Cyber Intel Brief: February 15 – 21, 2024

New Malware Dropper Family, Delivering Various Payloads, Discovered

Malware – Phishing – Multi-stage Infection Chain – Dropper – TicTacToe Dropper – SmartAssembly – DeepSea Obfuscator – Obfuscation Tool – Industries/All

Threat Analysis

Throughout 2023, a family of malware droppers, dubbed TicTacToe Dropper, that share common characteristics, was used to deliver various final-stage payloads, such as Leonem, AgentTesla, SnakeLogger, RemLoader, Sabsik, LokiBot, Taskun, Androm, Upatre, and Remcos. Variants of the dropper were usually delivered through phishing email campaigns with an attached .iso file. These ISO files contained an executable, which initiated a multiple-stage infection chain, employing multiple nested DLL files, which were extracted at runtime and loaded directly into memory. 

Due to the multiple final payloads delivered, multiple threat actors likely employ the TicTacToe dropper, suggesting it’s being sold as a Dropper-as-a-Service. In early 2023, initial versions used a specific Polish string embedded within the code, ‘Kolko_i_krzyzyk’ (which translates to ‘TicTacToe’ in English). As the year progressed, new campaigns used droppers with different, unique strings, such as ‘MatrixEqualityTestDetail,’ ‘QuanLyCafe,’ ‘Pizza_Project,’ ‘Kakurasu,’ ‘BanHang_1’, and ‘ChiuMartSAIS.’ Despite these droppers being part of the same campaign and sharing a common unique identifier, they delivered various final payloads. 

Three variants of the TicTacToe dropper family, ALco.exe, IxOQ.exe, and oJXU.exe, were analyzed. All analyzed variants share the following characteristics:

• Employ a multi-stage nested DLL payload infection chain.
• All dropper payloads are .NET executables/libraries.
• One or more of the payloads are obfuscated using SmartAssembly.
• The DLL files are nested and used to unpack obfuscated payloads.
• All payloads, including the final payload, were loaded reflectively.
• Most initial .NET payloads had internal names with a combination of 3 to 8 letters in varying cases.
• Many samples shared common strings (e.g., Kolko_i_krzyzyk, MatrixEqualityTestDetail, Kakurasu, etc.) for the month they were delivered.
• Some of the variants try to create a copy of themself.

ALco.exe Variant

ALco.exe is a 32-bit executable developed in the .NET programming language. Upon execution, the dropper extracts and loads a .NET PE DLL (Stage 2) directly into its current process (directly into memory without being written to disk) using a runtime assembly object.

The extracted Stage 2 DLL was named ‘Hadval.dll’ in the OriginalFileName field in the file’s version information. This DLL was obfuscated with version 4.1 of the DeepSea software, which differs from the obfuscation method used in the initial executable, resulting in unreadable function names and clear indicators of code flow obfuscation. This Stage 2 DLL (Hadval.dll) extracts a gzip blob containing another 32-bit PE DLL file (Stage 3). 

The Stage 3 payload has the internal filename ‘cruiser.dll,’ which was obfuscated by SmartAssembly. The cruiser.dll file has a function that creates a copy of the executable in the temp folder. The code from the Stage 3 DLL (cruiser.dll) extracts, reflectively loads, and executes the Stage 4 payload from a resource in the primary payload. 

The Stage 4 payload is another .NET PE DLL with the internal name ‘Farinell2.dll,’ obfuscated with a custom obfuscator. This Stage 4 payload then de-obfuscates, reflectively loads, and executes the final payload (Stage 5). Multiple variants of this dropper deploy various final payloads, such as Lokibot, to steal credentials from browsers and software in the victim machine to Remcos RAT for remote access.

A high-level overview of the infection chain:
ALco.exe > Hadval.dll > cruiser.dll > Farinell2.dll > Final payload

IxOQ.exe Variant

IxOQ.exe employs a 4-stage infection chain vs. the 5 that the ‘ALco.exe’ variant employed. This executable was also a 32-bit .NET executable. This executable was not obfuscated but shares similarities with the ‘ALco.exe’ variant, e.g., later-stage obfuscated payloads embedded as object resources. This variant also contained a 32-bit .NET PE DLL (Stage 2). 

