BazaLoader campaign uses fake streaming services to evade detection 

What is it?

Cyber-criminals continue to evolve their social engineering tactics to evade corporate network detection measures and deliver malicious payloads. Proofpoint recently discovered attackers are operating a call center-like capability, where a live agent answers a call and directs victims to a fake movie streaming website. The BazaLoader campaign relies on the victim initially being contacted via phishing emails. The attackers create a sense of concern and urgency by sending messages that the victim will be charged for a subscription, resulting in the installation of the BazaLoader trojan.  

Social engineering is a concept regularly discussed in Threat Reports as a common component of successful attack chains. Attackers continue to utilize social engineering because it is effective. As with any other attack technique, social engineering tactics continually evolve, in an arms race of sorts, as defenders raise awareness of successful campaigns. Recently, Proofpoint described a novel approach used to distribute the BazaLoader trojan involving an actual person answering phone calls, redirecting victims to a fake movie streaming service website. BazaLoader was first discovered by Proofpoint in April 2020 and is used by attackers to download other malicious payloads, including some Conti and Ryuk ransomware campaigns. 

The campaign described by Proofpoint begins with potential victims receiving phishing emails claiming to relate to trial periods for streaming services expiring soon. The streaming services are all fake, using names such as BravoMovies, UrbanCinema and BOMovie, among others. The body of the phishing emails states the target’s credit cards will be charged, soon, if the subscriptions are not canceled. To this point, it sounds like a  common phishing lure, which would usually include a malicious attachment, claiming to be an invoice, bill, or account statement, etc. which the victim would be enticed to open causing a download of a malicious payload. However, in this case, the phishing emails list a phone number and advise the victim to call a customer service number, where a customer service representative will assist them  

When a victim calls  the phone number, it is answered by a human, who talks them through opening the fake streaming service’s website. The agent helps them navigate to a FAQ page where they will find a link to the subscription page, which contains an option to cancel. At first glance, the websites created for these campaigns are a reasonable facsimile of legitimate streaming sites. However, on closer inspection, they appear to be created with a generic website creator, contain grammatical and spelling errors, and list fake movies. It can be assumed that victims don’t notice the fake information, grammatical errors, etc. because they are focused on avoiding the charges.  

If the user clicks the cancel button, an Excel binary file format document (XLSB) containing a malicious Excel 4.0 macro is downloaded. Common to many Bazar Loader campaigns, this malicious document is known as CampoLoader, named for the download URL. The use of Excel 4.0 macros for malicious purposes has been growing in popularity since around February 2020. These macros are a valid Excel feature, added to the product in 1992, and are used by attackers as an evasion method.  It is important to point out that they are more cumbersome to reverse engineer than more commonly used VBA macros. From a user’s perspective, it looks like any other malicious Excel file, showing an image, requesting the enable content option to be selected, which allows the malicious macro to run. If the macro can execute, it downloads and runs the actual Bazar Loader payload. 

This is not the first time the BazaLoader attackers have used this attack chain, since January 2021, there have been several campaigns using lures other than streaming services, such as fake floral, lingerie, pharmaceutical and anti-virus organizations. What’s interesting about this attack chain is the malicious CampoLoader XLSB file is directly downloaded from a website, as is the final Bazar Loader payload. This indicates the elaborate social engineering efforts – the call center and fake streaming service websites – are being used to obviate the need to attach a malicious document to the phishing email; and therefore, evade potential detection of malicious documents in email. It could be an example of attackers adapting to many additional employees still working from home due to the pandemic. Corporate email protections still apply to remote users, however, web browsing usually goes directly from the user’s laptop to the internet, through their home network.                                                                                  

How Does BazaLoader Propagate? 

The malware does not contain the necessary code to self-propagate. This campaign relies on significant social engineering techniques to convince the user to open a malicious XLSB file, resulting in the downloading and execution of the BazaLoader malware. 

