework that we named Ramsay and that is tailored for collection and exfiltration of sensitive documents and is capable of operating within air‑gapped networks.

We initially found an instance of Ramsay in VirusTotal. That sample was uploaded from Japan and led us to the discovery of further components and versions of the framework, along with substantial evidence to conclude that this framework is at a developmental stage, with its delivery vectors still undergoing fine-tuning.

The current visibility of targets is low; based on ESET’s telemetry, few victims have been discovered to date. We believe this scarcity of victims reinforces the hypothesis that this framework is under an ongoing development process, although the low visibility of victims could also be due to the nature of targeted systems being in air‑gapped networks.

Ramsay shares artifacts with the Retro backdoor. That malware has been associated with Darkhotel, a notorious APT group known to have conducted cyber-espionage operations since at least 2004, having targeted government entities in China and Japan in the past.

Attack vectors

Along with the discovery of the different instances of Ramsay, we found they were delivered via a series of attack vectors. These are:

Figure 1. Overview of discovered Ramsay versions

Malicious documents dropping Ramsay version 1

This attack vector consists of malicious documents exploiting CVE-2017-0199 intended to drop an older version of Ramsay.  

This document delivers an initial Visual Basic Script, shown in the listing below as OfficeTemporary.sct, that extracts the Ramsay agent from the document’s body, where it masquerades as a JPG image: a base64-encoded PE placed under a JPG header.

ID  Index   OLE Object
0   0x80c8  Format_id: 2 (Embedded)
            Class name: 'Package'
            Data size: 8994
            OLE Package object:
              Filename: u'OfficeTemporary.sct'
              Source path: u'C:\Intel\OfficeTemporary.sct'
              Temp path = u'C:\Intel\OfficeTemporary.sct'
              MD5 = 'cf133c06180f130c471c95b3a4ebd7a5'
              EXECUTABLE FILE
1   0xc798  Format_id: 2 (Embedded)
            Class name: 'OLE2Link'
            Data size: 2560
            MD5 = 'daee337d42fba92badbea2a4e085f73f'
            CLSID: 00000300-0000-0000-C000-000000000046
            StdOleLink (embedded OLE object – known related to CVE-2017-0199, CVE-2017-8570, CVE-2017-8759 or CVE-2018-8174)
            Possibly an exploit for the OLE2Link vulnerability (VU#921560, CVE-2017-0199)

Table 1. OLE object layout contained within Ramsay version 1 RTF file as seen by oletools

We noticed that the specific Ramsay instance dropped by these documents showed low complexity in its implementation and lacked many of the more advanced features seen leveraged by later Ramsay versions.

Several instances of these same malicious documents were found uploaded to public sandbox engines, labeled as testing artifacts such as ‘access_test.docx’ or ‘Test.docx’ denoting an ongoing effort for trial of this specific attack vector.

Based on the low complexity of the Ramsay agent delivered, the threat actors may be embedding this specific instance within these malicious documents for evaluation purposes.

Decoy installer dropping Ramsay version 2.a

We found one instance uploaded to VirusTotal of Ramsay masquerading as a 7zip installer.

The reason we named this malware Ramsay was due to some of the strings contained in this binary, such as the following:

Figure 2. Strings containing “Ramsay”

This version of Ramsay shows a clear refinement of its evasion and persistence tactics, along with the introduction of new features such as a Spreader component and a rootkit; the Spreader component is documented more thoroughly in the Capabilities section.

Malicious documents dropping Ramsay version 2.b

This attack vector consists of the delivery of a different malicious document abusing CVE-2017-11882. This document drops a Ramsay Installer named lmsch.exe, as shown in Table 2.

ID  Index   OLE Object
0   0x80c8  Format_id: 2 (Embedded)
            Class name: 'Package'
            Data size: 644790
            OLE Package object:
              Filename: u'lmsch.exe'
              Source path: u'C:\fakepath\lmsch.exe'
              Temp path = u'C:\fakepath\lmsch.exe'
              MD5 = '27cd5b330a93d891bdcbd08050a5a6e1'
1   0xc798  Format_id: 2 (Embedded)
            Class name: 'Equation.3'
            Data size: 3584
            MD5 = '5ae434c951b106d63d79c98b1a95e99d'
            CLSID: 0002CE02-0000-0000-C000-000000000046
            Microsoft Equation 3.0 (Known related to CVE-2017-11882 or CVE-2018-0802)
            Possibly an exploit for the Equation Editor vulnerability (VU#421280, CVE-2017-11882)

Table 2. OLE object layout contained within Ramsay version 2.b RTF file as seen by oletools

The Ramsay version leveraged by this document is a slightly modified version of Ramsay version 2.a, with the main difference of not leveraging the spreader component. The functionality of the remaining components is the same in regard to Ramsay version 2.a.

Client Execution of Infected Files

As previously mentioned, Ramsay Version 2.a delivers a Spreader component that will behave as a file infector, changing the structure of benign PE executable files held within removable and network shared drives in order to embed malicious Ramsay artifacts triggered on host file execution.

The Spreader is highly aggressive in its propagation mechanism and any PE executables residing in the targeted drives would be candidates for infection.

Based on compilation timestamps among the components of the various versions of Ramsay found, we can estimate the following development timeline of this framework:

Figure 3. Estimation of Ramsay’s development timeline

The analysis of the different compilation timestamps found across different components implies that this framework has been under development since late 2019, with the possibility of currently having two maintained versions tailored based on the configuration of different targets.

Persistence mechanisms

Based on its version, Ramsay implements various persistence mechanisms of different complexity. Some of these persistence mechanisms are the following:

  • AppInit DLLs

The Windows operating system allows custom DLLs to be loaded into the address space of almost every application process via the AppInit_DLLs registry value. This technique is not particularly complex; it is implemented in early Ramsay versions and is common in other malware families.

  • Scheduled Task via COM API

Scheduled tasks enable administrators to run tasks or “jobs” at designated times rather than every time the system boots or the user logs in. This feature can be driven via the Windows COM API, which is what the first versions of Ramsay use. Based on the high degree of similarity with Carberp’s implementation, it is highly probable that Ramsay’s implementation was adapted from Carberp’s publicly available source code.

More mature versions of Ramsay denote an increase in complexity of its persistence techniques, which include a technique sometimes referred to as “Phantom DLL Hijacking”.

Phantom DLL Hijacking abuses the fact that many Windows applications use outdated dependencies not strictly necessary for the functionality of the application itself, allowing the possibility of leveraging malicious versions of these dependencies.

Two services are targeted by this technique. These are:

  • WSearch (Windows Search) hijacking msfte.dll:

Figure 4. Hijacking of Microsoft Search Service msfte.dll

  • MSDTC (Microsoft Distributed Transaction Coordinator) service hijacking an Oracle dependency, seen below as oci.dll:

Figure 5. Hijacking of MSDTC service dependency oci.dll

This persistence technique is highly versatile, enabling Ramsay agents delivered as DLLs to fragment their logic into separated sections, implementing different functionality tailored for the subject processes where the agent will be loaded. In addition, the use of this technique makes detection more difficult since the loading of these DLLs into their respective processes/services won’t necessarily trigger an alert.

Capabilities

Ramsay’s architecture provides a series of capabilities, monitored via a logging mechanism, intended to assist operators by supplying a feed of actionable intelligence for exfiltration, control and lateral movement actions, as well as overall behavioral and system statistics for each compromised system. These actions are possible thanks to the following capabilities:

  • File collection and covert storage

The primary goal of this framework is to collect all existing Microsoft Word documents within the target’s filesystem. The overall collection stages are shown in Figure 6:

 

Figure 6. Mechanism of document collection

Word documents are first collected and stored in a preliminary collection directory. The location of this directory may vary depending on the Ramsay version. Two of the directories we observed being used for this purpose were %APPDATA%\Microsoft\UserSetting and %APPDATA%\Microsoft\UserSetting\MediaCache.

Depending on the Ramsay version, file collection won’t be restricted to the local system drive, but also will search additional drives such as network or removable drives:

Figure 7. Hex-Rays output of procedure to scan removable drives for collection

Figure 8. Hex-Rays output of procedure to scan network drives for collection

Collected documents are encrypted using the RC4 stream cipher.

The RC4 key used to encrypt each file is the MD5 hash of a randomly generated 16-byte sequence salted with 16 bytes hardcoded in the malware sample. The first 16 bytes of the buffer holding the encrypted file are the actual RC4 key used:

Figure 9. Hex-Rays output of RC4 key generation and storage
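The per-file encryption layout described above, as an added example that is not Ramsay’s code and not from the original article: a pure-Python RC4 together with the key derivation (MD5 over the 16 random bytes and a 16-byte hardcoded salt). The salt value, the concatenation order and the use of os.urandom are assumptions, since the page only gives the scheme. The practical point for an analyst is the last function: because the 16-byte key is stored in the clear ahead of the ciphertext, a collected file can be decrypted without knowing the sample’s salt.

```python
import hashlib
import os
from typing import Optional

# Placeholder for the 16 hardcoded salt bytes; the real value is not given on the page.
HARDCODED_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
KEY_LEN = 16


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling, then keystream XOR). Symmetric: the same call decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_key(random16: bytes, salt: bytes = HARDCODED_SALT) -> bytes:
    """MD5 over the random bytes and the hardcoded salt (concatenation order is an assumption)."""
    if len(random16) != 16 or len(salt) != 16:
        raise ValueError("both inputs must be 16 bytes")
    return hashlib.md5(random16 + salt).digest()  # 16 bytes: the RC4 key


def encrypt_document(plaintext: bytes, random16: Optional[bytes] = None) -> bytes:
    """Produce the described layout: [16-byte key][RC4(key, plaintext)]."""
    if random16 is None:
        random16 = os.urandom(16)  # stand-in for the sample's random generator
    key = derive_key(random16)
    return key + rc4(key, plaintext)


def decrypt_document(blob: bytes) -> bytes:
    """The key travels in the clear in the first 16 bytes, so no secret is needed to recover the file."""
    if len(blob) < KEY_LEN:
        raise ValueError("blob too short to carry an RC4 key")
    return rc4(blob[:KEY_LEN], blob[KEY_LEN:])
```

Running decrypt_document over a recovered buffer returns the original document; nothing from the sample is required. The salt only matters for reproducing the exact key an implant would generate, not for decryption.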

Collected files in the preliminary collection directory are compressed using a WinRAR instance dropped by the Ramsay Installer. The compressed archive is saved within the preliminary collection directory, and a Ramsay container artifact is then generated from it:

Figure 10. Hex-Rays output of Ramsay container generation

As shown in the previous screenshot, these Ramsay containers contain a magic value at the beginning of the file, along with a Hardware Profile GUID denoting an identifier of the victim’s machine; an additional XOR-based encryption layer will be applied to the generated compressed archive. The following diagram shows the structure of these artifacts:

Figure 11. Ramsay Container Structure

Ramsay implements a decentralized way of storing these artifacts among the victim’s file system by using inline hooks applied on two Windows API functions, WriteFile and CloseHandle.

The hooked WriteFile procedure’s main purpose is to save the file handle of the subject file to write and install another hook in the CloseHandle API function. The CloseHandle hooked procedure will then check whether the subject file name has a .doc extension; if that’s the case, it will then append at the end of the subject document the Ramsay container artifact followed by a stream of 1024 bytes denoting a Microsoft Word document footer.

This is done as an evasion measure in order to provide a means to hide the embedded artifact within the subject document from the naked eye:

Figure 12. Hex-Rays output of code for appending Word document footer at the end of the target document

Ramsay containers appended to Word documents are marked in order to avoid redundant artifacts being appended to already affected documents, and the preliminary storage directory is cleared so that a brand-new Ramsay artifact is generated at each interval.

Even though affected documents will be modified, it won’t impact their integrity; each affected Word document remains fully operational after artifact appending has taken place.

Exfiltration of these artifacts is done via an external component that we haven’t been able to retrieve. However, based on the decentralized methodology Ramsay implements for storage of collected artifacts, we believe this component would scan the victim’s file system in search for the Ramsay container’s magic values, in order to identify the location of artifacts to exfiltrate.
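An added model of the container storage described in this section (example code, not Ramsay’s own): a container is built, appended to a .doc file together with a 1024-byte footer exactly once, and a directory tree is then scanned for the magic value the way the unretrieved exfiltration component is presumed to work. The page gives only the field order (magic, hardware-profile GUID, XOR-encrypted archive) and the 1024-byte footer length; the magic value, the XOR key, the length field, the footer bytes and the GUID are placeholders.

```python
import os
import struct

CONTAINER_MAGIC = b"RMSY\x01"       # placeholder; the real magic value is not on the page
XOR_KEY = b"\x5a\xa5\x3c\xc3"        # placeholder repeating key for the XOR layer
FOOTER_LEN = 1024                    # footer length as given on the page
WORD_FOOTER = b"\x00" * FOOTER_LEN   # placeholder for the Word footer bytes


def xor_layer(data: bytes, key: bytes = XOR_KEY) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_container(hw_guid: bytes, archive: bytes) -> bytes:
    """[magic][16-byte hardware-profile GUID][u32 archive length][XOR-encrypted archive]."""
    if len(hw_guid) != 16:
        raise ValueError("expected a 16-byte GUID")
    return CONTAINER_MAGIC + hw_guid + struct.pack("<I", len(archive)) + xor_layer(archive)


def append_container(doc_path: str, hw_guid: bytes, archive: bytes) -> bool:
    """Model of the hooked CloseHandle path: only .doc files, and only once per document.
    Returns True when a container was appended."""
    if not doc_path.lower().endswith(".doc"):
        return False
    with open(doc_path, "rb") as fh:
        if CONTAINER_MAGIC in fh.read():   # already marked: avoid a redundant artifact
            return False
    with open(doc_path, "ab") as fh:       # original bytes stay in place, so Word still opens it
        fh.write(build_container(hw_guid, archive) + WORD_FOOTER)
    return True


def extract_container(data: bytes):
    """Returns (guid, archive) if the bytes carry a container, else None."""
    idx = data.find(CONTAINER_MAGIC)
    if idx < 0:
        return None
    pos = idx + len(CONTAINER_MAGIC)
    if pos + 20 > len(data):
        return None
    guid = data[pos:pos + 16]
    (length,) = struct.unpack("<I", data[pos + 16:pos + 20])
    enc = data[pos + 20:pos + 20 + length]
    if len(enc) != length:
        return None
    return guid, xor_layer(enc)


def scan_for_containers(root: str):
    """What the exfiltration component is presumed to do: hunt the file system for the magic value."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                found = extract_container(fh.read())
            if found:
                hits.append((path, found[0], found[1]))
    return hits


def demo() -> dict:
    """Constructed end-to-end run in a temporary directory."""
    import tempfile
    root = tempfile.mkdtemp(prefix="ramsay_demo_")
    doc = os.path.join(root, "report.doc")
    original = b"\xd0\xcf\x11\xe0 constructed Word document body"
    with open(doc, "wb") as fh:
        fh.write(original)
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"not a Word document")
    guid = bytes(range(16))                               # constructed hardware-profile GUID
    archive = b"Rar!\x1a\x07\x00 constructed archive bytes"
    first = append_container(doc, guid, archive)
    second = append_container(doc, guid, archive)         # must be skipped: already marked
    hits = scan_for_containers(root)
    with open(doc, "rb") as fh:
        data = fh.read()
    return {"first_append": first, "second_append": second, "hits": hits, "guid": guid,
            "archive": archive, "prefix_intact": data.startswith(original),
            "appended_len": len(data) - len(original), "root": root}


if __name__ == "__main__":
    print(demo())
```

A hunt for this kind of storage is the same scan run defensively: any .doc whose size exceeds what its OLE structure accounts for, or whose tail carries a constant marker across many files, is worth a look, since the documents still open normally and a hash comparison against a known-good copy is the only thing that exposes them.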

Unlike most conventional malware, Ramsay does not have a network-based C&C communication protocol, nor does it make any attempt to connect to a remote host for communication purposes. Ramsay’s control protocol follows the same decentralized philosophy implemented for collected artifact storage.

Ramsay will scan all the network shares and removable drives (excluding A: and B: drives usually reserved for floppy disks) for potential control files. First, Ramsay looks for Word documents and also, in more recent versions, for PDFs and ZIP archives:

Figure 13. Hex-Rays output of Ramsay Scan procedure for Control File retrieval

These files are parsed for the presence of a magic marker specific to the control file format. More specifically, Ramsay looks for either of two encoded Hardware Profile GUIDs. One of these GUIDs is hardcoded, as shown in Figure 14, while the other is dynamically generated from the compromised victim’s machine. If either identifier is found, parsing for a command signature is attempted.

Figure 14. Hex-Rays output of Ramsay Control File Parsing

The search for these two GUID instances implies that Ramsay’s control documents can be deliberately crafted to be “victim agnostic”, capable of deploying the same control document instance across a number of victims by leveraging a “global” GUID within control documents. On the other hand, control documents can be crafted by embedding a specific GUID intended to be delivered exclusively on a single victim’s machine. This indicator of Ramsay’s control protocol implementation implies that its backend counterpart may be somewhat automated.

Ramsay control protocol supports three different commands:

Signature | Command
Rr*e#R79m3QNU3Sy | File Execution
CNDkS_&pgaU#7Yg9 | DLL Load
2DWcdSqcv3?(XYqT | Batch Execution

Table 3. Ramsay’s control commands

After a command signature is found, the contained artifact is extracted from the control document’s body and executed; the control document is then restored to its original form.
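An added model of the file-based control protocol described above (example code, not Ramsay’s): the agent scans candidate documents for either the global or its own encoded GUID, then for one of the three command signatures from Table 3, extracts the payload and restores the document. The three signatures are the page’s; the global GUID value, the GUID encoding (a single-byte XOR used purely as a stand-in for the scheme in Figure 21), the record layout [encoded GUID][signature][u32 length][payload] and the scanned roots are assumptions.

```python
import os
import struct

COMMAND_SIGNATURES = {                      # from Table 3
    b"Rr*e#R79m3QNU3Sy": "file_execution",
    b"CNDkS_&pgaU#7Yg9": "dll_load",
    b"2DWcdSqcv3?(XYqT": "batch_execution",
}
CONTROL_EXTENSIONS = (".doc", ".docx", ".pdf", ".zip")   # Word first; PDF and ZIP in later versions
GLOBAL_GUID = "00000000-0000-0000-0000-000000000000"      # placeholder for the hardcoded "global" GUID
ENCODING_KEY = 0x37                                       # placeholder for the real encoding scheme


def encode_guid(guid: str) -> bytes:
    """Stand-in for the GUID encoding; single-byte XOR is only a placeholder."""
    return bytes(b ^ ENCODING_KEY for b in guid.encode())


def build_control_file(original: bytes, target_guid: str, signature: bytes, payload: bytes) -> bytes:
    """Operator side: append [encoded GUID][signature][u32 length][payload] to a benign document."""
    return original + encode_guid(target_guid) + signature + struct.pack("<I", len(payload)) + payload


def parse_control_file(data: bytes, victim_guid: str):
    """Agent side. Returns (command, payload, restored_document) or None if not addressed to us."""
    for guid in (GLOBAL_GUID, victim_guid):          # "victim agnostic" marker, then our own
        marker = encode_guid(guid)
        idx = data.find(marker)
        if idx < 0:
            continue
        pos = idx + len(marker)
        for signature, command in COMMAND_SIGNATURES.items():
            if data.startswith(signature, pos):
                start = pos + len(signature)
                if start + 4 > len(data):
                    break
                (length,) = struct.unpack("<I", data[start:start + 4])
                payload = data[start + 4:start + 4 + length]
                if len(payload) == length:
                    return command, payload, data[:idx]
                break
    return None


def scan_for_control_files(roots, victim_guid: str):
    """Walk the given roots (standing in for network shares and removable drives other than A: and B:)."""
    results = []
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                if not name.lower().endswith(CONTROL_EXTENSIONS):
                    continue
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    parsed = parse_control_file(fh.read(), victim_guid)
                if parsed:
                    command, payload, restored = parsed
                    with open(path, "wb") as fh:   # restore the document to its original form
                        fh.write(restored)
                    results.append((path, command, payload))
    return results


def demo() -> dict:
    """Constructed run: one file addressed to everyone, one to a different victim,
    and one with a non-candidate extension that must be ignored."""
    import tempfile
    root = tempfile.mkdtemp(prefix="ramsay_ctl_")
    victim = "1b2c3d4e-0000-4000-8000-0123456789ab"       # constructed victim GUID
    other = "ffffffff-0000-4000-8000-0123456789ab"        # constructed GUID of another victim
    original = b"Quarterly figures (constructed benign document)\n"
    payload = b"MZ constructed DLL bytes"
    files = {
        "memo.doc": build_control_file(original, GLOBAL_GUID, b"CNDkS_&pgaU#7Yg9", payload),
        "other.pdf": build_control_file(original, other, b"Rr*e#R79m3QNU3Sy", payload),
        "ignored.txt": build_control_file(original, victim, b"2DWcdSqcv3?(XYqT", payload),
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    results = scan_for_control_files([root], victim)
    with open(os.path.join(root, "memo.doc"), "rb") as fh:
        restored = fh.read()
    return {"results": results, "restored": restored, "original": original, "payload": payload}


if __name__ == "__main__":
    print(demo())
```

The two-marker lookup is what makes the backend automatable: the same control document can be dropped on a share for every implant, or addressed to one machine by swapping the GUID, without any network round trip.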

Among the different files dropped by the latest versions of Ramsay we find a Spreader component. This executable will attempt to scan for network shares and removable drives excluding A: and B: drives:

Figure 15. Hex-Rays output of spreader scanning routines

It is important to note the correlation between the drives Ramsay scans for propagation and those it scans for control document retrieval. This ties Ramsay’s spreading and control capabilities together and shows how the operators use the framework for lateral movement, which supports the assessment that the framework was designed to operate within air-gapped networks.

The propagation technique consists mainly of file infection, much like a prepender file infector, generating executables similar in structure to Ramsay’s decoy installers for every accessible PE file on the targeted drives. The following diagram illustrates the changes applied to targeted executables after infection and how these components interact on execution:

Figure 16. File structure changes during an infection and execution

All of the different artifacts involved in the infection stage are either within the context of the spreader or dropped previously by another Ramsay component. Some of the artifacts are parsed for the following tokens:

Figure 17. Hex-Rays output of tokens to search for different artifacts within the spreader context

After a given file has been infected, it will be marked by writing a specific token at the end of it in order to provide the spreader an identifier to prevent redundant infection.

In addition, some components of Ramsay implement a network scanner intended to discover machines within the compromised host’s subnet that are susceptible to the EternalBlue SMBv1 vulnerability (MS17-010). This information is included in the log data Ramsay collects and may be used by operators for further lateral movement over the network at a later stage, via a different channel.

Further remarks

Ramsay’s version 2.a Spreader component was found to have reused a series of tokens seen before in Darkhotel’s Retro Backdoor. These tokens are the following:

Figure 18. Hex-Rays output of Token Reuse with Retro

Figure 19. Token Reuse on Retro URL Crafting

Ramsay identifies victims by calling the GetCurrentHwProfile API to retrieve a GUID for the specific victim’s machine. The same approach is implemented in Retro, and both use the same default GUID in case the API call fails:

Figure 20. Ramsay and Retro GUID generation

Both Ramsay and Retro share the same encoding algorithm to encode the retrieved GUID.

Figure 21. Ramsay and Retro GUID encoding scheme

The GUID retrieved by GetCurrentHwProfile is specific for the system’s hardware but not for the user or PC instance. Therefore, it is likely that by just leveraging this GUID operators may encounter duplicates intended to serialize different victims.

The purpose of this scheme is to generate a GUID which is less likely to be duplicate-prone by ‘salting’ it with the machine’s ethernet adapter address. This implies that Retro and Ramsay share the same scheme to generate unique identifiers.

We also found similarities in the way Ramsay and Retro saved some of their log files, sharing a similar filename convention:

Figure 22. Some of Ramsay and Retro filename convention

It is important to highlight that, among Retro’s documented techniques, it uses malicious instances of msfte.dll, oci.dll and lame_enc.dll via Phantom DLL Hijacking. As previously documented, Ramsay also uses this technique in some of its versions, likewise with msfte.dll and oci.dll.

In addition, we also observed similarities among Ramsay and Retro in regards to the open-source tools used among their toolsets, such as leveraging UACMe for privilege escalation and ImprovedReflectiveDLLInjection for deploying some of their components.

Finally, we noticed Korean language metadata within the malicious documents leveraged by Ramsay, denoting the use of Korean-based templates.

Figure 23. Malicious document metadata showing the Korean word “title”

Conclusion

Based on the different instances of the framework found, Ramsay has gone through various development stages, showing a progressive increase in the number and complexity of its capabilities.

Developers in charge of attack vectors seem to be trying various approaches such as old exploits for Word vulnerabilities from 2017 as well as deploying trojanized applications potentially being delivered via spear-phishing.

We interpret this as the developers having a prior understanding of the victims’ environment and tailoring attack vectors that will successfully intrude into the targeted systems without wasting resources.

Some stages of Ramsay’s framework are still under evaluation, which could explain the current low visibility of victims, having in mind that Ramsay’s intended targets may be under air-gapped networks, which would also impact victim visibility.

We will continue monitoring new Ramsay activities and will publish relevant information on our blog. For any inquiries, contact us at [email protected]. Indicators of Compromise can also be found in our GitHub repository.

Indicators of Compromise (IoCs)

SHA-1 | ESET detection name | Comments
f79da0d8bb1267f9906fad1111bd929a41b18c03 | Win32/TrojanDropper.Agent.SHN | Initial Installer
62d2cc1f6eedba2f35a55beb96cd59a0a6c66880 | Win32/Ramsay.A | Installer Launcher
baa20ce99089fc35179802a0cc1149f929bdf0fa | Win32/HackTool.UACMe.T | UAC Bypass Module
5c482bb8623329d4764492ff78b4fbc673b2ef23 | Win32/HackTool.UACMe.T | UAC Bypass Module
e7987627200d542bb30d6f2386997f668b8a928c | Win32/TrojanDropper.Agent.SHM | Spreader
3bb205698e89955b4bd07a8a7de3fc75f1cb5cde | Win32/TrojanDropper.Agent.SHN | Malware Installer
bd8d0143ec75ef4c369f341c2786facbd9f73256 | Win32/HideProc.M | HideDriver Rootkit
7d85b163d19942bb8d047793ff78ea728da19870 | Win32/HideProc.M | HideDriver Rootkit
3849e01bff610d155a3153c897bb662f5527c04c | Win64/HackTool.Inject.A | Darkhotel Retro Backdoor Loader
50eb291fc37fe05f9e55140b98b68d77bd61149e | Win32/Ramsay.B | Ramsay Initial Installer (version 2.b)
87ef7bf00fe6aa928c111c472e2472d2cb047eae | Win32/Exploit.CVE-2017-11882.H | RTF file that drops 50eb291fc37fe05f9e55140b98b68d77bd61149e
5a5738e2ec8af9f5400952be923e55a5780a8c55 | Win32/Ramsay.C | Ramsay Agent DLL (32-bit)
19bf019fc0bf44828378f008332430a080871274 | Win32/Ramsay.C | Ramsay Agent EXE (32-bit)
bd97b31998e9d673661ea5697fe436efe026cba1 | Win32/Ramsay.C | Ramsay Agent DLL (32-bit)
eb69b45faf3be0135f44293bc95f06dad73bc562 | Win32/Ramsay.C | Ramsay Agent DLL (32-bit)
f74d86b6e9bd105ab65f2af10d60c4074b8044c9 | Win64/Ramsay.C | Ramsay Agent DLL (64-bit)
ae722a90098d1c95829480e056ef8fd4a98eedd7 | Win64/Ramsay.C | Ramsay Agent DLL (64-bit)

MITRE ATT&CK techniques

Tactic | ID | Name | Description
Initial Access | T1091 | Replication Through Removable Media | Ramsay’s spreading mechanism works via removable drives.
Execution | T1106 | Execution through API | Ramsay’s embedded components are executed via CreateProcessA and ShellExecute.
Execution | T1129 | Execution through Module Load | The Ramsay agent can be delivered as a DLL.
Execution | T1203 | Exploitation for Client Execution | Ramsay attack vectors exploit CVE-2017-11882 or CVE-2017-0199.
Execution | T1035 | Service Execution | Ramsay components can be executed as service dependencies.
Execution | T1204 | User Execution | The Ramsay Spreader component infects files within the file system.
Persistence | T1103 | AppInit DLLs | Ramsay can use this registry key for persistence.
Persistence | T1050 | New Service | Ramsay components can be executed as service dependencies.
Persistence | T1053 | Scheduled Task | Ramsay sets a scheduled task to persist after reboot.
Privilege Escalation | T1088 | Bypass User Account Control | Ramsay drops UACMe instances for privilege escalation.
Defense Evasion | T1038 | DLL Search Order Hijacking | Ramsay agents masquerade as service dependencies, leveraging Phantom DLL Hijacking.
Defense Evasion | T1107 | File Deletion | The Ramsay installer is deleted after execution.
Defense Evasion | T1055 | Process Injection | Ramsay’s agent is injected into various processes.
Defense Evasion | T1045 | Software Packing | The Ramsay installer may be packed with UPX.
Discovery | T1083 | File and Directory Discovery | The Ramsay agent scans for files and directories on the system drive.
Discovery | T1135 | Network Share Discovery | The Ramsay agent scans for available network shares.
Discovery | T1057 | Process Discovery | Ramsay checks whether the host is already compromised by looking for specific processes.
Lateral Movement | T1210 | Exploitation of Remote Services | Ramsay’s network scanner may scan the host’s subnet to find targets vulnerable to EternalBlue.
Lateral Movement | T1105 | Remote File Copy | Ramsay attempts to infect files on network shares.
Lateral Movement | T1091 | Replication Through Removable Media | Ramsay attempts to infect files on removable drives.
Collection | T1119 | Automated Collection | The Ramsay agent collects files at intervals.
Collection | T1005 | Data from Local System | The Ramsay agent scans files on the system drive.
Collection | T1039 | Data from Network Shared Drive | The Ramsay agent scans files on network shares.
Collection | T1025 | Data from Removable Media | The Ramsay agent scans files on removable drives.
Collection | T1113 | Screen Capture | The Ramsay agent may generate and collect screenshots.
Command and Control | T1092 | Communication Through Removable Media | The Ramsay agent scans removable drives for the control files of its file-based communication protocol.
Command and Control | T1094 | Custom Command and Control Protocol | Ramsay implements a custom, file-based C&C protocol.
Exfiltration | T1002 | Data Compressed | The Ramsay agent compresses its collection directory.



Ignacio Sanmillan



Breaking news? App promises news feeds, brings DDoS attacks instead

After being targeted by an Android DDoS app, ESET seized the opportunity to analyze the attack and to help put an end to it

ESET researchers discovered a malicious Android app used for launching DDoS attacks. Thanks to the fact it was ESET’s website that was targeted, ESET researchers were able to identify the app, analyze it and report it to Google – who swiftly removed it from the Play store.

The attack targeting ESET’s global website, www.eset.com, occurred in January 2020. It lasted seven hours and was conducted using more than 4,000 unique IP addresses. Those were identified as malicious and blocked for the time of attack.

Our analysis showed the attack was carried out using thousands of instances of the “Updates for Android” app that was – at the time – available on the official Android app store. The app’s only malicious functionality relied on its ability to load JavaScript from an attacker-controlled server and execute it on the user device. This explains why the app made it onto the Play store.

The “Updates for Android” app was first uploaded to the Play store on September 9, 2019. The app’s original version lacked the functionality of loading JavaScript that was, ultimately, abused for carrying out the DDoS attack – it was added in the app’s most recent update two weeks prior to the attack. The app reached over 50,000 installs; we don’t know how many instances of the app were installed after the update or were updated to the malicious version. Based on our notice, Google swiftly removed the app from the Play store.

To garner its victims, and to pose legitimately, the app has a corresponding website, i-updater[.]com, that promotes itself as “daily news updates”. (The website is still live; there are no grounds for any takedown effort as the website itself is not malicious.)

Figure 1. The website promoting the malicious “Updates for Android” app

Functionality

The advertised functionality of the “Updates for Android” app, which is still available in unofficial app sources, is displaying a feed of daily news to the user.

Figure 2. The malicious app’s appearance on Google Play before its removal

Even if the app’s maliciousness is discounted, its name and also the name of its developer, “System apps”, are misleading. The app has nothing to do with any system or system updates.

To avoid suspicion, the app displays some news; however, its main functionality is to receive commands from a pre-defined website that serves as the Command and Control server (C&C). The malware pings the C&C every 150 minutes and provides its device ID – a measure that allows for each device being controlled individually.

Figure 3. List of commands that could be executed by the Updates for Android app

Figure 4. List of commands received from C&C

Malicious functionality

Based on the commands the app receives from the C&C, it can display ads in the user’s default browser (this functionality operates outside the app), hide the app from the user by hiding its icon, and execute arbitrary, remotely supplied JavaScript.

This last functionality was used for carrying out the DDoS attack on the ESET website.

The following information stems from the analysis of the samples used in the attack.

The malware would open a local file named new_method.html that the app carries in its assets. Its goal is to load remote JavaScript served by the C&C server.

Figure 5. The content of the new_method.html file

Based on the JavaScript code received by the app from its C&C, the device connects every second to the target website to flood it with traffic.

Figure 6. Code returned from the attacker’s server and executed by an infected device

The DDoS attack starts with the compromised device receiving a command to load the attacker’s script that specifies the targeted domain. Once the script is loaded, the device starts making requests to the targeted domain until it is served with another script by the C&C server which may contain a different target domain.
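Both behaviours described above leave a recognizable footprint in traffic logs: the C&C check-in recurs at a fixed 150-minute interval, and the flood is one request per second against a single host. The following Python is an added example of how a defender could pick both patterns out of proxy or web-server logs; it is not ESET's code. The log lines are constructed for the demonstration, and their layout ("epoch seconds, client id, destination host, path"), the tolerance and the flood threshold are assumptions.

```python
"""Two traffic-pattern checks: the 150-minute C&C check-in and the
one-request-per-second flood.

Added example, not ESET's code. The log lines are constructed; their
layout ("<epoch seconds> <client id> <destination host> <path>") and
the thresholds are assumptions.
"""
from collections import defaultdict

CHECKIN_PERIOD_S = 150 * 60  # the app pings its C&C every 150 minutes

# Constructed log: deviceA beacons every 9000 s, deviceB browses normally,
# deviceC issues one request per second against a single host.
SAMPLE_LOG = [
    "1580500000 deviceA c2.example.invalid /ping?id=deviceA",
    "1580509000 deviceA c2.example.invalid /ping?id=deviceA",
    "1580518000 deviceA c2.example.invalid /ping?id=deviceA",
    "1580527000 deviceA c2.example.invalid /ping?id=deviceA",
    "1580500100 deviceB news.example.invalid /feed",
    "1580503700 deviceB news.example.invalid /feed",
    "1580505000 deviceB news.example.invalid /article/1",
] + [f"{1580600000 + i} deviceC www.target.invalid /" for i in range(12)]


def parse_log(lines):
    """Turn log lines into (timestamp, client, host) tuples; skip malformed lines."""
    records = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        records.append((int(fields[0]), fields[1], fields[2]))
    return records


def _group(records):
    """Group sorted timestamps by (client, host) pair."""
    by_pair = defaultdict(list)
    for ts, client, host in records:
        by_pair[(client, host)].append(ts)
    for times in by_pair.values():
        times.sort()
    return by_pair


def find_periodic_beacons(records, period_s, tolerance=0.05, min_hits=4):
    """Flag (client, host) pairs whose inter-request gaps all lie within
    tolerance of period_s. A real beacon may add jitter; widen tolerance then."""
    hits = []
    for pair, times in _group(records).items():
        if len(times) < min_hits:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if all(abs(g - period_s) <= period_s * tolerance for g in gaps):
            hits.append(pair)
    return sorted(hits)


def find_flooders(records, window_s=60, threshold=10):
    """Flag (client, host) pairs with at least threshold requests inside any
    window_s-second span (sliding window over the sorted timestamps)."""
    hits = []
    for pair, times in _group(records).items():
        start = 0
        for end in range(len(times)):
            # advance the window start until it spans at most window_s seconds
            while times[end] - times[start] > window_s:
                start += 1
            if end - start + 1 >= threshold:
                hits.append(pair)
                break
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("periodic beacons:", find_periodic_beacons(recs, CHECKIN_PERIOD_S))
    print("flooders:", find_flooders(recs))
```

On the constructed log the beacon check flags only deviceA and the flood check only deviceC; the normal browsing of deviceB matches neither. The periodicity test is strict on purpose, since a fixed check-in timer is what the description gives; a client that randomizes its interval needs a looser tolerance or a histogram of gaps instead.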

Since we started to monitor the website providing C&C functionality to the botnet, we witnessed another six scripts being served, each containing a different domain for the captive devices to attack. Those were notable news and ecommerce sites, most of them in Turkey. Since February 2 the served script has been empty, meaning the attackers kept serving their botnet until two days after Google put an end to (most of) it.

Conclusion

The described method of DDoS attack depends on the number of infected devices available to the attackers. Out of the theoretical number of 50,000+, around 10% were actually involved in the attack.

The described attack shows that attackers may be patient and wait for an app’s user base to grow to the required size before they implement the malicious functionality into the app.

Detecting this kind of malicious functionality is not easy, as the very same technique (of course, without any malicious JavaScript being loaded) is used by dozens of legitimate Android software development kits and frameworks. This means that any plain detection based on such code would result in lots of false positives.

The fact that simple solutions are not viable, however, doesn’t mean the users of Android devices have no chance for protection. We have improved our detection mechanisms based on what we learned from this app’s features and behavior. Some of those improvements have already been implemented in the technologies we use for the protection of the Play store within the App Defense Alliance. Others are being implemented in other security layers in our endpoint security solution, including our machine learning-based detections.

Indicators of Compromise (IoCs)

Package Name | Hash | Detection
com.world.hello.myapplication | 34A6BD8B96729B6F87EC5E4110E02BEE1C76F5A9 | Trojan.Android/Hiddad.AJN

MITRE ATT&CK techniques

Tactic | ID | Name | Description
Initial Access | T1475 | Deliver Malicious App via Authorized App Store | The malware impersonates legitimate services on Google Play.
Persistence | T1402 | App Auto-Start at Device Boot | The malware listens for the BOOT_COMPLETED broadcast, ensuring that the app’s functionality will be activated every time the device starts.
Defense Evasion | T1508 | Suppress Application Icon | The malware hides its icon from the launcher.
Impact | T1472 | Generate Fraudulent Advertising Revenue | The malware can display unwanted advertisements.
Command and Control | T1436 | Commonly Used Port | The malware uses port 443 for its C&C communications.
Command and Control | T1437 | Standard Application Layer Protocol | The malware uses HTTPS for its C&C communications.



Lukas Stefanko

Researchers Monitor Rise Of An Infostealer Dubbed As ‘Poulight’ That Most Likely Has A Russian Origin

With info-stealers becoming one of the most common threats, the infostealer market has grown into one of the most lucrative for cybercriminals: the data gathered from infected systems can be resold in the cybercrime underground or used for credential stuffing attacks.

This class of malware includes many well-known families such as Azorult, Tesla, and Hawkeye.

Over the last two months, researchers from Cybaze-Yoroi ZLab have observed the evolution and spread of an info-stealer dubbed Poulight that most probably has a Russian origin. It was first spotted by MalwareBytes specialists in mid-March, and indicators of compromise have already been shared among the security community.

The malicious code has gained further stealing capabilities and continues to evolve.

Hash              8ef7b98e2fc129f59dd8f23d324df1f92277fcc16da362918655a1115c74ab95
Threat            Poulight Stealer
Brief Description Poulight Stealer
Ssdeep            1536:GJv5McKmdnrc4TXNGx1vZD8qlCGrUZ5Bx5M9D7wOHUN4ZKNJH:GJeunoMXNQC+E5B/MuO0Ogt

Sample information

Technical Analysis

Like most malware of this family, it is generated by a builder sold to cybercriminal groups under a ‘subscription plan’ for the “product”. The result is a .NET executable:

Static information about the binary file

A peculiarity of this sample is that it shows no sign of obfuscation, so its capabilities are straightforward to analyse. When the malware is launched, it performs a classic evasion technique (as shown in Fig. 3):

Figure 3: Evasion Technique

The evasion technique is a textbook one: the malware queries Windows Management Instrumentation (WMI) with “Select * from Win32_ComputerSystem” and checks the result for the most common traces of virtualization and sandboxing, namely:
• “vmware”
• “VIRTUAL”
• “VirtualBox”
• “sbiedll.dll” (Sandboxie)
• “snxhk.dll” (Avast sandbox)
• “SxIn.dll” (Avast sandbox)
• “Sf2.dll” (Avast sandbox)

The same checks are documented in the Al-Khaser and Pafish tools, test suites designed to detect malware analysis environments and to test the robustness of sandboxes.

At that point the malware proceeds with the infection by starting a new thread called “Starter”.

Figure 4: Loader module of the malware

The “Starter” class contains the routine that loads the malware’s components. Before that, it initializes the directories and files used to store the data collected from the victim machine. This is done by the first instruction, “global::Buffer.Start()”; the method is simple: a series of folders is created within the Windows special folders (AppData, Local AppData, Personal, Desktop), as follows:

Figure 5: Creation of folders in the Windows Special Folders

Next, the malware extracts the configuration file and its parameters from the resource named “String0”, a Base64-encoded string, which it decodes with the following routine:

Figure 6: Routine to extract the configuration file
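The two facts established so far, that the sample carries its evasion strings unobfuscated and that its configuration sits in a resource as a Base64-encoded string, make static triage cheap. The following Python is an added example (not Cybaze-Yoroi ZLab's code) of such a triage script: it pulls printable ASCII and UTF-16LE strings out of a binary, reports which of the listed virtualization and sandbox indicators are present, and decodes any Base64 run whose plaintext contains the configuration tag names the analysis mentions (“prog.params”, “update”, “clbase”, “file”, “connect”). The sample bytes are constructed, and the line-based layout of the decoded configuration is an assumption, since the write-up names the tags but does not show their format.

```python
"""Static triage for a Poulight-like .NET sample: anti-analysis indicator
strings and Base64-encoded configuration blobs.

Added example, not Cybaze-Yoroi ZLab's code. The sample bytes are constructed;
the layout of the decoded configuration text is an assumption (the write-up
names the tags but does not show the format).
"""
import base64
import binascii
import re

# Strings the analysis names as the malware's virtualisation/sandbox checks.
ANTI_ANALYSIS_INDICATORS = [
    "Select * from Win32_ComputerSystem",  # WMI query driving the checks
    "vmware", "VIRTUAL", "VirtualBox",
    "sbiedll.dll",                         # Sandboxie
    "snxhk.dll", "SxIn.dll", "Sf2.dll",    # Avast sandbox
]

# Tag names the write-up says the decoded configuration carries.
CONFIG_TAGS = ["prog.params", "update", "clbase", "file", "connect"]

ASCII_RUN = rb"[\x20-\x7e]{%d,}"
UTF16_RUN = rb"(?:[\x20-\x7e]\x00){%d,}"
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def extract_strings(blob, min_len=6):
    """Yield printable ASCII and UTF-16LE runs; .NET user strings are UTF-16LE."""
    for m in re.finditer(ASCII_RUN % min_len, blob):
        yield m.group().decode("ascii")
    for m in re.finditer(UTF16_RUN % min_len, blob):
        yield m.group().decode("utf-16le")


def find_anti_analysis(blob):
    """Return the known evasion indicators present in the sample (case-sensitive,
    since the write-up lists them with their exact casing)."""
    found = set()
    for s in extract_strings(blob):
        for indicator in ANTI_ANALYSIS_INDICATORS:
            if indicator in s:
                found.add(indicator)
    return sorted(found)


def decode_config_blobs(blob):
    """Decode Base64 runs and keep those whose plaintext carries known config tags."""
    configs = []
    for s in extract_strings(blob, min_len=24):
        for m in B64_RUN.finditer(s):
            try:
                text = base64.b64decode(m.group(), validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not valid Base64, or not text once decoded
            tags = [t for t in CONFIG_TAGS if t in text]
            if tags:
                configs.append({"tags": tags, "text": text})
    return configs


# Constructed stand-in for the sample: two UTF-16LE user strings, one ASCII
# string, and a Base64 resource whose plaintext layout is assumed.
CONSTRUCTED_CONFIG = (
    "prog.params=1|0|0\n"
    "connect=http://c2.example.invalid/gate.php\n"
    "update=AES-KEY-PLACEHOLDER\n"
)
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + "Select * from Win32_ComputerSystem".encode("utf-16le") + b"\x00\x00"
    + "VirtualBox".encode("utf-16le") + b"\x00\x00"
    + b"sbiedll.dll\x00"
    + base64.b64encode(CONSTRUCTED_CONFIG.encode("utf-8")) + b"\x00"
)


def triage(blob):
    """Run both checks and return a report dictionary."""
    return {"anti_analysis": find_anti_analysis(blob),
            "configs": decode_config_blobs(blob)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Scanning both ASCII and UTF-16LE matters for .NET: literals used by the code live UTF-16LE-encoded in the assembly’s user-string heap, while resource strings are typically stored as UTF-8, so a single-encoding `strings` pass would miss one or the other. Requiring a known tag name in the decoded text keeps the Base64 scan from reporting every long alphanumeric run in the file.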

The first data tag, “prog.params”, is immediately retrieved by the instruction “HandlerParams.Start()” seen in Figure 4. Then, before starting a new infection, the malware checks for a previous one; this is the job of the instruction “AntiReplaySender.CheckReplayStart()” (also in Figure 4).

Figure 7: Check of a previous infection

The malware looks for a file named after the mutex id. If the file exists, the malware does not run again; otherwise it writes this empty file to mark that the infection has started.

After that, it moves on to the actual malicious main routine, contained in the “XS” class, as seen in Figure 4. The first part of the code is the following:

Figure 8: Initialization of the main module

The first instruction is “Information.Start()”, where all the data about the hardware and software of the host is collected, as follows:

Figure 9: Routine for retrieving the configuration of the victim machine

The malware clearly uses both English and Russian to log the gathered data. After that, the stealer enumerates and logs all active processes on the operating system.

Figure 10: Routine to extract the process list

Next, as seen in Figure 8, a check on the third parameter is performed: if it equals one, the “clippers” module is executed.

Figure 11: Routine to decode and execute an embedded component

As shown in the figure above, this code decodes a component stored in the “clbase” tag using the AES key stored in the “update” tag. In this particular configuration, however, there is no “clbase” field, so there is no additional component to install. The last instruction seen in Figure 8 is “CBoard.Start”, which works as follows:

Figure 12: Routine to steal clipboard data

The subsequent stage is to accumulate all the sensitive data on the victim machine:

Figure 14: Detail of the stealing modules

The malware steals an immense amount of data:

  • Desktop Snapshot 
  • Sensitive Documents 
  • Webcam snapshot 
  • Filezilla credentials 
  • Pidgin credentials 
  • Discord Credentials 
  • Telegram 
  • Skype 
  • Steam 
  • Crypto Currencies 
  • Chrome chronology  

The most interesting part is the “DFiles” module, which is tasked with stealing sensitive documents. It starts by searching for files with one of the following extensions:

Figure 15: Routine to search the documents with specific extensions

Within the gathered files, the malware searches for the classic keywords indicating that a file contains valuable credentials. The keywords are the following:

Figure 16: List of keywords searched within the documents

The malware then gathers all the data into a single data structure and sends it to the C2, whose address is retrieved from another resource named “connect”:

Figure 17: Routine to upload the stolen information to the C2

Finally, it downloads and executes other components from the Internet. The parameters are retrieved in the same way as in the previous section: a tag named “file” contains the component to download.

Figure 18: Routine to download other components from the Internet

There is no doubt that the Poulight stealer has considerable potential to steal sensitive data, and it should not be ruled out that it may later supplant other info-stealers such as Agent Tesla, Remcos, etc.

The implant’s limitation, however, is its lack of code obfuscation and data protection, which could be explained by the malware possibly still being in an early stage of development.

Since the attackers will likely improve these features, being aware of them is the best step forward for users now.
