eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
In early December 2023, the eSentire Threat Response Unit (TRU) detected an attempted, and ultimately unsuccessful, Ducktail malware infection, targeting an employee in digital marketing at a customer within the business services industry. The Ducktail distributors contacted the employee via LinkedIn with a private message containing an attachment leading to a ZIP archive.
The ZIP archive contains bloated shortcuts that are over 800MB in size. The shortcuts contain the batch scripts that execute PowerShell commands.
Figure 1: Contents of the ZIP archive
An example of one of the shortcut files is shown in Figure 2.
Figure 2: 1 _ Project information records and working contracts.lnk contents
Upon decoding the script, we get base64-encoded strings that decodes to the script shown in Figure 3.
Figure 3: Decoded PowerShell script
The script downloads the file from hxxps://gdfsgfdrgetgergdsf[.]tech/file/ps/5f8f8c05db68cca200c6379b825648b5.jpg (MD5: 5f8f8c05db68cca200c6379b825648b5).
The downloaded file is another PowerShell script (Figure 4) that downloads the decoy PDF file from hxxp://gdfsgfdrgetgergdsf[.]tech/file/docs/ (Figure 5).
Figure 4: Contents of 5f8f8c05db68cca200c6379b825648b5.jpgFigure 5: Decoy PDF file
Next, the script (Figure 6) does the following:
Creates the mutex – $mtx_child and $mtx are mutex objects used for synchronization, preventing multiple script instances from running simultaneously. It then attempts to acquire locks on both mutexes and if both locks are acquired, it indicates that no other instance is running this script.
Checks the system's UAC settings from the registry.
If UAC is disabled, it tries to download hxxps://gdfsgfdrgetgergdsf[.]tech/file/ps/d4e1a9191216420ce7989cf6c3e203cd.jpg
file and executes it with administrative privileges.
If UAC is enabled, it attempts a UAC bypass technique using fodhelper.exe (a known method for bypassing UAC on Windows) and downloads the payload hxxps://gdfsgfdrgetgergdsf[.]tech/file/dll/5be7408b84fbd40c8e7930f4c28a585a.jpg
then overwrites the legitimate propsys.dll file at C:\Windows\System32\ with it.
If the script still holds the mutex lock after a countdown, it releases the mutex and tries to retrieve hxxps://gdfsgfdrgetgergdsf.tech/file/ps/d4e1a9191216420ce7989cf6c3e203cd.jpg
file with administrative privileges.
Figure 6: Cleaned up script
As you can see in Figure 6, some of the commands are assigned to variables that are base64-encoded.
The payload retrieved contains another PowerShell script (Figure 7) that does the following:
The script queries the Windows Management Instrumentation (WMI) to check if Windows Defender or any other antivirus product is active.
If Windows Defender is running, the script adds an exclusion path to it using Add-MpPreference -ExclusionPath. This means Windows Defender will ignore files in C:\Windows\Temp, potentially allowing malicious files to be stored there without detection.
The script exits if no antivirus product is found to be running.
It then attempts to download a file multiple times in case of failure, waiting for a specified delay between retries.
The script then downloads a file (mainbot.exe) from a C2 and saves it as svczHost.exe in the C:\Windows\Temp directory.
The script creates a new scheduled task (zServicequyet) to execute the downloaded file (svczHost.exe or mainbot.exe) with the argument “quyet”. The task is configured to run with the highest privileges (SYSTEM user) and is set to trigger at logon.
Figure 7: Snippet of d4e1a9191216420ce7989cf6c3e203cd.jpg
The retrieved file 5be7408b84fbd40c8e7930f4c28a585a.jpg (MD5: 5be7408b84fbd40c8e7930f4c28a585a ) contains the obfuscated PowerShell command to retrieve the d4e1a9191216420ce7989cf6c3e203cd.jpg file as shown in Figure 8. The command is being decrypted via the hardcoded XOR key, but the threat actors made sure to make it hard to find it via numerous bitwise operations and conditional jump instructions (Figure 8).
Figure 8: Snippet of the decryption routine in 5be7408b84fbd40c8e7930f4c28a585a.jpg file
The payload mainbot.exe retrieved from C2 is responsible for establishing the connection with the C2 server and taking remote commands. Upon successful bot registration, the infected host obtains myRdpService.exe (MD5: 1ade74bbf88c1a41a352682a8f2265f9) from C2 and RDP Wrapper configuration (hxxp://138.201.8[.]186:8000/file/rdpwrap.txt).
