MAR-10365227-1.v1 – Impacket | CISA

Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:CLEAR–Disclosure is not limited. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts by the Cybersecurity and Infrastructure Security Agency (CISA) to provide detailed analysis of files associated with CovalentStealer malware, which is designed to identify and exfiltrate files to a remote server. CISA obtained CovalentStealer malware samples during an on-site incident response engagement at a Defense Industrial Base (DIB) Sector organization compromised by advanced persistent threat (APT) actors.

CISA analyzed 19 files associated with CovalentStealer malware. The files are designed to identify file shares on a system, categorize the files, and upload the files to a remote server. The files include two configurations that specifically target the victim’s documents using predetermined files paths and user credentials. The two remaining files were identified as open source utilities the threat actor utilized on the victim’s system. One file is a publicly available utility used to compress and archive other files. The second file is an open source utility used to extract the Master File Table (MFT) from a volume and can be used for file enumeration.

CISA is distributing this MAR to enable network defense and reduce exposure to APT sponsored malicious cyber activity.

For more information on the confirmed compromise, see Joint CSA: Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization.

Download the PDF version of this report:

For a downloadable copy of IOCs, see:

Submitted Files (19)

09605981a072c604e6ef9ad2dd7d2a78b48b07ee3339589bfcf0a466a9190904 (msexch.log)

0b01f392fa030be1ddd549fb79cf280d2a2c745578a56fedd4cb5e9438ae72cb (ntstatus.bat)

0b7d15968d44710b3e7f153c04b5038d03900a6685643bc8efe688c4d5a5deab (ntstatus_temp.log)

157a0ffd18e05bfd90a4ec108e5458cbde01015e3407b3964732c9d4ceb71656 (ntstatus.exe)

25afc6741abfa27f5b50844331772466182ebe3f74bc84f911314d1a68c62cb2 (mqsvn.ini)

30191b3badf3cdbc65d0ffeb68e0f26cef10a41037351b0f562ab52fce7432cc (msexch.exe)

3585c3136686d7d48e53c21be61bb2908d131cf81b826acf578b67bb9d8e9350 (mqsvn.exe)

517faa4a0666ec68842f256f08d987935b6ce9ef64e33f027e084e8f45b9366d (onedrv.dat)

52765525103f5b3b07d0882cc8ee4bb8e279ad5d451e1ed07cae3b98565cce29 (msexch.ini)

5ba0d0bfda372c1f6aa382a70f4ab8427ec998b680510e208fdf878cfda9afe3 (ntstatus.log)

603e75db59285734cfb5a469e984c4e359e660ccb7836ff9c209aec36931bc2b (mqsvn.log)

6a0cd866c849e62f9ccc26575d8794c2e0b14722387742b965d4358e1e0e8b3c (msexch_temp.log)

84164e1e8074c2565d3cd178babd93694ce54811641a77ffdc8d1084dd468afb (onedrv.exe)

91a8b31c126a021f5c156742016acdcca7d83eac4b583bae5d4fd0a85a96813b (onedrv.ini)

b03ac5eaf2131060ee381e5e46ebc705d8d617a90cc61fa4918174545b4fbaa6 (ntstatus.bin)

bfa7adeda4597b70bf74a9f2032df2f87e07f2dbb46e85cb7c091b83161d6b0a (vmware.exe)

da267c72f58ec487761de99d0f3bcfd87771a36afc06716053960633a74139df (ntstatus.ini)

e03a2c8a6e81cf62ba7401c598ea1d4635b08bbf9c2fec080b536dde29e6392f (msexch.bin)

fae38156e9ce12368c846836b87861f4f12e14698cb65f14545205fa56d8c496 (vmware.ps1)

Additional Files (2)

1352dbb093a337eb8db9d0135adbe0542bb7e7163616e4f8962919becab171da (result.exe)

d221ca9c519ae04c7724baca8d36c2ce77454e0f9aa0f119ecfa9246973a92f8 (Uploader.exe)

Findings

84164e1e8074c2565d3cd178babd93694ce54811641a77ffdc8d1084dd468afb

Tags

information-stealeruploader

Details

Antivirus

YARA Rules

• rule CISA_10365227_03 : ClientUploader

  {

     meta:

         Author = “CISA Code & Media Analysis”

         Incident = “10365227”

