最后更新于2024年4月10日(星期三)14:45:31 GMT
Rapid7的管理检测和响应(MDR)团队持续监控客户的环境, identifying emerging threats and developing new detections.
In August 2023, Rapid7 identified a new malware loader named the IDAT Loader. 恶意软件加载程序是一种恶意软件,旨在向受害者的系统传递和执行额外的恶意软件. IDAT Loader的独特之处在于它从PNG文件中检索数据的方式, searching for offsets beginning with 49 44 41 54 (IDAT).
At the time, the loader was seen being distributed via a FakeUpdates campaign. In two recent investigations, Rapid7’s Managed Detection & 响应(MDR)观察到加载程序再次被使用. 根据最近的战术, 技术和程序观察(TTPs), we believe the activity is associated with financially motivated threat groups.
在这个分为两部分的博客系列中, we will examine the attack chain observed in two separate incidents, offering in-depth analysis of the malicious behavior detected. The incidents discussed in the series stem from opportunistic infections, 其中,威胁组织利用恶意广告和驾车下载,以使用户执行其初始恶意载荷.
第一期主要讨论用户下载应用程序触发的事件, 随后触发IDAT Loader和BruteRatel C4 (BRC4)框架的执行,在初始访问受损资产后.
Technical Analysis
Stage 1: The drive by
在最近的一次事件中,我们观察到一个用户浏览到一个播放热门韩国节目的网站. 在试图观看视频时, the website redirected the user's browser through multiple websites, eventually leading to the download of an application named AppFile_v1.1.exe. 威胁行为者利用网站重定向使网络技术难以扫描恶意内容的链接.
二元分析:摆脱铁锈
经过初步的二进制分析 AppFile_v1.1.exe,我们确定这个程序是用Rust编写的.
During execution, the program will query the name of the executable. 如果可执行文件的名称匹配 AppFile_v1.1.exe, the program will continue. 大多数沙箱将重命名提交程序的文件(有时基于散列). 这种技术有助于规避沙箱,确保不运行恶意功能. If the program name does not match its original intended name, 程序将退出并显示一条错误信息, 显示无法加载网页的图像.
接下来,程序将通过查询函数来检查它是否驻留在调试器中 IsDebuggerPresent. 如果检查通过,它将解密一个解析为“Normal”的硬编码字符串。. 如果不是,程序将解密另一个解析为“Debugger”的硬编码字符串,然后退出.
一旦反调试检查通过, the program retrieves an encrypted string and XOR decrypts it, revealing the URL hxxps: / / cdn -网络-服务- 001 (.] com/update/minor/1/release.json.
然后程序将执行反分析技术, 特别是查询用户名和打开进程,并将它们与已知沙箱用户名和工具的列表进行比较. 用户名和进程列表也是xor加密的,并在运行时解密. Based on Open Source Intelligence, we determined that another malware known as Serpent Stealer 包含一个类似的用户名表. 完整的清单见下文附录A.
| Usernames | 已知的沙盒工具/过程 |
|---|---|
| hbyldjtckyn1 | httpdebuggerui.exe |
| lubi53an14cu | immunitydebugger.exe |
| rgzcbuyrznreg | ksdumperclient.exe |
| 8lnfaai9qdjr | httpanalyzerstdv7.exe |
| j6sha37ka | ida64.exe |
If any of the checks fail, the program will exit and display the message box. If the checks pass, the program will then utilize Rust library tokio-1.32.0/src/net/tcp/stream.rs in order to read in data from the decrypted URL and store the contents in memory.
Upon initial analysis, the downloaded data appeared to be encoded. Subsequently, the data is passed into a function tasked with decoding it. 解码过程包括读取每个字节并减去十六进制值32.
