National Cyber Warfare Foundation (NCWF) Forums


Stories from the SOC Part 2: MSIX Installer Utilizes Telegram Bot to Execute IDAT Loader


0 user ratings
2024-04-10 13:09:14
milo
Red Team (CNA)

 - archive -- 
In part one of our blog series, we discussed how a Rust based application was used to download and execute the IDAT Loader. In part two of this series, we will be providing analysis of how an MSIX installer led to the download and execution of the IDAT Loader.

Stories from the SOC Part 2: MSIX Installer Utilizes Telegram Bot to Execute IDAT Loader

Rapid7’s Managed Detection and Response (MDR) team continuously monitors our customers' environments, identifying emerging threats and developing new detections.

In August 2023, Rapid7 identified a new malware loader named the IDAT Loader. Malware loaders are a type of malicious software designed to deliver and execute additional malware onto a victim's system. What made the IDAT Loader unique was the way in which it retrieved data from PNG files, searching for offsets beginning with 49 44 41 54 (IDAT).

In part one of our blog series, we discussed how a Rust based application was used to download and execute the IDAT Loader. In part two of this series, we will be providing analysis of how an MSIX installer led to the download and execution of the IDAT Loader.

While utilization of MSIX packages by threat actors to distribute malicious code is not new, what distinguished this incident was the attack flow of the compromise. Based on the recent tactics, techniques and procedures observed (TTPs), we believe the activity is associated with financially motivated threat groups.

Stories from the SOC Part 2: MSIX Installer Utilizes Telegram Bot to Execute IDAT Loader
Figure 1 - Attack Flow

MSIX Installers

In January of 2024, Red Canary released an article attributing different threat actors to various deployments of malicious MSIX installers. The MSIX installers employed a variety of techniques to deliver initial payloads onto compromised systems.

All the infections began with users navigating to typo squatted URLs after using search engines to find specific software package downloads. Typo squatting aka URL hijacking is a specific technique in which threat actors register domain names that closely resemble legitimate domain names in order to deceive users. Threat actors mimic the layout of the legitimate websites in order to lure the users into downloading their initial payloads.

Additionally, threat actors utilize a technique known as SEO poisoning, enabling the threat actors to ensure their malicious sites appear near the top of search results for users.

Technical Analysis

Typo Squatted Malvertising


In our most recent incident involving the IDAT Loader, Rapid7 observed a user downloading an installer for an application named ‘Room Planner’ from a website posing as the legitimate site. The user was searching Google for the application ‘Room Planner’ and clicked on the URL hxxps://roomplannerapp.cn[.]com. Upon user interaction, the users browser was directed to download an MSIX package, Room_Planner-x86.msix (SHA256: 6f350e64d4efbe8e2953b39bfee1040c8b041f6f212e794214e1836561a30c23).

Stories from the SOC Part 2: MSIX Installer Utilizes Telegram Bot to Execute IDAT Loader
Figure 2 - Malvertised Site for Room Planner Application

PowerShell Scripts


During execution of the MSIX file, a PowerShell script, 1.ps1 , was dropped into the folder path C:\Program Files\WindowsApps\RoomPlanner.RoomPlanner_7.2.0.0_x86__s3garmmmnyfa0\ and executed. Rapid7 determined that it does the following:

  • Obtain the IP address of the compromised asset
  • Send the IP address of the compromised asset to a Telegram bot
  • Retrieve an additional PowerShell script that is hosted on the Telegram bot
  • Delete the message containing the IP address of the compromised asset
  • Invoke the PowerShell script retrieved from the Telegram bot
Stories from the SOC Part 2: MSIX Installer Utilizes Telegram Bot to Execute IDAT Loader
Figure 3 - PowerShell script 1.ps1 contained within MSIX file Room_Planner-x86.msix

In a controlled environment, Rapid7 visited the Telegram bot hosting the next stage PowerShell script and determined that it did the following:

  • Retrieve the IP address of the compromised asset by using Invoke-RestMethod which retrieved data from the domain icanhazip[.]com
  • Enumerate the compromised assets Operating System, domain and AV products
  • Send the information to the Telegram bot
  • Create a randomly generated 8 character name, assigning it to the variable $JAM
  • Download a gpg file from URL hxxps://read-holy-quran[.]group/ld/cr.tar.gpg, saving the file to %APPDATA% saving it as the name assigned to the $JAM variable
  • Decrypt the contents of the gpg file using the passphrase ‘riudswrk’, saving them into a newly created folder named after the $JAM variable within C:\ProgramData\$JAM\cr\ as a .RAR archive file
  • Utilize tar to unarchive the RAR file
  • Start an executable named run.exe from within the newly created folder
  • Create a link (.lnk) file within the Startup folder, named after the randomly generated name stored in variable $JAM, pointing towards run.exe stored in file path C:\ProgramData\$JAM\cr\ in order to create persistence
  • Read in another PowerShell script hosted on a Pastebin site, hxxps://pastebin.pl/view/raw/a137d133 using downloadstring and execute its contents (the PowerShell script is a tool used to bypass AMSI) with IEX (Invoke-Expression)
  • Download data from URL hxxps://kalpanastickerbindi[.]com/1.jpg and reflectively load the contents and execute the program starting at function EntryPoint (indicating the downloaded data is a .NET Assembly binary)
Stories from the SOC Part 2: MSIX Installer Utilizes Telegram Bot to Execute IDAT Loader
Figure 4 - API Bot hosting PowerShell Script
Stories from the SOC Part 2: MSIX Installer Utilizes Telegram Bot to Execute IDAT Loader
Figure 5 - PowerShell AMSI Bypass Tool

After analysis of the AMSI (Anti Malware Scan Interface) bypass tool, we observed that it was a custom tool giving credit to a website, hxxps://rastamosue[.]memory-patching-amsi-bypass, which discusses how to create a program that can bypass AMSI scanning.

AMSI is a scanning tool that is designed to scan scripts for potentially malicious code after a scripting engine attempts to run the script. If the content is deemed malicious, AMSI will tell the scripting engine (in this case PowerShell) to not run the code.

RAR Contents


Contained within the RAR file were the following files:














































FilesDescription
Dharna.7zFile contains the encrypted IDAT Loader config
Guar.xslxFile contains random bytes, not used during infection
Run.exeRenamed WebEx executable file, used to sideload DLL WbxTrace.dll
Msvcp140.dllBenign DLL read by Run.exe
PtMgr.dllBenign DLL read by Run.exe
Ptusredt.dllBenign DLL read by Run.exe
Vcruntime140.dllBenign DLL read by Run.exe
Wbxtrace.dllCorrupted WebEx DLL containing IDAT Loader
WCLDll.dllBenign WebEx DLL read by Run.exe

After analysis of the folder contents, Rapid7 determined that one of the DLLs, wbxtrace.dll, had a corrupted signature, indicating that its original code was tampered with. After analyzing the modified WebEx DLL, wbxtrace.dll, Rapid7 determined the DLL contained suspicious functions similar to the IDAT Loader.

Stories from the SOC Part 2: MSIX Installer Utilizes Telegram Bot to Execute IDAT Loader
Figure 6 - Analysis showing Corrupt Signature of wbxtrace.dll


Upon extracting the contents of the RAR file to the directory path C:\ProgramData\cr, the PowerShell script executes the run.exe executable.

The IDAT Loader


During execution of run.exe (a legitimate renamed WebEx executable), the executable sideloads the tampered WebEx DLL, wbxtrace.dll. Once the DLL wbxtrace.dll is loaded, the DLL executes a section of new code containing the IDAT Loader, which proceeds to read in contents from within dharna.7z.

After reading in the contents from dharna.7z, the IDAT Loader searches for the offset 49 44 41 54 (IDAT) followed by C6 A5 79 EA. After locating this offset, the loader reads in the following 4 bytes, E1 4E 91 99, which are used as the decryption key for decrypting the rest of the contents. Contained within the decrypted contents are additional code, specific DLL and Executable file paths as well as the final encrypted payload that is decrypted with a 200 byte XOR key.

The IDAT loader employs advanced techniques such as Process Doppelgänging and the Heaven’s Gate technique in order to initiate new processes and inject additional code. This strategy enables the loader to evade antivirus detections and successfully load the final stage, SecTop RAT into the newly created process, msbuild.exe.