         Date = “2021-12-23”

         Last_Modified = “20211224_1200”

         Actor = “n/a”

         Category = “n/a”

         Family = “n/a”

         Description = “Detects ClientUploader_onedrv”

         MD5_1 = “806998079c80f53afae3b0366bac1479”

         SHA256_1 = “84164e1e8074c2565d3cd178babd93694ce54811641a77ffdc8d1084dd468afb”

     strings:

         $s1 = “Decoder2”

         $s2 = “ClientUploader”

         $s3 = “AppDomain”

         $s4 = { 5F 49 73 52 65 70 47 ?? 44 65 63 6F 64 65 72 73 }

         $s5 = “LzmaDecoder”

         $s6 = “$ee1b3f3b-b13c-432e-a461-e52d273896a7”

     condition:

         uint16(0) == 0x5a4d and all of them

  }

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Relationships

Description

This file has been identified as CovalentStealer malware. The actor utilized code from several open source projects, including ClientUploader. The retained the internal name “ClientUploader.exe”. The program is a file management system that is capable of uploading files to the Internet.

When the program is executed, it will spawn an instance of itself in memory called ‘koi’. This instance accesses several embedded resources that it uses to locate and manipulate files on the system. The following is a list of the primary embedded resources:

—Begin Embedded Resources—

BaseNetwork – This resource is used to create sessions and establish connections to the server.

FileContainer – This resource is used to access file shares via Server Message Block (SMB). It is also used to enumerate files and directories and sort them by Message Digest 5 (MD5) hash. It maintains Internet Protocol (IP) addresses, logins, domain names, passwords, and paths for shares on the network.

IFileWorker – This resource is a file management program that is capable of moving and categorizing files. It contains compression libraries for Gzip and Brotli, as well as a file blacklist.

Encryption – This resource handles file encryption, decryption and secure communications. It decrypts the configuration file, onedrv.ini (91a8b31c126a021f5c156742016acdcca7d83eac4b583bae5d4fd0a85a96813b) using the hard-coded Advanced Encryption Standard (AES) key ‘M(xcHq88q[s=pc7^+u_Gb_}JC%QQwP:h’ and an Initialization Vector (IV) using the first half of the AES key (See Figure 1).

OneDriveClient – This resource targets a user’s OneDrive account and creates an upload session to send the files to a remote server. It is able to access files in the victim’s OneDrive by unique ID (See Figure 2). Files are uploaded to a Microsoft Azure client identified in the configuration file onedrv.ini by client ID.

—End Embedded Resources—

The program runs a debugging routine and will output debugging data to a file with the same name as the malware and with the .dat extension, e.g. onedrv.dat (517faa4a0666ec68842f256f08d987935b6ce9ef64e33f027e084e8f45b9366d).

Screenshots

Figure 1 – This is the AES encryption routine. The routine uses the hard-coded string ‘M(xcHq88q[s=pc7^+u_Gb_}JC%QQwP:h’ as the AES key and the first half of the key as the IV.

Figure 2 – This is the configuration for the upload session. This module is able to access items in the user’s OneDrive by unique ID.

517faa4a0666ec68842f256f08d987935b6ce9ef64e33f027e084e8f45b9366d

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This file contains output from the debugging routine in onedrv.exe (84164e1e8074c2565d3cd178babd93694ce54811641a77ffdc8d1084dd468afb).

91a8b31c126a021f5c156742016acdcca7d83eac4b583bae5d4fd0a85a96813b

Tags

information-stealer

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This artifact is the encrypted configuration file for the OneDriveClient module contained in the file ondrv.exe (84164e1e8074c2565d3cd178babd93694ce54811641a77ffdc8d1084dd468afb). The data is decrypted using the hard-coded key ‘M(xcHq88q[s=pc7^+u_Gb_}JC%QQwP:h’.

The file contains paths to two archives targeted by the attacker. The file includes the IP address of the server, stolen credential information, and a key to encrypt the uploaded data. NOTE: The decrypted configuration contains confidential client information and therefore is not included in this report.

In addition, the data contains a refresh token for an OAuth client for Microsoft Azure with the Client ID of ‘7a3b4b84-ed28-4f18-b30d-218788c74a5f’. Speed and compression information as well as times that the OneDrive share can be accessed are also included in the configuration.

