Cisco Talos Incident Response (Talos IR) recently observed an attacker conducting big-game hunting and double extortion attacks using the relatively new Interlock ransomware.

Thursday, November 7, 2024 06:00

*   Cisco Talos Incident Response (Talos IR) recently observed an attacker conducting big-game hunting and double extortion attacks using the relatively new Interlock ransomware.  
*   Our analysis uncovered that the attacker used multiple components in the delivery chain including a Remote Access Tool (RAT) masquerading as a fake browser updater, PowerShell scripts, a credential stealer, and a keylogger before deploying and enabling the ransomware encryptor binary. 
*   We also observed that the attacker primarily used remote desktop protocol (RDP) to move laterally within the victim’s network, as well as other tools such as AnyDesk and PuTTY. 
*   The attacker used Azure Storage Explorer, which leverages the utility AZCopy, to exfiltrate the victim’s data to an attacker-controlled Azure storage blob.  
*   The timeline of the attacker’s activity, from the initial compromise stage until the deployment of ransomware encryptor binary, indicates their dwelling time in the victim’s environment was about 17 days.  
*   Talos assesses with low confidence that Interlock ransomware is likely a new diversified group that emerged from Rhysida ransomware operators or developers, based on some similarities in the operators’ tactics, techniques, and procedures (TTPs) and in the ransomware encryptor binaries. 

**Who is Interlock? **

Interlock first appeared in public reporting in September 2024 and has been observed launching big-game hunting and double extortion attacks. The group has notably targeted businesses in a wide range of sectors, which at the time of reporting includes healthcare, technology, government in the U.S. and manufacturing in Europe, according to the data leak site disclosure, indicating their targeting is opportunistic. 

Like other ransomware players in the big-game hunting space, Interlock also operates a data leak site called “Worldwide Secrets Blog,” providing links to victims’ leaked data, chat support for victims' communications, and the email address, “interlock@2mail\[.\]co”.   

In their blog, Interlock claims to target organizations’ infrastructure by exploiting unaddressed vulnerabilities and claims their actions are in part motivated by a desire to hold companies’ accountable for poor cybersecurity, in addition to monetary gain. 

**Recent attack methodologies **

Throughout the investigation into the Interlock ransomware attack, Talos observed several notable TTPs used by the attacker in each stage of the delivery chain. Talos assesses that the attacker was present in the victim’s environment for approximately 17 days, from the initial compromise until deployment and execution of the Interlock ransomware. 

**Initial access **

The attacker gained access to the victim machine via a fake Google Chrome browser updater executable that the victim was prompted to download from a compromised legitimate news website.  When clicked, the fake browser updater executable “upd\_2327991.exe” was downloaded onto the victim machine from a second compromised URL of a legitimate retailer. 

**Execution **

Talos IR discovered the fake browser updater executable is a Remote Access Tool (RAT) that automatically executes an embedded PowerShell script when downloaded and run. The script initially downloads a legitimate Chrome setup executable “ChromeSetup.exe” to the victim machine’s applications temporary folder and established persistence by dropping a Windows shortcut file in the Windows StartUp folder with the file name “fahhs.lnk” configured to run the RAT every time the victim logs in, establishing persistence.  

Sample PowerShell command that downloads the RAT. 

The RAT executes the command “cmd.exe /c systeminfo" and collects information from victim machine, listed below:

Host Name

Time Zone

OS Name

Total Physical Memory

OS Version

Available Physical Memory

OS Manufacturer

Virtual Memory

OS Configuration

Max Size

OS Build Type

Virtual Memory: Available

Registered Owner

Virtual Memory: In Use

Registered Organization

Page File Location(s)

Product ID

Domain

Original Install Date

Logon Server

System Boot Time

Hotfix(s)

System Manufacturer

Network Card(s)

System Model

Connection Name

System Type

Status

Processor(s)

DHCP Enabled

BIOS Version

DHCP Server

Windows Directory

IP address(es)

System Directory

Hyper-V Requirements

Boot Device

System Locale

Then, the RAT encrypts the collected information in the memory stream. It establishes a secured socket to the command and control (C2) server hidden behind the attacker-controlled Cloudflare domain “apple-online\[.\]shop”, sends the encrypted data stream of victim machine information to the C2 server, and waits to receive the response.  

The RAT also allowed the attacker to execute two other PowerShell commands on the victim machine, which downloads the encrypted data blobs of a credential stealer “cht.exe” and a keylogger binary “klg.dll”, decrypts them with the passwords “jgSkhg934@kjv#1vkfg2S” and runs them. We observed that the keylogger is a DLL file that is run using the LOLBin “rundll32.exe”.  

A sample PowerShell command that downloads and runs the Keylogger. 

**Defense Evasion **

Talos IR observed that EDR was disabled on some of the compromised servers in the victim environment during the investigation. According to the indicators seen, Talos IR believes that the attacker could have either leveraged an EDR uninstaller tool or instrumented a vulnerable device driver Sysmon.sys (TfSysMon.sys) to disable the EDR on the victim machine. We also observed the attacker’s attempts to delete contents of the Event logs on some of the compromised systems.  

**Credential Access **

The credential stealer discovered in this campaign is compiled in Golang. It enumerates the installed browser profiles on the victim machine and copies the Login data, Login State, key4.db, browser history and bookmarks files to the victim’s application profile temporary folder. The stealer then processes the data and uses SQL queries to collect the login information of victims’ online accounts along with the associated account URLs. Finally, the data is written to a file “chrgetpdsi.txt” in the user profile temporary folder.  

The keylogger DLL running on the victim machine is a tiny executable, which hooks to the victim machine keyboard and logs keystrokes in a file called “conhost.txt”, the same folder where the Keylogger was downloaded.  

**Discovery **

The attacker ran PowerShell commands that are known indicators of pre-kerberoasting reconnaissance, a method used to obtain domain admin credentials. We assess with moderate confidence that a Kerberoasting attack was used to obtain accounts with higher privileges. 

(('AD\_Computers: {0}' -f (\[adsiSearcher\]'(ObjectClass=computer)').FindAll().count)  
(\[adsisearcher\]'(&(objectCategory=user)(servicePrincipalName=\*))').FindAll() 

**Lateral Movement **

Talos IR observed that the attacker primarily used Remote Desktop Protocol (RDP) and several compromised credentials to move between systems.  Further analysis showed that the attacker has also used AnyDesk and possibly LogMeIn to allow remote connectivity. We also spotted the installation of PuTTY on the compromised machines, which was likely used to move laterally to Linux hosts. We are not clear how these tools were dropped and executed on the infected machines. 

Sample RDP command executions observed during our analysis and with the redacted IP address details are shown below. 

mstsc /v 10.\*.\*.\* 
.\\conhost.exe -d \\10.\*.\*.\*\\e$ 

**Collection and Exfiltration  **

The attacker executed storage-explorer, a tool that allows users to manage and interact with Azure Storage, and AzCopy, which allows users to copy files to a remote Azure storage, in the victim’s machine. We believe that the attacker used storage-explorer to navigate and identify sensitive information in the victim network and executed AzCopy to upload the data to the Azure storage blob according to network artifacts analysis. We were not able to confirm how the storage-explorer and AzCopy were delivered to the victim machine. 

**Impact **

The attacker deployed the Interlock ransomware encryptor binary with the file name “conhost.exe”, masquerading as a legitimate file, onto the victim machine and stored it in a folder named with a single digit number (example: “3” or “4”) in the user profile application data temporary folder. When run, the ransomware encrypts the targeted files on the victim machine with the file extension “.Interlock” and drops the ransom note “!\_\_README\_\_!.txt” file in every folder containing files that the encryptor has attempted to encrypt. Talos IR also observed that the attacker configured the ransom note to display during interactive login, was pushed using Group Policy Objects (GPOs), a Windows utility that allows users to manage Windows operating systems and applications.  

In the ransom note, the attacker warns against attempting to recover the encrypted files and rebooting the affected machines. They also demand a response within 96 hours or else they threaten to release the victim's data on their leak site and notify the media outlets, which could lead to financial and reputational damage.  

The ransom note includes the URL for an onion site where the affected victims can contact the operator to discuss the ransom demand and purchase the decryption keys using a unique company ID of sixty alphanumeric characters generated for each victim. 

**Interlock ransomware analysis **

Talos observed that Interlock ransomware has both Windows Portable Executable (EXE) and the Linux executable (ELF) variants, indicating that the attacker is targeting both Windows and Linux machines.   

The Interlock ransomware encryption binary is a 64-bit executable, compiled on October 2, 2024. The ransomware appears on the victim’s machines in a packed executable format with the custom unpacker code located in its Thread Local Storage and several obfuscated stack strings in the binary which are decrypted during the runtime of the ransomware. 

When the ransomware runs on the victim machine it initializes the binary by loading custom structures, strings, and Application programming interface (API) functions. After the initialization, it enumerates the logical disk drives that are available on the victim machine. Initially, the ransomware checks for the drive letters “A” through “Z” and excludes the “C drive”. It picks the available logical drives and enumerates all the folders and files in them, encrypting the targeted files on the victim machine and appending the file extension “.interlock” on encrypted files. Once the logical drives are enumerated, the ransomware then enumerates and encrypts the files in the folders of the “C drive”.  

During this enumeration process, the ransomware excludes specific folders and file extensions on the victim machine from being encrypted. The operator hardcoded the folder and files extension exclusion list, shown below, in the Interlock binary.

Folder exclusion list of Windows Interlock variant:

$Recycle.Bin

Windows

Boot

$RECYCLE.BIN

Documents and Settings

AppData

PerfLogs

WindowsApps

ProgramData

Windows Defender

Recovery

WindowsPowerShell

System Volume Information

Windows Defender Advanced Threat Protection

File extension exclusion list of Windows Interlock variant:

.bat

.bin

.cab

.cmd

.com

.cur

.diagcab

.diagcfg

.diagpkg

.drv

.hlp

.hta

.ico

.msi

.ocx

.psm1

.src

.sys

.ini

.url

.dll

.exe

.ps1

Thumbs.db

The Linux variant of the Interlock ransomware performs a similar enumeration of directories and files, starting from the root directory, and encrypts the files excluding those that are in the file extension exclusion list hardcoded in the binary.

