{"id":137,"date":"2022-07-01T16:36:50","date_gmt":"2022-07-01T16:36:50","guid":{"rendered":"https:\/\/blog.scilabs.mx\/en\/?p=137"},"modified":"2022-07-01T16:36:50","modified_gmt":"2022-07-01T16:36:50","slug":"blackparty-trojan","status":"publish","type":"post","link":"https:\/\/blog.scilabs.mx\/en\/2022\/07\/01\/blackparty-trojan\/","title":{"rendered":"BlackParty Trojan"},"content":{"rendered":"

\"\"<\/h1>\n

Overview<\/h1>\n

The following post provides TTPs and IoCs identified by SCILabs related to a campaign detected in Mexico delivering a new trojan named by SCILabs as BlackParty<\/strong>. Our team discovered high activity for this threat as part of security monitoring in the region using our telemetry. The main goal of the trojan is to add infected devices to a botnet and then carry out malicious activities such as information theft and full control of the infected computer.<\/p>\n

By analyzing the artifacts and TTPs used by the threat, such as the use of the Mexican government’s page of the “Servicio de Administraci\u00f3n Tributaria (SAT)<\/em>“, SCILabs considers with high confidence that this campaign is directed at users from Mexico. It should be noted that according to the geopolitical context of the country, in the last days of April this government webpage is quite used by taxpayers, so it is very common to see SAT impersonation sites. On the other hand, we are not sure if the URL is being distributed through phishing emails, however, most similar threats in LATAM are distributed in this way, so it is highly likely that this is their distribution vector.<\/p>\n

It is worth mentioning that when we hunt for more artifacts like this threat, we observe in VirusTotal<\/a> that it has been present in the wild for several months, and detection is very low by most security solutions, and some artifacts are not detected as malicious. For this reason, it is very important for SCILabs to alert about this threat to prevent organizations from being victims.<\/p>\n

How could it affect an organization?<\/h1>\n

The main objective of this campaign is the theft of information and total control of the infected computer; If the attack is successful, the confidentiality, integrity and availability of the organizations’ information could be affected. Furthermore, as we have seen with similar trojans such as BlackMarley, the device can be used to perform lateral movements in the network and carry out a more dangerous attack.<\/p>\n

Analysis<\/h1>\n

Threat Context<\/h2>\n

In the security monitoring in the region, we observed an apocryphal website which was supplanting the Mexican SAT through the url hxxps[:]\/\/elindio[.]com[.]mx\/sat<\/strong> whose interface is identical to the legitimate site of the “Servicio de Administraci\u00f3n Tributaria\u201c<\/em>, for this reason, we carried out a detailed analysis and investigation and observed that it was a new malware campaign. SCILabs is not sure how the link to this website is being distributed, however, it is possible that it is distributed through emails as has happened with similar threats.<\/p>\n

When analyzing the code of the site, we observe that it performs a verification of the country from which it is being visited, if it had previously been visited and the details of the device. After doing the verification process, it will show the apocryphal SAT site if it passes the verification tests and if not, it will show the legitimate SAT site.<\/p>\n

\"Figure
Figure 1 Main page of the apocryphal site<\/figcaption><\/figure>\n

After a few seconds, the site will display a pop-up in which it will ask the victim to enter a captcha and then download the so-called user manual on how to use the website.<\/p>\n

\"Figure
Figure 2 Pop-up requesting to download the malware<\/figcaption><\/figure>\n

Technical Summary<\/h1>\n

The downloaded artifact is compressed and is named “Sat.zip”. When decompressing it, there is a file in batch file format called “Sat.bat” whose objective is to download, decompress and execute the file from the URL hxxps[:]\/\/elindio[.]com[.]mx\/sat\/redir[.]php<\/strong> through of a PowerShell command.<\/p>\n

\"Figure
Figure 3 Obfuscated dropper code<\/figcaption><\/figure>\n
\"Figure
Figure 4 Deobfuscated dropper code<\/figcaption><\/figure>\n

It is important to mention that the downloaded executable is digitally signed by the company HB Sistemas 2012<\/strong> C.A with the email totalsoftware.lzarate[@]gmail.com<\/strong><\/p>\n

\"Figure
Figure 5 Malicious artifact certificate<\/figcaption><\/figure>\n

Once the compressed artifact is executed, it will generate a file called bs_gu.d<\/strong> with malicious code, verify the architecture of the operating system and abuse the Windows complement called LaunchWinApp.exe<\/strong> to load this malicious code. Additionally, it will generate persistence in the path %AppData%\\Local\\Microsoft\\Windows\\Explorer<\/strong> and in the path %AppData%\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup.<\/strong><\/p>\n

\"Figure
Figure 6 Persistence process in the infected operating system<\/figcaption><\/figure>\n

Finally, the artifact collects information from the infected device. The data collected includes the following:<\/p>\n