Palo Alto Networks Unit 42 has discovered a new malware family written using the Microsoft .NET Framework. A cursory investigation into the malware showed that the attackers had a flair not only for malware naming, but also for choosing interesting targets. Our initial interest was piqued by a tweet from a fellow researcher who had identified malware using a lure themed around the Ukrainian Ministry of Defense.
Figure 1 — The decoy document displayed to users when executing the initial malware sample.

The sample was an SFX executable which displayed a decoy document to users before continuing to execute the malware; the hash of the file is given below.
Using AutoFocus, we were quickly able to find similar samples by pivoting on the artifacts the malware created during a sandbox run, resulting in 7 other samples, as shown in Figure 2.
Figure 2 — Pivoting in AutoFocus makes it easy to find similar malware samples.

We quickly built up a picture of a campaign spanning just over 2 years with a modest C2 infrastructure:
The malware samples we discovered fell largely into two buckets: the open-source Quasar RAT and the new family analyzed below. Quasar RAT is an open-source malware family which has been used in several other attack campaigns, including criminally and espionage-motivated attacks.
Looking at the samples in our cluster, we could see that the themes of the dropper files were similar to our first sample. Notably, most of the other files we discovered did not come bundled with a decoy document; instead they were simply the malware and dropper compiled with icons matching popular document-viewing tools, such as Microsoft Word.
Names of some of the other dropper binaries observed are given below, with the original Ukrainian on the left and the Google-translated English on the right:
Analyzing the malware dynamically quickly gave us a name for the malware, based on the PDB string present in the memory of the sample:
As is the case with many of the samples from the threat actors behind VERMIN, our sample is initially packed with the popular .NET obfuscation tool ConfuserEx. Using a combination of tools, we were able to unpack and deobfuscate the malware.
Following initial execution, the malware first checks whether the installed input language on the system is equal to any of the following:
The fact that this functionality does not work as intended suggests that, if the author tested the malware before deployment, they were likely doing so on systems whose language matches the list above, since otherwise they would have noticed that the function does not work as expected.
The malware has a fairly easy-to-identify C2 check-in with interesting headers. From the looks of it, it may be trying to patch itself.

At the bottom of this long POST request, filled with all of my system's data, is a base64-encoded part which decodes to a list of registry key names, software, etc. These were not all on my system, so it seems to be a static list.

Quasar RAT is a .NET Framework open-source remote access trojan family used in cyber-criminal and cyber-espionage campaigns to target Windows operating system devices. It is often delivered via malicious attachments in phishing and spear-phishing emails. Below you can see the connection that was established.

Below you can view my run starting at the AZORult binary.

The Quasar server does not even verify that a file was requested from the victim. We can respond to those commands by instead sending two files of our choice to the Quasar server. Again, we control the content of the file, the size, and the path and filename.
Although Downeks has been publicly examined to some extent, our analysis found several features not previously described.
Earlier Downeks samples were all written in native code. However, among our Downeks samples, we found new versions apparently written in .NET. We observe many behavioral similarities and unique strings across both the native Downeks versions and the new .NET versions. Almost all of the strings and behaviors we describe in this analysis of a .NET version are also present in the native version. As seen in previous Downeks versions, it masquerades with icons, filenames and metadata imitating popular legitimate applications such as VMware Workstation (Figure 1) and CCleaner, or common file formats such as DOC and PDF.
All 3 samples were compiled with the same timestamp. Downeks is a backdoor with only very basic capabilities. It runs in an infinite loop: in each iteration it requests a command from the C2, and then it sleeps for the time period it receives in the C2 response, defaulting to 1 second if no sleep-time is sent.
The data that is sent in the POST is serialized as JSON, which is then encrypted, and finally base64-encoded. Unfortunately, we were unable to get any C2 servers to issue download commands to any samples that we tested in our lab.
Downeks can also be instructed to execute binaries that already exist on the victim machine. After successful execution, Downeks returns the results to the C2 server.
The filenames across the two variants bear striking similarities. One field sent to the C2 is a pseudo-unique ID for each machine, based on the install date taken from the registry, the volume serial number, the OS version and service pack, the processor architecture, and the computer name.
Downeks enumerates any antivirus products installed on the victim machine and transmits the list to the C2. It constructs this list using the following WMI query:
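The beacon loop, message encoding and host-ID fields described in the preceding paragraphs are easier to reason about with a lab emulation in hand. The following is an added example, not Downeks code and not from the original report: it models both sides of the exchange in memory so the command flow can be studied without a live C2 (which, as noted above, would not issue download commands in the lab). The JSON field names, the command set, the stand-in XOR cipher and the SHA-1 hash used for the machine ID are all assumptions; the report names none of them.

```python
"""Lab emulation of the Downeks-style beacon loop.

Added example: not Downeks code and not from the original report.
Assumptions (not stated by the report): the JSON field names, the command
set, the cipher (a stand-in XOR keystream; the real one is unnamed here) and
the hash used to derive the machine ID (SHA-1). Everything runs in memory.
"""
import base64
import hashlib
import json

LAB_KEY = b"lab-key"  # constructed stand-in, not a key from any sample


def stream_cipher(data: bytes, key: bytes) -> bytes:
    """Stand-in symmetric cipher (assumption): XOR with a repeating key.
    Applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def machine_id(install_date: str, volume_serial: str, os_version: str,
               service_pack: str, arch: str, computer_name: str) -> str:
    """Pseudo-unique host ID from the six fields the report lists.
    The hash (SHA-1 of the joined fields) is an assumption."""
    joined = "|".join([install_date, volume_serial, os_version,
                       service_pack, arch, computer_name])
    return hashlib.sha1(joined.encode()).hexdigest()


def encode_message(payload: dict, key: bytes = LAB_KEY) -> str:
    """JSON -> encrypt -> base64, the order the report gives for the POST body."""
    raw = json.dumps(payload, sort_keys=True).encode()
    return base64.b64encode(stream_cipher(raw, key)).decode()


def decode_message(body: str, key: bytes = LAB_KEY) -> dict:
    """Inverse of encode_message."""
    return json.loads(stream_cipher(base64.b64decode(body), key))


def sleep_seconds(response: dict) -> int:
    """Sleep-time from the C2 response; 1 second when absent or malformed,
    matching the default the report describes."""
    value = response.get("sleep")
    if isinstance(value, int) and not isinstance(value, bool) and value > 0:
        return value
    return 1


class LabC2:
    """Fake C2 that replays a scripted queue of commands and records every
    beacon it receives, for when a live server will not cooperate."""

    def __init__(self, commands):
        self.queue = list(commands)
        self.seen = []

    def handle_post(self, body: str) -> str:
        self.seen.append(decode_message(body))
        reply = self.queue.pop(0) if self.queue else {"cmd": "noop"}
        return encode_message(reply)


def simulate_command(command: dict):
    """Records what the bot would do; nothing is downloaded or executed."""
    cmd = command.get("cmd")
    if cmd == "download":
        return "downloaded " + command.get("url", "")
    if cmd == "execute":
        return "executed " + command.get("path", "")
    return None


def run_bot(c2: LabC2, host_id: str, av_products: list, iterations: int) -> list:
    """Bounded version of the infinite loop: beacon, act, then sleep for the
    period the C2 sent. Returns (command, sleep) per iteration; the sleep is
    recorded rather than performed so the run completes instantly. The result
    of each command is returned to the C2 on the next beacon."""
    log = []
    result = None
    for _ in range(iterations):
        beacon = {"id": host_id, "av": av_products, "result": result}
        response = decode_message(c2.handle_post(encode_message(beacon)))
        result = simulate_command(response)
        log.append((response.get("cmd"), sleep_seconds(response)))
    return log


# Constructed host fingerprint (not real telemetry).
SAMPLE_HOST_ID = machine_id("20170104", "1A2B3C4D", "6.1", "SP1", "x64", "LAB-PC")
SAMPLE_AV = ["Windows Defender"]

if __name__ == "__main__":
    c2 = LabC2([
        {"cmd": "download", "url": "http://example.invalid/a.exe", "sleep": 5},
        {"cmd": "execute", "path": "C:\\ProgramData\\a.exe"},
    ])
    for entry in run_bot(c2, SAMPLE_HOST_ID, SAMPLE_AV, 3):
        print(entry)
```

To use this against a real capture, swap stream_cipher for the sample's actual routine once it is recovered from the unpacked binary and point the client at LabC2.handle_post through a local HTTP listener; the rest of the loop stays the same.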
We observed these Quasar samples:

A second Quasar sample was also observed attacking this new victim:

However, based upon the timeframe of the subsequent telemetry we observed, we understand the attack chain as follows:

- The initial dropper, which varies across attacks, is delivered to the victim via email or web.
- Additional Downeks downloaders connect to the previously-observed server dw.
Figure 1 - Quasar and Downeks

Charting the samples and infrastructure clearly shows the separate Downeks campaigns and the infrastructure links (Figure 2).

Figure 2 - Infrastructure Patterns and Connections

In Figure 2, the top-right (green) cluster is the Quasar infrastructure (Figure 3), with a link to the Downeks infrastructure.
The timing of the attacks is commensurate with the Middle-Eastern working week (Figure 6).

Figure 6 - Attacks by day-of-the-week

The sample build days-of-the-week follow an almost identical pattern (Figure 7).

Figure 7 - Builds by day-of-the-week

We saw five samples built on the same date in December, and six on the same date in January, further solidifying the link between the samples.
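The two checks above (a day-of-week histogram of build or attack times, and a search for several samples compiled on one date) are a routine triage step worth scripting. The following is an added example, not part of the original report, run over a constructed table of sample names and compile timestamps; the "Sunday to Thursday" definition of the working week is an assumption, and the same histogram function applies unchanged to attack-telemetry timestamps.

```python
"""Day-of-week and same-date clustering of sample build times.

Added example, not from the original report. SAMPLES is constructed data
for illustration; the Sunday-to-Thursday working week is an assumption.
"""
from collections import Counter, defaultdict
from datetime import datetime

WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday",
            "Friday", "Saturday", "Sunday"]
SUN_TO_THU = {6, 0, 1, 2, 3}  # datetime.weekday(): Monday=0 ... Sunday=6

# Constructed triage table: (sample name, PE compile timestamp, UTC).
SAMPLES = [
    ("s01", "2016-12-13 08:14:00"), ("s02", "2016-12-13 08:20:00"),
    ("s03", "2016-12-13 09:02:00"), ("s04", "2016-12-13 11:47:00"),
    ("s05", "2016-12-13 14:05:00"),
    ("s06", "2016-12-16 10:00:00"),
    ("s07", "2016-12-11 09:30:00"),
    ("s08", "2017-01-09 12:00:00"),
    ("s09", "2017-01-10 07:55:00"), ("s10", "2017-01-10 08:03:00"),
    ("s11", "2017-01-10 08:41:00"), ("s12", "2017-01-10 10:10:00"),
    ("s13", "2017-01-10 13:22:00"), ("s14", "2017-01-10 15:48:00"),
    ("s15", "2017-01-14 11:11:00"),
]


def parse_ts(value: str) -> datetime:
    """Timestamps are kept as naive UTC strings in the table."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def builds_by_weekday(samples) -> Counter:
    """Histogram of timestamps by weekday name (the Figure 7 view for builds;
    feed it attack-telemetry timestamps for the Figure 6 view)."""
    return Counter(WEEKDAYS[parse_ts(ts).weekday()] for _, ts in samples)


def same_date_clusters(samples, min_size: int = 3) -> dict:
    """Dates on which at least min_size samples were built, with their names.
    Batches built on one day are the link the report draws between samples."""
    by_date = defaultdict(list)
    for name, ts in samples:
        by_date[parse_ts(ts).date().isoformat()].append(name)
    return {d: names for d, names in sorted(by_date.items())
            if len(names) >= min_size}


def share_on_workdays(samples, workdays=SUN_TO_THU) -> float:
    """Fraction of timestamps that fall on the given working days."""
    if not samples:
        return 0.0
    hits = sum(1 for _, ts in samples if parse_ts(ts).weekday() in workdays)
    return hits / len(samples)


if __name__ == "__main__":
    print(builds_by_weekday(SAMPLES))
    print(same_date_clusters(SAMPLES))
    print(f"{share_on_workdays(SAMPLES):.0%} of builds fall on Sunday-Thursday")
```

Compile timestamps can be forged, so treat a weekday pattern as corroborating evidence alongside infrastructure and telemetry rather than as attribution on its own; the same-date clusters are the more robust signal because they survive even when the absolute dates are wrong.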
Quasar

We analyzed a Quasar sample we found that was communicating with an active C2 server at the time of analysis. We observed the following customizations:

After decompilation, only fragments of the packer survive on this page. Read together they describe a standard .NET loader chain: the packer fetches an embedded resource (GetAssembly(resource, args)), decompresses it (UnZip(data)), decrypts it with AES using a key obtained through GetBytes(key) and streamed through a CryptoStream (CopyTo(src, cryptoStream) and Read(ds, ...)), rewinds the buffer (memoryStream.Seek(0L, SeekOrigin.Begin)), returns the loaded Assembly, and invokes the unpacked entry point with Invoke(null, parameters2). Type registrations of the form Exts.Add(typeof(object), ...) and Exts.Add(typeof(int), ...) and a reflection lookup, GetProperty(fieldName) followed by a check on fiServ, also appear. Once the packer finds a particular array of 6 bytes, it performs an MD5 hash sum on those bytes; this value is used as the key.

After this, the malware is ready to start operations, and does so by collecting various information about the infected machine. Collected information includes but is not limited to:

Here is a previous blog I did some time ago with similar traffic:

The password of the sample we analyzed is: