Intel Reports

Activity Summary - Week Ending on 9 February 2023:

• Red Sky Alliance identified 39,302 connections from new IP’s checking in with our Sinkholes
• NJ based Reliablesite.net LLC hit 130x
• Analysts identified 593 ‘new’ IP addresses participating in various Botnets
• Red Sky Malicious Email Subject Lines
• Malware Code that Cryptojacks
• Monero Crypto
• XMRig[.]exe
• ChatGPT
• AI Warnings

 Red Sky Alliance Compromised (C2) IP’s 

On 8 February 2023, Red Sky Alliance identified 39,302 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.

Red Sky Alliance Malware Activity   

 For a full black list – contact analysts: info@wapacklabs.com

Red Sky Alliance Botnet Tracker

On 8 February 2023, analysts identified 593 new IP addresses participating in various botnets (call for full .csv Blacklists, below are only a small sampling of botnet trackers).

 Red Sky Alliance Malicious Subject Line / Last 6 Months

Above are subject line lures to trick propel into opening an email and thus infecting networks with malware of all various types.  Financial based subject lines are a common tactic.

MALICIOUS CYBER TRENDS:

Malware Code that Cryptojacks System to Mine for Monero Crypto – Researchers recently captured Excel documents in the Microsoft OLE Compound File format that contain malicious VBA Macros.  Their file names are Pago_detalles.xls, makbuzu.xls, and Pago.xls. I then conducted deep research on them and found that they all belong to the same malicious campaign that cryptojacks systems to mine for Monero (XMR) cryptocurrency.

Affected platforms:             Microsoft Windows
Impacted parties:               Windows Users
Impact:                             Cryptojack Victim’s Device to Mine Cryptocurrency
Severity level:                    Critical

In this analysis, I will show how the crypto miner software is delivered by opening the Excel document and how it is executed on a victim’s device. I also look at the techniques it uses to prevent its code from being analyzed, how it gains persistence on the victim’s device, and how the malware performs process hollowing to execute the Monero miner on the victim’s device.  The content and VBA project are similar in all three Excel documents.

Figure 1.  The view of one of the documents opened by Microsoft Excel

When the document is opened in Microsoft Excel, as shown in Figure 1.1, it pops up a yellow warning bar to alert the user that the document contains a risky Macro project, which will be executed once the “Enable Content” button is clicked.  Given that the content is written in Spanish, this campaign targets Spanish-speaking people. It shows a blurred picture of a statement that tricks the user into clicking the button on the yellow bar for a clearer view.

The VBA Macro project is password protected from viewing, editing, and debugging. Once I disarmed its protections, I found an auto-execution sub-procedure Workbook_Open() in the project that is executed automatically once the Excel document is opened.  After deobfuscating the VBA statements, it is easy to understand the purpose of the sub-procedure Workbook_Open(), as shown in Figure 2.

Figure 2.  – Debugging the auto-run procedure “Workbook_Open()”

It downloads a file from hxxps[:]//www[.]tractorandinas[.]com/wocontent/templates.exe, saves it into the system’s Templates folder, and renames it “GHJFRGUNL.exe”. At the end of the Workbook_Open() auto-run procedure, it calls “FPKGNSJJDW_Shell_Application.Open (VMNXMOV_local_file)” to run the downloaded file on the victim’s device. 

Diving into the Downloaded File - The downloaded file “GHJFRGUNL.exe” was developed using Microsoft .Net Framework and is protected by an obfuscator called “ConfuserEx v1.0.0”.

By deobfuscating the file, I located a .Net Exe file, which is easier for analysts to use to comprehend its work-flows. It contains a .Net resource, which can be obtained with its resource name “Fyyxdkrpjokzonmmc” by calling the API ResourceManager.GetObject(). 

Figure 3. is a screenshot of the deobfuscated Exe file in an analysis tool.  The .Net resource is shown on the right.

Figure 3.  Screenshot of .Net Resource “Fyyxdkrpjokzonmmc”

The resource's data is a GZip-compressed .Net module (DLL) file. It is extracted in memory and then loaded. Figure 4. shows the context code of doing that.