When/How Did BluVector Detect It? 

The BazaLoader sample related to this campaign was tested and BluVector patented Machine Learning Engine (MLE) detected it. Regression testing has shown the sample would have been detected 79 months prior to its release. The malicious XLSB file was also detected by BluVector MLE. 


Example of a DarkSide ransomware ransom note

DarkSide Ransomware Variant Compromises Disk Partitions

A new DarkSide ransomware variant interrogates the disk drive on an infected system to locate all partitions present, mount additional partitions, and encrypt the files on them. This variant was used in an attack in April 2021. Researchers at found this capability is unique to all currently available ransomware. This example of ransomware-as-a-service (RaaS) shows attackers are adapting and making it easier for less skilled criminals to gain access to novel malware techniques.

What Is It?

Now infamous, due to the Colonial Pipeline attack, DarkSide ransomware was first seen on Russian underground forums in August of 2020; and operates on the ransomware-as-a-service (RaaS) model. RaaS allows other cyber criminals, likely less technically skilled individuals, to subscribe and gain access to ransomware for a fixed percentage of the ransoms paid by victims (usually around 30%). Configuration of the ransomware itself and monitoring of attacks is typically performed through a centralized GUI portal, lowering the technical skill required of subscribers. RaaS operators have borrowed terminology from legitimate Software as a Service and refer to their subscribers as “affiliates.”

Elliptic, a British blockchain analytics company, have reported that since October 2020, DarkSide received a little over $90 Million in bitcoin payments from 47 unique wallets. It appears that owing to the sliding scale of commission the DarkSide developers take, depending on the size of the ransom, that they received $15.5 million, while the affiliates kept a total of $74.7 million.

One of the advantages for affiliates, is access to updated variants of ransomware developed by the RaaS operator. One such new DarkSide variant is described in research recently released by Fortinet. Fortinet found a variant of DarkSide which utilizes a capability they believe to be unique to all currently available ransomware. That being, the ability to read disk partition information and potentially encrypt files, on additional disk partitions, within infected systems. We would like to highlight that this variant was not used in the Colonial Pipeline attack.

This new DarkSide variant interrogates the disk drive on an infected system to locate all the disk partitions present. It skips certain types of reserved system partitions and attempt to mount additional partitions and encrypt files on them; potentially leading to increased impact on multi-boot systems and those containing data partitions. We can assume, the authors believe the effort invested in researching, and coding this feature will, quite literally, pay-off for them.

The sample described by Fortinet was used in a known DarkSide attack against a victim in April 2021. When we executed the sample for analysis in a virtual machine, it was apparent the ransom note was not generic but unique to this specific attack. The ransom note lists how much data the attackers claim to have downloaded from the victim’s network and details the specifics data downloaded. The attackers offer to provide evidence of exfiltrated data and claim that upon payment of the ransom, all stolen data will be deleted. Exfiltration of sensitive data prior to executing the ransomware is now a common tactic, used by attackers as additional incentive for victims to pay the ransom, or risk having their sensitive data publicly released. The attackers also guarantee to their victim, their decryption capabilities will decrypt all files -  going as far as offering support in the event there are issues on the back-end of the ransom payment being made. DarkSide’s intent is to make the entire process of paying the ransom, and decrypting files, as easy as possible. It can be assumed the criminals also want to reduce a victim’s motivation to recover files via backups. The filename for the ransom notes we analyzed contains an eight-character hexadecimal string, “c177efc0”, which is also used as the file extension for encrypted files. In the case of RaaS malware, this string is either the affiliate’s ID or a unique ID to identify the campaign or specific target.

Example of a DarkSide ransomware ransom note
Example of a DarkSide ransom note from the April 2021 sample BluVector analyzed.

How Does DarkSide Propagate?

