di_blog_post

Deep Instinct prevents more advanced threats than any EPP or EDR in the world.

Deep Instinct Blog: Breaking News and Updates

Prevention Platform

Prevention for Applications

Prevention for Storage

Prevention for Endpoints

Products

Data Security

Prevent Ransomware

Prevent Zero-Day Attacks

Improve EPP Efficacy

Extend & Enhance EDR

Stop Fileless Attacks

Solutions

Deep Learning in Cybersecurity

Our Customers

+ MS Defender

VS Traditional Antivirus

Why Deep Instinct

About Deep Instinct

Newsroom

Careers

Contact Us

Company

Asset Library

Blog

Videos

Training

Resources

Request Demo

Customer Portal

Integrations and Compliance

Quick links

Threat Research

Voice Of SecOps

Events & Webinars

Leadership Team

Board of Directors

Partners

Login

content_block

Perspective & Findings

<h4>Don’t Let Application File Uploads Become Malware Downloads</h4>

file-upload-security-blog.jpg

Recent Blog Posts

Listing preview

Perspective & Findings

image_media_card

Recent Blog Posts

listing_preview

BPFDoor Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game

Who is the only NEW vendor in the 2022 Gartner® Magic Quadrant™ for Endpoint Protection Platforms?

ChatGPT and Malware: Making Your Malicious Wishes Come True

Top-3 Drawbacks of Content Disarm + Reconstruction (CDR) for Malware Prevention

LSASS Memory Dumps are Stealthier than Ever Before

LSASS memory dumps

Trending at Deep Instinct

carousel_cards

blog-image-muddyc2go.jpg

The contents of this blog post were originally scheduled to be presented during an upcoming cybersecurity conference. However, interest in this topic has heightened due to the war in Israel and a suspected ongoing attack against Israeli targets. As such, we have decided to publish the relevant findings from the presentation now.<h5>Executive Summary:</h5><ul><li>Deep Instinct’s Threat Research team has identified a previously unreported C2 framework suspected to be in use by MuddyWater</li><li>The C2 framework may have been in use by the MuddyWater group since at least 2020</li><li>The framework’s web component is written in the Go programming language – hence the name we gave it: MuddyC2Go</li><li>MuddyWater seems to have stopped using PhonyC2 and is now using MuddyC2Go instead</li></ul><h5>Background</h5>In June 2023, we published a report about <a href="https://www.deepinstinct.com/blog/phonyc2-revealing-a-new-malicious-command-control-framework-by-muddywater" target="_self">PhonyC2</a>, a custom C2 framework used by the MuddyWater APT group.While analyzing previous PhonyC2 infrastructure, Deep Instinct uncovered anomalies that indicated MuddyWater might be using an additional C2 framework.At that time, we lacked sufficient evidence to support this claim. However, after we published our PhonyC2 research, we observed two IP addresses previously related to MuddyWater, one of those addresses which was hosting PhonyC2 had switched to a different C2 framework delivering a PowerShell payload.This behavior heightened suspicions of a new C2 framework. However, without seeing and observing the initial payload, those IP addresses could have been internal tests by MuddyWater before fully deploying the C2.Recently, Deep Instinct observed similar C2 activity on a different cluster of IP addresses that has not been associated previously with MuddyWater.This new activity’s initial payload confirmed our assessment that this activity is related to MuddyWater.<h5>Current MuddyWater Activity Using MuddyC2Go</h5><a href="https://www.deepinstinct.com/blog/new-muddywater-threat-old-kitten-new-tricks" target="_self">Previous research</a> has shown typical MuddyWater TTPs include spear-phishing emails containing archives or links to archives that include various legitimate remote administration tools.If the receiving target opens the file inside the archive, it installs a remote administration tool that allows the attacker to execute additional tools and malware, including MuddyWater’s PhonyC2.Deep Instinct observed the following changes in recent activity:<ul><li>The archives are now password protected. This is done to evade email security solutions that scan files inside archives without a password.</li><li>Instead of using a remote administration tool where an operator executes a PowerShell script to connect to MuddyWater’s C2, a new executable is now being sent. This executable contains an embedded PowerShell script that automatically connects to MuddyWater’s C2, eliminating the need for manual execution by the operator.</li></ul>Let’s examine several examples of this new C2 framework.<h5>July 2023 – Attack Against Jordanian Company</h5>Deep Instinct identified a file named “offtec.exe” which is an executable. Offtec is also the name of a Jordanian company.When executed, it runs a PowerShell script which connects to a MuddyC2Go server located at the IP address 45.150.64[.]239.The executable was built using PowerGUI from Quest Software. This tool allows the user to generate an executable that runs an embedded PowerShell script that is provided by the user.<figure style = "margin: auto; text-align: center;width: auto;"><img alt="Figure 1: PowerGUI logo" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt2e55ad6e0e12cbe2/654af2a5b42e39040a69a428/fig1-PowerGUI-Logo.png" height="auto" style="margin: auto;text-align: center;width: auto;" /><figcaption style = "text-align: center;" style="text-align: center;">Figure 1: PowerGUI logo</figcaption></figure>After communicating with the C2, the communication is switched to dynamic DNS using the address “microsoftfice.ddns[.]net”The response from the C2 is again a PowerShell script that runs every 10 seconds and waits for commands from the operator using the C2:<figure style = "margin: auto; text-align: center;width: auto;"><img asset_uid="blt0f5f4af3edeedf94" alt="Figure 2: Part of the PowerShell code sent from the C2" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt0f5f4af3edeedf94/654af2a5b42e39040a69a424/fig2-Powershell-C2-Code.png" height="auto" style="margin: auto;text-align: center;width: auto;" /><figcaption style = "text-align: center;" style="text-align: center;">Figure 2: Part of the PowerShell code sent from the C2</figcaption></figure><h5>September 2023 – Attacks Against an Iraqi Telecommunications Provider</h5>In September, Deep Instinct identified additional variants of executables created with PowerGUI. The executables have been spread via password-protected RAR archives.The archives were uploaded from Iraq and their file name included the word “Korek.”<figure style = "margin: auto; text-align: center;width: auto;"><img asset_uid="bltaca79be7f5b4795d" alt="Figure 3: KorekPro file on VT" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/bltaca79be7f5b4795d/654af2a5b3460c040a0b095a/fig3-KorekPro-VT.png" height="auto" style="margin: auto;text-align: center;width: auto;" /><figcaption style = "text-align: center;" style="text-align: center;">Figure 3: KorekPro file on VT</figcaption></figure><a href="https://en.wikipedia.org/wiki/Korek_Telecom" target="_blank">Korek</a> is an Iraqi-Kurdish mobile phone operator. MuddyWater targeted Korek in <a href="https://mp-weixin-qq-com.translate.goog/s/NN_iRvwA6yOHFS9Z3A0RBA?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp" target="_blank">2019</a>.In this attack, the C2 IP addresses and dynamic DNS were different: ghostrider.serveirc[.]com<h5>October 2023 – “Swords of Iron” War</h5>While Iranian involvement in the war is still being investigated, on October 11, the fourth day of the war, Deep Instinct identified a scan of the MuddyC2Go URL from Israel in VirusTotal.Because the URL is unique and responded with PowerShell, it likely indicates there was a recent attack against an Israeli target by MuddyWater. This is also supported by our recent discovery of <a href="https://www.deepinstinct.com/blog/muddywater-en-able-spear-phishing-with-new-ttps" target="_self">another active campaign</a> from MuddyWater against Israeli targets.Deep Instinct could not identify an associated PowerGUI executable for this attack, although there could have been a different initial access vector to the attack that didn’t rely on social engineering.The C2 IP address that was used this time is 94.131.109[.]65.