157a0ffd18e05bfd90a4ec108e5458cbde01015e3407b3964732c9d4ceb71656

Tags

information-stealerobfuscatedtrojanuploader

Details

Antivirus

YARA Rules

• rule CISA_10365227_01 : APPSTORAGE

  {

     meta:

         Author = “CISA Code & Media Analysis”

         Incident = “10365227”

         Date = “2021-12-23”

         Last_Modified = “20211224_1200”

         Actor = “n/a”

         Category = “n/a”

         Family = “APPSTORAGE”

         Description = “Detects AppStorage_ntstatus_msexch samples”

         MD5_1 = “c435d133b45783cce91a5d4e4fbe3f52”

         SHA256_1 = “157a0ffd18e05bfd90a4ec108e5458cbde01015e3407b3964732c9d4ceb71656”

         MD5_2 = “baa634fdd2b34956524b5519ee97b8a8”

         SHA256_2 = “30191b3badf3cdbc65d0ffeb68e0f26cef10a41037351b0f562ab52fce7432cc”

     strings:

         $s1 = “026B924DD52F8BE4A3FEE8575DC”

         $s2 = “GetHDDId”

         $s3 = “AppStorage”

         $s4 = “AppDomain”

         $s5 = “$1e3e5580-d264-4c30-89c9-8933c948582c”

         $s6 = “hrjio2mfsdlf235d” wide

     condition:

         uint16(0) == 0x5a4d and all of them

  }

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Relationships

Description

This artifact is an obfuscated .NET executable that is used to decode a variant of the CovalentStealer malware. When executed, the program will check the present name of the program and then look in the current directory for a file with the same name and a .bin extension, e.g. ntstatus.bin (b03ac5eaf2131060ee381e5e46ebc705d8d617a90cc61fa4918174545b4fbaa6).

The program seeks to generate a key called ‘HDDId’ to decode ntstatus.bin. The embedded string ‘hrjio2mfsdlf235d’ is used to decode instructions within the program to generate the key (See Figure 3). The first command identifies the machineName of the system. The second command reads the Windows Management Instrumentation (WMI) namespace root/cimv2 to locate the volumeserialnumber of the current drive. Both variables are then modified using an exclusive OR (XOR) routine and the same string above is used to generate the key (See Figure 4). The first part of the key is generated from the volumeserialnumber, and during analysis resolved to ‘76D55BD2’. The machineName resolved to ‘F3124EDD’ creating the key ‘76D55BD2F3124EDD’ (See Figure 5). Note: The key is an example.

To generate the correct key the machineName and volumeserialnumber must match the victim’s system, otherwise it fails to decode ntstatus.bin and the program will terminate. This method is used to thwart independent analysis of the file, ntstatus.bin.

Screenshots

Figure 3 – Screenshot of the XOR routine using the string ‘hrjio2mfsdlf235d’.

Figure 4 – The program collects the machineName and volumeserialnumber to generate the HDDId key.

Figure 5 – This is the generated HDDId key used to decode ntstatus.bin

b03ac5eaf2131060ee381e5e46ebc705d8d617a90cc61fa4918174545b4fbaa6

Tags

information-stealerobfuscateduploader

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This is an obfuscated version of CovalentStealer malware. The file is decoded by ntstatus.exe (157a0ffd18e05bfd90a4ec108e5458cbde01015e3407b3964732c9d4ceb71656) using the key ’76D55BD2F3124EDD’. The decoded file is called result.exe (1352dbb093a337eb8db9d0135adbe0542bb7e7163616e4f8962919becab171da) and is detailed in this report.

1352dbb093a337eb8db9d0135adbe0542bb7e7163616e4f8962919becab171da

Tags

information-stealeruploader

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

PE Metadata

PE Sections

Relationships

Description

This artifact has been identified as CovalentStealer malware. When the program is executed it will decrypt and read the configuration file ntstatus.ini (da267c72f58ec487761de99d0f3bcfd87771a36afc06716053960633a74139df) in the current directory. It uses the hard-coded AES-256-CBC key ‘M(xcHq88q[s=pc7^+u_Gb_}JC%QQwP:h’ to decrypt the file. The configuration file will include a path to the directory containing the targeted files, compression parameters, and connection parameters for connecting to a system on the Internet to upload data.

