Blog

PhantomControl returns with Ande Loader and SwaetRAT

BY eSentire Threat Response Unit (TRU)

December 20, 2023 | 8 MINS READ

Attacks/Breaches

Threat Intelligence

Threat Response Unit

TRU Positive/Bulletin

Want to learn more on how to achieve Cyber Resilience?

TALK TO AN EXPERT

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

In November 2023, eSentire’s Threat Response Unit observed an incident involving the PhantomControl threat actor(s). Based on the logs, we assess with high confidence that the initial infection vector was a phishing email.

The user was redirected to a malicious website serving ScreenConnect client from receipt-view.blogspot[.]com. Tracing the download source, we stumbled on a compromised website hosting a malicious ScreenConnect client (MD5: 412e11d3ff7659c7d05194cc5e0e1f32) as shown in Figures 1-2.

Figure 1: Compromised website serving malicious ScreenConnect client (1)
Figure 2: Opendir: compromised website serving malicious ScreenConnect client (2)

Upon running the ScreenConnect client, the infected machine established the connection to legal-advocate.screenconnect[.]com, which is the threat actor’s controlled ScreenConnect instance.

The instance domain resolves to 147.75.81[.]214, which was observed to be used previously by PhantomControl threat actor(s).

Approximately 9 minutes after launching ScreenConnect, the threat actor(s) dropped File_Vbs.vbs (MD5: 91570b30470e0375c62972a268fcaee7) file under Documents\ConnectWiseControl\Temp\.

Ande Loader Analysis

The VBS script contains garbage strings that conceal the malicious code. Upon cleaning up the script, we see a reference to paste[.]ee domain as shown in Figure 3.

The VBS script sends an HTTP GET request to the URL, then it checks if the response status is 200. If the response is 200, it stores the response text in a variable named “response”.

The script then executes the content of the variable using the Execute statement.

Figure 3: Reference to paste[.]ee domain

The VBS script retrieved from paste[.]ee contained garbled data and reversed strings. After some cleanup, it transformed into the reversed base64-encoded obfuscated PowerShell snippet (Figure 4).

Figure 4: Snippet of the script retrieved from paste[.]ee and the clean-up PowerShell script

Further deobfuscating the PowerShell script (Figure 5), we can try to break down what the script does:

  1. The script sets the URL of an image, creates a WebClient object, and downloads the data from the URL as a byte array.
  2. The byte array of the image is converted into a UTF-8 encoded string.
  3. The script looks for specific start and end flags in the converted text, indicating the presence of Base64 encoded content.
  4. The decoded bytes are loaded as a .NET assembly.
  5. The script retrieves a type named Fiber.Home from the loaded assembly. It then invokes a method named VAI on this type, passing several parameters to it.
Figure 5: Deobfuscated PowerShell script

Upon retrieving the base64-encoded data from the downloaded image Figure 6), we obtain the .NET binary payload, which we dubbed as Ande Loader (MD5: 92fc4d4a1f6cad69ab11484e74815b50) based on the previous method name used in the previous loaders (MD5: 48b6064beec687fc110145cf7a19640d). The Yara rule on Ande Loader can be access here.

We have observed Ande Loader used previously by the Blind Eagle threat actors specifically focused on delivering RATs to Latin American countries.

Figure 6: Content of the retrieved image

From Ande Loader, we can see 7 parameters are being passed to the method VAI (Figure 7).

Figure 7: Parameters passed to "VAI" method

The first parameter contains the link to another paste[.]ee which contains a reversed base64-encoded blob (Figure 8).

Figure 8: Reversed base64-encoded blob

The decoded base64-encoded blob is a core payload which we dubbed as SwaetRAT based on the group name/ID (Figure 18). The core payload gets injected into RegAsm.exe via process hollowing (T1055.012), as shown in Figure 9 via Fiber.Class1 class.

Figure 9: Injection of the core payload via process hollowing

The second parameter is null, which means no AntiVM option was enabled. The AntiVM feature would check for processes that contain “vmtoolsd” or “VBoxService” (Figure 10).

Figure 10: AntiVM feature

The third parameter is “2” which makes the binary check for the presence of the initial VBS payload named “VbsName” under C:\ProgramData folder on the infected machine via switch-case structures.

If the file doesn’t exist, it proceeds with creating a persistence via Startup (T1547.001) with the shortcut file named “LnkName” as shown in Figure 11.

Figure 11: Creating persistence via Startup

SwaetRAT Analysis

SwaetRAT (MD5: d6d29037517bb1d8202efbf39534df7a) is a 32-bit RAT written in .NET. Like other RATs, SwaetRAT has keylogging capabilities. The logged keystrokes are recorded and saved under %TEMP%/Log.tmp file (Figure 12).

Figure 12: Keylogging feature

The RAT enters an infinite loop with the pause of 2 seconds for each iteration and looks for mentions of Paypal and Binance in the Log.tmp file and if found, it appends “Banking Found: ” and sends it over to C2 (Figure 13).

Figure 13: Looking for specific strings in the Log.tmp file

Within Info method, the RAT collects system information (Figure 14).

It constructs this string by concatenating several pieces of data, separated by a delimiter defined in Settings.Splitter, which is “<Remote>”.

The information includes:

The UAC Method checks if the current user has administrative privileges. It attempts to create a WindowsPrincipal object for the current user WindowsIdentity.GetCurrent() and then checks if this user is in the role of WindowsBuiltInRole.Administrator.

If the user has administrative privileges, it returns true; otherwise, false.

Figure 14: Info method

An example of the traffic for the SwaetRAT is shown in Figure 15.

Figure 15: Traffic capture

The ID generation algorithm is as follows:

Figure 16: ID generation algorithm

ReadPacket class (Figure 17) is responsible for command parsing from C2. It receives the data, which is converted to a string and split into parts using a delimiter.

Based on the first element of the array (text), it determines what action to perform. Several commands are handled:

Figure 17: ReadPacket class

SwaetRAT creates the mutex “qVnqcuDNS5fGFGb”, which is defined under the Settings class in the configuration (Figure 18). If the mutex already exists, the process exits.

Figure 18: SwaetRAT configuration

A Yara rule on SwaetRAT can be accessed here.

What did we do?

Our team of 24/7 SOC Cyber Analysts isolated the affected host and notified the client of suspicious activities.

What can you learn from this TRU Positive?

Recommendations from our Threat Response Unit (TRU):

Protecting against malware requires a multi-layered defense approach to defend endpoints from malware and detect or block unauthorized login activity against applications and remote access services. Therefore, we recommend:

Indicators Of Compromise

Name

Indicator

Initial website serving as a redirector

receipt-view.blogspot[.]com

Compromised URL

jewelrycleaningmachine[.]com

ScreenConnect

412e11d3ff7659c7d05194cc5e0e1f32

ScreenConnect URL

legal-advocate.screenconnect[.]com

ScreenConnect IP

147.75.81[.]214

File_Vbs.vbs

91570b30470e0375c62972a268fcaee7

Ande Loader

92fc4d4a1f6cad69ab11484e74815b50

SwaetRAT

d6d29037517bb1d8202efbf39534df7a

SwaetRAT C2

dns-govv[.]ink

URL hosting SwaetRAT binary

paste[.]ee/d/k7m1f/0

URL hosting Ande Loader

uploaddeimagens.com[.]br/images/004/666/676/original/vbs.jpg?1700182879

References

eSentire Unit
eSentire Threat Response Unit (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.

Read the Latest from eSentire