The malware does not contain the necessary code to self-propagate. However, this DarkSide ransomware variant is capable of encrypting files on alternate disk partitions and network shares. As with most ransomware, initial attack vectors utilized by DarkSide ransomware attacks are often poorly secured internet facing servers, exploitation of unpatched software vulnerabilities and spear phishing emails.

When/How Did BluVector Detect It?

One sample of DarkSide partition encrypting ransomware is publicly available and BluVector’s patented Machine Learning Engine (MLE) detected it. Regression testing has shown the sample would have been detected 88 months prior to its release.

Additionally, 27 other recent DarkSide ransomware samples, 24 Windows executables and 3 Linux executables, were also regression tested. All 27 were detected by BluVector’s patented Machine Learning Engine (MLE) and would have been detected an average of 75 months prior to their release.

 


FIN7 APT Group's Lizar Backdoor Claims To Be An Ethical Hacking Tool

The FIN7 APT group, based in Eastern Europe, is alleged to be responsible for payment card breaches involving well-known brands Chipotle, Chili’s, Arby’s and Red Robin. FIN7 exploits financial institutions and payment terminals. Specifically, they target restaurants, gambling, and hospitality-oriented entertainment venues. The estimated value of the attacks is $900 million. Researchers believe FIN7 APT group is distributing Lizar malware, claimed to be an ethical hacking tool.

What Is It?

The FIN7 APT has been successful utilizing its Cabana RAT (Remote Access Trojan) to compromise various financial institutions and payment terminals. In April 2021, a senior member of FIN7, a Ukrainian national, was sentenced to 10 years in prison.

FIN7 has previously utilized a front company, Combi Security, to appear reputable. The company allegedly had offices in Moscow and Haifa, Israel; and advertised for penetration testers to recruit for seemingly legitimate roles. One job advertisement on a Ukrainian job board stated that Combi Security had 21-80 employees, and that the company was "one of the leading international companies in the field of information security". It is conceivable that some of the ethical hackers hired by Combi Security believed their roles and their assignments were genuine.

Research published by BI.ZONE suggests that FIN7 have returned to their previous modius operandi, by distributing Lizar. Lizar claims to be a genuine ethical hacking tool for Microsoft Windows networks, but is in-fact the latest evolution of their backdoor. Researchers believe FIN7 is still hiring individuals who are likely not aware the tool is malware; and that they are employed by a cyber-criminal enterprise.

The Lizar backdoor toolkit has been observed in the wild since late February 2021, mainly associated with infected systems across the United States, though victims have also been seen in Germany and Panama. Organizations infected include educational institutions and pharmaceutical, gambling and finance companies. Lizar is believed to be under active development, and more attacks utilizing this malware are anticipated.

Conceptually, the Lizar backdoor toolkit is similar to Carbanak and uses a modular architecture. The modular approach allows for ease of development and addition of new functionality. The main components are a loader and a series of plugins, which together operate as a malicious bot. The functions of the plugins include loading existing tools such as Mimikatz or Carbanak itself to take screenshots and exfiltrate various sensitive information and credentials. Communication between the backdoor and server is encrypted, the encryption key is specified in the configuration and must match the key on the server, otherwise the communication is ignored.  

How Does FIN7 Propagate Lizar?

The malware does not contain the necessary code to self-propagate. Lizar claims to be an ethical hacking tool for Windows networks, in an effort to have it deployed on target networks.

When/How Did BluVector Detect It?

Sixteen samples related to Lizar are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average 64 months prior to their release.


If you can't beat 'em, try a new language: New Buer Loader Variant RustyBuer is written in Rust

As a recent  Threat Report discussed, attackers are using novel programming languages in an attempt to evade detection. In this earlier case, researchers at Proofpoint  found NimzaLoader malware that utilizes Nim, a relatively new and obscure programming language. Recently, they found a new example of attackers attempting to evade detection, using Rust to develop a variant of Buer Loader, RustyBuer.

What Is RustyBuer?

