UAC-0184 Abuses Python in DLL Sideloading for XWORM Distribution

Key Takeaways

Cyble Research and Intelligence Labs (CRIL) recently came across a malware campaign involving a malicious lnk file associated with the UAC-0184 threat actor group.

Previously, UAC-0184 targeted Ukrainian entities in Finland, utilizing the Remcos RAT in their operations.

In their latest campaign, there are signs suggesting the group may be focusing on Ukraine, using disguised lure documents to distribute the XWorm RAT.

When the LNK shortcut file is executed, it triggers a PowerShell script that downloads a ZIP file containing both legitimate and malicious Python components, including an encrypted payload.

The current attack employs DLL sideloading and Shadowloader to execute the XWorm RAT as the final payload.

Ultimately, the XWorm RAT malware attempts to connect to a Command-and-Control (C&C) server for remote access activities. At the time of analysis, the C&C server was inactive, resulting in no observed malicious activities.

Overview

CRIL recently observed a malware campaign targeting Ukraine using the Remote Access Trojan (RAT) known as XWorm. Upon investigation, it was found that this campaign is associated with the Threat Actor (TA) group UAC-0184. Previously, UAC-0184 has targeted Ukrainian entities in Finland, employing the Remcos RAT in their operations. They have utilized techniques such as steganographic image files and the IDAT Loader (SHADOWLADDER, GHOSTPULSE) to distribute malware payloads.

At the end of May, CRIL observed a campaign in which the TA is using Python-related files as part of its strategy to evade detection. The exact initial attack method is still unknown, but it may involve dissemination through phishing or spam emails with ZIP attachments.

Our investigation commences with an analysis of the .lnk file found within the ZIP archive. Upon execution of the LNK shortcut, it initiates a PowerShell script that downloads an additional ZIP file and lure document. This ZIP file houses several items, including a genuine Python executable, a malicious Python DLL, and an encrypted payload binary. The infection technique employs DLL sideloading and Shadowloader to execute the final payload, identified as XWorm RAT.

The figure below depicts the infection chain of the UAC-0184 TA to deliver the XWorm payload.

Figure 1 – Infection chain

Technical Analysis

When extracting the contents of the ZIP file, revealing an LNK shortcut file named “NewCopy.xlsx.lnk.” If the user incorrectly assumes this LNK file is a real Excel worksheet and double-clicks on it, a deceptive Excel file will appear, as illustrated in the figure below.

Figure 2 – Lure Excel document

The content of the Excel worksheet does not reveal the victim of this campaign. When the lure document is displayed to the user, the LNK shortcut file executes in the background, launching the embedded PowerShell command from %appdata%, as shown in the figure below.

Figure 3 – Command-line of the LNK shortcut file

The PowerShell script is designed to download two files named pkg.zip and NewCopy.xlsx from the below URL to the current directory:

hxxp://88.151.192[.]128/djfhu34u9983234s3fnvmxxzpkg.zip

hxxp://88.151.192[.]128/djfhu34u9983234s3fnvmxxzcip/NewCopy.xlsx

Initially, the script downloads “pkg.zip,” extracts its contents, and creates a folder named “SecurityCheck” in %appdata%. It then saves the extracted files in the folder and proceeds to execute “pythonw.exe” using the start command.

Following this, the script downloads “NewCopy.xlsx” (a lure Excel document) and initiates its execution with the start command, as shown in the code snippet below. CRIL has noted that the TA UAC-0184 utilized a similar PowerShell script in a previous campaign, as mentioned by CERT-UA.

Figure 4 – Code snippet of the PowerShell script

The figure below illustrates the presence of the downloaded files “pkg.zip” and “NewCopy.xlsx,” along with the extracted files saved within the “% appdata%SecurityCheck” and “% appdata%ZY_Manage_testv4” directories.

Figure 5 – Downloaded files

Upon execution of “pythonw.exe,” it duplicates all files from that location and stores them in a new folder named “%appdata%ZY_Manage_testv4”. It then proceeds to execute “pythonw.exe” from this newly created directory, as shown in the below process tree figure.