<h5>Attribution</h5>While investigating the PhonyC2 framework (written in Python) and its infrastructure, Deep Instinct identified servers responding with a generic “web.go” header. This header suggests MuddyWater is using a web application written in the Go programming language.In 2022, Mandiant <a href="https://www.mandiant.com/resources/blog/telegram-malware-iranian-espionage" target="_blank">reported</a> that MuddyWater wrote malware using Go, showing they are capable of using this language. However, the malware is “client-side,” whereas the C2 framework is “server-side.” As such, they are likely unrelated.Deep Instinct was able to find traces of a Go-based C2 framework used by MuddyWater dating back to the beginning of 2020.Deep Instinct identified 162.223.89[.]11 as the first IP address publicly attributed to MuddyWater using MuddyC2Go.Both <a href="https://www.secureworks.com/blog/business-as-usual-for-iranian-operations-despite-increased-tensions" target="_blank">SecureWorks</a> and <a href="https://blog.talosintelligence.com/iranian-apt-muddywater-targets-turkey/" target="_blank">Talos</a> reported a malicious Excel file (63e404011aeabb964ce63f467be29d678d0576bddb72124d491ab5565e1044cf) in January and February. When this file is opened, the malicious execution chain eventually leads to the C2 server 162.223.89[.]11.In May 2020, this IP address was <a href="https://www.virustotal.com/gui/url/dfe4269ae77af4ebd2f20156c7d1fb0eff05af17c25de4acadfda1b8f64e352f/details" target="_blank">observed</a> using MuddyC2Go.The IP address 109.201.140[.]103 has not been previously associated with MuddyWater. However, multiple scans from January, including one from Egypt, which aligns with MuddyWater’s interests and timeframe of above reports, contains unique URLs that are used by MuddyC2Go. Additionally, there is <a href="https://www.virustotal.com/gui/url/44b00e2d17de6df7ff6bcd27cff9f932e6c41052e3dce4603a55cbf41e153aca/details" target="_blank">scan</a> for a file named ssf.zip on this IP. Secure Sockets Funneling (SSF) was mentioned in the SecureWorks report as a tool used by MuddyWater.SSF is a tool that has been <a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east" target="_blank">reported</a> by multiple security vendors to be part of MuddyWater’s arsenal.In February 2022, CISA <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-055a" target="_blank">published</a> indicators that signal MuddyWater activity, including the IP address 164.132.237[.]65.In March 2022, this address was <a href="https://www.virustotal.com/gui/url/39e38246cd33cd971ad6760207ad8faa7384536ef4a8cc487bcc4d4bc2d75390/details" target="_blank">observed</a> to be a MuddyC2Go server. It was previously <a href="https://www.security.ntt/blog/analysis-of-an-iranian-apts-e400-powgoop-variant" target="_blank">associated</a> with PowGoop.In April 2022, the IP address 141.95.177[.]130 was <a href="https://www.virustotal.com/gui/url/4a503712ccf32917b95fea40eb9d2ddc2f7c4e51552beb4cc179a6f1dd650f10/details" target="_blank">observed</a> hosting MuddyC2Go. Additionally, the passive DNS of this IP resolved to jbf1.nc1310022a[.]biz, a pattern that was already observed with PhonyC2 servers. A year later, in April 2023, Group-IB <a href="https://www.group-ib.com/blog/muddywater-infrastructure/" target="_blank">associated</a> this IP address to MuddyWater via a specific ETag header that was used in numerous MuddyWater servers.In the same report, Group-IB identified an LNK <a href="https://www.virustotal.com/gui/file/2528838a609aa143769efb37dff45af723868d4ed33eb1ce0e2d6ce64b2a1507/relations" target="_blank">file</a> from October 2022 that was communicating with the IP address 91.121.240[.]108. The <a href="https://www.virustotal.com/gui/url/c644ec1f939c1f072e7384ef6804f0a432f81b3c78acf8e0e9eedd44d6d0d55b/details" target="_blank">responses</a> from this IP indicate that it was MuddyC2Go. In addition, the LNK file was inside an archive named “request-for-service-no10102022.zip” The naming convention is very <a href="https://www.virustotal.com/gui/file/1670a59f573037142f417fb8c448a9022c8d31a6b2bf93ad77a9db2924b502af/details" target="_blank">similar</a> to the naming convention MuddyWater used in their <a href="https://www.deepinstinct.com/blog/new-muddywater-threat-old-kitten-new-tricks" target="_self">Syncro campaign</a>.Both Group-IB and Deep Instinct have <a href="https://www.deepinstinct.com/blog/phonyc2-revealing-a-new-malicious-command-control-framework-by-muddywater" target="_self">linked</a> the IP address 137.74.131[.]18 to MuddyWater. Deep Instinct initially observed PhonyC2 at this address, and after our publication, MuddyWater switched to MuddyC2Go on this IP address. Additionally, the IP address 137.74.131[.]20—which was previously reported by Group-IB —also started to host MuddyC2Go.<h5>Conclusion</h5>Due to the leak of PhonyC2 source code, MuddyWater stopped using the framework and switched to using a Go-based C2 framework. Since the actual source code of the new framework is not available, the full capabilities are unknown. However, based on past leaks and associated known activity, this is another framework that generates PowerShell payloads that MuddyWater uses in the “Actions on Objectives” phase in the “<a href="https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html" target="_blank">Cyber Kill Chain</a>.” PowerShell has always been the bread and butter of MuddyWater operations.We recommend disabling PowerShell if it is not needed. If it is enabled, we recommend close monitoring of PowerShell activity.While it is not trivial to fingerprint the MuddyC2Go framework, as it looks like any other generic web application written in Go, Deep Instinct managed to identify previous attacks dating back to 2020 due to unique URL patterns generated by the framework.Currently, Deep Instinct has identified all known active MuddyC2Go servers hosted at “Stark Industries,” a VPS provider known to host malicious activity. Deep Instinct identified additional suspected MuddyC2Go servers hosted at Stark Industries without any malicious activity or known URL pattern.Additional IOCs and information regarding Iranian Threat Actors can be found in our <a href="https://github.com/deepinstinct/Israel-Cyber-Warfare-Threat-Actors" target="_blank">Git</a>.<h5>IOCs:</h5>Network<table style="width: 100%;"><thead class="bg-grey"><tr><th>IP Address</th><th>Description</th></tr></thead><tbody><tr><td>91.121.61[.]76</td><td>MuddyC2Go (2020)</td></tr><tr><td>109.201.140[.]103</td><td>MuddyC2Go (2020)</td></tr><tr><td>162.223.89[.]11</td><td>MuddyC2Go (2020)</td></tr><tr><td>164.132.237[.]65</td><td>MuddyC2Go (2022)</td></tr><tr><td>141.95.177[.]130</td><td>MuddyC2Go (2022) – (jbf1.nc1310022a[.]biz)</td></tr><tr><td>91.121.240[.]108</td><td>MuddyC2Go (2022)</td></tr><tr><td>137.74.131[.]18</td><td>MuddyC2Go (2023) – (qjk2.6nc051221c[.]co)</td></tr><tr><td>137.74.131[.]20</td><td>MuddyC2Go (2023)</td></tr><tr><td>45.150.64[.]239</td><td>MuddyC2Go (2023) – (microsoftfice.ddns[.]net)</td></tr><tr><td>95.164.46[.]35</td><td>MuddyC2Go (2023) – (ghostrider.serveirc[.]com)</td></tr><tr><td>45.67.230[.]91</td><td>MuddyC2Go (2023) – (Stark Industries)</td></tr><tr><td>94.131.109[.]65</td><td>MuddyC2Go (2023) – (Stark Industries)</td></tr><tr><td>95.164.46[.]199</td><td>MuddyC2Go (2023) – (Stark Industries</td></tr><tr><td>185.248.144[.]158</td><td>Suspected MuddyC2Go (2023) – (Stark Industries) – (mbcaction.hopto[.]org)</td></tr><tr><td>94.131.98[.]14</td><td>Suspected MuddyC2Go (2023) – (Stark Industries)</td></tr><tr><td>45.150.64[.]23</td><td>Suspected MuddyC2Go (2023) – (Stark Industries)</td></tr><tr><td>45.150.64[.]39</td><td>Suspected MuddyC2Go (2023) – (Stark Industries)</td></tr><tr><td>95.164.38[.]99</td><td>Suspected MuddyC2Go (2023) – (Stark Industries)</td></tr></tbody></table>File<table style="width: 100%;"><thead class="bg-grey"><tr><th>MD5</th><th>Description</th></tr></thead><tbody><tr><td>34212eb9e2af84eceb6a8234d28751b6</td><td>PowerShell response from 137.74.131[.]18</td></tr><tr><td>3c6486dfb691fc6642f1d35bdf247b90</td><td>PowerShell response from 137.74.131[.]18</td></tr><tr><td>55b99af81610eb65aabea796130a0462</td><td>PowerShell response from 137.74.131[.]18</td></tr><tr><td>d7ca8f3b5e21ed56abf32ac7cb158a7e</td><td>PowerShell response from 137.74.131[.]18</td></tr><tr><td>d3a2dee3bb8fcd8e8a0d404e7d1e6efb</td><td>PowerShell response from 137.74.131[.]20</td></tr><tr><td>4a70b1e4cb57c99502d89cdbbed48343</td><td>PowerShell response from 137.74.131[.]20</td></tr><tr><td>f08aa714fd59b68924843cbfddac4b15</td><td>PowerShell response from 137.74.131[.]20</td></tr><tr><td>db0e68d7d81f5c21e6e458445fd6e34b</td><td>offtec.exe (C2: 45.150.64[.]239)</td></tr><tr><td>dbcc0e9c1c6c1fff790caa0b2ffc2fe5</td><td>PowerShell script embedded in offtec.exe</td></tr><tr><td>e07adc4ee768126dc7c7339f4cb00120</td><td>PowerShell response from 45.150.64[.]239</td></tr><tr><td>feede05ba166a3c8668fe580a3399d8f</td><td>Performance.rar – Password protected archive</td></tr><tr><td>9894b84916f9264d897fe3b4a83bc608</td><td>KorekFile.rar – Password protected archive</td></tr><tr><td>9957250940377b39e405114f0a2fe84b</td><td>Performance/KorekFile.exe (C2: 95.164.46[.]35)</td></tr><tr><td>245c3ed373727c21ad9ee862b767e362</td><td>PowerShell script embedded in Performance/KorekFile</td></tr><tr><td>22971759adf816c6fb43104c0e1d89d6</td><td>PowerShell response from 95.164.46[.]35</td></tr><tr><td>5e0cc23a6406930a40696594021edb5f</td><td>KorekPro.rar – Password protected archive</td></tr><tr><td>79a638b2f2cc82bfe137f1d12534cda5</td><td>d.exe (C2: 95.164.46[.]35)</td></tr><tr><td>fc523904ca6e191eb2fdb254a6225577</td><td>PowerShell script embedded in d.exe</td></tr><tr><td>b867ec1cef6b1618a21853fb8cafd6e1</td><td>PowerShell response from 45.67.230[.]91</td></tr><tr><td>57641ce5af4482038c9ea27afcc087ee</td><td>PowerShell response from 94.131.109[.]65</td></tr><tr><td>fe5f94e5df19d95df26aaf774daad9df</td><td>PowerShell response from 95.164.46[.]199</td></tr></tbody></table>