File extension exclusion list of Linux Interlock variant:

boot

.cfg

.b00

.v00

.v01

.v02

.v03

.v04

.v05

.v06

.v07

.t00

Interlock ransomware uses LibTomCrypt library, an open-source comprehensive, modular and portable cryptographic library for encryption.  The Windows Interlock ransomware variant uses the Cipher Block Chaining (CBC) encryption technique to encrypt the files on the victim machine whereas the Linux Interlock variant uses either CBC or RSA encryption technique. 

Encryption routine in Windows variant 

Encryption routine in ELF variant 

 

 

After encrypting each of the targeted files in the victim machine Interlock drops the ransom note “!\_\_README\_\_!.txt” file in each of the enumerated folders. 

Windows variant ransom note function 

ELF variant ransom note function 

 

 

We observed that the Windows Interlock variant creates a windows task name “TaskSystem” that runs at 8:00 PM daily on the victim machine as a SYSTEM user executing the configured command to run the ransomware, indicating the ransomware establishing the persistence.  

schtasks /create /sc DAILY /tn “TaskSystem” /tr “cmd /c cd "$Path of the Interlock binary" && "$command” /st 20:00 /ru system > nul

The ransomware has the capability to delete itself upon encrypting the targeted files, hiding the evidence of the encryption binary on the victim machine.  To delete the encryption binary in the Windows variant, Interlock ransomware has a tiny DLL binary embedded in the data section that is dropped into the user profile applications temporary folder with the file name “tmp41.wasd”.  

Then, “rundll32.exe” is used to execute the DLL’s export function, called “run”, which then executes the remove() function to delete the encryption binary.  

The Linux variant uses a similar technique to delete the encryptor binary from the victim machine, by executing the removeme function, which is an inline routine in the same encryptor binary.  

**Interlock TTPs overlap with Rhysida Ransomware **

Talos assesses with low confidence that Interlock ransomware is a new diversified group that emerged from Rhysida operators or developers, based on some similarities in TTPs, tools, and the ransomware encryptor binaries’ behaviors. 

We discovered code overlaps in the binaries of Interlock and Rhysida ransomware samples. Notably, the files and folders exclusion list hardcoded in the Windows variant of the Interlock ransomware has similarities with the exclusion list in Rhysida ransomware, reported by Talos in an August 2023 Threat Advisory. 

Additionally, the Interlock ransomware encryptor with the filename “conhost.exe” was earlier seen in Rhysida ransomware attacks, along with overlaps in TTPs and tools including PowerShell scripts, AnyDesk, and PuTTY, based on a CISA #StopRansomware advisory report on Rhysida Ransomware. Furthermore, both Rhysida and Interlock operators use AzCopy to exfiltrate the victim’s data to an attacker-controlled Azure storage blob, an old but uncommon technique. 

Finally, Interlock and Rhysida deliver ransom notes with a similar theme, where they portray themselves as a helpful partner notifying the victim of a breach and offering to help rectify it. This is in contrast to other prolific and sophisticated cyber groups, such a Black Basta and ALPHV, whose ransom notes demand payment, threaten, and attempt to intimidate the victim.  

Rhysida ransom note. 

Interlock ransom note. 

Interlock’s possible affiliation with Rhysida operators or developers would align with several broader trends in the cyber threat landscape, which Talos reported in our 2022 and 2023 Year in Review reports. We observed ransomware groups diversifying their capabilities to support more advanced and varied operations, and ransomware groups have been growing less siloed, as we observed operators increasingly working alongside multiple ransomware groups. 

****Coverage** **

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64114, 64113, 64189 and 301042. 

ClamAV detections are also available for this threat: 

Win.Ransomware.Interlock-10036524-0 

Unix.Ransomware.Interlock-10036662-0 

Win.Trojan.Kryptik-10036729-0 

Win.Downloader.Kryptik-10036730-0 

**Indicators of Compromise **

IOCs for this threat can be found in our GitHub repository here.

Unwrapping the emerging Interlock ransomware attack

Cisco Talos' Vulnerability Research team recently discovered five Nvidia out-of-bounds access vulnerabilities in shader processing, as well as eleven LevelOne router vulnerabilities spanning a range of possible exploits.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our

Thursday, October 31, 2024 11:29

Cisco Talos' Vulnerability Research team recently discovered five Nvidia out-of-bounds access vulnerabilities in shader processing, as well as eleven LevelOne router vulnerabilities spanning a range of possible exploits.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website. 

**NVIDIA Graphics remote out-of-bounds execution vulnerabilities**

_Discovered by Piotr Bania._

NVIDIA Graphics drivers are software for NVIDIA Graphics GPU installed on the PC. They are used to communicate between the operating system and the GPU device. This software is required in most cases for the hardware device to function properly.

Talos discovered multiple out-of-bounds read vulnerabilities in Nvidia that could be triggered remotely in virtualized environments, via web browser, potentially leading to disclosure of sensitive information and further memory corruption. Researchers used RemoteFX; while recently deprecated by Microsoft, some older machines may still use this software.

Advisories related to these vulnerabilities:  
TALOS-2024-1955 (CVE-2024-0121)  
TALOS-2024-2012 (CVE-2024-0117)  
TALOS-2024-2013 (CVE-2024-0118)  
TALOS-2024-2014 (CVE-2024-0120)  
TALOS-2024-2015 (CVE-2024-0119)

**LevelOne wireless SOHO router vulnerabilities**

_Discovered by Patrick DeSantis and Francesco Benvenuto_.

Eleven vulnerabilities of different types were discovered in the LevelOne WBR-6012 SOHO router.

The LevelOne WBR-6012 is a low-cost wireless SOHO router, marketed as an easy-to-configure and operate internet gateway for homes and small offices.

Talos discovered these vulnerabilities in the R0.30e6 version of the router:

TALOS-2024-1979 (CVE-2024-28875,CVE-2024-31151): Hard-coded credentials exist in the web service, allowing attackers to gain unauthorized access during the first 30 seconds post-boot. Used with other vulnerabilities that force a reboot, time restrictions for exploitation can be greatly reduced. An undocumented user account with hard-coded credentials also exists.

TALOS-2024-1981 (CVE-2024-24777): A cross-site request forgery vulnerability exists in the web application, and a specially crafted HTTP request can lead to unauthorized access. An attacker can stage a malicious web page to trigger this vulnerability.

TALOS-2024-1982 (CVE-2024-31152): An improper resource allocation vulnerability exists due to improper resource allocation within the web application. A series of HTTP requests can cause a reboot, which could lead to network service interruptions and access to a backdoor account.

TALOS-2024-1983 (CVE-2024-32946): A cleartext transmission vulnerability exists, and sensitive information is transmitted via FTP and HTTP services, exposing it to network sniffing attacks.

TALOS-2024-1984 (CVE-2024-33699): A weak authentication vulnerability exists in the web application firmware, which allows attackers to change the administrator password to gain higher privileges without knowing the current administrator password.

TALOS-2024-1985 (CVE-2024-33603): An information disclosure in the web application allows unauthenticated users to access an undocumented verbose system log page and obtain sensitive data, such as memory addresses and IP addresses for login attempts. This flaw could lead to session hijacking due to the device's reliance on IP addresses for authentication.

TALOS-2024-1986 (CVE-2024-33626): A web application information disclosure vulnerability can reveal sensitive information, such as the Wi-Fi WPS PIN, through a hidden page accessible by an HTTP request. Disclosure of this information could enable attackers to connect to the device's Wi-Fi network.

TALOS-2024-1996 (CVE-2024-23309): An authentication bypass vulnerability results from the web application’s reliance on client IP addresses for authentication. Attackers can spoof an IP address to gain unauthorized access without a session token.

TALOS-2024-1997 (CVE-2024-28052): A buffer overflow vulnerability can be caused by specially crafted HTTP POST requests with URIs containing 1,454 or more characters, not starting with “upn” or “upg”.

TALOS-2024-1998 (CVE-2024-33700): An improper input validation within the FTP functionality can enable attackers to cause denial of service through a series of malformed FTP commands.

TALOS-2024-2001 (CVE-2024-33623): A denial-of-service vulnerability, triggered by multiple types of specially crafted HTTP POST requests, will cause the router to crash.

NVIDIA shader out-of-bounds and eleven LevelOne router vulnerabilities

Cisco Talos has observed an unknown threat actor conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. 
The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and executing malware.

Thursday, October 31, 2024 09:37

*   Cisco Talos has observed an unknown threat actor conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. 
*   The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and executing malware. 
*   This campaign abuses Google's Appspot\[.\]com domains, a short URL and Dropbox service, to deliver an information stealer onto the target's machine to avoid network security product detections. 
*   Talos also observed the threat actor using multiple techniques to evade antivirus detection and sandbox analysis, such as code obfuscation, shellcode encryption, hiding malicious code in resource data to expand the file size to over 700 MB, and embedding LummaC2 or Rhadamanthys information stealers into legitimate binaries. 

**Phishing email campaign targets Taiwan **

Talos observed an unknown threat actor conducting a malicious phishing campaign targeting victims in Taiwan since at least July 2024. The campaign specifically targets victims whose Facebook accounts are used for business or advertising purposes. 