In a new report, Proofpoint researchers have discovered a new variant of the Buer Loader downloader, written in the Rust language, which they have dubbed RustyBuer. Though Rust is significantly more common than Nim, with the first stable version being released in May 2015, it has not often been used to author malware.

The Buer Loader downloader was first released in late August 2019 and is often used by malware-as-a-service operators to download various trojans and ransomware. Buer was originally written in venerable programming language C. Due to the effort required, it is an uncommon step to see an existing malware variant completely rewritten in another language. We can assume the authors  believed the investment in this effort would be rewarded by improved detection evasion, rather than take this as a sign that Rust programming is becoming trendy.

The phishing campaigns delivering RustyBuer began in early April 2021 and were wide ranging, targeting over 200 organizations covering 50 industry verticals. These campaigns mainly used lures relating to DHL parcel deliveries; and included Microsoft Excel or Word documents containing malicious macros which dropped the RustyBuer malware. There were similar campaigns distributing the original C based Buer, however researchers found the social engineering components of the RustyBuer campaigns were more convincing, with an improved likelihood of succeeding. Once executed, RustyBuer uses a Windows shortcut file to ensure it will always be run at startup.

RustyBuer’s purpose is to compromise a host, obtain persistence and download additional malicious payloads. In some cases, these campaigns resulted in the downloading of a Cobalt Strike Beacon. As we have mentioned in previous Threat Reports, while Cobalt Strike is a legitimate tool used for penetration testing, it is frequently leveraged by attackers to create a backdoor on an infected system. Interestingly, it was found that some campaigns did not result in an additional payload. This suggests that in some cases, the operators may be using RustyBuer as an access-as-a-service offering, selling their foothold on infected systems to other malicious actors.

If malware authors see improved detection evasion by using new or less common programming languages to write or rewrite new malware variants, we will see this trend continue. Malicious actors will continue to adapt and change, if their efforts deliver value;  generating additional revenue. They will continue to employ this tactic, until it becomes necessary to alter their tactics once again.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The campaigns related to RustyBuer utilized phishing emails with Office document attachments, containing malicious macros, which dropped the RustyBuer malware.

When/How Did BluVector Detect It?

One sample of RustyBuer referenced by Proofpoint’s researchers is publicly available and BluVector’s patented Machine Learning Engine (MLE) detected it. Regression testing has shown the sample would have been detected 36 months prior to its release.


NimzaLoader uses obscure Nim language to avoid legacy detections

Researchers at Proofpoint recently described an obscure malware named NimzaLoader and Walmart’s internal security team recently described similar malware named Nimar Loader

Proofpoint describes the use of NimzaLoader as an initial backdoor, installed onto victim’s systems via a highly targeted spear phishing campaign by a group they refer to as TA800, who were previously linked to Bazaloader.

What Is It?

The concept of security by obscurity is an interesting one. It was once used somewhat derisively, or as an in-joke, by experienced security professionals to describe the security posture of a product or service which uses secrecy rather than other types of controls to secure itself. However, in the increasingly commoditized and profit driven world of cyber-attacks, it can be become a truism. If a product, operating system or platform attracts only a fraction of market share, then from an attacker’s point of view it may not make sense, from a return on time and effort basis to attack that entity.

From a defender’s point of view, security by obscurity is essentially no security at all and fraught with risk, it is obviously no substitute for actual security measures. However, from an attacker’s position, security by obscurity can sometimes be used to their advantage, especially if their goal is to evade detection by legacy signature-based detection tools. These tools require signatures be created and distributed to provide detection of threats, so if a new threat is sufficiently different to existing threats, it will not be detected.

The malware is written in the relatively new and obscure programming language, Nim. Only two other malware variants written in Nim have previously been observed, both from the Russian APT group Zebrocy, also known as APT28, one in April 2019 and one September 2020. In addition to evading signature detections, using an obscure language will also make automated detection by sandboxes and even by human analysts less likely. It also makes reverse engineering of a sample slower and potentially more difficult. 

