
Overview

In order to lure victims into running programs without alerting them to abnormal activity, malware often uses various disguises to hide its real malicious behavior. A sandbox provides a controlled environment in which to run such suspicious software and identify the malicious operations hidden under the disguise. In addition, the behavior observed while a program runs in the sandbox serves as guidance that helps professional analysts conduct more in-depth analysis.

Recently, the Qi'anxin Threat Intelligence Center discovered a suspicious compressed file during its daily operations. Open-source intelligence about the compressed file mentioned that the sample came from a website with the domain name cdn.careers2find[.]com [1]. The homepage of the website describes itself as a job search website.

In order to quickly determine whether the captured compressed package contains malicious behavior, we first upload it to the Qi'anxin Intelligence Sandbox (https://sandbox.ti.qianxin.com/sandbox/page) for analysis.


Sandbox Analysis

The basic information of the sample is as follows:

| Item | Value |
| --- | --- |
| Qi'anxin Intelligence Sandbox report link | https://sandbox.ti.qianxin.com/sandbox/page/detail?type=file&id=AZMJ5Lm1SZq0HOVfdN9Z |
| Sample file name | SignedConnection.zip |
| Sample MD5 | bb4c8f42cc624c628e4b98bd43f29fa6 |
| Sample type | ZIP archive |
| Sample size | 1022011 bytes |

After the upload analysis is completed, you can see the basic information of the sample, including file size, type and hashes. Based on its comprehensive judgment of malicious behavior, the Qi'anxin Intelligence Sandbox identified the file as suspicious and gave it a malicious score of 10 points. RAS detection carries the label "Maybe_Sideloading", indicating that the sample may use DLL side-loading. The sample has been run in multiple sandbox environments; on the right, you can switch the analysis environment to view the report for each one.

Immediately below the basic information of the sample is the summary of the sandbox analysis results by the threat intelligence AI assistant for users' reference.

The AV engine section displays the detection results of dozens of antivirus engines on the sample. It can be seen that multiple antivirus engines have determined that the sample is malicious.

Behavioral anomalies summarize the suspicious behavior of the sample. Entries with a downward arrow symbol on the right can be expanded to provide detailed information.

This sample shows several noteworthy unusual behaviors:

(1) A startup item is written to the registry with a name that mimics OneDrive and a path pointing to "C:\Users\admin\AppData\Local\Microsoft\WindowsInsights\workstation\FileCoAuth.exe".

(2) An HTTP request is made to a link hosted on GitHub.

(3) The public IP address is looked up through api.ipify.org.

(4) Google Drive is accessed.

(5) Executable files are created, one of which has exactly the path pointed to by the registry startup item above.

The in-depth analysis section lists the file names contained in the ZIP archive. Some of these names are the same as the executable file names mentioned in the anomalies above, indicating that the files in the archive may be copied to other directories.

The host behavior shows that after SignedConnection.exe in the compressed package is run, the file "C:\Users\admin\AppData\Local\Microsoft\WindowsInsights\workstation\FileCoAuth.exe" is started.

Click SignedConnection.exe to further see some of the operations performed by the process, including creating the "C:\Users\admin\AppData\Local\Microsoft\WindowsInsights\workstation" directory, writing EXE and DLL files to the created directory, and setting the autostart item in the registry.

Network behavior shows that in addition to accessing api.ipify.org, Github, and Google Drive, the sample also accesses a suspicious domain name xboxapicenter.com.

Combined with the information in the host behavior, the access to these domain names all comes from the started FileCoAuth.exe process.

In the running screenshot, the sample provides a user interface for connecting to the server after running. The domain name connected is quiz.careers2find[.]com, which is the same as the domain name of the compressed package download webpage.

From the information provided by the Qi'anxin Intelligence Sandbox, we have a preliminary understanding of the ZIP sample. The archive contains EXE and DLL files, which may use DLL side-loading to execute malicious code. After SignedConnection.exe from the archive is run, it creates a directory and writes EXE and DLL files into it; because the written file names match the file names in the archive, this is probably a file copy operation. Persistence is then established through the registry, with the startup item pointing to the EXE file FileCoAuth.exe in the new directory, and that EXE is started. The started FileCoAuth.exe accesses a series of domain names. In addition, the sample creates a UI, which may serve as a disguise to cover up the malicious operations above.


Detailed analysis

Compressed package

The download link for the compressed package is "hxxps://cdn.careers2find.com/assets/app/SignedConnection.zip". The button on the right side of the download page downloads the ZIP package, and the button on the left side opens a PDF file containing the installation and usage guide for the downloaded package.

Except for Qt5Core.dll and secur32.dll, all other PE files in the compressed package are digitally signed, and the modification time of these two files is recent.

SignedConnection.exe in the compressed package is actually the OneDrive-related program FileCoAuth.exe.

After SignedConnection.exe runs, it loads secur32.dll from the same directory through DLL side-loading.

Secur32.dll

secur32.dll is written in C# and its main functions are to create a user interface to confuse the victim, move the backdoor DLL file and establish persistence.

| Item | Value |
| --- | --- |
| File name | secur32.dll |
| MD5 | 3528837b4088a22f0043551431809b3d |
| File size | 342.50 KB (350720 bytes) |

DllMain calls CreateThread to execute the OnAPIENTRY function, which in turn runs MainThread and UIThread. The former performs the malicious operations, while the latter implements the UI used as a disguise.


MainThread

The operations performed by MainThread are in StateValidation.Instantion.

The process of StateValidation.Instantion execution is as follows:

(1) Check whether the directory "%LocalAppData%\\Microsoft\\WindowsInsights\\workstation" exists. If it does, call CreateToolhelp32Snapshot, Process32FirstW, Process32NextW and other system APIs to find whether there is a FileCoAuth.exe process. If found, terminate the FileCoAuth.exe process and delete the above directory.

(2) Recreate the directory "%LocalAppData%\\Microsoft\\WindowsInsights\\workstation";

(3) Call StateValidation.CPR to copy files, copy the backdoor DLL file and other DLL files that the program depends on to the above directory, among which LoggingPlatform.dll, msvcp140.dll, UpdateRingSettings.dll, and vcruntime140.dll are copied directly, SignedConnection.exe is copied to FileCoAuth.exe in the new directory, and Qt5Core.dll is copied to secur32.dll in the new directory. The original secur32.dll is not copied;

(4) Call StateValidation.Subscriber to create persistence in the registry. Add a value named "OneDrive" under the key "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" (the name contains a space to avoid conflict with the original OneDrive), and the path string points to FileCoAuth.exe in the new directory;

(5) Call xLnCh to run FileCoAuth.exe in the new directory through ShellExecuteExW.
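As an added example (not code from the report or from the sample), the following Python check flags Run-key values that match the persistence set up in steps (1) to (5): a OneDrive lookalike value name and FileCoAuth.exe started from the WindowsInsights directory. The registry values are constructed for the example; on a live host they would be read with winreg or from a registry export.

```python
import ntpath
import re

# Constructed sample of (value name, value data) pairs as they would appear under
# HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; not taken from a real host.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("OneDrive ", r"C:\Users\admin\AppData\Local\Microsoft\WindowsInsights\workstation\FileCoAuth.exe"),
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
]

# Genuine OneDrive binaries live under %LocalAppData%\Microsoft\OneDrive.
LEGIT_ONEDRIVE_DIR = re.compile(r"\\AppData\\Local\\Microsoft\\OneDrive\\", re.IGNORECASE)


def _executable_path(value_data: str) -> str:
    """Return the program path from a Run value, dropping surrounding quotes and arguments."""
    data = value_data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    # Unquoted form: the path ends at the first ".exe"; anything after it is arguments.
    match = re.match(r"(.+?\.exe)", data, re.IGNORECASE)
    return match.group(1) if match else data


def suspicious_run_entries(run_values):
    """Return [(value name, reasons)] for Run entries matching this sample's persistence."""
    findings = []
    for name, data in run_values:
        reasons = []
        path = _executable_path(data)
        exe = ntpath.basename(path).lower()
        # Name equals "OneDrive" only after trimming and case-folding: a padded lookalike.
        if name.strip().lower() == "onedrive" and name != "OneDrive":
            reasons.append("value name is a OneDrive lookalike (whitespace or case differs)")
        # FileCoAuth.exe is a OneDrive component; outside the OneDrive directory it is being abused.
        if exe == "filecoauth.exe" and not LEGIT_ONEDRIVE_DIR.search(path):
            reasons.append("FileCoAuth.exe started from a non-OneDrive directory")
        if "\\windowsinsights\\" in path.lower():
            reasons.append("path under the WindowsInsights directory created by the sample")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious_run_entries(SAMPLE_RUN_VALUES):
        print(repr(name), "->", "; ".join(reasons))
```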


UIThread

The user interface created by UIThread is derived from MicroftSignConnection.MainForm and imitates a login procedure.


Qt5Core.dll

Qt5Core.dll in the original compressed package is a backdoor DLL whose functions are collecting information and obtaining subsequent malware. After being copied, its file name is changed to secur32.dll, so when FileCoAuth.exe in the workstation directory is started, the DLL is loaded by side-loading.

| Item | Value |
| --- | --- |
| File name | Qt5Core.dll / secur32.dll |
| MD5 | f9914c7d6e09d227b2cecea50b87e58b |
| File size | 163.50 KB (167424 bytes) |

First, it checks whether a telementry.cab file exists in the same directory; this file stores the victim ID. If it does not exist, a GUID is generated as the victim ID and written into the file.

The backdoor DLL connects to "hxxps://www.microsoft.com" to determine whether it has Internet access, and then tries GET requests to the following three URLs in turn to obtain the information of the C2 server it will actually connect to.

hxxps://raw.githubusercontent.com/msdnedgesupport/msdn/main/README.md
hxxps://drive.google.com/uc?export=download&id=1prtuA0jGP3TvjJyR_o-10tF29Mpamrc2
hxxps://xboxapicenter.com/

The GitHub link is no longer accessible, but the Google Drive link downloads a readme.txt file containing the following string. The backdoor DLL splits the acquired data on the "#" symbol and converts each resulting number into a character by treating it as an ASCII code, obtaining the name of the C2 server to connect to, which is again "xboxapicenter.com".

The backdoor connects to port 443 of the C2 server and sends a POST request. The X-Forwarded-For and UserAgent request headers carry custom content: X-Forwarded-For is built from the public IP address obtained through api.ipify.org, and UserAgent stores the C2 request type, the victim ID and related parameters, separated by "/".

The C2 request types used by the backdoor are as follows:

| Request type | UserAgent format | Description |
| --- | --- | --- |
| Get backdoor instructions | 15/<victim_id>//1/ | The two parameters indicate the sleep type and whether the subsequent payload has already been executed, so that the C2 server can send the related backdoor instructions. The POST request carries no body data. |
| Return collected device information | 12/<victim_id>/ | Related to backdoor instruction 1; the POST request carries the returned data, and the parameter is the key used to XOR-encrypt the data. |
| Return process list information | 13/<victim_id>/ | Related to backdoor instruction 7; the POST request carries the returned data, and the parameter is the key used to XOR-encrypt the data. |
| Get subsequent payload data | 9/<victim_id>/ | Related to backdoor instruction 2; the POST request carries no body data, and the parameter is the offset into the subsequent payload data. |

When encrypting returned data, each byte of the plaintext is XORed with a randomly generated number (in the range 1 to 100), and the result is converted into a HEX-encoded string.
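As an added example, not the report's or the sample's own code, the following Python decoder covers the two conventions described above: the "#"-separated ASCII codes that spell the C2 hostname, and the custom UserAgent with the XOR-and-HEX-encoded POST body. The readme content, victim ID, key and device-info JSON are constructed for the example, and it assumes the POST body is the bare HEX string and that, for request types 12 and 13, the XOR key is the first UserAgent parameter after the victim ID.

```python
import json
import re

# Constructed samples for this example (not captured traffic): the readme.txt content in the
# "#"-separated ASCII-code form, and a device-info JSON like the one the backdoor returns.
SAMPLE_README = "#".join(str(ord(c)) for c in "xboxapicenter.com")
SAMPLE_VICTIM_ID = "6f1c2a3e-0000-4000-8000-000000000000"   # made-up GUID
SAMPLE_INFO = json.dumps({"os": "Windows 10", "admin": False, "host": "WS01", "user": "admin"})
SAMPLE_KEY = 37                                               # the backdoor picks 1..100 at random

USER_AGENT_RE = re.compile(r"^(?P<type>\d+)\s*/\s*(?P<victim>[^/]*?)\s*/(?P<params>.*)$")

def decode_c2_host(text: str) -> str:
    """Turn "120#98#111#..." into the hostname it spells; empty fields and whitespace are ignored."""
    codes = [int(part) for part in text.strip().split("#") if part.strip()]
    host = "".join(chr(code) for code in codes)
    if not re.fullmatch(r"[A-Za-z0-9.-]+", host):
        raise ValueError("decoded value is not a plausible hostname")
    return host

def parse_user_agent(user_agent: str) -> dict:
    """Split the custom UserAgent "<type>/<victim_id>/<param>/..." into its fields."""
    m = USER_AGENT_RE.match(user_agent)
    if not m:
        raise ValueError("UserAgent is not in the <type>/<victim_id>/... form")
    params = m.group("params").split("/")
    if params and params[-1] == "":        # drop the empty field after the trailing "/"
        params.pop()
    return {"type": int(m.group("type")), "victim_id": m.group("victim"), "params": params}

def xor_hex_encode(plaintext: bytes, key: int) -> str:
    """Byte-wise XOR with one key, then HEX-encode: the transform applied to returned data."""
    return bytes(b ^ key for b in plaintext).hex()

def xor_hex_decode(hex_text: str, key: int) -> bytes:
    """Inverse of xor_hex_encode: HEX-decode, then XOR every byte with the same key."""
    return bytes(b ^ key for b in bytes.fromhex(hex_text))

def decode_request(user_agent: str, body_hex: str) -> dict:
    """Recover the plaintext of a captured POST; for types 12 and 13 the key is the first parameter."""
    fields = parse_user_agent(user_agent)
    if fields["type"] in (12, 13):
        fields["plaintext"] = xor_hex_decode(body_hex, int(fields["params"][0])).decode("utf-8")
    return fields
```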

The functions of the backdoor commands issued by the C2 server are as follows:

| Backdoor instruction | Description |
| --- | --- |
| 1 | Collect device information and send it back. The collected information includes the operating system version, whether the user is an administrator, the host name and the user name. |
| 2 | Download the subsequent payload. Check whether the subsequent payload is running and terminate the related process, download the payload from the C2 server, save it as cabinet.zip in the log subdirectory of the backdoor directory, and decompress it. |
| 4 | Start the subsequent payload. Check whether the log subdirectory of the backdoor directory exists and run the FileCoAuth.exe in it. |
| 5 | Terminate the processes related to the subsequent payload. |
| 6 | Switch the backdoor's sleep time between two options: 3 s and 30 s. |
| 7 | Collect information on all current processes and send it back. |

The collected device information is concatenated into a JSON string, with the Microsoft domain name added as a disguise.

The collected process information also uses the JSON string format.


Traceability

The attack methods and code features involved in the malicious compressed package SignedConnection.zip are consistent with the attack activities of the Middle Eastern group UNC1549 disclosed by Google in February 2024 [2].

UNC1549 used job recruitment as bait together with the DLL side-loading combination "FileCoAuth.exe + secur32.dll", and the behavioral characteristics of bringthemhomenow.zip mentioned in the report are highly consistent with the compressed package captured this time.

The analysis results for bringthemhomenow.zip in the Qi'anxin Intelligence Sandbox are as follows:

| Item | Value |
| --- | --- |
| Qi'anxin Intelligence Sandbox report link | https://sandbox.ti.qianxin.com/sandbox/page/detail?type=file&id=AZMLO6MEONZSmF3-z4UO |
| Sample file name | bringthemhomenow.zip |
| Sample MD5 | ef262f571cd429d88f629789616365e4 |
| Sample type | ZIP archive |
| Sample size | 8979790 bytes |

Similar behavioral characteristics include persistence through the registry, with the startup item name imitating OneDrive.

The files are likewise copied to a newly created directory, and FileCoAuth.exe is run from it.

This sample communicates with the C2 server directly over HTTP without encryption, so the POST request content can be seen directly, and the UserAgent uses the same construction format.

Further analysis found that the Qt5Core.dll component in the SignedConnection.zip package is a newer version of the MINIBUS backdoor (CoreUIComponent.dll, MD5: 816af741c3d6be1397d306841d12e206). The backdoor instructions are exactly the same, but the new version adds some improvements: the final C2 server address is obtained from a remote server, the network connection is tested by connecting to the Microsoft domain name, and the traffic is disguised.

On the other hand, the domain name and certificate of the website careers2find[.]com were created not long ago, so it is very likely a phishing website built specifically by the attacker.

Based on the above information, we believe that the malware delivered by disguising as a job search website is a continuation of the UNC1549 attack activity.


Summary

In recent years, there has been an endless stream of cyber attacks using job recruitment as bait. UNC1549 even uses job search websites as traps for phishing attacks, asking victims to install the connection program offered on the website, which actually runs UNC1549's MINIBUS backdoor and provides a foothold for the attackers to launch further actions.

Qi'anxin Threat Intelligence Center reminds users to beware of phishing attacks, do not open unknown links shared on social media, do not click on and execute email attachments from unknown sources, do not run unknown files with exaggerated titles, and do not install apps from unofficial sources. Back up important files in a timely manner and update and install patches.

If you need to run or install an application of unknown origin, you can first use the Qi'anxin Intelligence Sandbox (https://sandbox.ti.qianxin.com/sandbox/page) to identify it. It currently supports in-depth analysis of files in multiple formats for the Windows and Android platforms.

At present, the full range of products based on threat intelligence data from the Qi'anxin Threat Intelligence Center, including the Qi'anxin Threat Intelligence Platform (TIP), TianQing, the Tianyan Advanced Threat Detection System, Qi'anxin NGSOC and Qi'anxin Situation Awareness, already supports accurate detection of such attacks.


IOC

MD5

bb4c8f42cc624c628e4b98bd43f29fa6
3528837b4088a22f0043551431809b3d
f9914c7d6e09d227b2cecea50b87e58b

Phishing Websites

careers2find.com

C&C

xboxapicenter.com


Reference Links

[1]. https://x.com/StrikeReadyLabs/status/1851438224834433154

[2]. https://cloud.google.com/blog/topics/threat-intelligence/suspected-iranian-unc1549-targets-israel-middle-east
