eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
In May 2024, eSentire's Threat Response Unit (TRU) detected an instance of fake updates delivering BitRAT and Lumma Stealer.
Fake browser updates have been responsible for numerous malware infections, including those of the well-known SocGholish malware. In April 2024, we observed FakeBat being distributed via similar fake update mechanisms.
The infection chain began when the user visited an infected webpage containing injected malicious JavaScript code (Figure 1).
Figure 1: Fake Chrome update
Upon loading the compromised page, the injected malicious JavaScript code is triggered, which directs the user to the fake update page (Figure 2). After cleaning up the code, we found redirect code hidden within the JavaScript (Figure 3). The redirected site can only be accessed if the HTTP referrer matches the original malicious web page.
Figure 2: Injected malicious JavaScript code
Figure 3: Redirect site hidden within the JavaScript
The chatgpt-app[.]cloud site contains a download link to a Zip archive called ‘Update.zip’, which is automatically downloaded onto the victim’s device. The archive is hosted on Discord’s Content Distribution Network (CDN) (Figure 4).
Figure 4: Download of Update.zip from Discord’s CDN
Fake Update
The fake browser update lure has become common amongst attackers as a means of entry to a device or network. The JavaScript file (Update.js) contained within the ZIP archive acts as an initial downloader to retrieve the payloads once executed by the victim. The archive contains several PowerShell scripts responsible for downloading and executing the next stage loader and payloads from http://77[.]221[.]151[.]31.
In the incident observed, there were multiple PowerShell scripts following the execution of Update.js, as seen in Figure 5 below:
The IP address identified in the PowerShell script is a known BitRAT Command-and-Control (C2) address, which hosts both the BitRAT and Lumma Stealer payloads. The files have the extension .png, but contain the loader, persistence mechanisms, and the payloads.
There were four unique files identified in this attack, all of which serve different purposes:
s.png – Loader + Lumma Stealer payload
z.png – PowerShell script that creates runkey for persistence + downloads Loader + BitRAT payload
a.png – Loader + BitRAT payload
0x.png – BitRAT persistence file that redownloads a.png and executes it
Starting with z.png, the PowerShell script bypasses AMSI, renames the payload 0x.png to 0x.log, hides it in the C:\Users\Public directory, and sets it to run at startup by modifying the Registry Run Key. It also retrieves and executes a.png, the loader and BitRAT payload (Figure 6).
Figure 6: z.png retrieving 0x.png and a.png
The 0x.log (0x.png) payload contains an additional PowerShell script which acts as a persistence mechanism for the BitRAT payload file, a.png. The 0x.log file downloads a.png and executes it (Figure 7).
Figure 7: 0x.png downloads and executes a.png via PowerShell
The two files containing the malicious payloads a.png and s.png include an AMSI bypass, the code that leverages reflection in .NET to dynamically load and execute the payload within RegSvcs.exe process (Figure 8).
Figure 8: Simplified version of a.png showing the AMSI bypass and loading
Loader
There are two parts to the payload files, a.png and s.png – the loader portion and the payload. The loader mechanism appears to be almost the same in both files; the only difference seems to be the hash itself.
The loader is a .NET portable executable (PE) file, obfuscated using Crypto Obfuscator (5.x). The loader is tasked with loading the decrypted payload binary from the files PowerShell script and injecting it into RegSvcs.exe (Figure 9).
Figure 9: The deobfuscated loader
BitRAT
BitRAT is a feature-rich remote access tool with capabilities such as two modes of connections (direct reverse connection and Tor connection), UAC exploit for elevated privileges, process protection, and the ability to manage over 10,000 clients efficiently.
It offers a binder that binds up to 5 files, a remote browser feature supporting Chrome, password recovery for various applications, XMR miner for cryptocurrency mining, reverse proxy using SOCKS4 mode, remote desktop access, webcam live feed, file manager with zip compression, keylogger functions, audio live feed, and SOCKS5 proxy support.