The initial vector of the campaign is a phishing email containing a malware download link. The phishing email uses traditional Chinese in decoy templates and the fake PDF files, suggesting the target is likely traditional Chinese speakers. Some of the fake PDF filenames that we observed during our analysis are: 

*   IMAGE COPYRIGHTED.exe 
*   \[Redacted\] 的影片內容遭到侵犯版權.exe (translates to “\[Redacted\]'s video content has been copyright infringed.exe”) 
*   版權侵權信息- \[Redacted\] Media Co Ltd.exe (translates to “Copyright Infringement Information - \[Redacted\] Media Co Ltd.exe”) 
*   版權侵權信息- \[Redacted\] Media Group Inc.exe (translates to “Copyright Infringement Information - \[Redacted\] Media Group Inc.exe”) 
*   版權侵權信息- \[Redacted\] Technology Group.exe (translates to “Copyright Infringement Information - \[Redacted\] Technology Group.exe”) 
*   版權侵權信息- \[Redacted\] Co. Ltd.exe (translates to “Copyright Infringement Information - \[Redacted\] Co. Ltd.exe”) 
*   \[Redacted\] Online -宣布侵權.exe (translates to “\[Redacted\] Online - declare infringement.exe”) 

The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and executing malware. Another observation we found is that the fake PDF malware uses the names of well-known technology and media companies in Taiwan and Hong Kong. This provides strong evidence that the threat actor conducted thorough research before launching this campaign. 

Additionally, we observed two phishing emails masquerading as notices from a well-known industrial motor manufacturer and a famous online shopping store in Taiwan. The emails claim that the company’s legal representatives have issued a notice to a Facebook page administrator alleging copyright infringement due to the unauthorized use of their images and videos for product promotion. The emails demand the removal of the infringing content within 24 hours, cessation of further use without written permission, and warn of potential legal action and compensation claims for non-compliance. Last but not least, with these two emails, we can easily identify that the threat actor uses the same template with minor modifications, such as changing the company name, legal department information, address, and website.  

Phishing email impersonating a well-known industrial motor manufacturer. 

Phishing email impersonating a famous online shopping store. 

**Attribution **

Talos observed an unknown image printing EPS file within the encrypted archive, with the filename "Support." Based on the file name and file size, it is likely that all encrypted archives we found on VirusTotal, which we have not been able to decrypt, contain the same EPS files inside. Pivoting off the EPS file metadata and its preview image on a search engine, we found an identical image with the same file name on a Vietnamese-language website. However, there is no strong evidence that it was created by an author from that region.   

Support EPS file metadata. 

The support EPS file preview image in this campaign (left) and the image we found from the internet (right). 

**Actor infrastructure **

The threat actor is abusing Google's Appspot.com domains, a short URL and Dropbox service, to deliver an information stealer onto the target's machine. Appspot.com is a cloud computing platform for developing and hosting web applications in Google-managed data centers. When the victim clicks on the download link, it initially connects to Appspot.com, then redirects to a short URL created by a third-party service, and finally redirects to Dropbox to download the malicious archive. The actor is using the third-party data storage service as a download server to deceive network defenders.  

Malware download link. 

We also discovered that the actor is using multiple command and control (C2) domains in the campaign. The DNS requests for the domains during our analysis period are shown in the graph, indicating the campaign is ongoing.  

C2 domain DNS requests. 

**Malware infection summary **

The infection chain begins with a phishing email containing a malicious download link. When the victim downloads the malicious RAR file, they will need a specific password to extract it, revealing a fake PDF executable malware and an image printing file. Once the malware is decrypted and the fake PDF executable is run, it will execute the embedded LummaC2 or Rhadamanthys information stealer, which then collects the victim’s credentials and data, sending them back to the C2 server. 

The malicious RAR file usually contains a fake PDF executable malware and an image printing file, but we observed a few malicious RAR files that contain an additional DLL file. However, without the correct password, we are not able to extract the malicious RAR file and analyze it. 

The RAR file contains a fake PDF and an image printing file.  

The RAR file contains a fake PDF, an image printing file, and additional DLL file. 

The fake PDF executable malware variant was delivered as a payload in this campaign. This malware will embed LummaC2 or Rhadamanthys information stealers into legitimate binary and the legitimate binary including iMazing Converter, foobar2000, Punto Switcher, PDF Visual Repair, LedStatusApp, and PrivacyEraser. Below shows one of the file details of the fake PDF executable. 

Fake PDF file detail information. 

**LummaC2 stealer and its loader **

LummaC2 Stealer is a type of malware designed to exfiltrate sensitive information from compromised systems. It can target system details, web browsers, cryptocurrency wallets, and browser extensions. Written in C, this malware is sold on underground forums. To avoid detection and analysis, it employs various obfuscation methods. The malware connects to a C2 server to receive instructions and transmit the stolen data. 

The loader for LummaC2 changes the execution flow of the binary malware, causing it to invoke an unknown library to execute the malicious code functions. This strategic modification complicates detection and analysis efforts. Once these malicious functions are invoked, the malware utilizes the CreateFileMappingA API to write the payload into a mapped memory block, effectively hiding it within the system's memory. After successfully mapping the payload, the malware then executes it. 

Call to an unknown library to execute the malicious code functions. 

When the malware begins executing the shellcode in memory, it first decrypts the second half of the program block, which contains part of the shellcode loader and the LummaC2 malware execution file. Once the decryption is complete, it will call the VirtualAllocate API to allocate a memory block, write the information stealer's execution file to that block, and then execute it.   

Jump code to shellcode block. 

 

 

Encrypted shellcode (left side) and decrypted shellcode (right side). 

We also collected all of the build IDs of the LummaC2 in this campaign and below are the screenshots of the LummaC2 stealer alert message box and its POST message. 

Alert message shown to the user when executing LummaC2. 

POST message with act=life and url path /api. 

Build ID: 

*   sTDsFx--Socks 
*   iAlMAC--ghost 

**Rhadamanthys stealer and its loader **

Rhadamanthys is a sophisticated information stealer that emerged in 2022 and is sold on underground forums. This comprehensive stealer malware is capable of gathering system information, credentials, cryptocurrency wallets, browser passwords, cookies, and data from various other applications. It employs numerous anti-analysis techniques, complicating analysis efforts and hindering its execution in sandbox environments. 

We observed the Rhadamanthys loader in this campaign contains 10 sections in its binary structure. Despite the presence of multiple sections, the threat actor specifically targets the .rsrc section to insert the malicious code. This section is heavily obfuscated to conceal the malicious activities and make analyses more challenging. The choice of the .rsrc section is strategic, as it is typically associated with resource data like icons and menus, making it less likely to raise immediate suspicion.  

The loader of Rhadamanthys binary structure sections. 

After analysis, we discovered that the Rhadamanthys loader employs several sophisticated techniques to ensure its persistence and evasion. Initially, the loader copies itself and writes the file to “C:\\Users\\\[user\]\\Documents\\lumuiUpdater\\ffUpdaar.exe”. In order to avoid detection by antivirus programs and sandbox environments, it expands the file size to over 700 MB. This significant increase in file size is intended to bypass heuristic and signature-based detection mechanisms commonly used by security products, which may struggle to process such large files effectively. 

The loader copies itself to the lumuiUpdater folder. 

Furthermore, the loader is configured to start automatically by modifying the Windows Registry. It writes an entry to “HKEY\_CURRENT\_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run” and key name value “sausageLoop”, a registry key that specifies programs to be launched during the system startup. This registry modification ensures that the malicious loader is executed every time the victim's computer restarts, thereby maintaining its persistence on the infected system. 

The loader is configured to start automatically. 

Finally, the loader executes the legitimate system process "%Systemroot%\\system32\\dialer.exe" and injects Rhadamanthys' payload into it. This process injection technique allows the malware to run its malicious code within the context of a legitimate system process, further evading detection. Additionally, it uses mutex objects to ensure that only one instance of the malware runs on the infected host. Below is the list of mutex names we observed in this campaign, which has also been disclosed in previous reporting by other. 

*   Global\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\1\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\2\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\3\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\4\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\5\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\6\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\7\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\8\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 

**Coverage **

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64167-64169. 

**IOC **

IOCs for this research can also be found at our GitHub repository here.

Threat actors use copyright infringement phishing lure to deploy infostealers

This blog will demonstrate the practice and methodology of reversing BugSleep’s protocol, writing a functional C2 server, and detecting this traffic with Snort.

Wednesday, October 30, 2024 06:00

In June 2024, security researchers published their analysis of a novel implant dubbed “MuddyRot”(aka "BugSleep"). This remote access tool (RAT) gives operators reverse shell and file input/output (I/O) capabilities on a victim’s endpoint using a bespoke command and control (C2) protocol. This blog will demonstrate the practice and methodology of reversing BugSleep’s protocol, writing a functional C2 server, and detecting this traffic with Snort. 

**Key findings **

*   BugSleep implant implements a bespoke C2 protocol over plain TCP sockets. 
*   BugSleep operators have demonstrated multiple file-obfuscation techniques to avoid detection. 
*   BugSleep implements reverse shell, file I/O, and persistence capabilities on the target system. 

**Sending and receiving data **

This blog will use sample b8703744744555ad841f922995cef5dbca11da22565195d05529f5f9095fbfca for analysis. Two of the lowest functions in the C2 stack, referred to as SendSocket (FUN\_1400034c0) and ReadSocket (FUN\_140003390), are very light wrappers for the send and receive API functions and handle payload encryption. They include some error handling by attempting to send or receive data 10 times before failing.  

This protocol uses a pseudo-TLV (Type Length Value) structure with only two types: integer or string. Integers are sent as little-endian 4- or 8-byte values, and strings are prepended with the 4-byte value of its length. Payloads are then encrypted by subtracting a static value from each byte in the buffer (in this sample it is three).  

Type 

Value 

Plain text 

Cipher text 

IntegerMsg 

6 

06 00 00 00 

03 FD FD FD 

StringMsg  

Talos 

05 00 00 00 48 65 6C 6C 6F 

02 FD FD FD 51 5E 69 6C 70

_Figure 1: Example of data encryption used by BugSleep_

There are two main functions for handling C2 communications: C2Loop (FUN\_1400012c0) and CommandHandler (FUN\_1400028a0). C2Loop is responsible for setting up socket connections with the server and sending a beacon, while CommandHandler is responsible for processing and executing commands from the server. 

After setting up the socket connection, the implant beacons (FUN\_140003d80) to the C2 server for a command. The beacon is a StringMsg in the form ComputerName/Username. If the server responds with an IntegerMsg equal to 0x03, BugSleep will terminate itself. We suspect this is remnants of an old kill command or an emergency kill without the overhead of reading the real kill command later. 

