Pierluigi Paganini
January 25, 2019
During the last weeks, the Cybaze-Yoroi ZLab researchers identified infection attempts aimed to install RAT malware directed to the naval industry sector. The malicious email messages contained a particular Adwind/JRat variant delivered via several methods tailored to lure the target company.
In the recent past, similar attack cases hit this industry, such as the MartyMCFly case, where the attackers weaponized their emails with QasarRAT payloads. Instead, in this case, Cybaze-Yoroi ZLab detected the usage of multiplatform Java malware.
A preliminary analysis of the two malicious email waves shows no common strict indicators: the
In detail, the first email wave has been prepared to simulate a purchase order, trying to impersonate administrative personnel of an italian company operating in the Hydraulic and Lifting sectors, “Difast Srl”. These messages were written in Italian.
The second email wave, instead, was not Italian speaking anymore. This time the attacker were trying to impersonate a German logistic company, “Dederich Spedition”, simulating another kind of purchase order communication.
However, we figured out these two email waves were linked to the same attacker.
The following attachments have been analyzed by Cybaze-Yoroi Zlab team:
| Hash | Sha 256:a17b18ba1d405569d3334f4d7c653bf784f07805133d7a1e2409c69c67a72d99 |
| Threat | JAR/Dropper |
| ssdeep | 12288:1zdaHanWmyPL64RrYzX/6ZjHfTMmy7KUBjycRKXsfp330VPMsCXtZcLzSU:1zUHanW3DJRr0/ubfTK3hycjfx30VPMw |
| Hash | Sha256:cb5389744825a8a8d97c0dce8eec977ae6d8eeca456076d294c142d81de94427 |
| Threat | JAR/Dropper |
| ssdeep | 12288:LR9aQ+oSsyJZVqhoae1yjocYKLCpOo5q/mOmFgnxhQZMR:C4yuoCoflp1DFOxx |
| Hash | Sha256:5b7192be8956a0a6972cd493349fe2c58bc64529aa1f62b9f0e2eaebe65829be |
| Threat | JS/Dropper |
| ssdeep | 12288:Vhz+1VYSCR8TedejbWcGrwmzt7cOk6O6vJX9SxmN6QjH9HJW93awECdf66bC8a:rzbsedejF1k1BXFRVJjXl |
The first two malware samples were attached to the suspicious emails sent since 16th January. The last was embedded into the 21st January emails.
Analyzing in detail the first two JAR archives, it’s possible to see the source code is the same, except for name of the declared classes. Thus, the analysis are conducted only on one of them.
Differently from other ones, the JS file has a different structure how visible in the following figure.
Despite the different structures of code and programming languages, all the dropper samples have the same encoded payload strings.
The string labeled with the variable name “duvet” hides another layer of code. The obfuscation method is quite easy: just replace the “#@>” character with “m”, and convert all from base64. The results of decryption is visible in the following figure:
In the previous code snippet, a malware routine checks the existence of the Java environment on the victim machine: if it is not installed it downloads the JRE environment from an external location, a potentially compromised third party website “hxxp://www[.thegoldfingerinc[.]com/images/jre.zip”.
After downloading the JRE archive, the malware installs it on the victim machine. At this point, the malware triggers the persistence mechanism and sets the typical “CurrentVersion\Run” registry key.
After many deobfuscation rounds of the nested base64 strings recovered, the final results is:
The “longText” variable hides the final payload: another .jar file. Instead, decoding the variable “longText1”, we retrieved the following code snippet:
This code, able to create a localhost listener or a sort of proxy on port 7755, is actually unused by the other part of the RAT malware.
As anticipated before, the “longText” variable encodes a JAR executable containing the infamous, multi-platform (Win/macOS), Adwind/JRat malware: a Remote Access Tool well known to the InfoSec community.
| Hash | Sha256:9b2968eaeb219390a81215fc79cb78a5ccf0b41db13b3e416af619ed5982eb4a |
| Threat | Adwind/JRAT |
| ssdeep | 12288:jz8uQYmMzFIXJ9A2G5px ogQNUhIK/0c2qnAv:EuQ/ImYnsS7B2qnk |
The structure of the code seen in the above figure, indicates the fact that it is the canonical Adwind/JRat malware, containing the “JRat.io” false flag.
Finally, we extrapolated the configuration of the RAT payload, the JSON object reported in the following snippet.
The remote destination address 185.244.30.93, belonging to “Stajazk VPN” services, hosts the control server reachable on port tcp/9888. Also, the configuration reveal the nickname field containing the string “MANUEL1986”.
The usage of the VPN service hides the real location of the attacker, however, the specific IP isn’t new to the threat intel community, it has been abused since october 2018. Particularly interesting is the presence of the No-IP domain “manuel.hopto.org”: this domain also resolved Nigerian IP addresses of the 37076-EMTS-NIGERIA-AS, and and the Italian AS1267 back in 2012-2014.
The analyzed case shows how threat actors may quickly vary attack techniques and artifact characteristics, trying to masquerade their intent by making harder to track their attempts. Proving the investigation capabilities of a threat research team are fundamental into a modern cyber security paradigm.
The specific attack waves are not likely related to the
Further details, including IoCs and Yara Rules, are reported in the analysis published on the Yoroi blog.
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(
[adrotate banner=”5″] [adrotate banner=”13″]
