By Asheer Malhotra and Vitor Ventura, with contributions from Vanja Svajcer.
- Cisco Talos has observed a new malware campaign delivering commodity RATs, including njRAT and AsyncRAT.
- The campaign targets travel and hospitality organizations in Latin America.
- Techniques utilized in this campaign bear a resemblance to those of the Aggah group but are operated by a distinct threat actor based out of Brazil.
- We've also discovered a builder/crypter known as “Crypter 3losh rat” used to generate various stages of the highly modularized infection chain used by the campaign operators.
- We’ve also seen instances where the crypter author has operated their own malicious campaigns abusing archive[.]org.
Cisco Talos recently observed a new set of campaigns targeting Latin American countries. These campaigns use a multitude of infection components to deliver two widely used commodity remote access trojans (RATs): njRAT and AsyncRAT.
We also discovered a .NET-based infection chain builder/crypter binary used to generate the malicious infection artifacts used in recent campaigns, including the ones targeting Latin America. Such builders indicate the author’s intent to bundle malware generation functionalities for easy distribution and use by operators, customers and affiliates.
We’ve also observed some resemblance to the tactics and techniques used by a known crimeware actor “Aggah,” especially the final payload delivery stages. Aggah has traditionally utilized highly modular infection chains with a focus on hosting malicious payloads on public repositories such as Pastebin, Web Archive and Blogger.
How did it work?
The campaigns targeting Latin American countries consist of macro-enabled Office documents that act as the entry points into the infection. What follows is a modular chain of PowerShell and VB scripts, all working towards disabling anti-virus protection features such as AMSI and eventually delivering the RAT payloads.
We’ve also observed some Aggah campaigns using similar infection chains including scripts and similar commodity malware. However, unlike Aggah, the operators working the Latin American campaigns tend to use either compromised or attacker-controlled websites to host their components and payloads instead of using public hosting services such as Blogger, Pastebin and Web Archive.
The infection chains used in these campaigns are built using a .NET-based crypter called “3losh crypter rat” [SIC]. This crypter has been actively advertised on social media by the authors and used to generate infection chains for campaigns operated by the crypter’s authors themselves.
It is important for defenders to identify distinct adversaries and their tactics. The usage of crypters makes it difficult to do so since completely disjointed actors can now generate identical infection chains for unrelated campaigns. Our research uncovers one such scenario where there are three distinct campaigns identified using the 3losh crypter: the Latin American campaigns, the Aggah campaigns and those operated by the crypter authors.
All these campaigns, however, aim to distribute commodity RAT families. Commodity malware families are increasingly used by both crimeware and APT groups to infect their targets. RATs in particular are extremely popular because they give operators a wide range of functionality on infected systems, which can be used for malicious activities such as:
- Performing preliminary reconnaissance to scope out victim networks and infrastructure.
- Deploying more malware such as ransomware and wipers to disrupt enterprise operations.
- Executing arbitrary commands.
- Exfiltrating confidential and proprietary information from enterprises.
- Stealing credentials, opening up more systems and services to unauthorized access.
Dropper/Crypter developer threat actor
This threat actor uses the nickname “alosh.” We have found indications that they’ve been active since at least 2018. This actor is the developer of the “3losh crypter rat” crypter. They advertise services on Facebook and YouTube, where they keep several videos demonstrating the evasion capabilities of the 3losh crypter or 3losh RAT. Although we can't establish a direct link between the actor and the current campaign, there are several links between this actor and previous campaigns, making this actor both the developer of the crypter and the operator of some malware campaigns.
Facebook image advertising the infection builder.
Their YouTube page shows several videos that explain how to use similar builders to bypass several commercial anti-virus products.
The crypter author’s YouTube page.
We discovered an email address of the crypter author inside one of these videos. Pivoting off this email, we found a huge number of payloads hosted at archive[.]org.
YouTube video still from the crypter’s author displaying their email ID.
This leads us to conclude that, in some cases, the actor is the developer and operator — there are also plenty of videos on Instagram and YouTube where the developer demonstrates that they have compromised several websites.
On the Web Archive, the actor uses two different usernames: 3losh-rat and alo0ch0011. During our research, the payloads were removed from the archive for breach of its terms and conditions. However, we were still able to list them from cached copies. Most of these payloads had several stages, finally delivering njRAT.
Crypter author hosting malicious artifacts on archive[.]org.
The current campaign
The threat actor
We believe the threat actor behind the current campaign targeting Latin America is not the crypter developer. There are several technical and tactical indications that this actor is, in fact, Brazilian.
To begin with, one of the most prolific domains owned and operated by the threat actors (updatewin32[.]xyz) was registered in Brazil.
Whois record for domain updatewin32[.]xyz.
Talos discovered several maldocs predominantly named in Portuguese. One such malicious document was called “Documento.doc” (Portuguese for “document”). Looking at the constituent files of the document, there are two files called “AquiTaLimpo,” one with the XML extension and another with the “.xml.rels” extension. “AquiTaLimpo” is Portuguese slang for “here is clean.”
Constituent files in the open XML-based maldoc.
The XLSM files embedded in these documents had VBA macro code that would download the main payload. The macro lives in a module named “EstaPastaDeTrabalho,” as can be seen in the screenshot below. This corresponds to the name a Portuguese-language Excel installation gives the ThisWorkbook object (“pasta de trabalho” is Excel's Portuguese term for a workbook; literally “work folder”).
Portuguese stream and macro names used in the maldocs.
Additional metadata shows that the “creator” and “last modified by” fields of the maldoc are also written in Portuguese, as can be seen below. These findings indicate that the actor's operating environment, and especially the systems used to generate the maldocs, uses the Portuguese language.
Maldoc metadata showing the creator and “last modified by” party names in Portuguese.
The creator is a common Portuguese language name, however, the “last modified by” tag can be translated to “Knight from Troy,” implying a trojan. The same name appears on the properties of the XLSM files.
Malware authors and campaign operators frequently submit their payloads to public detection systems such as VirusTotal to check the efficacy of anti-virus products against their malware. This is a practice seen frequently across many crimeware groups.
The Brazilian threat actor used this practice to submit test files with Portuguese names to VirusTotal in June and July 2021 — all files submitted from Brazil. These files are named “Exploit pronto para envio.rar,” which translates to “exploit ready to be sent.”
Early versions of the test maldocs were true test copies that simply executed calc.exe. At the time of writing, there were approximately 11 files submitted with slight differences, all submitted from the same Brazilian origin around the same time.
Preliminary versions of the test maldocs executing calc.exe.
Later test files embed the same file names, author name, malicious domains and URLs as those used in the Latin American campaign.
A quick look at the metadata of these test files also confirms the usage of Brazilian Portuguese to build the test maldocs.
Brazilian Portuguese language code in the test maldocs.
As we said above, the crypter author advertises the crypter on social networks like Facebook, Instagram or YouTube. We’ve found Portuguese-speaking users either praising the crypter or asking for it.
As described in subsequent sections, the text of the email is in near-perfect Brazilian Portuguese, and the Visual Basic for Applications (VBA) code in the PPAM file attached to the email shows that it was written on a Portuguese-language Office installation: the VBA module is called “Módulo1,” the localized name for “Module1.”
The countries targeted by this set of attacks are primarily in Latin America:
The campaign uses maldocs posing as something as inconspicuous as reservation dates for hotels.
A good example of a maldoc’s file name is “Fechas informativas para reservar Amérian Portal del Iguazú,” which roughly translates to “Informative dates to reserve Amérian Portal del Iguazú” (“Amérian Portal del Iguazú” is a hotel in Argentina). It is worth noting that the content of the email is in near-perfect Brazilian Portuguese.
These campaigns focusing on Latin American countries usually use malspam to deliver the malicious macro-enabled document to their victims.
An example of a malspam email delivering a PPAM maldoc as early as Jan. 19, 2021.
Some of the Word documents discovered for this campaign use a chain of relationship definitions to load embedded XLSM files, which contain the actual VBA code that downloads the payloads.
Additional malicious XLSM files loaded during runtime.
The maldocs are Office Open XML documents consisting of two key relationship definition files: the main one, called “AquiTaLimpo.xml.rels,” and another called “comments.xml.rels,” which load the embedded XLSM files containing the VBA code.
Malicious relationship file linking to the embedded XLSM files.
When the Word document is opened, Excel is also loaded to open the XLSM files embedded in the document, and the macro launches to download the payloads.
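To see the relationship chain described above in practice, here is an added Python example (not code from the original post or from Talos) that opens an Office Open XML package, maps every .rels part back to the part it describes, resolves relative targets against that part's directory, and reports embedded parts, external targets and any embedded package that carries its own vbaProject.bin. The document it builds in memory is constructed for the example: the part names, relationship IDs and the external URL are illustrative, not the campaign's.

```python
"""Added example: walk the .rels parts of an Office Open XML package.

Relationship parts live at '<dir>/_rels/<part>.rels' and describe the part
'<dir>/<part>'; '_rels/.rels' describes the package root.  Relative targets
resolve against the source part's directory.  Constructed sample data only.
"""
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

PKG_RELS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_RELS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
REL_TAG = "{%s}Relationship" % PKG_RELS
# Relationship types that embed another object/package inside the document.
EMBED_TYPES = ("/oleObject", "/package")
MACRO_EXTS = (".xlsm", ".xlam", ".ppam", ".docm", ".bin")


def source_part(rels_name: str) -> str:
    """'word/_rels/document.xml.rels' -> 'word/document.xml'; '_rels/.rels' -> ''."""
    rels_dir, base = posixpath.split(rels_name)
    parent = posixpath.dirname(rels_dir)          # strip the '_rels' component
    part = base[: -len(".rels")]
    return posixpath.join(parent, part) if part else parent


def has_vba_project(blob: bytes) -> bool:
    """True if blob is itself an OOXML package carrying a vbaProject.bin."""
    if not blob.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as inner:
            return any(n.lower().endswith("vbaproject.bin") for n in inner.namelist())
    except zipfile.BadZipFile:
        return False


def walk_relationships(package: bytes) -> dict:
    """Return embedded parts, external targets and embedded parts with VBA."""
    out = {"embedded": [], "external": [], "vba_in_embedded": []}
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        names = set(z.namelist())
        for rels in sorted(n for n in names if n.endswith(".rels")):
            base_dir = posixpath.dirname(source_part(rels))
            for rel in ET.fromstring(z.read(rels)).iter(REL_TAG):
                target, rtype = rel.get("Target", ""), rel.get("Type", "")
                if rel.get("TargetMode") == "External":
                    out["external"].append((rels, target))   # URL or UNC path
                    continue
                part = posixpath.normpath(posixpath.join(base_dir, target)).lstrip("/")
                if rtype.endswith(EMBED_TYPES) or part.lower().endswith(MACRO_EXTS):
                    out["embedded"].append((rels, part))
                    if part in names and has_vba_project(z.read(part)):
                        out["vba_in_embedded"].append(part)
    return out


def _rels_xml(*entries) -> str:
    items = []
    for rid, kind, target, *mode in entries:
        extra = ' TargetMode="External"' if mode else ""
        items.append(f'<Relationship Id="{rid}" Type="{DOC_RELS}/{kind}" Target="{target}"{extra}/>')
    return f'<Relationships xmlns="{PKG_RELS}">{"".join(items)}</Relationships>'


def _sample_xlsm() -> bytes:
    """Constructed macro workbook: only the parts the walker looks at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


def build_sample_docx() -> bytes:
    """Constructed .docx: document.xml.rels and comments.xml.rels each point at
    an embedded XLSM, plus one external hyperlink (illustrative URL)."""
    xlsm = _sample_xlsm()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("_rels/.rels", _rels_xml(("rId1", "officeDocument", "word/document.xml")))
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", _rels_xml(
            ("rId1", "comments", "comments.xml"),
            ("rId2", "oleObject", "embeddings/oleObject1.xlsm"),
            ("rId3", "hyperlink", "http://example.invalid/next-stage", "External")))
        z.writestr("word/comments.xml", "<comments/>")
        z.writestr("word/_rels/comments.xml.rels",
                   _rels_xml(("rId1", "oleObject", "embeddings/oleObject2.xlsm")))
        z.writestr("word/embeddings/oleObject1.xlsm", xlsm)
        z.writestr("word/embeddings/oleObject2.xlsm", xlsm)
    return buf.getvalue()


if __name__ == "__main__":
    for key, items in walk_relationships(build_sample_docx()).items():
        print(key, items)
```

Point `walk_relationships` at the bytes of a real document to get the same three lists; external targets are worth reviewing separately, since a relationship with TargetMode="External" is how a document reaches out to a remote resource without any macro code of its own.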
We also discovered a variety of maldocs that are macro-enabled files such as PPAM and XLAM serving as entry points of the infection chain. PPAM files are add-in files used by Microsoft PowerPoint to add functionality such as custom macros, tools and commands. These macro-enabled maldocs act as entry points to the infection chain, which finally drops a popular RAT, either njRAT or AsyncRAT.
The earliest infection chain discovered contains a macro that downloads and executes a remote HTA file from an attacker-controlled location.
Malicious macro in the PPAM.
Stage 1A: Malicious HTA
Un-escaped VB code used to download and execute Stage 2 on the endpoint.
Stage 2: PS1 Script
The PowerShell script executed on the endpoint is the de facto orchestrator of the infection chain.
This script performs the following actions on the endpoint:
- Change the current user’s Startup folder to the one specified in the script by modifying the registry values:
HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | Startup = <custom_directory>
HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Startup = <custom_directory>
<custom_directory> = Directory created by the malicious ps1 script.
- Create a custom VBS (Stage #2A) in this modified Startup directory to execute a downloaded Powershell (ps1) script (Stage #3 e.g. “msi.ps1”) across reboots.
VBScript created in a custom Startup folder to run a ps1 downloaded subsequently.
- The script will then check for the presence of five anti-virus products on the endpoint. Based on the AV found, it will download a specific version of the next-stage ps1 referenced in the previous step (msi.ps1 above) and execute the VBScript created in Stage 2A.
AV product-based Stage 4 script download and execution.
The AV products checked by the script are:
- ESET Security
- If no AV products are found on the endpoint, the script will perform the following actions:
a. Create four configuration scripts on the endpoint.
b. Script 1 is used to modify the “windir” path to execute itself when a user or application accesses the “windir” environment variable. The script also runs Script 3 if the current user is an Administrator.
Modifying the “windir” path to execute itself.
c. Script 2 is used to create Microsoft Defender exclusions for specific paths and executables and to enable the .NET Framework 3.5 feature (NetFX3):
Add-MpPreference -ExclusionPath C:
Add-MpPreference -ExclusionProcess powershell.exe
Add-MpPreference -ExclusionProcess Wscript.exe
Dism /online /enable-feature /featurename:NetFX3
d. Script 3 is used to run Script 2.
e. Script 4 is used to run Script 1.
f. Execute Script 4 on the endpoint.
The execution of these scripts is convoluted and the following diagram illustrates the executions:
Mini-scripts execution order.
g. Finally, the parent ps1 script downloads another version of the next-stage ps1 and executes it via the Stage 2A VBScript.
h. Once the configuration scripts have completed execution, they are deleted from the endpoint.
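As an added detection example (not from the post), the following Python evaluates collected host state for the two changes made by the Stage 2 script above: a per-user Startup folder redirected away from its default location through the User Shell Folders / Shell Folders values, and Defender exclusions that cover a whole drive or exempt a script host. The input dictionaries are constructed; on a real host they would be populated from Get-ItemProperty and Get-MpPreference output or an osquery registry query. The path used for the redirected Startup folder is an illustrative placeholder, not the directory the campaign used.

```python
"""Added detection example: evaluate host state for a redirected per-user
Startup folder and over-broad Defender exclusions.  Inputs are constructed;
a real collector would fill them from Get-ItemProperty / Get-MpPreference
or an osquery registry query.
"""
import re

# Everything after the profile root in the default Startup path (lower-cased).
DEFAULT_STARTUP_SUFFIX = r"\appdata\roaming\microsoft\windows\start menu\programs\startup"
# Accepts the unexpanded User Shell Folders form and the expanded Shell Folders form.
PROFILE_ROOT = re.compile(r"^(%userprofile%|[a-z]:\\users\\[^\\]+)")
DRIVE_ROOT = re.compile(r"^[a-z]:\\?$")
# Script hosts whose exclusion neuters scanning of the whole script-based chain.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def is_default_startup(value: str) -> bool:
    """True only if the value resolves to <profile>\\AppData\\Roaming\\...\\Startup."""
    v = value.strip().rstrip("\\").lower().replace("%appdata%", r"%userprofile%\appdata\roaming")
    m = PROFILE_ROOT.match(v)
    return bool(m) and v[m.end():] == DEFAULT_STARTUP_SUFFIX


def check_startup_redirect(user_shell_folders: dict, shell_folders: dict) -> list:
    """Flag either Explorer key whose Startup value points somewhere non-default."""
    findings = []
    for key, values in (("User Shell Folders", user_shell_folders), ("Shell Folders", shell_folders)):
        startup = values.get("Startup")
        if startup is not None and not is_default_startup(startup):
            findings.append(f"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\{key}\\Startup redirected to {startup}")
    return findings


def check_defender_exclusions(exclusion_paths: list, exclusion_processes: list) -> list:
    """Flag drive-root path exclusions and script-host process exclusions."""
    findings = []
    for path in exclusion_paths:
        if DRIVE_ROOT.match(path.strip().lower()):
            findings.append(f"ExclusionPath covers an entire drive: {path}")
    for proc in exclusion_processes:
        name = proc.strip().lower().rsplit("\\", 1)[-1]
        if name in SCRIPT_HOSTS:
            findings.append(f"ExclusionProcess exempts a script host: {proc}")
    return findings


def triage(host: dict) -> list:
    return (check_startup_redirect(host["user_shell_folders"], host["shell_folders"])
            + check_defender_exclusions(host["exclusion_paths"], host["exclusion_processes"]))


# Constructed host snapshots.  The redirected path is an illustrative placeholder.
CLEAN_HOST = {
    "user_shell_folders": {"Startup": r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"},
    "shell_folders": {"Startup": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"},
    "exclusion_paths": [r"C:\Program Files\LineOfBusinessApp"],
    "exclusion_processes": [],
}
INFECTED_HOST = {
    "user_shell_folders": {"Startup": r"C:\Users\Public\Libraries\Startup"},
    "shell_folders": {"Startup": r"C:\Users\Public\Libraries\Startup"},
    "exclusion_paths": ["C:"],
    "exclusion_processes": ["powershell.exe", "Wscript.exe"],
}

if __name__ == "__main__":
    for name, host in (("clean", CLEAN_HOST), ("infected", INFECTED_HOST)):
        print(name, triage(host) or ["no findings"])
```

The Startup comparison deliberately normalises both registry forms (the unexpanded `%USERPROFILE%` / `%APPDATA%` value and the expanded profile path) so that a value pointing anywhere other than the roaming AppData Startup folder is reported, whichever of the two keys it was written to.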
Stage 3: PS1
The Stage 3 ps1 is simple and consists of three key components:
- Hexlified injector DLL: This DLL is used to run a specified process and inject the accompanying malware into it.
- Hexlified malware payload: either njRAT or AsyncRAT.
- A Base64-encoded or plaintext command to reflectively load the injector DLL into the PowerShell process, with the target process’ image path and the malware payload bytes passed as arguments to the injector. An example of the reflective loading command used is:
Stage 3 ps1 script.
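The following Python is an added triage helper, not code from the post or from the crypter, for scripts with the Stage 3 layout just described: it carves long hex and base64 runs, decodes them, checks whether each is a PE image and whether that image carries a CLR runtime header (a .NET assembly, as the injector DLL is), hashes it, and looks for the Assembly.Load call both in plaintext and inside a base64 UTF-16LE encoded command. The sample script it generates is constructed: the two header-only PE images, the type and method names and the target path are placeholders, not the campaign's artifacts.

```python
"""Added triage example for a Stage 3-style script: carve hex and base64
blobs, identify PE images and .NET assemblies, and locate the reflective
Assembly.Load call.  All sample data is constructed.
"""
import base64
import hashlib
import re
import struct

HEX_RUN = re.compile(r"(?:[0-9A-Fa-f]{2}){64,}")         # >= 64 contiguous hex bytes
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
LOAD_CALL = re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\(", re.IGNORECASE)


def pe_info(blob: bytes) -> tuple:
    """Return (is_pe, is_dotnet).  A .NET image has a non-empty CLR Runtime
    Header entry (data directory 14) in its optional header."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False, False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, False
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    if opt + 2 > len(blob):
        return True, False
    magic = struct.unpack_from("<H", blob, opt)[0]
    dirs = {0x10B: 96, 0x20B: 112}.get(magic)  # PE32 / PE32+ data directory offset
    if dirs is None or opt + dirs + 15 * 8 > len(blob):
        return True, False
    va, size = struct.unpack_from("<II", blob, opt + dirs + 14 * 8)
    return True, va != 0 and size != 0


def _describe(encoding: str, raw: bytes) -> dict:
    is_pe, is_dotnet = pe_info(raw)
    return {"encoding": encoding, "size": len(raw), "pe": is_pe, "dotnet": is_dotnet,
            "sha256": hashlib.sha256(raw).hexdigest()}


def _b64_candidates(script: str):
    # Hex runs are removed first so they are not re-reported as base64.
    for m in B64_RUN.finditer(HEX_RUN.sub(" ", script)):
        try:
            yield base64.b64decode(m.group(), validate=True)
        except ValueError:
            continue


def carve_blobs(script: str) -> list:
    """Every decodable hex or base64 run, described."""
    blobs = [_describe("hex", bytes.fromhex(m.group())) for m in HEX_RUN.finditer(script)]
    blobs += [_describe("base64", raw) for raw in _b64_candidates(script)]
    return blobs


def find_reflective_load(script: str) -> list:
    """Where the Assembly.Load call appears: plaintext, or inside a base64
    command (PowerShell -EncodedCommand uses UTF-16LE)."""
    hits = ["plaintext"] if LOAD_CALL.search(script) else []
    for raw in _b64_candidates(script):
        for enc in ("utf-16le", "utf-8"):
            if LOAD_CALL.search(raw.decode(enc, errors="ignore")):
                hits.append(f"base64/{enc}")
                break
    return hits


def build_sample_pe(managed: bool) -> bytes:
    """Constructed header-only PE32 image: just enough for pe_info()."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    if managed:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 72)   # CLR header RVA/size
    return dos + coff + bytes(opt)


def build_sample_script() -> str:
    """Constructed stand-in for a Stage 3 script: a managed 'injector', an
    unmanaged 'payload' and an encoded loader command.  Names and the
    target path are placeholders."""
    cmd = ('[System.Reflection.Assembly]::Load($inj).GetType("Loader.Run")'
           '.GetMethod("Go").Invoke($null, @("C:\\example\\target.exe", $pl))')
    encoded = base64.b64encode(cmd.encode("utf-16le")).decode()
    return (f"$inj = '{build_sample_pe(True).hex()}'\n"
            f"$pl = '{build_sample_pe(False).hex()}'\n"
            f"powershell.exe -NoProfile -EncodedCommand {encoded}\n")


if __name__ == "__main__":
    s = build_sample_script()
    for b in carve_blobs(s):
        print(b)
    print("Assembly.Load found in:", find_reflective_load(s))
```

On a real script the two hashes are what you pivot on: the hex blob that reports `dotnet: True` is the injector, the other PE is the RAT payload, and the decoded command shows which image path the injector is told to spawn and hollow.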
The overall infection chain is:
Complete infection chain.
We have also observed minor variations in the infection chains where some of the (mini) scripts used in Stage 2 are hosted independently, downloaded and executed during the infection process. This is another example of a threat actor modularizing their infection chains to be able to control/update different stages of its attack.
The executables accompanying the Stage 3 PowerShell script consist of:
- Injector DLL: This DLL accepts two arguments:
- The filepath of a process to be spawned, hollowed and replaced with the accompanying malware payload.
- Malware payload bytes to be injected into the hollowed out target process.
- Malware payload: The actual malware payload to be deployed on the endpoint.
The DLL is a simple .NET-based injector. It is usually obfuscated with .NET Reactor, which can be easily deobfuscated using de4dot. There is only one exported method; it takes the two arguments mentioned above and deploys the malware payload into the target process.
The injection method is straightforward process hollowing, following all the usual steps. If any error occurs during injection, it kills the target process and retries up to five times before giving up.
Interestingly, the DLL, which is a modified version of RunPE, also contains code to change ACLs on kernel objects. This code is never called, indicating either a work in progress or redundant code borrowed from elsewhere and never used.
The malware payloads found so far belong to two families: AsyncRAT and njRAT.
AsyncRAT and njRAT are well-known and highly prolific RATs used by crimeware groups and APTs.
Many malware families use victim names or group IDs to identify different types of infections. This is done so that campaign operators can easily identify infections for administration and deploy additional malware to their victims.
Both AsyncRAT and njRAT use such victim identification methods. While njRAT identifies victims using a “victim name,” AsyncRAT uses a “group name” to keep track of infections and their respective groups.
The victim identifiers found embedded in the RATs were indicative of their targeting of Latin American countries. This finding matches with the targeting tactics, themes and languages used in the maldocs employed in these attacks. Some of these victim identifiers (specific to Latin America) used are:
The infection chain builder
Talos also discovered a builder used by the operators of the attacks to create multiple scripts used in various stages of the attack chain. This builder is named “Crypter 3losh RAT.” This builder contains a set of malicious scripts embedded in it in the form of resources which are modified based on the inputs provided by the operator to generate the various scripts. The builder is built in .NET and can carry out a variety of malicious actions, which we will outline below.
Build Stage 1A scripts
The builder only supports the generation of the VBScripts used in the Stage 1A HTAs. The embedded VBScript modified is an older version used in previous attack campaigns by the operators.
The builder accepts the URL for the next stage and generates a VBScript. The VBScript is displayed to the user in a textbox on the UI but also saved to the builder’s working directory with the name “alosh-rat.vbs.”
Stage 1A VBScript generated in the bottom left text box based on the Stage 2 URL specified in the text box at the top.
Build Stage 2 scripts
The second-stage scripts are built using an embedded PS1 script. This UI accepts two URLs for the Stage 3 PS1 scripts and writes a file called “3.txt” to the current user’s Desktop folder.
Builder UI for creating the Stage 2 scripts with the Stage 3 scripts being used as inputs.
Build Stage 3 scripts
The Stage 3 scripts are perhaps the most important part of the infection chain. These scripts are responsible for unhexlifying the injector DLL and malware payload and in turn deploying both to infect the victim’s endpoint.
Again, the builder uses two embedded PS1 scripts as templates. These templates already contain the hex representation of the injector DLL. This builder UI accepts the local file paths of up to two malware payloads to be embedded in the generated Stage 3 scripts, called “1.txt” and “2.txt,” respectively.
Stage 3 builder UI accepting path to the RAT binaries.
The builder contains references to its creator on Facebook, YouTube and Skype. The YouTube page shows several videos that explain how to use the builder to bypass several commercial anti-virus products.
The Aggah connection
Many distinct malware campaigns sometimes tend to have commonalities and overlap in their TTPs. At times, this is due to the use of the same publicly or semi-privately available tools, builders and malware-as-a-service. An interesting commonality between the Latin American and Aggah campaigns seen recently are the Stage 3 PowerShell scripts. They utilize the same structure, syntax and semantics, down to the exact variable names. Identical Stage 3 PowerShell scripts are also present in the “3losh rat” crypter/Builder described previously. This indicates a common source of malicious code base for both these campaign sets or the use of a common crypter to build infection chains.
The malware families distributed by Aggah are also very similar to those seen in the Latin American campaigns, i.e. AsyncRAT and njRAT.
There are, however, a few distinctions between the two campaigns sets:
- Aggah relies heavily on URL redirection services in their campaigns, specifically bitly, j[.]mp and similar. We have not observed the use of these services in the Latin American campaigns.
- Aggah is also known to heavily abuse public hosting services such as Blogger, Pastebin, Web Archive etc. to host their malicious components. The Latin American campaigns however, indicate that the operators tend to use either compromised or attacker controlled websites to host their components and payloads.
Thus there are three distinct campaigns utilizing the same Crypter and infection scripts:
- The campaigns conducted by the crypter author “Alosh” — also seen abusing archive[.]org to host their malicious payloads.
- The campaigns conducted by the Brazilian threat actor targeting Latin America.
- The campaigns conducted by the crimeware group “Aggah” using the same scripts found in the “3losh rat” crypter.
This post details a crypter used by operators to build infection artifacts for spreading malware in Latin America, with a focus on the travel and hospitality industry. The campaign started in October 2020 and is currently ongoing. The fact that the actor is regional gives them the advantage of being able to write more targeted and convincing emails. This is a good example of how an actor can inflict losses on organizations without being part of an APT or a crimeware syndicate.
The variety and the ease of generating infection artifacts via Crypters indicates that the attackers will likely expand their net of victims to more industries and geographies.
The threat actor authoring the crypter primarily aims to sell it as a service. We’ve observed the authors advertise their crypters on Facebook, YouTube and other social media. However, we’ve also discovered that the crypter’s authors have conducted their own malware campaigns abusing archive[.]org to deliver commodity RATs.
The highly modular structure of the Latin American attack indicates a focus on stealth in delivering two widely popular RAT families, AsyncRAT and njRAT. These techniques, along with other indicators, are shared with the Aggah group, indicating that the crypter author might have sold it to both parties.
Organizations should remain vigilant against such threats as they are likely to proliferate in the future.
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Cisco Secure Endpoint users can use Orbital Advanced Search to run complex osquery queries to see if their endpoints are infected with this specific threat. For specific queries on this threat, click below:
PPAM and XLAM files
Stage 1A - HTA
Stage 2 - PS1
Stage 2A - VBS
Stage 3 - PS1
Infection Chain Builder/Crypter
Stage 2 mini scripts
Malicious Google Drive URL hosting the PPAM:
archive[.]org abuse URLs
Attacker Email ID