{"id":130,"date":"2022-03-29T18:58:04","date_gmt":"2022-03-29T18:58:04","guid":{"rendered":"https:\/\/blog.scilabs.mx\/en\/?p=130"},"modified":"2022-03-29T18:58:04","modified_gmt":"2022-03-29T18:58:04","slug":"a-polymorphic-malware-distributed-by-usb-devices-in-mexico","status":"publish","type":"post","link":"https:\/\/blog.scilabs.mx\/en\/2022\/03\/29\/a-polymorphic-malware-distributed-by-usb-devices-in-mexico\/","title":{"rendered":"A polymorphic malware distributed by USB devices in Mexico"},"content":{"rendered":"

In recent months, SCILabs detected a new threat distributed via USB devices with the ability to self-replicate, modify multiple operating system files to harm them, download dynamic new malicious code, and add the infected computer to a botnet. This malware operates through polymorphic code with multiple environment validations and evasion techniques, making it difficult to detect.<\/span>\u00a0<\/span><\/p>\n

SCILabs performed extensive research on the threat to identify other similar artifacts with greater coverage and detection, however, no more artifacts were identified with similar behavior. On the other hand, in a segment of the malware code, the cybercriminal uses a field which is sent to the C2 site to identify the version of the malware that infected the device, which could represent that there are other versions of malware.<\/span>\u00a0<\/span><\/p>\n

Artifact capabilities<\/span><\/b>\u00a0<\/span><\/p>\n

When analyzing the artifact, we observe that it is <\/span>a Visual Basic Script<\/span><\/i> file that contains very few functions and most of the code is commented. This code is mixed and concatenated to make it difficult to analyze. On the other hand, the malware itself will be able to re-read its own commented code and modify itself through execution. Additionally, there are multiple delays of several minutes for each step of the malware to avoid being analyzed by a sandbox or automated tools.<\/span>\u00a0<\/span><\/p>\n

\"\"
Figure 1 Code for Runtime Environment Verification<\/figcaption><\/figure>\n
    \n
  • The first phase of the malware oversees verifying that the computer was not previously compromised and then copies the malware onto the victim\u2019s computer.\u00a0 The verification is done through <\/span>WMI<\/span><\/i> and the malware will check that the “<\/span>Urm_At_Tawill<\/span><\/b>” process does not exist, if it does, this could be considered a kill switch.<\/span>\u00a0<\/span><\/li>\n<\/ul>\n
      \n
    • On the other hand, the malware will create a file called <\/span>fuckyou_powershell.bat<\/span><\/b> which will be used to modify execution permissions and elevate privileges. The directory where all files will be copied will be <\/span>%ProgramFiles%\\Windows<\/span><\/b>\u00a0<\/span><\/li>\n<\/ul>\n
        \n
      • The malware will modify the shortcuts (.lnk files) on the victim’s device, as well as the shortcut icons on the taskbar, in order to generate persistence.<\/span>\u00a0<\/span><\/li>\n<\/ul>\n
          \n
        • Subsequently, the malware will try to spread massively on all removable drives on the computer.<\/span>\u00a0<\/span><\/li>\n<\/ul>\n
            \n
          • Once the malware installation process is complete, the information gathering will begin. The malware will get antivirus information, username, operating system version, computer domain, malware version, and a list of file names in the computer’s user folder. This information will be stored in different files, which are named “<\/span>servant<\/span><\/b>“, “<\/span>map<\/span><\/b>” and “<\/span>Dreams<\/span><\/b>“.<\/span>\u00a0<\/span><\/li>\n<\/ul>\n
              \n
            • The malware will obtain the IP address of the C2 site from a predefined URL in the code corresponding to the Pastebin site. The information will be downloaded in a file called <\/span>coordinates_of_Rlyeh<\/span><\/b>.\u00a0<\/span>\u00a0<\/span><\/li>\n<\/ul>\n
                \n
              • Once all the necessary files have been created, they will be read and concatenated, encrypted with the XOR and finally encoded with base64 to be sent to the C2 site of the cybercriminal to register the victim\u2019s computer.\u00a0<\/span>\u00a0<\/span><\/li>\n<\/ul>\n
                  \n
                • Once the malware has registered, a new series of data will be downloaded that will serve as a token to establish continuous communication with the C2 server.<\/span>\u00a0<\/span><\/li>\n<\/ul>\n
                    \n
                  • The device will listen to it trying to connect to the C2 server and execute the code it receives, turning the computer into a bot.<\/span>\u00a0<\/span><\/li>\n<\/ul>\n
                    \"\"
                    Figure 2 Rewriting the artifact<\/figcaption><\/figure>\n

                    TTPs observed aligned to MITRE\u2019s ATT&CK framework.<\/span><\/b>\u00a0<\/span><\/p>\n\n\n\n\n\n\n\n
                    Initial Access<\/span><\/b>\u00a0<\/span><\/td>\nExecution<\/span><\/b>\u00a0<\/span><\/td>\nDefense Evasion<\/span><\/b>\u00a0<\/span><\/td>\nDiscovery<\/span><\/b>\u00a0<\/span><\/td>\nLateral Movement<\/span><\/b>\u00a0<\/span><\/td>\nCollection<\/span><\/b>\u00a0<\/span><\/td>\nCommand and Control<\/span><\/b>\u00a0<\/span><\/td>\n<\/tr>\n
                    T1091 <\/span>– <\/span>Replication Through Removable Media<\/span>\u00a0<\/span><\/td>\nT1059.005 – Command and Scripting Interpreter: Visual Basic<\/span>\u00a0<\/span><\/td>\nT1140 – Deobfuscate\/Decode Files or Information<\/span>\u00a0<\/span><\/td>\nT1083 – File and Directory Discovery<\/span>\u00a0<\/span><\/td>\nT1091 – Replication Through Removable Media<\/span>\u00a0<\/span><\/td>\nT1005 – Data from Local System<\/span>\u00a0<\/span><\/td>\nT1132.001 – Data Encoding: Standard Encoding<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
                    \u00a0<\/span><\/td>\nT1204.002 – User Execution: Malicious File<\/span>\u00a0<\/span><\/td>\nT1222.001 – File and Directory Permissions Modification: Windows File and Directory Permissions Modification<\/span>\u00a0<\/span><\/td>\nT1518.001 – Software Discovery: Security Software Discovery<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\nT1025 – Data from Removable Media<\/span>\u00a0<\/span><\/td>\nT1071.001 – Application Layer Protocol: Web Protocols<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
                    \u00a0<\/span><\/td>\nT1047 – Windows Management Instrumentation<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\nT1082 – System Information Discovery<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\nT1573.001 – Encrypted Channel: Symmetric Cryptography<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
                    \u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\nT1033 – System Owner\/User Discovery<\/span>\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

                    Attack flow<\/span><\/b>\u00a0<\/span><\/p>\n

                    \"\"
                    Figure 3 Attack flow<\/figcaption><\/figure>\n

                    IOC<\/span><\/b>\u00a0<\/span><\/p>\n

                    89AF91CD188781990143916D585706B3<\/span>\u00a0<\/span><\/p>\n

                    9B48FBD8141EFB90A4F2DCD862ADE2694EDB0B0D<\/span>\u00a0<\/span><\/p>\n

                    CE4CDB2D768185936C11BA4EF30EB6EAD5F59046C0E5D5475831CEF3DAE80422<\/span>\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

                    In recent months, SCILabs detected a new threat distributed via USB devices with the ability to self-replicate, modify multiple operating<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-130","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/130","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/comments?post=130"}],"version-history":[{"count":0,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/130\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/media?parent=130"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/categories?post=130"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/tags?post=130"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}