.docx, .xlsx, .xls, .doc, .ppt, .pptx, .pdf, .xlt, .xla, .xll, .pps, .pot
File enumeration via cmd.exe.
File infector Traditional file infectors usually target executables such as EXEs to infect targets with malicious code. Other script-based worms, such as Jenxcus, would replace the target-benign documents on a removable drive with malicious shortcuts to ensure the execution of their malicious hidden scripts.
This particular infector seen in these attacks, however, goes after Office documents, specifically .doc, .docx and .rtf files. The infector checks for the presence of removable, CD-ROM or Network drives attached to the endpoint to find either of the file extensions. Any files found are weaponized using an embedded RTF file to exploit CVE-2017-11882. The documents are basically reconstructed as a malicious RTF to consist of:
- A weaponized RTF exploiting CVE-2017-11882 to execute the Stage 1 PowerShell script.
- The benign copy of the target document (converted to RTF format).
- The malicious PS1 script (Stage 1) embedded in the final RTF's overlay after a specified marker.
DOCX infector code.
This is an interesting method of proliferation to ensure the spread of the infection within restricted networks. Infecting benign documents in an enterprise carries two advantages:
- Infecting existing files, especially documents, takes away the need to social engineer more victims into executing external infection vectors such as suspicious attachments or clicking on untrusted links to infect themselves.
- Infected files also carry with them the inherent trust of the original authors of the benign content, thus increasing the likelihood of victims infecting themselves.
Browser credential stealer The stealer tried to gather the login data for the following browsers:
Brave, Google Chrome, Opera, Opera GX, Microsoft Edge, YandexBrowser and Mozilla Firefox.
DcRAT DcRAT is a relatively new commodity RAT family observed in the wild in 2019. In the current campaigns, we've discovered multiple DcRAT payloads hosted on attacker-controlled websites. These payloads were then delivered to their victims during the infection phase of the campaign.
The DcRAT payloads have minimal changes to their configuration, with only the C2 server configuration modified.
DcRAT contains a variety of functionalities including remote shells, process management, file management and keylogging.
DcRAT features are listed by the malware author.
QuasarRAT Another highly prolific RAT family used by the threat actor is QuasarRAT. Quasar provides a plethora of functionalities, including the standard features such as remote shell, file management, arbitrary command execution and credential stealing.
We've also discovered versions of AndroRAT, another commodity Android RAT utilized by the attackers sharing the same C2 servers.
Downloader containing the encrypted PowerShell command.
The decrypted PowerShell command performs some rudimentary anti-virtual machine checks, downloads and opens a decoy image and the actual payload to the endpoint:
Malicious PowerShell command executed by the downloader.
Simple C#-based downloaders
These downloaders are straightforward in their implementation (C#-based) where, again, they download and open a decoy image and the actual malware payload. The difference here, however, is that the malware payload downloaded is double base64-encoded.
We've observed these downloaders deploying obfuscated copies of QuasarRAT to endpoints.
C#-based downloader downloading a double base64-encoded malware payload.
The source code compilers
During the reconnaissance phase, the attackers used loaders consisting of hardcoded source code that was compiled on the fly and invoked by the loader process. The hardcoded source code was that of the custom file enumerator and infectors.
The attackers utilized similar downloaders during their attack phase. These downloaders would, however, download the malicious source code from a remote location, compile it and execute in the downloader process' memory.
Source code downloaded and compiled on the fly.
The malicious source code is meant to base64 decode an embedded executable, drop it to disk, establish persistence for it and, finally, run it on the infected endpoint.
The binaries seen embedded in the source code were obfuscated copies of QuasarRAT.
Malicious source code downloaded from a remote location.
In some cases, we also observed the use of obfuscated loaders containing embedded RAT executables such as DcRAT. The loader would simply perform anti-analysis checks and drop the RAT to disk, set up persistence and execute it.
In other cases, the actors used C-based loaders to load and invoke the compiled C# file enumerator module in memory.
File enumerator and infector strings in loader process' memory.
This threat actor, A.R., uses a front company to procure infrastructure for operationalizing their crimeware campaign. This campaign uses a variety of political and government-related themes in their icons and decoys. The infection chains utilized by the actor are simple and consist of delivering commodity RATs such as dcRAT, Quasar and AndroRAT to their victims. Their use of custom downloaders for delivery, file enumerators for reconnaissance, and infectors to weaponize benign documents indicates attempts at aggressive proliferation. These tools also indicate that the threat actor is actively pursuing creating bespoke tools to shift away from commodity malware.
Commodity malware is extremely popular with malware operators these days. It allows the attackers to focus on operational aspects of their campaigns without having to put in effort into development of novel malware families. Coupled with small customized file infectors, generating straightforward infection chains enables an attacker to automate their proliferation efforts. Organizations should remain vigilant against such threats that are highly motivated to proliferate using automated mechanisms .
Ways our customers can detect and block this threat are listed below.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Snort SIDs detecting this threat are: 58356-58361.
Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click below:
The hash list is available here.
The network IOCs list is available here.