Troublesome Quartet: XWorm, AsyncRAT, VenomRAT, and PureLogs Stealer

Short Summary:

This article discusses a recent malware campaign detected by eSentire’s Threat Response Unit (TRU) that involved multiple malware threats targeting a government sector customer. The attack utilized phishing emails to gain initial access and leveraged a WebDAV server for distributing malicious payloads, showcasing advanced evasion techniques against security monitoring tools.

Key Points:

  • eSentire operates 24/7 SOCs with elite threat hunters and cyber analysts.
  • Recent detection of malware threats: XWorm, VenomRAT, PureLogs Stealer, and AsyncRAT.
  • Initial access was gained through a phishing email containing a malicious ZIP archive.
  • Threat actors used a WebDAV server hosted on TryCloudflare to distribute malicious files.
  • Obfuscated batch files and encrypted Python scripts were employed to execute malicious actions.
  • Direct syscalls were used to evade detection by Endpoint Detection and Response (EDR) systems.
  • The TRU team isolated the affected host to contain the infection.
  • Recommendations include robust email filtering and user education to combat phishing attacks.

MITRE ATT&CK TTPs – created by AI

  • Phishing (T1566)
    • Initial access vector was a phishing email containing a ZIP archive with a malicious URL shortcut.
  • User Execution: Malicious File (T1204.002)
    • The victim opened the URL shortcut, which fetched and ran a .lnk from the WebDAV share; no software vulnerability was exploited.
  • Command and Scripting Interpreter (T1059)
    • Malicious batch files (Windows Command Shell, T1059.003) and Python scripts (T1059.006) were executed to perform various actions.
  • Ingress Tool Transfer (T1105)
    • Batch files, ZIP archives and Python payloads were downloaded from a WebDAV server proxied through TryCloudflare.
  • Obfuscated Files or Information (T1027)
    • Batch files were obfuscated with a fake UTF-16LE byte order mark and substring expansion; the shellcode was base64-encoded and RC4-encrypted.
  • Hide Artifacts: Hidden Files and Directories (T1564.001)
    • The hidden attribute was set on the extracted Downloads\Python and Downloads\Print folders.
  • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
    • startuppppp.bat was copied to the Startup folder.
  • Native API (T1106)
    • The injector used direct syscalls to NtAllocateVirtualMemory, NtWriteVirtualMemory and related functions to avoid user-mode hooks.
  • Process Injection: Asynchronous Procedure Call (T1055.004)
    • Injected decrypted shellcode into the notepad.exe process using Early Bird APC Queue Code Injection.


Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

In July 2024, eSentire’s Threat Response Unit (TRU) detected an infection affecting a customer in the government sector. This incident involved multiple malware threats – XWorm, VenomRAT, PureLogs Stealer, and AsyncRAT – leveraging a WebDAV server hosted on TryCloudflare.

WebDAV (Web Distributed Authoring and Versioning) is an HTTP extension that allows users to manage files on remote web servers. Windows ships a WebDAV client (the WebClient service, also known as the Mini-Redirector), so a share such as \\host@SSL\DavWWWRoot\ can be opened like any UNC path and a file on it launched with a double-click. That makes WebDAV an effective way for threat actors to host and distribute malicious files: the server needs no SMB exposure, the traffic is ordinary HTTPS, and a URL or LNK shortcut can point straight at a file on the share.

TryCloudflare is a free offering from Cloudflare intended for web development and testing. Its primary use case is exposing a local development server to the internet through Cloudflare's infrastructure: a single command such as cloudflared tunnel --url http://localhost:8080 serves traffic from the internet to a local machine using a randomly generated subdomain under trycloudflare.com. No account, domain registration or payment is needed, which is exactly what makes the service attractive for short-lived malware hosting: the hostnames are disposable and the connection terminates at Cloudflare rather than at the actor's own server.

The initial access vector was a phishing email, like one reported by Security Researcher Germán Fernández. The user received a ZIP archive containing a URL shortcut, which led to a shortcut file (.lnk) hosted on a TryCloudflare-proxied WebDAV server. The shortcut file contained instructions to execute malicious batch files responsible for retrieving and executing additional Python payloads.

The shortcut file leads to the execution of the new.bat file (MD5: 0d79c56f9198117a98334ead5d033974). Threat actors obfuscated the batch files by prepending the bytes “FF FE 26 40 63 6C 73” to the beginning of the file. FF FE is the UTF-16LE byte order mark, so an editor that honours it renders the rest of the file as unreadable two-byte characters (Figure 1); the remaining bytes spell “&@cls”. cmd.exe does not honour the BOM and reads the file in the console code page, so the first line becomes the bogus command ÿþ, whose error message is immediately wiped by the chained @cls, and the real script runs as plain ANSI text.

Figure 1: Content of new.bat file (UTF-16LE)

Viewing the file in a hex editor shows the actual ANSI bytes. The obfuscation is the cmd.exe substring-expansion trick, a simple substitution cipher: the characters of the real commands are not stored directly. Instead, one or more set statements define a key string, and each character is written as a reference of the form %key:~index,1%, which cmd.exe resolves at run time to the character at that index of the key. Decoding therefore needs nothing more than the key string(s) and the list of indices.

Figure 2: Contents of new.bat file viewed in a hex editor
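A decoder for this scheme, added here as an example rather than taken from the original write-up or the actor's tooling: it strips the fake BOM, records the key strings defined with set, and resolves every %key:~index,len% reference the way cmd.exe would. The sample batch file embedded in it is constructed for the example and uses a made-up key; the real new.bat is not reproduced on this page.

```python
# Added example (not from the eSentire write-up): decoding the cmd.exe
# substring-expansion obfuscation.  cmd.exe expands %VAR:~start,len% to a
# slice of VAR, so a "key string" plus a list of one-character slices
# rebuilds the real command at run time.
import re

# Constructed sample.  The first line mimics the real dropper's prefix
# FF FE 26 40 63 6C 73: a UTF-16LE BOM followed by "&@cls".  Editors that
# honour the BOM show garbage; cmd.exe reads the bytes in the ANSI code
# page, fails to run the command "ÿþ", and "&@cls" clears the error.
SAMPLE_BAT = (
    b"\xff\xfe&@cls\r\n"
    b"@echo off\r\n"
    b'set "c=tarsnp .exod"\r\n'          # made-up key string
    b"%c:~3,1%%c:~0,1%%c:~1,1%%c:~2,1%%c:~0,1%%c:~6,1%%c:~4,1%%c:~10,1%"
    b"%c:~0,1%%c:~8,1%%c:~5,1%%c:~1,1%%c:~11,1%%c:~7,1%%c:~8,1%%c:~9,1%%c:~8,1%\r\n"
)

SET_RE = re.compile(r'^\s*@?set\s+"?([^=\s"]+)=(.*?)"?\s*$', re.IGNORECASE)
REF_RE = re.compile(r"%(\w+):~(-?\d+)(?:,(-?\d+))?%")


def batch_slice(value: str, start: int, length) -> str:
    """Reproduce cmd.exe %var:~start,len% semantics: a negative start
    counts from the end, a negative len means 'stop that far from the end',
    and a missing len means 'to the end'."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:
        end = n
    elif length < 0:
        end = n + length
    else:
        end = start + length
    return value[start:end]


def deobfuscate_batch(raw: bytes) -> list:
    """Return the script's lines with every substring reference resolved.
    Variables are tracked in definition order, so a later 'set' line may
    itself be assembled from earlier keys, as the real droppers do."""
    if raw.startswith(b"\xff\xfe"):
        raw = raw[2:]                       # drop the fake BOM
    # cmd.exe does no Unicode decoding here; latin-1 keeps every byte as-is
    text = raw.decode("latin-1")
    env = {}                                # variable names are case-insensitive
    out = []
    for line in text.splitlines():
        if line.startswith("&@cls"):        # leftover of the BOM trick
            line = line[len("&@cls"):]
            if not line:
                continue

        def expand(m):
            name, start, length = m.group(1), int(m.group(2)), m.group(3)
            value = env.get(name.lower())
            if value is None:
                return m.group(0)           # unknown variable: leave it visible
            return batch_slice(value, start, int(length) if length else None)

        line = REF_RE.sub(expand, line)
        m = SET_RE.match(line)
        if m:
            env[m.group(1).lower()] = m.group(2)
        out.append(line)
    return out


if __name__ == "__main__":
    for resolved in deobfuscate_batch(SAMPLE_BAT):
        print(resolved)
```

Real samples chain several keys and mix in %var:~-3% style negative offsets; the slice helper already follows those rules, so extending the decoder is a matter of feeding it the whole file rather than one line.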

The new.bat file is responsible for the following actions:

  • Launch a decoy PDF file hosted on the WebDAV server (stickers-ext-payment-print.trycloudflare[.]com/kbsfaw.pdf)
  • Download the ZIP archives from the WebDAV server (stickers-ext-payment-print.trycloudflare[.]com) with PowerShell and extract them under the “Downloads” folder.
  • Add the hidden attribute to Downloads/Python and Downloads/Print folders that were extracted from ZIP archives (DXJS.zip and FTSP.zip).
  • Download the startuppppp.bat (MD5: 1e5fa94c5be0d6f6d57c181c60622b80) file and move the batch file to the Startup Folder.
  • Run multiple malicious Python files such as moment.py, update.py, upload.py, time.py and kamp.py

The startuppppp.bat file is responsible for running malicious Python files such as 1.py, 2.py, 3.py, 4.py, 5.py and 6.py.

It’s worth noting that the decrypted payloads from the malicious Python files within the DXJS.zip archive are identical to those found in the FTSP.zip archive (Figure 3).

Figure 3: Decrypted payloads from DXJS.zip and FTSP.zip with the same hashes

Let’s take a closer look at one of the Python scripts, 2.py (MD5: a84994e9e9de4fd82f721dbf2c8d9c58). The shellcode is base64-encoded and then RC4-encrypted. The RC4 KSA (Key Scheduling Algorithm) and PRGA (Pseudo-Random Generation Algorithm) routines are shown in Figure 4.

Figure 4: Contents of the 2.py Python script including the RC4 decryption algorithm

After decrypting the shellcode, the Python script executes it directly in memory. It first allocates a buffer with ctypes.create_string_buffer() to hold the decrypted shellcode, then calls VirtualProtect through ctypes to change that region to PAGE_EXECUTE_READWRITE, turning an ordinary heap allocation into executable memory. From a detection standpoint this is a useful signal on its own: python.exe marking one of its own heap pages RWX has almost no legitimate reason to happen on a workstation.
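The following script is added here and is not part of the original write-up or the malware: it reimplements the RC4 KSA and PRGA from Figure 4 so the stage can be recovered offline, hashed and inspected instead of being run. The key and the encrypted blob are constructed for the example; the real ones are string literals inside 2.py that this page does not reproduce.

```python
# Added example (not code from the eSentire write-up or from 2.py):
# reversing the loader's base64 -> RC4 transforms without the
# ctypes/VirtualProtect step that would execute the result.
import base64
import hashlib


def rc4_ksa(key: bytes) -> list:
    """Key Scheduling Algorithm: permute 0..255 under the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_prga(s: list, length: int) -> bytes:
    """Pseudo-Random Generation Algorithm: emit `length` keystream bytes."""
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    keystream = rc4_prga(rc4_ksa(key), len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def decrypt_stage(b64_blob: str, key: bytes) -> dict:
    """Undo the loader's two transforms and return what an analyst wants
    to record: the plaintext, its size, its first bytes and its MD5 (to
    compare with the hash reported for the decrypted shellcode)."""
    plain = rc4(key, base64.b64decode(b64_blob))
    return {
        "md5": hashlib.md5(plain).hexdigest(),
        "size": len(plain),
        "head": plain[:16].hex(),
        "data": plain,
    }


def make_sample(key: bytes, payload: bytes) -> str:
    """Build a constructed blob shaped like the literal in the script."""
    return base64.b64encode(rc4(key, payload)).decode()


if __name__ == "__main__":
    key = b"example-key"                                  # assumption
    blob = make_sample(key, b"\x48\x83\xec\x28" + b"\x90" * 12)  # fake stub
    info = decrypt_stage(blob, key)
    print(info["md5"], info["size"], info["head"])
```

With the real key pasted in, decrypt_stage() gives the blob to hand to a Donut unpacker; the MD5 it prints should match the c741fbaeeb14a9a95d6fb201e9e0bd6e value reported below if the stage is the same one.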

While analyzing the decrypted shellcode (MD5: c741fbaeeb14a9a95d6fb201e9e0bd6e), we found that it appears to be a Donut loader. Donut encrypts the module it carries with the Chaskey block cipher, and that Chaskey implementation is what the shellcode contains.

The decrypted payload (the injector) within the shellcode decrypts yet another shellcode payload with AES. The steps it performs match the standard AES inverse cipher:

  • Key expansion: a set of round keys is derived from the main key and used throughout decryption.
  • The data is processed in 16-byte blocks, each of which passes through several inverse rounds.
  • Each byte of the block is substituted through a predefined table (the inverse S-box), reversing the encryption’s SubBytes step.
  • The positions of bytes within the block are rotated back to their original order (the inverse of ShiftRows).
  • The block is XORed with the current round key (AddRoundKey), combining the data bits with the key bits to undo the encryption.
  • A further function (Figure 5) applies rotations, table lookups and bitwise operations to each column; this is consistent with InvMixColumns, which multiplies each column by a fixed matrix over GF(2^8).
  • A final XOR with the first round key completes decryption of the block.

Recognising these pieces matters in practice: an analyst who spots the inverse S-box table, the 0x1b reduction constant and the 9/11/13/14 column multipliers can label the routine as AES rather than a bespoke cipher and move straight to recovering the key.

Figure 5: The function applying additional transformations (byte rotations, substitutions and bitwise operations) to each data block during AES decryption
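As an added illustration, not code from the write-up or from the malware, the following reproduces the AES inverse step that the function in Figure 5 most likely is, InvMixColumns, together with the GF(2^8) multiplication it is built on and a few constants a reverser can search for to confirm AES. Treating Figure 5 as InvMixColumns is an inference from the description, not something the write-up states; the test vectors are the public FIPS-197 MixColumns examples.

```python
# Added example (not from the eSentire write-up): the InvMixColumns step of
# AES decryption, which in compiled code appears as the rotations, table
# lookups and XORs described above.  Every column of the 16-byte state is
# multiplied by a fixed matrix over GF(2^8) with reduction constant 0x1b.

POLY = 0x11B  # AES field polynomial x^8 + x^4 + x^3 + x + 1


def gmul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) (peasant multiplication).
    The `xtime` idiom seen in disassembly is the b == 2 case of this loop."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= POLY & 0xFF          # reduce by 0x1b
        b >>= 1
    return p


def mix_column(col: bytes) -> bytes:
    """Forward MixColumns on one 4-byte column (coefficients 2, 3, 1, 1)."""
    a0, a1, a2, a3 = col
    return bytes([
        gmul(a0, 2) ^ gmul(a1, 3) ^ a2 ^ a3,
        a0 ^ gmul(a1, 2) ^ gmul(a2, 3) ^ a3,
        a0 ^ a1 ^ gmul(a2, 2) ^ gmul(a3, 3),
        gmul(a0, 3) ^ a1 ^ a2 ^ gmul(a3, 2),
    ])


def inv_mix_column(col: bytes) -> bytes:
    """InvMixColumns on one column (coefficients 14, 11, 13, 9); these four
    multipliers are the tell-tale constants in a decryption routine."""
    a0, a1, a2, a3 = col
    return bytes([
        gmul(a0, 14) ^ gmul(a1, 11) ^ gmul(a2, 13) ^ gmul(a3, 9),
        gmul(a0, 9) ^ gmul(a1, 14) ^ gmul(a2, 11) ^ gmul(a3, 13),
        gmul(a0, 13) ^ gmul(a1, 9) ^ gmul(a2, 14) ^ gmul(a3, 11),
        gmul(a0, 11) ^ gmul(a1, 13) ^ gmul(a2, 9) ^ gmul(a3, 14),
    ])


def inv_mix_columns(state: bytes) -> bytes:
    """Apply InvMixColumns to a full 16-byte AES state (four columns)."""
    assert len(state) == 16
    return b"".join(inv_mix_column(state[i:i + 4]) for i in range(0, 16, 4))


# Constants a reverser can grep a decrypted blob for to confirm AES rather
# than a home-grown cipher: heads of the S-box tables and the Rcon table.
AES_MARKERS = {
    "sbox_head": bytes.fromhex("637c777bf26b6fc5"),
    "inv_sbox_head": bytes.fromhex("52096ad53036a538"),
    "rcon": bytes.fromhex("01020408102040801b36"),
}


def looks_like_aes(blob: bytes) -> bool:
    """Crude triage: decryption needs the inverse S-box, key expansion needs
    Rcon (and the forward S-box); finding them together is a strong hint."""
    return AES_MARKERS["inv_sbox_head"] in blob and AES_MARKERS["rcon"] in blob


if __name__ == "__main__":
    col = bytes.fromhex("db135345")
    mixed = mix_column(col)
    print(mixed.hex(), inv_mix_column(mixed).hex())
```

The triage helper only finds table-driven implementations; a T-table or AES-NI build carries different constants, so a miss does not rule AES out.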

The injector payload uses direct syscalls (Figure 6) to call native API functions such as NtClose, NtResumeThread, NtAllocateVirtualMemory, NtQuerySystemInformation, NtProtectVirtualMemory, NtDelayExecution, and NtWriteVirtualMemory.

The technique exists to evade Endpoint Detection and Response (EDR) systems and other security monitoring tools: by loading the syscall number into EAX and executing the syscall instruction from its own code, the injector never passes through the ntdll.dll export that an EDR would have hooked. The caveat for defenders is that direct syscalls bypass only user-mode hooks. Kernel-side telemetry (kernel callbacks, ETW Threat Intelligence) still sees the allocation, the protection change and the write into notepad.exe, and a syscall whose return address lies outside ntdll.dll is itself an anomaly an EDR can check for.

The injector is also responsible for injecting the decrypted shellcode containing the encrypted final payload into the notepad.exe process via Early Bird APC Queue Code Injection, using native APIs such as NtQueueApcThread, NtProtectVirtualMemory, NtWriteVirtualMemory, and NtResumeThread. In this variant of APC injection the target process is created suspended, the shellcode is written into its address space and made executable, an APC pointing at it is queued on the primary thread with NtQueueApcThread, and the thread is resumed with NtResumeThread. Because the APC fires during thread initialization, before the process entry point and before most EDR user-mode hooks are in place in the new process, the payload runs ahead of the usual user-mode monitoring.

Figure 6: Snippet of the code using a direct syscall

The decrypted shellcode containing the encrypted final payload is similar to the initial decrypted shellcode (Donut Loader) we analyzed. The decryption of the final payload also relies on the implementation of the Chaskey cipher within Donut Loader.

We were able to extract the configuration for the final payloads – XWorm, VenomRAT and AsyncRAT. You can access them here, along with indicators of compromise.

In summary, this malware campaign involving XWorm, VenomRAT, PureLogs Stealer, and AsyncRAT was initiated via a phishing email. The threat actors deployed obfuscated batch and encrypted Python files from a WebDAV server to deliver multiple RATs mentioned above.

These scripts launched decoy PDFs, downloaded additional payloads, and changed file attributes to hide the dropped folders. A key element of the strategy was the combination of direct syscalls to bypass user-mode security monitoring, several layers of encrypted shellcode, and Early Bird APC queue injection into notepad.exe to execute the final payloads with as few observable indicators as possible.

What did we do?

  • Our team of 24/7 SOC Cyber Analysts isolated the affected host to contain the infection on the customer’s behalf.

What can you learn from this TRU Positive?

  • The XWorm, VenomRAT, PureLogs Stealer, and AsyncRAT malware were distributed using a WebDAV server proxied through TryCloudflare links, showcasing how threat actors exploit legitimate file management protocols and web services to host and distribute malicious content.
  • The infection chain began with a phishing email, highlighting the ongoing risk of phishing as an effective initial attack vector and the importance of robust email filtering and user education.
  • The threat actors deployed multiple scripts that performed actions like launching decoy documents, downloading further payloads, and modifying file attributes to evade detection, emphasizing the layered approach to malware deployment.
  • The use of direct syscalls to bypass Endpoint Detection and Response (EDR) systems illustrates the advanced methods employed to evade detection, stressing the need for security solutions that monitor at the kernel level (kernel callbacks, ETW Threat Intelligence) rather than relying solely on user-mode API hooks.
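A hunt for this delivery pattern in web-proxy logs, added here as an example that is not part of the original TRU write-up. It uses two facts from the case (a trycloudflare.com hostname serving files over WebDAV) and two Windows facts (the built-in WebDAV client sends the User-Agent Microsoft-WebDAV-MiniRedir/<build> and mounts a share with OPTIONS and PROPFIND requests); the log lines, client addresses, space-separated field layout and scoring weights are all constructed assumptions.

```python
# Added example (not from the eSentire write-up): scoring proxy-log clients
# that mount a TryCloudflare-proxied WebDAV share and pull scripts from it.
import re
from collections import defaultdict

# Constructed proxy log lines: "ts client method host path user-agent".
# The hostname and file names come from the case; everything else is made up.
LOG_LINES = """\
2024-07-09T13:02:11Z 10.1.4.22 OPTIONS stickers-ext-payment-print.trycloudflare.com / Microsoft-WebDAV-MiniRedir/10.0.19045
2024-07-09T13:02:11Z 10.1.4.22 PROPFIND stickers-ext-payment-print.trycloudflare.com /kbsfaw.pdf Microsoft-WebDAV-MiniRedir/10.0.19045
2024-07-09T13:02:12Z 10.1.4.22 GET stickers-ext-payment-print.trycloudflare.com /kbsfaw.pdf Microsoft-WebDAV-MiniRedir/10.0.19045
2024-07-09T13:02:13Z 10.1.4.22 GET stickers-ext-payment-print.trycloudflare.com /DXJS.zip Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1
2024-07-09T13:05:40Z 10.1.4.37 GET www.example.com /index.html Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-07-09T13:06:02Z 10.1.4.51 GET random-words-demo.trycloudflare.com /app Mozilla/5.0 (Windows NT 10.0; Win64; x64)
""".splitlines()

TUNNEL_HOST = re.compile(r"\.trycloudflare\.com$", re.I)
# OPTIONS is left out on purpose: browsers send it for CORS preflight too,
# so the MiniRedir User-Agent is what confirms a Windows WebDAV mount.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK", "MOVE", "COPY"}
PAYLOAD_EXT = re.compile(r"\.(lnk|url|bat|cmd|zip|py|vbs|js|hta|exe|dll)$", re.I)

# Weights are an assumption; tune them against your own baseline.
WEIGHTS = {
    "trycloudflare host": 1,                    # common in dev traffic on its own
    "webdav mount of tunnel host": 2,           # MiniRedir talking to a throwaway tunnel
    "script/archive fetched from tunnel host": 2,
    "powershell user-agent": 1,
}


def parse_line(line: str) -> dict:
    """Split one constructed log line; the User-Agent may contain spaces."""
    ts, client, method, host, path, ua = line.split(" ", 5)
    return {"ts": ts, "client": client, "method": method.upper(),
            "host": host.lower(), "path": path, "ua": ua}


def hunt(lines) -> dict:
    """Return {client: {"score", "reasons", "hosts"}} for every client that
    touched a trycloudflare.com host, scored by how closely its traffic
    matches the WebDAV-delivery chain."""
    findings = defaultdict(lambda: {"score": 0, "reasons": set(), "hosts": set()})
    for line in lines:
        ev = parse_line(line)
        if not TUNNEL_HOST.search(ev["host"]):
            continue
        f = findings[ev["client"]]
        f["hosts"].add(ev["host"])
        f["reasons"].add("trycloudflare host")
        if ev["method"] in WEBDAV_METHODS or ev["ua"].startswith("Microsoft-WebDAV-MiniRedir"):
            f["reasons"].add("webdav mount of tunnel host")
        if PAYLOAD_EXT.search(ev["path"]):
            f["reasons"].add("script/archive fetched from tunnel host")
        if "WindowsPowerShell" in ev["ua"]:
            f["reasons"].add("powershell user-agent")
    for f in findings.values():
        f["score"] = sum(WEIGHTS[r] for r in f["reasons"])
    return dict(findings)


if __name__ == "__main__":
    for client, f in sorted(hunt(LOG_LINES).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{client}: score={f['score']} reasons={sorted(f['reasons'])}")
```

A developer using a quick tunnel from a browser scores 1 and stays below any sensible alert threshold; a host that mounts the tunnel as a WebDAV share and then pulls an archive with PowerShell scores 6, which is the chain described in this case.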

Indicators of Compromise

You can access the indicators of compromise here.

Recommendations from the Threat Response Unit (TRU):

References

Source: Original Post