下载的数据解码后, 程序异或解密另一个字符串, 显示可执行文件的路径 C:\Windows\system32\werfault.exe. Using syscalls,程序将执行以下操作:
| Windows API Function | Syscall ID | Description |
|---|---|---|
| NtOpenProcess | 0x0026 | 用于启动进程werfault.exe |
| NtCreateUserProcess | 0x00c8 | 用于欺骗父进程ID (PPID) |
| NtAllocateVirtualMemory | 0x0018 | Allocate new space within memory, storing the new executable |
| NtGetContextThread | 0x00F2 | Used to retrieve the context of a thread within the target process (werfault.exe). |
| The thread in this case is a pointer to the entry point of the new executable | ||
| NtSetContextThread | 0x0018B | 用于指向NtGetContextThread中的线程 |
| NtResumeThread | 0x0052 | 启动由NtSetContextThread设置的线程 |
在分析了解码后的二进制文件后,我们确定它是另一个用Rust编写的可执行文件. The program's executable contains a zip archive within the .rdata section. 在执行过程中,程序在目录中生成一个随机生成名称的文件夹 %TEMP% directory and extracts the contents of the archive into this newly created folder.
存档文件包含一个DLL, msidcrl40.dll, an executable named live.exe and an encrypted file, dynatron.mdb. DLL的初步分析 msidcrl40.dll 显示DLL的签名已损坏,表明DLL已被篡改. Further analysis showed that the DLL 包含与IDAT加载器相关的代码.
IDAT Loader
在rust程序删除zip归档文件的内容之后,它将继续执行二进制文件 live.exe, which sideloads the DLL, msidcrl40.dll,其中包含IDAT Loader代码.
After the binary live.exe loads the DLL msidcrl40.dll, the DLL executes the function containing the IDAT Loader. The loader then reads in encrypted contents contained within the file dynatron.mdb, searching for the offset 49 44 41 54 (IDAT) followed by C6 A5 79 EA. 解密内容后,加载器将使用 RtlDecompressBuffer and execute additional code into a newly created process, cmd.exe.
IDAT加载器采用了先进的技术,例如 Process Doppelgänging and the Heaven’s Gate technique in order to initiate new processes and inject additional code.
The code contained within cmd.exe 负责解密最终有效载荷并将其注入到新创建的进程中, msbuild.exe.
Using our IDAT Loader配置提取器, we were able to extract the final payload and determined that it was SecTop RAT. During execution of the SecTop RAT,我们观察到它与IP地址通信 152.89.217[.]215.
开发后:BRC4部署
After the SecTop RAT was executed successfully, Rapid7观察到后续活动,其中威胁参与者从文件夹路径内执行另一个版本的IDAT加载程序 C:\ProgramData\. We observed the following related files were dropped by the threat actor into C:\ProgramData:
| Files | Description |
|---|---|
| glib-2.0.dll | 由rvm加载的良性可执行文件.exe |
| iconv.dll | 由rvm加载的良性可执行文件.exe |
| intl.dll | 由rvm加载的良性可执行文件.exe |
| rvm.exe | 加载vmtools的合法可执行文件.dll during execution |
| spank.mpg | Encrypted file containing IDAT sections, read in by vmtools.dll |
| vmtools.dll | 包含IDAT加载器的篡改DLL,由rvm加载.exe |
经过对文件的分析,我们确定 rvm.exe was a renamed executable rvmsetup.exe, a legitimate tool that is a part of the VMWare Tools toolset. 该二进制文件用于将VMWare源虚拟机加入active directory域. 我们也观察到双星 vmtools.dll had a corrupted signature, indicating the binary’s code was tampered with. We observed that the DLL vmtools.dll 包含与IDAT加载器相关的代码.
在执行可执行文件期间, rvm.exe, the program loads vmtools.dll. After vmtools.dll 加载时,DLL被定向执行包含IDAT加载器的函数. The IDAT Loader proceeds to read in contents from within spank.mpg, searching for the same offset, 49 44 41 54 (IDAT) followed by C6 A5 79 EA. 解密后的内容 spank.mpg, IDAT Loader生成一个新进程, cmd.exe, 注入负责解密最终有效负载并将其注入新创建的进程的附加代码, explorer.exe.
