BlackCat Ransomware Successor Cicada3301 Emerges

The Cicada3301 ransomware shows multiple similarities with BlackCat and is believed to mark the reemergence of the threat.

The post BlackCat Ransomware Successor Cicada3301 Emerges appeared first on SecurityWeek.

SecurityWeek – ​Read More

Threat actor abuses Gophish to deliver new PowerRAT and DCRAT

Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor.  The campaign involves modular infection chains that are either Maldoc or HTML-based infections and require the victim’s intervention to trigger the infection chain.  Talos discovered an undocumented PowerShell RAT we’re calling PowerRAT,  as one of the payloads and another infamous Remote Access Tool (RAT) DCRAT. We found a few placeholders for base64 encoded PowerShell scripts in the PowerRAT, indicating that the threat actor is actively developing their tools.  

Victimology 

Talos assesses with high confidence that the threat actor is targeting Russian-speaking users, based on the language used in the phishing emails, the lure content of the malicious documents, and an HTML webpage masquerading as Vkontakte (VK), a popular social media application among Russian speakers, especially in Russia, Ukraine, Belarus, Kazakhstan, Uzbekistan, and Azerbaijan.

 

 

Actor uses Gophish to send phishing emails 

Our analysis of the malicious hyperlinks embedded in the phishing emails showed that the attacker-controlled hosting domain disk-yanbex[.]ru delivered the malicious Microsoft Word document and an HTML file embedded with malicious JavaScript.

The domain disk-yanbex[.]ru resolves to the IP address 34[.]236[.]234[.]165, an AWS EC2 instance with the fully qualified domain name ec2-34-236-234-165[.]compute-1[.]amazonaws[.]com, during our analysis. We also observed that the same server 34[.]236[.]234[.]165 was reverse resolving to another domain e-connection[.]ru, which also delivered malicious JavaScript-embedded HTML files. Our further analysis of the server 34[.]236[.]234[.]165 disclosed to us that the actor hosted the Gophish toolkit on the server running at port number 3333. Gophish is an Open-Source easy-to-deploy phishing toolkit that is developed to conduct security awareness training according to the tool’s developer.  

Attacker hosting Gophish.

Talos analysis of the phishing email sample’s header showed us that the email was first delivered from server 34[.]236[.]234[.]165, indicating that the threat actor is misusing the Gophish framework in this campaign to deliver phishing emails to their targets.   

Sample Phishing email header. 

Multi-modular Campaign delivers PowerRAT and DCRAT  

The campaign has two initial attack vectors, one based on malicious Word documents and another based on HTML files containing malicious JavaScript. Upon activation, these would lead to the download and activation of PowerRAT or DCRAT depending on the initial vector. Both the attack chains require user intervention to trigger the infections on the compromised machines. 

Maldoc-based infection delivers PowerRAT 

When a victim opens the Microsoft Word document and enables the view contents button displayed in the document banner, the malicious VB macro program executes.  

The macro program initially executes a function that decodes or translates specific encoded symbols in the lure contents of the Word document into their corresponding characters from another alphabet in Cyrillic, transforming the lure contents into readable form. 

We spotted a base64 encoded data blob on the third page of the Word document and the actor used the text color the same as that of the document’s default background color, hiding them from the victim’s view.  

To identify the hidden encoded data, the macro executes a function that searches for specific strings such as “DigitalRSASignature:” and “CHECKSUM” in the content section of the Word document, and when found, it copies the data following the search strings to an array.  

To decode the base64 encoded data blob, the actor uses a custom function called CheckContent() in the macro. It removes any “=” characters which are the padding characters in the encoded data blob and decodes them into two parts in a byte array. The first part is the contents of a malicious HTML application (HTA) file and the second is a PowerShell loader.  

The macro drops the decoded contents of the malicious HTA file to “UserCache.ini.hta” and the PowerShell loader into “UserCache.ini” in the victim machine’s current user profile folder.   

The actor has abused the Windows NT current version autorun registry key called “LOAD”. The registry key “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LOAD” is used by Windows to automatically launch applications or processes when a user logs into their account. Specifically, this key stores information about programs that are set to load upon user login. It works similarly to other startup mechanisms in Windows (such as the Startup folder or the Run registry keys), but this specific key is less commonly used. After dropping the malicious HTA and the PowerShell loader script in the victim machine’s user profile folder, the macro sets the registry key “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LOAD” to the value “C:\Users\<Username>\UserCache.ini.hta”.

Finally, the macro checks if there are any headers in the Word documents and deletes the contents of the headers from all sections of the Word document.  

Intermediate phase includes Malicious HTA, JavaScript, and PowerShell Loader  

The malicious HTA “UserCache.ini.hta” is executed through the LOAD registry key when a victim logs into the machine. It drops a JavaScript file called “UserCacheHelper.lnk.js” in the victim machine’s user profile folder and writes into it a single line of code embedding a PowerShell command that executes the dropped PowerShell loader, which masquerades as the “UserCache.ini” file. The HTA file executes the JavaScript “UserCacheHelper.lnk.js” using the LOLbin “cscript.exe”.

Sample of malicious HTA file.

The dropped JavaScript “UserCacheHelper.lnk.js” loads the contents of the “UserCache.ini” and executes it using the Invoke-Expression PowerShell command. The PowerShell Loader script masquerading as the INI file contains base64 encoded data blob of the payload PowerRAT, which decodes and executes in the victim’s machine memory.   

Sample PowerShell Loader script embedded with PowerRAT.
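The persistence and intermediate stages described above can be hunted as a chain in endpoint telemetry. The following is an added example, not code from Talos or from the malware: it assumes Sysmon-style events (EventID 13 registry value set, EventID 1 process creation) held as dictionaries, and it assumes the HTA is opened by mshta.exe, the default handler for .hta files. The report writes the key as ...\CurrentVersion\LOAD; on Windows the Load value sits under ...\CurrentVersion\Windows, so the pattern accepts both spellings. All events are constructed.

```python
import ntpath
import re

# Matches the key as written in the report and the Windows\Load value form.
LOAD_KEY = re.compile(r"\\Windows NT\\CurrentVersion\\(?:Windows\\)?Load$", re.I)
SCRIPT_EXT = (".hta", ".js", ".vbs", ".wsf")
SCRIPT_HOSTS = ("cscript.exe", "wscript.exe")

# Constructed Sysmon-style events (field names follow Sysmon's schema).
EVENTS = [
    {"Computer": "WS01", "UtcTime": "2024-10-01 08:00:05", "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-0\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load",
     "Details": r"C:\Users\alice\UserCache.ini.hta"},
    {"Computer": "WS01", "UtcTime": "2024-10-02 07:30:10", "EventID": 1,
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe C:\Users\alice\UserCacheHelper.lnk.js"},
    {"Computer": "WS01", "UtcTime": "2024-10-02 07:30:11", "EventID": 1,
     "ParentImage": r"C:\Windows\System32\cscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command <constructed placeholder>"},
    {"Computer": "WS02", "UtcTime": "2024-10-02 09:00:00", "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run\Sync",
     "Details": r"C:\Program Files\Sync\sync.exe"},
    {"Computer": "WS02", "UtcTime": "2024-10-02 09:05:00", "EventID": 1,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]


def classify(ev):
    """Return the chain stage an event represents, or None."""
    if ev["EventID"] == 13:
        if (LOAD_KEY.search(ev.get("TargetObject", ""))
                and ev.get("Details", "").lower().endswith(SCRIPT_EXT)):
            return "load-key-script"
        return None
    if ev["EventID"] == 1:
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        child = ntpath.basename(ev.get("Image", "")).lower()
        cmd = ev.get("CommandLine", "").lower()
        if parent == "mshta.exe" and child in SCRIPT_HOSTS and ".js" in cmd:
            return "hta-spawns-script-host"
        if parent in SCRIPT_HOSTS and child == "powershell.exe":
            return "script-host-spawns-powershell"
    return None


def chain_by_host(events):
    """Group matched stages per host, keeping hosts with two or more distinct stages."""
    stages = {}
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        stage = classify(ev)
        if stage:
            stages.setdefault(ev["Computer"], []).append(stage)
    return {host: s for host, s in stages.items() if len(set(s)) >= 2}


if __name__ == "__main__":
    for host, found in chain_by_host(EVENTS).items():
        print(host, " -> ".join(found))
```

Requiring two distinct stages per host keeps a lone script host launching PowerShell, which is common in administration scripts, from alerting by itself.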

PowerRAT expands the attack vector for further infections  

Talos discovered a new PowerShell remote access tool as one of the payloads in this campaign we are calling PowerRAT that executes in the victim’s machine memory. It has the functionality of executing other PowerShell scripts or commands as directed by the C2 server, enabling the attack vector for further infections on the victim machine.   

The PowerRAT that executes in the victim machine memory initially checks if the JavaScript “UserCacheHelper.lnk.js” exists in the user profile folder and if not found, it will reinfect the victim machine by performing the actions of the PowerShell loader script described in the previous section. Then it hides the “UserCache.ini” by modifying the file attributes to “Hidden”. 

The PowerRAT performs reconnaissance on the victim’s machine by executing a function GetID(), which collects the username, computer name, and the system drive letter through the PowerShell command Get-CimInstance. It also collects the drive serial number through the win32_volume WMI class. The collected data is written to memory in the format <Computername_Username_drive serial number>.

After performing the reconnaissance, the PowerRAT attempts to connect to the C2 server by sending the collected data of the victim’s machine using a hardcoded URL through the HTTP GET method.  The C2 servers identified in this campaign are 94[.]103[.]85[.]47 located in Russia with the ASN 48282 of Hosting Technology LTD and 5[.]252[.]176[.]55 also geographically located in Russia with the ASN 39798 of MivoCloud SRL.  

When there is no response from the C2 server, the PowerRAT has a placeholder function called offlineworker() that has the functionality to decode an embedded base64 encoded string of a PowerShell script and execute it using the Invoke-Expression command. The actor has built this functionality to keep the infection alive in the victim machine even if the victim’s environment detects the malicious C2 traffic and blocks the connection. We didn’t see any embedded base64 encoded strings in the PowerRAT sample that we analyzed, so the function is likely a placeholder, indicating that the actor is actively developing and updating their tools.

The PowerRAT generates a random number between 7 – 23 and pauses its execution for (300 + random number) seconds and re-attempts to connect to the C2 server continuously waiting for a response. During our analysis, the C2 servers were not responding, and still, our further analysis of the PowerRAT showed us that the C2 server will likely respond with an XML configuration file having multiple modules with embedded base64 encoded PowerShell commands or scripts.   

The PowerRAT has the functionality to parse the received XML file and search for the sections called config.  It periodically executes the embedded encoded PowerShell commands or scripts, according to their defined intervals and run limits. The PowerRAT continues to run until all commands or scripts in the config sections are executed the required number of times.   
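The retry timing described above (a pause of 300 plus 7 to 23 seconds between connection attempts) gives a narrow inter-request window that can be searched for in proxy logs. The following is an added example, not code from Talos or from PowerRAT: the log format, the URL path, the addresses, the 30-second allowance for request time and the streak threshold are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Pause described in the report: 300 s plus a random value between 7 and 23.
MIN_DELAY, MAX_DELAY = 300 + 7, 300 + 23
REQUEST_SLACK = 30   # assumed: extra seconds a failed or slow request may add
MIN_STREAK = 4       # assumed: consecutive in-window gaps needed to report

# Constructed proxy log: ISO timestamp, client IP, method, URL.
SAMPLE_LOG = """\
2024-10-01T09:00:00 10.0.0.5 GET http://192.0.2.10/q?id=WS01_alice_1A2B3C4D
2024-10-01T09:00:00 10.0.0.9 GET http://updates.example.invalid/poll
2024-10-01T09:01:12 10.0.0.5 GET http://www.example.invalid/index.html
2024-10-01T09:03:40 10.0.0.5 GET http://www.example.invalid/news
2024-10-01T09:05:00 10.0.0.9 GET http://updates.example.invalid/poll
2024-10-01T09:05:10 10.0.0.5 GET http://192.0.2.10/q?id=WS01_alice_1A2B3C4D
2024-10-01T09:10:00 10.0.0.9 GET http://updates.example.invalid/poll
2024-10-01T09:10:28 10.0.0.5 GET http://192.0.2.10/q?id=WS01_alice_1A2B3C4D
2024-10-01T09:15:00 10.0.0.9 GET http://updates.example.invalid/poll
2024-10-01T09:15:35 10.0.0.5 GET http://192.0.2.10/q?id=WS01_alice_1A2B3C4D
2024-10-01T09:20:00 10.0.0.9 GET http://updates.example.invalid/poll
2024-10-01T09:20:57 10.0.0.5 GET http://192.0.2.10/q?id=WS01_alice_1A2B3C4D
2024-10-01T09:25:00 10.0.0.9 GET http://updates.example.invalid/poll
2024-10-01T09:26:12 10.0.0.5 GET http://192.0.2.10/q?id=WS01_alice_1A2B3C4D
"""


def parse(log_text):
    """Yield (timestamp, client, host) for each well-formed GET line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "GET":
            continue
        host = urlsplit(parts[3]).hostname
        if host:
            yield datetime.fromisoformat(parts[0]), parts[1], host


def find_beacons(log_text):
    """Return {(client, host): longest run of gaps inside the retry window}."""
    seen = defaultdict(list)
    for ts, client, host in parse(log_text):
        seen[(client, host)].append(ts)
    hits = {}
    for key, stamps in seen.items():
        stamps.sort()
        streak = best = 0
        for prev, cur in zip(stamps, stamps[1:]):
            gap = (cur - prev).total_seconds()
            # A request can only lengthen the gap, so slack applies upward only.
            if MIN_DELAY <= gap <= MAX_DELAY + REQUEST_SLACK:
                streak += 1
                best = max(best, streak)
            else:
                streak = 0
        if best >= MIN_STREAK:
            hits[key] = best
    return hits


if __name__ == "__main__":
    for (client, host), run in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {run} consecutive gaps in window")
```

The fixed 300-second poller in the sample is not reported, because the lower bound of the window is the shortest pause the report describes.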

HTML-based infection delivers DCRAT 

Talos discovered that the threat actor is also using HTML files embedded with malicious JavaScript in this campaign that are delivered to the victims through the malicious links in the phishing email, leading to the infection of the DCRAT payload.  

When a victim clicks on the malicious link in the phishing email, a remotely located HTML file containing the malicious JavaScript opens in the victim machine’s browser and simultaneously executes the JavaScript. The JavaScript has a base64 encoded data blob of a 7-ZIP archive of a malicious SFXRAR executable. It decodes the embedded base64 encoded data blob into binary data blob with the type “application/octet-stream” in the memory. A download URL for the binary data blob is created using the URL.createObjectURL() method and assigned to a variable in memory. It calls the click() method on the URL of the binary data blob which triggers the download of the binary data to a 7-Zip archive file. The malicious 7-Zip archive masquerades as the VK messenger application archive file in one of the malicious HTML files and another with a Russian name. The actor is using this technique in the JavaScript function to masquerade as the actual download activity of a file over the internet through a browser.  
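The delivery technique described above leaves static traits in the HTML file that a mail or web gateway can check before the page reaches a browser. The following is an added example, not code from Talos or from the campaign: it looks for the three API traits named in the paragraph and decodes the start of the largest base64 literal to identify the container, going slightly beyond the report by also recognising RAR, ZIP and PE headers. Both HTML samples are constructed and deliberately non-functional fragments.

```python
import base64
import re

# Leading bytes of containers worth flagging when found in a script literal.
MAGICS = {bytes.fromhex("377abcaf271c"): "7z", b"Rar!": "rar",
          b"PK\x03\x04": "zip", b"MZ": "pe"}
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{40,}={0,2})["']""")
TRAITS = {
    "octet_stream_blob": re.compile(r"new\s+Blob\s*\([^;]*?application/octet-stream"),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "programmatic_click": re.compile(r"\.click\s*\(\s*\)"),
}
SCRIPT = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)

# Constructed sample: 7-Zip signature followed by zero bytes, never a real archive.
_BLOB = base64.b64encode(bytes.fromhex("377abcaf271c") + bytes(40)).decode()
SAMPLE_SMUGGLING = (
    "<html><body><script>\n"
    'var d = "%s";\n'
    'var b = new Blob([decode(d)], {type: "application/octet-stream"});\n'
    "link.href = URL.createObjectURL(b); link.click();\n"
    "</script></body></html>" % _BLOB
)
SAMPLE_BENIGN = (
    "<html><body><script>\n"
    'var b = new Blob([png], {type: "image/png"});\n'
    "img.src = URL.createObjectURL(b);\n"
    "</script></body></html>"
)


def payload_type(script):
    """Identify the container hidden in the longest base64 string literal."""
    for literal in sorted(B64_LITERAL.findall(script), key=len, reverse=True):
        try:
            head = base64.b64decode(literal[:16], validate=True)
        except ValueError:
            continue
        for magic, name in MAGICS.items():
            if head.startswith(magic):
                return name
    return None


def analyze_html(html):
    """Report which smuggling traits and payload type an HTML file carries."""
    script = "\n".join(SCRIPT.findall(html))
    traits = sorted(name for name, rx in TRAITS.items() if rx.search(script))
    payload = payload_type(script)
    if payload and len(traits) == len(TRAITS):
        verdict = "likely-smuggling"
    elif payload or len(traits) >= 2:
        verdict = "review"
    else:
        verdict = "clean"
    return {"traits": traits, "payload": payload, "verdict": verdict}


if __name__ == "__main__":
    print(analyze_html(SAMPLE_SMUGGLING))
    print(analyze_html(SAMPLE_BENIGN))
```

A blob that is split across several concatenated literals or otherwise obfuscated will not be typed by this check, so the trait count still sends such pages to review.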

A victim must inflate the 7-Zip archive manually to run the SFXRAR executable which is masquerading as the legitimate VK application executable which leads to DCRAT infection. The SFX RAR executable is packaged with the malicious loader or dropper executables, batch file, and a decoy document in some samples.  

When a victim runs the SFX executable, the SFX script drops the packaged files into a folder and executes the batch file which runs another password-protected SFXRAR with the hardcoded password “riverdD” and runs the DCRAT.   

In another sample, we observed that the SFXRAR drops the GOLoader and the decoy document Excel spreadsheet in the victim machine user profile applications temporary folder and runs the GOLoader along with opening the decoy document.   

Talos observed an overlap of the technique used by the threat actor in this campaign with an earlier SparkRAT attack reported by Hunt researchers in April 2024, indicating that SparkRAT is another payload in the threat actor’s arsenal. 

GOLoader downloads and runs the DCRAT 

In the DCRAT infection, the SFX script runs a malicious loader executable and simultaneously opens a decoy document. The malicious loader executable, which we are calling “GOLoader”, is compiled in Golang. It modifies the configuration settings for Microsoft Defender Antivirus, specifically by excluding the root directory “C:\” and the folder “C:\Users\$user\Desktop” on the victim machine, by executing the following PowerShell commands.

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\$user\Desktop'

powershell -Command Add-MpPreference -ExclusionPath 'C:\'

After configuring the exclusion paths, the GOLoader downloads the DCRAT binary data stream from a remote location through a hardcoded URL and writes it into a dropped executable with the file name “file.exe” in the desktop folder on the victim’s machine. During our analysis, we found that the remote location URL hardcoded in the GOLoader was pointing to a GitHub repository, which was not accessible. However, we found that the hosted payload binary in the GitHub repository is the Dark Crystal RAT (DCRAT) binary based on open-source intelligence data.   

Threat actor delivers DCRAT 

The payload Dark Crystal RAT (DCRAT) sample that we analyzed in this campaign is a modular RAT associated with plugins to perform the DLL injection and information stealing tasks.  

Key features of the DCRAT sample of this campaign include: 

Provides remote control access to the victim machine to the actor who can execute arbitrary commands, manage files, and monitor user activities.

It has the capability of downloading and executing other files on the victim’s machine.

With its stealer plugin modules, the RAT can steal sensitive information including credentials, files, and financial information from the victim’s machine.

The RAT can take screenshots and capture the keystrokes on the victim’s machine.

We found that the RAT creates multiple copies of its binary masquerading as legitimate Windows executables including csrss.exe, dllhost.exe, taskhostw.exe, and winlogon.exe in the folders such as ProgramData, Pictures, Saved Games, and Windows start menu.

It drops the embedded modules in the administrator user desktop folder using random file names and with the “.log” file extension.

C:\Users\admin\Desktop\zaHrebVC.log

C:\Users\admin\Desktop\HQLYdHol.log

C:\Users\admin\Desktop\qJutJUJW.log

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\taskhostw.exe

C:\ProgramData\dllhost.exe

C:\Users\Default\Pictures\csrss.exe

C:\Users\Default\Saved Games\winlogon.exe


It establishes persistence on the victim machine by creating several Windows tasks to run at different intervals or during the Windows login process. 

Task Scheduler Commands

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Saved Games\winlogon.exe'" /f

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\winlogon.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Saved Games\winlogon.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Pictures\csrss.exe'" /f

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Pictures\csrss.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Pictures\csrss.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\dllhost.exe'" /f

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\dllhost.exe'" /f

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Start Menu\taskhostw.exe'" /f

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\taskhostw.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Start Menu\taskhostw.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "filef" /sc MINUTE /mo 13 /tr "'C:\Users\admin\AppData\Local\Temp\file.exe'" /f

schtasks.exe /create /tn "file" /sc ONLOGON /tr "'C:\Users\admin\AppData\Local\Temp\file.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "filef" /sc MINUTE /mo 9 /tr "'C:\Users\admin\AppData\Local\Temp\file.exe'" /rl HIGHEST /f
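The Defender exclusions set by GOLoader and the scheduled tasks created by DCRAT are both visible in process command lines. The following is an added example, not code from Talos: it classifies command lines as they would appear in process-creation logs, using a few of the commands listed in the report plus two constructed benign lines. The rule names and the choice of which directories count as user-writable are assumptions.

```python
import ntpath
import re

# Binary names the report shows DCRAT copying itself under.
SYSTEM_NAMES = {"csrss.exe", "dllhost.exe", "taskhostw.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata")  # assumed list

EXCLUSION = re.compile(r"""-ExclusionPath\s+(?:["']([^"']+)["']|(\S+))""", re.I)
TASK_RUN = re.compile(r"""/tr\s+(?:["']+([^"']+)["']+|(\S+))""", re.I)

# Lines 1-5 follow commands in the report; lines 6-7 are constructed benign cases.
SAMPLE_COMMANDS = r"""
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\$user\Desktop'
powershell -Command Add-MpPreference -ExclusionPath 'C:\'
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\winlogon.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\dllhost.exe'" /f
schtasks.exe /create /tn "filef" /sc MINUTE /mo 9 /tr "'C:\Users\admin\AppData\Local\Temp\file.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe" /f
powershell -Command Add-MpPreference -ExclusionPath "D:\BuildCache\obj"
"""


def _arg(rx, cmd):
    """Return the quoted or bare argument captured by rx, if any."""
    m = rx.search(cmd)
    return (m.group(1) or m.group(2)) if m else None


def check_command(cmd):
    """Return the list of rule names a single command line triggers."""
    findings = []
    low = cmd.lower()
    if "add-mppreference" in low:
        path = _arg(EXCLUSION, cmd)
        if path:
            norm = path.rstrip("\\").lower()
            if re.fullmatch(r"[a-z]:", norm):
                findings.append("defender-exclusion-drive-root")
            elif norm.startswith("c:\\users\\"):
                findings.append("defender-exclusion-user-path")
    if "schtasks" in low and "/create" in low:
        target = _arg(TASK_RUN, cmd)
        if target:
            folder, name = ntpath.split(target.lower())
            if name in SYSTEM_NAMES and not folder.startswith(SYSTEM_DIRS):
                findings.append("task-runs-masqueraded-system-binary")
            if re.search(r"/rl\s+highest", low) and folder.startswith(USER_WRITABLE):
                findings.append("elevated-task-from-user-writable-path")
    return findings


def scan(commands):
    """Check every non-empty line and return one findings list per line."""
    return [check_command(c) for c in commands.strip().splitlines()]


if __name__ == "__main__":
    for line, found in zip(SAMPLE_COMMANDS.strip().splitlines(), scan(SAMPLE_COMMANDS)):
        print(found or "ok", "|", line)
```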


The RAT communicates to the C2 server through a URL hardcoded in the RAT configuration file as shown in the picture and exfiltrates the sensitive data collected from the victim machine. From other DCRAT samples identified in this campaign, we found another C2 URL “hxxp[://]cr87986[.]tw1[.]ru/L1nc0In[.]php”.

Sample of DCRAT configuration file.

Coverage 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 63963 – 63970, 63971 and 301004. 

ClamAV detections are also available for this threat: 

Win.Downloader.RustAgent-10036537-0 

Win.Downloader.RustAgent-10036538-0 

Win.Downloader.RustAgent-10036539-0 

Win.Downloader.GoAgent-10036540-0 

Win.Backdoor.PowershellRAT-10036541-0 

Win.Phishing.VbsAgent-10036542-0 

Win.Phishing.JsAgent-10036543-0 

Win.Loader.PowershellLoader-10036544-0 

Win.Loader.HtaAgent-10036545-0 

Win.Loader.DonutLoader-10036546-0

IOCs 

IOCs for this research can be found in our GitHub repository here

Cisco Talos Blog – ​Read More

Palo Alto Networks Adds New Capabilities to OT Security Solution

Palo Alto Networks has added new remote access, virtual patching and firewall capabilities to its OT Security solution.

The post Palo Alto Networks Adds New Capabilities to OT Security Solution appeared first on SecurityWeek.

SecurityWeek – ​Read More

Malware Trends Report: Q3, 2024

We’re excited to share ANY.RUN‘s latest malware trends analysis for Q3 2024.

Our quarterly update provides insights into the most widely deployed malware families, types, and TTPs we saw during the last 3 months of the year.

Summary

Users launched over 1M sandbox sessions in Q3 2024

In Q3 2024, ANY.RUN users ran 1,090,457 public interactive analysis sessions, which is a 23.7% increase from Q2 2024. Out of these, 211,770 (19.4%) were marked as malicious, and 47,375 (4.3%) as suspicious.  

Compared to the previous quarter, the percentage of malicious sandbox sessions increased slightly from 18.4% in Q2 2024 to 19.4% in Q3 2024. The share of suspicious sessions saw a decline from 7.0% to 4.3%.  

As for indicators of compromise, users collected a total of 570,519,029 IOCs this quarter.


Top Malware Types in Q3 2024   

Stealers dominated the threat landscape in Q3 2024

Let’s take a closer look at the most common malware types identified by ANY.RUN’s sandbox. 

Stealer: 16,511

Loader: 8,197 

RAT: 7,191 

Ransomware: 5,967 

Miner: 3,880 

Keylogger: 3,172 

Backdoor: 811 

Installer: 640 

Trojan: 507 

Compared to Q1 and Q2 of 2024, the ANY.RUN sandbox saw a significant increase in the detection of malware in Q3. A major reason for this is the growing number of public samples being uploaded by our 500,000-strong community of security analysts. Our team is also continuously improving the service’s capabilities, resulting in broader threat coverage. 

Top malware types: highlights  

In Q3, Stealers were the most common malware type detected, returning to the first spot since the start of the year after falling to the fourth place in Q2. They saw a serious rise in detections, reaching 16,511 in Q3.  

Loaders maintained a strong presence, securing the second position for another quarter in a row. Their detections have seen a 49% rise from 5,492 to 8,197.

After leading in Q2, RATs dropped to the third spot, with 7,191 detections. 

Trojan and Installer malware experienced a substantial decrease, shedding 3,704 and 2,466 detections respectively. Ransomware increased by 3,021, indicating a rise in this type of threat.

Top Malware Families in Q3 2024   

Lumma, AsyncRAT and Remcos became top threats in Q3 2024

Lumma: 4,140 

AsyncRAT: 3,053  

Remcos: 2,548    

Agent Tesla: 2,316  

XWorm: 2,188  

Stealc: 2,030  

Snake: 1,782  

MetaStealer: 1,663  

Cobalt Strike: 1,262 

Top malware families: highlights 

In Q3 2024, the malware landscape saw notable shifts. Despite not being present on the Q2 ranking, Lumma emerged as the leading threat, recording 4,140 instances. 

AsyncRAT went from 670 detections in Q2 to 3,053 in Q3, followed by Remcos whose detections almost doubled from 1,282 to 2,548.  

Agent Tesla also showed an increase, jumping from 439 detections to 2,316, which is still more than its Q4 2023 result, when it topped the malware families chart. 

Several new families made their debut in Q3, including XWorm with 2,188 detections and Stealc with 2,030.


Top MITRE ATT&CK techniques in Q3 2024

Disable Windows Event Logging became top TTP in Q3 2024

The MITRE ATT&CK framework categorizes adversary behavior into tactics and techniques, helping malware analysts more efficiently identify, assess, and respond to threats.

Here are the top 20 techniques observed in Q3 2024: 

# | MITRE ATT&CK Technique | № of detections
1 | Impair Defenses: Disable Windows Event Logging, T1562.002 | 63,027
2 | Command and Scripting Interpreter: PowerShell, T1059.001 | 46,155
3 | Command and Scripting Interpreter: Windows Command Shell, T1059.003 | 41,384
4 | Masquerading: Rename System Utilities, T1036.003 | 41,254
5 | Virtualization/Sandbox Evasion: Time Based Evasion, T1497.003 | 39,021
6 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, T1547.001 | 23,937
7 | System Binary Proxy Execution: Rundll32, T1218.011 | 21,896
8 | Scheduled Task/Job: Scheduled Task, T1053.005 | 16,718
9 | Masquerading: Match Legitimate Name or Location, T1036.005 | 15,594
10 | Phishing: Spearphishing Link, T1566.002 | 15,110
11 | Credentials from Password Stores: Credentials from Web Browsers, T1555.003 | 14,723
12 | System Services: Service Execution, T1569.002 | 14,257
13 | Email Collection: Local Email Collection, T1114.001 | 10,807
14 | Create or Modify System Process: Systemd Service, T1543.002 | 10,558
15 | Scheduled Task/Job: Systemd Timers, T1053.006 | 10,558
16 | Impair Defenses: Disable or Modify Tools, T1562.001 | 6,917
17 | Command and Scripting Interpreter: Unix Shell, T1059.004 | 6,634
18 | Command and Scripting Interpreter: Visual Basic, T1059.005 | 6,602
19 | Software Discovery: Security Software Discovery, T1518.001 | 6,258
20 | Virtualization/Sandbox Evasion: System Checks, T1497.001 | 6,003

Top TTPs: Q3 2024 vs Q2 2024 

The first three spots were taken, respectively, by:

T1562.002, Impair Defenses: Disable Windows Event Logging — new entry. 

T1059.001: Command and Scripting Interpreter: PowerShell — up from the 7th spot in Q2. 

T1059.003, Command and Scripting Interpreter: Windows Command Shell — rose from the 6th spot, nearly doubling in detections. 

The worthy mentions: 

T1114.001, Local Email Collection, was pushed down from the top spot in Q2 to the 13th position with 10,807 detections. 

T1036.003, Rename System Utilities, dropped from the 3rd spot in the previous quarter to 4th, registering 41,254 instances.

T1497.003, Time Based Evasion, despite falling to the 5th spot from 2nd in Q2, saw an increase in detections, bringing the figure to 39,021. 

Report methodology    

For our report, we looked at data from 1,090,457 interactive analysis sessions. This information comes from researchers in our community who contributed by running public analysis sessions in ANY.RUN.  

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

The post Malware Trends Report: Q3, 2024 appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Pharma Giant Johnson & Johnson Discloses Data Breach

Johnson & Johnson has disclosed a data breach impacting the personal information of thousands of people.

The post Pharma Giant Johnson & Johnson Discloses Data Breach appeared first on SecurityWeek.

SecurityWeek – ​Read More

VMware Releases vCenter Server Update to Fix Critical RCE Vulnerability

VMware has released software updates to address an already patched security flaw in vCenter Server that could pave the way for remote code execution.
The vulnerability, tracked as CVE-2024-38812 (CVSS score: 9.8), concerns a case of heap-overflow vulnerability in the implementation of the DCE/RPC protocol.
“A malicious actor with network access to vCenter Server may trigger this vulnerability by

The Hacker News – ​Read More

CISA Adds ScienceLogic SL1 Vulnerability to Exploited Catalog After Active Zero-Day Attack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical security flaw impacting ScienceLogic SL1 to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation as a zero-day.
The vulnerability in question, tracked as CVE-2024-9537 (CVSS v4 score: 9.3), refers to a bug involving an unspecified third-party component that could

The Hacker News – ​Read More

Russia-Linked Hackers Attack Japan’s Govt, Ports

Russia-linked hackers have taken aim at Japan, following its ramping up of military exercises with regional allies and the increase of its defense budget.

darkreading – ​Read More

Unmanaged Cloud Credentials Pose Risk to Half of Orgs

These types of “long-lived” credentials pose a risk for users across all major cloud service providers, and must meet their very timely ends, researchers say.

darkreading – ​Read More

Meta tests facial recognition for spotting ‘celeb-bait’ ads scams and easier account recovery

Meta is expanding tests of facial recognition as an anti-scam measure to combat celebrity scam ads and more broadly, the Facebook owner announced Monday. Monika Bickert, Meta’s VP of content policy, wrote in a blog post that some of the tests aim to bolster its existing anti-scam measures, such as the automated scans (using machine […]

© 2024 TechCrunch. All rights reserved. For personal use only.

Security News | TechCrunch – ​Read More