Figure 4.  Loads .Net module and invokes its entry point method

Next, it gets the type of the entry point function for the .Net module and calls it by calling the API Type.InvokeMember().  The function is named "YLbTOcLUZT" and is defined under the namespace.class “DKNYEHTGFSSZDfys0h6.dOICUYTjc8hIf6usABv”.

Figure 5.  Debugging at the entry point function of the .Net module

Figure 5. shows the dynamically loaded .Net module in a .Net debugger, where it breaks at the entry point function.  As you may have noticed, the module is thoroughly obfuscated, including the class name, variable names, obfuscated workflow, and more.  It also includes functions to perform anti-tamper checks during the run time.  These cause the system to crash if it detects any modifications made to the module.  That means that it’s hard to deobfuscate. This was my biggest challenge in analyzing it.  According to my analysis, the downloaded file is like a malware loader and installer, and the .Net module is the payload module for the malware.

Gaining Persistence - The payload module determines if the current process file (“GHJFRGUNL.exe”) is located in the system “%AppData%” folder and runs with Administrator privilege.  If not, it will exit the process and rerun it with Administrator privilege, popping up a message for the victim to confirm.  It copies the Exe file into the “%AppData%” folder and adds it to the system Task Scheduler. This ensures the process launches at startup and runs every two minutes.

Figure 6.  The malware is about to create a new task

It breaks at a function, as shown in Figure 6, where it uses a TaskScheduler object to create the new task with the TaskDefinition displayed at the bottom. The new task’s name is from the process name “GHJFRGUNL”.

Figure 7. is the screenshot of the system Task Scheduler. You can see that a new task has been created with the process name.

Figure 7.  Created task in the system Task Scheduler

Once completed, it can launch at system startup. The Task Scheduler repeatedly starts “GHJFRGUNL.exe” every two minutes in case the process or its sub-processes are killed by the victim due to high consumption of hardware resources (like CPU and memory). It also has a strategy for keeping only one process running simultaneously using a Mutex object.

Communicate with the C2 server - Its config block data is base64 encoded in the payload module (“Fyyxdkrpjokzonmmc.dll”), which is decoded and loaded in a config block.  This contains the malware configuration data, like flags that tell the malware how to work, its C2 server domain string and port numbers, malware variant name, and crypto key used to encrypt and decrypt packets between the client and C2 server.

The decoded config block data is a stream of bytes converted into an object by calling the Deserialize() function (from a third-party module, protobuf-net.dll). The config object is used throughout the payload module lifetime.  Figure 8. is a screenshot of the config data being deserialized into a global variable.

Figure 8.  Config object

There are two TCP port numbers in the config object. It repeatedly attempts to connect to the C2 server with two ports, one by one, until a connection is established.  Next, it gathers basic information from the victim’s device, encrypts the collected information, and sends it to its C2 server.

Figure 9.  It’s about to encrypt collected data

Figure 9. shows when the malware is about to call a function to encrypt the collected information carried by variable “u” and send it to the C2 server.

The collected information consists of many of the items shown below:

• "true" - A flag indicating if the current user is an administrator.
• "Explo" - A constant string from config object, malware variant name.
• "Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz" - Processer’s information.
• "Desktop" - It tells the victim’s computer type.
• "96f709c0c080fbcb92806bd724266a13" - It’s a sort of victim ID that is MD5 generated using the device hardware data, such as ProcessorID, DiskSerialNumber, and GraphicsAdapter.
• "Bobs" - Its current user name.
• "v1.6.4" - Its malware version, a decrypted constant string.
• "N/A" - This should be installed AV product information.
• "Untitled - Notepad" - This is the current topmost program title.
• 8 - Its memory size 8Gb.

It uses a Triple DES cipher algorithm to encrypt and decrypt the data between the malware and its C2 server. Figure 10. shows the encrypted packets captured by Wireshark.

Figure 10.  Encrypted packets sent and received.

The cryptography key is "57dd8b6cc78fd8f51c2f5a", taken from the config object.

Steps for sending data to the C2 server

• It serializes the information from an object variable (as shown in Figure 4.2) into a byte stream.
• It calls the DES encryption function.
• It uses the Send() function from the TcpClient’s socket object to send the encrypted data.

Steps for receiving data from the C2 server

• It receives the C2 server’s packets by calling the Recv() function of the TcpClient’s socket object.
• It calls the DES decryption function to decrypt the data to a byte stream.
• It deserializes the byte stream into an object variable.