MuddyC2Go – Latest C2 Framework Used by Iranian APT MuddyWater Spotted in Israel

MuddyWater Unleashed a New Social Engineering Campaign Against Israel During the Israel-Hamas War.

blog-muddywater-en-able.jpg

<h5>Executive summary:</h5><ul><li>Deep Instinct’s Threat Research team has identified a new campaign from the “MuddyWater” group</li><li>The campaign has been observed attacking two Israeli targets</li><li>The campaign exhibits updated TTPs to previously reported MuddyWater activity</li></ul><figure style = "margin: auto; text-align: center;width: auto;"><img alt="Figure 1: Campaign overview " src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt6790e59d9363b777/65426ffc4ed3b2001a90c710/fig1-muddywater-campaign-overview.png" height="auto" style="margin: auto;text-align: center;width: auto;" /><figcaption style = "text-align: center;" style="text-align: center;">Figure 1: Campaign overview</figcaption></figure><h5>Introduction</h5><a href="https://www.deepinstinct.com/blog/new-muddywater-threat-old-kitten-new-tricks" target="_self">Previous</a> research showed that MuddyWater has sent spear-phishing emails, starting back in 2020, with direct links, as well as PDF, RTF, and HTML attachments containing links to archives hosted on various file-sharing platforms.Those archives contained installers for various legitimate remote administration tools.Before launching the new campaign during the Israel-Hamas war, MuddyWater <a href="https://twitter.com/k3yp0d/status/1719269176101990574" target="_blank">reused</a> previously known remote administration tools, utilizing a new file-sharing service called “<a href="https://www.storyblok.com/" target="_blank">Storyblok</a>.”On October 30th Deep Instinct identified two archives hosted on “Storyblok” containing a new multi-stage infection vector. It contains hidden files, an LNK file that initiates the infection, and an executable file designed to unhide a decoy document while executing <a href="https://www.n-able.com/features/advanced-monitoring-agent" target="_blank">Advanced Monitoring Agent</a>, a remote administration tool.This is the first public report about MuddyWater utilizing this remote administration tool.<h5>The Multi-stage Social Engineering Campaign</h5>While Deep Instinct could not verify the spreading mechanism of the new campaign, it most likely starts with a spear-phishing email, similar to previous campaigns.The content of the email lures the victim into downloading an archive hosted at “a.storyblok[.]com”In this analysis, we examine the “defense-video.zip” file.When the archive is extracted, several folders must be navigated until a LNK shortcut, which looks like another folder named “Attachments,” is found:<figure style = "margin: auto; text-align: center;width: auto;"><img alt="Figure 2: LNK Shortcut" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blte46c4bf1b082e1d5/65427050a67ffd001b94e1c9/fig2-muddywater-hidden-lnk-shortcut.png" height="auto" style="margin: auto;text-align: center;width: auto;" /><figcaption style = "text-align: center;" style="text-align: center;">Figure 2: LNK Shortcut</figcaption></figure>However, there are additional hidden folders and files extracted from the archive:<figure style = "margin: auto; text-align: center;width: auto;"><img alt="Figure 3: Hidden folders" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/bltad15ce5115cba266/654270aa2149b10407ad84f5/fig3-muddywater-hidden-folders.png" height="auto" style="margin: auto;text-align: center;width: auto;" /><figcaption style = "text-align: center;" style="text-align: center;">Figure 3: Hidden folders</figcaption></figure>When the victim opens the LNK file, the infection chain starts.By examining the LNK file, we can see that it executes an executable from one of the hidden directories:<figure style = "margin: auto; text-align: center;width: auto;"><img alt="Figure 4: LNK command line arguments" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt64dfe55de3f736ef/654270df7265fb04074f77da/fig4-muddywater-lnk-command-line-arguments.png" height="auto" style="margin: auto;text-align: center;width: auto;" /><figcaption style = "text-align: center;" style="text-align: center;">Figure 4: LNK command line arguments</figcaption></figure>The file “Diagnostic.exe” has been used in both archives Deep Instinct observed. The purpose of this file is to execute another executable called “Windows.Diagnostic.Document.EXE,” which is located in the hidden directory named “.end” under a “Windows.Diagnostic.Document” hidden directory.The file named “Windows.Diagnostic.Document.EXE” is a signed, legitimate installer for “Advanced Monitoring Agent.”In addition to executing the remote administration tool, “Diagnostic.exe” also opens a new Windows Explorer window of the hidden “Document” folder. This is done to fool the victim that opened the LNK file into thinking that it was indeed a folder.The decoy document is an official memo from the Israeli Civil Service Commission, which can be publicly downloaded from their <a href="https://www.gov.il/he/departments/news/disciplinary-treatment-statements-against-israel-wartime-news" target="_blank">website</a>.The memo describes what to do in case a government worker expresses opinions against the Israeli state on social networks:<figure style = "margin: auto; text-align: center;width: auto;"><img alt="Figure 5: Decoy document" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/bltc8cf7596101ee9db/654270fca184e7001b4f934b/fig5-muddywater-csc-decoy-document.png" height="auto" style="margin: auto;text-align: center;width: auto;" /><figcaption style = "text-align: center;" style="text-align: center;">Figure 5: Decoy document</figcaption></figure><h5>Conclusion</h5>MuddyWater continues to attack Israeli targets in various ongoing campaigns.In this campaign, MuddyWater employs updated TTPs. These include a new public hosting service, employing a LNK file to initiate the infection, and utilizing intermediate malware that mimics the opening of a directory while executing a new remote administration tool.After the victim has been infected, the MuddyWater operator will connect to the infected host using the legitimate remote administration tool and will start doing reconnaissance on the target.After the reconnaissance phase, the operator will likely execute PowerShell code which will cause the infected host to beacon to a custom C2 server.MuddyWater has used <a href="https://www.deepinstinct.com/blog/phonyc2-revealing-a-new-malicious-command-control-framework-by-muddywater" target="_self">PhonyC2</a> in the past. However, Deep Instinct recently observed MuddyWater using a new C2 framework named MuddyC2Go – a detailed blog will be published soon, stay tuned.<h5>IOCs:</h5>File<table style="width: 100%;"><thead class="bg-grey"><tr><th>MD5</th><th>Description</th></tr></thead><tbody><tr><td>37c3f5b3c814e2c014abc1210e8e69a2</td><td>Archive containing Atera Agent</td></tr><tr><td>16923d827a440161217fb66a04e8b40a</td><td>Atera Agent Installer</td></tr><tr><td>7568062ad4b22963f3930205d1a14df7</td><td>Archive containing Atera Agent</td></tr><tr><td>39eea24572c14910b67242a16e24b768</td><td>Archive containing Atera Agent</td></tr><tr><td>2e09e53135376258a03b7d793706b70f</td><td>Atera Agent Installer</td></tr><tr><td>1f0b9aed4b2c8d958a9b396852a62c9d</td><td>Archive containing SimpleHelp</td></tr><tr><td>065f0871b6025b8e61f35a188bca1d5c</td><td>SimpleHelp Installer</td></tr><tr><td>146cc3a1a68be349e70b79f9115c496b</td><td>defense-video.zip</td></tr><tr><td>dd247ccd7cc3a13e1c72bb01cf3a816d</td><td>Attachments.lnk</td></tr><tr><td>8d2199fa11c6a8d95c1c2b4add70373a</td><td>Diagnostic.exe</td></tr><tr><td>04afff1465a223a806774104b652a4f0</td><td>Advanced Monitoring Agent Installer</td></tr><tr><td>6167f03c8b2734c20eb02d406d3ba651</td><td>Decoy Document (defense-video.zip)</td></tr><tr><td>e8f3ecc0456fcbbb029b1c27dc1faad0</td><td>attachments.zip</td></tr><tr><td>952cc4e278051e349e870aa80babc755</td><td>Decoy Document (attachments.zip)</td></tr></tbody></table>Network<table style="width: 100%;"><thead class="bg-grey"><tr><th>IP or URL</th><th>Description</th></tr></thead><tbody><tr><td>ws.onehub[.]com/files/7f9dxtt6</td><td>URL to Archive of Atera Agent</td></tr><tr><td>a.storyblok[.]com/f/253959/x/b92ea48421/form.zip</td><td>URL to Archive of Atera Agent</td></tr><tr><td>a.storyblok[.]com/f/255988/x/5e0186f61d/questionnaire.zip</td><td>URL to Archive of Atera Agent</td></tr><tr><td>a.storyblok[.]com/f/259791/x/94f59e378f/questionnaire.zip</td><td>URL to Archive of SimpleHelp</td></tr><tr><td>146.70.149[.]61</td><td>MuddyWater’s SimpleHelp server</td></tr><tr><td>146.70.124[.]102</td><td><a href="https://twitter.com/MichalKoczwara/status/1719294254206288001" target="_blank">Suspected MuddyWater’s SimpleHelp server</a></td></tr><tr><td>37.120.237[.]204</td><td>Suspected MuddyWater’s SimpleHelp server</td></tr><tr><td>37.120.237[.]248</td><td>Suspected MuddyWater’s SimpleHelp server</td></tr><tr><td>a.storyblok[.]com/f/259837/x/21e6a04837/defense-video.zip</td><td>URL to Archive of Advanced Monitoring Agent</td></tr><tr><td>a.storyblok[.]com/f/259791/x/91e2f5fa2f/attachments.zip</td><td>URL to Archive of Advanced Monitoring Agent</td></tr></tbody></table>Additional IOCs regarding MuddyWater can be found in our GitHub page: <a href="https://github.com/deepinstinct/Israel-Cyber-Warfare-Threat-Actors" target="_blank">https://github.com/deepinstinct/Israel-Cyber-Warfare-Threat-Actors</a>