This stage 2 payload had the internal name of ‘Pendulum.dll.’ When executed, This DLL will extract the Stage 3 payload that shares the same file name (cruiser.dll) as the Stage 3 payload DLL of the ‘ALco.exe’ variant and uses the same loading process. The Stage 3 payload (cruiser.dll) extracts the Stage 4 payload from a resource in the primary payload (IxOQ.exe). This and the ‘ALco.exe’ variant present similar obfuscated image objects, which are visually identical between samples.

The extracted final payload was found to be another 32-bit .NET PE DLL with the internal name ‘Discompard.dll.’ The code from this payload was also loaded reflectively, as in previous stage payloads. Multiple antivirus engines detected this final payload (Discompard.dll) as the Zusy Banking Trojan (TinyBanker or Tinba) or Leonem. 

A high-level overview of the infection chain:
IxOQ.exe > Pendulum.dll > cruiser.dll > Discompard.dll (final payload)

oJXU.exe Variant 

The oJXU.exe is an earlier variant that used the Polish string, ‘Kolko_i_krzyzyk’ (TicTacToe in English). This variant is also a 32-bit .NET executable. It employs an identical technique to load code stored in the resource object of the file. When the resource object was checked, it was very similar to the resource object used by the IxOQ.exe variant. 

The Stage 2 payload has the internal name ‘Pendulum.dll,’ and the Stage 3 payload has the name ‘cruiser.dll.’ On execution, the Stage 3 payload extracts the Stage 4 payload from an image object. Again, the visual aspects of this embedded image object match those of ALco.exe and IxOQ.exe. The final payload was AgentTesla.

A high-level overview of the infection chain:
oJXU.exe > Pendulum.dll > cruiser.dll > AgentTesla

Since each variant drops a different final payload, each would have a different hash. As a result, while hash-based detections can effectively mitigate static threats, this dropper family requires a behavior-based approach to detect new campaigns. The multi-stage payload extraction and in-memory execution behaviors exhibited by this dropper are abnormal compared to normal application execution; Endpoint Detection and Response (EDR) solutions should be able to detect and block this behavior. 

Risk & Impact Assessment

The TicTacToe Dropper represents a significant risk to organizations due to its multifaceted nature and the variety of payloads it can deliver. The risk associated with this malware dropper stems from its multi-stage infection chain and known distribution through phishing email campaigns, leading to unauthorized access, malware deployment, and the potential for data exfiltration and further malicious activities. The likelihood of the TicTacToe Dropper impacting an organization, while difficult to assess due to the lack of intelligence on the success, scope, and extent of the phishing campaigns, is likely, given the dropper’s multi-stage infection chain, designed evasion techniques, and the observed continuous development to bypass security measures. 

A cyberattack facilitated by the TicTacToe Dropper could profoundly impact an organization, especially if it successfully deployed additional malware. Financially, it could lead to substantial losses due to operational downtime, data recovery efforts, legal fees, and potential fines for compliance violations. The reputational damage could erode stakeholder trust, affecting customer relationships and leading to a loss of business. Furthermore, the theft or compromise of sensitive data could have long-term implications on competitive advantage, exposing the organization to further targeted attacks. The cumulative effect of these impacts underscores the need for organizations to prioritize this threat.

Source Material: Fortinet, TicTacToe Dropper

Cyber Attack With No Malware, Compromised Account Used to Access and Exfiltrate Sensitive Data

Valid Account Abuse – Privilege Escalation – Data Exfiltration – VPN Abuse – LDAP Query – Directory Enumeration – Public Administration

Threat Analysis

An unidentified threat actor gained initial access by utilizing the compromised account of a former employee with administrative privileges (USER 1), which did not have multifactor authentication enabled, to conduct reconnaissance and discovery activities. Unfortunately, this account was not disabled immediately following the employee’s departure. Collected logs revealed the threat actor employed an unknown virtual machine (VM) to connect to the victim’s on-premises environment via the victim organization’s VPN, intending to blend in with legitimate traffic to evade detection. 

