Analysis of Attack Cases: From Korean VPN Installations to MeshAgent Infections

AhnLab Security Emergency response Center (ASEC) previously covered a case in which SparkRAT was distributed inside a Korean VPN’s installer, in the post “SparkRAT Being Distributed Within a Korean VPN Installer” [1]. The VPN was widely installed by Chinese users who needed better access to the Internet, and the problem was addressed after the post was published.

However, recent cases show that SparkRAT is again being distributed through the same VPN company’s installer. Distribution had stopped for a period, but the similar attack flow and the use of SparkRAT during the attack suggest that the same threat actor is involved.

This post covers the recent cases and highlights what differs from the earlier incident: a dropper written in Go is used instead of a packer written in .NET, and the MeshAgent of MeshCentral is installed to add remote desktop capability.


1. Attack Flow

The initial distribution method appears to be the same as before: the threat actor compromised the VPN company’s website and replaced the installation file with malware. As a result, users who download and run the VPN installer from the site unknowingly install the malware along with the genuine VPN installer.

Figure 1. Official VPN company website that contains SparkRAT

The following flow chart shows the installation process. First, a downloader created by the malicious installer downloads SparkRAT. The threat actor then sends commands to SparkRAT to install MeshAgent on the infected system. The installed MeshAgent connects to the MeshCentral server and registers itself as an agent to be managed, giving the threat actor control of the device through the public MeshCentral server.

Figure 2. Attack flow chart


2. GoLang Malware

One notable difference from the previous attacks is that most of the malware is written in Go rather than .NET. The threat actor used Go droppers and downloaders throughout the attack, and since SparkRAT is itself written in Go, every piece of malware in this attack is Go-based.

The two droppers used in the attack are the disguised installer and the malware that installs MeshAgent. Both are obfuscated Go binaries with a similar structure: on execution, the malware embedded in the PE file is written to disk and executed. The disguised installer additionally registers the dropped “start.exe” as a scheduled task with the following command.

Figure 3. Malware within the PE file

schtasks.exe /Create /ru SYSTEM /f /SC ONLOGON /rl highest /tn "system update" /tr [%LOCALAPPDATA%]/start.exe

“start.exe” is a downloader, also written in Go. It is not obfuscated and is responsible for downloading and executing additional malware from an external server. Because the task above runs as SYSTEM on every logon with the highest run level, the downloader is re-executed with elevated privileges each time a user logs on. As in the previous cases, SparkRAT is downloaded from the address specified in the downloader.

Figure 4. Downloader routine
Figure 5. Log of SparkRAT being downloaded


3. SparkRAT

The SparkRAT used in the attack is a RAT written in Go that provides basic functions such as command execution, information theft, and process and file control. Notably, it supports not only Windows but also Linux and macOS.

Figure 6. Decrypted configuration data of SparkRAT
Figure 7. Encrypted HTTPS packet of SparkRAT

The threat actor used SparkRAT to deliver PowerShell commands that install MeshAgent. The dropper runs MeshAgent with the "-fullinstall" argument so that it installs itself as a background service without the user’s knowledge.

Figure 8. SparkRAT installing MeshAgent
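The scheduled-task persistence from section 2 and the MeshAgent "-fullinstall" execution described above are both visible in process-creation telemetry. The following is an added example, not code from ASEC or from the malware, that triages constructed Sysmon-style records (Image, ParentImage, CommandLine) for the SYSTEM logon task pointing at a user-writable directory, for MeshAgent being installed from a staging location, and for a core process name such as services.exe running outside System32. The file paths in the sample records are assumptions, not paths reported by ASEC.

```python
"""Triage Windows process-creation records for the behaviours described in
the post: a dropped downloader registered as a SYSTEM logon task via schtasks,
MeshAgent run with "-fullinstall" from outside its install directory, and a
core process name (SparkRAT was dropped as services.exe) running outside
System32. Added example, not ASEC's code. Records use Sysmon Event ID 1 field
names; the sample records and their paths are constructed assumptions."""
import re
from typing import Dict, List, Tuple

TOKEN = re.compile(r'"[^"]*"|\S+')
SCHTASKS = re.compile(r"schtasks(\.exe)?$", re.IGNORECASE)
# Directories a standard user can write to (assumption: extend for your estate).
USER_WRITABLE = re.compile(
    r"%(LOCALAPPDATA|APPDATA|TEMP|TMP)%|\\Users\\[^\\]+\\(AppData|Downloads)\\|\\ProgramData\\",
    re.IGNORECASE)
MESH_DIR = re.compile(r"\\Program Files\\Mesh Agent\\", re.IGNORECASE)
SYSTEM32 = re.compile(r"^[A-Za-z]:\\Windows\\System32\\", re.IGNORECASE)
CORE_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe"}

Finding = Tuple[str, str]


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted arguments as one token."""
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def parse_schtasks(cmdline: str) -> Dict[str, str]:
    """Map the switches of a schtasks command line to their values (lower-cased
    keys without the slash; valueless switches such as /f map to "").
    Returns {} if the command is not schtasks."""
    toks = tokenize(cmdline)
    if not toks or not SCHTASKS.search(toks[0]):
        return {}
    opts: Dict[str, str] = {}
    i = 1
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1]
                i += 2
                continue
            opts[key] = ""
        i += 1
    return opts


def triage(rec: Dict[str, str]) -> List[Finding]:
    """Return (category, detail) findings for one process-creation record."""
    image, parent = rec.get("Image", ""), rec.get("ParentImage", "")
    cmd = rec.get("CommandLine", "")
    findings: List[Finding] = []

    # 1. Persistence: a logon task running as SYSTEM at the highest run level
    #    whose action lives in a user-writable directory, as in the post.
    opts = parse_schtasks(cmd)
    if ("create" in opts and opts.get("ru", "").upper() == "SYSTEM"
            and opts.get("sc", "").upper() == "ONLOGON"
            and opts.get("rl", "").lower() == "highest"
            and USER_WRITABLE.search(opts.get("tr", ""))):
        findings.append(("persistence", f"SYSTEM logon task {opts.get('tn', '')!r} -> {opts['tr']}"))

    # 2. MeshAgent installed as a service from a staging location. A legitimate
    #    admin install also matches, so treat this as a hunting lead, not an alert.
    if "-fullinstall" in (t.lower() for t in tokenize(cmd)) and not MESH_DIR.search(image):
        findings.append(("meshagent", f"-fullinstall from {image} (parent {parent})"))

    # 3. Masquerading: a core Windows process name running outside System32.
    name = image.rsplit("\\", 1)[-1].lower()
    if name in CORE_NAMES and not SYSTEM32.match(image):
        findings.append(("masquerade", f"{name} running from {image}"))
    return findings


def triage_all(records: List[Dict[str, str]]) -> List[List[Finding]]:
    return [triage(r) for r in records]


# Constructed sample records; every path below is an assumption for illustration.
SAMPLE_RECORDS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\victim\Downloads\VPNSetup.exe",
     "CommandLine": r'schtasks.exe /Create /ru SYSTEM /f /SC ONLOGON /rl highest '
                    r'/tn "system update" /tr C:\Users\victim\AppData\Local\start.exe'},
    {"Image": r"C:\Users\victim\AppData\Local\services.exe",      # SparkRAT masquerading
     "ParentImage": r"C:\Users\victim\AppData\Local\start.exe",
     "CommandLine": r"C:\Users\victim\AppData\Local\services.exe"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\go-memexec-2989748128.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\update.exe",
     "CommandLine": r'"C:\Users\victim\AppData\Local\Temp\go-memexec-2989748128.exe" -fullinstall'},
    {"Image": r"C:\Windows\System32\schtasks.exe",                # benign daily task
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /Create /SC DAILY /tn Backup /tr "C:\Program Files\Backup\backup.exe"'},
    {"Image": r"C:\Windows\System32\services.exe",                # the real SCM
     "ParentImage": r"C:\Windows\System32\wininit.exe",
     "CommandLine": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for rec, hits in zip(SAMPLE_RECORDS, triage_all(SAMPLE_RECORDS)):
        print(rec["Image"], "->", hits or "clean")
```

Rule 2 is deliberately loose: a legitimate administrator also runs the downloaded MeshAgent with -fullinstall from a download directory, so the value of the rule comes from correlating it with the parent process and with the MeshID in the resulting configuration rather than from the match alone.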


4. MeshAgent

Threat actors generally install additional malware or remote desktop software even after a backdoor is in place, most likely because a GUI is more convenient than a CLI for carrying out further malicious activity. Accordingly, most Remote Access Trojans (RATs) distributed recently support remote desktop features such as VNC and RDP.

In a previous ASEC Blog post titled “Attackers Abusing Various Remote Control Tools”, the various remote control tools used by threat actors were covered as individual case studies. While the threat actor used MeshAgent in the recent attack, similar attacks can employ a variety of tools such as AnyDesk, TeamViewer, Ammyy, Tmate [2], and NetSupport [3].

Although SparkRAT is classified as a RAT, it does not yet support remote desktop, as it is relatively new malware. With SparkRAT the threat actor can execute commands, collect information, and download additional payloads, but only through its command interface. This appears to be why the threat actor also installs MeshAgent.

MeshCentral is a free, open-source management tool that provides remote control capabilities. The MeshAgent it provides offers system control commands such as command execution and file download, as well as remote desktop functionality comparable to VNC and RDP. While ordinary users use these features to manage their own systems remotely, the same functionality can be abused for malicious purposes.

Figure 9. Official MeshCentral website

A notable characteristic of MeshCentral is its support for many architectures. Users, or threat actors, can select the MeshAgent build that matches their architecture on the MeshCentral server and obtain either an installation command or an installer to download.

Figure 10. Various architectures supported by MeshCentral

When the installation command or the downloaded MeshAgent installer is run, the agent connects to the MeshCentral server and registers the host as a managed device. In other words, once the threat actor runs the downloaded MeshAgent on the target system, the infected system becomes a device under their management.

Figure 11. Devices where MeshAgent is installed

MeshAgent transmits the basic system information needed for remote control and provides features such as power control, account management, chat and message pop-ups, file upload/download, and command execution. It also supports remote desktop, delivered through the web interface in the manner of RDP or VNC. These characteristics are what make MeshAgent attractive to threat actors for controlling infected systems. A further advantage is that the public MeshCentral server can be used after only a simple email verification.

Figure 12. Features supported by MeshAgent

In addition, when MeshAgent is downloaded from the MeshCentral server, the configuration set for that user is embedded in the signature area at the end of the downloaded file. When MeshAgent installs itself to the “%PROGRAMFILES%\Mesh Agent” path, it creates a configuration file named “MeshAgent.msh” in the same directory containing the configuration carried in the binary. The MeshID and ServerID in this file identify the threat actor’s device group and server, so they are useful values for hunting across other hosts.

Figure 13. Threat actor’s MeshAgent configuration information

MeshName=ad
MeshType=2
MeshID=0x50E8FD710C689DA3BC4019B7450F43FDFCF21AEDEB7690D5DFD07F74EE0A4E780EEB5D09831D6664E34838AAD12EECE0
ServerID=BEC956642E30BE68AB6B3ED2F40F4E784CBA349DE3EB7E116F5B22319425FB4FE4C5A6831A5CE5524C569F6F42190B24
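Because every MeshAgent deployment in an organisation should point at a known server and device group, the MeshAgent.msh file is a convenient hunting artifact. The following added example (not ASEC’s or MeshCentral’s code) parses the key=value format shown above and compares the MeshID and ServerID against a list of trusted meshes. The trusted values are constructed placeholders, while the configuration it flags is the one from this incident.

```python
"""Parse a MeshAgent.msh file and decide whether the agent belongs to a mesh
the organisation operates. Added example, not ASEC's or MeshCentral's code.
The format is the key=value text from the post; INCIDENT_MSH holds the threat
actor's values, while TRUSTED and TRUSTED_MSH are constructed placeholders."""
import re
from typing import Dict, Set, Tuple

REQUIRED = ("MeshName", "MeshType", "MeshID", "ServerID")
# MeshCentral derives MeshID and ServerID from SHA-384, so each is 48 bytes
# (96 hex characters); the MeshID is sometimes written with a 0x prefix.
ID_HEX = re.compile(r"^[0-9A-F]{96}$")


def parse_msh(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and lines with no '=' are ignored."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def normalize_id(value: str) -> str:
    """Upper-case hex with any 0x prefix removed, so IDs compare reliably."""
    value = value.strip()
    if value[:2].lower() == "0x":
        value = value[2:]
    return value.upper()


def assess(cfg: Dict[str, str], trusted: Dict[str, Set[str]]) -> Tuple[str, str]:
    """Classify a parsed .msh against trusted = {ServerID: {MeshID, ...}}
    (both normalized). Returns (verdict, reason)."""
    missing = [k for k in REQUIRED if k not in cfg]
    if missing:
        return "invalid", "missing keys: " + ", ".join(missing)
    mesh_id, server_id = normalize_id(cfg["MeshID"]), normalize_id(cfg["ServerID"])
    if not (ID_HEX.match(mesh_id) and ID_HEX.match(server_id)):
        return "invalid", "MeshID/ServerID are not 96-character hex strings"
    if server_id not in trusted:
        return "rogue_server", f"ServerID {server_id[:12]}... is not one of our MeshCentral servers"
    if mesh_id not in trusted[server_id]:
        return "rogue_mesh", f"MeshID {mesh_id[:12]}... (MeshName={cfg['MeshName']!r}) is not one of our device groups"
    # MeshType 2 is an agent-managed device group in MeshCentral (1 is Intel AMT only).
    return "trusted", f"agent belongs to trusted mesh {cfg['MeshName']!r} (MeshType={cfg['MeshType']})"


# The threat actor's configuration from the incident (values from the post).
INCIDENT_MSH = """\
MeshName=ad
MeshType=2
MeshID=0x50E8FD710C689DA3BC4019B7450F43FDFCF21AEDEB7690D5DFD07F74EE0A4E780EEB5D09831D6664E34838AAD12EECE0
ServerID=BEC956642E30BE68AB6B3ED2F40F4E784CBA349DE3EB7E116F5B22319425FB4FE4C5A6831A5CE5524C569F6F42190B24
"""

# Constructed placeholders standing in for an organisation's own server and
# device group; real values come from the MeshCentral admin console.
OUR_SERVER_ID = "A1" * 48
OUR_MESH_ID = "B2" * 48
TRUSTED: Dict[str, Set[str]] = {OUR_SERVER_ID: {OUR_MESH_ID}}
TRUSTED_MSH = f"MeshName=Workstations\nMeshType=2\nMeshID=0x{OUR_MESH_ID}\nServerID={OUR_SERVER_ID}\n"


def assess_text(text: str) -> Tuple[str, str]:
    """Convenience wrapper: parse the file contents and assess against TRUSTED."""
    return assess(parse_msh(text), TRUSTED)


if __name__ == "__main__":
    for label, text in (("incident", INCIDENT_MSH), ("ours", TRUSTED_MSH)):
        print(label, *assess_text(text))
```

In practice the file is read from "%PROGRAMFILES%\Mesh Agent\MeshAgent.msh" on each host and the verdict is joined with the process telemetry that created it; an agent whose ServerID is not an organisation server is a rogue remote-management channel regardless of how it was installed.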


5. Conclusion

ASEC previously covered a case in which SparkRAT was distributed inside a VPN installer. The same threat actor is suspected of having compromised the VPN company’s website again, this time distributing malware that installs SparkRAT together with MeshAgent to take control of infected systems.

Because the malicious installer downloaded from the official website installs the genuine VPN installer along with the malware, it is difficult for users to notice that they have been infected. Users must practice caution by updating V3 to the latest version to block malware infections in advance.

File Detection
– Dropper/Win.Agent.C5431031 (2023.05.21.03)
– Downloader/Win.Agent.C5431029 (2023.05.21.03)
– Backdoor/Win.SparkRAT.C5431028 (2023.05.21.03)
– Dropper/Win.MeshAgent.C5431027 (2023.05.21.03)
– Trojan/Win.MeshAgent.C5431026 (2023.05.21.03)

Behavior Detection
– Persistence/MDP.RunKey.M1038
– Malware/MDP.Download.M1197

IOC
MD5

– 0574f906b97f2e74ae49b6e900b5c60d: Malicious Installer (167775087_qy8iu7xo_*****VPNSetup.exe)
– 162e17324f63f2e1d2c32f7c842b3917: SparkRAT Downloader (start.exe)
– 8fce3a48d46b9c3d252806e7292647e6: SparkRAT (services.exe)
– 4a9369fcff5e934ab644c9aca6e42532: MeshAgent Dropper (update.exe)
– 15d24570f3844987acce866d6541ba21: Malicious MeshAgent (go-memexec-2989748128.exe)

Download URLs
– hxxp://54.180.27[.]29/cc/himart/api/kodbox-main/gr.png: SparkRAT Downloader
– hxxp://54.180.27[.]29/cc/himart/api/kodbox-main/ms-update.exe: MeshAgent Dropper

C&C URL
– aggbvdfbbafdg.moeuda[.]link:443: SparkRAT


The post Analysis of Attack Cases: From Korean VPN Installations to MeshAgent Infections appeared first on ASEC BLOG.