
Google Firebase Hosting Abused to Deliver Sorillus RAT, Phishing Page

BY eSentire Threat Response Unit (TRU)

July 13, 2023


In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

In a recent case in June 2023, our Security Operations Center was alerted to suspicious code written to the registry on an endpoint in a manufacturing customer’s network. The investigation identified Sorillus RAT and a phishing page, both delivered through HTML-smuggled files and links hosted on Google’s Firebase Hosting service.

What is Google Firebase Hosting?

Google Firebase Hosting is a cloud-based hosting service provided by Google as part of its Firebase platform that allows developers to easily deploy and serve web applications and static websites.

Projects are hosted as a subdomain to either “web.app” or “firebaseapp.com” and are automatically configured with SSL and served using Google’s Content Delivery Network (CDN) edge servers.

Figure 1 Snippet from https://firebase.google.com/docs/hosting


These factors make it difficult to identify malicious content using metadata such as domain age, reputation or TLS certificate details, since all of these are tied to a generic Google service rather than to the individual tenant. A cursory look at Twitter mentions involving “web.app” and the terms “phishing” or “malware” yields around three thousand tweets, primarily from researchers reporting malicious content abusing the platform. These mentions have increased noticeably since September 2022.

A look at submissions to VirusTotal yields 20,000+ *.web.app subdomains with ten or more security vendors reporting malicious content such as phishing or malware.

Figure 2 VirusTotal search results for subdomains hosted on Firebase Hosting classified as malicious by at least 10 security vendors.
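Because web.app, firebaseapp.com and workers.dev are shared hosting suffixes, any reputation or block-list logic keyed on the apex domain collapses every tenant onto Google’s or Cloudflare’s reputation. The following is an added example, not code from the eSentire post, showing how to hunt web-proxy logs for tenant subdomains on such platforms and why the blocking key has to be the full host. The log lines are constructed for the example, and the suffix table is a hand-picked subset of the Public Suffix List (an assumption; check it against your own copy of the list before relying on it).

```javascript
// Added example (not code from the eSentire post): hunting web-proxy logs for
// tenant subdomains on developer-hosting platforms. SAMPLE_LOG is CONSTRUCTED;
// HOSTING_SUFFIXES is an assumed subset of the Public Suffix List.
const HOSTING_SUFFIXES = ['web.app', 'firebaseapp.com', 'workers.dev', 'pages.dev'];

const SAMPLE_LOG = [
  '2023-06-12T14:02:11Z 10.1.4.23 GET https://vinapsminznusx.web.app/js/app.js 200',
  '2023-06-12T14:02:12Z 10.1.4.23 GET https://wispy-dawn-ea24.porschea50.workers.dev/loader.js 200',
  '2023-06-12T14:02:13Z 10.1.4.23 GET https://acctcdn.msftauth.net/images/logo.png 200',
  '2023-06-12T14:05:40Z 10.1.4.23 GET https://firebase.google.com/docs/hosting 200',
  '2023-06-12T14:06:02Z 10.1.4.99 GET https://osaomnc.web.app/tax-document.zip 200',
];

// Constructed log format: "<timestamp> <client-ip> <method> <url> <status>".
function parseLine(line) {
  const [ts, client, method, url, status] = line.trim().split(/\s+/);
  return { ts, client, method, url, status: Number(status), host: new URL(url).hostname.toLowerCase() };
}

// What a reputation engine keyed on "last two labels" would score: for
// tenant.web.app that is web.app itself, i.e. Google's reputation, not the tenant's.
function naiveApex(host) {
  return host.split('.').slice(-2).join('.');
}

// The hosting suffix the tenant sits under, or null if the host is not on one.
function hostingSuffix(host) {
  return HOSTING_SUFFIXES.find((s) => host === s || host.endsWith('.' + s)) || null;
}

// Flag every request to a tenant on a hosting platform, keeping the label(s)
// the tenant controls separate from the platform suffix.
function hunt(lines) {
  const findings = [];
  for (const line of lines) {
    const rec = parseLine(line);
    const suffix = hostingSuffix(rec.host);
    if (!suffix) continue;
    findings.push({
      ...rec,
      suffix,
      tenant: rec.host === suffix ? '' : rec.host.slice(0, -(suffix.length + 1)),
      naiveApex: naiveApex(rec.host),
    });
  }
  return findings;
}

// Block at the full host: the apex is shared with every other tenant.
function blockList(findings) {
  return [...new Set(findings.map((f) => f.host))].sort();
}

for (const f of hunt(SAMPLE_LOG)) {
  console.log(`${f.client} -> ${f.host} (tenant "${f.tenant}" on ${f.suffix}; apex-only view: ${f.naiveApex})`);
}
```

The tenant label is what distinguishes one Firebase project from another, so enrichment (first-seen date, VirusTotal lookups, allow/deny decisions) should be keyed on the full hostname; the `naiveApex` value is included only to show what an apex-keyed reputation feed would actually be scoring.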

Sorillus RAT Activity

Sorillus RAT is a Java-based and cross-platform commercial malware offering various information stealing and remote access capabilities.

Figure 3 Example of Sorillus capabilities from the control panel.


In this case, Sorillus was delivered to the victim via an email containing a tax-themed zip file (tax-document.zip). The zip contained an HTML file called “2022tax-extension.html” that smuggled the Java payload Tax-document_PDF.jar (MD5: e93b8dddfc9715f1785ff8f554d538a8).
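HTML smuggling of this kind keeps the payload inside the HTML file as encoded text and relies on the browser to reassemble it and offer it as a download, so nothing executable crosses the mail gateway. The following is an added example, not code from the eSentire post, that reproduces the pattern in a constructed lure and then triages such a file offline: it finds long base64 runs, decodes them, classifies them by magic bytes, and looks for the browser APIs that turn in-page bytes into a file on disk. The embedded “archive” is only a ZIP signature plus filler, and the file name is a placeholder, not the real sample.

```javascript
// Added example (not code from the eSentire post): offline triage of an
// HTML-smuggling lure. LURE_HTML is CONSTRUCTED; the embedded payload is a bare
// ZIP local-file-header signature plus filler, not the real Tax-document_PDF.jar.
const FAKE_JAR = Buffer.concat([
  Buffer.from([0x50, 0x4b, 0x03, 0x04]), // "PK\x03\x04": ZIP/JAR signature
  Buffer.alloc(60, 0),                    // filler so the blob is a long base64 run
]);

// The usual pattern: base64 text in the page, decoded by the browser, wrapped
// in a Blob and handed to the user as a download via a synthetic anchor click.
const LURE_HTML = `<html><body>
<p>Loading your 2022 tax extension...</p>
<script>
var data = "${FAKE_JAR.toString('base64')}";
var bytes = Uint8Array.from(atob(data), function (c) { return c.charCodeAt(0); });
var blob = new Blob([bytes], { type: 'application/java-archive' });
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'Tax-document_PDF.jar';
document.body.appendChild(a);
a.click();
</script></body></html>`;

// Magic bytes that identify what a decoded blob really is.
const SIGNATURES = [
  { type: 'zip/jar', magic: Buffer.from([0x50, 0x4b, 0x03, 0x04]) },
  { type: 'pe',      magic: Buffer.from('MZ') },
  { type: 'pdf',     magic: Buffer.from('%PDF') },
];

function identify(buf) {
  for (const s of SIGNATURES) {
    if (buf.length >= s.magic.length && buf.subarray(0, s.magic.length).equals(s.magic)) {
      return s.type;
    }
  }
  return 'unknown';
}

// Find long base64 runs, decode each one, and classify it by magic bytes.
function extractSmuggledPayloads(html) {
  const results = [];
  for (const m of html.matchAll(/[A-Za-z0-9+/]{64,}={0,2}/g)) {
    const buf = Buffer.from(m[0], 'base64');
    results.push({ offset: m.index, size: buf.length, type: identify(buf) });
  }
  return results;
}

// Browser APIs that turn in-page bytes into a file on disk.
function smugglingIndicators(html) {
  return {
    atob: /\batob\s*\(/.test(html),
    blob: /new\s+Blob\s*\(/.test(html),
    objectUrl: /URL\.createObjectURL\s*\(/.test(html),
    msSaveBlob: /msSaveOrOpenBlob|msSaveBlob/.test(html),
    download: /\.download\s*=|\bdownload\s*=/.test(html),
  };
}

function triage(html) {
  const indicators = smugglingIndicators(html);
  const payloads = extractSmuggledPayloads(html);
  const nameMatch = html.match(/download\s*=\s*['"]([^'"]+)['"]/);
  return {
    indicators,
    payloads,
    filename: nameMatch ? nameMatch[1] : null,
    // A recognisable container plus a save-to-disk primitive is the combination to escalate.
    suspicious: payloads.some((p) => p.type !== 'unknown') &&
      (indicators.objectUrl || indicators.msSaveBlob),
  };
}

console.log(JSON.stringify(triage(LURE_HTML), null, 2));
```

Real lures often split or reverse the base64 string, or XOR it before decoding, so the decode step here is the part that needs adapting per sample; the indicator checks and the magic-byte classification carry over unchanged.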

When the user opens it, the .jar file is executed by the Java runtime (if one is installed on the system). It then writes a copy of itself to %AppData%\Roaming\Microsoft\.tmp\ with a .tmp extension and creates a registry Run key named “Home” that launches the Java payload each time the user logs in.

Figure 4 Sorillus registry run key.


Examining the decompiled Jar file, we see multiple obfuscated class files:

Figure 5 Decompiled class files.


These contain hints at the program’s RAT-like functionality:

Figure 6 Strings common with remote access malware found among obfuscated code.


The root folder holds a file titled “checksum” which contains the RAT’s configuration:

Figure 7 Configuration file. Sorillus has been known to use decoy configs in the past, but that doesn't appear to be the case here.


Unfortunately, the original zip file could not be retrieved during subsequent analysis due to a lack of telemetry. Open-source analysis of similar Sorillus samples using tax-themed lures around the same time yielded several samples (1,2,3) that used Firebase Hosting to deliver the zip payloads.

Sorillus Attribution and Adwind Confusion

Initially, analysts mistook this RAT for Adwind, an older commercial Java-based RAT with similar capabilities. Sandbox analysis of samples tagged the network traffic as Adwind, but little else matched previously known Adwind samples, particularly the configuration file shown in Figure 7. Certain class files (such as the one shown in Figure 5) and the network traffic matched our previous Sorillus observations, leading us to conclude this was an updated version of Sorillus.

Figure 8 Snippet of C2 traffic from a public sandbox analysis for a similar sample.


Sorillus 6.1 was released on January 19, 2023, and added new features including support for loading dynamic configuration settings via Pastebin.

Figure 9 Snippet from V6.1 Release Video https://www.youtube.com/watch?v=P-TqclpeXsw


We identified a cracked version 6.1 leaked on Telegram on June 9th, and another uploaded to VirusTotal on May 31st. Examining the latter, we confirmed the configuration file produced by the control panel matches those samples seen in the wild.

Figure 10 Sorillus control panel configuration settings and subsequent configuration file written to the payload.


The latest version provides several information stealing capabilities, including browser credentials.

Figure 11 Uploading the password stealing plugin to the victim machine.


It claims to extract credentials from Chromium-based browsers such as Chrome and Edge, which we were able to confirm on the latest Chrome build.

Figure 12 Stored credentials were successfully exfiltrated from the latest Chrome build (insert).

Highly Obfuscated Phishing Page Rendered Using Code from Multiple Cloud Services

During our investigation, we identified that the victim had also opened and interacted with a phishing kit that relied heavily on Firebase Hosting for its components. The activity occurred just minutes before the Sorillus RAT activity but was likely unrelated. The phishing page used an invoice-themed HTM document, “invoice.statemtent.htm”, delivered to the victim via email (similar files on VirusTotal have extremely low detection rates).

The HTM file contains multiple layers of obfuscation and uses a decoding function ('_0x175d' in Figure 13 below) to rearrange and decode elements of the array ‘_0xa2cc’, selected by the hex-encoded indices passed as parameters when the function is invoked.

Figure 13 Obfuscated JavaScript code found in HTM file. Similar JS is found in subsequent script files.


This appears to dynamically construct new HTML code when the HTM file is opened in the browser, as demonstrated in Figure 14.

Figure 14 Encoded strings passed to the function shown in Figure 13. This string decodes to a link to additional code hosted on Cloudflare.


Multiple obfuscated JavaScript files are ultimately loaded from vinapsminznusx[.]web[.]app and wispy-dawn-ea24.porschea50[.]workers[.]dev and are used to dynamically render a Microsoft 365 (Office 365) login page using web content pulled from Microsoft (acctcdn.msftauth.net/images/).

Interestingly, the workers.dev domain is a domain extension provided by Cloudflare for their Cloudflare Workers platform. Cloudflare Workers is a serverless computing platform that allows developers to run JavaScript code on Cloudflare's network of data centers.

To summarize, this phishing kit uses a local HTM file to pull highly obfuscated JavaScript components from Google and Cloudflare cloud computing services before rendering the phishing page using real brand assets from Microsoft.

Figure 15 Office 365 phishing page.


An example of this phishing attack can be seen at https://www.joesandbox.com/analysis/887395/0/html#deviceScreen.

How did we find it?

What did we do?

What can you learn from this TRU Positive?

Recommendations from our Threat Response Unit (TRU) Team:

Indicators of Compromise

Indicator                                    Note
osaomnc[.]web[.]app                          Firebase Hosting Sorillus zip payloads
savuom[.]web[.]app                           Firebase Hosting Sorillus zip payloads
canmond[.]web[.]app                          Firebase Hosting Sorillus zip payloads
e93b8dddfc9715f1785ff8f554d538a8             Sorillus Java payload Tax-document_PDF.jar (MD5)
185.196.220.62                               Sorillus C2
vinapsminznusx[.]web[.]app                   Hosting various JS components for phishing pages
wispy-dawn-ea24.porschea50[.]workers[.]dev   Hosting various JS components for phishing pages
5f74bc4dc4ed13805295ae2f249450bb             “Invoice.Statemtent.htm” phishing HTM file (MD5)
eb1974840d85530ce42928edb27a2884             “Invoice.Statemtent.htm” phishing HTM file (MD5)
9251ca090c5b4d7fe7e309b5f8bbd0cf             “Invoice.Statemtent.htm” phishing HTM file (MD5)
66a13a6998a62bda15082b09980ca053             “Invoice.Statemtent.htm” phishing HTM file (MD5)
29fc65f116072a072d52dac21d33335f             “Invoice.Statemtent.htm” phishing HTM file (MD5)
2e277b66aed7aa20d399f115f4a7a2f8             “Invoice.Statemtent.htm” phishing HTM file (MD5)