Each BugSleep command is sent as an IntegerMsg after the beacon response. The following enumeration defines all the command IDs discovered. 

Figure 2: Command IDs used by implant 

**Phoning home **

The implant communicates using plain TCP sockets, which can be seen using a Netcat listener and Wireshark. 

Figure 3: BugSleep beacon as seen through Wireshark. 

Recalling the message encryption demonstrated in Figure 1, the beacon can be decrypted with a little bit of Python (Figure 4). This will be used again when building the rest of the C2 server.  

Figure 4: Decoding beacon data 

**Python C2 server **

With an understanding of the protocol basics, it is time to start building the C2 server. Full source code can be found here. 

**Beacon **

As mentioned earlier, the BugSleep beacon function sends a StringMsg and reads an IntegerMsg response from the server. Since the IntegerMsg returned can be anything but 0x03, we returned the length of the Computer Name/Username string received by the server.

Figure 5: Output from C2 server receiving beacon data 

**Ping command **

The simplest command to implement is the Ping command. It has the command ID of 0x63 (BugSleep subtracts one from whatever ID it receives). The code is simple: send back 4 bytes.  

Figure 6: Switch case for handling ping command 

Once the beacon comes in, the server is responsible for: 

1.  Sending 4 bytes for beacon response 
2.  Sending 4 bytes for Ping command ID 
3.  Reading 4 bytes of Ping data 

The ping command was observed sending back 4 bytes recently allocated on the heap, so it's not guaranteed to know what that data looks like. To validate things are really working, a breakpoint can be set in WinDbg and memory set manually before being sent. 

Figure 7: Confirming 0xdeadbeef written to memory is received by the server in a Ping command 

**File commands **

The next set of commands are responsible for downloading files onto the compromised system or uploading files to the C2 server (PutFile and GetFile, respectively). These commands are inverses of each other, so only the GetFile command will be discussed in detail. The methodology was to trace each call to SendSocket or ReadSocket and implement the response for that call in Python. In CommandHandler, the implant reads the length and value off the wire. This is the file to be retrieved.  

Figure 8: GetFile reading path string length and path string from socket 

The CmdGetFile function opens the target file and chunks it over the socket one page at a time. The list of SendSocket calls is as follows: 

Figure 9: SendSocket calls made by CmdGetFile function 

Figure 10: Example C2 server output from GetFile command 

The PutFile command differs slightly from the GetFile command with how it uses pointer math to process incoming pages. 

Figure 11: Tricky file pointer math 

This translates to each page starting with a 4-byte page number followed by 1020 bytes (or 0x3fc) of file data, which the GetFile command does not do; it sends full 1024-byte pages of file data without page numbers. 

**Reverse shell **

The last command is the reverse shell. This is the most complex because it requires many reads and writes over the socket. The disassembly is rather long and difficult to keep track of the socket calls, so we have omitted it. Effectively, the implant spawns a cmd.exe process (FUN\_1400016e0) and reads the command to execute from the socket. The shell command and its output are marshaled between the processes via pipes during the session. The complexity of this operation comes from BugSleep incrementally reporting return values from pipe API calls while attempting to read shell output (FUN\_140003840). The implant will enter this loop of reading commands and sending output until it receives the string “terminate\\n”.  

Figure 12: Example output from C2 server running the reverse shell command 

The rest of the commands are less complex but have been implemented and are viewable here. 

**Snort detection **

This server gives Talos the ability to emulate any number of conversations between BugSleep and its operators. This traffic is crucial for writing and validating our detections’ performance in the wild. 

The initial candidate for detection would be the beacon. It is the first opportunity to shut down communications, isolating any BugSleep instance from receiving commands. It was observed that each beacon has the form of <len><data>, where data is sub\_string(COMPUTER\_NAME + "/" + USERNAME, 3). This string is not long or static, which makes it a poor candidate for a fast\_pattern; however, recall that each beacon is prepended with a 4-byte length of this string. A Computer Name/Username string from any given victim is unlikely to be longer than 255 characters. This means most length fields are going to look like |XX 00 00 00| or |XX FD FD FD| when encoded. This could be a quick match, early in the stream, at a static offset, making it a decent fast\_pattern candidate. 

Figure 13: Detecting higher order encoded zero bytes of beacons sent from BugSleep 

 This will work but is likely to cause false-positives (FP) in the wild. Every sample of BugSleep was seen using port 443. The implant is also reaching outside the network to a C2 server, so traffic to be inspected by this rule can be reduced using the following header: 

Figure 14: Restricting rule to inspect traffic leaving the network to port 443 

The flow:to\_server,established option can be used to restrict Snort to data coming from a client over established TCP streams. The FP-rate on this rule still isn't great. Any TCP traffic leaving the network on port 443 with |FD FD FD| at offset 1 will alert. That might sound unique, but it does not indicate with confidence that the traffic is a BugSleep beacon. 

One powerful tool in Snort to add more logic or state to rules is flowbits. These allow a writer to have a sense of state within a stream across multiple rules. In this case, the beacons aren't enough to reliably alert on. What if we use flowbits to chain beacons with the commands being sent back? The commands themselves don't provide much content, as they are variable length non-deterministic strings (e.g., get, put, etc.) or a nondeterministic 4-byte integer (e.g., heartbeat, increment timeout, etc.). They do, however, all start with a 4-byte command ID. Setting a flowbit when a beacon leaves the network will allow another rule down the line to alert with higher confidence if it sees a command ID come back in the same stream. 

**Command rules **

The pcre rule option can be used to reduce 11 rules down to one. Like the beacon rule, the three zero bytes, encoded as |03|, can be used as a fast\_pattern. Once the rule has entered, the bugsleep\_beacon flowbit check can be performed to help the rule exit quickly in the event of a false positive. After the three |03| bytes are confirmed to be at offset five, a PCRE can verify one of the command IDs is present.  

Figure 15: Snort rule for detecting BugSleep command sent from C2 server 

**Sharp edges **

Sometimes, we are reminded that Snort can handle or interpret data differently than expected. Conveniently, this sample’s traffic was a perfect example and opportunity to peek under the hood and see what Snort sees. Originally, our beacon rule looked like this, trying to catch the encoded forward-slash that is always present in the Computer Name/Username string (encoded as a comma).  

Figure 16: Beacon rule attempting to catch forward-slash in Computer Name/Username string 

Recall that the implant will: 

1.  Connect to the server 
2.  Send a string length (4 bytes) 
3.  Send the PC/User string N bytes 
4.  Read 4 bytes back to ensure a response 
5.  Read 4-byte command ID and N command data bytes 
6.  Start sending command responses 

As Snort is reading data over the wire, it is interpreting it and sorting it into different buffers (pkt\_data, file\_data, js\_data, http\_\*, etc.). In this case, as TCP data is being chunked along the wire, Snort is looking at those individual TCP segments. Only after it has enough data will it flush into the larger "TCP stream" buffer so a rule can parse the entire stream sent from a client or server. 

Initially, the get command traffic was alerting while the put command traffic was not. Fortunately, Snort 3 comes with a tracing module to help debug these issues. The buffer option will print out Snort’s different buffers as they are filled and rule\_eval will trace the rule as it is evaluated. The following screenshots are output from individual runs of Snort against each PCAP. “snort.raw” represents an individual packet, while “snort.stream\_tcp” represents a reassembled TCP stream. 

At the start of the working GetFile command, the beacon size and data can be seen as two separate packets (Figure 17).  

Figure 17: Individual beacon packets being processed by Snort 

Further down, the reassembled TCP stream can be seen being inspected and alerted on. Moving from the top to bottom in Figure 18, the cursor position and state of the buffer can be observed changing as the rule is evaluated. At the end, the flowbit is set and made available for the command rule.

Figure 18: Snort trace output setting flowbit for BugSleep beacon 

Further down, the TCP stream for the command data is processed. The higher-order zeroes of the command are found, the flowbit checked, the PCRE performed, and the SID alerts as expected.  

Figure 19: Get file command rule alerts on traffic as expected 

When the results of the put file command traffic are inspected, a different behavior is observed. The individual packets for beacon length and beacon data are seen coming in; however, the first reassembled TCP stream that Snort is inspecting is the command being sent back to the implant. Figure 20 shows the command ID being found and then the flowbit check failing. 

Figure 20: Put file command traffic failing flowbit check 

Scrolling further in the log reveals the TCP stream for the beacon data is eventually populated and Snort sets the flowbit as expected. The stream for the command ID, however, has already passed and failed analysis because of the unset flowbit, resulting in no alert. The cause of this issue is the raw packets coming from the client not being reassembled into a TCP stream by the time the server packets are reassembled and inspected. This happens because Snort only reassembles when it has enough data, and 20 bytes is not enough yet. 

**The fix **

Unfortunately, the beacon rule must be tweaked so it can alert as soon as possible and not rely on the TCP reassembly. Recall that the beacon function invokes SendSocket twice, once for 4-length bytes and again for the beacon data. This means the first packet Snort sees will only be 4 bytes long. Adding “bufferlen:=4” restricts Snort to only look at 4-byte packets, significantly reducing any FP rate. Our solution ended up being this:  

Figure 21: Fixed beacon rule looking for 4-byte length segments 

 Now the rules work as expected!  

Figure 22: Snort output alerting on traffic from all BugSleep commands 

**Conclusion **

Since BugSleep is a new implant and weekly releases were observed being deployed, this protocol might change and bypass these rules. However, two things have been accomplished: 

1.  This variant will no longer communicate over our customers’ networks. 
2.  Attackers must invest development time and money to use BugSleep again. 

The published Snort SIDs covering this traffic are 63937 and 63938.  

**Indicators of compromise **

Hosts: 

*   1\[.\]235\[.\]234\[.\]202 
*   146\[.\]19\[.\]143\[.\]14 
*   46\[.\]19\[.\]143\[.\]14 
*   5\[.\]239\[.\]61\[.\]97 

Hashes 

The following Windows executables were collected during our research. Assuming these have not been manipulated, the compilation time for this set of binaries indicates weekly releases of BugSleep. 