Figure 11.  C2 server’s response packet deserialized into an object variable

Figure 11. shows the entire set of received data responding to the first packet with collected information to the C2 server.  It has been converted into an object variable (referred to as a response object) from a byte stream. The response object leads the malware to execute further unauthorized actions on the victim’s device.   In the response object, there are two Onedriver URLs from which the malware will download two files.  The two MD5 values in the response object are the hash values of the two files. It does not save the files to local folders but to the system registry under its sub-key, as shown in Figure 12.

Figure 12. The downloaded files from Onedriver are saved in the system registry.

The sub-key name “96f709c1c080fbcb92806bd724266a03” is the victim ID, as I mentioned earlier.  It is generated with the device hardware information. The names of the values are the two files’ MD5 values, and the data is the content of the two files. It won’t download the two files if the relevant registry values exist.

Both of them are compressed PE files, which are named “plugin_3.dll” (File size: 2.3Mb, MD5:78B10BAE1DB822E486A2393F0ADBE627) and “plugin_4.dll” (File size: 37Kb, MD5: A722D3BCD1D9056D1BBE840197059BCE) on the website.  To explain how they work together, I will refer to them by their names.

Process Hollowing - Decompressing “plugin_4.dll” gets a .Net dll file (“ClassLibrary1.dll”), which is used to perform process hollowing.  “plugin_3.dll” contains an Exe file (“xmrig.exe”, the XMR Miner) that will be injected into another process by “plugin_4.dll”.

The payload module (“Fyyxdkrpjokzonmmc”) proceeds to dynamically load “ClassLibrary1.dll”, which is also thoroughly obfuscated. Its function, Plugin.Plugin.Run(), is the entry point function for process hollowing.

Figure 13.  The decrypted Miner in memory

After “xmrig.exe” is decompressed in memory, as shown in Figure 12., it calls the API CreateProcess() to create a process called "AddInProcess.exe", which is from the response object.   The function parameter Creation Flag is 12 (i.e., CREATE_SUSPENDED | DETACHED_PROCESS).   Later, it calls a bunch of key Windows APIs, such as VirtualAlloc(), GetThreadContext(), WriteProcessMemory(), SetThreadContext(), and ResumeThread(), to deploy the “xmrig.exe” into the newly-created “AddInProcess.exe” process.  Afterward, “xmrig.exe” runs as “AddInProcess.exe”, and the malware payload module becomes the daemon process to the process-hollowed process to prevent it from being killed.

Monero (XMR) Miner - XMRig is a high-performance, open-source, cross-platform (Windows, Linux, Android, and macOS) cryptocurrency miner application, which is both a CPU and GPU miner supporting RandomX, KawPow, CryptoNight, and GhostRider algorithms.  However, this platform is also commonly abused by cybercriminals to perform cryptojacking, which means hackers hijack the victim’s computing resources to mine cryptocurrencies on their behalf.  “xmrig.exe” is XMrig’s Windows version application.  It can use the CPU to mine for Monero coins.  I manually decompressed the miner application from the downloaded “plugin_3.dll” into “plugin_3_1.exe”. You can see the detailed properties of this file in Figure 14.

Figure 14.  XMRig miner property

Taking a look back at the Process Hollowing section, it created a suspended new process of “AddInProcess.exe”. Other than the Creation Flag to API CreateProcess(), it also has a Command Line parameter, like “C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:13333 -u 88hKxLYFGsx4U{…}eF.Rig998 -p x --tls --algo rx/0 --cpu-max-threads-hint=50".

The parameter string is from the response object.  It is not a parameter to the created “AddInProcess.exe” but for the xmrig.exe that has been injected into it.

 The following table contains a description for each of the options:

Figure 15.  shows how XMRig is mining Monero for the attacker.

Figure 15.  XMRig is mining Monero

Summary - In this analysis, we walked through the entire process, from executing the VBA code in the Excel document to downloading an executable file (template.exe or GHJFRGUNL.exe).  Next, I explained how the payload .Net module is extracted from the executable file and executed.  Then, you learned how the malware communicates with its C2 server and what control data (Monero miner) is received. 

