Overview
APT groups often use some uncommon file types to host malicious code in order to increase the probability of immunity against antivirus software, such as CD-ROM image files (.iso) and virtual hard disk files (.vhd), which we have monitored for abuse in recent years. And the use of these two formats can effectively circumvent the MOTW mechanism (a security measure in which Windows displays a warning message when a user tries to open a file downloaded from the Internet). The effectiveness of the Lazarus group's attack campaign was evident back in November '22 when we disclosed that its attack components using the vhdx format had a detection rate of 0 on VirusTotal.
When combing through the recently uploaded vhdx files we found that from September to December 2022, Kasablanka group is suspected of attacking Russia, and its targets include the Russian Federal Government Cooperation Agency, the Ministry of Foreign Communications of the Astrakhan Region of Russia, etc., and the detection rate of some samples is always 0.
Analyzing and organizing the captured samples, the Kasablanka group used a socially engineered phishing email as the entry point for the attack, with a virtual disk image file attached, which nested a variety of next-stage payload executions including lnk files, zip packages, and executables. In the early stages of the attack the final execution was the commercial Trojan Warzone RAT, in the later stages of the attack we observed that the executed Trojan changed to Loda RAT.
Decoy File
A phishing attack against the Agency of the Government of the Russian Federation for CIS Affairs, Aliens and International Humanitarian Cooperation, or "Россотрудничество".
The translation of the phishing email content is as follows:
Phishing email attack against the Ministry of Foreign Communications of the Astrakhan Region of Russia.
The translation of the phishing email is as follows:
One of the phishing email attachments uses the situation related to the Republic of Turkey in 2022 as a bait.
Attacks using articles related to Russian import substitution and migration policy in 2015 as bait.
In addition, the Kasablanka group intercepted the first page from Resolution No. 1725 published on the official website of the Government of the Russian Federation as a decoy.
And the relevant content of the draft Digital Code of Kyrgyzstan was used as a bait.
Sample Analysis
The captured samples are all virtual disk image files (.vhdx suffix), and the sample decoy names and contents are in Russian and uploaded from Russian regions. Some of the samples use lnk files as downloaders for the next stage payload.
Some attack samples package the decoy and Warzone RAT into a zip file in a virtual disk image file.
Or there is no decoy file and the lnk file is directly disguised as a folder to lure victims to click on it.
We have sorted out links to download the relevant payloads, as shown in the table below:
| - | - |
|---|---|
| Links | Remarks |
| http://179.60.150.118/new.exe | Warzone RAT |
| http://89.22.233.149/ms7.hta | Unknown |
| http://193.149.129.151/vmsys | Unknown |
| http://45.61.137.32/www.exe | Warzone RAT |
| http://45.61.137.32/svvhost.rar | Loda RAT |
| http://45.61.137.32/Scanned_document.exe | Loda RAT |
Warzone RAT
Warzone RAT, also known as AveMaria RAT, is a commercial trojan developed in pure C/C++, which has been sold publicly on the internet as a software subscription since 2018 and is compatible with systems below Windows 10, with remote desktop, password stealing, keylogging, remote commands, permission elevation, download execution and many other remote control functions. It has been used by several APT groups, including Confucius, Bitter, Blind Eagle (APT-Q-98) and other groups .
This captured Warzone RAT eventually establishes a TCP connection to the server hbfyewtuvfbhsbdjhjwebfy.net (193.188.20.163) .
It has a wide variety of remote control commands, including the following functions.:
| - | - |
|---|---|
| Function number | Function |
| 0x0 | Obtain information about the controlled machine |
| 0x2 | Get process list information |
| 0x4 | Get drive information |
| 0x6 | Get directory information |
| 0x8 | Retrieving files from the victim device's folder |
| 0xA | Delete the specified file |
| 0xC | Ends the specified process |
| 0xE | Remote shell |
| 0x10 | Ends the specified thread |
| 0x12 | List the victim's camera device information |
| 0x14 | Turn on the camera |
| 0x16 | Stop the camera |
| 0x18 | Get the title of the active program |
| 0x1A | Exit and delete your own files |
| 0x1C | Downloading files to the controlled end |
| 0x20 | Get browser password |
| 0x22 | Download the file from the given URL to the controlled end and execute it |
| 0x24 | Online keylogging |
| 0x26 | Offline keylogging |
| 0x28 | Install HRDP Manager on the victim's device |
| 0x2A | Enable reverse proxy |
| 0x2C | Stop reverse proxy |
| 0x30 | Start remote VNC |
| 0x32 | Shutting down remote VNC |
| 0x38 | Reverse proxy port settings |
| 0x3A | Execute or open the specified file |
| 0x48 | Injection into the specified process |
| 0x4A | Traversing to get file information |
| 0x4C | Multiple post-command breakdowns, including shutdown, network test, exit, etc |
Loda RAT
Loda RAT is a proprietary malware written in AutoIt script language, first captured and disclosed in the wild by Proofpoint in September 2016, the name 'Loda' derives from the malware author's choice of directory to write keylogger logs to as Loda.Subsequently Cisco discovered multiple variants of Loda RAT and found that the RAT added spying capabilities to the Android platform. After a series of investigations, Cisco concluded that the group using the malware was based in Morocco and named the group Kasablanka (the largest city in Morocco) [1].
Analysis of the captured sample showed that it was written in C# and obfuscated so extensively that common tools could not decompile it, and added a large amount of 00 data at the end of the PE file, swelling the entire file size to 741MB.
