eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
In July 2024, eSentire's Threat Response Unit (TRU) detected an infection affecting a customer in the government sector. This incident involved multiple malware threats – XWorm, VenomRAT, PureLogs Stealer, and AsyncRAT – leveraging a WebDAV server hosted on TryCloudflare.
WebDAV (Web Distributed Authoring and Versioning) is a protocol that allows users to manage files on remote web servers, making it an effective method for threat actors to host and distribute malicious files because it facilitates easy remote access and file manipulation.
TryCloudflare is a free offering from Cloudflare intended for web development and testing. Its primary use case is the creation of internet-accessible servers proxied through CloudFlare’s infrastructure. The TryCloudflare tool uses a simple command to serve traffic from the internet to a local machine using a randomly generated subdomain under trycloudflare.com.
The initial access vector was a phishing email, like one reported by Security Researcher Germán Fernández. The user received a ZIP archive containing a URL shortcut, which led to a shortcut file (.lnk) hosted on a TryCloudflare-proxied WebDAV server. The shortcut file contained instructions to execute malicious batch files responsible for retrieving and executing additional Python payloads.
The shortcut file leads to the execution of the new.bat file (MD5: 0d79c56f9198117a98334ead5d033974). Threat actors obfuscated the batch files by prepending the bytes “FF FE 26 40 63 6C 73” to the beginning of the batch file, causing the contents to be interpreted as UTF-16LE encoding (Figure 1).
Figure 1: Content of new.bat file (UTF-16LE)
Upon opening the file in a hex editor, we can see the obfuscation is based on a substitution cipher where characters are not directly stored; instead, they are represented by indices within a predefined key string. Each index refers to a position in this string from which the actual character can be retrieved.
Figure 2: Contents of new.bat file viewd in a hex editor
The new.bat file is responsible for the following actions:
Launch a decoy PDF file hosted on the WebDAV server (stickers-ext-payment-print.trycloudflare[.]com/kbsfaw.pdf)
Download the ZIP archives from the WebDAV server (stickers-ext-payment-print.trycloudflare[.]com) with PowerShell and extract them under the “Downloads” folder.
Add the hidden attribute to Downloads/Python and Downloads/Print folders that were extracted from ZIP archives (DXJS.zip and FTSP.zip).
Download the startuppppp.bat (MD5: 1e5fa94c5be0d6f6d57c181c60622b80) file and move the batch file to the Startup Folder.
Runs multiple malicious Python files such as moment.py, update.py, upload.py, time.py and kamp.py
The startuppppp.bat file is responsible for running malicious Python files such as 1.py, 2.py, 3.py, 4.py, 5.py and 6.py.
It’s worth noting that the decrypted payloads from the malicious Python files within the DXJS.zip archive are identical to those found in the FTSP.zip archive (Figure 3).
Figure 3: Decrypted payloads from DXJS.zip and FTSP.zip with the same hashes
Let’s take a closer look at one of the Python scripts, 2.py (MD5: a84994e9e9de4fd82f721dbf2c8d9c58). The shellcode is base64-encoded and encrypted with RC4 encryption. The RC4 KSA (Key Scheduling Algorithm) and PRGA (Pseudo-Random Generation Algorithm) algorithms are shown in Figure 4.
Figure 4: Contents of the 2.py Python script including the RC4 decryption algorithm
After decrypting the shellcode, the malicious Python script executes it directly in memory. The script first allocates a buffer using ctypes.create_string_buffer() to hold the decrypted shellcode. It then changes the protection on this region of memory to PAGE_EXECUTE_READWRITE using VirtualProtect, accessed through the ctypes library. This step allows the previously non-executable memory region to run executable code.
While analyzing the decrypted shellcode (MD5: c741fbaeeb14a9a95d6fb201e9e0bd6e), we found that it appears to be Donut loader leveraging Chaskey cipher implementation.
The decrypted payload (the injector) within the shellcode performs the decryption of another shellcode payload via AES decryption. The initial step involves creating a set of round keys derived from the main encryption key, which are used throughout the decryption process. During decryption, data is handled in blocks, undergoing several transformations.
First, each byte of the block is substituted according to a predefined table, reversing the encryption's scrambling effect.
Next, the positions of bytes within the block are rearranged to their original order. The process also involves mixing the block’s data with the round keys using XOR operations, which combine the data bits with the key bits to undo the encryption. An additional custom function (Figure 5) further modifies the data by performing additional transformations, such as rotations and substitutions.
Finally, another XOR operation is applied to each byte of the data block, ensuring the decryption process is complete.
Figure 5: The function performs additional custom transformations on the data blocks during the AES decryption process, involving byte rotations, substitutions, and bitwise operations to ensure thorough decryption
The injector payload uses direct syscalls (Figure 6) to call native API functions such as NtClose, NtResumeThread, NtAllocateVirtualMemory, NtQuerySystemInformation, NtProtectVirtualMemory, NtDelayExecution, and NtWriteVirtualMemory.
This technique is primarily used to evade Endpoint Detection and Response (EDR) systems and other security monitoring tools.
The injector is also responsible for injecting the decrypted shellcode containing the encrypted final payload into the notepad.exe process via Early Bird APC Queue Code Injection using native APIs such as NtQueueApcThread, NtProtectVirtualMemory, NtWriteVirtualMemory, and NtResumeThread.
Figure 6: Snippet of the code using a direct syscall
The decrypted shellcode containing the encrypted final payload is similar to the initial decrypted shellcode (Donut Loader) we analyzed. The decryption of the final payload also relies on the implementation of the Chaskey cipher within Donut Loader.
We were able to extract the configuration for the final payloads – XWorm, VenomRAT and AsyncRAT. You can access them here, along with indicators of compromise.
In summary, this malware campaign involving XWorm, VenomRAT, PureLogs Stealer, and AsyncRAT was initiated via a phishing email. The threat actors deployed obfuscated batch and encrypted Python files from a WebDAV server to deliver multiple RATs mentioned above.
These scripts executed actions such as launching decoy PDFs, downloading additional malicious payloads, and changing file attributes to avoid detection. A key element of their strategy was using direct syscalls to bypass security monitoring tools, decrypting layers of shellcode, and deploying the Early Bird APC queue injection to stealthily execute code and evade detection effectively.
What did we do?
Our team of 24/7 SOC Cyber Analysts isolated the affected host to contain the infection on the customer’s behalf.
What can you learn from this TRU Positive?
The XWorm, VenomRAT PureLogs Stealer, and AsyncRAT malware were distributed using a WebDAV server proxied through TryCloudflare links, showcasing how threat actors exploit legitimate file management protocols and web services to host and distribute malicious content.
The infection chain began with a phishing email, highlighting the ongoing risk of phishing as an effective initial attack vector and the importance of robust email filtering and user education.
The threat actors deployed multiple scripts that performed actions like launching decoy documents, downloading further payloads, and modifying file attributes to evade detection, emphasizing the layered approach to malware deployment.
The use of direct syscalls to bypass Endpoint Detection and Response (EDR) systems illustrates the advanced methods employed to evade detection, stressing the need for security solutions that monitor at the kernel or syscall level.
We recommend modifying the default 'open-with' settings for script files to ensure they open with a basic text editor like Notepad instead of executing.
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
