Stay in touch
Sign up to get the latest News about Cloud Security.
Delivery via phishing mailThe initial phishing mail tricks the recipient into a special business offer, which is supposed to be included in an enclosed PDF called “inquiry.pdf”. The email tries to be more convincing by using the complete contact information. Since this information is often real, we have blackened it in the screenshot below. The attached phishing PDF looks like a link to Dropbox but includes a URL that downloads an archive file from another source. This “inquiry.zip” ZIP archive contains the file “inquiry.scr”. The file extension “scr” is only an alternative to “exe” and was formerly used for executable PE files that install screensavers. In this case, it is a self-extracting Winrar archive that is being misused as a malware dropper.
Use of a self-extracting archiveThe strings contained in the file show that the scr file is a self-extracting Winrar archive. Significant strings include:
- SoftwareWinRAR SFX
- WinRAR self-extracting archive
- 42 randomly named files with different endings, which are only about 500 bytes in size and contain ASCII data
- The legitimate administration tool AutoIT, renamed as “mta.exe”
- An ASCII file “qoa.docx” that is 951K in size and contains the configuration for AutoIT
- • An ASCII file “stt = dsr” that is 3MB in size and contains an obfuscated script in the AutoIT native VBA-like scripting language
Attackers abuse automation tool AutoITAutoIT is a legal tool , used to automate administrative tasks. It provides its own scripting language, which is based on VBA. The tool is available for free and has unfortunately been used so many times by criminals to install malware that it is sometimes mistaken for being dangerous. The AutoIT script in the file “stt = dsr” from the ZIP archive has an AntiAV technique built in which will put the application to sleep if the process “avastui.exe” is running on the system. It reads out different values from the section “Setting” in the “qoa.docx” configuration file. Afterwards, a randomly named file is created into which one of the detected strings is written. This file is also an obfuscated AutoIT script, 272K in size, and is called “DIENU” in our case. In this file, the string “Settings File Name” is overwritten with the name of the configuration file “qoa.docx”. Then the script sets the attributes of all extracted files to “hidden” and “read only” to make them as inconspicuous as possible. AutoIT is started and the created “DIENU” script, which uses “qoa.docx” as a configuration file, is passed to AutoIT.
Intelligent system check before installing NanoCoreThe “DIENU” script makes some changes to the system, such as changing the system configuration and registry entries. It tries to find out if it is running in a VMware or Virtualbox Sandbox. If so, the script aborts to avoid potential analysis. Subsequently, the Remote Access Trojan is installed by injecting malicious code into the process memory of RegSvcs.exe – a .NET tool designed to install services. This technique is often used to hide malware in legitimate programs.
Flexibility of NanoCore through modular designNanoCore has a modular structure. The respective plugins, which can be switched on and off independently, are described in detail in an article by DigiTrust. Two plugins were used in this attack: the client plugin in version 126.96.36.199 and the surveillance plugin with product version number 188.8.131.52. The plugins were written as library files “ClientPlugin.dll” and “SurveillanceExClientPlugin.dll” for .NET and obfuscated with the tool “Eazfuscator.NET 3.3”. The methods have the attributes “DebuggerHiddenAttribute” and “DebuggerNonUserCode”, to complicate the analysis with a debugger. This prohibits debugging these methods and setting breakpoints.
Client-PluginThe client plugin is the basic element that handles communication with the command-and-control server and the management of collected information in a key/value collection. The information can optionally be compressed and send to the C2 server via pipe. The client also has options to change settings, uninstall plugins as well as uninstall and control the host computer, such as shutting it down, restarting it, or disabling security mechanisms.
Surveillance-PluginThe surveillance plugin comes with all sorts of features for spying on the victim. This allows the attacker to collect passwords, logs and DNS records. The host computer is remotely controllable, and recordings of key inputs, the microphone, or the webcam can be recorded. The Surveillance Plugin can receive four commands:
- Password: SendTools, EmailClient, InternetBrowser
- Logging: (KeyboardLogging, ApplicationLogging, DNSLogging, GetLogs, DeleteLogs, ExportLogs, ViewLogs)
- Keyboard: Write, Download, LogToServer
- Dns: GetRecords
No getting through thanks to Hornetsecurity ATPAs sophisticated as the obfuscation methods of this NanoCore attack are, the true intent of the tool is recognized by the behavioral analysis of the Hornetsecurity ATP Sandbox. It recognizes both the unpacking of the files, the creation of new files, the process injection of the NanoCore DLLs into a legitimate process, the modification of the registry entries as well as the network communication.
Indicators of CompromiseDie folgenden Dateien mit ihren sha256-Hashwerten wurden in dem Angriff verwendet. Da AutoIT eine legitime Software ist, führen wir das Tool hier nicht mit auf.
- inquiry.pdf** 9c5d693e7c86f8f0c05af495d95a9d6f998ec93bec5c6f8d560d54f8a945f866
- inquiry.zip** e0d88bab6749297eb1c03ec1e86bb0d9b7e53d10de8c05dcde032e5f040d03a2
- inquiry.scr** 4a71602852c7a1a2b3c3c9690af9a96b57c622b459e4fff4f34d43c698b034b8
- DIENU** 5612ac210a8df891f9ed07c5a472beb0d78f1f714f9f37e31320ec1edbc41d9c
- SurveillanceExClientPlugin.dll** 01e3b18bd63981decb384f558f0321346c3334bb6e6f97c31c6c95c4ab2fe354
- ClientPlugin.dll** 61e9d5c0727665e9ef3f328141397be47c65ed11ab621c644b5bbf1d67138403
- qoa.docx** f36603bf7558384d57a9f53dfcd1e727bd6f56d4a664671f06fd5ca1383413d0
- stt=dsr** 6236beb6702dd8396339fdad8c4539d7e177733a0f7cff1ded06f060895feac1