
Quartet of Trouble: XWorm, AsyncRAT, VenomRAT, and PureLogs Stealer Leverage TryCloudflare

BY eSentire Threat Response Unit (TRU)

July 31, 2024 | 7 MINS READ


Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

In July 2024, eSentire's Threat Response Unit (TRU) detected an infection affecting a customer in the government sector. This incident involved multiple malware threats – XWorm, VenomRAT, PureLogs Stealer, and AsyncRAT – leveraging a WebDAV server hosted on TryCloudflare.

WebDAV (Web Distributed Authoring and Versioning) is a protocol that allows users to manage files on remote web servers. This makes it an effective way for threat actors to host and distribute malicious files, because it provides easy remote access and file manipulation.

TryCloudflare is a free offering from Cloudflare intended for web development and testing. Its primary use case is the creation of internet-accessible servers proxied through Cloudflare’s infrastructure. The TryCloudflare tool uses a simple command to serve traffic from the internet to a local machine using a randomly generated subdomain under trycloudflare.com.

The initial access vector was a phishing email similar to one reported by security researcher Germán Fernández. The user received a ZIP archive containing a URL shortcut, which led to a shortcut file (.lnk) hosted on a TryCloudflare-proxied WebDAV server. The shortcut file contained instructions to execute malicious batch files responsible for retrieving and executing additional Python payloads.

The shortcut file leads to the execution of the new.bat file (MD5: 0d79c56f9198117a98334ead5d033974). The threat actors obfuscated the batch files by prepending the bytes “FF FE 26 40 63 6C 73” to each file (FF FE is the UTF-16LE byte order mark; the remaining bytes are the ASCII text “&@cls”), causing the contents to be interpreted as UTF-16LE-encoded text (Figure 1).

Figure 1: Content of new.bat file (UTF-16LE)

Upon opening the file in a hex editor, we can see the obfuscation is based on a substitution cipher where characters are not directly stored; instead, they are represented by indices within a predefined key string. Each index refers to a position in this string from which the actual character can be retrieved.

Figure 2: Contents of new.bat file viewed in a hex editor
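The fake-BOM trick described above can be triaged without ever running the file. The helper below is an added example written for this post, not TRU's tooling; it assumes that a BOM-honouring editor decodes the file as UTF-16LE while cmd.exe ignores the BOM and reads the bytes as single-byte OEM text, and it uses a constructed stand-in for the batch content rather than the real new.bat.

```python
# Added triage helper (not the TRU's code). The sample below is constructed;
# the real new.bat content is not reproduced here.
FAKE_BOM_PREFIX = b"\xff\xfe&@cls"  # FF FE 26 40 63 6C 73 from the writeup

# Constructed stand-in for an obfuscated batch file: the prefix, then plain
# ASCII batch text. Real samples add a further substitution layer on top.
SAMPLE_BAT = FAKE_BOM_PREFIX + b"\r\n@echo off\r\nstart /b python 1.py\r\n"


def looks_like_fake_utf16_batch(data: bytes) -> bool:
    """Flag files that carry a UTF-16LE BOM but whose body is single-byte text.

    Genuine UTF-16LE text has a 0x00 high byte for nearly every ASCII
    character; a BOM followed by almost no NUL bytes is the tell.
    """
    if not data.startswith(b"\xff\xfe"):
        return False
    body = data[2:]
    nul_ratio = body.count(0) / max(len(body), 1)
    return nul_ratio < 0.1


def view_as_editor(data: bytes) -> str:
    """What a BOM-honouring editor shows: the BOM is consumed and each pair of
    ASCII bytes becomes one unrelated code point, hiding the commands."""
    return data.decode("utf-16", errors="replace")


def recover_batch_lines(data: bytes) -> list:
    """Decode the file the way cmd.exe reads it (single-byte OEM code page,
    cp437 on US-English systems, BOM not honoured) and drop the '&@cls' line
    that the prefix produces."""
    body = data[2:] if data.startswith(b"\xff\xfe") else data
    text = body.decode("cp437", errors="replace")
    lines = [line.strip() for line in text.splitlines()]
    return [line for line in lines if line and line != "&@cls"]


if __name__ == "__main__":
    print("fake UTF-16 batch:", looks_like_fake_utf16_batch(SAMPLE_BAT))
    print("editor view      :", repr(view_as_editor(SAMPLE_BAT)))
    print("recovered lines  :", recover_batch_lines(SAMPLE_BAT))
```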

The new.bat file is responsible for the following actions:

The startuppppp.bat file is responsible for running malicious Python files such as 1.py, 2.py, 3.py, 4.py, 5.py and 6.py.

It’s worth noting that the decrypted payloads from the malicious Python files within the DXJS.zip archive are identical to those found in the FTSP.zip archive (Figure 3).

Figure 3: Decrypted payloads from DXJS.zip and FTSP.zip with the same hashes

Let’s take a closer look at one of the Python scripts, 2.py (MD5: a84994e9e9de4fd82f721dbf2c8d9c58). The shellcode is base64-encoded and RC4-encrypted; the RC4 KSA (Key Scheduling Algorithm) and PRGA (Pseudo-Random Generation Algorithm) are shown in Figure 4.

Figure 4: Contents of the 2.py Python script including the RC4 decryption algorithm

After decrypting the shellcode, the malicious Python script executes it directly in memory. The script first allocates a buffer with ctypes.create_string_buffer() to hold the decrypted shellcode, then changes the protection of that memory region to PAGE_EXECUTE_READWRITE by calling VirtualProtect through ctypes. This makes the previously non-executable region executable so the shellcode can run.

While analyzing the decrypted shellcode (MD5: c741fbaeeb14a9a95d6fb201e9e0bd6e), we found that it appears to be the Donut loader, which uses a Chaskey cipher implementation.

The decrypted payload (the injector) within the shellcode performs the decryption of another shellcode payload via AES decryption. The initial step involves creating a set of round keys derived from the main encryption key, which are used throughout the decryption process. During decryption, data is handled in blocks, undergoing several transformations.

First, each byte of the block is substituted according to a predefined table, reversing the encryption's scrambling effect.

Next, the positions of bytes within the block are rearranged to their original order. The process also involves mixing the block’s data with the round keys using XOR operations, which combine the data bits with the key bits to undo the encryption. An additional custom function (Figure 5) further modifies the data by performing additional transformations, such as rotations and substitutions.

Finally, another XOR operation is applied to each byte of the data block, ensuring the decryption process is complete.

Figure 5: The function performs additional custom transformations on the data blocks during the AES decryption process, involving byte rotations, substitutions, and bitwise operations to ensure thorough decryption

The injector payload uses direct syscalls (Figure 6) to call native API functions such as NtClose, NtResumeThread, NtAllocateVirtualMemory, NtQuerySystemInformation, NtProtectVirtualMemory, NtDelayExecution, and NtWriteVirtualMemory.

This technique is primarily used to evade Endpoint Detection and Response (EDR) systems and other security monitoring tools.

The injector is also responsible for injecting the decrypted shellcode containing the encrypted final payload into the notepad.exe process via Early Bird APC Queue Code Injection using native APIs such as NtQueueApcThread, NtProtectVirtualMemory, NtWriteVirtualMemory, and NtResumeThread.

Figure 6: Snippet of the code using a direct syscall

The decrypted shellcode containing the encrypted final payload is similar to the initial decrypted shellcode (Donut Loader) we analyzed. The decryption of the final payload also relies on the implementation of the Chaskey cipher within Donut Loader.

We were able to extract the configuration for the final payloads – XWorm, VenomRAT and AsyncRAT. You can access them here, along with indicators of compromise.

In summary, this malware campaign involving XWorm, VenomRAT, PureLogs Stealer, and AsyncRAT was initiated via a phishing email. The threat actors deployed obfuscated batch files and encrypted Python files from a WebDAV server to deliver the RATs mentioned above.

These scripts executed actions such as launching decoy PDFs, downloading additional malicious payloads, and changing file attributes to avoid detection. A key element of their strategy was using direct syscalls to bypass security monitoring tools, decrypting layers of shellcode, and deploying Early Bird APC queue injection to execute code stealthily and evade detection.

What did we do?

What can you learn from this TRU Positive?

Indicators of Compromise

You can access the indicators of compromise here.

Recommendations from the Threat Response Unit (TRU):

References
