PhantomControl returns with Ande Loader and SwaetRAT

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

In November 2023, eSentire’s Threat Response Unit observed an incident involving the PhantomControl threat actor(s). Based on the logs, we assess with high confidence that the initial infection vector was a phishing email.

The user was redirected from receipt-view.blogspot[.]com to a malicious website serving a ScreenConnect client. Tracing the download source, we found a compromised website hosting the malicious ScreenConnect client (MD5: 412e11d3ff7659c7d05194cc5e0e1f32), as shown in Figures 1-2.

Figure 1: Compromised website serving malicious ScreenConnect client (1)
Figure 2: Opendir: compromised website serving malicious ScreenConnect client (2)

Upon running the ScreenConnect client, the infected machine established a connection to legal-advocate.screenconnect[.]com, a ScreenConnect instance controlled by the threat actor(s).

The instance domain resolves to 147.75.81[.]214, an IP address previously observed in use by the PhantomControl threat actor(s).

Approximately 9 minutes after ScreenConnect was launched, the threat actor(s) dropped the file File_Vbs.vbs (MD5: 91570b30470e0375c62972a268fcaee7) under Documents\ConnectWiseControl\Temp.

Ande Loader Analysis

The VBS script contains garbage strings that conceal the malicious code. After cleaning up the script, we see a reference to the paste[.]ee domain, as shown in Figure 3.

The VBS script sends an HTTP GET request to that URL and checks whether the response status is 200. If it is, the script stores the response body in a variable named “response” and then executes its content using the Execute statement.

Figure 3: Reference to paste[.]ee domain

The VBS script retrieved from paste[.]ee also contained garbled data and reversed strings. After some cleanup, what remained was a reversed, base64-encoded and obfuscated PowerShell snippet (Figure 4).

Figure 4: Snippet of the script retrieved from paste[.]ee and the cleaned-up PowerShell script

Further deobfuscating the PowerShell script (Figure 5), we can break down what it does:

  1. The script sets the URL of an image, creates a WebClient object, and downloads the data from the URL as a byte array.
  2. The byte array of the image is converted into a UTF-8 encoded string.
  3. The script looks for specific start and end flags in the converted text, which mark the region holding base64-encoded content, and base64-decodes everything between them.
  4. The decoded bytes are loaded as a .NET assembly.
  5. The script retrieves a type named Fiber.Home from the loaded assembly. It then invokes a method named VAI on this type, passing several parameters to it.
Figure 5: Deobfuscated PowerShell script
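The two decoding steps described above (the reversed base64 stage pulled from paste[.]ee, and the flag-delimited base64 payload carved out of the image) can be reproduced offline without running the stager. The following is an added example written for this article; it is not code from the post, the stager or Ande Loader. The flag strings and the sample carrier built by build_sample_image() are constructed for the demo, since the real flags are not quoted in the write-up.

```python
# Added example (not code from the eSentire post, Ande Loader or the stager):
# reproduce the stager's payload-carving step offline so the embedded .NET
# binary can be pulled out of a downloaded image without running PowerShell.
# The flag strings and the carrier built by build_sample_image() are
# constructed for this demo; the real flags are not quoted in the write-up.
import base64

START_FLAG = "<<BASE64_START>>"  # hypothetical stand-in for the stager's real start flag
END_FLAG = "<<BASE64_END>>"      # hypothetical stand-in for the real end flag


def extract_between_flags(image_bytes: bytes, start: str = START_FLAG, end: str = END_FLAG) -> bytes:
    """Mimic steps 2-3 of the stager: treat the raw download as UTF-8 text
    (undecodable JPEG bytes are dropped, which does not affect the ASCII
    flags or the base64 body), locate the flagged region and base64-decode it."""
    text = image_bytes.decode("utf-8", errors="ignore")
    s = text.find(start)
    if s == -1:
        raise ValueError("start flag not found in carrier")
    s += len(start)
    e = text.find(end, s)
    if e == -1:
        raise ValueError("end flag not found in carrier")
    return base64.b64decode(text[s:e].strip(), validate=True)


def decode_reversed_b64(blob: str) -> bytes:
    """The paste[.]ee stages store base64 reversed: flip the string, then decode."""
    return base64.b64decode(blob[::-1].strip())


def looks_like_pe(payload: bytes) -> bool:
    """Cheap sanity check before handing a carved blob to a disassembler:
    MZ header plus a PE signature somewhere in the first 1 KiB."""
    return payload[:2] == b"MZ" and b"PE\x00\x00" in payload[:1024]


def build_sample_image(payload: bytes) -> bytes:
    """Construct a fake JPEG-like carrier (SOI marker, junk bytes, flagged
    base64 body, EOI marker) to exercise the extractor offline."""
    body = START_FLAG + base64.b64encode(payload).decode("ascii") + END_FLAG
    return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x80\x7f\x00" * 16 + body.encode("ascii") + b"\xff\xd9"


if __name__ == "__main__":
    fake_payload = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"demo .NET body"
    carved = extract_between_flags(build_sample_image(fake_payload))
    print("carved %d bytes, PE header present: %s" % (len(carved), looks_like_pe(carved)))
```

Against a real sample, replace the two flag constants with the strings recovered from the deobfuscated PowerShell and feed the downloaded image bytes to extract_between_flags(); the carved bytes should then pass looks_like_pe() before being opened in a .NET decompiler.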

Upon retrieving the base64-encoded data from the downloaded image (Figure 6), we obtain the .NET binary payload, which we dubbed Ande Loader (MD5: 92fc4d4a1f6cad69ab11484e74815b50) based on the method name it shares with loaders we analyzed previously (MD5: 48b6064beec687fc110145cf7a19640d). The YARA rule for Ande Loader can be accessed here.

We have previously observed Ande Loader used by the Blind Eagle threat actors, whose campaigns focus on delivering RATs to targets in Latin American countries.

Figure 6: Content of the retrieved image

In Ande Loader, we can see that 7 parameters are passed to the VAI method (Figure 7).

Figure 7: Parameters passed to “VAI” method

The first parameter contains a link to another paste[.]ee page, which holds a reversed base64-encoded blob (Figure 8).

Figure 8: Reversed base64-encoded blob

The decoded blob is the core payload, which we dubbed SwaetRAT after the group name/ID in its configuration (Figure 18). Ande Loader injects the core payload into RegAsm.exe via process hollowing (T1055.012) using the Fiber.Class1 class, as shown in Figure 9.

Figure 9: Injection of the core payload via process hollowing

The second parameter is null, meaning the AntiVM option is disabled. When enabled, the AntiVM check looks for running processes whose names contain “vmtoolsd” or “VBoxService” (Figure 10).

Figure 10: AntiVM feature

The third parameter is “2”, which makes the loader check (via a switch-case structure) for the presence of the initial VBS payload, named “VbsName”, under the C:\ProgramData folder on the infected machine.

If the file doesn’t exist, the loader establishes persistence via the Startup folder (T1547.001) using a shortcut file named “LnkName”, as shown in Figure 11.

Figure 11: Creating persistence via Startup

SwaetRAT Analysis

SwaetRAT (MD5: d6d29037517bb1d8202efbf39534df7a) is a 32-bit RAT written in .NET. Like other RATs, SwaetRAT has keylogging capabilities. The logged keystrokes are recorded and saved to the %TEMP%/Log.tmp file (Figure 12).

Figure 12: Keylogging feature

The RAT enters an infinite loop, pausing 2 seconds on each iteration, and looks for mentions of PayPal and Binance in the Log.tmp file. If a match is found, it appends “Banking Found: ” and sends the result to the C2 (Figure 13).

Figure 13: Looking for specific strings in the Log.tmp file

Within the Info method, the RAT collects system information (Figure 14).

It builds a single string by concatenating several pieces of data, separated by the delimiter defined in Settings.Splitter, which is “<Remote>”.

The information includes:

  • A fixed string “info”.
  • The unique ID of the system. We will talk about the ID generation algorithm later in the article.
  • The current user’s username (Environment.UserName).
  • Information about the operating system.
  • Whether the operating system is 32-bit or 64-bit, determined by Environment.Is64BitOperatingSystem.
  • Antivirus information obtained from a method call to Helper.Antivirus().
  • A group identifier or categorization from Settings.Group (“SWAET_NOVEMBER”).
  • The result of a User Account Control (UAC) status check from Helper.UAC(), indicating whether the current user has administrative privileges.

The UAC method checks whether the current user has administrative privileges. It creates a WindowsPrincipal object for the current user (WindowsIdentity.GetCurrent()) and checks whether that user is in the WindowsBuiltInRole.Administrator role.

If the user has administrative privileges, it returns true; otherwise, false.

Figure 14: Info method

An example of the traffic for the SwaetRAT is shown in Figure 15.

Figure 15: Traffic capture

The ID generation algorithm is as follows:

  • The Hash method collects various pieces of system information, including the number of processors, the current user’s name, the machine name, the operating system version, and the total size of the system’s primary drive.
  • The collected information is concatenated into a single string.
  • The concatenated string is passed to the GetHashT method, which uses the MD5 hashing algorithm to generate a hash value from this string.
  • The hash is converted into a hexadecimal string. This string is then truncated to the first 20 characters and converted to uppercase, forming the final ID.
Figure 16: ID generation algorithm
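Because the ID is derived purely from host facts, an analyst who holds both the C2 traffic and an asset inventory can work out which machine a session belongs to without touching the endpoint. The block below is an added example written for this article (analyst tooling, not SwaetRAT’s own code) that re-implements the derivation as described and matches a captured ID against an inventory. Field order follows the description above; that the fields are concatenated with no separator and that the MD5 hex string carries no byte separators are assumptions about the sample, and the inventory records are constructed.

```python
# Added example (analyst tooling, not SwaetRAT's own code): re-implement the
# host-ID derivation described above so that an ID observed in C2 traffic can be
# matched against candidate hosts from an inventory. The field order follows the
# description; that the fields are concatenated with no separator and that the
# MD5 hex string carries no byte separators are assumptions about the sample.
import hashlib
import os
import platform
import shutil


def swaet_id(processor_count: int, user_name: str, machine_name: str,
             os_version: str, primary_drive_size: int) -> str:
    """MD5 over the concatenated system facts, hex-encoded, first 20 chars, upper-cased."""
    raw = f"{processor_count}{user_name}{machine_name}{os_version}{primary_drive_size}"
    return hashlib.md5(raw.encode("utf-8")).hexdigest()[:20].upper()


def id_from_inventory(host: dict) -> str:
    """Derive the ID for one inventory record (keys mirror the fields the RAT reads)."""
    return swaet_id(host["cpus"], host["user"], host["hostname"], host["os_version"], host["drive_bytes"])


def match_captured_id(captured_id: str, inventory: list) -> list:
    """Return the inventory records whose derived ID equals the one seen on the wire.
    Case-insensitive on purpose: the RAT upper-cases, a pcap viewer might not."""
    wanted = captured_id.strip().upper()
    return [h for h in inventory if id_from_inventory(h) == wanted]


def local_host_id() -> str:
    """Compute the ID for the machine this runs on. Windows fields are approximated
    on other platforms (USER instead of USERNAME, '/' instead of the system drive,
    platform.version() instead of .NET's Environment.OSVersion string)."""
    drive = os.environ.get("SystemDrive", "C:") + "\\" if os.name == "nt" else "/"
    return swaet_id(os.cpu_count() or 1,
                    os.environ.get("USERNAME") or os.environ.get("USER", ""),
                    platform.node(),
                    platform.version(),
                    shutil.disk_usage(drive).total)


# Constructed inventory, not real hosts.
SAMPLE_INVENTORY = [
    {"hostname": "WKS-01", "user": "alice", "cpus": 8,
     "os_version": "Microsoft Windows NT 10.0.19045.0", "drive_bytes": 511_000_000_000},
    {"hostname": "WKS-02", "user": "bob", "cpus": 4,
     "os_version": "Microsoft Windows NT 10.0.22621.0", "drive_bytes": 255_000_000_000},
]

if __name__ == "__main__":
    seen = id_from_inventory(SAMPLE_INVENTORY[0])
    print("captured ID", seen, "matches", [h["hostname"] for h in match_captured_id(seen, SAMPLE_INVENTORY)])
```

The matching only works if the inventory records the same values the RAT reads (the logged-on user at infection time, the exact OS version string and the total size of the system drive); if a candidate does not match, check those fields before concluding the host is not in the inventory.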

The ReadPacket class (Figure 17) is responsible for parsing commands from the C2. It receives the data, converts it to a string and splits it into parts using a delimiter.

Based on the first element of the array (text), it determines which action to perform. The following commands are handled:

  • “pong”: handles the server’s “pong” reply to the client’s “ping” messages, likely used for connection status checking.
  • “Sendfile”: Executes the RunDisk method, which writes a PowerShell file from the received data and executes it.
  • “Memory”: Executes the Memory method, which loads and executes an assembly from the given byte array in memory.
  • “Web”: Downloads a file from a URL and executes it.
  • “Close”: Disconnects the TCP socket and exits the application.
  • “Restart”: Restarts the application.
  • “Uninstall”: Uninstalls the RAT via a batch script.
  • “$Cap”: Captures a screenshot and sends it back to the server in a base64-encoded and GZIP-compressed format.
  • “RemoteDesktop”: Sends back the screen size information.
  • “RD+”: Captures and streams live screen data.
  • “DeskDrop”: Writes a file to the desktop from received data that is base64-encoded and GZIP-compressed.
  • “UAC”: Attempts to elevate privileges if not running as administrator.
  • “OfflineGet”: Sends the content of a log file to the server.
Figure 17: ReadPacket class
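Both directions of the protocol described above (the Info check-in and the ReadPacket dispatch) use the same “<Remote>” splitter, so a small decoder covers both. The block below is an added example written for this article (analyst-side helpers, not SwaetRAT’s own code) that builds the “info” string in the field order the Info method uses and parses server packets the way ReadPacket dispatches them, so a captured session can be triaged offline. Taken from the post: the splitter, the Info field order, the group ID and the command names. Assumed for the demo: how the two booleans are rendered as text, the argument layout of individual commands (for example DeskDrop carrying a file name followed by a body), and that file bodies are base64 of gzip-compressed bytes. Every packet in SAMPLE_PACKETS is constructed, not captured.

```python
# Added example (analyst-side protocol helpers, not SwaetRAT's own code): build
# the "info" check-in the way the Info method does and parse server packets the
# way ReadPacket dispatches them, so captured sessions can be decoded offline.
# From the post: the "<Remote>" splitter, the Info field order, the group ID
# and the command names. Assumed for this demo: the boolean rendering, the
# argument layout of commands (e.g. DeskDrop = name, then body) and that file
# bodies are base64(gzip(bytes)). All packets in SAMPLE_PACKETS are constructed.
import base64
import gzip

SPLITTER = "<Remote>"
GROUP = "SWAET_NOVEMBER"
KNOWN_COMMANDS = {"pong", "Sendfile", "Memory", "Web", "Close", "Restart", "Uninstall",
                  "$Cap", "RemoteDesktop", "RD+", "DeskDrop", "UAC", "OfflineGet"}


def build_info(host_id: str, user: str, os_name: str, is_64bit: bool, antivirus: str,
               is_admin: bool, group: str = GROUP) -> str:
    """Client -> C2 check-in: fields joined with Settings.Splitter in the Info method's order."""
    fields = ["info", host_id, user, os_name, str(is_64bit), antivirus, group, str(is_admin)]
    return SPLITTER.join(fields)


def parse_info(packet: str) -> dict:
    """Decode a check-in back into named fields; rejects anything that is not an 8-field info packet."""
    parts = packet.split(SPLITTER)
    if len(parts) != 8 or parts[0] != "info":
        raise ValueError("not an info packet")
    keys = ["type", "id", "user", "os", "is_64bit", "antivirus", "group", "is_admin"]
    return dict(zip(keys, parts))


def pack_blob(data: bytes) -> str:
    """Encode a file body the way the DeskDrop/$Cap handlers expect it (assumed order: gzip, then base64)."""
    return base64.b64encode(gzip.compress(data)).decode("ascii")


def unpack_blob(encoded: str) -> bytes:
    return gzip.decompress(base64.b64decode(encoded))


def parse_command(packet: str) -> dict:
    """C2 -> client dispatch mirror: the first element selects the handler, the rest are its arguments."""
    parts = packet.split(SPLITTER)
    cmd, args = parts[0], parts[1:]
    result = {"cmd": cmd, "known": cmd in KNOWN_COMMANDS, "args": args}
    if cmd == "Web" and args:
        result["url"] = args[0]                        # download-and-execute target
    elif cmd == "DeskDrop" and len(args) >= 2:
        result["filename"] = args[0]                   # assumed layout: name, then body
        result["data"] = unpack_blob(args[1])
    elif cmd in ("Sendfile", "Memory") and args:
        result["payload"] = base64.b64decode(args[0])  # assumed: raw bytes shipped as base64
    return result


# Constructed sample session (not captured traffic).
SAMPLE_PACKETS = [
    "pong",
    "Web" + SPLITTER + "http://example.invalid/update.exe",
    "DeskDrop" + SPLITTER + "invoice.txt" + SPLITTER + pack_blob(b"dropped file contents"),
    "WhatIsThis" + SPLITTER + "x",
]


def triage_session(packets: list) -> list:
    """Summarise each server packet as (command, known?, extracted detail) for a timeline."""
    out = []
    for p in packets:
        r = parse_command(p)
        detail = r.get("url") or r.get("filename") or ""
        out.append((r["cmd"], r["known"], detail))
    return out


if __name__ == "__main__":
    print(build_info("ABCDEF0123456789ABCD", "alice", "Microsoft Windows NT 10.0.19045.0",
                     True, "Windows Defender", False))
    for row in triage_session(SAMPLE_PACKETS):
        print(row)
```

Unknown command names are reported rather than dropped, since a variant with extra handlers would show up first as “known: False” rows in the triage output; the assumed argument layouts should be confirmed against the ReadPacket code of the specific sample before the decoded file bodies are trusted.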

SwaetRAT creates the mutex “qVnqcuDNS5fGFGb”, which is defined under the Settings class in the configuration (Figure 18). If the mutex already exists, the process exits.

Figure 18: SwaetRAT configuration

A YARA rule for SwaetRAT can be accessed here.

What did we do?

Our team of 24/7 SOC Cyber Analysts isolated the affected host and notified the client of suspicious activities.

What can you learn from this TRU Positive?

  • The use of ScreenConnect, a legitimate remote access tool, by the PhantomControl threat actors underscores the trend of threat actors leveraging legitimate software for malicious activities.
  • The final payload delivered by Ande Loader is the RAT we dubbed SwaetRAT. Persistence via the Startup folder and injection via process hollowing show how the loader keeps the RAT present on infected systems.
  • The RAT’s capabilities include monitoring keystrokes for specific keywords (such as PayPal and Binance), exfiltrating the data, and retrieving additional payloads via various commands.

Recommendations from our Threat Response Unit (TRU):

Protecting against malware requires a multi-layered defense approach to defend endpoints from malware and detect or block unauthorized login activity against applications and remote access services. Therefore, we recommend:

Indicators Of Compromise

Name                                       Indicator
Initial website serving as a redirector    receipt-view.blogspot[.]com
Compromised URL                            jewelrycleaningmachine[.]com
ScreenConnect client (MD5)                 412e11d3ff7659c7d05194cc5e0e1f32
ScreenConnect URL                          legal-advocate.screenconnect[.]com
ScreenConnect IP                           147.75.81[.]214
File_Vbs.vbs (MD5)                         91570b30470e0375c62972a268fcaee7
Ande Loader (MD5)                          92fc4d4a1f6cad69ab11484e74815b50
SwaetRAT (MD5)                             d6d29037517bb1d8202efbf39534df7a
SwaetRAT C2                                dns-govv[.]ink
URL hosting SwaetRAT binary                paste[.]ee/d/k7m1f/0
URL hosting Ande Loader                    uploaddeimagens.com[.]br/images/004/666/676/original/vbs.jpg?1700182879

References

Source: https://www.esentire.com/blog/phantomcontrol-returns-with-ande-loader-and-swaetrat