The attack chain begins with phishing emails that use information such as the user’s name, organization’s name, or both in the body of the email in an attempt to make it appear more credible. The emails contain links which purport to be a downloadable PDF, but actually result in download and execution of the NimzaLoader malware.

Once installed, NimzaLoader contacts it’s C2 (command and control) site to receive instructions, it’s primary function is to download and execute further malware. It appears NimzaLoader may have been used to execute a Powershell command resulting in a Cobalt Strike beacon being installed. At this time, NimzaLoader’s C2 sites are no longer up, and a hardcoded expiration date has passed, indicating the attackers may still be developing this malware and this campaign was a limited scope test.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The initial attack vector is the use of spear phishing emails.

When/How Did BluVector Detect It?

The NimzaLoader sample related to this campaign is publicly available and BluVector’s patented Machine Learning Engine (MLE) detected it. Regression testing has shown the sample would have been detected 35 months prior to its release.


Lazarus APT uses an embedded image to conceal a RAT payload

What Is It?

A malware infection chain is the sequence of events which must occur for a malware payload to be successfully executed on an endpoint. From an attacker’s point of view, the object is to evade all detection mechanisms attempting to stop an endpoint becoming compromised and infected. From the defender’s perspective, while it is advantageous to be able to detect each step of an infection chain, as long as the infection chain can be disrupted at any point before the execution of the malicious payload on the endpoint, then the threat is mitigated.

A great deal of effort continues to be expended in moving beyond legacy, signature-based detection tools on endpoints and improving detection efficacy. As such, attackers often direct the bulk of their time and energy to evolving techniques to evade endpoint detection. However, sometimes attackers neglect to consider the entire infection chain in their zeal to utilize innovative evasion techniques on the endpoint.

One such example was recently described by researchers from MalwareBytes targeting users in South Korea. They have attributed the campaign to the North Korean Lazarus APT group. The infection chain utilizes a multi-step process to extract, decrypt and execute a malicious payload from a Microsoft Word document. It includes a novel technique using a JavaScript in a HTA file, embedded in a BMP image, that itself is stored in a PNG image file, to drop the malicious payload. The intention of course being to evade detection on the endpoint.

However, the initial component of the infection chain is a Microsoft Word document containing a malicious macro. This technique is decidedly lacking in innovation and is one which likely has a relatively high probability of detection. (Though at the time of writing, VirusTotal detection for this sample was only 29/60.) This technique also relies on successfully socially engineering the recipient to allow macros to execute, assuming it is not detected before reaching the user’s inbox. The document purports to be an application form for participation in a fair in a South Korean city, and the filename translates to “Application form.doc”.

If the user permits the macro to execute, it saves the Word document out in HTML format, which also saves all the document’s images out as files. It then reads in one of the PNG image files and uses a built-in function to convert it to a BMP image file. The attacker does this because PNG image files are compressed and BMP files are not, and the PNG file contains a compressed HTA fie that is decompressed when the file is saved as a BMP. It is a clever technique to bypass detection of embedded objects on the endpoint. The HTA file is executed, which results in the JavaScript it contains running to create and execute the malicious RAT (Remote Access Trojan) executable.

While utilizing a clever technique to evade detection of the malicious payload on the endpoint, the basic approach of a malicious Word document attached to a phishing email creates a high probability the effort in developing this new technique will be rendered moot by detection higher up in the infection chain.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The initial infection vector is a Microsoft Word document containing a malicious macro.

When/How Did BluVector Detect It?

Two samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected both. The first of these is the malicious Microsoft Word document at the beginning of the infection chain. This sample would have been detected 84 months, or a full 7 years, prior to its release as part of this campaign. The second sample is the malicious executable, which although it is decrypted and extracted on the endpoint, could potentially be seen if it was copied over the network, possibly by a simple backup. This sample would have been detected 52 months prior to its release, giving an average detection across both files of 68 months.


DearCry: Exchange Server Vulnerability Exploitation With A Side Of Ransomware

A couple of weeks ago, Microsoft released details of critical 0-day vulnerabilities in on-premises deployments of Microsoft Exchange Server, which were being actively exploited in limited and targeted attacks. These initial attacks were attributed to a Chinese based; state sponsored group known as HAFNIUM. Further investigation suggested potentially tens of thousands of victims. According to Microsoft, these targeted attacks enabled access to email accounts hosted by the server and allowed for the installation of malware (including ransomware.) Microsoft urged customers to quickly patch affected systems.

 

What Is It?

As is usually the case, the technical details of the vulnerabilities and how to exploit them were not publicly released. However, once vulnerabilities are publicly announced and patches made available, both security researchers and attackers compare the vulnerable Exchange Server files with the patched versions and reverse engineer specific ways to exploit the vulnerabilities. This occurs with any high severity vulnerability, however, given the product impacted in this case and the attack surface this provides, the time between when patches are released, and the rush to exploit the vulnerabilities occurs is shortened significantly. This is a primary reason why prompt patching is always imperative.

 

For some insight into the potential scope of exploitation, despite the fact Microsoft initially referred to limited and targeted attacks, cyber intelligence group Shadowserver have stated that up to 68,500 servers may have been compromised prior to the patches being released. Approximately a week later, Shadowserver found over 64,000 distinct IP addresses were still vulnerable. One of Shadowserver’s partner organizations found approximately 20% of the 250,000 servers they scanned were still vulnerable.

 

Statistics like that would likely make attackers salivate at thought of the profit from the smorgasbord of potential victims to choose from. Therefore, it’s no surprise that ransomware operators are making use of the vulnerable systems to deploy ransomware.

 

One novel piece of ransomware observed using this attack vector is called DEARCRY, also known as DoejoCrypt. Insight from McAfee Cyber Investigations shows DEARCRY victims in Germany, Luxembourg, Indonesia, India, Ireland and the US. The ransomware adds DEARCRY! to the beginning of each encrypted file and uses genuine cryptography, making decryption impossible without payment of the ransom. It also adds .CRYPT to the end of all encrypted files. The attackers provide victims two emails to contact them, with one victim known to have been told to pay a $16,000 ransom.

 

Once again, attackers have shown a motivation and capability to very quickly make use of new high-profile vulnerabilities to install malware, including ransomware. Vulnerabilities such as these allow ransomware operators to easily and directly install ransomware, without the need for the usually reliable social engineering methods they tend to rely on.

 

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The initial attack vector, exploitation of the Microsoft Exchange Server ProxyLogon vulnerability, is discussed in detail above.

 

When/How Did BluVector Detect It?

Four samples related to this campaign are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have all been detected 7 months prior to their release.


A Cautionary Tale: North Korean Campaign Targets Security Researchers

A new campaign targeting security researchers began in late 2020. Specifically aimed at researchers specializing in analyzing and investigating vulnerabilities, the attackers pose as legitimate security researchers and share a sample of an exploit that contains a malicious custom backdoor with the intent of exfiltrating information about undisclosed vulnerabilities. The Google Threat Analysis Group (TAG) have attributed this campaign to a state sponsored North Korean entity. The entity may be affiliated with the Lazarus Group APT. A user who went by the handle Br0vvnn on now-suspended Twitter and Github accounts and the security blog, Br0vvnn[.]io are a known vector in the campaign according to Google.

It’s easy to say security researchers should know better, but attackers of all levels use social engineering in most attack chains at some point for the simple reason that it works – over and over. This campaign is a blunt reminder that vigilance is required at all times by everyone, regardless of training, experience or role in the organization. This is especially true in times of intense workloads and external stress factors, such as those created by the pandemic.

What Is It?

This social engineering campaign targets security researchers specializing in analyzing and investigating vulnerabilities to deliver and install a custom malicious backdoor.