Last, I elaborated on how it injects a Monero miner into another process (“AddInProcess.exe”) by executing process hollowing to mine Monero on the attacker’s behalf.  Below is a workflow chart that depicts the entire process.

Figure 16 – Workflow of the entire process

IOCs:

URLs:

• hxxps://www[.]tractorandinas[.]com/wocontent/templates[.]exe
• hxxps://onedrive[.]live[.]com/download?cid=F32323276F5346E9&resid=F32323276F5346E9%21132&authkey=AJUNOnV3DDTyOJw
• hxxps://onedrive[.]live[.]com/download?cid=F32323276F5346E9&resid=F32323276F5346E9%21131&authkey=ANCBF29YwxfXxd4

 C2 Server List:

• dnuocc[.]com:9077
• dnuocc[.]com:9078

Relevant Sample SHA-256

• [Pago.xls]

EF02701E2196F54B5858BCB67A41D34FC9A5F248EFDAE181C701C200950D638D

• [makbuzu.xls]

68346D23F359A27744B49D6EA9BD229F2929D1CEE057670D2BA73545C0BA427D

• [Pago_detalles.xls]

417AE2D5F5111DDF80B63C443E14B70EC2052B3E64A35940C9F81F262F7E526E

• [templates.exe / GHJFRGUNL.exe]

8A2194A75F972890729328A15A01B34E327A0145A6121098315AF9ECBF86ED67

GLOBAL TRENDS:   

ChatGPT is the new buzzword in the tech world as well as outside.  ChatGPT is a chatbot launched by OpenAI in November 2022.  It is built on top of OpenAI's GPT-3 family of large language models and is fine-tuned with both supervised and reinforcement learning techniques. The Artificial Intelligence (AI)-powered chatbot is deemed a disruptive tool capable of significantly altering the way knowledge and content are produced.[1]  Yet ChatGPT has taken the world by storm in recent months, but just as it has amazed people with its technical capabilities, concerns have also been raised over its potential misuse.  Now, it seems some IT leaders are worried it will soon be used in major cyberattacks, with the potential to cause devastation in the future.

In a survey of 1,500 IT and cybersecurity professionals conducted by BlackBerry, 51% of respondents believed that ChatGPT will be responsible for a successful cyberattack in the next 12 months. As much as 78% feel that attack will happen within two years, while a handful think it could happen within the next few months.  And it’s not just rogue hackers or malware gangs that the survey respondents believe will be responsible. Up to 71% feel that nation-states could already be putting ChatGPT to work on malicious tasks.  When it comes to how exactly ChatGPT will be used to help spur cyberattacks, 53% of people said it would help hackers create more believable phishing emails, while 49% pointed to its ability to help hackers improve their coding abilities.

As well as that, 49% also believed ChatGPT will be used to spread misinformation and disinformation, and 48% think it could be used to craft entirely new strains of malware.  A shade below that, 46% of respondents said ChatGPT could help improve existing attacks.  Researchers have already seen a large range of impressive uses for AI tools like this, from writing novels to composing music.  Yet those same skills that help ChatGPT fashion believable sentences could also be used to weave malicious code. As BlackBerry’s survey indicates, that’s a concern for a lot of people.[2]

Changing the malware landscape - How will these potential threats be kept in check?  As much as 95% of survey respondents argued that governments have an obligation to regulate ChatGPT-like technology, with 85% saying the level of responsibility should be “moderate” or “significant.”  It’s not just going to be governments fighting off ChatGPT-driven malware, though — 82% of IT professionals surveyed are already planning to defend against this type of attack, with the same number saying they’d used AI tools to do so.

Despite the dire outlook, ChatGPT (and tools like it) have a lot of potential to do good, and three-quarters of the survey takers agreed that it will mainly be used to benefit people.  But when it comes to malware, tools like ChatGPT could completely change the landscape.  Whether it tips the scales in favor of the attackers or defenders remains to be seen.  If it’s the latter, even the best antivirus apps might struggle to keep up.

[1] https://www.timesnownews.com/bengaluru/we-asked-chatgpt-to-list-best-biryani-outlets-in-bengaluru-see-answers-with-explanation-article-97619936

[2] https://www.digitaltrends.com/computing/chatgpt-cyberattacks-blackberry-survey/