SHA256 

Compile Time 

b8703744744555ad841f922995cef5dbca11da22565195d05529f5f9095fbfca 

Wed., May 8 00:55:53 2024 UTC 

94278fa01900fdbfb58d2e373895c045c69c01915edc5349cd6f3e5b7130c472 

Wed., May 22 21:56:39 2024 UTC 

73c677dd3b264e7eb80e26e78ac9df1dba30915b5ce3b1bc1c83db52b9c6b30e 

Fri., May 31 23:29:21 2024 UTC 

5df724c220aed7b4878a2a557502a5cefee736406e25ca48ca11a70608f3a1c0 

Sun., Jul 07 21:09:49 2024 UTC 

960d4c9e79e751be6cad470e4f8e1d3a2b11f76f47597df8619ae41c96ba5809 

Sat., Jul 15 09:15:20 2079 UTC

Writing a BugSleep C2 server and detecting its traffic with Snort

Can LLM tools actually help defenders in the cybersecurity industry write more effective detection content? Read the full research

Friday, October 25, 2024 10:09

Most users will associate large language models (LLMs) like ChatGPT with answering basic questions or helping to write basics lines of text.  

But could these tools actually help defenders in the cybersecurity industry write more effective detection content?  

Several security researchers from across Cisco recently looked into how LLMs, which have surged in popularity over the past year, could assist them in the detection research process. 

Part of their jobs is to try and perform test behavior that will trigger existing detection rules to check their effectiveness and try to emulate the behavior of a typical adversary — all in the name of updating that detection content to catch the latest tactics, techniques and procedures (TTPs). 

LLMs may be able to assist in this complex, time-consuming tax, as Darin Smith, Yuvi Meiyappan, Moazzam Khan and Ray McCormick write in this paper, which you can download below. 

Khan, a security researcher for Cisco, will be presenting the findings of this paper at the upcoming BSides Portland conference.

How LLMs could help defenders write better and faster detection

Credential theft was the main goal in 25% of incidents last quarter, and new ransomware variants made their appearance - read more about the top trends, TTPs, and security weaknesses that facilitated adversary actions.

Thursday, October 24, 2024 06:00

Threat actors are increasingly conducting identity-based attacks across a range of operations that are proving highly effective, with credential theft being the main goal in a quarter of incident response engagements.

These attacks were primarily facilitated by living-off-the-land binaries (LoLBins), open-source applications, command line utilities, and common infostealers, highlighting the relative ease at which these operations can be carried out. In addition to outright credential harvesting, we also saw password spraying and brute force attacks, adversary-in-the-middle (AitM) operations, and insider threats, underscoring the variety of ways in which actors are compromising users' identities.  

Identity-based attacks are concerning because they often involve actors launching internal attacks from a compromised, valid account--making such activity difficult to detect. Moreover, once account compromise is achieved, an actor can carry out any number of malicious activities, including account creation, escalating privileges to gain access to more sensitive information, and launching social engineering attacks, like business email compromise (BEC), against other users on the network. 

Watch the team discuss some of the major takeaways of the report, and recommendations for defenders

**Threats against identity **

This quarter, Cisco Talos Incident Response (Talos IR) has responded to a growing number of engagements in which adversaries have leveraged password-spraying campaigns to obtain valid usernames and passwords to facilitate initial access. This quarter, 25 percent of incidents involved password spraying and/or brute force attempts to steal valid credentials. This method involves an adversary using a password, or a small list of commonly used passwords, against many different accounts on a network, a strategy that helps avoid account lockouts that would typically occur when brute-forcing a single account with many passwords. Although adversaries have been using password-spraying attacks for credential access for years, the activity illustrates that organizations should continue to stress the importance of multi-factor authentication (MFA) and strong password policies to limit unauthorized attempts.  

Talos IR observed AitM phishing attacks play out in a number of ways this quarter, where adversaries attempted to trick users into entering their credentials into fake login pages. In one engagement, Talos IR investigated a phishing case where, after clicking a malicious link in a phishing email, the victim was redirected to a site prompting them to enter their credentials, and subsequently approved an MFA request. In another engagement, an initial phishing email redirected a user to a page that simulates a Microsoft O365 login and MFA portal, capturing the user's credentials and subsequently logging in on their behalf. The first login by the adversary was seen 20 minutes after the initial phishing email, highlighting the speed, ease, and effectiveness of these operations. 

**Ransomware **

Ransomware, pre-ransomware, and data theft extortion – in which cybercriminals steal and threaten to release victims’ files or other data without using any encryption mechanisms — accounted for nearly 40 percent of engagements this quarter. Talos IR observed RansomHub, RCRU64, and DragonForce ransomware variants for the first time this quarter, while also responding to previously seen ransomware variants, such as BlackByte, Cerber, and BlackSuit. 

  
A third of these engagements involved exploitation of known vulnerabilities that are consistently leveraged by ransomware operators/affiliates to deploy ransomware, according to public reporting. For example, in one BlackByte ransomware engagement, we observed an admin account created and added to an “ESX Admin” group as part of exploitation of the ESXi hypervisor vulnerability, CVE-2024-37085. This vulnerability, which has reportedly been exploited by other ransomware operators, involves a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation. 

As part of a years-long trend in greater democratization of ransomware adversaries, we continue to see new variants and ransomware operations emerging. In an incident involving the RCRU64 ransomware –a malware family that has received limited public reporting – the adversary used stolen credentials on an accidentally exposed remote desktop protocol (RDP) account to gain initial access. The threat actor then performed a dump of all domain credentials using publicly available tools, such as fgdump and pwdump, to steal Windows hashes. The threat actor also deployed custom tools, including “saxcvz.exe” and “close.exe”, to kill processes and close SQL servers running on the host, respectively. Open-source tools such as Mimikatz, Advanced Port Scanner, and IObit Unlocker were also used to facilitate the compromise. Of note, Talos has not previously seen IObit Unlocker used in a ransomware incident, though the tool has been used in Play ransomware attacks, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). 

**Looking forward:** While there are constantly new ransomware groups entering the threat landscape, some established operations still pose a risk and should not be ignored. We saw this most recently last quarter with RansomHub, where Talos IR not only observed RansomHub actors in two separate incidents, but also using two different extortion models: double-extortion and data theft extortion. For example, we observed RansomHub affiliates conduct data theft extortion, where affiliates steal and threaten to release data without deploying ransomware or using any encryption mechanisms, as well as leverage a double-extortion model by deploying ransomware and encrypting systems and exfiltrating data to extort victims, respectively. In late August, this activity coincided with a CISA advisory on the RansomHub ransomware group, which disseminated indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) identified as recently as August. While RansomHub was first discovered in February 2024, the recent Talos IR incidents and CISA advisory warrants that this continues to be a ransomware threat to monitor. 

****Targeting** **

Organizations in the education, manufacturing, and financial services verticals were most affected this quarter, where combined, these sectors accounted for more than 30 percent of compromises. This finding is in line with targeting trends from Q1 2024 (January - March), where the education and manufacturing companies were the most targeted. 

**  
**Initial access** **

For the fourth consecutive time in over a year, the most observed means of gaining initial access was the use of valid accounts, accounting for 66 percent of engagements when initial access could be determined. This is a _slight_ increase compared to the previous quarter (60 percent). Additionally, 20 percent of engagements featured adversaries exploiting or leveraging vulnerable and public-facing applications for initial access. 

  
**Looking forward:** Talos IR identified a sophisticated actor targeting a critical infrastructure entity leveraging several known vulnerabilities in internet-facing web servers and two F5 BIG-IP network appliances, consistent with Talos’ reporting on state-sponsored and other sophisticated adversaries’ increased interest in targeting network devices. We assess that networking equipment will remain an attractive target due to the large attack surface it presents and potential access to victim networks it can offer, highlighting the dichotomy of high value and weak security in these devices that makes them a prime target for exploitation. This activity is another reminder of the importance of patching systems, especially network-facing devices. 

****Security weaknesses** **

We continue to see a significant number of compromises that could have been prevented with the presence of certain security fundamentals, like MFA and proper configuration of endpoint detection products. In nearly 40 percent of engagements, misconfigured MFA, lack of MFA, and MFA bypass accounted for the top observed security weaknesses this quarter. Additionally, in 100 percent of the engagements that involved threat actors sending phishing emails to victims, MFA was bypassed or not fully enabled, while over 20 percent of incidents where ransomware was deployed did not have MFA enabled on VPNs. 

  
Other security weaknesses, which we commonly see every quarter, involved improper endpoint detection and response (EDR) or security solution misconfigurations. For example, lack of EDR on all systems and/or poorly configured EDR solutions accounted for nearly 30 percent of incidents this quarter. Additionally, nearly 20 percent of engagements this quarter had misconfigured or not fully enabled network security solutions. 

In an incident involving SocGholish, a drive-by malware framework, Talos IR recommended configuring Cisco Umbrella properly to block unwanted content, which could have helped to prevent this attack. Blocking "uncategorized" websites in Cisco Umbrella’s "Web Content Categories" will help proactively mitigate suspicious or malicious activity. 

****Top-observed MITRE ATT&CK techniques** **

The table below represents the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagement. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note, this is not an exhaustive list. 

Key findings from the MITRE ATT&CK appendix include:  

*   In terms of identity-based attacks, we consistently saw adversaries leveraging reconnaissance tactics to identify/gather credentials and then use those valid accounts to gain initial access. This also contributes to the growing trend this quarter in which adversaries are leveraging password spraying to obtain credentials. 
*   Nearly 20 percent of engagements this quarter featured proxy usage for command and control (C2). This activity included tools such as the Fast Reverse Proxy (FRPC) to establish a connection, or the Neo-reGoerg proxy tool to set up a SOCKS proxy. 
*   In a significant shift compared to previous quarters, we saw a decrease in adversary usage of remote access software, such as AnyDesk. Remote access software was used in less than 5 percent of engagements this quarter, compared to 35 percent last quarter (Q2 2024), where these tools provide the attacker an ability to control a target computer remotely. 