MuddyWater eN-Able spear-phishing with new TTPs

blog-phonyc2-muddywater.jpg

PhonyC2: Revealing a New Malicious Command & Control Framework by MuddyWater

pindos-js-dropper-blog.jpg

Deep Instinct’s Threat Research Lab recently noticed a new strain of a JavaScript-based dropper that is delivering Bumblebee and IcedID. The dropper contains comments in Russian and employs the unique user-agent string “PindOS”, which may be a <a href="https://en.wikipedia.org/wiki/Anti-American_sentiment_in_Russia#Pindos" target="_blank">reference</a> to current (and past) anti-American sentiment in Russia.Bumblebee is a malware loader first discovered in March 2022. It was associated with <a href="https://info.deepinstinct.com/conti-leaks-cyber-threat-reports" target="_self">Conti group</a> and was being used as a replacement for BazarLoader. It acts as a primary vector for multiple types of other malware, including ransomware.IcedID is a modular banking malware designed to steal financial information. It has been seen in the wild since at least 2017 and has recently been <a href="https://www.bleepingcomputer.com/news/security/new-icedid-variants-shift-from-bank-fraud-to-malware-delivery/" target="_blank">observed</a> shifting some of its focus to malware delivery.<h5>Bumblebee’s Dilemma – PowerShell or JavaScript?</h5><figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="bltac10f75989680347" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/bltac10f75989680347/6493347d48e15a005746c1ff/fig00-bumble_meme.jpg" style="text-align: center;"/></figure>Bumblebee’s primary modus operandi, including its most recent <a href="https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads" target="_blank">major campaign</a>, involves a PowerShell-based first stage with very characteristic obfuscation (“elemXXX”). This serves as a wrapper and loading routine for an embedded 64-bit payload .DLL. Our analysis of this flow can be found <a href="/blog/the-dark-side-of-bumblebee-malware-loader" target="_self">here</a>.The possible switch to JavaScript instead of PowerShell marks a significant change in Bumblebee’s well-established TTP’s.<h5>IcedID – From Banker to Loader?</h5>As recent reports indicate, IcedID appears to be partially following in Emotet’s footsteps and may be abandoning its banking and financial functionalities in favor of becoming a more generalized loader-type malware. An association with a new JavaScript type of dropper can be seen as another step in this direction.<h5>PindOS JavaScript Technical Analysis</h5>Once de-obfuscated, the dropper is surprisingly simple. It consists of a single function, “exec,” which gets four parameters:<ul><li>“UserAgent” – The user-agent string to be used when downloading Bumblebee’s .DLL</li><li>“URL1” – First address to download from</li><li>“URL2” – Second address to download from</li><li>“RunDLL” – Payload .DLL exported function to call</li></ul>When executed, the dropper will attempt to download the payload initially from URL1 and execute it by calling on the specified export directly via rundll32.exe. If this fails, the dropper will attempt to download the payload from URL2 and execute it using a combination of PowerShell and rundll32.exe.The downloaded payload is saved to %appdata%/Microsoft/Templates/&lt;6-char-random-number&gt;.dat<figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="blt310d8e627d3469ad" alt="Figure 1 – PindOS' main function" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt310d8e627d3469ad/6493347db9a076b80b92866c/fig01-pindos-main-function.png" style="text-align: center;"/><figcaption style="text-align: center;">Figure 1 – PindOS' main function</figcaption></figure>The function is then called twice, with four separate URLs:<figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="blt94b88382eb4426e4" alt="Figure 2 – exec function call from Bumblebee dropper" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt94b88382eb4426e4/6493347dd5b9a5988d6de2e6/fig02-exec-function-call-from-bumblebee-dropper.png" style="text-align: center;"/><figcaption style="text-align: center;">Figure 2 – exec function call from Bumblebee dropper</figcaption></figure><figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="blt2ccea6ece70d6aef" alt="Figure 3 – exec function call from IcedID dropper" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt2ccea6ece70d6aef/6493347d1fb2d3643c496f99/fig03-exec-call-from-icedid-dropper.png" style="text-align: center;"/><figcaption style="text-align: center;">Figure 3 – exec function call from IcedID dropper</figcaption></figure><figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="bltf4668bbd24eb05b8" alt="Figure 4 – Payload download" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/bltf4668bbd24eb05b8/6493347df7411b69d437e201/fig04-payload-download.png" style="text-align: center;"/><figcaption style="text-align: center;">Figure 4 – Payload download</figcaption></figure>The retrieved payloads are generated pseudo-randomly “on-demand” which results in a new sample hash each time a payload is fetched. This is commonly done to avoid signature-based detection. However, in Bumblebee’s case, this seems somewhat ineffective compared to the previous flow (which did not write the payload directly to disk), as the samples are fairly <a href="https://www.virustotal.com/gui/file/28c87170f2525fdecc4092fb347acd9b8350ed65e0fd584ce9fc001fd237d523/detection/f-28c87170f2525fdecc4092fb347acd9b8350ed65e0fd584ce9fc001fd237d523-1686560298" target="_blank">well detected</a> even on “first-seen”. This is likely due to the generated payload’s exports and several other indicators which remain constant and do not vary across the different generated samples.<figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="blt9a6ab350a777b88a" alt="Figure 5 – A generalized comparison of Bumblebee’s infection flows - “older” on the right; “newer” on the left." src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt9a6ab350a777b88a/64933d2de66699a1d52eb992/fig05-a-generalized-comparison-of-bumblebees-infection-flows.png" style="text-align: center;"/><figcaption style="text-align: center;">Figure 5 – A generalized comparison of Bumblebee’s infection flows - “older” on the right; “newer” on the left.</figcaption></figure>According to Virus Total, on “first-seen” PindOS droppers have mostly received very low detection rates:<img asset_uid="blt5a182e8e00749668" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt5a182e8e00749668/64933d2d1fb2d36df6496fcb/fig06-vt-first-seen-detection-pindos-virus.png"/><figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="blt6e2212907fb50273" alt="Figures 6 & 7 – VT first-seen detection for PindOS droppers" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt6e2212907fb50273/64933d2d48a8ff009c477fde/fig07-vt-first-seen-detection-pindos-dropper.png" style="text-align: center;"/><figcaption style="text-align: center;">Figures 6 &amp; 7 – VT first-seen detection for PindOS droppers</figcaption></figure><h5>Bumblebee DLL Payload Analysis Highlights</h5>The DLL payload is slightly different from the one previously encountered. Dynamically, it is very similar, with the addition of a few layers of obfuscation. It’s anti-debugging and anti-VM/sandbox features remain the same but with some additional “legitimate looking” strings taken from the <a href="https://github.com/FFmpeg/FFmpeg/blob/1617d1a752d5e97d5e74f6c384609c027c884553/libavutil/error.c" target="_blank">FFmpeg project open-source</a> project’s “error.c” file and a few other files from the same project added for distraction purposes:<figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="blt64d2e5ce682d4b38" alt="Figure 8 – Strings found in Bumblebee DLL" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt64d2e5ce682d4b38/6493347d9601bc69e508214d/fig08-strings-found-in-bumblebee-dll.png" style="text-align: center;"/><figcaption style="text-align: center;">Figure 8 – Strings found in Bumblebee DLL</figcaption></figure><figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="bltff29e3f9d11aa98a" alt="Figure 9 – FFmpeg project source, “error.c” file." src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/bltff29e3f9d11aa98a/6493347dea50bc3ffabea7f4/fig09-ffmpeg-project-source-error.c-file.png" style="text-align: center;"/><figcaption style="text-align: center;">Figure 9 – FFmpeg project source, “error.c” file.</figcaption></figure>Another point of differentiation is that previously Bumblebee DLLs had two main export functions, while the new one has four.<figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="blt3c905274f728fa88" alt="Figure 10 – “New” Bumblebee DLL Exports" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt3c905274f728fa88/6493347dd2420473b31cd636/fig10-new-bumblebee-dll-exports.png" style="text-align: center;"/><figcaption style="text-align: center;">Figure 10 – “New” Bumblebee DLL Exports</figcaption></figure><figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="bltcb5ad0e83176edf1" alt="Figure 11 – “Old” Bumblebee DLL exports, with main “SetPath” function" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/bltcb5ad0e83176edf1/6493347d75c2ae82940617e7/fig11-old-bumblebee-dll-exports-with-main-setpath-function.png" style="text-align: center;"/><figcaption style="text-align: center;">Figure 11 – “Old” Bumblebee DLL exports, with main “SetPath” function</figcaption></figure>Further examination of the DLL brings us to the same main function as the previous variant.<figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="bltec80d5d7fc0f0819" alt="Figure 12 – “SetPath” in the “new” Bumblebee DLL." src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/bltec80d5d7fc0f0819/6493347ee6669913502eb96f/fig12-setpath-in-the-new-bumblebee-dll.png" style="text-align: center;"/><figcaption style="text-align: center;">Figure 12 – “SetPath” in the “new” Bumblebee DLL.</figcaption></figure><h5>Conclusion</h5>Bumblebee’s latest “experiment” attempts to leverage pseudo-random sample generation as a means of reducing the risk of detection. This has been used by threat actors in the financial/banking malware landscape for years, including IcedID, which “shares” the PindOS dropper.Whether PindOS is permanently adopted by the actors behind Bumblebee and IcedID remains to be seen. If this “experiment” is successful for each of these "companion” malware operators it may become a permanent tool in their arsenal and gain popularity among other threat actors.As Bumblebee and <a href="https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/" target="_blank">IcedID</a> are known to deliver ransomware, we recommend that security teams take note of these IOCs. You can find updated lists of IOCs on our <a href="https://github.com/deepinstinct/PindOS-JS-Dropper" target="_blank">GitHub page</a>.<h5>IOCs</h5><ul><li>Network Artifact User-Agent: PindOS</li><li>Bumblebee infection URLs hxxps://qaswrahc.com/wp-content/out/mn[.]php hxxp://tusaceitesesenciales.com/mn[.]php hxxp://carwashdenham.com/mn[.]php hxxps://intellectproactive.com/dist/out/mn[.]php</li><li>Bumblebee .JS dropper SHA256 bcd9b7d4ca83e96704e00e378728db06291e8e2b50d68db22efd1f8974d1ca91 07d2cb0dc0cd353fb210b065733743078e79c4a27c42872cd516a6b1fb1f00d1 00ec8f3900336c7aeb31fef4d111ee6e33f12ad451bc5119d3e50ad80b2212b0 15da5b0a65dd8135273124da0c6e52e017e3b54642f87571e82d2314aae97eec 180a935383b39501c7bdf2745b3a334841f01a7df9d063fecca587b5cc3f5e7a</li><li>Bumblebee DLL payload SHA256 24dd5c33b8a5136bdf29d0c07cf56ef0e33a285bb12696a8ff65e4065cb18359 76c9780256e195901e1c09cb8a37fb5967f9f5b36564e380e7cf2558652f875b 28c87170f2525fdecc4092fb347acd9b8350ed65e0fd584ce9fc001fd237d523 ac261ac26221505798c65c61a207f3951cc7dce2e1014409d8a765d85bfd91d4</li><li>IcedID infection URLs hxxps://masar-alulaedu.com/wp-content/woocommerce/out/berr[.]php hxxps://egyfruitcorner.com/wp-content/tareq/out/berr[.]php hxxps://tech21africa.com/wp-content/uploads/out/berr[.]php hxxps://www.posao-austrija.at/images/out/lim[.]php hxxps://logisticavirtual.org/wp-content/out/lim[.]php hxxps://adecoco.us/wp-content/out/lim[.]php hxxps://acsdxb.net/wp-content/out/lim[.]php</li><li>IcedID .JS dropper SHA256 92506fe773db7472e7782dbb5403548323e65a9eb2e4c15f9ac65ee6c4bd908b c84c84387f0b9e7bc575a008f36919448b4e6645e1f5d054e20b59be726ee814 7355656f894ae26215f979b953c8fa237dc39af857a6b27754a93adb1823f3b6 8f40ff286419eb4b0c4d15710dc552afb2c2a227a180f4b4f520d09b05724151</li><li>IcedID DLL payload SHA256 9101975f7aca998da796fc15a63b36ab8aa0fe0aed0b186aaed06a3383d5f226 4f0c9c6fc1287ef16f4683db90dd677054a1f834594494d61d765fa3f2e1352c cb307d7fa6eaac6a975ad64ff966ff6b0b0fdd59109246c2f6f5e8d50a33e93c 361b0157ef63d362fdd4399288f5f6a0e1536633dfb49c808a3590718c4d8f10 e71c9ac9ddd55b485e636840da150db5cd2791d0681123457bd40623acd8311c 8ae3be9f09f5fc64ec898a4d6467b2f6e50eaaa26fc460a4f1a9b9566e97a9a7</li></ul><h5>MITRE ATT&amp;CK</h5><table><thead><tr><th style="width: 13%;">Tactic</th><th>Technique</th><th>Description</th><th>Observable</th></tr></thead><tbody><tr><td>Execution</td><td>Command and Scripting Interpreter: JavaScript – T1059.007</td><td>Adversaries may abuse various implementations of JavaScript for execution.</td><td>.JS Droppers</td></tr><tr><td>Defense Evasion</td><td>System Binary Proxy Execution: Rundll32 – T1218.001</td><td>Adversaries may abuse rundll32.exe to proxy execution of malicious code.</td><td>Rundll32.exe usage</td></tr><tr><td>Defense Evasion</td><td>Obfuscated Files or Information – T1027</td><td>Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.</td><td>Obfuscated JS, “Random” generated payloads</td></tr></tbody></table>

PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID

blog-image-bpfdoor-malware.jpg

<h5>What is BPFdoor?</h5>BPFdoor is a Linux-specific, low-profile, passive backdoor intended to maintain a persistent, long-term foothold in already-breached networks and environments and functions primarily to ensure an attacker can re-enter an infected system over an extended period of time, post-compromise.The malware gets its name from its usage of a <a href="https://en.wikipedia.org/wiki/Berkeley_Packet_Filter" target="_blank">Berkley Packet Filter</a> – a fairly unique way of receiving its instructions and evading detection, which bypasses firewall restrictions on incoming traffic.The malware is associated with a Chinese threat actor, Red Menshen (AKA Red Dev 18), which has been observed targeting telecommunications providers across the Middle East and Asia, as well as entities in the government, education, and logistics sectors since 2021.When it was first discovered, approximately one year ago, BPFdoor was noted for its effective and elegant design and its high emphasis on stealth – an essential element in maintaining undetected long-term persistence.Recently, Deep Instinct’s threat lab observed and analyzed a previously undocumented and fully undetected new variant of BPFdoor.<h5>New, Stealthier Variant</h5>Several key differences that make this new variant even stealthier compared to the previous version include the following:<table class="text-center"><thead class="bg-grey"><tr><th style="width: 24%;">&nbsp;</th><th style="width: 38%;">“New stealthy” 2023 variant</th><th>“Old” 2022 variant</th></tr></thead><tbody><tr><td>Encryption</td><td>Static library encryption</td><td>RC4 Encryption</td></tr><tr><td>Communication</td><td>Reverse-Shell</td><td>Bind shell and iptables</td></tr><tr><td>Commands</td><td>No hardcoded commands – all commands are sent through the reverse-shell</td><td>Hardcoded commands</td></tr><tr><td>Filenames</td><td>Not hardcoded</td><td>Hardcoded</td></tr></tbody></table>One of the most significant differences compared to the previous variant lies in the removal of many of its hardcoded indicators, making the newer version more difficult to detect. Since first seen on VirusTotal in February 2023, the new variant remained undetected and is still undetected as of this writing.<h5>BPFdoor Technical Analysis</h5>When executed, the BPFdoor sample will attempt to create and get a lock on a runtime file at “/var/run/initd.lock” and will exit if it fails using that file as a makeshift mutex.<figure><figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="blt6b1f7a605acf0d71" alt="Figure 1 - BPFdoor " src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt6b1f7a605acf0d71/645bce382f97ad6087afc2a7/fig01-lock-mutex.png" style="text-align: center;"/><figcaption style="text-align: center;">Figure 1 - BPFdoor "mutex" check</figcaption></figure></figure>If successful, BPFdoor will fork itself and continue to run as a child process and in this context will close its stdin, stdout, and stderr streams, and set itself to ignore the following operating system signals:<table class="text-center"><thead class="bg-grey"><tr><th style="width: 16%;">Signal Number</th><th style="width: 21%;">Signal Name</th><th>Signal Description</th></tr></thead><tbody><tr><td>1</td><td>SIGHUP</td><td>SIGHUP ("signal hang-up") is a signal sent to a process when its controlling terminal session is closed.</td></tr><tr><td>2</td><td>SIGINT</td><td>SIGINT (“signal interrupt”) is a signal sent when a user interrupts a program (Ctrl + C)</td></tr><tr><td>3</td><td>SIGQUIT</td><td>SIGQUIT is a signal sent to terminate a process.</td></tr><tr><td>13</td><td>SIGPIPE</td><td>SIGPIPE is a signal sent when a pipe breaks.</td></tr><tr><td>17</td><td>SIGCHLD</td><td>SIGCHLD is a signal sent when a child process exits.</td></tr><tr><td>21</td><td>SIGTTIN</td><td>SIGTTIN is a signal sent to a process attempting to read from the same terminal session and is blocked.</td></tr><tr><td>23</td><td>SIGTTOU</td><td>SIGTTOU is a signal sent to a process attempting to write to the same terminal session and is blocked.</td></tr></tbody></table>Ignoring these signals hardens BPFdoor against tampering with its processes.Having set up the above, BPFdoor then allocates a memory buffer and creates a socket as follows:<figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="bltb66f26dd618af2fe" alt="Figure 2 - Socket arguments" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/bltb66f26dd618af2fe/645bce386d595aca93fa2ebf/fig02-socket-args.png" style="text-align: center;"/><figcaption style="text-align: center;">Figure 2 - Socket arguments</figcaption></figure><figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="blte9215556a7459197" alt="Figure 3 - Socket creation" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blte9215556a7459197/645bce388a8445ca97101283/fig03-call-socket.png" style="text-align: center;"/><figcaption style="text-align: center;">Figure 3 - Socket creation</figcaption></figure>It will proceed to specify the following socket options using setsockopt:<figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="bltff07360ec7be9930" alt="Figure 4 - Setsockopt options" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/bltff07360ec7be9930/645bce388dbb82c3c233f5f4/fig04-setsockopts.png" style="text-align: center;"/><figcaption style="text-align: center;">Figure 4 - Setsockopt options</figcaption></figure><figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="blt0e81a161934c6431" alt="Figure 5 - Call to setsockopt" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt0e81a161934c6431/645bce38e4e69e5cbc037449/fig05-call-setsockopts.png" style="text-align: center;"/><figcaption style="text-align: center;">Figure 5 - Call to setsockopt</figcaption></figure>And will read from it in a loop (further described below) using recvfrom:<figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="blt7a59c922701ee083" alt="Figure 6 - Recvfrom arguments" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt7a59c922701ee083/645bce38065c95739056107a/fig06-recvfrom.png" style="text-align: center;"/><figcaption style="text-align: center;">Figure 6 - Recvfrom arguments</figcaption></figure><figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="blt811bbcab6a1bb954" alt="Figure 7 - Recvfrom call" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt811bbcab6a1bb954/645bce38367cefb5428f68a2/fig07-loop-call-recvfrom.png" style="text-align: center;"/><figcaption style="text-align: center;">Figure 7 - Recvfrom call</figcaption></figure>An interesting point in the above-described flow is that the “addr” parameter is zeroed out in the call to recvfrom; it should point to a specific address from which to read data. The socket is not connected and no bind or listen calls have been made. So, what exactly is going on here?Interpreting the exact arguments that are used to create the socket reveals that the call is structured as follows:<figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="blt36f6534323294019" alt="Figure 8 - Socket call" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt36f6534323294019/645bce38367cefe17b8f689e/fig08-socket_eth.png" style="text-align: center;"/><figcaption style="text-align: center;">Figure 8 - Socket call</figcaption></figure>This creates the socket as a special packet sniffing socket which is able to read every packet that is sent to the machine from the ethernet layer and above without being bound to any specific protocol.BPFdoor employs this type of packet sniffing socket to read data with recvfrom, even without an “addr” parameter, by using the loop below to search for a specific “magic” byte sequence:<figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="bltf3c3312b0751a812" alt="Figure 9 - Looped search for " src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/bltf3c3312b0751a812/645bce388929af83080777c5/fig09-read-loop.png" style="text-align: center;"/><figcaption style="text-align: center;">Figure 9 - Looped search for "magic" byte sequence (highlighted)</figcaption></figure>“Magic” byte sequence: \x44\x30\xCD\x9F\x5E\x14\x27\x66Once found, the loop will break and BPFdoor will continue to Its next phase of operation.But, that creates quite a lot of traffic that BPFdoor will need to go through.Let’s examine the usage of setsockopt a bit further. When parsing its arguments, we arrive at the following code:<figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="blt734c1601420f27c9" alt="Figure 10 - Setsockopt attaches BPF" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt734c1601420f27c9/645bce4b7e7e7b9bafe70a08/fig10-setsockopt-args.png" style="text-align: center;"/><figcaption style="text-align: center;">Figure 10 - Setsockopt attaches BPF</figcaption></figure>This is where BPFdoor gets its name from. The above code that attaches a <a href="https://en.wikipedia.org/wiki/Berkeley_Packet_Filter" target="_blank">Berkley Packet Filter</a> to the socket; this is the very same mechanism that underpins infosec staples such as libpcap and allows BPFdoor to filter out “uninteresting” types of data coming through its socket.A Berkley Packet Filter can be defined as in the example below, which allows TCP over IPv4:<figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="blt89210974b140db77" alt="Figure 11 - BPF example" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt89210974b140db77/645bce4b065c95264056107e/fig11-bpf-example.png" style="text-align: center;"/><figcaption style="text-align: center;">Figure 11 - BPF example</figcaption></figure>By setting the socket option SO_ATTACH_FILTER and pointing filter to the following sock_filter_code:<figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="blt3a9b0cf5b5fbc758" alt="Figure 12 - BPF sock_filter_code" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt3a9b0cf5b5fbc758/645bce4b1f0a4c5876e36beb/fig12-sock-filter-codev3.png" style="text-align: center;"/><figcaption style="text-align: center;">Figure 12 - BPF sock_filter_code</figcaption></figure>BPFdoor guides the kernel to set up its socket to only read UDP, TCP, and SCTP traffic coming through ports 22 (ssh), 80 (http), and 443 (https).Because of its positioning at such a low level, BPFdoor does not abide by any firewall rules, and can bypass any firewall restrictions on incoming traffic and listen for packets that otherwise wouldn't have surfaced to the machine's user mode.When BPFdoor finds a packet containing its “magic” bytes in the filtered traffic it will treat it as a message from its operator and will parse out two fields and will again fork itself.The parent process will continue and monitor the filtered traffic coming through the socket while the child will treat the previously parsed fields as a Command & Control IP-Port combination and will attempt to contact it.<figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="blt59a3decfdb9a8b40" alt="Figure 13 - Connect to Command & Control" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt59a3decfdb9a8b40/645bce4b8a84453a7a101287/fig13-connect-c2.png" style="text-align: center;"/><figcaption style="text-align: center;">Figure 13 - Connect to Command & Control</figcaption></figure>An interesting point to note, this variant of BPFdoor contains a pre-compiled version of <a href="https://github.com/libtom/libtomcrypt" target="_blank">libtomcrypt</a>, an open-source encryption library, as can be seen in the sample’s contained strings, which also offer a few additional insights:<figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="blt8e6c0a33246bf7b3" alt="Figure 14 - Contained strings" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt8e6c0a33246bf7b3/645bce4b291ca448ab7458bf/fig14-libtom-strings.png" style="text-align: center;"/><figcaption style="text-align: center;">Figure 14 - Contained strings</figcaption></figure>We can see that the library was compiled at the beginning of October 2022 using GCC on a system running Red Hat Linux. This may suggest that this variant has been operational significantly earlier than its first appearance on VirusTotal.By compiling our own version of the library in similar fashion and using bindiff to compare against BPFdoor we can see its statically linked exports:<figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="blt816a0cb45cfa1a28" alt="Figure 15 - Libtomcrypt bindiff snippet" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt816a0cb45cfa1a28/645bce4b2f97ad7a76afc2ab/fig15-libtom-bindiff.png" style="text-align: center;"/><figcaption style="text-align: center;">Figure 15 - Libtomcrypt bindiff snippet</figcaption></figure>Having made the comparison, we determined that BPFdoor is using libtomcrypt functionality to set up a secure and encrypted “reverse-shell” session with its Command & Control. This replaced its previous mechanism.After this session is established, BPFdoor will begin a loop that can be described by the following:<figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="bltb2ff1c169f93cb84" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/bltb2ff1c169f93cb84/645bce3822f9986ff5c5974b/BPFDOORv2Flow.png" style="text-align: center;"/></figure><h5>Conclusion</h5>BPFdoor retains its reputation as an extremely stealthy and difficult-to-detect malware with this latest iteration.Regardless of whether one considers the encryption library compilation time (October 2022) or its initial submission to VirusTotal (February 2023) as indicative of when this sample was first put into use, it is truly amazing how long it has remained fully undetected.<figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="blt93ffef0dee975742" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt93ffef0dee975742/645d25159c40aa50cb074137/fig16-vt-0detectionv3.png" style="text-align: center;"/></figure><figure style="margin-top: auto;margin-right: auto;margin-bottom: auto;margin-left: auto;text-align: center;width: auto;"><img asset_uid="blt940800074dbf8141" alt="Figure 16 & 17 - 0 VirusTotal detections, 7 different scans." src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt940800074dbf8141/645bce4b32acc8af715ee19b/fig17-vt-many-scans.png" style="text-align: center;"/><figcaption style="text-align: center;">Figure 16 & 17 - 0 VirusTotal detections, 7 different scans.</figcaption></figure><h5>IOCs</h5>afa8a32ec29a31f152ba20a30eb483520fe50f2dce6c9aa9135d88f7c9c511d7 – BPFDoor ELF SHA256 /var/run/initd.lock – BPFDoor "mutex”<h5>MITRE ATT&CK:</h5><table class="text-center"><thead class="bg-grey"><tr><th style="width: 20%;">Tactic</th><th>Technique</th><th>Description</th><th style="width: 20%;">Observable</th></tr></thead><tbody><tr><td>Command and Control Defense Evasion Persistence</td><td>T1205 - Traffic Signaling</td><td>Attacker employs “magic” values to trigger response.</td><td>“Magic” byte sequence</td></tr><tr><td>Command and Control Defense Evasion Persistence</td><td>T1205.002 - Traffic Signaling: Socket Filters</td><td>Attacker attaches filter to a network socket.</td><td>Usage of Berkley Packet Filter</td></tr><tr><td>Command and Control</td><td>T1573 - Encrypted Channel</td><td>Attacker employs encrypted Command & Control communication.</td><td>Usage of libtomcrypt</td></tr><tr><td>Execution</td><td>T1106 – Native API</td><td>Attacker calls upon native OS APIs in order to execute behaviors.</td><td>Usage of popen</td></tr></tbody></table>Earlier variant analysis: <a href="https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor" target="_blank">https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor</a>Deep Instinct takes a prevention-first approach to stopping ransomware and other malware using the world’s first and only purpose-built, deep learning cybersecurity framework. We prevent ransomware, zero-day threats, and previously unknown malware in &lt;20 milliseconds, 750x faster than the fastest ransomware can encrypt. Deep Instinct has &gt;99% zero-day accuracy and promises a &lt;0.1% false positive rate. The Deep Instinct Prevention Platform is an essential addition to every security stack – providing complete, multi-layered protection against threats across hybrid environments.