The malware has several primary modules. The module IFileWorker contains the following functions:

—Begin IFileWorker Functions—

Brotli. – This function contains the Brotli compression library to compress and decompress files.

ContainersFilesWorker. – This function keeps track of uploaded files. It compares the files to a hash list for the file and path before uploading and also compares them to a whitelist and a blacklist by file extension. It also logs the status of each file in the upload process.

Extension. – This function checks the file extension to determine if the file needs to be compressed.

File Archive. – This function verifies the size of the file and disposition before compressing the file.

FileBlock. – This function converts the file data into a byte stream.

FileContainers. – This function segregates files by file type based on the extension.

GZip. – This function contains the Gzip compression library to compress and decompress files.

Logger. – This function logs debug status messages and telemetry data from other functions and outputs them to a file using the base name and the .dat extension, e.g. ntstatus.dat (See Figure 6).

WhiteAndBlackList. – This function maintains a list of files by name and a list of files by extension that match the whitelist or blacklist from the configuration file.

—End IFileWorker Functions—

Note: The actor utilized this code from the open source project IFileWorker.

The module OneDriveClient contains the following functions:

—Begin OneDriveClient Functions—

OneDrive. – This function uploads files to a Uniform Resource Locator (URL). It configures speed, buffer size, time, etc. based on the parameters in the configuration file, ntstatus.ini. Then, it reports the status of each file to the IFileWorker.Logger function. The following are examples of the OneDrive commands:

    —Begin OneDrive Commands—

    OneDriveClient.OneDriveChannel+<Send>

    OneDriveClient.OneDrive+<GetAccessToken>

    OneDriveClient.OneDrive+<UploadData>

    OneDriveClient.OneDrive+<UploadFile>

    OneDriveClient.OneDrive+<UploadLargeFile>

    OneDriveClient.OneDrive+<GetUploadUrl>

    OneDriveClient.OneDrive+<UploadPartWithStopwatch>

    OneDriveClient.OneDrive+<UploadPart>

    OneDriveClient.OneDrive+<UploadSmallFileWithStopWatch>

    OneDriveClient.OneDrive+<UploadSmallFile>

    —End OneDriveClient Functions—

OneDriveChannel. – This function establishes the connection to the server.

OneDriveChannelSettings. – This function reads the ClientID, Redirect, Refresh Token, and Scopes from the configuration file, ntstatus.ini to negotiate the connection to the client.

UploadedFiles. – This function logs the hash and the file path of the uploaded files and records the information into two files where ntstatus.log contains a list of file hashes and ntstatus_temp.log contains a list of file path hashes (See Figure 7).

—End OneDriveClient Functions—

The program also contains supporting libraries for the SMB protocol versions 2 and 3. The libraries have the capacity to maintain a list of IP addresses, logins, domainNames, passwords, and SMB clients that can be used to attempt to search for and log into SMB file stores. Files can be searched by file path, file status (e.g., open or closed), and file attributes (e.g. shared, read only, etc.).

Screenshots

Figure 6 – The IFileWorker.Logger function is used to generate the log file for debug and telemetry data.

Figure 7 – The OneDriveClient.UploadedFiles function records MD5 hashes of uploaded files into the file ntstatus.log and MD5 hashes of the file paths into the file ntstatus_temp.log.

da267c72f58ec487761de99d0f3bcfd87771a36afc06716053960633a74139df

Tags

information-stealeruploader

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This artifact is the encrypted configuration file for the OneDriveClient module contained in the file result.exe (1352dbb093a337eb8db9d0135adbe0542bb7e7163616e4f8962919becab171da) detailed in this report. The data is decrypted using the hard-coded AES-256-CBC key ‘M(xcHq88q[s=pc7^+u_Gb_}JC%QQwP:h’. The algorithm uses an IV that is derived from the first half of the encryption key (See Figure 8).

The file contains multiple paths to archives targeted by the attacker. The file includes the IP address of the server, stolen credential information, and a key to encrypt the uploaded data. NOTE: The decrypted configuration contains confidential client information and therefore is not included in this report.

In addition, the data contains a refresh token for an OAuth client for Microsoft Azure with the Client ID of ‘7a3b4b84-ed28-4f18-b30d-218788c74a5f’. Speed and compression information as well as times that the OneDrive share can be accessed are also included in the configuration.