After execution, the sample first releases and executes the Loda RAT packaged with AutoIt in the %appdata% directory, and the AutoIt script can be restored by using the deep analysis function of QiAnXin's Threat Intelligence Center Cloud Sandbox, and the behavior and functions of the trojan can be seen by analyzing the script.
Loda RAT first detect antivirus products installed on victim machines through WMI commands.
Followed operation is collecting some information of victim host, including permissions, operating system version, etc.
And adding persistentence by creating %appdata%\Windata\svshost.exe and NFOKQN.lnk shortcut to svshost.exe in windows startup directory.
Uploading the collected information and then takeing screenshots.
Subsequently enter the remote control loop, by processing the data returned by C2, and then correspond to the detailed remote control instructions, and its remote control instructions divided into a relatively fine function, rough statistics have 144 remote control instructions, due to the reasons of space, we will not do a detailed introduction, a general overview of its remote control functions.
- Recording
- Upload and download files
- Execute the specified file
- Shutdown
- Close the specified process
- Stealing user cookies, passwords
- Turn on keylogger
- Delete keylogger data
- Download and execute the file from the specified URL
- Get file or directory size
- Allow RDP connections by modifying the registry
- Compressing/uncompressing files
- Copy files or directories
- Enumerate connected drives
- Enumerate hot folder locations
- Detect UAC settings
- Send mouse clicks (to the left or right is a separate command)
- Capture screenshots and send to C2
- Open/close CD trays
- Recording
- Turn off Windows Firewall
- Send the name of running processes to C2
- Exit, uninstall
- Create a GUI chat window to save the victim/attacker conversation to a file
In addition, in the previous version, LodaRAT downloaded SQLite3.dll from the official AutoIt website because it was needed to extract sensitive information from the browser database, but the embedded URL had been unavailable for download. So in the latest version, the Kasablanka group transcoded it directly to hex, embedded in in the script.
Association & Attribution
In C2:193.149.129.151, we trace back to Trojan "systeml.dll", written in C# and only 8.5KB in size, whose function is to download WinScp tools to synchronize files with remote computers and set scheduled tasks to persist, making it a potential backdoor.
In another C2: 179.60.150.118, we associate two files packaged by Pyinstaller, both of them are downloaders and have the same core code.
After Base64 decoding, you can clearly see that by requesting port 443 of 179.60.150.118 to get the follow-up payload to execute, and the payload is Warzone RAT or CS Trojan.
Some security vendors believe that Loda RAT is the exclusive trojan of Kasablanka group, but since Loda RAT is compiled from AutoIt scripts and its source code can be obtained by decompiling it, 'false flag' activities by other threat actors using the decompiled source code are also possible.
In terms of attack motivation, we believe that the purpose of this attack is mainly for information gathering and espionage. Considering the current situation between Russia and Ukraine, intelligence spying and espionage are more in line with the motivation of nation-sponsered hacker groups, so we attribute this attack to Kasablanka group with moderate confidence.
Summary
In previous disclosures of the Kasablanka group's operations, its targets included Bangladesh, South America and the United States, and its Loda RAT includes Windows version and Android version.Now this group often uses commercial RATs in its attack activities, which not only reduces the development cost but also makes it difficult for tracing attackers’ footprints.
The RedDrip team would like to remind all users not to open links of unknown origin shared by social media, not to click on email attachments from unknown sources, not to run unknown files with exaggerated titles, not to install APPs from informal sources, to back up important files in a timely manner, and to update and install patches.
If you need to run or install an application of unknown origin, you can first identify it through the QiAnXin Threat Intelligence File Deep Analysis Platform (https://sandbox.ti.qianxin.com/sandbox/page). At present, it supports deep analysis of files in various formats including Windows and Android platforms.
Currently, a full line of products based on the threat intelligence data from the QiAnXin Threat Intelligence Center, including the QiAnXin Threat Intelligence Platform (TIP), SkyRock, QiAnXin Advanced Threat Detection System, QiAnXin NGSOC, QiAnXin Situational Awareness, etc., already support the accurate detection of such attacks [2].
IOCs
MD5
4d75d26590116a011cbebb87855f4b4f
574e031a4747d5e6315b894f983d3001
56d1e9d11a8752e1c06e542e78e9c3e4
db9f2d7b908755094a2a6caa35ff7509
8f52ea222d64bbc4d629ec516d60cbaf
c3b3cb77fcec534763aa4d3b697c2f8c
9ea108e031d29ee21b3f81e503eca87d
23d5614fcc7d2c54ed54fb7d5234b079
6be3aecc5704c16bf275e17ca8625f46
e4a678b4aa95607a2eda20a570ffb9e1
11ed3f8c1a8fce3794b650bbdf09c265
8a548f927ab546efd76eeb78b8df7d4c
6d710d1a94445efb0890c8866250958e
6b42e4c5aecd592488c4434b47b15fbb
d82743e8f242b6a548a17543c807b7b0
32a0a7fa5893dd8d1038d1d1a9bc277a
bd5c665187dfb73fc81163c2c03b2ddf
a07c6e759e51f856c96fc3434b6aa9f8
0dcd949983cb49ad360428f464c19a9e
87125803f156d15ed3ce2a18fe9da2b8
4f7e2f5b0f669599e43463b70fb514ad
00b9b126a3ed8609f9c41971155307be
C2
179.60.150.118
45.61.137.32
89.22.233.149
193.149.129.151
193.149.176.254
Reference Links
[1] https://blog.talosintelligence.com/kasablanka-lodarat/
[2] https://ti.qianxin.com/