dirty-vanity-blog.jpg

Dirty Vanity: A New Approach to Code Injection & EDR Bypass

cve-2023-23397-blog-image.jpg

Disclaimer: This blog contains sensitive information but since this information is publicly available and at least partially public knowledge we decided not to redact any information as it would cause this post to be irrelevant. Due to the simplicity of the attack and the fact it does not require user interaction we are urging everyone to patch their systems immediately.On March 14, 2023, Microsoft released a security fix for an elevation-of-privilege vulnerability (CVE-2023-23397) in Microsoft Outlook.A specially crafted email can trigger the vulnerability automatically when it is retrieved and processed by the Outlook client. Such an email could lead to exploitation before the email is viewed in the Preview Pane, which allows an attacker to steal credential hashes by forcing the target’s devices to authenticate to an attacker-controlled server.The Computer Emergency Response Team for Ukraine (CERT-UA) reported the vulnerability to Microsoft. Based on Microsoft Threat Intelligence, a Russia-based threat actor used it in attacks to target and breach the network of several governments, military, energy, and transportation organizations in Europe between April and December 2022.MDSec already <a href="https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/" target="_blank">demonstrated</a> a POC of this attack and security researcher <a href="https://twitter.com/kevthehermit/status/1635981427400400897" target="_blank">@KevTheHermit</a> found a sample of an email attack in the wild.Deep Instinct Threat Lab found additional samples exploiting this vulnerability including the potential attack that was reported by CERT-UA.The samples can be grouped into five distinct clusters. Below is a timeline of the attacks:<figure style = "margin: auto; text-align: center;width: autopx;"><img asset_uid="blt032ce0ad10df7dd6" alt="Figure 1: Timeline of attacks utilizing CVE-2023-23397" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt032ce0ad10df7dd6/6413c20811934c1085402d52/fig1-timeline-of-attacks-utilizing-cve-2023-23397.png" /><figcaption style = "text-align: center;" style="text-align: center;">Figure 1: Timeline of attacks utilizing CVE-2023-23397</figcaption></figure><h3>Possible Attribution</h3>Microsoft attributed the attack to a Russian-based threat actor. The attacks on Romania, Poland, and Ukraine align with Russian interests, while the attacks on Jordan and Turkey might be related to a different threat actor.This attack vector, which leads to NTLM harvesting, was also <a href="https://unit42.paloaltonetworks.com/xhunt-campaign-new-watering-hole-identified-for-credential-harvesting/" target="_blank">observed</a> in 2020 by Iranian threat actors. Additionally, Russia and Iran have signed a cyber-cooperation <a href="https://www.cfr.org/blog/iran-russia-cyber-agreement-and-us-strategy-middle-east" target="_blank">agreement</a>.The Jordanian foreign ministry has been targeted in the <a href="https://therecord.media/apt34-oilrig-iran-jordan-email-campaign-malwarebytes" target="_blank">past</a> by Iranian threat actors, which might indicate the vulnerability was shared with the Iranians.NTLM harvesting could be used either to hash relay attacks or for offline password cracking, indicating that the attacker either had prior access to the attacked organization or they have knowledge of remote-authentication services that do not require multi-factor authentication.<h3>Hunting for the Vulnerability</h3>Microsoft <a href="https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/" target="_blank">provided</a> a PowerShell script to retroactively search for potentially malicious messages containing the vulnerability. The script looks for three types of messages – note, appointment, and task:<figure style = "margin: auto; text-align: center;width: autopx;"><img asset_uid="blt46f1b647b377698d" alt="Figure 2: Microsoft’s PowerShell code that looks for three specific types of messages" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt46f1b647b377698d/6413c2080c29c7363bf3956f/fig2-microsofts-powershell-code-that-looks-for-specific-messages-from-cve-2023-23397.png" /><figcaption style = "text-align: center;" style="text-align: center;">Figure 2: Microsoft’s PowerShell code that looks for three specific types of messages</figcaption></figure>This could indicate that the vulnerability can be triggered by any of those types of messages. If you are using Outlook, you might be familiar with some of them:<figure style = "margin: auto; text-align: center;width: autopx;"><img asset_uid="blt298f779daa396908" alt="Figure 3: How to manually create a legitimate task or appointment" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt298f779daa396908/6413c20858d08575eae5b295/fig3-how-to-legitimately-create-manual-task-appointment-outlook.png" /><figcaption style = "text-align: center;" style="text-align: center;">Figure 3: How to manually create a legitimate task or appointment</figcaption></figure>While MDSec used an “appointment” message in their POC, the attacks in the wild used a “task” message:<figure style = "margin: auto; text-align: center;width: 433px;"><img asset_uid="blt398e5bc10dee52f8" alt="Figure 4: IPM.Task property in malicious email ITW" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt398e5bc10dee52f8/6413c2084d478f2618dc953c/fig4-ipm.task-property-in-malicious-itw-cve-2023-23397.png" /><figcaption style = "text-align: center;" style="text-align: center;">Figure 4: IPM.Task property in malicious email ITW</figcaption></figure>Using the following query in VirusTotal we found suspected emails with the vulnerability: “content:{490050004d002e005400610073006b00} tag:outlook”If the email also contains a UNC path this means this is a malicious task using the vulnerability.However, we found extracts from emails sent to Polish targets dated in the September timeframe that are not found via the query above:<figure style = "margin: auto; text-align: center;width: autopx;"><img asset_uid="blt76275f2529aacbeb" alt="Figure 5: File from September containing characteristics of CVE-2023-23397" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt76275f2529aacbeb/6413c2081605593a8b0d15d0/fig5-file-from-september-containing-characteristics-of-cve-2023-23397.png" /><figcaption style = "text-align: center;" style="text-align: center;">Figure 5: File from September containing characteristics of CVE-2023-23397</figcaption></figure><h3>Conclusion</h3><ul><li>While we found evidence of attacks starting in April 2022, there is a possibility that it was exploited even earlier.</li><li>Due to the fact that we used only publicly available data the actual scope of attacked targets could be much higher.</li><li>Microsoft attributed the attacks to a Russian-based threat actor; however, public evidence might suggest another threat actor exploited the vulnerability as well.</li><li>Since the attack does not require user interaction, we urge everyone using the Outlook application to patch their systems as soon as possible.</li><li>We also suggest running the PowerShell script <a href="https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/" target="_blank">provided</a> by Microsoft to find retroactively malicious emails in the exchange server.</li></ul><h3>IOCs</h3>24.142.165[.]2 101.255.119[.]42 113.160.234[.]229 168.205.200[.]55 181.209.99[.]204 185.132.17[.]160 213.32.252[.]221

