Cluster25 researchers analyzed several campaigns (also publicly reported by CERT-AGID) that used phishing emails to spread an InfoStealer malware written in .NET through an infection chain that involves Windows Shortcut (LNK) files and Batch Scripts (BAT).  Taking into account the used TTPs and extracted evidence, the attacks seem perpetrated by the same adversary (internally named AUI001).

Even if the majority of the attacks seem to have impacted Italy, the network-based visibility over the malicious infrastructure C25 can dispose of about this event suggests similar implants impacted Germany and Turkey as well. More precisely Cluster25 observed around 100+ telemetry hits on Italy (with a single confirmed impacted entity operating in transportation sector) and a few dozen on Turkey and Germany (information is updated until Dec. 19, 2022, while the first hit on Italy has been registered on Dec. 06, 2022)

Some vendor refers to this event / actor as Alibaba2044 according to the name of a GitHub account used as one of the drop-points in the infection chain.

The final payload spread through the infection chain uses a complex level of obfuscation and packing techniques to hinder the analysis, that also makes difficult the attribution of the malware to a specific family. Some security firms identified it as the commercial infostealer known as PureLogs. As per  internal classification, the final payload overlapped with a .NET RAT / InfoStealer known as zgRAT.

The following report provides further details about the execution of the campaign, also giving more information about the threat actor’s TTPs and the observed samples.

INSIGHTS

The first stage of the attacks is executed through a phishing email that contains a malicious link that prompts the victim to download a .ZIP archive. Two of the analyzed attacks used the domains  dl[.]dropboxusercontent[.]com and downloadpdf-fattura[.]de as initial drop-points:

The ZIP is password protected (the password to extract its content is reported in the phishing email) and contain Windows Shortcut (LNK) files and Batch scripts (BAT). In one of the analyzed campaigns, a ZIP file contained the files named Fattura 06-12-2022.lnk and Fattura_IT9032003.bat.

The LNK executes the following PowerShell command, that downloads and executes an HTA file from a second drop-point. 

The HTA file executes a PowerShell command that writes two files in the directory C:ProgramData. The first one has the filename image.png and contains an image of a fake invoice that is later opened and shown to the user as bait, similar to the following:

The second is the BAT file Fattura_IT9032003.bat, which has the same name and content of the one contained in the ZIP file. This one deobfuscates and executes the following command, which downloads another ZIP from GitHub:

The GitHub account used to download the second stage is named NET-FrameWork-x64, while the ZIP archive has the name NETFramework.zip and contains the executable file start.exe, which is a legit PowerShell executable that is later renamed and copied to the path C:ProgramDataFattura_IT9032003.bat.exe (the files attributes are also changed to make it hidden).

This file is used to run the following command, that downloads a third ZIP archive (wininfo64.zip) from another GitHub profile (alibaba2044), and finally decompresses it to obtain and run the executable file lib32.exe :

The BAT script, before completing its execution, deletes the PowerShell executable from the directory C:ProgramData. The file lib32.exe is a malicious 64-bit PE executable written in Microsoft .NET. Cluster25 also observed other campaigns that spread the latter executable in a different way, with the help of a loader program that is responsible to unpack the malware and perform different kinds of anti-analysis techniques. 

To spread the loader the threat actor used a chain of phishing emails, LNK, BAT and CAB files (that may be used instead of the HTA file described above) similar to the one previously reported. At the end of the chain, a Microsoft .NET 64-bit PE (one sample showed the filename Solby.exe) is executed. The analysis of its code revealed a function named Array, in the class Trak, that deciphers a DLL file using a hardcoded key in memory and a XOR cycle.

The DLL, also written in .NET, is loaded using the method Load from the class Assembly and then a method with an obfuscated name is called in the loaded library.

The malware also uses an anti-tampering protection mechanism, similar to the one performed by the open-source protector for .NET applications ConfuserEx: a method executed in .cctor, which is called before any other method in the DLL, is responsible to modify the code in order to correctly reconstruct the methods to be executed.

The reconstructed code also exploits another anti-analysis technique, consisting in the obfuscation mechanism performed through code-flattening. Moreover, the malware uses dynamic calls to the needed function using wrapper methods with random names.

The first called method in the DLL allocates an array of 188 bytes, that is then passed to the GZipStream function to decompress it, obtaining a Json file of 31 elements:

The entries of the Json file include the name of the original executable (Solby.exe) and the strings “Xtxcunvjl” (which will be used to create a Mutex) and “Itself”, which in other analyzed sample was substituted with “AppLaunch” (that will be used as executable name to launch a new malware process). The remaining elements are binary values, digits, null values and nested lists of similar elements.

The JSON file is passed to the JsonConvert.DeserializeObject method to deserialize it. The malware proceeds by performing an evasion technique similar to the one observed in other malware as IceXLoader: it retrieves the host and the user names to check if it is running in an Windows Defender emulator, where the mentioned values are respectively “hal9th” and “johndoe”.

The latter string values are encrypted in the binary and used after a loop of different operations, including XORs and shifts.

Similarly, this happens for the string “start-sleep -seconds {0}”, which is then encoded in base64 and used to start a new process with PowerShell. The resulting command that is executed is the following, which just suspends the execution of PowerShell for 37 seconds:

Then, another anti-analysis check is performed by decrypting the string “SbieDll.dll”, which is the name of the Sandboxie User Mode DLL, and by iterating through the process modules to check if it is loaded in order to discover if the malicious program is being analyzed.

If this is not the case, the malware proceeds making a query using the ManagementObjectSearcher and the decrypted string “select * from Win32_BIOS”, where the value of the “Version” substring is selected. The malware also retrieves the serial number of the infected system, which is then concatenated with the version value to form a new string.

The latter is checked against the decrypted string “VMware|VIRTUAL|A M I|Xen” to find a possible match which would reveal the execution of the malware under a virtualized environment.

A second check is performed by executing another query after decrypting the strings  “select * from Win32_ComputerSystem”, “manufacturer” and “Virtual Machine”, and the result of the query is matched against the string “Microsoft|VMWare|Virtual”. A third Anti-VM check involves the checking of the display resolution size.

If the checks reveal the execution under a virtual environment,  the malware decrypts the strings “Start-Sleep -s 10; Remove-Item -Path “” and “-Force”. The string are concatenated with the path of the current process and encoded in base64 to build a PowerShell command that deletes the executable file.