Ducktail and Peeling the Layers of PowerShell

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

In early December 2023, the eSentire Threat Response Unit (TRU) detected an attempted, and ultimately unsuccessful, Ducktail malware infection, targeting an employee in digital marketing at a customer within the business services industry. The Ducktail distributors contacted the employee via LinkedIn with a private message containing an attachment leading to a ZIP archive.

The ZIP archive contains bloated shortcuts that are over 800MB in size. The shortcuts contain the batch scripts that execute PowerShell commands.

An example of one of the shortcut files is shown in Figure 2.

Upon decoding the script, we get base64-encoded strings that decodes to the script shown in Figure 3.

The script downloads the file from hxxps://gdfsgfdrgetgergdsf[.]tech/file/ps/5f8f8c05db68cca200c6379b825648b5.jpg (MD5: 5f8f8c05db68cca200c6379b825648b5).

The downloaded file is another PowerShell script (Figure 4) that downloads the decoy PDF file from hxxp://gdfsgfdrgetgergdsf[.]tech/file/docs/ (Figure 5).

Next, the script (Figure 6) does the following:

• Creates the mutex – $mtx_child and $mtx are mutex objects used for synchronization, preventing multiple script instances from running simultaneously. It then attempts to acquire locks on both mutexes and if both locks are acquired, it indicates that no other instance is running this script.
• Checks the system’s UAC settings from the registry.
  • If UAC is disabled, it tries to download hxxps://gdfsgfdrgetgergdsf[.]tech/file/ps/d4e1a9191216420ce7989cf6c3e203cd.jpg
    file and executes it with administrative privileges.
  • If UAC is enabled, it attempts a UAC bypass technique using fodhelper.exe (a known method for bypassing UAC on Windows) and downloads the payload hxxps://gdfsgfdrgetgergdsf[.]tech/file/dll/5be7408b84fbd40c8e7930f4c28a585a.jpg
    then overwrites the legitimate propsys.dll file at C:WindowsSystem32 with it.
• If the script still holds the mutex lock after a countdown, it releases the mutex and tries to retrieve hxxps://gdfsgfdrgetgergdsf.tech/file/ps/d4e1a9191216420ce7989cf6c3e203cd.jpg
  file with administrative privileges.

As you can see in Figure 6, some of the commands are assigned to variables that are base64-encoded.

The payload retrieved contains another PowerShell script (Figure 7) that does the following:

• The script queries the Windows Management Instrumentation (WMI) to check if Windows Defender or any other antivirus product is active.
• If Windows Defender is running, the script adds an exclusion path to it using Add-MpPreference -ExclusionPath. This means Windows Defender will ignore files in C:WindowsTemp, potentially allowing malicious files to be stored there without detection.
• The script exits if no antivirus product is found to be running.
• It then attempts to download a file multiple times in case of failure, waiting for a specified delay between retries.
• The script then downloads a file (mainbot.exe) from a C2 and saves it as svczHost.exe in the C:WindowsTemp directory.
• The script creates a new scheduled task (zServicequyet) to execute the downloaded file (svczHost.exe or mainbot.exe) with the argument “quyet”. The task is configured to run with the highest privileges (SYSTEM user) and is set to trigger at logon.

The retrieved file 5be7408b84fbd40c8e7930f4c28a585a.jpg (MD5: 5be7408b84fbd40c8e7930f4c28a585a ) contains the obfuscated PowerShell command to retrieve the d4e1a9191216420ce7989cf6c3e203cd.jpg file as shown in Figure 8. The command is being decrypted via the hardcoded XOR key, but the threat actors made sure to make it hard to find it via numerous bitwise operations and conditional jump instructions (Figure 8).

The payload mainbot.exe retrieved from C2 is responsible for establishing the connection with the C2 server and taking remote commands. Upon successful bot registration, the infected host obtains myRdpService.exe (MD5: 1ade74bbf88c1a41a352682a8f2265f9) from C2 and RDP Wrapper configuration (hxxp://138.201.8[.]186:8000/file/rdpwrap.txt).

The commands upon checking in from mainbot.exe:

begin connect
begin sending DEVICEINFO|quyet!D5A7F263FE404D449438C649AA1E54EE|79b707124b0b4a92b2949acb220b1235|Admin|1.7.2

Further commands from the bot:

STATUS|23/12/2023 10:26:56|Set permission of C:UsersDefaultAppData
STATUS|23/12/2023 10:27:12|add exclude result 
STATUS|23/12/2023 10:26:56|Success
STATUS|23/12/2023 10:26:56|Set permission of C:UsersDefault UserAppData
STATUS|23/12/2023 10:26:56|Success
STATUS|23/12/2023 10:26:56|Set permission of C:UsersusernameAppData
STATUS|23/12/2023 10:26:56|role admin name Administrators
STATUS|23/12/2023 10:26:56|Set permission of C:WindowsTemp
STATUS|23/12/2023 10:26:56|RDP|False
STATUS|23/12/2023 10:26:56|Success
STATUS|23/12/2023 10:26:56|Set permission of C:UsersDefaultAppData
STATUS|23/12/2023 10:26:56|role admin name Administrators
STATUS|23/12/2023 10:26:56|Success
STATUS|23/12/2023 10:27:29|status term service 
STATUS|23/12/2023 10:27:05|Success
STATUS|23/12/2023 10:27:08|create user result
STATUS|23/12/2023 10:27:12|term service install state True
STATUS|23/12/2023 10:27:20|delete old rdpwrap ok
STATUS|23/12/2023 10:27:20|delete file rdpwrap.ini ok
STATUS|23/12/2023 10:27:22|try download from hxxp://138.201.8[.]186:8000/file/rdpwrap.txt OK
STATUS|23/12/2023 10:27:22|start TermService againt
STATUS|23/12/2023 10:27:20|try download from hxxp://138.201.8[.]186:8000/file/rdpwrap.txt
STATUS|23/12/2023 10:27:20|delete old rdpwrap ok
STATUS|23/12/2023 10:27:20|delete file rdpwrap.ini ok
STATUS|23/12/2023 10:27:20|try download from hxxp://138.201.8[.]186:8000/file/rdpwrap.txt
STATUS|23/12/2023 10:27:22|try download from hxxp://138.201.8[.]186:8000/file/rdpwrap.txt OK
STATUS|23/12/2023 10:27:22|start TermService againt
STATUS|23/12/2023 10:27:29|status term service
STATUS|23/12/2023 10:27:34|check file hash 1ade74bbf88c1a41a352682a8f2265f9 of file <a href="http://138.201.8">http://138.201.8</a>[.]186:8001/file/t/RdpService[.]exe
STATUS|23/12/2023 10:27:34|download my rdp service new success, setup
STATUS|23/12/2023 10:27:37|result install myRdpService 
STATUS|23/12/2023 10:27:44|hide user
STATUS|23/12/2023 10:27:44|hide user success

As you can observe from the hints above, mainbot.exe checks the hash of the retrieved RdpService[.]exe file, attempts to create the user “User1” on infected machine, performs the exclusion of “C:Program Files” folder for Windows Defender and changes the access control list for specific folders. Periodically it also sends “TESTDATA”.

myRdpService.exe establishes the remote connection with hxxp://23.88.71[.]29:8000 sending the following command containing Device ID and the presumably threat actor’s name that is used as an argument to run mainbot.exe and myRdpService.exe payloads (DEVICEID_quyet_5C0B1DC44D4E637D1A6B43502D6F6167_1.6.5).

Two files are dropped in the working directory after successful exection of myRdpService.exe: deviceId.txt (contains device ID) and log_rdp_<ddmmyyyy_yy>.txt (contains log messages) (Figure 9).

The service “myRdpService” is created to start myRdpService.exe with an argument “quyet” under the working directory.

Two core payloads, named ‘mainbot.exe’ and ‘myRdpService.exe,’ are .NET payloads compiled using native Ahead-Of-Time (AOT) compilation to make the analysis process more complicated.

The rest of the shortcuts perform similar actions described above but the hashes for files for some shortcuts are different.

What did we do?

Our team of 24/7 SOC Cyber Analysts isolated the affected host, contained the threat, and notified the customer of suspicious activities.

What can you learn from this TRU Positive?

• The use of LinkedIn messages to deliver malware via a ZIP archive underscores the creativity of attackers in exploiting professional networks and platforms for distributing malware. This approach highlights the need for caution when interacting with unsolicited messages and attachments, even on reputable platforms.
• The creation of scheduled tasks and services, along with techniques to bypass User Account Control (UAC), indicates the attackers’ focus on avoiding detection and maintaining a persistent presence on the infected system. This highlights the need for robust security measures and continuous monitoring of system activities.
• The script’s ability to query the Windows Management Instrumentation for active antivirus products and to add exclusion paths to Windows Defender reveals the attackers’ intent to circumvent standard security defenses. This calls for enhanced security protocols and regular updates to antivirus software.
• The payload’s functionality is to establish a connection with a command-and-control server, execute remote commands, and potentially exfiltrate data points to the risk of sensitive information theft. This reinforces the necessity of network monitoring and the implementation of data loss prevention strategies.

Recommendations from our Threat Response Unit (TRU):

• Protect endpoints against malware by:
• Victims should review their Facebook Business users for unauthorized users.
• Raise awareness of malware masquerading as legitimate applications, and include in your Phishing and Security Awareness Training (PSAT) program. An effective PSAT program emphasizes building cyber resilience by increasing risk awareness, rather than trying to turn everyone into security experts.

Detection Rules

• You can access Yara rules for Ducktail here.
• You can access Sigma rules for Ducktail here.

Indicators Of Compromise

You can access the IOCs for Ducktail here.

References

Source: https://www.esentire.com/blog/ducktail-and-peeling-the-layers-of-powershell