Key Takeaways
• Cyble Research and Intelligence Labs (CRIL) came across Python malware capturing screenshots and sending them over FTP to remote attackers.
• Proofpoint has observed similar campaigns in the recent past targeting the United States and Germany, with the perpetrator tracked as “TA866”.
• This particular campaign targets Tatar language-speaking users who primarily reside in a particular region of Russia.
• This campaign was executed aiming to target its victims during the Tartar Republic Day, which, according to the campaign, would be during the end of August.
• This campaign involves the execution of PowerShell script, which is responsible for taking screenshots and uploading them to a remote FTP server.
• After sending the screenshots to the FTP server, the Threat Actors (TAs) can continuously monitor the systems and perform other malicious post-exploitation activities if the compromised victim is of interest to them.
Overview
Cyble Research and Intelligence Labs (CRIL) has recently encountered a RAR file containing a malware sample created using Python on VirusTotal. This campaign seems to focus on infecting users with additional malware designed to take screenshots of their computer screens and transmit these captured images to a remote FTP server.
We suspect that this campaign is potentially distributed via phishing emails containing a RAR file, which in turn contains two additional files: a video file and a Python-based executable file with a double extension disguising itself as an image file.
The executable file is a loader containing an image file and a PowerShell script designed to fetch a zip file from Dropbox. This zip file contains an additional executable file and two PowerShell scripts.
Among these two scripts, one is responsible for creating a scheduled task entry that executes the executable file present in a zip file, which, in turn, runs a PowerShell script responsible for capturing screenshots and transmitting them to a remote FTP server.
Proofpoint had reported a similar campaign, wherein TA866, a financially motivated threat actor, was observed targeting organizations in the United States and Germany.
The attack sequence initiates with malicious attachments or URLs within emails and subsequently leads to the deployment of malware named WasabiSeed and screenshotter by Proofpoint.
Proofpoint also noted post-exploitation activities involving AHK Bot and Rhadamanthys Stealer in certain instances.
Technical details
The attackers likely used phishing emails with either attachments or phishing links, but we currently do not have any proof to substantiate this claim. The initial infection vector involves a RAR file containing a genuine video file and a disguised executable file with a Republic Day celebration-themed icon. The video file is legitimate, while the executable file is malicious. The entire sequence of events in this attack is shown in the figure below.
The benign video file named in Tatar language as “С Днем Республики Татарстан!.mp4,” which translates to “Day of the Republic of Tatarstan!” and the malicious executable file is “С Днем Республики.jpg.exe,” which translates to “Happy Republic Day.”
The figure below shows the contents of the RAR file.
The malicious file “С Днем Республики.jpg.exe” is a 64-bit GUI-based executable created with PyInstaller, and its SHA256 hash is 285c078e9c79e395a735567431de91544c164cc99a52e09104b439b75d7d4b23.
Upon execution, the malicious executable performs two tasks:
• Decoding and displaying a base64 encoded image
• Executing a PowerShell script in the background to perform further malicious activities.
The figure below shows the decompiled Python code of “С Днем Республики.jpg.exe”.
The base64-encoded image shown by the malicious executable contains a message written in the Tatar language, translating to “30 AUGUST HAPPY REPUBLIC DAY!”. The message indicates that the campaign would likely have been executed at the end of August.
The figure below shows the aforementioned image.
Following the opening of the image, the executable “С Днем Республики.jpg.exe” executes a PowerShell script in the background. This PowerShell script downloads a zip file from a Dropbox URL and stores it as “filename.zip” in the “Pictures” folder. Subsequently, the PowerShell script extracts the zip file’s contents into a separate directory named “extracted_folder.”
The figure below shows the PowerShell script to download and execute malicious files from Dropbox.
Three files are inside the “filename.zip”: one executable and two PowerShell scripts, as shown in Figure 6.
After extracting the data, the PowerShell script executes “pyisgit.exe” from the “extracted_folder”.
The executable “pyisgit.exe” is a 64-bit GUI-based executable created using PyInstaller. Its SHA256 hash is “9af3754f2aa4b34a073805bacb1253aa44c26d7c6147f82fe2a15ac089f65c20.”
This executable executes the PowerShell scripts “with2.ps1” and “sc_new.ps1.”
Within the “with2.ps1” script, there is code to set up a scheduled task entry for “pyisgit.exe.” This task is configured to run “pyisgit.exe” upon user logon and repeat indefinitely, with a frequency of every 6 minutes.
The figure below shows the task scheduler entry.
The figure below shows the contents of the first PowerShell script “with2.ps1”.
The second PowerShell script, “sc_new.ps1” is designed to capture screenshots and transmit them to a remote FTP server. This script follows a sequence where it captures a series of 50 images in a loop, with a 12-second interval between each capture. These images are saved in a temporary folder with filenames based on their respective timestamps.
Once the script has collected 50 images, it compresses them into a ZIP file in the format of “Data_temp__.zip” and proceeds to send this to the remote FTP server using pre-configured credentials.