Tactic

Technique

Example

Initial Access (TA0001)

T1078 Valid Accounts

Adversary leveraged stolen or compromised credentials

Reconnaissance (TA0043)

T1592 Gather Victim Host Information

Text file contains details about host

Persistence (TA0003)

T1136 Create Account

Created a user to add to the local administrator’s group

Execution (TA0002)

T1059.001 Command and Scripting Interpreter: PowerShell

Executes PowerShell code to retrieve information about the client's Active Directory environment

Discovery (TA0007)

T1046 Network Service Discovery

Use a network or port scanner utility

Credential Access (TA0006)

T1003 OS Credential Dumping

Deploy Mimikatz and publicly available password lookup utilities

Privilege Escalation (TA0004)

T1484 Domain Policy Modification

Modify GPOs to execute malicious files

Lateral Movement (TA0008)

T1021.002 Remote Services: SMB / Windows Admin Shares

Adversaries may abuse valid accounts using SMB to move laterally in a target environment.

Defense Evasion (TA0005)

T1562.001 Impair Defenses: Disable or Modify Tools

Adversaries may disable or uninstall security tools to evade detection

Command and Control (TA0011)

T1105 Ingress Tool Transfer

Adversaries may transfer tools from an external system to a compromised system

Impact (TA0040)

T1486 Data Encrypted for Impact

Deploy Hive ransomware and encrypt critical systems

Exfiltration (TA0010)

T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Use WinSCP for potential exfiltration of system information

Collection (TA0009)

T1074 Data Staged

Adversary collected data in a central location prior to exfiltration

Software/Tool

S0357 Impacket

An open-source collection of modules written in Python for programmatically constructing and manipulating network protocols

Talos IR trends Q3 2024: Identity-based operations loom large

WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns.

Wednesday, October 23, 2024 06:02

*   WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns. 
*   WarmCookie, observed being used for initial access and persistence, offers a means for continuous long-term access to compromised environments and is used to facilitate delivery of additional malware such as CSharp-Streamer-RAT and Cobalt Strike. 
*   Post-compromise intrusion activity associated with WarmCookie overlaps with previously observed activity we attribute to TA866.  
*   We assess that WarmCookie was likely developed by the same threat actor(s) as Resident backdoor, a post-compromise implant previously deployed in intrusion activity that Cisco Talos attributes to TA866.  

**What is WarmCookie? **

WarmCookie, also known as BadSpace, is a malware family that has been distributed since at least April 2024. Throughout 2024, we have observed several distribution campaigns conducted using a variety of lure themes to entice victims to take actions that result in malware infection.  

These campaigns typically rely on malspam or malvertising to initiate the infection process that results in the delivery of WarmCookie. WarmCookie offers a variety of useful functionality for adversaries including payload deployment, file manipulation, command execution, screenshot collection and persistence, making it attractive to use on systems once initial access has been gained to facilitate longer-term, persistent access within compromised network environments.  

In previously analyzed intrusion activity involving WarmCookie, we have observed that it is used as an initial payload and that CSharp-Streamer-RAT and Cobalt Strike were delivered following the initial WarmCookie infection.  

While analyzing the campaigns, intrusion activity, and infrastructure associated with WarmCookie over the course of 2024, we also identified multiple overlaps with activity conducted by TA866 in 2023. 

**Typical infection chains **

As previously mentioned, we have observed WarmCookie campaigns being conducted since at least April 2024. These campaigns rely on malspam or malvertising to facilitate the delivery of malicious content.  

In the case of malspam, we have observed consistent use of invoice-related and job agency themes that entice victims to access hyperlinks present in either the email body, or within attached documents, such as PDFs.  

Examples of common message subjects observed in campaigns conducted between April and August 2024 are listed below. 

*   United Rentals Inc: Invoice# [0-9]{9}\-[0-9]{3} 
*   Invoice and Remittance

In a recent campaign conducted in August, the messages contained PDF attachments. The attachment filenames were randomized but typically use the following format. 

*   Attachment_[0-9]{3}\-[0-9]{3}\.pdf

While there have been variations over time, below is a representative example of one of these emails and the associated PDF attachment. 

__WarmCookie emails and attachments.__

The PDFs contain hyperlinks that direct victims to web servers hosting malicious JavaScript files that continue the infection process. 

We have also observed WarmCookie campaigns leveraging infrastructure associated with traffic distribution and malware delivery systems. In one early campaign, we observed the use of the LandUpdates808 cluster of infrastructure described here. In observed cases, malicious JavaScript downloaders were being hosted at the following paths on servers associated with the LandUpdates808 cluster of web servers. 

/wp-content/upgrade/update\[.\]php

Regardless of whether the delivery stage of the attack was conducted via malspam or malvertising, an obfuscated JavaScript downloader is delivered that is responsible for continuing the infection process. We have observed the use of ZIP archives to compress the JavaScript file and the delivery of the JavaScript file directly from the distribution infrastructure.  

When executed, it deobfuscates and executes a PowerShell command that uses Bitsadmin to retrieve and execute the WarmCookie DLL using syntax, like that shown below. 

__PowerShell execution.__

We have observed a relatively small number of distribution servers hosting WarmCookie DLLs compared to the infrastructure used in earlier stages of the infection chain.  

**WarmCookie **

The main WarmCookie payload has been extensively analyzed in prior reporting here and here. While performing this research, newly observed WarmCookie samples were reported on social media during September 2024. We observed significant additions and changes in this latest version that demonstrate the threat actor is continuing to improve their tooling.  

We observed changes to the way the malware is executed and how persistence is achieved on infected systems. As described in prior reporting, the malware is typically delivered and executed as a PE DLL or a PE EXE. If the payload is in the DLL format, it is typically executed with specific command-line parameters that determine whether persistence should be achieved.  

In previous WarmCookie samples the execution was consistent with the following: 

rundll32.exe <DLL\_Filename>,Start /p

In the latest samples analyzed, this command-line syntax has been modified as follows: 

rundll32.exe <DLL\_Filename>,Start /u

Additionally, the user agent used during C2 communications in previous WarmCookie samples featured extraneous spaces not consistent with normal user agent strings seen in the wild. This allowed for easy detection of WarmCookie C2 activity via network traffic inspection. In the latest WarmCookie samples, this mistake has been corrected. Below is a comparison between the old and new user agent strings used during C2 communications. 

Old User Agent: 

Mozilla / 4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.0.3705)

New User Agent: 

Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0

We also observed the inclusion of a new self-updating mechanism that would enable an attacker to dynamically deliver updates to WarmCookie via the C2 server, however, this functionality did not appear to be fully implemented in the analyzed sample at the time. 

In the latest sample, changes were made to the sandbox detection mechanism present in the malware where some checks present in previous versions have been removed. 

__WarmCookie sandbox detection.__

Several changes to the C2 commands supported by the malware have also been made in the latest WarmCookie samples analyzed. The command to remove persistence and the malware itself has been deleted. New commands have been added as follows: 

*   **Command 0x8:** Supports the creation of a DLL file received from the C2 server that is assigned a temporary filename and then executed by WarmCookie.   
*   **Command 0xA**: Appears to be a prepared update command, it is like Command 0x8, but adds hardcoded parameters to the DLL:    
    C:\Windows\System32\rundll32.exe <tmpfilename.dll> Start /update
*   **Command 0xB**: Supports moving the malware to a temporary file name and location and deletes the previously scheduled task. It prepends the string ‘dat’ to the temporary filename. It also exits the C2 loop, leading to termination of the malware process. 

During the malware’s initialization and startup phase, the /update parameter of the Command 0xA is checked to determine if the parameter was set. Regardless of the result of this check, the same function is executed, as shown below. 

WarmCookie update parameter. 

Analysis suggests that the malware will continue to evolve moving forward as the threat actor continues to improve on it and adds additional functionality as needed. 

**Links to past intrusion activity **

While analyzing the distribution campaigns, infrastructure used, and post-compromise intrusion activity associated with WarmCookie, we identified multiple overlaps with previously observed malicious activity.  

In earlier WarmCookie distribution campaigns, threat actors relied on lures that appear as if they were associated with talent/job search agencies. As mentioned here, the lure documents and landing pages associated with this campaign are like those used by distributors of Ursnif in past campaigns.  

While analyzing intrusion activity associated with WarmCookie, we observed the deployment of CSharp-Streamer-RAT as a follow-on payload following the initial system compromise. CSharp-Streamer-RAT is a full-featured remote access trojan that offers robust functionality as described here.  

In this case, the sample reached out to a C2 server that was configured to use an SSL certificate that appeared to have been programmatically generated with several fields randomly populated. Using Regular Expressions to identify other servers with similar SSL characteristics, we identified three additional C2 servers, all previously associated with CSharp-Streamer-RAT samples. One of these C2 servers was observed being used by a CSharp-Streamer-RAT sample we identified in a previous intrusion that we assess with high confidence was conducted by TA866.  

The screenshot below shows the relevant fields present within the SSL certificate associated with the CSharp-Streamer-RAT C2 server observed in previous intrusion activity we attribute to TA866.  

__Previous CSharp-Streamer-RAT C2 SSL certificate.__

Below is an example of one of the SSL certificates associated with the CSharp-Streamer-RAT C2 server observed in recent WarmCookie intrusion activity. 

__Recent CSharp-Streamer-RAT C2 SSL certificate.__

Based on analysis of the system involved in this prior intrusion activity, we assess with high confidence that TA866/Asylum Ambuscade deployed CSharp-Streamer-RAT while directly operating on the system leading up to, during, and after its deployment. In the recent WarmCookie case, we also assess with high confidence that the attacker who deployed WarmCookie also deployed CSharp-Streamer-RAT following the initial compromise.

**WarmCookie vs. Resident backdoor **

As referenced here, and in prior reporting, TA866/Asylum Ambuscade has been observed delivering a post-compromise implant called Resident backdoor in prior intrusion activity. Prior reporting on WarmCookie has alluded to observed links between Resident backdoor and WarmCookie.