The actors behind this campaign appear to take advantage of some key characteristics of the security research community.  Security researchers:

  • Often collaborate with peers, frequently building on exploit discoveries made by others in the field
  • Have diverse backgrounds, skills, and levels of situational awareness. There are highly experienced and well-trained professional researchers, those new to the industry and amateur hobbyists - who may perform research merely for the challenge or in hopes of making it a full-time career
  • Are geographically dispersed and even pre-COVID, most interactions outside of conferences were via email, social media, forums and other electronic forms of communication.

Credibility is the currency of the security industry. Through training and hard earned, real world experience, security professionals learn to be paranoid, but they can still be vulnerable.

In this campaign, the actors seek to establish their credibility as legitimate security researchers by creating a number of Twitter and LinkedIn accounts and a research blog. They also post videos of alleged exploits they discovered and cross post links from their various accounts, trying to add veracity to the posts. Their blog contains vulnerability analysis of public exploits and posts copied from legitimate researchers, again all intended to make them appear to be genuine peers of the researchers they target.

The campaign begins by attempting to make contact with researchers via Twitter or LinkedIn direct messages. The Cisco threat intelligence team (Talos) have detailed an exchange with one of their researchers who was contacted in this campaign. After initial pleasantries, the actor asked if they researched vulnerabilities and if not, did they know someone who did. When the Talos researchers advised they did not, the attacker politely ended the conversation.

The founder of Hyperion Gray, Alejandro Caceres, described how he was taken in by the campaign. A broker of vulnerabilities he had previously dealt with and trusted introduced him to a new researcher in a three-way group chat. This new researcher, “James Willy”, sent a Visual Studio project he stated demonstrated a new zero-day vulnerability. Because he was introduced to James by a known associate, Caceres reviewed the code and executed it, which did in fact appear to be a genuine, if somewhat basic, zero-day. Unknown to Caceres, the Visual Studio project contained an additional DLL file which was executed by compiling the Visual Studio project. This DLL file is a malicious custom backdoor. The attacker’s intent appears to be to gain access to researchers’ systems to potentially obtain any research and exploits for as yet undisclosed vulnerabilities.

A review of the code of the malicious DLL shows that it is not particularly sophisticated. For example, the file properties show the file claims to be a legitimate Microsoft Windows component, which is a very basic attempt at obfuscation. In this campaign the actors put their effort into creating a social engineering driven infection vector, delivering a relatively unsophisticated malicious payload.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The initial attack vector, based around social engineering, is discussed in detail above.

When/How Did BluVector Detect It?

Five samples related to this campaign are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 58 months prior to their release.


MuddyWater APT Uses GitHub and Imgur to Deploy Cobalt Strike Beacon

Just after Christmas (December 25), a security researcher going by the Twitter handle of @Arkbird_SOLG, posted details of what appears to be an attack chain that began with a malicious Word document. Since then, Arkbird and multiple subsequent researchers have attributed this attack to the MuddyWater APT (Advanced Persistent Threat) group.

MuddyWater activity was first discovered in 2017, primarily targeting entities involved in oil, telecommunications and government in Middle Eastern nations as well as some European and North American countries. MuddyWater is believed to be Iran-based, state-sponsored and is also known as SeedWorm and TEMP.Zagros.

What Is It?

The attack chain begins with a Microsoft Word document containing a malicious macro. The document utilizes the oft used social engineering technique of claiming that the embedded file was “edited in a different version of Microsoft Word” and “To load the document, please Enable Content.” If a recipient is convinced to “Enable Content,” the embedded macro executes a PowerShell script in a hidden window. This script then downloads and executes another PowerShell script hosted on a Github account. At the time of writing, this hosted PowerShell script is only detected by one of the sixty products on VirusTotal.