Screenshots

Figure 8 – This is the AES encryption routine. The routine uses the hard-coded string ‘M(xcHq88q[s=pc7^+u_Gb_}JC%QQwP:h’ as the AES key and the first half of the key as the IV.

0b01f392fa030be1ddd549fb79cf280d2a2c745578a56fedd4cb5e9438ae72cb

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This artifact is a batch file (.bat) that terminates the current process of ntstatus.exe (157a0ffd18e05bfd90a4ec108e5458cbde01015e3407b3964732c9d4ceb71656). It then changes to the directory C:windowsmodemlogs and invokes a new instance of ntstatus.exe.

5ba0d0bfda372c1f6aa382a70f4ab8427ec998b680510e208fdf878cfda9afe3

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This artifact is a log file created by the OneDriveClient.UploadedFiles function contained in the file result.exe (1352dbb093a337eb8db9d0135adbe0542bb7e7163616e4f8962919becab171da). The file contains the MD5 hash of each file that has been uploaded to the remote server.

0b7d15968d44710b3e7f153c04b5038d03900a6685643bc8efe688c4d5a5deab

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This artifact is a log file created by the OneDriveClient.UploadedFiles function contained in the file result.exe (1352dbb093a337eb8db9d0135adbe0542bb7e7163616e4f8962919becab171da). The file contains the MD5 hash of the file path for each file that has been uploaded to the remote server.

3585c3136686d7d48e53c21be61bb2908d131cf81b826acf578b67bb9d8e9350

Tags

downloaderinformation-stealertrojanuploader

Details

Antivirus

YARA Rules

• rule CISA_10365227_02 : ClientUploader

  {

     meta:

         Author = “CISA Code & Media Analysis”

         Incident = “10365227”

         Date = “2021-12-23”

         Last_Modified = “20211224_1200”

         Actor = “n/a”

         Category = “n/a”

         Family = “n/a”

         Description = “Detects ClientUploader_mqsvn”

         MD5_1 = “63cf36ac25788e13b41b1eb6bfc0c6b6”

         SHA256_1 = “3585c3136686d7d48e53c21be61bb2908d131cf81b826acf578b67bb9d8e9350”

     strings:

         $s1 = “UploadSmallFileWithStopWatch”

         $s2 = “UploadPartWithStopwatch”

         $s3 = “AppVClient”

         $s4 = “ClientUploader”

         $s5 = { 46 69 6C 65 43 6F 6E 74 61 69 6E 65 72 2E 46 69 6C 65 41 72 63 68 69 76 65 }

         $s6 = { 4F 6E 65 44 72 69 76 65 43 6C 69 65 6E 74 2E 4F 6E 65 44 72 69 76 65 }

     condition:

         uint16(0) == 0x5a4d and all of them

  }

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Relationships

Description

This artifact is a variant of CovalentStealer malware. The program is a file management system that is capable of uploading files to the Internet.

This variant of CovalentStealer malware contains two main modules, FileContainer and OneDriveClient, with the following functions:

—Begin Functions—

ClientUploader.Program<Main>

FileContainer.FileArchive<Add>

FileContainer.FileStorage<GetData>

OneDriveClient.OneDriveChannel<Send>

OneDriveClient.OneDrive<GetAccessToken>

OneDriveClient.OneDrive<UploadData>

OneDriveClient.OneDrive<UploadFile>

OneDriveClient.OneDrive<UploadLargeFile>

OneDriveClient.OneDrive<GetUploadUrl>

OneDriveClient.OneDrive<UploadPartWithStopwatch>

OneDriveClient.OneDrive<UploadPart>

OneDriveClient.OneDrive<UploadSmallFileWithStopWatch>

OneDriveClient.OneDrive<UploadSmallFile>

—End Functions—

The FileContainer module is used to enumerate and categorize files on the system. This module is capable of generating an MD5 hash of each file and compressing files using the Gzip or Brotli algorithms. The OneDriveClient module is used to upload files to a Microsoft Azure server on the Internet.

The program will look for a configuration file with the same name as the application and the .ini extension, e.g. mqsvn.ini (25afc6741abfa27f5b50844331772466182ebe3f74bc84f911314d1a68c62cb2). Alternatively, if this file is not found it will look for the file ‘config.ini’ (See Figure 9).