The BitRAT sample analyzed in this case was UPX packed and contained an encrypted configuration. The configuration data is decrypted using the following steps:
First, a decoded string is loaded to memory.
A second string is loaded to memory to which the first string is appended.
The CRC-32 hash is generated for the string to which 8 is added.
An MD5 hash is generated from the lowercase version of the previously generated hash.
The first 16 characters from the MD5 hash are utilized as the key for the Camellia decryption routine.
The decryption routine with the same key is used for decryption of every encrypted string in the binary.
The decrypted configuration:
Host: 77.221.151[.]31
Port: 4444
Tor Process Name: Tor
Install Directory: 0
Install File: 0
Password: 7b13ff385b95cf25d53088d6b7c5d890
Lumma Stealer
Lumma Stealer, also known as LummaC2 Stealer, is an information stealing malware developed in C language. It has been operating as a Malware-as-a-Service in Russian-speaking forums since August 2022. Created by the threat actor "Shamel" using the alias "Lumma", this malware targets cryptocurrency wallets, 2FA browser extensions, and other sensitive data on victims' machines.
The stolen data is sent to a C2 server via HTTP POST requests with the user agent beginning with "Mozilla/5.0". Additionally, Lumma Stealer includes a non-resident loader capable of deploying further malicious payloads in EXE, DLL, and PowerShell formats.
There are notable strings found in Lumma Stealer’s C2 communication, including the version and Lumma ID (lid), also referred to as the build ID, which uniquely identifies Lumma (Figure 10).
Figure 10: Notable strings in Lumma Stealer Payload
The payload includes the user-agent used by the malware (Figure 11).
Figure 11: User-agent field found in malware config
Another parameter, "act," reveals that it has been initialized with the value “life,” used to check-in with the C2 (Figure 12).
Figure 12: C2 check-in string
The sample contains 9 embedded domains used for C2 communications, seen as base64 encoded strings in Figure 13, left. During runtime, the C2 domains are extracted using the routine shown in Figure 13 and described below.
The C2 domain list decryption function is outlined as follows:
First, a base64 string from the above is loaded into memory.
This string then undergoes a base64 decode operation and the resulting bytes are stored in a buffer.
The key is present at an offset 0x20 from the start of the previous buffer.
This key is then used to XOR the buffer which reveals the C2 domains.
We have released a script that performs these operations for the above strings and produces the C2 domains, which is available here.
The decrypted configuration includes the following C2 domains:
demonstationfukewko[.]shop
liabilitynighstjsko[.]shop
alcojoldwograpciw[.]shop
incredibleextedwj[.]shop
shortsvelventysjo[.]shop
shatterbreathepsw[.]shop
tolerateilusidjukl[.]shop
productivelookewr[.]shop
accountasifkwosov[.]shop
The use of fake updates to deliver a variety of malware displays the operator's ability to leverage trusted names to maximize reach and impact. The .NET loader being the same in both payload files shows the likelihood of the fake update loader being a malware delivery service. The malware payload is likely interchangeable and will result in a variety of different types being loaded in similar incidents in the future.
What did we do?
Our 24/7 SOC Cyber Analysts investigated the suspicious activities, notified the client, and isolated the affected device.
What can you learn from this TRU Positive?
Fake browser update campaigns use sophisticated social engineering tactics by mimicking legitimate browser update prompts that match the user's browser type and language.
This targeted approach indicates the need for increased user awareness about the authenticity of update notifications and the sources from which updates are downloaded.
BitRAT and Lumma Stealer were the final payloads during this incident, although it is likely other malware may be loaded in future deliveries.
These final payloads allow attackers to perform reconnaissance, steal sensitive data, and provide remote access to the infected host.
Recommendations from our Threat Response Unit (TRU):
Ensure that all endpoints are protected with up-to-date antivirus software or Endpoint Detection and Response (EDR) tool capable of detecting and blocking malicious files
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
