eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
In November 2023, eSentire’s Threat Response Unit observed an incident involving the PhantomControl
threat actor(s). Based on the logs, we assess with high confidence that the initial infection vector was a phishing email.
The user was redirected to a malicious website serving ScreenConnect client from receipt-view.blogspot[.]com. Tracing the download source, we stumbled on a compromised website hosting a malicious ScreenConnect client (MD5: 412e11d3ff7659c7d05194cc5e0e1f32) as shown in Figures 1-2.
Upon running the ScreenConnect client, the infected machine established the connection to legal-advocate.screenconnect[.]com, which is the threat actor’s controlled ScreenConnect instance.
The instance domain resolves to 147.75.81[.]214, which was observed to be used previously by PhantomControl threat actor(s).
Approximately 9 minutes after launching ScreenConnect, the threat actor(s) dropped File_Vbs.vbs (MD5: 91570b30470e0375c62972a268fcaee7) file under Documents\ConnectWiseControl\Temp\.
Ande Loader Analysis
The VBS script contains garbage strings that conceal the malicious code. Upon cleaning up the script, we see a reference to paste[.]ee domain as shown in Figure 3.
The VBS script sends an HTTP GET request to the URL, then it checks if the response status is 200. If the response is 200, it stores the response text in a variable named “response”.
The script then executes the content of the variable using the Execute statement.
Figure 3: Reference to paste[.]ee domain
The VBS script retrieved from paste[.]ee contained garbled data and reversed strings. After some cleanup, it transformed into the reversed base64-encoded obfuscated PowerShell snippet (Figure 4).
Figure 4: Snippet of the script retrieved from paste[.]ee and the clean-up PowerShell script
Further deobfuscating the PowerShell script (Figure 5), we can try to break down what the script does:
The script sets the URL of an image, creates a WebClient object, and downloads the data from the URL as a byte array.
The byte array of the image is converted into a UTF-8 encoded string.
The script looks for specific start and end flags in the converted text, indicating the presence of Base64 encoded content.
The decoded bytes are loaded as a .NET assembly.
The script retrieves a type named Fiber.Home from the loaded assembly. It then invokes a method named VAI on this type, passing several parameters to it.
Figure 5: Deobfuscated PowerShell script
Upon retrieving the base64-encoded data from the downloaded image Figure 6), we obtain the .NET binary payload, which we dubbed as Ande Loader (MD5: 92fc4d4a1f6cad69ab11484e74815b50) based on the previous method name used in the previous loaders (MD5: 48b6064beec687fc110145cf7a19640d). The Yara rule on Ande Loader can be access here.
We have observed Ande Loader used previously by the Blind Eagle threat actors specifically focused on delivering RATs to Latin American countries.
Figure 6: Content of the retrieved image
From Ande Loader, we can see 7 parameters are being passed to the method VAI (Figure 7).
Figure 7: Parameters passed to "VAI" method
The first parameter contains the link to another paste[.]ee which contains a reversed base64-encoded blob (Figure 8).
Figure 8: Reversed base64-encoded blob
The decoded base64-encoded blob is a core payload which we dubbed as SwaetRAT based on the group name/ID (Figure 18). The core payload gets injected into RegAsm.exe via process hollowing (T1055.012), as shown in Figure 9 via Fiber.Class1 class.
Figure 9: Injection of the core payload via process hollowing
The second parameter is null, which means no AntiVM option was enabled. The AntiVM feature would check for processes that contain “vmtoolsd” or “VBoxService” (Figure 10).
Figure 10: AntiVM feature
The third parameter is “2” which makes the binary check for the presence of the initial VBS payload named “VbsName” under C:\ProgramData
folder on the infected machine via switch-case structures.
If the file doesn’t exist, it proceeds with creating a persistence via Startup (T1547.001) with the shortcut file named “LnkName” as shown in Figure 11.
Figure 11: Creating persistence via Startup
SwaetRAT Analysis
SwaetRAT (MD5: d6d29037517bb1d8202efbf39534df7a) is a 32-bit RAT written in .NET. Like other RATs, SwaetRAT has keylogging capabilities. The logged keystrokes are recorded and saved under %TEMP%/Log.tmp
file (Figure 12).