• Due to USER 1 credentials appearing in publicly available channels containing leaked account information, the threat actor likely obtained this account’s credentials in a separate data breach. 
• USER 1 account had access to a virtualized SharePoint server and the former employee’s virtualized workstation.

Using the access available to USER 1, the threat actor likely obtained a global domain administrator account (USER 2) from the virtualized SharePoint server because USER 2 credentials were stored locally on this server. 

• The threat actor authenticated to multiple services via the USER 1 and USER 2 accounts through the VM connection.
• The USER 2 account granted administrative privileges to the on-premises AD and Azure AD environments.

Through the threat actor’s VM connection, they executed four (4) LDAP queries of the on-premises AD. Based on the query output format, the threat actor likely used the open-source tool AdFind.exe. CISA and MS-ISAC assess the threat actor executed the LDAP queries to collect user, host, and trust relationship information. It is also believed the LDAP queries generated the text files (ad_users.txt, ad_computers.txt, and trustdmp.txt) the threat actor posted for sale on a dark web brokerage site.

• The LDAP queries collected names and metadata of users and hosts in the domain, trust information in the domain, and Domain Administrators and Service Principals in the domain.

Through the VM, the threat actor was observed authenticating to 16 services on the victim organization’s network from the USER 1 and USER 2 administrative accounts. In all instances, the threat actor authenticated to the Common Internet File Service (CIFS) on various endpoints, which provided shared access to files and printers between machines on the network. This was likely used for file, folder, and directory discovery and assessed to be executed in an automated manner. Additionally, the threat actor used compromised accounts to interact with a remote network share using the Server Message Block protocol.

• The threat actor authenticated to four services using USER 1, presumably for network and service discovery.
• The threat actor authenticated to twelve services using USER 2.

High-level overview of the intrusion chain:

1. The threat actor likely gathered valid account credentials in a data breach where account information appeared in publicly available channels.
2. The actor gained initial access through the compromised valid account (USER 1) of a former employee with administrative privileges.
3. The actor connected a VM via the victim’s VPN to blend in with legitimate traffic to evade detection.
4. The actor likely obtained a second administrator account (USER 2) credentials from a virtualized SharePoint server, where they were locally stored using the USER 1 account.
5. Through the VM connection, the actor executed LDAP queries of the AD to collect user and host information and trust relationship information.
6. The actor used the compromised USER 1 account to authenticate to four (4) services, presumably for network and service discovery.
7. The actor authenticated to 12 services using the USER 2 account (Global Domain Administrator account). The actor also authenticated to the Common Internet File Service (CIFS) on various endpoints, likely for file, folder, and directory discovery.
8. Using the Server Message Block protocol, the actor used compromised accounts to interact with a remote network share.

Risk & Impact Assessment

The abuse of valid accounts, particularly those with administrative privileges that lack multifactor authentication, represents a substantial risk to organizations across various sectors. This type of cyber attack underscores the critical vulnerabilities associated with inadequate account security measures and the failure to promptly deactivate accounts post-employment. The risk is primarily characterized by the ease with which threat actors can gain initial access and perform reconnaissance within an organization’s network undetected. Using techniques like connecting to the victim’s VPN through a virtual machine to mimic legitimate traffic further complicates detection efforts and increases the likelihood of significant impact.

Organizations targeted by such attacks could face dire consequences. Financially, the repercussions extend beyond immediate remediation costs, potentially incurring significant expenses related to legal liabilities and compliance penalties. The operational impact is equally grave, with potential disruptions to critical services, loss of productivity, and the costly diversion of resources towards incident response and recovery. The reputational impact is perhaps more damaging in the long term; breaches of this nature can severely erode stakeholder trust, leading to a loss of business and diminished public confidence. The theft or unauthorized access to sensitive data facilitated by such breaches poses a persistent threat with far-reaching implications for an organization’s competitive edge and security posture. The risk of further targeted attacks and the potential for espionage activities underscore the strategic importance of robust cybersecurity practices.

