返回 TI 主页

Overview

APT groups often use some uncommon file types to host malicious code in order to increase the probability of immunity against antivirus software, such as CD-ROM image files (.iso) and virtual hard disk files (.vhd), which we have monitored for abuse in recent years. And the use of these two formats can effectively circumvent the MOTW mechanism (a security measure in which Windows displays a warning message when a user tries to open a file downloaded from the Internet). The effectiveness of the Lazarus group's attack campaign was evident back in November '22 when we disclosed that its attack components using the vhdx format had a detection rate of 0 on VirusTotal.

When combing through the recently uploaded vhdx files we found that from September to December 2022, Kasablanka group is suspected of attacking Russia, and its targets include the Russian Federal Government Cooperation Agency, the Ministry of Foreign Communications of the Astrakhan Region of Russia, etc., and the detection rate of some samples is always 0.

Analyzing and organizing the captured samples, the Kasablanka group used a socially engineered phishing email as the entry point for the attack, with a virtual disk image file attached, which nested a variety of next-stage payload executions including lnk files, zip packages, and executables. In the early stages of the attack the final execution was the commercial Trojan Warzone RAT, in the later stages of the attack we observed that the executed Trojan changed to Loda RAT.

Decoy File

A phishing attack against the Agency of the Government of the Russian Federation for CIS Affairs, Aliens and International Humanitarian Cooperation, or "Россотрудничество".

The translation of the phishing email content is as follows:

Phishing email attack against the Ministry of Foreign Communications of the Astrakhan Region of Russia.

The translation of the phishing email is as follows:

One of the phishing email attachments uses the situation related to the Republic of Turkey in 2022 as a bait.

Attacks using articles related to Russian import substitution and migration policy in 2015 as bait.

In addition, the Kasablanka group intercepted the first page from Resolution No. 1725 published on the official website of the Government of the Russian Federation as a decoy.

And the relevant content of the draft Digital Code of Kyrgyzstan was used as a bait.

Sample Analysis

The captured samples are all virtual disk image files (.vhdx suffix), and the sample decoy names and contents are in Russian and uploaded from Russian regions. Some of the samples use lnk files as downloaders for the next stage payload.

Some attack samples package the decoy and Warzone RAT into a zip file in a virtual disk image file.

Or there is no decoy file and the lnk file is directly disguised as a folder to lure victims to click on it.

We have sorted out links to download the relevant payloads, as shown in the table below:

Links Remarks
http://179.60.150.118/new.exe Warzone RAT
http://89.22.233.149/ms7.hta Unknown
http://193.149.129.151/vmsys Unknown
http://45.61.137.32/www.exe Warzone RAT
http://45.61.137.32/svvhost.rar Loda RAT
http://45.61.137.32/Scanned_document.exe Loda RAT

Warzone RAT

Warzone RAT, also known as AveMaria RAT, is a commercial trojan developed in pure C/C++, which has been sold publicly on the internet as a software subscription since 2018 and is compatible with systems below Windows 10, with remote desktop, password stealing, keylogging, remote commands, permission elevation, download execution and many other remote control functions. It has been used by several APT groups, including Confucius, Bitter, Blind Eagle (APT-Q-98) and other groups .

This captured Warzone RAT eventually establishes a TCP connection to the server hbfyewtuvfbhsbdjhjwebfy.net (193.188.20.163) .

It has a wide variety of remote control commands, including the following functions.:

Function number Function
0x0 Obtain information about the controlled machine
0x2 Get process list information
0x4 Get drive information
0x6 Get directory information
0x8 Retrieving files from the victim device's folder
0xA Delete the specified file
0xC Ends the specified process
0xE Remote shell
0x10 Ends the specified thread
0x12 List the victim's camera device information
0x14 Turn on the camera
0x16 Stop the camera
0x18 Get the title of the active program
0x1A Exit and delete your own files
0x1C Downloading files to the controlled end
0x20 Get browser password
0x22 Download the file from the given URL to the controlled end and execute it
0x24 Online keylogging
0x26 Offline keylogging
0x28 Install HRDP Manager on the victim's device
0x2A Enable reverse proxy
0x2C Stop reverse proxy
0x30 Start remote VNC
0x32 Shutting down remote VNC
0x38 Reverse proxy port settings
0x3A Execute or open the specified file
0x48 Injection into the specified process
0x4A Traversing to get file information
0x4C Multiple post-command breakdowns, including shutdown, network test, exit, etc

Loda RAT

Loda RAT is a proprietary malware written in AutoIt script language, first captured and disclosed in the wild by Proofpoint in September 2016, the name 'Loda' derives from the malware author's choice of directory to write keylogger logs to as Loda.Subsequently Cisco discovered multiple variants of Loda RAT and found that the RAT added spying capabilities to the Android platform. After a series of investigations, Cisco concluded that the group using the malware was based in Morocco and named the group Kasablanka (the largest city in Morocco) [1].

Analysis of the captured sample showed that it was written in C# and obfuscated so extensively that common tools could not decompile it, and added a large amount of 00 data at the end of the PE file, swelling the entire file size to 741MB.

After execution, the sample first releases and executes the Loda RAT packaged with AutoIt in the %appdata% directory, and the AutoIt script can be restored by using the deep analysis function of QiAnXin's Threat Intelligence Center Cloud Sandbox, and the behavior and functions of the trojan can be seen by analyzing the script.

