
Trojan Dropper Remcos



11 minutes ago, Nightowl said:

I didn't read properly; yes, it could explain what you have said, and it could be those aren't real executables and are just made by the script.

Check if Python is installed on the targeted device, which would confirm my theory:

Quote

Checking if Python is Already Installed on Your Windows Machine

Python can be accessed via the terminal or the Start Menu.

To check if Python is installed on your Windows machine using the terminal, follow these steps:

  1. Open a command line tool such as Windows Terminal (the default on Windows 11) or Command Prompt (the default on Windows 10).
  2. In the command line, type `python`. If Python is installed, you should see a message like “Python 3.x.x” followed by the Python prompt, which looks like this “>>>”. Note that “3.x.x” represents the version number of Python.
  3. If Python is not installed on your machine, you will be automatically taken to the Microsoft Store installation of Python. Note that the page you are taken to may not be the latest version of Python.

To check if Python is installed on your Windows machine using the Start Menu, follow these steps:

  1. Press the Windows key or click on the Start button to open the Start Menu, then type "python".
  2. If Python is installed, it should show up as the best match. Press "Enter" or click on the version of Python you want to open. You should see a message like “Python 3.x.x” followed by the Python prompt, which looks like this “>>>”. Note that “3.x.x” represents the version number of Python.
  3. If Python is not installed on your machine, you will only see results for web searches for "python", or a suggestion to search the Microsoft Store for "python".

 

https://www.datacamp.com/blog/how-to-install-python

Edited by itman

  • Most Valued Members
4 minutes ago, itman said:

Check if Python is installed on the targeted device which would confirm my theory:

https://www.datacamp.com/blog/how-to-install-python

It isn't, bro, because when the trojan troubled me by coming back to life every time I killed it,

I thought to change strategy and remove Python from the computer, which would render its scripts useless, but there is no Python on the PC; I thought it was installed from before.

Then I used HIPS to monitor what accesses this area, and then I thought I should get more aggressive now. I blocked the whole area to prevent anything from reading or writing to it using HIPS, and I restarted; then python.exe and python39.dll ceased to be used by something else. Something held them and prevented anything from touching them; I can't even add a firewall rule for it, because I wanted to block it from communicating.

I felt like maybe another scanner got it for restart cleaning? But nope, no scanner identified the python39.dll as malicious, only as suspicious because it's not signed, but all the rest of the files, even the modified ones, have the company names; like for Firefox, everything has Mozilla, even the modified (unsigned) ones.


The other and more likely scenario is that both legitimate versions of python.exe and vlc.exe were modified to insert PyInstaller code within them. Then the .exe's were re-signed with hacked certificates.

Since the PyInstaller code is legitimate, it would not be detected by an AV signature. Since the .exe's were signed, they would pass most reputation tests.

Bottom line - we are looking at an ATP level attack here.


  • Most Valued Members
2 hours ago, itman said:

Bottom line - we are looking at an ATP level attack here.

I think so also


BTW - PyInstaller is not the only Python utility that will convert Python scripts to a .exe. There are others:

Quote

Python has many different tools you can use to convert your Python code into a Windows executable. Here are a few different tools you can use:

    PyInstaller
    py2exe
    cx_freeze
    Nuitka
    Briefcase

https://www.blog.pythonlibrary.org/2021/05/27/pyinstaller-how-to-turn-your-python-code-into-an-exe-on-windows/

The downside of using PyInstaller is that the resultant .exe is huge. Python is an interpreted language whose scripts are compiled to byte-code. That huge .exe is a tell-tale sign something might be amiss with it. Additionally, the byte-code is easily identifiable in the .exe.

My deployment choice if I was an attacker would be Nuitka:

Quote

Nuitka, a third-party project, offers a radical solution. It compiles a Python program to a C binary—not by packaging the CPython runtime with the program bytecode, but by translating Python instructions into C. The results can be distributed in a zipped bundle or packaged into an installer with another third-party product.

https://www.infoworld.com/article/3673932/intro-to-nuitka-a-better-way-to-compile-and-distribute-python-applications.html

Edited by itman

One final comment about my prior posting:

23 hours ago, itman said:

A comment about the scheduled tasks' behavior. They all employed, e.g.:

C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\python39.dll",#1

That is rundll32.exe spawning a copy of itself to run a malicious .dll. As far as I am aware, I know of nothing that does likewise. I am adding a HIPS rule to alert when rundll32.exe starts itself.

This was "wishful thinking" on my part. Note that the second rundll32.exe has no path associated with it. Assume that it's in reality a Python-based .exe resident in the same directory where the command string was run from.

Finally, there's this Python "tidbit": https://www.bleepingcomputer.com/news/security/python-info-stealing-malware-uses-unicode-to-evade-detection/ "hot off" the malware news press.

Edited by itman

  • Most Valued Members
2 hours ago, Nightowl said:

These appear to be benign .png files. That is unless steganography is being deployed: https://www.bleepingcomputer.com/news/security/worok-hackers-hide-new-malware-in-pngs-using-steganography/

In regards to the .vbs script that only Symantec detects, the VT behavior analysis notes a YARA detection rule. That rule shows code which appears to scan for the presence of AVG being installed. Since Avast appears to detect the above linked steganography malware, those .png files might contain malware.

Edited by itman

  • Most Valued Members
4 minutes ago, itman said:

These appear to be benign .png files. That is unless steganography is being deployed: https://www.bleepingcomputer.com/news/security/worok-hackers-hide-new-malware-in-pngs-using-steganography/

In regards to the .vbs script that only Symantec detects, the VT behavior analysis notes a YARA detection rule. That rule shows code which appears to scan for the presence of AVG being installed. Since Avast appears to detect the above linked steganography malware, those .png files might contain malware.

Those are the threats, my brother. The trojan downloads them from imgur to stay stealthy, and then they will be changed to the wanted extension. Fortinet already detects one of them, Fruit.png.

With every fake program the trojan uses, it will have a .png file for it:

Notepad++, VLC, Python, Firefox

They are all legit versions, but probably some kind of old versions that have vulnerabilities, and the trojan uses them to achieve what needs to be achieved, and communicates to C&C with PowerShell, but ESET can stop it and remove it (the PowerShell one).

Edited by Nightowl

2 minutes ago, Nightowl said:

then they will be changed to the wanted extension

Ahh, the old file-renaming-after-download-on-the-target-device trick.

Of note is that Eset doesn't consider a file rename to be a file modification, which would result in a re-scan.


  • Most Valued Members
10 minutes ago, itman said:

Ahh, the old file-renaming-after-download-on-the-target-device trick.

Of note is that Eset doesn't consider a file rename to be a file modification, which would result in a re-scan.

Most scanners don't care about images by their nature, I think? This is why malware developers now use this way.

And since the image is uploaded to a very well known place like imgur, when the trojan communicates with imgur you will find it normal; someone is surfing photos.

And the trojan would evade any web/DNS filters you would set, since imgur is trusted.

Quote

<Fruit.png> with MD5: 0086f1ed58e6516027bdc7d8a6c2c9ad - <Data/Agent.c9ad!tr>

This is one of the Fruits.

Edited by Nightowl

  • Most Valued Members

So, since most of the files are not detected, most of them are to be found in AppData/Roaming, with weird names or Adobe, or in Local as Bhromium or something like this, and somewhere in AppData you can find the Firefox.

Simply searching for vlc.exe, firefox.exe, python.exe, notepad++.exe in AppData will most likely show you where it is staying, and you can manually remove them.

Blocking *.imgur.com and the C&C server that is found in the AnyRun report will isolate the trojan; the load cannot be downloaded from imgur again, and if there was an infection, there is no connection to C&C.

ESET can pick it up and clean the infected PowerShell, and clean the things that were reported earlier in Threat; other scanners like Hitman didn't pick anything. ESET did all the job, but there was still unpicked stuff; I deleted them manually.

Task Scheduler entries for VLC and Python and Notepad++, which are the legit software, but they are using them to load the loads.

Once all cleaned, and schedulers disabled and removed, it shouldn't come back to life, nor be alive.

1 hour ago, itman said:

In regards to the .vbs script that only Symantec detects, the VT behavior analysis notes a YARA detection rule. That rule shows code which appears to scan for the presence of AVG being installed. Since Avast appears to detect the above linked steganography malware, those .png files might contain malware.

Thanks for the note, bro.

Actually this photo from the BleepingComputer post you mentioned

chain(3).png

is actually how the trojan works:

File (came through whatever way) --> DLL with whatever vulnerable software --> PNG from imgur --> PowerShell to C&C (communication blocked by Fortinet first), then ESET was installed to clean PowerShell, which was successful in doing so.

Since a DLL beside a trusted application is a stealthy way for malware to proceed, since everything is marked Trusted/Safe, the trojan has no problem proceeding however it likes.

With PNGs being downloaded from a Trusted/Safe place, no web filter/DNS filter would stop imgur.com unless it was filtered on purpose to stop users from accessing it.

PowerShell would silently communicate with its C&C server without being detected by anyone unless the C&C and the shell are detected by security vendors.

If the shell is not detected, and will always be revived by schedulers if something happens to it, then access would be granted to the device all the time, and then anything can happen: ransomware or any other attacks.

 

Edited by Nightowl
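As an added example (not code from this thread or from ESET), here is a small Python triage of scheduled-task command lines that flags the patterns discussed in the rundll32 post above and in the clean-up notes: rundll32.exe relaunching an unqualified rundll32.exe, rundll32 loading a DLL from a user-profile path, and legitimate program names (vlc.exe, python.exe, firefox.exe, notepad++.exe) running from AppData instead of their install root. The sample actions are constructed; on a real host you would feed it the "Task To Run" column of `schtasks /query /fo csv /v` or the task XML files.

```python
import ntpath
import re

# Constructed sample of scheduled-task actions in the shape this thread describes
# (one is the rundll32 line quoted in the thread; the rest are made up).
SAMPLE_ACTIONS = [
    r'C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\python39.dll",#1',
    r'"C:\Users\user\AppData\Roaming\Adobe\vlc.exe" --intf dummy',
    r'"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file',
    r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL',
    r'"C:\Users\user\AppData\Local\Bhromium\python.exe" -c "import os"',
]

# Legitimate programs the thread saw planted next to malicious DLLs.
ABUSED_HOSTS = {"vlc.exe", "python.exe", "firefox.exe", "notepad++.exe"}
# Install roots where those programs (and system DLLs) are expected to live.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def split_command(action):
    """Tokenise a command line, keeping quoted paths as single tokens."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', action)]


def outside_trusted_roots(path):
    """True when the path is not under Program Files or the Windows directory."""
    return not path.lower().startswith(TRUSTED_ROOTS)


def triage_action(action):
    """Return the reasons a scheduled-task action looks suspicious (empty = clean)."""
    tokens = split_command(action)
    if not tokens:
        return []
    reasons = []
    exe, args = tokens[0], tokens[1:]
    name = ntpath.basename(exe).lower()
    if name == "rundll32.exe":
        # Second token is another rundll32.exe with no directory: it resolves
        # relative to the task's working directory, not System32.
        if args and args[0].lower() == "rundll32.exe":
            reasons.append("rundll32 launching an unqualified rundll32.exe")
            args = args[1:]
        if args:
            dll = args[0].split(",")[0]  # drop the ",#ordinal" / ",Export" suffix
            if outside_trusted_roots(dll):
                reasons.append(f"rundll32 loading DLL from user-writable path: {dll}")
    elif name in ABUSED_HOSTS and outside_trusted_roots(exe):
        reasons.append(f"{name} running from outside its install root: {exe}")
    return reasons


def triage_all(actions):
    """Map each suspicious action to its reasons; clean actions are omitted."""
    findings = {}
    for action in actions:
        reasons = triage_action(action)
        if reasons:
            findings[action] = reasons
    return findings


if __name__ == "__main__":
    for action, reasons in triage_all(SAMPLE_ACTIONS).items():
        print(action)
        for reason in reasons:
            print("   ->", reason)
```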

1 hour ago, Nightowl said:

Actually this photo from BleepingComputer post you mentioned is actually how the trojan works

I find it interesting that Eset which actually discovered this attack method;

Quote

This has been confirmed by researchers at Avast, who built upon the findings of ESET, the first to spot and report on Worok's activity in early September 2022.

ESET warned that Worok targeted high-profile victims, including government entities in the Middle East, Southeast Asia, and South Africa, but their visibility into the group's attack chain was limited. 

Avast's report is based on additional artifacts the company captured from Worok attacks, confirming ESET's assumptions about the nature of the PNG files and adding new information on the type of malware payloads and the data exfiltration method.

can't stop the .dll based loaders from running.


  • Most Valued Members
15 hours ago, itman said:

I find it interesting that Eset which actually discovered this attack method;

can't stop the .dll based loaders from running.

I can confirm detections of what I sent, because I sent the same folder to both ESET and Fortinet, because that is what the endpoints work with.


 

Edited by Nightowl

  • ESET Moderators
17 hours ago, itman said:

Of note is that Eset doesn't consider a file rename to be a file modification, which would result in a re-scan.

 

17 hours ago, Nightowl said:

Most scanners don't care about images by their nature, I think? This is why malware developers now use this way.

 

File rename does not change the file contents, but the scanner checks the real file type, based on the contents of the file. 

 

I passed the info provided to the research lab to check it further.


Thank you guys, Peter


  • Most Valued Members
3 minutes ago, Peter Randziak said:

 

File rename does not change the file contents, but the scanner checks the real file type, based on the contents of the file. 

 

I passed the info provided to the research lab to check it further.


Thank you guys, Peter

Thanks to everyone involved in the topic with help for this threat. I believe the endpoints are clean now; I will keep monitoring for weird things, and if something happens I will report back.

And also thanks to ESET and Fortinet.


  • ESET Moderators

Hello @Nightowl,

thank you for the submissions.
 

PNG files are encrypted blobs; they can't be executed without the loader decrypting them.

This is multi-component malware; there is a chain of files used.

Our detection breaks the chain, making the undetected component useless, and that is our goal here.


BTW, the .vbs script is already detected.

Peter
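Peter's point that the scanner classifies by content rather than by file name, and the thread's PNG-named blobs, suggest a check a responder can run over a quarantine folder. This is an added example, not ESET's code or anything from the thread: a minimal PNG chunk walker in Python that reports whether a file really is a PNG, whether its chunk CRCs hold up, and whether anything has been appended after IEND. The sample files are constructed inside the script.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def build_png(width=1, height=1):
    """Build a minimal valid greyscale PNG (constructed test input, not a real sample)."""
    def chunk(ctype, data):
        body = ctype + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)      # 8-bit grey
    raw = b"".join(b"\x00" + b"\x80" * width for _ in range(height))   # filter 0 per row
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def inspect_png(data):
    """Classify bytes that carry a .png name by walking the chunk structure.

    verdict: 'png' (clean), 'png+trailer' (bytes appended after IEND),
             'not-png' (no PNG signature: renamed blob, PE file, ciphertext),
             'corrupt-png' (signature present but chunks truncated or CRC bad).
    """
    result = {"verdict": None, "chunks": [], "trailer": 0}
    if not data.startswith(PNG_MAGIC):
        result["verdict"] = "not-png"
        return result
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4                  # length + type + data + CRC
        if end > len(data):
            result["verdict"] = "corrupt-png"      # chunk runs past end of file
            return result
        body = data[pos + 4:pos + 8 + length]       # CRC covers type + data
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        if zlib.crc32(body) != crc:
            result["verdict"] = "corrupt-png"      # PNG header pasted onto other bytes
            return result
        result["chunks"].append(ctype.decode("ascii", "replace"))
        pos = end
        if ctype == b"IEND":
            break
    else:
        result["verdict"] = "corrupt-png"          # ran out of data before IEND
        return result
    result["trailer"] = len(data) - pos
    result["verdict"] = "png+trailer" if result["trailer"] else "png"
    return result


# Constructed samples mirroring what the thread describes.
SAMPLES = {
    "clean.png": build_png(),
    "appended.png": build_png() + b"BASE64PAYLOAD==",   # payload glued after IEND
    "renamed_exe.png": b"MZ\x90\x00" + b"\x00" * 60,    # PE header under a .png name
    "blob.png": bytes(range(256)),                       # opaque encrypted blob
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:16} {inspect_png(data)}")
```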


  • Most Valued Members

Thank you also, Peter, for the assistance.

One last note: after clearing everything, one should reset the Windows Firewall settings in case it's used, because the trojan will open ports for itself in Windows Firewall.


1 hour ago, Nightowl said:

One last note: after clearing everything, one should reset the Windows Firewall settings in case it's used, because the trojan will open ports for itself in Windows Firewall.

Glad you brought up this point.

The Eset firewall by default will check if a Win inbound firewall rule exists and allow the traffic in the following instance: if the inbound network traffic has not been previously blocked by an existing Eset inbound firewall rule. This is a "double-edged sword" scenario in that it's rather trivial for malware to add a new Win firewall rule. On the other hand, the capability facilitates Microsoft-based Win apps running unimpeded.

Edited by itman
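Following up on the firewall point: an added example (not ESET's or the thread's code) that parses `netsh advfirewall firewall show rule name=all verbose` output in Python and lists enabled inbound Allow rules whose program lives outside Program Files or the Windows directory, which is where a planted vlc.exe or python.exe would show up. The netsh text below is constructed for the example and approximates the real field layout; on a host, run the command and pass its output to `parse_rules`.

```python
import re

# Constructed sample in the shape of `netsh advfirewall firewall show rule name=all verbose`
# output (three rules made up for this example; field layout approximated).
SAMPLE_NETSH = """\
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Action:                               Allow
Program:                              C:\\Windows\\System32\\svchost.exe

Rule Name:                            vlc
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
LocalPort:                            Any
Action:                               Allow
Program:                              C:\\Users\\user\\AppData\\Roaming\\Adobe\\vlc.exe

Rule Name:                            Firefox (C:\\Program Files\\Mozilla Firefox)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Action:                               Allow
Program:                              C:\\Program Files\\Mozilla Firefox\\firefox.exe
"""

# Install roots where a program behind an inbound allow rule is expected to live.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def parse_rules(text):
    """Split netsh output into a list of {field: value} dicts, one per rule."""
    rules, current = [], None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s+(.*)$", line)
        if not m:
            continue                      # separator lines and blanks
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Rule Name":            # each rule block starts with its name
            current = {}
            rules.append(current)
        if current is not None:
            current[key] = value
    return rules


def suspicious_inbound_rules(rules):
    """Names of enabled inbound Allow rules whose program is outside trusted roots."""
    hits = []
    for rule in rules:
        prog = rule.get("Program", "").lower()
        if (rule.get("Enabled") == "Yes" and rule.get("Direction") == "In"
                and rule.get("Action") == "Allow" and prog
                and not prog.startswith(TRUSTED_ROOTS)):
            hits.append(rule["Rule Name"])
    return hits


if __name__ == "__main__":
    for name in suspicious_inbound_rules(parse_rules(SAMPLE_NETSH)):
        print("review inbound allow rule:", name)
```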

4 hours ago, Peter Randziak said:

Our detection breaks the chain, making the undetected component useless, and that is our goal here.

In this instance, yes, since Eset had signatures for the payload components. If those components were 0-day ones, the attack would have succeeded.


I will also state this about this attack. It's a classic example for implementing the zero-trust security template in corp. environments that both Microsoft and almost all security experts presently recommend.

Ref.: https://www.techtarget.com/searchsecurity/feature/How-to-implement-zero-trust-security-from-people-who-did-it

Edited by itman

Another Remcos attack, this time using:

Quote

DBatLoader, also called ModiLoader and NatsoLoader, is a Delphi-based malware that's capable of delivering follow-on payloads from cloud services like Google Drive and Microsoft OneDrive, while also adopting image steganography techniques to evade detection engines.

Of note in regards to Microsoft Defender:

Quote

This enables the attackers to conduct elevated activities without alerting users, including establishing persistence and adding the "C:\Users" directory to the Microsoft Defender exclusion list to avoid getting scanned.

https://thehackernews.com/2023/03/stealthy-dbatloader-malware-loader.html

-EDIT-

Notice the similarity in attack method to the Remcos variant used as the subject of the original posting:

Quote

A caveat here is that the directories cannot be directly created from within the Windows Explorer user interface, instead requiring the attacker to rely on a script to accomplish the task and copy to the folder a rogue DLL and a legitimate executable (easinvoker.exe) that's vulnerable to DLL hijacking in order to load the DLL payload.

 

Edited by itman

It also appears vlc.exe is a favorite among hackers for exploiting. Might be time to label it a PUA:

Quote

Definitely Not Just Vlc.exe

Since October 2022, CrowdStrike Intelligence has observed abuse of particular DLL side-loading to further various intrusions. In November and early December 2022, CrowdStrike identified a number of ransomware intrusions targeting the health sector which also had similar TTPs. In these cases, the threat actors used a copy of vlc.exe masquerading as the Windows binary msdtc.exe (Microsoft Distributed Transaction Coordinator). This file normally resides in C:\Windows\System32 whereas these executions were often from user-related folders such as C:\Users\<username>\Documents. The renamed vlc.exe would load a malicious DLL, libvlc.dll, which contained a Cobalt Strike payload.

https://www.crowdstrike.com/blog/dll-side-loading-how-to-combat-threat-actor-evasion-techniques/

Edited by itman

As far as Microsoft Defender (joke software) goes, here's how the REvil ransomware group exploited it using DLL side-loading:

Quote

The malware uses DLL side-loading to execute the ransomware code. This technique allows the attacker to execute malicious DLLs that spoof legitimate ones. This technique has been used in many APTs to avoid detection. In this attack, MsMpEng.exe loads the functions of MpSvc.dll during the time of execution. However, the attacker has replaced the clean MpSvc.dll with the ransomware binary of the same name. The malicious DLL file has an export function named ServiceCrtMain, which is further called and executed by the Microsoft Defender file. This is a clever technique used by the attacker to execute a malicious file using the Microsoft digitally signed binary.

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/revil-ransomware-uses-dll-sideloading/


Speaking of DLL side-loading attacks, there is the one currently highlighted at the top of the Eset forum home web page. This one is your worst nightmare since it's embedded in a trusted installer or update:

Quote

SentinelOne and Sophos also revealed in reports published Thursday evening that the trojanized 3CX desktop app is being downloaded in a supply chain attack.

This supply chain attack, dubbed 'SmoothOperator' by SentinelOne, starts when the MSI installer is downloaded from 3CX's website or an update is pushed to an already installed desktop application.

[Image: Update process installing the malicious files (Sophos)]

When the MSI or update is installed, it will extract malicious ffmpeg.dll [VirusTotal] and the d3dcompiler_47.dll [VirusTotal] DLL files, which are used to perform the next stage of the attack.

While Sophos states that the 3CXDesktopApp.exe executable is not malicious, the malicious ffmpeg.dll DLL will be sideloaded and used to extract and decrypt an encrypted payload from d3dcompiler_47.dll.

This decrypted shellcode from d3dcompiler_47.dll will be executed to download icon files hosted on GitHub that contain Base64 encoded strings appended to the end of the images, as shown below.

[Image: Base64 strings embedded in ICO files (BleepingComputer)]

The GitHub repository where these icons are stored shows that the first icon was uploaded on December 7th, 2022.

SentinelOne says the malware uses these Base64 strings to download a final payload to the compromised devices, a previously unknown information-stealing malware downloaded as a DLL.

This new malware is capable of harvesting system info and stealing data and stored credentials from Chrome, Edge, Brave, and Firefox user profiles.

https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/

Edited by itman
