Attack campaign analysis and interdiction: Async RAT

-

 

Threat hunting in public sandboxes has been, admittedly, a hobby of mine for the last two years or so. Recently, I have been looking through the geo-specific uploads that arrive in one such sandbox called Any.Run. It is no secret I am from the UK, so from time-to-time I like to check what malware is currently being sent to companies in the UK. This one caught my eye:

The file "astro-grep-setup.exe.doc" (available on Any.Run here) was not uploaded to the sandbox by me, but instead by some stranger from the UK (or is potentially using a VPN server in the UK). It is 596 pages long and 1.38 MB. The attacker behind this document has used an interesting technique: macros are enabled when the document is opened and they deliver an installer for a legitimate app called "AstroGrep" (an open source Windows grep utility), which is also packed with another malicious application containing the Async RAT. This technique is known as using a "binder" putting two apps in one, see it in action on YouTube here and on GitHub here.

Using the built-in features by the sandbox we can see the process tree utilised in the RAT attack:

We can see that WINDWORD.EXE drops ms.exe, which leads to two files: ASTRO-GREP.EXE (the malware) and ASTROGREP_SETUP_V4.4.7.EXE (the legitimate installer): 

  • Document: astro-grep-setup.exe.doc
    • SHA256: 2f5639932c7a25cf51737748cdc495367a9203e0a963f930f0009935109da190
    • Abuse.ch - available here
  • Executable: ms.exe
    • SHA256: d5a8b6cb7b39d6f71ce67c6c8e17030079f2778087ee12c0ad45bd823f7bd53c
    • Abuse.ch - available here
  • Executable: ASTRO-GREP.EXE
    • SHA256: 17d1c0045155ad9c523c07e0f37aa16cd036915f38b73090d8d8ba930db149fb
    • Abuse.ch - available here
  • Installer: astrogrep_setup_v4.4.7.exe
    • SHA256:  5c4faebe335fee04b25b10aa2a0e580571388bde2cc09e133c72d9d01bc09423
    • Legitimate app - VT here, Sourceforge here

Threat Cartography

If you have been reading my blog or following me on Twitter It is no secret that one of my favourite parts about threat analysis is mapping campaigns. I like to use several platforms for this including VirusTotal, Maltego, and draw.io, among others. Using the IOCs we have gathered from the sandbox I investigated the infrastructure used by the threat actor further. Using the VirusTotal relations tab I (admittedly with the help of @Arkbird_SOLG who beat me to it 😉) was able to locate the C&C server used to deliver the second stage payload: 

The file ASTRO-GREP.EXE contained a Pastebin link, which concealed the C&C server IP address and Port used by the RAT operator. Interestingly enough, the same C&C server has been used by other payloads, indicating it is the attacker's main staging server:

We now have a clearer picture of the scope of the campaign and additional IOCs to prevent any further attacks from this infrastructure. Although the other EXEs were not necessarily used in these attack, they are malicious and I would consider blocking them too.

Research

Further investigation into the malware samples used in this campaign revealed some more interesting features. According to VirusTotal, the file ASTRO-GREP.EXE was created on 2020-05-10 yet the document was created on 2021-07-17. It turns out the first file (the second stage payload) has been seen before by VirusTotal several months ago and was previously called Stub.exe. This could indicate that the threat actor behind these attacks has not altered the payload for other campaigns, but is changing the delivery technique. This does, however, benefit defenders as it is much more likely to get detected by AV/EDR tools if it has been seen previously before in the wild. 

Also, you may have missed it, but the Pastebin link contained a username and the number of how many times it was viewed. Using this information we can tell the threat actor is called "Serverconnector" and, at the time of finding it, the link had been visted 671 times! I submitted a takedown and Pastebin suspended it within 24 hrs:


Additional Resources:

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

-
Image
After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker as Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention. Background on Scattered Spider CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023 . These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access. Other tricks Scattered Spider is known for includes multi-factor
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more