Figure 12: Keylogging feature
The RAT enters an infinite loop with the pause of 2 seconds for each iteration and looks for mentions of Paypal and Binance in the Log.tmp file and if found, it appends “Banking Found: ”
and sends it over to C2 (Figure 13).
Figure 13: Looking for specific strings in the Log.tmp file
Within Info method, the RAT collects system information (Figure 14).
It constructs this string by concatenating several pieces of data, separated by a delimiter defined in Settings.Splitter, which is “<Remote>”.
The information includes:
A fixed string “info”.
The unique ID of the system. We will talk about the ID generation algorithm later in the article.
The current user’s username (Environment.UserName).
Information about the operating system.
Whether the operating system is 32-bit or 64-bit, determined by Environment.Is64BitOperatingSystem.
Antivirus information obtained from a method call to Helper.Antivirus().
A group identifier or categorization from Settings.Group (“SWAET_NOVEMBER”).
The result of a User Account Control (UAC) status check from Helper.UAC(), indicating whether the current user has administrative privileges.
The UAC Method checks if the current user has administrative privileges. It attempts to create a WindowsPrincipal
object for the current user WindowsIdentity.GetCurrent() and then checks if this user is in the role of WindowsBuiltInRole.Administrator.
If the user has administrative privileges, it returns true; otherwise, false.
Figure 14: Info method
An example of the traffic for the SwaetRAT is shown in Figure 15.
Figure 15: Traffic capture
The ID generation algorithm is as follows:
The Hash method collects various pieces of system information, including the number of processors, the current user's name, the machine name, the operating system version, and the total size of the system's primary drive.
The collected information is concatenated into a single string.
The concatenated string is passed to the GetHashT method, which uses the MD5 hashing algorithm to generate a hash value from this string.
The hash is converted into a hexadecimal string. This string is then truncated to the first 20 characters and converted to uppercase, forming the final ID.
Figure 16: ID generation algorithm
ReadPacket
class (Figure 17) is responsible for command parsing from C2. It receives the data, which is converted to a string and split into parts using a delimiter.
Based on the first element of the array (text), it determines what action to perform. Several commands are handled:
"pong": gets a "pong" response back from the server from “ping” messages. Possibly used for connection status checking.
"Sendfile": Executes RunDisk method, which writes and executes a PowerShell file from received data.
"Memory": Executes the Memory method, which loads and executes an assembly from the given byte array in-memory.
"Web": Downloads a file from a URL and executes it.
"Close": Disconnects the TCP socket and exits the application.
"Restart": Restarts the application.
"Uninstall": uninstall the RAT via the batch script.
"$Cap": Captures a screenshot and sends it back to the server in a base64-encoeded and GZIP-compressed format.
"RemoteDesktop": Sends back the screen size information.
"RD+": Captures live screen data.
"DeskDrop": Writes a file to the desktop from received data that is base64-encoded and GZIP-compressed.
"UAC": Attempts to elevate privileges if not running as administrator.
"OfflineGet": Sends the content of a log file to the server.
Figure 17: ReadPacket class
SwaetRAT creates the mutex “qVnqcuDNS5fGFGb”, which is defined under the Settings class in the configuration (Figure 18). If the mutex already exists, the process exits.
Our team of 24/7 SOC Cyber Analysts isolated the affected host and notified the client of suspicious activities.
What can you learn from this TRU Positive?
The use of ScreenConnect, a legitimate remote access tool, by the PhantomControl threat actors underscores the trend of threat actors leveraging legitimate software for malicious activities.
The final payload loader from Ande Loader is dubbed as SwaetRAT. The creation of persistence via startup folders and the use of process hollowing techniques shows how the RAT tries to maintain its presence on infected systems.
The RAT's capabilities include monitoring for specific keywords (like PayPal and Binance), exfiltrating the data, and retrieving additional payloads via various commands.
Recommendations from our Threat Response Unit (TRU):
Protecting against malware requires a multi-layered defense approach to defend endpoints from malware and detect or block unauthorized login activity against applications and remote access services. Therefore, we recommend:
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