The configuration file is decoded using the AES-256-CBC key M(xcHq88q[s=pc7^+u_Gb_}JC%QQwP:h that is derived from the de-serialized string TSh4Y0hxODhxW3M9cGM3Xit1X0diX31KQyVRUXdQOmg= embedded in the file. The first 16 bytes of the key are then used as an IV (See Figure 8 above).

Other strings were de-serialized to provide additional parameters for the malware program. For example, the string LmJtcDsuanBnOy5qcGVnOy50aWZmOy50AWV7LnBuZw== decoded to a block list of files that the program is supposed to skip containing the extensions ‘.bmp;.jpg;.jpeg;.tiff;.tif;.png’ and the string LmRvY3g7Lnhsc3g7LnBwdHg= decoded to a list of file extensions that the program is supposed to compress before encrypting and exfiltrating. The extensions included ‘.docx;.xlsx;.pptx’ (See Figure 10).

The configuration file contains a refresh token for an OAuth client for Microsoft Azure as well as a ClientID. In addition, it contains a path to the files targeted for uploading, upload times, an encryption key to encrypt the files before uploading, and compression parameters.

Screenshots

Figure 9 – The ClientUploader program attempts to load a configuration file with an .ini extension from the current directory. The base64 encoded string ‘Lmlua@==’ represents the .ini extension.

FIgure 10 – The ClientUploader program uses the JavaScriptSerializer routine to decode the parameters required to harvest and upload the documents.

25afc6741abfa27f5b50844331772466182ebe3f74bc84f911314d1a68c62cb2

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This artifact is the encrypted configuration file for the OneDriveClient module contained in the file mqsvn.exe (3585c3136686d7d48e53c21be61bb2908d131cf81b826acf578b67bb9d8e9350). The data is decrypted using the de-serialized key M(xcHq88q[s=pc7^+u_Gb_}JC%QQwP:h found in mqsvn.exe, detailed in this report.

The file contains a path to an archive targeted by the attacker. The file includes the AES-256-CBC key 1khvo39Q2evpi**&R$*^Rjhko8tve2b7 that is used to encrypt the harvested documents before they are uploaded to the Internet.

In addition, the data contains a refresh token for an OAuth client for Microsoft Azure with the Client ID of ‘7a3b4b84-ed28-4f18-b30d-218788c74a5f’. Speed and compression information as well as times that the OneDrive share can be accessed are also included in the configuration. NOTE: The decrypted configuration contains confidential client information and is therefore not included in this report.

603e75db59285734cfb5a469e984c4e359e660ccb7836ff9c209aec36931bc2b

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This artifact contains encrypted MD5 hashes of files that have been uploaded to the Internet by the file mqsvn.exe (3585c3136686d7d48e53c21be61bb2908d131cf81b826acf578b67bb9d8e9350).

30191b3badf3cdbc65d0ffeb68e0f26cef10a41037351b0f562ab52fce7432cc

Tags

information-stealerobfuscateduploader

Details

Antivirus

YARA Rules

• rule CISA_10365227_01 : APPSTORAGE

  {

     meta:

         Author = “CISA Code & Media Analysis”

         Incident = “10365227”

         Date = “2021-12-23”

         Last_Modified = “20211224_1200”

         Actor = “n/a”

         Category = “n/a”

         Family = “APPSTORAGE”

         Description = “Detects AppStorage_ntstatus_msexch samples”

         MD5_1 = “c435d133b45783cce91a5d4e4fbe3f52”

         SHA256_1 = “157a0ffd18e05bfd90a4ec108e5458cbde01015e3407b3964732c9d4ceb71656”

         MD5_2 = “baa634fdd2b34956524b5519ee97b8a8”

         SHA256_2 = “30191b3badf3cdbc65d0ffeb68e0f26cef10a41037351b0f562ab52fce7432cc”

     strings:

         $s1 = “026B924DD52F8BE4A3FEE8575DC”

         $s2 = “GetHDDId”

         $s3 = “AppStorage”

         $s4 = “AppDomain”

         $s5 = “$1e3e5580-d264-4c30-89c9-8933c948582c”

         $s6 = “hrjio2mfsdlf235d” wide

     condition:

         uint16(0) == 0x5a4d and all of them

  }

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Relationships

Description

This artifact is an obfuscated .NET executable that is used to decode a variant of the CovalentStealer malware. When executed, the program will check the present name of the program and then look in the current directory for a file with the same name and a .bin extension, e.g. msexch.bin (e03a2c8a6e81cf62ba7401c598ea1d4635b08bbf9c2fec080b536dde29e6392f).

