  • Cisco Talos has observed a new malware campaign delivering commodity RATs, including njRAT and AsyncRAT.
  • The campaign targets travel and hospitality organizations in Latin America.
  • Techniques utilized in this campaign bear a resemblance to those of the Aggah group but are operated by a distinct threat actor based out of Brazil.
  • We've also discovered a builder/crypter known as "Crypter 3losh rat" used to generate various stages of the highly modularized infection chain used by the campaign operators.
  • We've also seen instances where the crypter author has operated their own malicious campaigns abusing archive[.]org.

We also discovered a .NET-based infection chain builder/crypter binary used to generate the malicious infection artifacts used in recent campaigns, including the ones targeting Latin America. Such builders indicate the author's intent to bundle malware generation functionalities for easy distribution and use by operators, customers and affiliates.

We've also observed some resemblance to the tactics and techniques used by a known crimeware actor "Aggah," especially the final payload delivery stages. Aggah has traditionally utilized highly modular infection chains with a focus on hosting malicious payloads on public repositories such as Pastebin, Web Archive and Blogger.

How did it work? The campaigns targeting Latin American countries consist of macro-enabled Office documents that act as the entry points into the infection. What follows is a modular chain of PowerShell and VB scripts, all working towards disabling anti-virus protection features such as AMSI and eventually delivering the RAT payloads.

We've also observed some Aggah campaigns using similar infection chains including scripts and similar commodity malware. However, unlike Aggah, the operators working the Latin American campaigns tend to use either compromised or attacker-controlled websites to host their components and payloads instead of using public hosting services such as Blogger, Pastebin and Web Archive.

The infection chains used in these campaigns are built using a .NET-based crypter called "3losh crypter rat" [SIC]. This crypter has been actively advertised on social media by the authors and used to generate infection chains for campaigns operated by the crypter's authors themselves.

So what? It is important for defenders to identify distinct adversaries and their tactics. The usage of crypters makes it difficult to do so since completely disjointed actors can now generate identical infection chains for unrelated campaigns. Our research uncovers one such scenario where there are three distinct campaigns identified using the 3losh crypter: the Latin American campaigns, the Aggah campaigns and those operated by the crypter authors.

All these campaigns however, aim to distribute commodity RAT families. Commodity malware families are increasingly being used by both crimeware and APT groups to infect their targets. RATs in particular are extremely popular since they provide a wide range of functionalities to their operators to take advantage of the infected systems. These functionalities can be used for malicious activities such as:

  • Performing preliminary reconnaissance to scope out victim networks and infrastructure.
  • Deploying more malware such as ransomware and wipers to disrupt enterprise operations.
  • Executing arbitrary commands.
  • Exfiltrating confidential and proprietary information from enterprises.
  • Stealing credentials, opening up more systems and services to unauthorized access.

Facebook image advertising the infection builder.
Their YouTube page shows several videos that explain how to use similar builders to bypass several commercial anti-virus products.

The crypter author's YouTube page.
We discovered an email address of the crypter author inside one of these videos. Pivoting off this email, we found a huge number of payloads hosted at archive[.]org.

YouTube video still from the crypter's author displaying their email ID.
This leads us to conclude that, in some cases, the actor is the developer and operator — there are also plenty of videos on Instagram and YouTube where the developer demonstrates that they have compromised several websites.

On the Web Archive, the actor uses two different usernames: 3losh-rat and alo0ch0011. During our research, the payloads were removed from the archive for breaching the site's terms and conditions. However, we were still able to list them from the cached copies. Most of these payloads had several stages, finally delivering njRAT.

Crypter author hosting malicious artifacts on archive[.]org.

The current campaign

To begin with, one of the most prolific domains owned and operated by the threat actors (updatewin32[.]xyz) was registered in Brazil.

Whois record for domain updatewin32[.]xyz.
Talos discovered several maldocs predominantly named in Portuguese. One such malicious document was called "Documento.doc" (Portuguese for "document"). Looking at the files that make up the document, there are two files called "AquiTaLimpo," one with the ".xml" extension and another with the ".xml.rels" extension. "AquiTaLimpo" is Portuguese slang for "here is clean."

Constituent files in the open XML-based maldoc.
The embedded XLSM files had VBA macro code that would download the main payload. The macro name is "EstaPastaDeTrabalho," as can be seen in the screenshot below, which roughly translates to "this work folder" — again translated from Portuguese.

Portuguese stream and macro names used in the maldocs.
Additional metadata indicates that the "creator" and "last modified by" tags of the maldoc are also written in Portuguese, as can be seen below. These findings indicate that the actor's operating environment, and particularly the systems used to generate the maldocs, are set to the Portuguese language.

Maldoc metadata showing the creator and "last modified by" party names in Portuguese.
The creator is a common Portuguese-language name; however, the "last modified by" tag can be translated to "Knight from Troy," implying a trojan. The same name appears in the properties of the XLSM files.

Malware authors and campaign operators will frequently submit their payloads to public detection systems such as VirusTotal to check the efficacy of anti-virus products against their malware. This is a practice seen frequently across many crimeware groups.

The Brazilian threat actor used this practice to submit test files with Portuguese names to VirusTotal in June and July 2021 — all files submitted from Brazil. These files are named "Exploit pronto para envio.rar," which translates to "exploit ready to be sent."

Early versions of the test maldocs were true test copies that simply executed calc.exe. At the time of writing, there were approximately 11 files submitted with slight differences, all submitted from the same Brazilian origin around the same time.

Preliminary versions of the test maldocs executing calc.exe.
The actors' ongoing test files embed the same file names, author name, malicious domains and URLs as those used in the Latin American campaign.

A quick look at the metadata of these test files also confirms the usage of Brazilian Portuguese to build the test maldocs.

Brazilian Portuguese language code in the test maldocs.
As we said above, the crypter author advertises the crypter on social networks like Facebook, Instagram or YouTube. We've found Portuguese-speaking users either praising the crypter or asking for it.

As described in subsequent sections, the text of the email is in near-perfect Brazilian Portuguese. The Visual Basic for Applications (VBA) code in the PPAM file attached to the email shows that it was written on a Portuguese-language Office installation, since the VBA module is called "Módulo1," which is Portuguese for "Module1."

The countries targeted by this set of attacks are primarily based in Latin America:

Targeted countries.
The campaign uses maldocs posing as something as inconspicuous as reservation dates for hotels.

A good example of a maldoc's file name is "Fechas informativas para reservar Amérian Portal del Iguazú," which roughly translates to "Informative dates to reserve Amérian Portal del Iguazú" ("Amérian Portal del Iguazú" is a hotel in Argentina). It is worth noting that the content of the email is in near-perfect Brazilian Portuguese.

These campaigns focusing on Latin American countries usually use malspam as the means to deliver the malicious macro-enabled document to their victims.

An example of a malspam email delivering a PPAM maldoc as early as Jan. 19, 2021.

Infection chain
Some of the Word documents discovered for this campaign use a chain of relationship definitions to load embedded XLSM files, which contain the actual VBA code that will download the payloads.

Additional malicious XLSM files loaded during runtime.
The maldocs are Office Open XML documents consisting of two key relationship definition files - the main one called "AquiTaLimpo.xml.rels," and another one called "comments.xml.rels," which will load the embedded XLSM files which contain the VBA code.

Malicious relationship file linking to the embedded XLSM files.
When the Word document is opened, Excel is also launched to open the XLSM files embedded in the document, and the macro runs to download the payloads.
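The relationship chain described above can be triaged without opening the document in Office. The following added example (not Talos code) builds a constructed, in-memory Office Open XML archive that mirrors the layout described here, then walks every `.rels` part and reports relationships whose target is a macro-enabled part or an external resource; the part names, relationship IDs and the `example.invalid` URL are constructed sample values.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFDOC = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MACRO_EXTS = (".xlsm", ".xlam", ".ppam", ".docm", ".pptm", ".dotm")

def build_sample_doc() -> bytes:
    """Constructed sample archive (not a real maldoc): a main part whose
    .rels chain reaches an embedded XLSM and one external OLE target."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/AquiTaLimpo.xml", "<w:document/>")
        z.writestr("word/_rels/AquiTaLimpo.xml.rels",
                   f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" '
                   f'Type="{OFFDOC}comments" Target="comments.xml"/></Relationships>')
        z.writestr("word/_rels/comments.xml.rels",
                   f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId2" '
                   f'Type="{OFFDOC}package" Target="embeddings/oleObject1.xlsm"/>'
                   f'<Relationship Id="rId3" Type="{OFFDOC}oleObject" '
                   f'Target="http://example.invalid/stage" TargetMode="External"/>'
                   '</Relationships>')
        z.writestr("word/embeddings/oleObject1.xlsm", b"PK")  # placeholder bytes
    return buf.getvalue()

def suspicious_relationships(doc: bytes) -> list:
    """Walk every .rels part and report targets that are macro-enabled parts or
    external (remote) resources other than plain hyperlinks, with the declaring part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                rtype = rel.get("Type", "")
                if rel.get("TargetMode") == "External" and not rtype.endswith("/hyperlink"):
                    reason = "external target"
                elif target.lower().endswith(MACRO_EXTS):
                    reason = "macro-enabled part"
                else:
                    continue
                findings.append({"part": name, "id": rel.get("Id"),
                                 "target": target, "reason": reason})
    return findings
```

Run it against a real sample by passing the file's bytes to `suspicious_relationships`; each finding names the `.rels` part that declared the relationship, which is what links a benign-looking main part to the embedded XLSM.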

We also discovered a variety of maldocs that are macro-enabled add-in files, such as PPAM and XLAM, serving as entry points of the infection chain. PPAM files are add-in files used by Microsoft PowerPoint to add functionality such as custom macros, tools and commands. Finally, the infection chain drops a popular RAT, either njRAT or AsyncRAT.

The earliest infection chain discovered contains a macro that downloads and executes a remote HTA file from an attacker-controlled location.

Malicious macro in the PPAM.

Stage 1A: Malicious HTA
The malicious HTA is simply an escaped JavaScript snippet that, in turn, executes a VBScript (embedded in an HTA) to download and execute the next stage (Stage #2 PowerShell script) of the infection chain.

Stage #1A malicious HTA containing escaped JavaScript code.

Un-escaped VB code used to download and execute Stage 2 on the endpoint.

Stage 2: PS1 Script
The PowerShell script executed on the endpoint is the de facto orchestrator of the infection chain.

This script performs the following actions on the endpoint:

  1. Change the current user's Startup folder to the one specified in the script by modifying the registry values:
    HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | Startup = <custom_directory>
    HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Startup = <custom_directory>
    <custom_directory> = Directory created by the malicious ps1 script.

  2. Create a custom VBS (Stage #2A) in this modified Startup directory to execute a downloaded PowerShell (ps1) script (Stage #3, e.g. "msi.ps1") across reboots.

VBScript created in a custom Startup folder to run a ps1 downloaded subsequently.

  3. The script then checks for the presence of five anti-virus products on the endpoint. Based on the AV found, it downloads a specific version of the ps1 specified in the previous step (Step 2 and Stage 3 — msi.ps1 above) and executes the VB script created in Stage 2A.

AV product-based Stage 4 script download and execution.
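The Startup-folder redirection in Step 1 leaves a durable artifact that a defender can check: both Explorer `Shell Folders` values for `Startup` should still resolve to the default per-user Startup path. The following added example (not Talos code) compares both registry values against that default and lists script files in any redirected directory. The registry reading is Windows-only and separated out; the core check takes the values and environment as arguments, and the `ana` user, the `winupd` directory and the `msi.vbs` name in its test are constructed sample values.

```python
import ntpath
import os
import sys

DEFAULT_STARTUP = r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
SCRIPT_EXTS = (".vbs", ".vbe", ".ps1", ".js", ".jse", ".hta", ".bat", ".cmd", ".lnk")
EXPLORER_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer"

def expand(path: str, env: dict) -> str:
    """Expand %VAR% references from the given environment and normalize the
    path for comparison (Windows path rules, so this also runs off-Windows)."""
    out = path
    for name, value in env.items():
        out = out.replace(f"%{name}%", value)
    return ntpath.normpath(out).lower()

def assess_startup(values: dict, env: dict, listdir=os.listdir) -> dict:
    """values maps 'User Shell Folders' / 'Shell Folders' to their Startup data.
    listdir is injectable so the check can be exercised against a fake directory."""
    expected = expand(DEFAULT_STARTUP, env)
    result = {"redirected": False, "paths": {}, "scripts": set()}
    for key, raw in values.items():
        actual = expand(raw, env)
        result["paths"][key] = actual
        if actual == expected:
            continue
        result["redirected"] = True
        try:
            entries = listdir(actual)
        except OSError:  # redirected directory missing or unreadable
            entries = []
        for entry in entries:
            if entry.lower().endswith(SCRIPT_EXTS):
                result["scripts"].add(ntpath.join(actual, entry))
    result["scripts"] = sorted(result["scripts"])
    return result

def read_live_values() -> dict:
    """Windows only: read the two Startup values from HKCU."""
    import winreg
    values = {}
    for sub in ("User Shell Folders", "Shell Folders"):
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, f"{EXPLORER_KEY}\\{sub}") as key:
            values[sub] = winreg.QueryValueEx(key, "Startup")[0]
    return values

if __name__ == "__main__" and sys.platform == "win32":
    print(assess_startup(read_live_values(), dict(os.environ)))
```

A clean machine reports `redirected: False`; a redirected Startup folder containing a `.vbs` matches the Stage #2A persistence described above and is worth collecting along with the script it launches.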