CVE-2023-23397: Exploitations in the Wild – What You Need to Know

emotet-returns-2023-blog.jpg

Earlier this week, on Tuesday, March 7th, Emotet was observed for the first time this year sending new malspam to infect victims. This is significant because the last time Emotet was seen sending malicious spam was in <a href="/blog/emotet-vacation-is-over-no-rest-for-the-wicked" target="_self">November</a> of 2022. This current wave is different from the one in November, though, including new evasion techniques that we will detail in this blog. Deep Instinct’s Threat Research team has been tracking Emotet over the last year and has written about its periods of silence and reemergence with new tactics. We will continue to track the malware and alert the community to any changes or activity. <ul><li>November 17, 2022: <a href="/blog/emotet-vacation-is-over-no-rest-for-the-wicked" target="_self">Emotet Vacation Is Over: No Rest For The Wicked</a></li><li>June 9, 2022: <a href="/blog/emotet-malware-returns-in-2022" target="_self">Emotet Malware Returns in 2022</a></li></ul>The first to observe and tweet about Emotet’s return was <a href="https://twitter.com/ilbaroni_/status/1633087980561735680" target="_blank">@ilbaroni_</a>: <figure style = "margin: auto; text-align: center;width: auto;"><img asset_uid="blt06f56e90c1fd7d11" alt="Figure 1: First public observation of Emotet’s return" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt06f56e90c1fd7d11/640a621ee5ffbf108e0bbf3f/fig1-first-public-observation-of-emotets-return.png" height="auto" /><figcaption style = "text-align: center;" >Figure 1: First public observation of Emotet’s return</figcaption></figure> <h3>Delivery via Thread Hijacking Emails  </h3>The delivery method that Emotet used is the same as in November, however, this time the attached zip files are not password protected. Deep Instinct’s Threat Research team observed thread-hijacked emails sent to companies around the globe, including in Japan: <figure style = "margin: auto; text-align: center;width: auto;"><img asset_uid="blt20e3927b313134eb" alt="Figure 2: Thread-hijacked mail in Japanese" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt20e3927b313134eb/640a621e6d0cf81016ab9102/fig2-thread-hijacked-mail-in-japanese.png" height="auto" /><figcaption style = "text-align: center;" >Figure 2: Thread-hijacked mail in Japanese</figcaption></figure> <h3>Changes to Emotet Malspam </h3>In November, Emotet was sending malicious Excel files in the archives. Now Emotet is sending archives with malicious Word files. The Word files include macros that, if enabled, start the infection chain. The first page contains an image that tries to lure the receiver to enable macros: <figure style = "margin: auto; text-align: center;width: auto;"><img asset_uid="bltf706d459b420f0d1" alt="Figure 3: Social engineering lure on first page" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/bltf706d459b420f0d1/640a621ea7d98e0267ed3669/fig3-social-engineering-lure-on-first-page.png" height="auto" /><figcaption style = "text-align: center;" >Figure 3: Social engineering lure on first page</figcaption></figure> The second page is blank, while pages 3-7 are excerpts from the novel “<a href="https://en.wikipedia.org/wiki/Moby-Dick" target="_blank">Moby-Dick</a>” which are written in white font to make the pages appear blank. The whole document has 14,801 characters and 2,587 words; the text is added as part of an evasion technique. Many security tools will classify a Word document with just an image and a macro as malicious, which is true in most cases. Some people still use macros for legitimate reasons, despite there being little reason to do so with the advances we have made in technology in the 21st century. Adding textual context to a file with macros might fool some security tools into thinking that the file is benign: <figure style = "margin: auto; text-align: center;width: auto;"><img asset_uid="blt9396b636b76e97a8" alt="Figure 4: Changing the font color reveals the hidden text" src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt9396b636b76e97a8/640a621f325d0044fe5fabb6/fig4-changing-font-color-reveals-hidden-text.png" height="auto" /><figcaption style = "text-align: center;" >Figure 4: Changing the font color reveals the hidden text</figcaption></figure> The Word document in the example contains several long and obfuscated macros which download and execute a ZIP file containing the Emotet DLL from one of several compromised websites. If that’s not enough, the most interesting change made by Emotet that it now artificially inflates the size of the Word document to over 500mb: <figure style = "margin: auto; text-align: center;width: auto;"><img asset_uid="blt4771a740a24441f5" alt="Figure 5: Zero bytes are added to the end of the document." src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt4771a740a24441f5/640a621fe35cc90ebcbd3896/fig5-zero-bytes-are-added-to-end-of-document.png" height="auto" /><figcaption style = "text-align: center;" >Figure 5: Zero bytes are added to the end of the document.</figcaption></figure> This is done by simply adding zero bytes at the end of the document. Deep Instinct researchers have <a href="/blog/the-russian-spyagent-a-decade-later-and-rat-tools-remain-at-risk" target="_self">seen this technique previously</a> used to inflate the final payloads, such as executables or DLL files. The result is like the one before, and because the files are so big, many security products and sandboxes don’t scan them, which breaks the automatic analysis and IOC extraction. As mentioned earlier, the macros download a ZIP file from compromised hosts which contain a DLL file which is the Emotet loader. This DLL is also inflated with zero bytes to a file size of over 500mb. The combination of both the initial attack vector and the payload being artificially inflated might completely blind products that solely rely on static analysis. Despite these changes the behavior of the loader appears the same. In the past Emotet used to copy a local version of the certutil.exe; this time Emotet drops a specific version of renamed certutil into “&lt;AppData&gt;\Local\Temp.” The hash of the observed version is: 4224312da8c3a37b95dd78236fca5ca316021c5de6e517d0ddc753ee26932e6a Emotet is still using process injection, therefore, security products that do not rely solely on static detection have a better chance at stopping the current wave. <h3>IOC </h3>DOC: a13b394e4017c0c77faf4fab6c3aea4de3443f11610cc85a1d677249b9b2bc3a DLL: efcf59f4423df8fdacbfa8c3d23b6a3e4722bab65c31ea8a7f32daadddfa7adc For the full list of IOCs (278) visit our <a href="https://github.com/deepinstinct/Emotet-IOCs" target="_blank">GitHub page</a>.

Emotet Again! The First Malspam Wave of 2023

ducktail-blog.jpg

DUCKTAIL: Threat Operation Re-emerges with New LNK, PowerShell, and Other Custom Tactics to Avoid Detection