Figure 6 – Process tree

DLL Sideloading

The “pythonw.exe” loads the malicious DLL named “python310.dll” through the DLL side-loading method, which in turn creates a cmd.exe process that initiates a suspended MSBuild process. Then, the loader decrypts the file named “daikon.tif” (which is Shadowladder) and injects the shellcode into the previously created “MSBuild.exe” using the Process Hollowing technique. The figure below illustrates the process in which pythonw.exe loads python310.dll and injects shellcode from daikon.tif.

Figure 7 – DLL sideloading method

XWorm

The injected content, identified as XWorm, then proceeds to perform malicious operations on infected systems. XWorm is categorized as commodity malware, designed to be easily accessible to threat actors, even those with limited technical expertise, who can purchase and use it for various cybercrimes. This versatile malware offers a wide range of capabilities, including data theft, DDoS attacks, cryptocurrency address manipulation, ransomware deployment, and downloading additional malware onto compromised systems. Cyble Research & Intelligence Labs (CRIL) has conducted a thorough analysis of XWorm and previously shared detailed insights about this malware on our blog.

Figure 8 – Presence of XWorm strings in the injected MSBuild exe

After execution, XWorm drops a VB Script file with a random name into the %temp% folder and runs it. This script then connects to the Command-and-Control (C&C) server, as shown below.

Figure 9 – C&C server

In mid-June, we came across other files in the campaign by the same threat actor, indicating a focus on Ukraine based on the lure. In this campaign, we have observed the LNK shortcut file exhibiting similar behavior as previously mentioned. However, unlike the earlier file that used an Excel worksheet as a lure document, this one uses a document viewer application as bait. The LNK shortcut file is named “Відомості про кредитора.dvs.”

When the user executes the LNK shortcut file, disguised as a .dvs file (possibly representing “document viewer software”), they will be confronted with a misleading GUI named “Державна виконавча служба: система документообігу,” which translates to State Executive Service: Document Management System, as shown below. The .dvs extension may be specific to the software employed by the State Executive Service for handling and displaying documents. We’ve noticed that the TA has employed a similar deceptive GUI in their past campaigns.

Figure 10 – Lure document viewer application

The following image displays another deceptive document from the campaign, which uses an electricity bill theme to target Ukrainians.

Figure 11 – Lure word document

The following figure displays a code snippet of a PowerShell script executed when launching the LNK shortcut file named “Відомості про кредитора.dvs.”

Figure 12 – Code snippet of the PowerShell script

In this case, the TA deploys the XWorm payload by leveraging IObit Driver Booster files instead of Python-related files. Here, RttHlp.exe (the IObit Driver Booster executable) loads a malicious DLL named vcl120.bpl via DLL side-loading. This DLL then spawns a cmd.exe process, which subsequently initiates a suspended MSBuild process. Following this, the loader decrypts a file named “bacteriostat.flac” and injects shellcode into the running “MSBuild.exe” process using the Process Hollowing technique.

Conclusion

UAC-0184 is relentlessly carrying out a malware campaign against Ukraine, continually refining its techniques to better evade detection. Notably, it leverages Python-related files to avoid detection in this campaign. The deployment of the final payload XWorm RAT in this campaign indicates a primary objective of establishing remote access to compromised systems. UAC-0184’s operations demonstrate a sustained effort to infiltrate Ukrainian targets for strategic purposes.

Our Recommendations

The initial breach may occur via spam emails. Therefore, it’s advisable to deploy strong email filtering systems to identify and prevent the dissemination of harmful attachments.

When handling email attachments or links, particularly those from unknown senders, exercising caution is crucial. Verify the sender’s identity, particularly if an email seems suspicious.

Consider disabling or limiting the execution of scripting languages on user workstations and servers if they are not essential for legitimate purposes.

Implement application whitelisting to ensure only approved and trusted applications and DLLs can execute on your systems.

Deploy strong antivirus and anti-malware solutions to detect and remove malicious executable files.

Enhance system security by creating strong, distinct passwords for each account and, whenever feasible, activating two-factor authentication.

Set up network-level monitoring to detect unusual activities or data exfiltration by malware. Block suspicious activities to prevent potential breaches.

Regularly back up data to guarantee the ability to recover it in case of an infection and keep users informed about the most current phishing and social engineering methods cybercriminals employ.

