New Pyrogenic JAR-Based Malware Campaign - Indicators of Compromise

A new JAR-based phishing campaign has been seen delivered to Australian companies with the intent of credential stealing Office 365 account passwords as well as passwords stored in the browser. This campaign appears to have first occurred late September 2019 - November 2019.

Initial Infection
This campaign is delivered via a phishing email to corporate account users with an image of a PDF file which contains an embedded hyperlink
If a user clicks on the image of the PDF they are taken to the first C2 domain - in this instance it was to https://caygionghocviennongnghiep1.com/FRA.html which resulted in a download of the malicious JAR file 'BankPaymAdviceVend_LLCRep.jar' to the downloads folder:

User interaction is then required in order to execute the malware. Once execution occurs, the following process chain occurs where javaw.exe is spawned.

The javaw.exe process is stopped in memory and two DLLs are dropped into the AppData/Local/TEMP folder, loaded and then deleted.
  • sqlite-3.8.11.2-1b7102dd-9254-4808-9f1f-ceab23a11420-sqlitejdbc.dll
  • jna--1104490048\jna8218245902737124972.dll
The first network call out is to bot.whatismyipaddress.com to find the public facing IP address of the infected host. The subsequent network connections are direct communications to the C2 relaying the credentials found in registry keys and browser:


Network Indicators:
  • Communications to C2 domains appear to be done through javaw.exe process via port 80 
  • The first network callout aside from the C2 domain which 'drops' the JAR file, is to bot.whatsmyipaddress.com


Persistence Techniques:
  • 2 files dropped to AppData\Local\Temp:
    • sqlite-3.8.11.2-1b7102dd-9254-4808-9f1f-ceab23a11420-sqlitejdbc.dll
    • jna--1104490048\jna8218245902737124972.dllThese DLL files are used in a dll side-loading attack for java.exe and are then deleted from /TEMP folder.
  • Browser Extension modifications to Chrome and Firefox

File Deletion:
  • 2 main files are dropped & deleted upon being loaded into the java process. 
    • sqlite-3.8.11.2-1b7102dd-9254-4808-9f1f-ceab23a11420-sqlitejdbc.dll
    • jna--1104490048\jna8218245902737124972.dll
Data Exfiltrated:
  • Mailbox Login Credentials from:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
    • This is sent immediately within seconds of infection
  • Browser Passwords
    • C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xwt1js18.default\key4.db
    • C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xwt1js18.default\signons.sqlite
    • C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
    • C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Initial Infection Process Chain
  • javaw.exe > cmd.exe /c chcp 1252 > NUL & powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile -Command
Lateral Movement Across Network
  • This does not occur 

INDICATORS OF COMPROMISE


MD5
f0e21c7789cd57eebf8ecdb9fadab26b
SHA-1     
e1930b395b4c5cede6b442b0ce414ee1e2802960
SHA-256 .
43bb377d987a5f845b8d743d1d0388cb3cbe38d9aef4569c40fb14c48fbedcc0

https://protissobi.com
https://bandirmaad.com
https://malatyaafm.com
https://caygionghocviennongnghiep1.com
https://ddt-tech.com
https://basariragri.com
https://aricadecor.com
https://beydagiorganiksolucan.com
https://diyarbakirkardelenhaliyikama.com
https://beenchem.com
https://gaolutrang.com

157.245.160.150
66.171.248.178
45.252.248.29
185.12.108.109
103.221.223.122
157.245.160.150

Comments

Post a Comment

Popular posts from this blog

Forensic Analysis of AnyDesk Logs

Image
Most threat actors during ransomware incidents utilise some type of remote access tools - one of them being AnyDesk. This is a free remote access tool that threat actors download onto hosts to access them easily and also for bidirectional file transfer.  There are two locations for where AnyDesk logs are stored on the Windows file system: %programdata%\AnyDesk\ad_svc.trace %appdata%\Anydesk\ad.trace The AnyDesk logs can be found under the appdata located within each users' directory where the tool has been installed. Forensic analysis of these logs reveal interesting pieces of information inside the "ad.trace" log: Remote IP where the actor connected from File transfer activity Locating the Remote IP Connecting to AnyDesk Inside the "ad.trace" log you can grep for the following term "External address" and this should reveal the following line pasted below. I have redacted the IP for privacy's sake: info 2021-02-04 23:25:10.500       lsvc   9988  
Read more

How to Reverse Engineer and Patch an iOS Application for Beginners: Part I

Image
So you want to reverse and patch an iOS application? I got you >_< If you’ve missed the blogs in the series, check them out below ^_^ Part 1: How to Reverse Engineer and Patch an iOS Application for Beginners Part 2: Guide to Reversing and Exploiting iOS binaries: ARM64 ROP Chains Part 3: Heap Overflows on iOS ARM64: Heap Spraying, Use-After-Free  This blog is focused on reversing an iOS application I built for the purpose of showing beginners how to reverse and patch an iOS app. No fancy tools are required (IDA O.o), it's just you, me & a debugger <3 The app is a simple, unencrypted Objective-C application that just takes in a password and the goal of this is to bypass the password mechanism and get the success code. This blog post will focus on reversing/debugging the application and will not cover aspects of static analysis. The reason I wanted to write this is because I realised this topic is confusing for a lot of people and I wanted to try and write a blog that a
Read more

Successful 4624 Anonymous Logons to Windows Server from External IPs?

Image
If you see successful 4624 event logs that look a little something like this in your Event Viewer showing an ANONYMOUS LOGON, an external IP (usually from Russia, Asia, USA, Ukraine) with an authentication package of NTLM, NTLMSSP, don't be alarmed - this is not an indication of a successful logon+access of your system even though it's logged as a 4624. If your server has RDP or SMB open publicly to the internet you may see a suite of these logs on your server's event viewer. Although these are showing up as Event ID 4624 (which generally correlates to successful logon events), these are NOT successful access to the system without a correlating Event ID 4624 showing up with an Account Name \\domain\username and a type 10 logon code for RDP or a type 3 for SMB. You can double check this by looking at 4625 events for a failure, within a similar time range to the logon event for confirmation. The reason for this is because when a user initiates an RDP or SMB c
Read more