The figure below shows the script to capture and send the screenshots to the FTP server.
The figure below shows the screenshots captured by sc_new.ps1 stored in the C:User folder for exfiltration.
The figure below shows the network communication during data exfiltration to the remote FTP server.
The figure below shows the complete process tree of the malware.
Conclusion
The malware campaign employs a multifaceted approach to compromise user systems. It begins with a deceptive RAR file containing both benign and malicious files, leveraging Tatar language filenames to obscure their true nature.
Once executed, the malicious executable conceals its intent by initially displaying an image while covertly running PowerShell scripts to capture and exfiltrate screenshots of the victim machine to an FTP server. Previous campaigns have observed threat actors continuously monitoring the victim system for its activities.
If the victim is a subject of interest, TAs then drop additional post-exploitation tools into the victim system, such as Cobalt Strike beacon, RATs, stealers, and other malicious programs. This campaign underscores the sophistication and persistence of threat actors in their attempts to compromise user systems.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
• Enhance email security with advanced filtering and scanning to detect and block phishing attempts, malicious attachments, and suspicious file extensions.
• Encourage users to verify file extensions and names, especially when opening attachments, to avoid executing disguised executable files.
• Restrict PowerShell script execution from unauthorized locations.
• Monitor if PowerShell is used to download files from Dropbox.
• Continuously monitor and review scheduled tasks on systems for suspicious entries and unauthorized executions.
• Monitor FTP connections and examine the connecting domains thoroughly.
• Deploy strong antivirus and anti-malware solutions to detect and remove malicious executables and scripts.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Procedure |
| Initial Access (TA0001) | Phishing (T1566.001) | This malware could reach users via phishing emails. |
| Execution (TA0002) | User Execution (T1204) | The user opens the malicious executable file from the spam attachment. |
| Execution (TA0002) | Command and Scripting Interpreter (T1059) | PowerShell scripts are used for malicious operations such as taking screenshots, transferring via FTP, etc. |
| Defense Evasion (TA0005) | Indirect Command Execution (T1202) | PowerShell commands are executed using malicious executables. |
| Collection (TA0009) | Screen Capture (T1113) | PowerShell script taking screenshots. |
| Collection (TA0009) | Automated Collection (T1119) | PowerShell script takes screenshots in a loop and stores them locally. |
| Persistence (TA0003) | Scheduled Task (T1053.005) | pyisgit.exe getting executed at every user login and periodically. |
| Exfiltration (TA0010) | Scheduled Transfer (T1029) | FTP is used for transferring the data. |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 675fcbfcd07026269302eb2efcadaf98 16a78de42683a4524918fde525d5449f4442efaf 8f60de2780490b46083d774eb9921d823c6761f252c7a216265ce7339b8d90e1 | MD5 SHA1 SHA256 |
Malicious RAR File |
| 6e11eba3f5fcf7f0324c3f5694f45f04 2c1af69cdd83c63319428ce2a1c3b5ce32d8931f e1eda66264e0a2746e725f66b62da7ff49484b008b2888897379e249f69e47c8 | MD5 SHA1 SHA256 |
С Днем Республики Татарстан!.mp4 |
| 70889a35b3c0dbc67327594628c4d370 60dd77e31255d14c1829bd588a2abfcd3f792ec6 285c078e9c79e395a735567431de91544c164cc99a52e09104b439b75d7d4b23 | MD5 SHA1 SHA256 |
С Днем Республики.jpg.exe |
| a4bd9783e7c308534eaa04cf4655378c 9fa72f630ba8b269d0569dd5929dcc9ad637efdb 04f37916ba922f78d30949967181f141d95c9d30ee4a7c3049e253d642d204da | MD5 SHA1 SHA256 |
filename.zip |
| 62658473c97cd5719860bd2b95f5b608 6d3acaa670a2a986d3e3147025852b997eb627a2 9af3754f2aa4b34a073805bacb1253aa44c26d7c6147f82fe2a15ac089f65c20 | MD5 SHA1 SHA256 |
pyisgit.exe |
| e462a5f2b8b7c30a8bd15b0797b76133 2445f58945d7a052c81a24b14d1149d322a8f669 294151af58b665ec144e0bc1bf92ad7495ff29b9410ff810b25db2b369a49732 | MD5 SHA1 SHA256 |
sc_new.ps1 |
| a71f924de543ef0d5ffa39b0f7a32820 3bc25d474abe8a266f789a8e1fda962c7228ad30 4fb1149e66c2d71be0d96dd33ddf6442969bff4afc6f2c175d965e846e3be704 | MD5 SHA1 SHA256 |
with2.ps1 |
| fxp://ftpupload3.dfiles[.]eu/ | Domain | Remote FTP server |
| hxxps://www.dropbox[.]com/scl/fi/hq90fosq6l819auwti5u4/sc3.zip?rlkey=hxnt4ujg2r61cvdim77cwqnlc&dl=1 | URL | Download File |
References
Related
Source: https://cyble.com/blog/tatar-language-users-in-the-crosshairs-of-python-screenshotter/