Source Material: CISA, Threat Actor Leverages Compromised Account of Former Employee to Access State Government Organization

New Phishing-as-a-Service Platform Discovered

Phishing-as-a-Service – Phishing – Credential Theft – WebSocket Communication – Tycoon Group – Two-Factor Authentication Bypass – Active Directory Federation Services Cookies – Industries/All

Threat Analysis

The Tycoon Group Phishing-as-a-Service (PaaS) platform provides an admin panel accessible to subscribers, enabling them to log in, generate and oversee campaigns, and manage stolen credentials, including usernames, passwords, and session cookies. Depending on their subscription plan, subscribers may access the panel for a limited duration. Users can generate new campaigns within the settings section, selecting the desired phishing theme and toggling various PaaS features on or off. The service also allows subscribers to forward phishing results to their Telegram account. Also displayed within the admin panel are metrics such as Bot Blocked, Total Visits, Valid Logins, Invalid Logins, and the count of Single Sign-On logins.

Within the stolen credentials table, each row features a “Get Cookies” button that enables threat actors to download a JavaScript file that allows them to set stolen cookies onto the browser, which can be used alongside the stolen password for unauthorized access to the victim’s account.

Leveraging scanned sessions in Urlscan.io containing artifacts and filenames related to Tycoon Group’s PaaS offering, scanned session data shows the earliest Tycoon Group’s phishing page submission occurred on 25 August 2023, which may be around the time frame Tycoon Group introduced this service.

On 22 October, a URLScan.io scan submission shows the use of socket.io.min.js, a WebSocket JavaScript library, in their phishing pages, allowing the transmission of data to the actor’s server in a more streamlined fashion. This WebSocket integration corresponds to a mid-October 2023 update where Tycoon Group claimed that “link and attachment will be smooth.” In February 2024, Tycoon Group introduced a new “premium” service that bypasses the two-factor authentication of Google Gmail and Microsoft Office. This release also includes the “Latest Gmail Display” login page, and Tycoon Group claims it “works with Google Captcha.”

Most recently, Tycoon Group claimed that links support Active Directory Federation Services (ADFS) cookies, enabling subscribers to steal these cookies, specifically targeting authentication mechanisms that use ADFS.

The attack chain starts with a phishing email that uses a link to a reputable online mailer and marketing services, newsletters, or document-sharing services, such as DocuSign, Microsoft Cloud, OneDrive, Dropbox, Sharepoint, Google Drive, Microsoft Dynamics, Adobe Cloud, Flipsnack.com, Baidu.com, Paperless.io, Feedblitz.com, Marsello.com, RetailRocket.net, Padlet.com, and Doubleclick, as URL redirectors or to host a decoy document containing a link to the final phishing page. 

Once a target clicks the link in the phishing email, they will be redirected to the landing page, composed of two primary components: a PHP script named index.php, which loads the secondary component, myscr(random digits).js. This second component’s function is to generate the HTML code for the phishing page.

“Index.php” Component

Trustwave identified two versions of index.php. Earlier versions feature HTML source code in non-obfuscated plain text. Later versions employ code obfuscation, using randomly generated variable names and a combination of Base64 encoding and XOR operations to hide the JavaScript link.

myscr JavaScript Component

This script also uses multiple obfuscation techniques to evade bot crawlers and antispam engines. One obfuscation technique involves using a very long array of characters represented as decimal integers. Each integer value undergoes conversion from decimal to character and is then concatenated to construct the HTML source code of the phishing page. In addition, the script uses an obfuscation technique known as an opaque predicate, inserting unnecessary code in the program flow to obscure the underlying logic of the script and makes reverse engineering harder.

Initially, the JavaScript component prefilters automated crawlers and humans using the Cloudflare Turnstile service to verify that a human is clicking the link. Tycoon Group’s PaaS subscribers can enable this feature in the admin panel by supplying Cloudflare keys associated with the subscriber’s account, which also adds visitor metrics for the phisher via the Cloudflare dashboard.

Upon successful verification, the JavaScript component loads a fake sign-in page based on the phishing theme configured by the subscriber, such as Microsoft 365. If a target inputs their credentials, the phishing page uses a distinctive method of exfiltrating the victim’s credentials. It utilizes the socket.io JavaScript WebSocket library to communicate with the command and control (C2) server, enabling the exfiltration of the data entered into the fake sign-in page. Usually, the phisher’s C2 server is hosted on the same domain as the phishing page. 

