jRAT += Houdini: New Year 2019

In the late evening of 08-01-2019 a phishing document related to the Ministry of Defense of Turkey was captured in the wild and caught my attention (md5: 0d3b1c3c4287fe12399dc29d88905e9c).

Further investigation suggests that a new malicious campaign spreading HWorm + jRat variants has emerged in the last few days.

Insights

The phishing document (md5: 0d3b1c3c4287fe12399dc29d88905e9c) tries to attract the curiosity of potential victims with a file name suggesting tender details from the Turkish Ministry of Defense. One of the file names associated with this threat is in fact

“RFQ-Ministry of Defence Turkey Tender details 2019.doc”.

This document is armed with obfuscated macro code designed to download and execute remote content from the URL

hxxps://djleoms.com/jenqtgIyHB_newaso.vbs.

The following is an excerpt of the first-stage malicious macro code:

If 9 = 8 Then
    ' Dead branch: 9 = 8 is always false, so only the Else block ever runs
    Dim ivfefnyqtvgeuakqrxcmurbu
Else
    Dim zdfznqqxefsbhyneeh
    ' The "module.procedure" name is split into pieces and rebuilt at runtime
    Dim zxswpcjjodbpcfibtpczpeavykqflynmws As String
    zxswpcjjodbpcfibtpczpeavykqflynmws = "vmkNRssI"
    Dim oinzxs As String
    oinzxs = "ZgTrxfqw"
    Dim umclwjgpdqfjkp As String
    umclwjgpdqfjkp = "."
    ' Concatenates to "vmkNRssI.ZgTrxfqw" and invokes it through Application.Run
    Application.Run zxswpcjjodbpcfibtpczpeavykqflynmws & umclwjgpdqfjkp & oinzxs
End If

This first piece of code calls into the module ‘vmkNRssI’ (the procedure name ‘ZgTrxfqw’ is assembled at runtime), which is responsible for making the outgoing request that retrieves the second-stage payload.

The first-level CnC URL is encoded as the wide-character codes of its individual characters:

h t t p s : / / d j l e o m s . c o m / j e n q t g I y H B _ n e w a s o . v b s

Here they are as they appear in the macro:

ChrW(104.4) & ChrW(116.2) & ChrW(116.1) & ChrW(112.2) & ChrW(115.1) & ChrW(58.4) & ChrW(47.3) & ChrW(47.1) & ChrW(100.3) & ChrW(106.1) & ChrW(108.4) & ChrW(101.3) & ChrW(111.1) & ChrW(109.4) & ChrW(115.4) & ChrW(46.1) & ChrW(99.4) & ChrW(111.2) & ChrW(109.3) & ChrW(47.3) & ChrW(106.4) & ChrW(101.2) & ChrW(110.3) & ChrW(113.1) & ChrW(116.2) & ChrW(103.4) & ChrW(73.3) & ChrW(121.3) & ChrW(72.2) & ChrW(66.3) & ChrW(95.3) & ChrW(110.1) & ChrW(101.1) & ChrW(119.3) & ChrW(97.2) & ChrW(115.4) & ChrW(111.2) & ChrW(46.3) & ChrW(118.4) & ChrW(98.2) & ChrW(115.1)
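To turn a chain like the one above back into text without running the macro, here is an added Python decoder (my own example, not code from the post or from the sample). It relies only on the VBA rule that Chr/ChrW coerce a fractional argument to a whole number before the character lookup, which is why the fractional parts change nothing. The embedded excerpt contains the chain quoted above plus a second, shorter chain that I constructed (it decodes to beo.vbs) to show that several chains in one source are handled.

```python
"""Decode ChrW()/Chr() concatenation chains from obfuscated VBA macros (added example)."""
import re

# One Chr/ChrW/ChrW$ call with a numeric literal argument; the literal is captured.
_CHR_CALL = re.compile(r'\bChrW?\$?\(\s*(-?\d+(?:\.\d+)?)\s*\)', re.IGNORECASE)
# A chain: two or more such calls joined by VBA's "&" concatenation operator.
_CHR_CHAIN = re.compile(
    r'(?:' + _CHR_CALL.pattern + r'\s*&\s*)+' + _CHR_CALL.pattern, re.IGNORECASE)

# Constructed macro excerpt. The first chain is the one quoted in the post; the
# second (decoding to "beo.vbs") is made up here and is not taken from the macro.
MACRO_EXCERPT = '''
Dim u As String
u = ChrW(104.4) & ChrW(116.2) & ChrW(116.1) & ChrW(112.2) & ChrW(115.1) & ChrW(58.4) & ChrW(47.3) & ChrW(47.1) & ChrW(100.3) & ChrW(106.1) & ChrW(108.4) & ChrW(101.3) & ChrW(111.1) & ChrW(109.4) & ChrW(115.4) & ChrW(46.1) & ChrW(99.4) & ChrW(111.2) & ChrW(109.3) & ChrW(47.3) & ChrW(106.4) & ChrW(101.2) & ChrW(110.3) & ChrW(113.1) & ChrW(116.2) & ChrW(103.4) & ChrW(73.3) & ChrW(121.3) & ChrW(72.2) & ChrW(66.3) & ChrW(95.3) & ChrW(110.1) & ChrW(101.1) & ChrW(119.3) & ChrW(97.2) & ChrW(115.4) & ChrW(111.2) & ChrW(46.3) & ChrW(118.4) & ChrW(98.2) & ChrW(115.1)
Dim f As String
f = ChrW(98.1) & ChrW(101.3) & ChrW(111.2) & ChrW(46.2) & ChrW(118.1) & ChrW(98.4) & ChrW(115.3)
'''


def vba_to_long(literal):
    """Mimic VBA's Double -> Long coercion (round half to even, same as Python's round)."""
    return int(round(float(literal)))


def decode_chrw_chain(expr):
    """Decode a single chain such as 'ChrW(104.4) & ChrW(105.2)' into text."""
    return ''.join(chr(vba_to_long(lit)) for lit in _CHR_CALL.findall(expr))


def extract_encoded_strings(source):
    """Find every Chr/ChrW chain in a macro source and return the decoded strings, in order."""
    return [decode_chrw_chain(m.group(0)) for m in _CHR_CHAIN.finditer(source)]


def defang(text):
    """Make a decoded URL safe to paste into a report (hxxp scheme, bracketed dots)."""
    return text.replace('http', 'hxxp', 1).replace('.', '[.]')


if __name__ == '__main__':
    for decoded in extract_encoded_strings(MACRO_EXCERPT):
        print(defang(decoded))
```

Feeding the whole VBA source (for example the output of olevba) to extract_encoded_strings gives every rebuilt string at once, which is usually enough to recover the download URL and the dropped file names without stepping through the macro.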

Once the download completes, a new file named beo.vbs is created under %temp% and then launched.

The content of beo.vbs is what was previously retrieved from djleoms.com.

The second stage is then carried out by this script, a screenshot of which is shown below:

[screenshot: the second-stage beo.vbs script]

This second-stage code includes two different malicious payloads. The first is stored in the variable “longText1” and the second in the variable “longText”. Based on the operating logic observed, this code is designed to execute two different malicious components, as represented in the following graphic:

[image: execution flow of the two dropped components]

The base64-encoded content of longText1 is first decoded and then written under %appdata% as UwwogLCzsN.vbs. This piece of code is nothing more than an H-Worm VBS variant.

The payload is simply a VBS file with a cleartext config section pointing to pm2bitcoin.com and goz.unknowncypter.com.

[screenshot: H-Worm config section]

H-Worm

Upon successful compromise, it sends various pieces of sensitive information to the CnC servers reported above. Persistence is achieved through the registry keys

“HKCU\software\microsoft\windows\currentversion\run\”

and

“HKLM\software\microsoft\windows\currentversion\run\”

After collecting and sending frames of information about the victim machine, it enters an infinite loop waiting for further commands to execute:

[screenshot: H-Worm command loop]

jRAT

The dropped jRAT variant is a heavily obfuscated jar executable [md5: CDEE1E867980580A55BC34BC240FB12B]. jRAT is a Java-developed cross-platform remote access tool that makes use of obfuscation and encryption (RSA+AES) to make static analysis and detection harder.

It is able to perform many malicious activities and to drop further malicious components through which it executes and launches commands for system reconnaissance and data exfiltration. Extracting the jar file, I am able to see files typical of Adwind/jRat samples:

[screenshot: contents of the extracted jar]

The interesting thing here is the serialized object within sky.drive. Nothing more to do at this point, but we can clearly see, as expected, some references to an RSA key, confirming the presence of encrypted content.

[screenshot: serialized object in sky.drive]

If we look at META-INF/MANIFEST.MF we find the reference to the main class, which is, as expected, operational.JRat.

After decompiling it, we get the following main method:

[screenshot: decompiled operational.JRat main method]

Not much time to spend here, as the core logic is the same as in older jRat samples. Following that logic, what it does is retrieve a first key from sky.drive, use that key to decrypt the AES key in drop.box, and finally use this AES key to decrypt the content of mega.download, which is the configuration file containing the RAT server path and the RSA and AES keys.

[screenshot: key and configuration decryption chain]

Simple enough to guess, writing a decryptor that chains these basic operations is not too hard. Luckily for all of us, someone has already thought of this: https://github.com/mhelwig/adwind-decryptor.

In this specific case, the following is the first group of configuration parameters retrieved from the sample:

<entry key="SERVER_PATH">/IO/e/sYU.ZCP</entry>
<entry key="PASSWORD_CRYPTED">/RsT/w/nrg.WGK</entry>
<entry key="PRIVATE_PASSWORD">/OG/D/fGv.gx</entry>

Using these parameters, it is quite simple to recover the main RAT server archive.

The file config.json is the main configuration file driving RAT operations. Key1.json is a serialized KeyRep object and Key2.json is the AES key. Applying the same principles as before, we can decrypt config.json and get the following:

[screenshot: decrypted config.json]

In the NICKNAME entry the string “NEW YEAR 2019” appears, suggesting that the campaign in question was born recently.

It achieves persistence by adding the registry key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MFHMpIvWAxs

and is able to perform reconnaissance and malicious actions (such as searching for installed security products) via WMI. It drops and executes different .vbs files under %TEMP%, filling them through the following function:
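Both the H-Worm persistence keys described earlier and the jRAT value MFHMpIvWAxs land in the same Run keys, so one triage check covers both. The Python below is an added example of my own, not code from the post or from the samples: it parses the output format of `reg query` on the two Run keys and flags values that launch a script host or a script/jar payload from a user-writable location. Only the value name MFHMpIvWAxs and the file name UwwogLCzsN.vbs come from the analysis above; every command line, path and other value name in the embedded sample output is constructed, and the heuristic itself is an assumption meant as a starting point rather than a signature.

```python
"""Flag script-based persistence in Run keys from `reg query` output (added example)."""
import re
from dataclasses import dataclass

# Locations a non-admin user can write to; installers rarely place
# script-driven autostart entries there.
USER_WRITABLE = re.compile(
    r'\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\|'
    r'%(APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE)%', re.IGNORECASE)
# Script hosts and interpreters that droppers commonly put in autostart values.
SCRIPT_HOST = re.compile(
    r'\b(wscript|cscript|javaw?|powershell|pwsh|mshta|rundll32|regsvr32)(\.exe)?\b',
    re.IGNORECASE)
SCRIPT_EXT = re.compile(r'\.(vbs|vbe|js|jse|wsf|jar|ps1|hta|bat|cmd)\b', re.IGNORECASE)

# Constructed `reg query`-style output. Only the value name MFHMpIvWAxs and the
# file name UwwogLCzsN.vbs come from the samples; paths and command lines are made up.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive           REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    ExampleVbsEntry    REG_SZ    wscript.exe //B "%APPDATA%\UwwogLCzsN.vbs"
    MFHMpIvWAxs        REG_SZ    "C:\Program Files\Java\jre\bin\javaw.exe" -jar "C:\Users\alice\AppData\Roaming\example.jar"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth     REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""


@dataclass
class RunEntry:
    key: str
    name: str
    reg_type: str
    data: str


def parse_reg_query(text):
    """Parse `reg query` output: key paths start in column 0, values are indented,
    and name / type / data are separated by runs of spaces."""
    entries, current_key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current_key = line.strip()
            continue
        parts = re.split(r'\s{2,}', line.strip(), maxsplit=2)
        if len(parts) == 3 and parts[1].startswith('REG_') and current_key:
            entries.append(RunEntry(current_key, parts[0], parts[1], parts[2]))
    return entries


def suspicious_reasons(entry):
    """Return the reasons an entry looks like script-based persistence, or [] if clean."""
    reasons = []
    if SCRIPT_HOST.search(entry.data):
        reasons.append('script host/interpreter')
    if SCRIPT_EXT.search(entry.data):
        reasons.append('script or jar payload')
    # Location alone is not enough: many legitimate per-user apps live in AppData.
    if reasons and USER_WRITABLE.search(entry.data):
        reasons.append('user-writable path')
        return reasons
    return []


def triage(text):
    """Return (key, value name, reasons) for every flagged autostart entry."""
    flagged = []
    for entry in parse_reg_query(text):
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged.append((entry.key, entry.name, reasons))
    return flagged


if __name__ == '__main__':
    for key, name, reasons in triage(SAMPLE_REG_QUERY):
        print(f'{key}\\{name}: {", ".join(reasons)}')
```

On a live host the input would come from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the HKLM equivalent; the OneDrive entry in the sample is there to show that a benign AppData-resident executable is not flagged by the combined rule.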

[screenshot: function that writes the dropped .vbs files]

The RAT is highly efficient and configurable through JSON files, and it can extend its functions by downloading further specific modules. The main server module works by making use of encrypted strings resolved at runtime through functions like the following:

[screenshot: runtime string decryption function]

Do we light it?

Considering the domain creation date and the history of djleoms.com, this may be a website unwittingly serving this cyber operation, or it may have been under the threat actor's control for a very long time. According to a Wayback Machine search, this website has shown nearly the same content over the last few years.

A statistical image of the site's history follows:

[image: djleoms.com Wayback Machine history]

Anyway, at the time of analysis it is still serving this malicious campaign.

The following are the countries where I can observe activity of jRAT samples with a high similarity rate:

[image: map of countries with high-similarity jRAT activity]

Pivoting further through jRAT samples spreading in these days with a slightly lower similarity rate, the map extends to other countries:

[image: extended map of countries with jRAT activity]

Conclusions

jRat + Houdini is not a new combo to write about. A more or less similar campaign was observed in mid-2018. In this case the threat actor is likely from the Middle East. Someone told me that the name of the phishing document is rather strange.

Indicators of compromise

Type   | Observable | Value
Domain | Dropper    | djleoms.com
Domain | Dropper    | thegoldfingerinc.com
Domain | CnC        | wcbradley.duckdns.org
Domain | CnC        | asorock0011.ddns.net
Domain | CnC        | pm2bitcoin.com
Domain | CnC        | oz.unknowncypter.com
IP     | Dropper    | 212.1.210.180
IP     | Dropper    | 86.106.93.230
IP     | CnC        | 173.46.85.14
IP     | CnC        | 185.125.205.77
IP     | CnC        | 105.112.33.181
MD5    | DOC        | 0d3b1c3c4287fe12399dc29d88905e9c
MD5    | JAR        | cdee1e867980580a55bc34bc240fb12b
MD5    | VBS        | 6925f02089e1fddce8861e496fec4c38
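As an added example of putting the indicator list to use (my own code, not from the post), the Python below parses the table as laid out above and runs it over a handful of constructed DNS, proxy and endpoint log lines, reporting exact and subdomain matches for domains, exact matches for IPs and MD5 hashes. The log lines, their field names and the host names in them are invented for the example; only the indicators themselves come from the table.

```python
"""Match the campaign indicators against log lines (added example)."""
import re

# The indicator table from the post, as laid out above.
IOC_TABLE = """
Type   | Observable | Value
Domain | Dropper    | djleoms.com
Domain | Dropper    | thegoldfingerinc.com
Domain | CnC        | wcbradley.duckdns.org
Domain | CnC        | asorock0011.ddns.net
Domain | CnC        | pm2bitcoin.com
Domain | CnC        | oz.unknowncypter.com
IP     | Dropper    | 212.1.210.180
IP     | Dropper    | 86.106.93.230
IP     | CnC        | 173.46.85.14
IP     | CnC        | 185.125.205.77
IP     | CnC        | 105.112.33.181
MD5    | DOC        | 0d3b1c3c4287fe12399dc29d88905e9c
MD5    | JAR        | cdee1e867980580a55bc34bc240fb12b
MD5    | VBS        | 6925f02089e1fddce8861e496fec4c38
"""

# Constructed log lines in a key=value style; the field names and clients are made up.
SAMPLE_LOGS = [
    "2019-01-09T21:14:03Z dns client=10.0.0.5 query=www.example.com type=A",
    "2019-01-09T21:14:09Z dns client=10.0.0.5 query=djleoms.com type=A",
    "2019-01-09T21:14:10Z proxy client=10.0.0.5 dst=212.1.210.180 path=/jenqtgIyHB_newaso.vbs",
    "2019-01-09T21:15:40Z dns client=10.0.0.5 query=pm2bitcoin.com type=A",
    "2019-01-09T21:16:02Z edr host=ws01 file=sample.vbs md5=6925f02089e1fddce8861e496fec4c38",
    "2019-01-09T21:16:30Z dns client=10.0.0.6 query=mail.wcbradley.duckdns.org type=A",
]

HOST_RE = re.compile(r'\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b', re.IGNORECASE)
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
MD5_RE = re.compile(r'\b[0-9a-f]{32}\b', re.IGNORECASE)


def parse_ioc_table(text):
    """Return {(type, value): observable} from the pipe-separated table (header skipped)."""
    iocs = {}
    for line in text.strip().splitlines()[1:]:
        kind, observable, value = (cell.strip() for cell in line.split('|'))
        iocs[(kind, value.lower())] = observable
    return iocs


def match_line(line, iocs):
    """Return [(type, observable, value)] for every indicator present in one line."""
    hits = []
    # Domains: exact match or any subdomain of a listed domain.
    for host in sorted({h.lower() for h in HOST_RE.findall(line)}):
        for (kind, value), observable in iocs.items():
            if kind == 'Domain' and (host == value or host.endswith('.' + value)):
                hits.append((kind, observable, value))
    # IPs and hashes: exact lookups.
    for ip in sorted(set(IPV4_RE.findall(line))):
        if ('IP', ip) in iocs:
            hits.append(('IP', iocs[('IP', ip)], ip))
    for digest in sorted({d.lower() for d in MD5_RE.findall(line)}):
        if ('MD5', digest) in iocs:
            hits.append(('MD5', iocs[('MD5', digest)], digest))
    return hits


def scan(lines, iocs):
    """Return (line number, type, observable, value) for every hit, in log order."""
    return [(n, *hit) for n, line in enumerate(lines, 1) for hit in match_line(line, iocs)]


if __name__ == '__main__':
    for lineno, kind, observable, value in scan(SAMPLE_LOGS, parse_ioc_table(IOC_TABLE)):
        print(f'line {lineno}: {kind} {observable} {value}')
```

Domain matching is suffix-based on label boundaries, so a query for a host under wcbradley.duckdns.org is caught while an unrelated duckdns.org name is not; real deployments would feed DNS and proxy logs through the same scan function instead of the constructed list.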