Once executed, the PowerShell script then downloads what appears to be a harmless Portable Network Graphic (PNG) image file with four icons. However, the script utilizes a process known as steganography to perform calculations on the pixel values of the image file to extract code for the final payload, a Cobalt Strike beacon script. While Cobalt Strike is a legitimate tool used for penetration testing and often leveraged by attackers, a Cobalt Strike beacon creates a system backdoor.

There is one more trick in this attack chain. Once decoded, the shellcode contained in the Cobalt Strike payload contains an European Institute for Computer Antivirus Research (EICAR) test string. This specific string is used to test whether signature-based malware detection tools are functioning correctly. In the MuddyWater APT attack the intent is to make it appear to signature-based detection tools and the SOC teams reviewing the alerts generated by such tools that the payload is for testing and not malicious. This technique is not unique, but it is not frequently used. The timing of this attack during a holiday and vacation season suggests the attackers are attempting to capitalize on reduced SOC and higher-level security team’s capacity so that their payload might be dismissed as an EICAR test.

The combined use of the techniques described above is consistent with evidence that an APT group perpetrated this attack.

How Does It Propagate?

This malware does not contain the necessary code to self-propagate. The initial attack vector observed in these attacks is malicious Word document attachments containing macros.

When/How Did BluVector Detect It?

Two malicious Word document samples and the PowerShell script downloaded from GitHub are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the Word document samples would have both been detected 82 months prior to their release. The PowerShell script downloaded from GitHub, which at the time of writing is only detected by one of the sixty products on VirusTotal, would have been detected by BluVector 15 months prior to its release.


SystemBC RAT Used as Ransomware Backdoor

In recent months, Sophos’ incident response team has observed the use of the commoditized SystemBC RAT (Remote Access Tool) in Ryuk and Egregor ransomware attacks. In these attacks, SystemBC is used as a backdoor on systems to move laterally through a victim’s network, allowing it to exfiltrate data and to deploy malicious payloads (including ransomware.)

What Is It?

The Ryuk and Egregor attacks described by Sophos begin with the use of one of several malicious droppers, delivered by spam emails. These are then utilized to deliver Cobalt Strike and SystemBC malware for lateral movement through the victim network. SystemBC is then used to perform data exfiltration and as a delivery mechanism to deploy the ransomware payload. To this point, the attackers have been inside the victim network for up to weeks. When they are satisfied with they have exfiltrated data and compromised enough systems, the previously deployed ransomware is activated to encrypt systems and file servers.

As a RAT, SystemBC comes with all the normally expected functionality. When executed, it reports back to the attacker via the C2 channel: the active Windows username, Windows build number, volume serial number and whether the system is 32-bit or 64-bit. It can execute a variety of different file types sent to it via C2, including executables, DLLs, shellcode, Visual Basic scripts, Windows commands, Windows batch files and PowerShell scripts. Executed malicious code can then use the Tor proxy to communicate with attackers and exfiltrate data.

The use of SystemBC is another example of threat attackers choosing the efficiency of using existing malicious tools as a component of their attack chain – why reinvent the wheel when a suitable tool already exists? This allows them to focus time and effort on their own malware and ransomware in the incidents described here.

The SystemBC RAT was first detailed by researchers from Proofpoint in August 2019, where they saw it been used in conjunction with Fallout and RIG exploit kits. Initial versions are believed to have been sold on Russian dark web marketplaces and created data-handling SOCKS5 proxies on infected systems. These proxies were used to evade detection of C2 traffic by firewalls and other detection mechanisms and to obfuscate the addresses of the C2 sites. Subsequent versions of SystemBC have replaced the use of SOCKS5 proxies with Tor.

How Does It Propagate?

The SystemBC RAT malware does not contain the necessary code to self-propagate. The initial attack vector observed in these attacks is spam with malicious Buer Loader, QBot, Bazar Loader or ZLoader attachments/links.

When/How Did BluVector Detect It?

Four SystemBC samples related to these attacks are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 81 months prior to their release.