eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
In late November 2024, the eSentire Threat Response Unit (TRU) identified an ongoing campaign involving a new and highly evasive malware installer dubbed “CleverSoar” by Rapid7 Labs. CleverSoar has been found targeting primarily Chinese and Vietnamese-speaking users via malicious installer packages distributed through poisoned web search results. The installer package deploys the advanced post-exploitation toolkit Winos4.0 framework and the Nidhogg rootkit.
As previously reported by Rapid7 Labs, a custom backdoor was identified, however we have found this is in fact a staging component of the Winos4.0 framework named “上线模块” which translates to “Online Module”.
Re-engineered from Gh0strat, Winos4.0 framework integrates several modular components and has become an increasingly prevalent threat targeting Windows users. The control panel for Winos4.0 features a vast amount of functionality, enabled by numerous plugins and can be seen in Figure 1 below.
Figure 1 - Winos4.0 control panel
Upon execution, the Winos4.0 stager parses a hard-coded configuration that is slightly obfuscated (reversed). Each configuration value is delimited by the “|” character (Figure 2).
Figure 2 - Stager config
The following table lists the configuration values that were identified in our analysis.
Key
Value
Description
p1
ti[.]twilight[.]zip
First C2 address
o1
8000
First C2 port
t1
0 (UDP)
First C2 communication protocol
p2
ti[.]twilight[.]zip
Second C2 address
o2
8000
Second C2 port
t2
0 (UDP)
Second C2 communication protocol
p3
127.0.0.1
Third C2 address
o3
80
Third C2 port
t3
1 (TCP)
Third C2 communication protocol
dd
1
Execution delay in seconds
cl
1
C2 communication interval in seconds
fz
默认 “default”
Group ID
bb
1.0
Version
bz
2024.11.18
Comment (Generation date)
jp
1
Keylogger
bh
0
End bluescreen
ll
0
Anti-traffic Monitoring
dl
0
Entrypoint
sh
0
Process Daemon
kl
0
Process Hollowing
bd
1
Unknown
If the registry value “HKEY_CURRENT_USER\Console\IpDate” is present, it is parsed and used rather than the hard-coded configuration described above (Figure 3).
Figure 3 - Update config if in registry
The stager then resolves the main C2 domain (p1) via the Windows API gethostname() and connects to the resolved address over UDP port 8000 using sockets. It is worth noting that TCP is also supported by the stager and packets look very similar.
Additionally, if after so many attempts communication fails with the main C2 server, the second and third servers are tried.
Figure 4 - Resolve C2 and connect
After the C2 is resolved and a connection is established over the port specified in the config (8000), the send function transmits the encryption key to the C2. This encryption key secures communications between the threat actor server and victim machine (Figure 4).
The first four bytes of the encryption key stream stem from a call to the Windows API timeGetTime(). The remaining bytes are hard-coded and vary between samples.
Figure 5 - Exchange encryption key with C2
The algorithm used to encrypt/decrypt communication can be seen below in Figure 6, where each byte of the encryption key is transformed by a modulus with 0x1C8 and 0x36 is added to the resulting byte, then the byte is XOR’d with each byte of the request or response to encrypt/decrypt.
Figure 6 - Encryption/decryption algorithm
The following python code can be utilized to encrypt and decrypt communications with the C2 (sample response data and encryption key are included).
The next packet sent from the C2 to the stager is an MD5 of the final stage (Login Module).
Upon decoding the encrypted data using the python script, we can see the MD5 “c9cb53ecfed9c0deec10651b37c64103” of the Login Module is returned in the buffer (wide string formatted).
Figure 8 - Decrypted MD5 from C2
Next, the stager sends a request to the C2 to retrieve the Login Module “登录模块.dll”. The response has been decrypted and is shown below:
Figure 9 – Request Login Module
After receiving it, the stager deletes the registry key/value HKEY_LOCAL_MACHINE\Software\IpDates_info via the Windows API RegDeleteW() prior to executing the Login Module. Note, this fails in the event the stager is running without elevated privileges. The registry value is then updated with the latest configuration information, including C2 addresses/ports, version, comment, etc.
The Login Module’s entrypoint is then called as shown in the last line of the following figure. Although not configured to do so in this instance, the stager also supports executing the Login Module via the Process Hollowing technique [T1055.012] against the legitimate Windows system binary, “C:\Windows\System32\tracerpt.exe”.
Figure 10 - Delete/replace config and execute Login Module
Figure 11 - Process hollowing support in stager
The following table contains a list of all of the registry keys used by the stager and their associated purpose.
Registry Key\Value
Description
HKEY_CURRENT_USER\Console\IpDate
Config storage, used in place of hard-coded config
We communicated what happened with the customer and helped them with remediation efforts.
What can you learn from this TRU Positive?
The CleverSoar campaign is a sophisticated threat targeting Chinese and Vietnamese speaking users that is primarily distributed via driver assistant and game optimization applications in web search results.
Across the threat landscape, MSI installers have become increasingly prevalent for initial access, highlighting the need to monitor these file types more closely.
Recommendations from the Threat Response Unit (TRU):
Ensure your organization has a corporate policy for acceptable use of corporate devices which prohibits the use of any unauthorized third-party software.
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