MITRE ATT&CK® Techniques

Tactic	Technique	Procedure
Execution  (TA0002)	Scripting (T1064)	Executes visual basic scripts
Execution  (TA0002)	PowerShell (T1059.001)	Powershell downloads PE & ZIP files
Persistence (TA0003)	Registry Run Keys / Startup Folder (T1547.001)	Creates a start menu entry (Start MenuProgramsStartup)
Privilege Escalation (TA0004)	DLL Side-Loading (T1574.002)	Adversaries may execute their own malicious payloads by side-loading DLLs.
Privilege Escalation (TA0004)	Process Injection (T1055)	Injects malicious content into MSBuild.exe process.
Defense Evasion (TA0005)	Obfuscated Files or Information (T1027)	.Net Binary include packed or crypted data.
Defense Evasion (TA0005)	Deobfuscate/Decode Files or Information (T1140)	.NET source code contains calls to encryption/decryption functions
Discovery (TA0007)	Process Discovery (T1057)	Queries a list of all running processes.
Discovery (TA0007)	Security Software Discovery (T1518.001)	May try to detect the virtual machine to hinder analysis
C&C (TA0011)	Application Layer Protocol (T1071)	Malware exe communicate to C&C server.
C&C (TA0011)	Ingress Tool Transfer (T1105)	Downloads files from webservers via HTTP

Indicators of Compromise (IOCs)

Indicators	Indicator Type	Description
bf5a2450f5287f775c2427590c29c27e28e3662c2f68296c64cdacdb639f3b97	Sha256	NewCopy.xlsx.lnk
hxxp://88.151.192[.]128/djfhu34u9983234s3fnvmxxzpkg[.]zip	URL	Malware download URL
38dea3732044129bd99314de582ba3d58a649c8967fe12b98cd867ca6e349ffe	Sha256	Pkg.zip
06adb754096f5853999038c000d8cdafa69bb1696b1011e781ab18bbea6107ce	Sha256	Python DLL
40fd3597c44d10e201304b80c20dd8f2a1ad1ee1032f90d83d7917e037a1d130	Sha256	vmtcuv.vbs
0d16de10ce708b990d1b0ae26ac12792c91864426c88a8c73a475f7f33db014b	Sha256	XWorm
dea780f228acbd536b5cbb35efe1a41d18771f6ed987c9d19b175de44f1d566c 7860a6e7264839c59506d5d69e40311e0c1e6af11b2351ccffe8d9b09acde9a3 d815e32b7998d3927792e579d4ad8430792ca1043b3570f0ee73855529516d21	Sha256	ZIP files
98fcabe279d4001b29949d980aa9ae8396b352ef7c4a90b9dbe07650a7d4b797	Sha256	Відомості про кредитора.dvs. lnk
hxxp://81.19.139[.]62/f8d79yuhjhlgdjlsjkf83da0pkg.zip hxxp://81.19.139[.]14/987yuhgzsd234dfwhjkaqppkg.zip hxxp://81.19.139[.]62/f8d79yuhjhlgdjlsjkf83da0sud/sud.exe hxxp://45.95.232[.]82/dfghujfdkg3fmsud/sud.exe	URL	Malware download URL
444986ba74685fde34afbbf6a6963c5f35f12a1a65a705e5184c545a18c080c6	Sha256	Pkg.zip
7382cf09d04de58beeba4d71fec9777815924fe66849c89e4230b8f26bff2650	Sha256	VCL120.dll
b1355a4eef0c265a9d918cec16f7299f4acc51daf8e3d59ef445cb46914f48ff	Sha256	sud.exe
dd8377e9c3620d0732bedecd0d219f77f7bcffbc49470a9b7ff22db33fe4a185	Sha256	XWorm
hxxp://185.216.68[.]142:9000/hooks/xxx?id=%computername%	URL	C&C
d938cb8accbc51046158350155f1af9248fc8459ef2b92be752b93dae77504a6 17dc38bd4e01496a91d82e6de763df6fd94c00eb1e90e0cccd7f07f84b549f43 e314b233b41a5688a4e43f876ccb10718351d3f396b4df623b4ebb0a093be7e0	Sha256	LNK shortcut files