The program seeks to generate a key called ‘HDDId’ to decode msexch.bin. The embedded string ‘hrjio2mfsdlf235d’ is used to decode instructions within the program to generate the key (See Figure 3 above). This function is similar to the function described in ntstatus.exe detailed elsewhere in this report, however it will take one additional variable to generate the key. The first command identifies the current userName on the system while the second command identifies the machineName. The third command reads the WMI namespace root/cimv2 to locate the volumeserialnumber of the current drive. All of the variables are then modified using an XOR routine and the same string above is used to generate the key (See Figure 11). The first part of the key is generated from the volume serial number which, during analysis resolved to ‘76D55BD2’. The second part of the key is resolved from the userName, which during analysis resolved to ‘34BD153B’. The last part of the key is resolved from the machineName, which resolved to ‘F3124EDD’ creating the key ‘76D55BD234BD153BF3124EDD’ (See Figure 12). Note: The key is an example.

To generate the correct key, the userName, machineName, and volumeserialnumber must match the victim’s system, otherwise it fails to decode msexch.bin and the program will terminate. This method is used to thwart independent analysis of the file, msexch.bin.

Screenshots

Figure 11 – The program collects the userName, machineName, and Volume Serial Number to generate the HDDId key.

Figure 12 – Screenshot of the generated HDDId key used to decode msexch.bin.

e03a2c8a6e81cf62ba7401c598ea1d4635b08bbf9c2fec080b536dde29e6392f

Tags

information-stealerobfuscateduploader

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This is an obfuscated version of CovalentStealer malware. The file is decoded by msexch.exe using the key ’76D55BD234BD153BF3124EDD’. The decoded file is called Uploader.exe (d221ca9c519ae04c7724baca8d36c2ce77454e0f9aa0f119ecfa9246973a92f8) and is detailed in this report.

d221ca9c519ae04c7724baca8d36c2ce77454e0f9aa0f119ecfa9246973a92f8

Tags

information-stealeruploader

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

PE Metadata

PE Sections

Relationships

Description

This artifact is a variant of the CovalentStealer program. When the program is executed it will decrypt and read the configuration file msexch.ini (52765525103f5b3b07d0882cc8ee4bb8e279ad5d451e1ed07cae3b98565cce29) in the current directory. It uses the hard-coded AES-256-CBC key ‘M(xcHq88q[s=pc7^+u_Gb_}JC%QQwP:h’ to decrypt the file. The configuration file will include a path to the directory containing the targeted files, compression parameters, and connection parameters for connecting to a system on the Internet to upload data.

ClientUploader has several primary modules. The module IFileWorker contains the following functions:

—Begin IFileWorker Functions—

Brotli. – This function contains the Brotli compression library to compress and decompress files.

ContainersFilesWorker. – This function keeps track of uploaded files. It compares the files to a hash list for the file and path before uploading and also compares them to a whitelist and a blacklist by file extension. It also logs the status of each file in the upload process.

Extension. – This function checks the file extension to determine if the file needs to be compressed.

File Archive. – This function verifies the size of the file and disposition before compressing the file.

FileBlock. – This function converts the file data into a byte stream.

FileContainers. – This function segregates files by file type based on the extension.

GZip. – This function contains the Gzip compression library to compress and decompress files.

Logger. – This function logs debug status messages and telemetry data from other functions and outputs them to a file using the base name and the .dat extension, e.g. msexch.dat (See Figure 4 above).

WhiteAndBlackList. – This function maintains a list of files by name and a list of files by extension that match the whitelist or blacklist from the configuration file.