We performed a code and function level analysis of Resident backdoor samples from previous intrusion activity and WarmCookie samples from September 2024 and observed several notable similarities in the way core functionality has been implemented across both malware families. WarmCookie appears to contain much of the same functionality as Resident backdoor but has been significantly extended to support additional functionality.  

We assess that both were likely developed by the same entity based on the following analysis findings: 

*   The RC4 implementation is consistent across both malware families. 
*   The RC4 string decryption function implementation is consistent across both malware families. 
*   Mutex management is performed consistently across both malware families. 
*   Both malware families use GUID-like strings for the mutex. 
*   The way in which various functions were constructed and the coding conventions used is consistent. 
*   The definition of scheduled tasks to achieve persistence is consistent. 
*   Both malware families wait one minute before executing the scheduled task. 
*   The directory, file schema and parameters are similar in both malware families.  
*   The initial startup logic and command line parameter implementation are similar. 

**Code similarity analysis **

We conducted a similarity analysis of the code execution flow between both Resident backdoor and a recent WarmCookie sample that was shared on social media. We observed consistent implementation of core functionality across both as well as consistent use of coding conventions across both malware families. 

**Task Scheduler implementation **

If the malware is initially executed without supplying any parameters, both Resident and WarmCookie first determine if the initially launched application was a PE DLL or an PE EXE. Depending on the result, they either create a filename with the extension “.dll" or “.exe". Also based on the results of this test, they both create a scheduled task via the Windows Task Scheduler, which spawns a copy of the malware after waiting for 60 seconds. In the case that the initially launched application was a PE DLL, rundll32.exe is used to launch the malware. In the case of a PE EXE file, it is executed directly.  

They both attempt this in the %ALLUSERSPROFILE% directory, if that fails, they try it again in %ALLDATA% directory. 

__WarmCookie startup parameters.__

__WarmCookie persistence mechanism.__

__Resident backdoor startup parameters.__

__Resident backdoor persistence mechanism.__

__Resident backdoor persistence mechanism (cont’d).__

The overall startup logic is also the same in both Resident backdoor and WarmCookie. At the beginning of the startup process both check to determine if the malware was executed with a command line switch. In the case of the Resident backdoor, it is ‘/p’; in the case of WarmCookie it is ‘/u’. This parameter tells the application whether it is the first instance of itself or if the running version is the former copied version, which was previously made persistent via the Task Scheduler. This prevents multiple scheduled tasks from being created once the malware has achieved persistence.  

__WarmCooke startup logic.__

__Resident backdoor startup logic.__

One slight difference is that Resident uses the hardcoded string ‘RtlUpd’ to generate the filename for the scheduled task, whereas WarmCookie uses a hardcoded list of company names and randomly selects one, as shown below: 

__WarmCookie filename list.__

Based on our analysis of Resident backdoor and WarmCookie, we assess that they were likely developed by the same entity. While there are significant overlaps in the code and functionality implementations across Resident backdoor and WarmCookie, WarmCookie contains significantly more robust functionality and command support compared to Resident backdoor. Additionally, while WarmCookie has typically been deployed as an initial access payload in intrusion activity we have analyzed, Resident backdoor was deployed post-compromise following the deployment of several other components such as WasabiSeed, Screenshotter and AHK Bot.  

Given the differences in functionality and where each is encountered in the attack lifecycle, we classify Resident and WarmCookie as separate malware families that have been developed by the same threat actor. 

**Coverage **

Ways our customers can detect and block this threat are listed below. 

 Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The following Snort rule(s) have been developed to detect activity associated with this malicious activity.  

*   Snort 2 SIDs: 64139, 64140, 64141, 64142, 64143, 64144, 64145, 64146, 64147, 64148, 64149, 64150, 64151, 64152, 64153, 64154, 64155, 64156, 64157, 64158, 64159, 64160, 64161, 64162. 
*   Snort 3 SIDs: 64153, 64154, 64155, 64156, 64157, 64158, 64159, 64160, 64161, 64162, 301044, 301045, 301046, 301047, 301048, 301049, 301050.  

The following ClamAV signatures have been developed to detect activity associated with this malicious activity.  

*   Js.Downloader.Agent-10022279-0  
*   Vbs.Downloader.Agent-10022291-0  
*   Win.Trojan.WasabiSeed-10022304-0  
*   Js.Trojan.Screenshotter-10022306-0  
*   Js.Trojan.Agent-10022307-0  
*   Win.Trojan.Lazy-10022308-0  
*   Win.Trojan.Screenshotter-10022309-0  
*   PUA.Win.Tool.NetPing-10022493-0  
*   Win.Malware.CobaltStrike-10022494-0  
*   PUA.Win.Tool.AutoHotKey-10022305-1  
*   PUA.Win.Tool.RemoteUtilities-9869515-0  
*   PUA.Win.Tool.AdFind-9962378-0   
*   Txt.Downloader.AHKBot-10024463-0  
*   Ps1.Malware.CobaltStrike-10024466-0  
*   Win.Infostealer.Rhadamanthys-10024467-0  
*   Txt.Infostealer.Rhadamanthys-10024468-0  
*   Win.Backdoor.Agent-10025011-0  
*   Vbs.Trojan.Screenshotter-10025015-0  
*   Win.Malware.Warmcookie-10036688-0 
*   Win.Malware.CSsharpStreamer-10036641-0 

**Indicators of Compromise **

Indicators of compromise associated with WarmCookie/BadSpace activity can be found in our GitHub repository here.

Threat Spotlight: WarmCookie/BadSpace

TA866 (also known as Asylum Ambuscade) is a threat actor that has been conducting intrusion operations since at least 2020.

Highlighting TA866/Asylum Ambuscade Activity Since 2021

Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor.

*   Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor.  
*   The campaign involves modular infection chains that are either Maldoc or HTML-based infections and require the victim’s intervention to trigger the infection chain.  
*   Talos discovered an undocumented PowerShell RAT we’re calling PowerRAT,  as one of the payloads and another infamous Remote Access Tool (RAT) DCRAT. 
*   We found a few placeholders for base64 encoded PowerShell scripts in the PowerRAT, indicating that the threat actor is actively developing their tools.  

**Victimology **

Talos assesses with high confidence that the threat actor is targeting Russian-speaking users based on the language used in the Phishing emails, luring contents of Malicious documents, a masqueraded HTML webpage of Vkontake (VK), a popular social media application amongst Russian speakers, especially in Russia, Ukraine, Belarus, Kazakhstan, Uzbekistan, and Azerbaijan.  

 

 

**Actor uses Gophish to send phishing emails **

Our analysis of the malicious hyperlinks embedded in the phishing emails disclosed to us the attacker-controlled hosting domains disk-yanbex\[.\]ru delivered the Malicious Microsoft Word document, and an HTML file embedded with the malicious JavaScript.   

The domain disk-yanbex\[.\]ru resolves to the IP address 34\[.\]236\[.\]234\[.\]165, an AWS EC2 instance with the fully qualified domain name ec2-34-236-234-165\[.\]compute-1\[.\]amazonaws\[.\]com, during our analysis. We also observed that the same server 34\[.\]236\[.\]234\[.\]165 was reverse resolving to another domain e-connection\[.\]ru, which also delivered malicious JavaScript-embedded HTML files. Our further analysis of the server 34\[.\]236\[.\]234\[.\]165 disclosed to us that the actor hosted the Gophish toolkit on the server running at port number 3333. Gophish is an Open-Source easy-to-deploy phishing toolkit that is developed to conduct security awareness training according to the tool’s developer.  

Attacker hosting Gophish.

Talos analysis of the phishing email sample’s header showed us that the email was first delivered from server 34\[.\]236\[.\]234\[.\]165, indicating that the threat actor is misusing the Gophish framework in this campaign to deliver phishing emails to their targets.   

Sample Phishing email header. 

**Multi-modular Campaign delivers PowerRAT and DCRAT  **

The campaign has two initial attack vectors, one based on malicious Word documents and another based on HTML files containing malicious JavaScript. Upon activation, these would lead to the download and activation of PowerRAT or DCRAT depending on the initial vector. Both the attack chains require user intervention to trigger the infections on the compromised machines. 

**Maldoc-based infection delivers PowerRAT **

When a victim opens the Microsoft Word document and enables the view contents button displayed in the document banner, the malicious VB macro program executes.  

The macro program initially executes a function that decodes or translates specific encoded symbols in the lure contents of the Word document into their corresponding characters from another alphabet in Cyrillic, transforming the lure contents into readable form. 

We spotted a base64 encoded data blob on the third page of the Word document and the actor used the text color the same as that of the document's default background color, hiding them from the victim’s view.  

To identify the hidden encoded data, the macro executes a function that searches for specific strings such as “DigitalRSASignature:” and “CHECKSUM” in the content section of the Word document, and when found, it copies the data following the search strings to an array.  

To decode the base64 encoded data blob, the actor uses a custom function called CheckContent() in the macro. It removes any “=” characters which are the padding characters in the encoded data blob and decodes them into two parts in a byte array. The first part is the contents of a malicious HTML application (HTA) file and the second is a PowerShell loader.  

The macro drops the decoded contents of the malicious HTA file to “UserCache.ini.hta” and the PowerShell loader into “UserCache.ini” in the victim machine's current user profile folder.   

The actor has abused the Windows NT current version autorun registry key called “LOAD”. The registry key “HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LOAD” is used by Windows to automatically launch applications or processes when a user logs into their account. Specifically, this key stores information about programs that are set to load upon user login. It works similarly to other startup mechanisms in Windows (such as the Startup folder or the Run registry keys), but this specific key is less commonly used. The macro after dropping the malicious HTA and the PowerShell loader script in the victim machine user profile folder, it configures the registry key “HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LOAD” with the value “C:\\Users\\<Username>\\UserCache.ini.hta”. 

Finally, the macro checks if there are any headers in the Word documents and deletes the contents of the headers from all sections of the Word document.  

The malicious HTA “UserCache.ini.hta” is executed through the LOAD registry key when a victim logs into the machine. It drops a JavaScript called “UserCacheHelper.lnk.js” in the victim machine user profile folder and writes a single line code embedding with a PowerShell command to execute the dropped PowerShell Loader masquerading as “UserCache.ini” file. The HTA file executes the JavaScript “UserCacheHelper.lnk.js” using the LOLbin “cscript.exe”. 