Using our static config extractor,我们提取了最终的有效负载,一个64位的可执行文件. 在对最终有效载荷进行初步分析时, 我们观察到程序利用了API函数 VirtualAlloc and VirtualProtect. 在程序执行期间,它利用 VirtualAlloc 将附加代码(包括加密数据)读入并存储到内存的一个新区域. 然后程序调用该函数 VirtualProtect,将新分配的内存区域(包含新代码)更改为可执行的. 我们还观察到64位可执行文件(从IDAT Loader python脚本获得)具有执行的能力 process hollowing by starting a new process, notepad.exe, 并将代码注入到新创建的进程中.
新分配的代码负责使用RC4解密加密的数据, copying the decrypted code into an allocated memory buffer via VirtualAlloc, and setting the memory buffer to have executable permission using VirtualProtect. Rapid7 determined the decrypted code was a Brute Ratel C4 (BRC4) “badger”.
Brute Ratel最初是用于渗透测试人员的开发后工具, designed to mimic adversary tactics as of December 2020. 它的开发旨在复制已建立的指挥和控制(C2)软件的功能,如Cobalt Strike, Mythic and Sliver. 在一个成功的目标妥协之后, 攻击者部署了蛮鼠獾,,其任务是与攻击者的指挥和控制域建立通信.
在执行BRC4程序期间,我们观察到它延伸到域 updatenazure[.]com.
在BRC4程序执行之后, 我们观察到威胁行为者试图通过使用命令枚举域控制器 nltest /dclist.
Rapid7 Customers
通过Rapid7扩展的检测规则库,insighttidr和管理检测和响应客户已经拥有了现有的检测覆盖范围. Rapid7建议在所有适用的主机上安装Insight Agent,以确保对可疑进程的可见性和适当的检测覆盖率. 以下是部署的检测和对所描述的活动发出警报的非详尽列表:
- Network Discovery - Nltest Enumerate Domain Controllers
- Suspicious Process - Execution From Root of ProgramData
- Suspicious Process - PowerShell Uncommon Upper And Lower Case Combinations
- 可疑进程-浏览器.exe在非标准位置
附录A:已知沙盒用户名和分析工具
| Usernames | Processes |
|---|---|
| hbyldjtckyn1 | httpdebuggerui.exe |
| lubi53an14cu | immunitydebugger.exe |
| rgzcbuyrznreg | ksdumperclient.exe |
| 8lnfaai9qdjr | httpanalyzerstdv7.exe |
| j6sha37ka | ida64.exe |
| keecfmwgj | 32dbg.exe |
| pwouqdtdq | 64dbg.exe |
| qmis5df7u | protection_id.exe |
| txwas1m2t | vmsrvc.exe |
| uox1tzamo | x32dbg.exe |
| rb5bnfur2 | x64dbg.exe |
| cm0uegn4do | x96dbg.exe |
| douyo8rv71 | prl_cc.exe |
| paul jones | windbg.exe |
| pxmduopvyx | scylla.exe |
| fnbdsldtxy | idau64.exe |
| gexwjqdjxg | idaq64.exe |
| gjam1nxxvm | idag64.exe |
| jcotj17dzx | taskmgr.exe |
| 05kvauqkpqk5 | procexp.exe |
| 64f2tkiqo5k5h | procmon.exe |
| of20xqh4vl | fiddler.exe |
| harry johnson | dumpcap.exe |
| 4tgiizslims | df5serv.exe |
| bvjchrpnsxn | ollydbg.exe |
| kfu0lqwgx5p | rdpclip.exe |
| nok4zg7zhof | vmusrvc.exe |
| ogjb6gqgk0o5 | qemu-ga.exe |
| xplyvzr8sgc | vboxtray.exe |
| ykj0egq7fze | vmtoolsd.exe |
| ryjijkiroms | pestudio.exe |
| nzap7ubvas1 | vmacthlp.exe |
| 9yjcpseyimh | procexp64.exe |
| uhuqiuwoefu | wireshark.exe |
| 6o4kyhhjxbir | prl_tools.exe |
| 7wjlgx7pjlw4 | importrec.exe |
| 8nl0colnq5bq | vmwaretray.exe |
| g2dbyldgzz8yo | vmwareuser.exe |
| pqonjhvwexsst | xenservice.exe |
| rdhj0cnfevzxf | scylla_x86.exe |
| xmimmckziitdl | scylla_x64.exe |