VSTO-blog.png

<h3>Introduction</h3>Office Visual Basic for Applications (VBA) macros have been a <a href="/blog/types-of-dropper-malware-in-microsoft-office" target="_self">core tool</a> in most threat actors’ arsenals for decades.Their capabilities have enabled clever — and just <a href="https://www.trustedsec.com/blog/malicious-macros-for-script-kiddies/" target="_blank">clever-enough</a> — threat actors to deliver a dizzying array of malware to countless devices around the world. During that time, they have served as what is quite possibly the most commonplace attack vector to infect and compromise Windows PCs. They also acted as a significant component of the first link in a malicious kill-chain that resulted in network compromises, data breaches, and ransomware incidents.This threat landscape prominence has recently been stifled by Microsoft’s long-awaited decision to <a href="https://learn.microsoft.com/en-us/deployoffice/security/internet-macros-blocked" target="_blank">block-by-default</a> any VBA macro in Office files bearing the mark-of-the-web (indicating that the file did not originate from the local machine). This significantly reduced this attack surface and forced threat actors to adapt and explore alternative attack vectors.One of these, which is gaining popularity, is the usage of .LNK (shortcut) files. An example of this can be seen in one of our <a href="/blog/the-dark-side-of-bumblebee-malware-loader" target="_self">recent reports</a>.Another such example is Visual Studio Tools for Office (VSTO). Below we explore some “in-the-wild” examples of how VSTO can become a significant attack vector.<h3>What is VSTO?</h3>A software development toolset, VSTO is available in Microsoft’s Visual Studio IDE. It enables Office Add-In’s (a type of Office application extension) to be developed in .NET and also allows for Office documents to be created that will deliver and execute these Add-In’s.Additionally, VSTO Add-In’s can be associated with the specific Office application they were developed for (Word, Excel, etc.) and will execute every time that application is booted, offering up an interesting persistence option on top of the code-execution ability.VSTO Add-In’s can be packaged alongside Office documents (Local VSTO), or, alternatively, fetched from a remote location when a VSTO-Bearing Office document is opened (Remote VSTO). This, however, may require bypass of trust-related security mechanisms.<h3>VSTO as a Threat Vector</h3>In the current threat landscape’s observed state, VSTO is still an uncommon vector (despite being initially <a href="https://bohops.com/2018/01/31/vsto-the-payload-installer-that-probably-defeats-your-application-whitelisting-rules/" target="_blank">discussed</a> quite <a href="https://twitter.com/gN3mes1s/status/939146796605018113" target="_blank">some time ago</a>). But as is often the case when an esoteric attack vector is involved, it also goes largely undetected by most security vendors, which may lead to it increasing in popularity in the near-term future.VSTO-bearing Office files contain several indicators which differentiate them from non-VSTO Office files, the primary of which is a contained “custom.xml” XML which contains “_AssemblyLocation” and “_AssemblyName” properties used by the Office application to locate the Add-In and install it.<figure style = "margin: auto; text-align: center;width: autopx;"><img asset_uid="bltae692c45fce8c9be" alt="Figure 1 - Example of a " src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/bltae692c45fce8c9be/63da8c54df2bf910c80316e8/fig01-custom-xml-referring-local-vsto-add-in.png" /><figcaption style = "text-align: center;" style="text-align: center;">Figure 1 - Example of a "custom.xml" XML referring to a local VSTO Add-In.</figcaption></figure><h3>Local VSTO</h3>When VSTO is employed in its local “flavor” the .NET compiled .DLL “Add-In” and its dependencies are stored alongside the Office document created to execute it, commonly in a “container” such as an .ISO file.In the example detailed below, which targets Portuguese-speaking users, we can see a malicious .ISO file which contains a malicious Word document and a hidden VSTO “Add-In” and its dependencies:<figure style = "margin: auto; text-align: center;width: autopx;"><img asset_uid="blt54d82b8f46d9881c" alt="Figure 2 - Malicious .ISO, Hidden files not shown, as would appear to most users." src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt54d82b8f46d9881c/63da8c54c8540a111ada8b4b/fig02-malicious-iso-hidden-files-not-shown.png" /><figcaption style = "text-align: center;" style="text-align: center;">Figure 2 - Malicious .ISO, Hidden files not shown, as would appear to most users.</figcaption></figure><figure style = "margin: auto; text-align: center;width: autopx;"><img asset_uid="blta83b367d030dd885" alt="Figure 3 - Malicious .ISO, hidden files shown, mostly dependencies, highlighted - Word document and VSTO " src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blta83b367d030dd885/63da8c545b2c1e6188c56ec2/fig03-malicious-iso-hidden-files-shown.png" /><figcaption style = "text-align: center;" style="text-align: center;">Figure 3 - Malicious .ISO, hidden files shown, mostly dependencies, highlighted - Word document and VSTO "Add-In" payload.</figcaption></figure>Once the victim opens the malicious Word document, they are encouraged to install the “Add-In” in a very similar fashion to the way victims were encouraged to click the “Enable Content” button and allow a malicious VBA macro to execute.<figure style = "margin: auto; text-align: center;width: autopx;"><img asset_uid="blt41d8d794383d1aa8" alt="Figure 4 - Word document (“Eventos_CDG_1Maio.docx”) prompts the user to allow " src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt41d8d794383d1aa8/63da8c540cf395166a6e22fb/fig04-word-doc-prompts-user-to-allow-add-in.png" /><figcaption style = "text-align: center;" style="text-align: center;">Figure 4 - Word document (“Eventos_CDG_1Maio.docx”) prompts the user to allow "Add-In" installation.</figcaption></figure><figure style = "margin: auto; text-align: center;width: autopx;"><img asset_uid="blt1785537237489441" alt="Figure 5 - Malicious " src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt1785537237489441/63da8c54e480c910d1acbbb7/fig05-malicious-custom-xml-contained-by-eventos-referring-to-hidden-add-in.png" /><figcaption style = "text-align: center;" style="text-align: center;">Figure 5 - Malicious "custom.xml" contained by “Eventos_CDG_1Maio.docx” referring to the hidden “Add-In” present locally on the .ISO file.</figcaption></figure>Once allowed by the user, the malicious “Add-In” will be executed.<figure style = "margin: auto; text-align: center;width: autopx;"><img asset_uid="bltfd8952f6b1cd8776" alt="Figure 6 - VSTO installation prompt." src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/bltfd8952f6b1cd8776/63da8c542d94ad4c89edc84d/fig06-vsto-installation-prompt.png" /><figcaption style = "text-align: center;" style="text-align: center;">Figure 6 - VSTO installation prompt.</figcaption></figure>Examining the “Add-In” payload reveals it serves to execute an encoded and compressed PowerShell snippet:<figure style = "margin: auto; text-align: center;width: autopx;"><img asset_uid="bltff7e2e81ed5f2a4f" alt="Figure 7 - " src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/bltff7e2e81ed5f2a4f/63da8c544ad09d10da61ae0b/fig07-eventos_cdg_1maio.dll-payload-core.png" /><figcaption style = "text-align: center;" style="text-align: center;">Figure 7 - "Eventos_CDG_1Maio.dll” payload “core”.</figcaption></figure>An interesting point of note is that the above code’s parent .NET namespace is “schell_test.” This appears to be a reference to a <a href="https://medium.com/@airlockdigital/make-phishing-great-again-vsto-office-files-are-the-new-macro-nightmare-e09fcadef010" target="_blank">post by Daniel Schell</a>, which predates the appearance of this sample by approximately two weeks.Decoding and decompressing from the above, the snippet is intended to deliver and execute additional PowerShell code from a Command & Control server:<figure style = "margin: auto; text-align: center;width: autopx;"><img asset_uid="blt2deb8b0052b3ec77" alt="Figure 8 - Decoded and decompressed PowerShell snippet." src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt2deb8b0052b3ec77/63da8c543d28dd4dde642bc5/fig08-decoded-and-decompressed-powershell-snippet.png" /><figcaption style = "text-align: center;" style="text-align: center;">Figure 8 - Decoded and decompressed PowerShell snippet.</figcaption></figure>Unfortunately, we were unable to obtain this additional 2nd-stage code as it had gone offline prior to our investigation of this sample.<h3>Remote VSTO</h3>VSTO can also be employed in remote fashion, i.e., the Add-In can be stored separately of the Office document created to deliver and execute it. This can make an attack employing VSTO even more challenging to detect or prevent. However, it can also be more complex for an attacker to execute because it requires bypassing various trust-related security mechanisms using a trusted publisher certificate, for example.In the example below, we can see a reference to a remotely stored VSTO “Add-In” taken from a malicious Word document:<figure style = "margin: auto; text-align: center;width: autopx;"><img asset_uid="bltf4e068fa4bdd09dc" alt="Figure 9 - Remote VSTO " src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/bltf4e068fa4bdd09dc/63da8c545ca8a710cf4b7226/fig09-remote-vsto-custom-xml.png" /><figcaption style = "text-align: center;" style="text-align: center;">Figure 9 - Remote VSTO "custom.xml" XML.</figcaption></figure>Examining the “Add-In” .DLL payload, which was obtained by cross-referencing threat intelligence data, we can see the following contained code which is intended to download a password protected .ZIP archive, extract it in the user’s %\AppData\Local\ folder, and execute a contained “conhost.exe” file.<figure style = "margin: auto; text-align: center;width: autopx;"><img asset_uid="blt29d36f5d1f3a9676" alt="Figure 10 - “3rd stage” payload delivery and execution code." src="https://images.contentstack.io/v3/assets/blt1ec077b6b53d6b3e/blt29d36f5d1f3a9676/63da8c54e4e29e75dc5df0ee/fig10-3rd-stage-payload-delivery-and-execution-code.png" /><figcaption style = "text-align: center;" style="text-align: center;">Figure 10 - “3rd stage” payload delivery and execution code.</figcaption></figure>Unfortunately, we were unable to obtain the 3rd-stage archive and its contained payload (“conhost.exe”) as it had gone offline prior to our investigation of this sample.<h3>POC of VTSO Attack Scenarios</h3>Partly as an academic exercise, and partly because the final payloads related to the above-described samples were unavailable, we decided to put together a proof of concept (POC) of how VSTO can be used in multiple types of attack scenarios.

In the above video, you can see a demonstration of our proof of concept delivering and executing a Meterpreter payload as well as establishing persistence on the victim’s machine.The POC code can be found in our public <a href="https://github.com/deepinstinct/VSTO-POC" target="_blank">GitHub repository</a>Please note that we used a simple, highly detectable, Meterpreter payload. This required us to disable <a href="/vs-microsoft-defender" target="_self">Microsoft Windows Defender</a> to film the above video. However, the rest of the POC components went completely undetected.<h3>Conclusion</h3>While VSTO Add-In's are relatively uncommon in the threat landscape due to the capabilities offered both in terms of execution (in theory – an entire fully-featured malware strain can be written and developed in .NET as a VSTO Add-In) and in terms of persistence, we expect more threat actors to adopt and employ them soon. This is particularly true of nation-state and other “high caliber” actors who are more likely to gain the ability to bypass the trust mechanisms present in the Windows environment by means such as a stolen (or otherwise obtained) trusted certificate.<h3>IOCs</h3>5530F5D20016E3F0E6BBC7FAD83EEC56F118179D4C5D89FC26863C37482F8930 E74DD27FF0BA050BBC006FD579B8022E07B570804588F0E861CC4B1321A3EC48 0526F63486DE882CCF33374DCA4B093219A8FD93014BABE794715F04FF49B151 B3282DC58AD961911D94B712CEA11F649B0BA785D7FF74D7ED9946E1260DD521 40C9D3D58CE5DB0C6D18184E5813C980CD7B72EFC7505C53CD13E60860EF8157 78D6A2C0B52E9E5AF8007BC824EFD5846585A3056B3A0E6EFDFA7E60EED48C8C hxxps://34.241.171.114/ hxxp://classicfonts.live/<h3>MITRE Mapping</h3><table><thead class="bg-grey"><tr><th style="width: 15%;">Tactic</th><th>Technique</th><th>Description</th><th>Observable</th></tr></thead><tbody><tr><td>Execution</td><td>T1204.002User Execution: Malicious File</td><td>User must open a malicious document</td><td>E74DD27FF0BA050BBC006FD579B8022E07B570804588F0E861CC4B1321A3EC48</td></tr><tr><td>Execution</td><td>T1059.001Command and Scripting Interpreter: PowerShell</td><td>PowerShell code is executed</td><td>0526F63486DE882CCF33374DCA4B093219A8FD93014BABE794715F04FF49B151</td></tr><tr><td>Defense Evasion</td><td>T1553.005Subvert Trust Controls: Mark-of-the-Web Bypass</td><td>.ISO container file used</td><td>5530F5D20016E3F0E6BBC7FAD83EEC56F118179D4C5D89FC26863C37482F8930</td></tr><tr><td>Defense Evasion</td><td>T1027Obfuscated Files or Information</td><td>Obfuscation used; Password protected file used.</td><td>0526F63486DE882CCF33374DCA4B093219A8FD93014BABE794715F04FF49B151, 78D6A2C0B52E9E5AF8007BC824EFD5846585A3056B3A0E6EFDFA7E60EED48C8C</td></tr><tr><td>Persistence</td><td>T1137.006Office Application Startup: Add-ins</td><td>VSTO Add-In's may be used for persistence</td><td>E62E05D9DE5DAAB900FC32941727870C018D7CFD46E2BAC43EF360B80B3A0B31</td></tr></tbody></table>

No Macro? No Worries. VSTO Being Weaponized by Threat Actors

Deep Instinct Included in the 2022 Gartner® Magic Quadrant™ for Endpoint Protection Platforms (EPP)

Deep Instinct Included in the 2022 Gartner® Magic Quadrant™ for Endpoint Protection Platforms (EPP)

Deep Instinct Threat Lab

From Deep Instinct Threat Lab.