Loda RAT first detect antivirus products installed on victim machines through WMI commands.

Followed operation is collecting some information of victim host, including permissions, operating system version, etc.

And adding persistentence by creating %appdata%\Windata\svshost.exe and NFOKQN.lnk shortcut to svshost.exe in windows startup directory.

Uploading the collected information and then takeing screenshots.

Subsequently enter the remote control loop, by processing the data returned by C2, and then correspond to the detailed remote control instructions, and its remote control instructions divided into a relatively fine function, rough statistics have 144 remote control instructions, due to the reasons of space, we will not do a detailed introduction, a general overview of its remote control functions.

  • Recording
  • Upload and download files
  • Execute the specified file
  • Shutdown
  • Close the specified process
  • Stealing user cookies, passwords
  • Turn on keylogger
  • Delete keylogger data
  • Download and execute the file from the specified URL
  • Get file or directory size
  • Allow RDP connections by modifying the registry
  • Compressing/uncompressing files
  • Copy files or directories
  • Enumerate connected drives
  • Enumerate hot folder locations
  • Detect UAC settings
  • Send mouse clicks (to the left or right is a separate command)
  • Capture screenshots and send to C2
  • Open/close CD trays
  • Recording
  • Turn off Windows Firewall
  • Send the name of running processes to C2
  • Exit, uninstall
  • Create a GUI chat window to save the victim/attacker conversation to a file

In addition, in the previous version, LodaRAT downloaded SQLite3.dll from the official AutoIt website because it was needed to extract sensitive information from the browser database, but the embedded URL had been unavailable for download. So in the latest version, the Kasablanka group transcoded it directly to hex, embedded in in the script.

Association & Attribution

In C2:193.149.129.151, we trace back to Trojan "systeml.dll", written in C# and only 8.5KB in size, whose function is to download WinScp tools to synchronize files with remote computers and set scheduled tasks to persist, making it a potential backdoor.

In another C2: 179.60.150.118, we associate two files packaged by Pyinstaller, both of them are downloaders and have the same core code.

After Base64 decoding, you can clearly see that by requesting port 443 of 179.60.150.118 to get the follow-up payload to execute, and the payload is Warzone RAT or CS Trojan.

Some security vendors believe that Loda RAT is the exclusive trojan of Kasablanka group, but since Loda RAT is compiled from AutoIt scripts and its source code can be obtained by decompiling it, 'false flag' activities by other threat actors using the decompiled source code are also possible.

In terms of attack motivation, we believe that the purpose of this attack is mainly for information gathering and espionage. Considering the current situation between Russia and Ukraine, intelligence spying and espionage are more in line with the motivation of nation-sponsered hacker groups, so we attribute this attack to Kasablanka group with moderate confidence.

Summary

In previous disclosures of the Kasablanka group's operations, its targets included Bangladesh, South America and the United States, and its Loda RAT includes Windows version and Android version.Now this group often uses commercial RATs in its attack activities, which not only reduces the development cost but also makes it difficult for tracing attackers’ footprints.

The RedDrip team would like to remind all users not to open links of unknown origin shared by social media, not to click on email attachments from unknown sources, not to run unknown files with exaggerated titles, not to install APPs from informal sources, to back up important files in a timely manner, and to update and install patches.

If you need to run or install an application of unknown origin, you can first identify it through the QiAnXin Threat Intelligence File Deep Analysis Platform (https://sandbox.ti.qianxin.com/sandbox/page). At present, it supports deep analysis of files in various formats including Windows and Android platforms.

Currently, a full line of products based on the threat intelligence data from the QiAnXin Threat Intelligence Center, including the QiAnXin Threat Intelligence Platform (TIP), SkyRock, QiAnXin Advanced Threat Detection System, QiAnXin NGSOC, QiAnXin Situational Awareness, etc., already support the accurate detection of such attacks [2].

IOCs

MD5

4d75d26590116a011cbebb87855f4b4f

574e031a4747d5e6315b894f983d3001

56d1e9d11a8752e1c06e542e78e9c3e4

db9f2d7b908755094a2a6caa35ff7509

8f52ea222d64bbc4d629ec516d60cbaf

c3b3cb77fcec534763aa4d3b697c2f8c

9ea108e031d29ee21b3f81e503eca87d

23d5614fcc7d2c54ed54fb7d5234b079

6be3aecc5704c16bf275e17ca8625f46

e4a678b4aa95607a2eda20a570ffb9e1

11ed3f8c1a8fce3794b650bbdf09c265

8a548f927ab546efd76eeb78b8df7d4c

6d710d1a94445efb0890c8866250958e

6b42e4c5aecd592488c4434b47b15fbb

d82743e8f242b6a548a17543c807b7b0

32a0a7fa5893dd8d1038d1d1a9bc277a

bd5c665187dfb73fc81163c2c03b2ddf

a07c6e759e51f856c96fc3434b6aa9f8

0dcd949983cb49ad360428f464c19a9e

87125803f156d15ed3ce2a18fe9da2b8

4f7e2f5b0f669599e43463b70fb514ad

00b9b126a3ed8609f9c41971155307be

C2

179.60.150.118

45.61.137.32

89.22.233.149

193.149.129.151

193.149.176.254

Reference Links

[1] https://blog.talosintelligence.com/kasablanka-lodarat/

[2] https://ti.qianxin.com/

KASABLANKA APT THE MIDDLE EAST