Threat Bulletin – New variant of IDAT Loader

Morphisec has successfully identified and prevented a new variant of IDAT loader 

This loader is used to deliver a range of malware payloads based on the attacker’s assessment of the victim’s system. Distinguished by its modular architecture, IDAT employs unique features like code injection and execution modules, setting it apart from conventional loaders.   

Morphisec customers are protected against this threat.  

IDAT Loader HeaderAttack Name: New variant of IDAT Loader  

Severity: Critical  

Morphisec’s analysis indicates the attack begins by downloading a setup file UpdateSetup.UpdateSetup_1.3.36.292_x86 from the Windows app store.  

The application is delivered as an MSIX file – MSIX is a Windows app package format that provides a modern packaging experience to all Windows apps, delivered as a .ZIP-based container file. 

The MSI was edited to include a custom action that is executed through a PowerShell signed script – StartingScriptWrapper.ps1 (a part of the PsfLauncher which is delivered by Advanced Installer). The malicious action script is named update.ps1 which delivers the IDAT Loader. 

The signing of the PSFLauncher Script (StartingScriptWrapper.ps1) complicates detection and bypasses security controls such as EDRs and even application whitelisting solutions.  

This signing of the file reduces the chances of detection by NGAV/EDR solutions unless there is a specific indication this file is malicious.  

The update.ps1 script redirects to the first C2 https[:]//utm-msh[.]com/profile/ which loads the IDAT loader. 

Execution Command

powershell.exe ‘-ExecutionPolicy’ ‘RemoteSigned’ ‘-file’ ‘C:/ProgramFiles/WindowsApps UpdateSetup.UpdateSetup_1.3.36.292_x86__s3garmmmnyfa0/update.ps1 

Analysis of the files on VirusTotal at the time of the attack showed zero detections for the malicious script and minimal detections for the C2 URL. At the time of writing this report, detections have gradually increased, meaning the threat is still unknown to most endpoint protection and web filtering solutions.   

Morphisec Threat Prevention Trajectory 

IDAT Attack TrajectoryVirusTotal query of update.ps1 at the time of the attack: 

VirusTotal query of update.ps1 at the time of the attack: 

VirusTotal query of UpdateSetup.UpdateSetup_1.3.36.292_x86 

VirusTotal query of UpdateSetup.UpdateSetup_1.3.36.292_x86:  

VirusTotal query of https[:]//utm-msh[.]com/profile at the time of the attack: 

VirusTotal query of https[:]//utm-msh[.]com/profile at the time of the attack

The attack prevention by Morphisec showcases the capability of AMTD-powered solutions to prevent sophisticated and advanced attacks in the wild and augmenting the cyber-security stack and reducing attack surface exposure. In this case the attack was prevented when existing cyber-defense solutions had low detection ratio of the attack. 

Morphisec Protection Mechanisms

  • Anti-Tampering Prevention Mechanism  

Morphisec’s AMTD dynamically alters the application memory structure and disables the framework needed for an attack to succeed. The Morphisec Endpoint Anti-Tampering mechanism powered by AMTD prevented this attack at an early stage before it could impact the environment. This validates the pro-active protection power of AMTD against attacks and its hardening of the security stack by reducing attack surface exposure.  Morphisec’s AMTD uses an ultra-lightweight agent with a negligible performance impact that does not require prior knowledge – signatures, behavioral patterns, or indicators of attacks (IoAs). 

Mitigation Recommendations

  • Ensure all critical assets are protected by Morphisec  

IOC 

Details 

update.ps1 

4e39fa74e49be2bf26fbfbbcea12d1374fa2f1607ff7fa2a0c8c323e697959ad 

UpdateSetup.UpdateSetup_1.3.36.292_x86 (popupwrapper.exe)  

eb8ce3cbdc33dbc819fe5989bfd4c81dbd54239aa7ee18cfa781173b65b8d628 

C2 

https[:]//utm-msh[.]com/profile/ 

Schedule a demo to learn more about how Morphisec prevents IDAT loader, ransomware and other advanced threats. Reduce Risk Now. 

New call-to-action

Source: Original Post