We recently developed a configuration extractor capable of decrypting the final payload concealed within the encrypted files containing the IDAT (49 44 41 54) sections. The configuration extractor can be found on our Rapid7 Labs github page.

After using the configuration extractor, we analyzed the SecTop RAT and determined that it communicates with the IP address 91.215.85[.]66.

Rapid7 Customers

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections deployed and alerting on activity described:

  • Attacker Technique - Advanced Installer .MSI Executable Spawns Powershell
  • Suspicious Process - Execution From Root of ProgramData
  • Suspicious Process - PowerShell Uncommon Upper And Lower Case Combinations
  • Suspicious Process - explorer.exe in Non-Standard Location

MITRE ATT&CK Techniques





























































TacticsTechniquesDetails
ExecutionCommand and Scripting Interpreter: PowerShell (T1059.001)1.ps1 is used to fingerprint compromised machine and execute additional PowerShell scripts
ExecutionNative API (T1106)The IDAT injector and IDAT loader are using Heaven’s Gate technique to evade detection
ExecutionUser Execution: Malicious File (T1204.002)User executes the binary Room_Planner-x86.msix
Defense EvasionMasquerading: Match Legitimate Name or Location (T1036.005)Malicious MSIX masquerades as legitimate Room Planner installer
Defense EvasionDeobfuscate/Decode Files or Information (T1140)gpg.exe used to decrypt cr.tar.gpg
Defense EvasionHijack Execution Flow: DLL Search Order Hijacking (T1574.001)run.exe loads a malicious wbxtrace.dll
Defense EvasionReflective Code Loading (T1620)PowerShell script loads a binary hosted at kalpanastickerbindi[.]com/1.jpg
Defense EvasionProcess Injection (T1055)IDAT injector implements NtCreateSection + NtMapViewOfSection Code Injection technique to inject into cmd.exe process
Defense EvasionProcess Injection: Process Doppelgänging (T1055.013)IDAT loader implements Process Doppelgänging technique to load the SecTop RAT
Defense EvasionVirtualization/Sandbox Evasion: Time Based Evasion (T1497.003)Execution delays are performed by several stages throughout the attack flow

IOCs














































IOCSha256Notes
Room_Planner-x86.msix6f350e64d4efbe8e2953b39bfee1040c8b041f6f212e794214e1836561a30c23Initial installer containing PowerShell scripts
1.ps1928bd805b924ebe43169ad6d670acb2dfe45722e17d461ff0394852b82862d23Dropped and executed by the Room_Planner-x86.msix
wbxtrace.dll1D0DAF989CF28852342B1C0DFEE05374860E1300106FF7788BBA26D84549B845Malicious DLL executed by run.exe, the renamed Cisco Webex binary
Dharna.7zB7469153DC92BF5DE9BF2521D9550DF21BC4574D0D0CFC919FF26D1071C000B2Encrypted payload decrypted by wbxtrace.dll
read-holy-quran[.]group/ld/cr.tar.gpgHosts GPG file containing RAR file
kalpanastickerbindi[.]com/1.jpgHosts .NET executable downloaded from API Bot PowerShell script
91.215.85[.]66SecTop RAT domain

References






























ArticleURL
MSIX installer malware delivery on the rise across multiple campaignshttps://redcanary.com/blog/msix-installers/
Process Doppelgänginghttps://malware.news/t/uncovering-the-serpent/76253
Analysis of “Heaven’s Gate” part 1https://sachiel-archangel.medium.com/analysis-of-heavens-gate-part-1-62cca0ace6f0
Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealershttps://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/
Stories from the SOC Part 1: IDAT Loader to BruteRatelhttps://www.rapid7.com/blog/post/2024/03/28/stories-from-the-soc-part-1-idat-loader-to-bruteratel/



Source: Rapid7
Source Link: https://blog.rapid7.com/2024/04/10/stories-from-the-soc-part-2-msix-installer-utilizes-telegram-bot-to-execute-idat-loader/


Comments
new comment
Nobody has commented yet. Will you be the first?
 
Forum
Red Team (CNA)



Copyright 2012 through 2024 - National Cyber Warfare Foundation - All rights reserved worldwide.