—End IFileWorker Functions—

The module OneDriveClient contains the following functions:

—Begin OneDriveClient Functions—

OneDrive. – This function uploads files to a URL. It configures speed, buffer size, time, etc. based on the parameters in the configuration file, msexch.ini. Then, it reports the status of each file to the IFileWorker.Logger function. The following are examples of the OneDrive commands:

    —Begin OneDrive Commands—

    OneDriveClient.OneDriveChannel+<Send>

    OneDriveClient.OneDrive+<GetAccessToken>

    OneDriveClient.OneDrive+<UploadData>

    OneDriveClient.OneDrive+<UploadFile>

    OneDriveClient.OneDrive+<UploadLargeFile>

    OneDriveClient.OneDrive+<GetUploadUrl>

    OneDriveClient.OneDrive+<UploadPartWithStopwatch>

    OneDriveClient.OneDrive+<UploadPart>

    OneDriveClient.OneDrive+<UploadSmallFileWithStopWatch>

    OneDriveClient.OneDrive+<UploadSmallFile>

    —End OneDriveClient Functions—

OneDriveChannel. – This function establishes the connection to server.

OneDriveChannelSettings. – This function reads the ClientID, Redirect, Refresh Token, and Scopes from the configuration file, msexch.ini to negotiate the connection to the client.

UploadedFiles. – This function logs the hash and the file path of the uploaded files and records the information into two files where msexch.log contains a list of file hashes and msexch_temp.log contains a list of file path hashes (See Figure 7 above).

—End OneDriveClient Functions—

The program also contains supporting libraries for the SMB protocol versions 2 and 3. The libraries have the capacity to maintain a list of IP addresses, logins, domainNames, passwords, and SMB clients that can be used to attempt to search for and log into SMB file stores. Files can be searched by file path, file status (e.g., open or closed), and file attributes (e.g. shared, read only, etc.).

52765525103f5b3b07d0882cc8ee4bb8e279ad5d451e1ed07cae3b98565cce29

Tags

information-stealeruploader

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This artifact is the encrypted configuration file for the OneDriveClient module contained in the file Uploader.exe (d221ca9c519ae04c7724baca8d36c2ce77454e0f9aa0f119ecfa9246973a92f8) detailed in this report. The data is decrypted using the hard-coded AES-256-CBC key ‘M(xcHq88q[s=pc7^+u_Gb_}JC%QQwP:h’. The algorithm uses an IV that is derived from the first half of the encryption key (See Figure 8 above).

The file contains multiple paths to archives targeted by the attacker. The file includes the IP address of the server, stolen credential information, and a key to encrypt the uploaded data. NOTE: The decrypted configuration contains confidential client information and therefore is not included in this report.

In addition, the data contains a refresh token for an OAuth client for Microsoft Azure with the Client ID of ‘7a3b4b84-ed28-4f18-b30d-218788c74a5f’. Speed and compression information as well as times that the OneDrive share can be accessed are also included in the configuration.

09605981a072c604e6ef9ad2dd7d2a78b48b07ee3339589bfcf0a466a9190904

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This artifact is a log file created by the OneDriveClient.UploadedFiles function contained in the file Uploader.exe (d221ca9c519ae04c7724baca8d36c2ce77454e0f9aa0f119ecfa9246973a92f8). The file contains the MD5 hash of each file that has been uploaded to the remote server.

6a0cd866c849e62f9ccc26575d8794c2e0b14722387742b965d4358e1e0e8b3c

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This artifact is a log file created by the OneDriveClient.UploadedFiles function contained in the file Uploader.exe (d221ca9c519ae04c7724baca8d36c2ce77454e0f9aa0f119ecfa9246973a92f8). The file contains the MD5 hash of the path for each file that has been uploaded to the remote server.

fae38156e9ce12368c846836b87861f4f12e14698cb65f14545205fa56d8c496

Tags

information-stealer

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This artifact is a script called Export-MFT.ps1 written in PowerShell used to collect the MFT from a system volume. The benign open source script is available on GitHub.

bfa7adeda4597b70bf74a9f2032df2f87e07f2dbb46e85cb7c091b83161d6b0a

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Description

This artifact is a benign publicly available version of the Roshal archiver (RAR), version 5.20.0. RAR.exe is used to compress and archive other files.

Relationship Summary

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

• Maintain up-to-date antivirus signatures and engines.
• Keep operating system patches up-to-date.
• Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
• Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
• Enforce a strong password policy and implement regular password changes.
• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
• Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
• Disable unnecessary services on agency workstations and servers.
• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
• Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
• Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
• Scan all software downloaded from the Internet prior to executing.
• Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Central.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.

Source: https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-277a