The commands upon checking in from mainbot.exe:
begin connect
begin sending DEVICEINFO|quyet!D5A7F263FE404D449438C649AA1E54EE|79b707124b0b4a92b2949acb220b1235|Admin|1.7.2
Further commands from the bot:
STATUS|23/12/2023 10:26:56|Set permission of C:\Users\Default\AppData
STATUS|23/12/2023 10:27:12|add exclude result
STATUS|23/12/2023 10:26:56|Success
STATUS|23/12/2023 10:26:56|Set permission of C:\Users\Default User\AppData
STATUS|23/12/2023 10:26:56|Success
STATUS|23/12/2023 10:26:56|Set permission of C:\Users\username\AppData
STATUS|23/12/2023 10:26:56|role admin name Administrators
STATUS|23/12/2023 10:26:56|Set permission of C:\Windows\Temp
STATUS|23/12/2023 10:26:56|RDP|False
STATUS|23/12/2023 10:26:56|Success
STATUS|23/12/2023 10:26:56|Set permission of C:\Users\Default\AppData
STATUS|23/12/2023 10:26:56|role admin name Administrators
STATUS|23/12/2023 10:26:56|Success
STATUS|23/12/2023 10:27:29|status term service
STATUS|23/12/2023 10:27:05|Success
STATUS|23/12/2023 10:27:08|create user result
STATUS|23/12/2023 10:27:12|term service install state True
STATUS|23/12/2023 10:27:20|delete old rdpwrap ok
STATUS|23/12/2023 10:27:20|delete file rdpwrap.ini ok
STATUS|23/12/2023 10:27:22|try download from hxxp://138.201.8[.]186:8000/file/rdpwrap.txt OK
STATUS|23/12/2023 10:27:22|start TermService againt
STATUS|23/12/2023 10:27:20|try download from hxxp://138.201.8[.]186:8000/file/rdpwrap.txt
STATUS|23/12/2023 10:27:20|delete old rdpwrap ok
STATUS|23/12/2023 10:27:20|delete file rdpwrap.ini ok
STATUS|23/12/2023 10:27:20|try download from hxxp://138.201.8[.]186:8000/file/rdpwrap.txt
STATUS|23/12/2023 10:27:22|try download from hxxp://138.201.8[.]186:8000/file/rdpwrap.txt OK
STATUS|23/12/2023 10:27:22|start TermService againt
STATUS|23/12/2023 10:27:29|status term service
STATUS|23/12/2023 10:27:34|check file hash 1ade74bbf88c1a41a352682a8f2265f9 of file <a href="http://138.201.8">http://138.201.8</a>[.]186:8001/file/t/RdpService[.]exe
STATUS|23/12/2023 10:27:34|download my rdp service new success, setup
STATUS|23/12/2023 10:27:37|result install myRdpService
STATUS|23/12/2023 10:27:44|hide user
STATUS|23/12/2023 10:27:44|hide user success
As you can observe from the hints above, mainbot.exe checks the hash of the retrieved RdpService[.]exe file, attempts to create the user “User1” on infected machine, performs the exclusion of “C:\Program Files” folder for Windows Defender and changes the access control list for specific folders. Periodically it also sends “TESTDATA”.
myRdpService.exe establishes the remote connection with hxxp://23.88.71[.]29:8000 sending the following command containing Device ID and the presumably threat actor’s name that is used as an argument to run mainbot.exe and myRdpService.exe payloads (DEVICEID_quyet_5C0B1DC44D4E637D1A6B43502D6F6167_1.6.5).
Two files are dropped in the working directory after successful exection of myRdpService.exe: deviceId.txt (contains device ID) and log_rdp_<ddmmyyyy_yy>.txt (contains log messages) (Figure 9).
Figure 9: Contents of log_rdp_.txt file
The service “myRdpService” is created to start myRdpService.exe with an argument “quyet” under the working directory.
Two core payloads, named 'mainbot.exe' and 'myRdpService.exe,' are .NET payloads compiled using native Ahead-Of-Time (AOT) compilation to make the analysis process more complicated.
The rest of the shortcuts perform similar actions described above but the hashes for files for some shortcuts are different.
What did we do?
Our team of 24/7 SOC Cyber Analysts isolated the affected host, contained the threat, and notified the customer of suspicious activities.
What can you learn from this TRU Positive?
The use of LinkedIn messages to deliver malware via a ZIP archive underscores the creativity of attackers in exploiting professional networks and platforms for distributing malware. This approach highlights the need for caution when interacting with unsolicited messages and attachments, even on reputable platforms.
The creation of scheduled tasks and services, along with techniques to bypass User Account Control (UAC), indicates the attackers' focus on avoiding detection and maintaining a persistent presence on the infected system. This highlights the need for robust security measures and continuous monitoring of system activities.
The script’s ability to query the Windows Management Instrumentation for active antivirus products and to add exclusion paths to Windows Defender reveals the attackers' intent to circumvent standard security defenses. This calls for enhanced security protocols and regular updates to antivirus software.
The payload's functionality is to establish a connection with a command-and-control server, execute remote commands, and potentially exfiltrate data points to the risk of sensitive information theft. This reinforces the necessity of network monitoring and the implementation of data loss prevention strategies.
Recommendations from our Threat Response Unit (TRU):
Victims should review their Facebook Business users for unauthorized users.
Raise awareness of malware masquerading as legitimate applications, and include in your Phishing and Security Awareness Training (PSAT) program. An effective PSAT program emphasizes building cyber resilience by increasing risk awareness, rather than trying to turn everyone into security experts.
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