Sample of malicious HTA file.

The dropped JavaScript “UserCacheHelper.lnk.js” loads the contents of the “UserCache.ini” and executes it using the Invoke-Expression PowerShell command. The PowerShell Loader script masquerading as the INI file contains base64 encoded data blob of the payload PowerRAT, which decodes and executes in the victim’s machine memory.   

Sample PowerShell Loader script embedded with PowerRAT.

**PowerRAT expands the attack vector for further infections  **

Talos discovered a new PowerShell remote access tool as one of the payloads in this campaign we are calling PowerRAT that executes in the victim’s machine memory. It has the functionality of executing other PowerShell scripts or commands as directed by the C2 server, enabling the attack vector for further infections on the victim machine.   

The PowerRAT that executes in the victim machine memory initially checks if the JavaScript “UserCacheHelper.lnk.js” exists in the user profile folder and if not found, it will reinfect the victim machine by performing the actions of the PowerShell loader script described in the previous section. Then it hides the “UserCache.ini” by modifying the file attributes to “Hidden”. 

The PowerRAT performs reconnaissance on the victim’s machine by executing a function GetID() which collects the username, computer name, and the system driver letter through the PowerShell command Get-CimInstance. It also collects the drive serial number through the win32\_volume class of WMIobject.  The collected data is written to memory in the format <Computername\_Username\_drive serial number>. 

After performing the reconnaissance, the PowerRAT attempts to connect to the C2 server by sending the collected data of the victim’s machine using a hardcoded URL through the HTTP GET method.  The C2 servers identified in this campaign are 94\[.\]103\[.\]85\[.\]47 located in Russia with the ASN 48282 of Hosting Technology LTD and 5\[.\]252\[.\]176\[.\]55 also geographically located in Russia with the ASN 39798 of MivoCloud SRL.  

When there is no response from the C2 server, the PowerRAT has a placeholder function called offlineworker() that has the functionality to decode an embedded base64 encoded string of a PowerShell script and executes it using the Invoke-Expression command. The actor has built this functionality to keep the infection alive in the victim machine even if the victim's environment detects the malicious C2 traffic and blocks the connection. We didn’t see any embedded base64 encoded strings in the PowerRAT sample that we analyzed and is likely a placeholder, indicating that the actor is actively developing and updating their tools.  

The PowerRAT generates a random number between 7 - 23 and pauses its execution for (300 + random number) seconds and re-attempts to connect to the C2 server continuously waiting for a response. During our analysis, the C2 servers were not responding, and still, our further analysis of the PowerRAT showed us that the C2 server will likely respond with an XML configuration file having multiple modules with embedded base64 encoded PowerShell commands or scripts.   

The PowerRAT has the functionality to parse the received XML file and search for the sections called config.  It periodically executes the embedded encoded PowerShell commands or scripts, according to their defined intervals and run limits. The PowerRAT continues to run until all commands or scripts in the config sections are executed the required number of times.   

**HTML-based infection delivers DCRAT **

Talos discovered that the threat actor is also using HTML files embedded with malicious JavaScript in this campaign that are delivered to the victims through the malicious links in the phishing email, leading to the infection of the DCRAT payload.  

When a victim clicks on the malicious link in the phishing email, a remotely located HTML file containing the malicious JavaScript opens in the victim machine’s browser and simultaneously executes the JavaScript. The JavaScript has a base64 encoded data blob of a 7-ZIP archive of a malicious SFXRAR executable. It decodes the embedded base64 encoded data blob into binary data blob with the type “application/octet-stream” in the memory. A download URL for the binary data blob is created using the URL.createObjectURL() method and assigned to a variable in memory. It calls the click() method on the URL of the binary data blob which triggers the download of the binary data to a 7-Zip archive file. The malicious 7-Zip archive masquerades as the VK messenger application archive file in one of the malicious HTML files and another with a Russian name. The actor is using this technique in the JavaScript function to masquerade as the actual download activity of a file over the internet through a browser.  

A victim must inflate the 7-Zip archive manually to run the SFXRAR executable which is masquerading as the legitimate VK application executable which leads to DCRAT infection. The SFX RAR executable is packaged with the malicious loader or dropper executables, batch file, and a decoy document in some samples.  

When a victim runs the SFX executable, the SFX script drops the packaged files into a folder and executes the batch file which runs another password-protected SFXRAR with the hardcoded password “riverdD” and runs the DCRAT.   

In another sample, we observed that the SFXRAR drops the GOLoader and the decoy document Excel spreadsheet in the victim machine user profile applications temporary folder and runs the GOLoader along with opening the decoy document.   

Talos observed an overlap of the technique used by the threat actor in this campaign with an earlier SparkRAT attack reported by Hunt researchers in April 2024, indicating that SparkRAT is another payload in the threat actor’s arsenal. 

**GOLoader downloads and runs the DCRAT **

In DCRAT infection, the SFX script runs a malicious Loader executable and simultaneously opens a decoy document. The malicious loader executable we are calling “GOLoader” is compiled in Golang. It modifies the configuration settings for Microsoft Defender Antivirus, specifically by excluding the root directory “C:\\” and the folder “C:\\Users\\$user\\Desktop” in the victim machine by executing the PowerShell commands.  

powershell -Command Add-MpPreference -ExclusionPath 'C:\\Users\\$user\\Desktop'

powershell -Command Add-MpPreference -ExclusionPath 'C:\\'

After configuring the exclusion paths, the GOLoader downloads the DCRAT binary data stream from a remote location through a hardcoded URL and writes it into a dropped executable with the file name “file.exe” in the desktop folder on the victim’s machine. During our analysis, we found that the remote location URL hardcoded in the GOLoader was pointing to a GitHub repository, which was not accessible. However, we found that the hosted payload binary in the GitHub repository is the Dark Crystal RAT (DCRAT) binary based on open-source intelligence data.   

**Threat actor delivers DCRAT **

The payload Dark Crystal RAT (DCRAT) sample that we analyzed in this campaign is a modular RAT associated with plugins to perform the DLL injection and information stealing tasks.  

Key features of the DCRAT sample of this campaign include: 

*   Provides remote control access to the victim machine to the actor who can execute arbitrary commands, manage files, and monitor user activities.  
*   It has the capability of downloading and executing other files on the victim's machine. 
*   With its stealer plugin modules, the RAT can steal sensitive information including credentials, files, and financial information from the victim's machine.  
*   The RAT can take screenshots and capture the keystrokes on the victim's machine. 
*   We found that the RAT creates multiple copies of its binary masquerading as legitimate Windows executables including csrss.exe, dllhost.exe, taskhostw.exe, and winlogon.exe in the folders such as ProgramData, Pictures, Saved Games, and Windows start menu. It drops the embedded modules in the administrator user desktop folder using random file names and with the “.log” file extension.  

C:\\Users\\admin\\Desktop\\zaHrebVC.log

C:\\Users\\admin\\Desktop\\HQLYdHol.log

C:\\Users\\admin\\Desktop\\qJutJUJW.log

C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\taskhostw.exe

C:\\ProgramData\\dllhost.exe

C:\\Users\\Default\\Pictures\\csrss.exe

C:\\Users\\Default\\Saved Games\\winlogon.exe

*   It establishes persistence on the victim machine by creating several Windows tasks to run at different intervals or during the Windows login process. 

Task Scheduler Commands

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\\Users\\Default\\Saved Games\\winlogon.exe'" /f

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\\Users\\Default\\Saved Games\\winlogon.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\\Users\\Default\\Saved Games\\winlogon.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\\Users\\Default\\Pictures\\csrss.exe'" /f

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\\Users\\Default\\Pictures\\csrss.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\\Users\\Default\\Pictures\\csrss.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\\Users\\Public\\dllhost.exe'" /f

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\\Users\\Public\\dllhost.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\\Users\\Public\\dllhost.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\\Users\\All Users\\dllhost.exe'" /f

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\\Users\\All Users\\dllhost.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\\Users\\All Users\\dllhost.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\\Users\\Default\\Start Menu\\taskhostw.exe'" /f

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\\Users\\Default\\Start Menu\\taskhostw.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\\Users\\Default\\Start Menu\\taskhostw.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "filef" /sc MINUTE /mo 13 /tr "'C:\\Users\\admin\\AppData\\Local\\Temp\\file.exe'" /f

schtasks.exe /create /tn "file" /sc ONLOGON /tr "'C:\\Users\\admin\\AppData\\Local\\Temp\\file.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "filef" /sc MINUTE /mo 9 /tr "'C:\\Users\\admin\\AppData\\Local\\Temp\\file.exe'" /rl HIGHEST /f

*   The RAT communicates to the C2 server through a URL hardcoded in the RAT configuration file as shown in the picture and exfiltrates the sensitive data collected from the victim machine. From other DCRAT samples identified in this campaign, we found another C2 URL “hxxp\[://\]cr87986\[.\]tw1\[.\]ru/L1nc0In\[.\]php”.  

Sample of DCRAT configuration file. 

****Coverage** **

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 63963 – 63970, 63971 and 301004. 

ClamAV detections are also available for this threat: 

Win.Downloader.RustAgent-10036537-0 

Win.Downloader.RustAgent-10036538-0 

Win.Downloader.RustAgent-10036539-0 

Win.Downloader.GoAgent-10036540-0 

Win.Backdoor.PowershellRAT-10036541-0 

Win.Phishing.VbsAgent-10036542-0 

Win.Phishing.JsAgent-10036543-0 

Win.Loader.PowershellLoader-10036544-0 

Win.Loader.HtaAgent-10036545-0 

Win.Loader.DonutLoader-10036546-0

**IOCs **

IOCs for this research can be found in our GitHub repository here.

Threat actor abuses Gophish to deliver new PowerRAT and DCRAT

As the Akira ransomware group continues to evolve its operations, Talos has the latest research on the group's attack chain, targeted verticals, and potential future TTPs.