| l3cnbb8ar5b8 | vboxservice.exe |
| vzy4jmh0jw02 | |
| 21zlucunfi85 | |
| sal.rosenburg | |
| defaultaccount | |
| wdagutilityaccount |
MITRE ATT&CK Techniques
| Tactics | Techniques | Details |
|---|---|---|
| Initial Access | 飞车妥协(T1189) | 威胁行为者利用飞车下载来指导浏览器在未经用户同意的情况下下载其初始有效载荷 |
| Execution | 用户执行:恶意文件(T1204.002) | 用户执行二进制AppFile_v1.1.exe |
| Execution | Native API (T1106) | IDAT注入器和IDAT装载机使用天堂之门技术逃避检测 |
| Defense Evasion | Hijack Execution Flow: DLL Search Order Hijacking (T1574.001) | run.Exe加载恶意的wbxtrace.dll |
| Defense Evasion | Process Injection (T1055) | IDAT注入器实现NtCreateSection + NtMapViewOfSection代码注入技术注入到cmd.exe process |
| Defense Evasion | 解混淆/解码文件或信息(T1140) | msidcrl40.dll decrypts dynatron.mdb |
| Defense Evasion | 工艺注入:工艺Doppelgänging (T1055.013) | IDAT loader implements Process Doppelgänging technique to load the SecTop RAT |
| Defense Evasion | Masquerading (T1036) | dynatron.mdb file masqueraded to a .png file |
| Defense Evasion | Virtualization/Sandbox Evasion: Time Based Evasion (T1497.003) | Execution delays are performed by several stages throughout the attack flow |
IOCs
| IOC | Sha256 | Notes |
|---|---|---|
| AppFile_v1.1.exe | A3A5E7011335A2284E2D4F73FD464FF129F0C9276878A054C1932BC50608584B | Rust Loader负责下载IDAT Loader |
| msidcrl40.dll | 02D5E281689EC2D4AB8AC19C93321A09113E5D8FA39380A7021580EA1887B7A5 | 恶意DLL由live执行.exe |
| dynatron.mdb | C5C52331B208CAD19DC710786E26AC55090FFCA937410D76C53569D731F0BB92 | msidcrl40解密的加密载荷.dll |
| vmtools.dll | BEFE0DF365F0E2DC05225470E45FDF03609F098A526D617C478B81AC6BB9147F | rvm执行的恶意DLL.exe |
| spank.mpg | E05E561C5118EFDBCA113CA231C527B62E59A4BFFAE3BD374F7B4FCDD10E7D90 | vmtools解密的加密载荷.dll |
| hxxps: / / cdn -网络-服务- 001 (.] com/update/minor/1/release.json | Downloads additional Rust binary containing IDAT Loader | |
| 152.89.217[.]215 | SecTop RAT domain | |
| updatenazure[.]com | BRC4 Domain |
References
| Article | URL |
|---|---|
| Uncovering the “Serpent” | http://malware.news/t/uncovering-the-serpent/76253 |
| Process Doppelgänging | http://malware.news/t/uncovering-the-serpent/76253 |
| 《ladbrokes立博中文版》解析(上) | http://sachiel-archangel.medium.com/analysis-of-heavens-gate-part-1-62cca0ace6f0 |
| 深入研究恶意直接系统调用检测 | http://www.paloaltonetworks.com/blog/security-operations/a-deep-dive-into-malicious-direct-syscall-detection/ |
| Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers | http://rtx.qfyx100.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/ |
Rapid7 Labs GitHub
http://github.com/rapid7/Rapid7-Labs/blob/main/Malware Config Extractors/IDAT_Loader_extractor.py