Initial WebSocket request

wss://{THREAT ACTOR DOMAIN}/web6socket/socket.io/?type=User&customid={CUSTOMID}&EIO=4&transport=websocket

Initially, the JavaScript on the phishing page transmits a message to the WebSocket server, sending information such as the maximum payload size, WebSocket ping interval and timeout, unique ID, and additional upgrade details.

The phisher’s WebSocket server then confirms receipt of this message by sending a received message that includes a randomly generated alphanumeric character. Then, the phishing page sends a WebSocket message to the server with four fields: send_to_browser, route, arguments, and getresponse. 

“send_to_browser” specifies the action to be performed. “route” specifies if the data collected is an email (enteremail) or password (enterpassword). “arguments” is an array containing additional data or parameters for the specified route. For example, if the route specified is “enteremail,” it includes [“user email address”, “sid”, “browser type”, “IP”]. “getresponse” is a flag indicating whether a response from the browser is expected (1 for true, 0 for false). For instance, if the sender anticipates receiving a response, the value will be 1.

Once the message is received, the C2 server responds with a corresponding message with five fields: response_from_browser, message, bottomsection, backbutton, and description. During a test scenario, Trustwave entered an arbitrary email address, and the server replied with an error message indicating that the entered username did not match their target. 

The “response_from_browser” field indicates that the data represents a response received from the browser. The “message” field specifies the nature of the response; in Trustwave’s test, it was “error,” indicating that the entered username did not match their target. The “bottomsection” field is an array containing objects representing clickable elements in the bottom section of the response. Each object may have properties such as a_text (anchor text), a_id (anchor ID), type (link type), and text (displayed text). The “backbutton” field is a binary flag indicating whether a back button should be shown (0 for no or 1 for yes). The “description” field is an object providing additional details or instructions, which may include properties such as a_text (anchor text), a_id (anchor ID), type (link type), and text (displayed text).

A high-level overview of the intrusion chain:

1. Phishing email with a link or attachment. 
2. If the target clicks the link, the target is presented with Cloudflare’s Turnstile verification service.
3. The service will display the phishing landing page if the target passes verification and establishes communication with the service’s server via WebSocket. 
4. If the target inputs their credentials, they are sent to the service’s server via WebSocket messages. 

Risk & Impact Assessment

The Tycoon Group’s Phishing-as-a-Service (PaaS) offering represents a considerable risk to organizations across various sectors due to its comprehensive features and ease of use, including customizable phishing campaigns, management of stolen credentials, and advanced features designed to bypass traditional security measures. The risk associated with Tycoon Group’s PaaS is primarily due to its ability to facilitate widespread phishing attacks with minimal effort from subscribers. This service’s ease of use, coupled with its subscription-based model, lowers the barrier to entry for cybercriminals. There is a reasonable likelihood that an organization will be impacted by Tycoon Group’s PaaS, especially considering the service’s enhancements, such as two-factor authentication bypassing capabilities and support for Active Directory Federation Services (ADFS) cookies. These features demonstrate the developer’s intention to overcome security defenses and its potential to enable unauthorized access to sensitive systems and data, making the platform more enticing to potential subscribers.

The impact of a cyberattack leveraging Tycoon Group’s Phishing-as-a-Service (PaaS) could be severe for affected organizations. Financial repercussions may include direct losses from fraud, costs associated with response and remediation efforts, and potential fines for data breaches. Operational impacts could involve disruption to business processes and the theft of critical data, further compounded by the time and resources required for recovery. Additionally, the reputational damage from such an attack could significantly erode stakeholder confidence, leading to a loss of business and long-term harm to the organization’s brand. The theft or unauthorized access to sensitive information facilitated by Tycoon Group’s service could also expose the organization to espionage, targeted attacks, and a compromise of competitive advantages. Given these factors, the cumulative impact of an attack via Tycoon Group’s PaaS underscores the urgency for organizations to recognize and mitigate this threat through proactive security measures and awareness programs.

Source Material: Trustwave, Breakdown of Tycoon Phishing-as-a-Service System