Threat Actor Employs PowerShell-Backed Steganography in Recent Spam Campaigns

Key Takeaways

  • This blog explores an infection method used to distribute several Remote Access Trojan (RAT) families, which serve as the final payload of the campaign.
  • It describes how the Equation Editor vulnerability in the Excel document is used to download the initial-stage payload, a VB script.
  • It explains how the VB script runs embedded PowerShell content that downloads a JPG image concealing a Base64-encoded .NET payload via steganography.
  • Executing the .NET assembly downloads the final RAT payload, injects it into a legitimate process, and starts its malicious operation on the victim’s system.

Executive Summary

Threat Actors (TAs) have adapted their tactics to use malicious PowerShell content for several reasons: it allows them to operate stealthily, bypass traditional security defenses, and leverage tools already present on compromised systems. PowerShell’s versatility, ease of use, and scripting nature make it an attractive choice for attackers seeking agility and customization. Our recent blogs discussing AgentTesla and the Exploitation of Microsoft CMSTP delve into campaigns incorporating PowerShell scripts within their attack chains.

During CRIL’s recent threat hunting activity using VirusTotal (VT), we encountered a spam campaign that utilized PowerShell-backed steganography. Further investigation uncovered a novel method for disseminating various RAT (Remote Access Trojan) malware such as LimeRAT, AgentTesla, and Remcos. This campaign was initially identified by a researcher, Ankit Anubhav.

The attack starts with a spam email carrying an Excel attachment. When the Excel document is opened, it exploits a vulnerability in the Equation Editor to download a VB script payload. Executing this payload triggers a PowerShell script, which retrieves a JPG image with concealed data embedded using steganography.

Upon extracting and decoding the hidden content from the JPG image, a .NET assembly is obtained. This assembly is then loaded and invoked with the final payload URL as a parameter. In the end, the RAT malware payload is downloaded and injected into the legitimate process of the victim system, as illustrated in the figure below.

Figure 1 – Infection chain

Initial Infection

The initial infection begins with a spam email containing an Excel attachment with file names such as:

• entregar_confirmacion_de_direccion.xlsx
• Swift ACC Reference A2300078.xls
• CN_86607433K.xlam
• Vertex_PO3760987.xls
• COTIZACION.xla
• New Order Green Valley .xlam

The figure below shows some of the spam emails we have observed in the wild used in the malware campaign.

Figure 2 – Spam email
Figure 3 – Spam email
Figure 4 – Spam email

Technical Analysis

The emails come with an Excel file attached (formats such as .xls, .xlsx, .xla, .xlam) containing embedded content. Once the document is opened, users must enable editing to access the content, as shown below.

Figure 5 – Malicious Excel attachment
Figure 6 – Malicious Excel attachment

CVE-2017-11882: Equation Editor Exploitation

When the Excel file is opened as a zip archive, it shows numerous files and folders. Among these, the XML file “sheet1.xml.rels” located in the “xl\worksheets\rels” directory contains the path to the specific embedded document named “aU2WuhBz0.j32a9” within the Excel file.

The “aU2WuhBz0.j32a9” document exploits the Equation Editor Vulnerability (CVE-2017-11882) to initiate the download of the subsequent payload in the attack chain, as shown in the figure below.

Figure 7 – Embedded Doc file inside Excel document

When “Enable editing” is clicked, the XML data in “sheet1.xml.rels” is parsed to retrieve the path of the embedded OLE object, which is then executed. This execution uses the vulnerable “EQNEDT32.EXE” to run malicious shellcode, and the shellcode downloads a VB script file from the following URL:

  • hxxp://195[.]178[.]120[.]24/uchetuesdayyyyy[.]vbs

Below are the similar URLs used for downloading the VB Script file in the campaign.


The figure below shows the extracted payload URL alongside the API function used to download the payload. The data was extracted using the tool “scdbg.”

Figure 8 – Payload URL extracted from Doc file

The downloaded VBS file is saved in the root of the %appdata% folder and is named “uchewed.vbs”. The path for this file is as follows:

  • C:\Users\<Admin>\AppData\Roaming\uchewed.vbs

Steganography Technique

The VBS file dropped in %appdata% is heavily obfuscated. When executed, it de-obfuscates itself in memory and runs the PowerShell code embedded in the VBS. That PowerShell code then retrieves a second set of PowerShell content, which also stays in memory, as shown in the figure below.

Figure 9 – VBS launching PowerShell script

The second-stage PowerShell script downloads the content of a JPG file from the following URL:

  • hxxp://uploaddeimagens[.]com[.]br/images/004/559/510/original/rump_private[.]jpg ?1690504129

The JPG file contains Base64-encoded malware data placed between the markers <<BASE64_START>> and <<BASE64_END>>, as shown in the figure below.

Figure 10 – JPEG image with hidden Base64 payload

After obtaining the JPG content, the PowerShell script parses the JPEG data and decodes the hidden Base64 content found between the two markers.
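As an added example (not code from the original post or from the campaign), the following Python shows how a defender’s triage script can carve a marker-delimited Base64 blob out of image bytes and describe the hidden payload by size, SHA-256 and whether it starts with an MZ header. The image bytes and the “assembly” are constructed here and stand in for the real files.

```python
import base64
import hashlib
import re
from typing import Optional

# Markers the second-stage PowerShell script searches for inside the JPEG.
START_MARKER = b"<<BASE64_START>>"
END_MARKER = b"<<BASE64_END>>"


def extract_hidden_payload(image_bytes: bytes) -> Optional[dict]:
    """Carve the Base64 blob between the markers and describe it for triage.

    Returns None when the marker pair is absent or the blob is not valid
    Base64, so a clean image and a garbled one are both reported as 'no hit'.
    """
    start = image_bytes.find(START_MARKER)
    if start == -1:
        return None
    start += len(START_MARKER)
    end = image_bytes.find(END_MARKER, start)
    if end == -1:
        return None
    # Tolerate line breaks or spaces inserted when the blob was appended.
    blob = re.sub(rb"\s+", b"", image_bytes[start:end])
    try:
        payload = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return {
        "marker_offset": start - len(START_MARKER),
        "payload_size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
        # .NET assemblies are PE files, so a real hit normally starts with "MZ".
        "looks_like_pe": payload[:2] == b"MZ",
    }


# Constructed sample: a minimal JPEG header/trailer with a fake "assembly"
# (an MZ stub plus filler) appended between the markers. Neither is a real
# image or a real payload from the campaign.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"constructed stand-in for a .NET assembly" * 4
SAMPLE_IMAGE = (
    b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9"
    + START_MARKER + base64.b64encode(SAMPLE_PAYLOAD) + END_MARKER
)
CLEAN_IMAGE = b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9"


if __name__ == "__main__":
    print(extract_hidden_payload(SAMPLE_IMAGE))
    print(extract_hidden_payload(CLEAN_IMAGE))
```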

The PowerShell script then loads the decoded binary payload, which is a .NET assembly, retrieves the type named “Fiber.Home” from it, and fetches the method named “VAI” from that type. Finally, the script invokes “VAI” with a single argument: a URL written as a reversed string.

The below figure shows the de-obfuscated second-stage PowerShell script present in the memory.

Figure 11 – PowerShell script downloading JPEG image & final payload

Once the “VAI” method of the “Fiber.Home” type is called with the reversed URL parameter, the method reverses the URL itself and downloads its content using the DownloadString() function. The actual URL, recovered by reversing the passed parameter, is:

  • hxxp://195[.]178[.]120[.]24/noblefileeeeeeeebase64[.]txt

Listed below are a series of similar URLs that download the final payload binary in the malware campaign.


The downloaded data is a Base64-encoded string stored in reversed order. The “VAI” method reverses the content received from the final payload URL and decodes it using the Convert.FromBase64String() function.

The image below depicts a code snippet of the “VAI” method within the “Fiber.Home” type of the Fiber DLL .NET assembly.

Figure 12 – Extracted DLL payload from JPEG image

The decoded content is then injected into “RegAsm.exe” using the process hollowing technique, via the APIs shown in the figure below.

Figure 13 – APIs used for Process Hollowing

In the decoded final content from the base64 format, we have identified malware payload binaries that have been injected into “RegAsm.exe.” Specifically, these malware variants are Remcos, AgentTesla, and LimeRAT.

Final Payload

Remcos

Remcos is a type of RAT; it is a tool for TAs to remotely control compromised systems. This RAT is equipped with a range of capabilities, including remote control over victim computers, data theft, keylogging, screen capturing, file manipulation, and the ability to execute commands. Remcos emerged as a commercially available malware and has been misused by TAs for unauthorized access, data exfiltration, and other malicious activities. Its functions encompass a suite of tactics aimed at stealthy infiltration, evasion of security software, and persistent control over compromised machines.

AgentTesla

Agent Tesla functions as a RAT and data theft tool based on .NET. It is commonly employed to secure initial access and is frequently utilized as part of Malware-As-A-Service (MaaS) operations. Its functionality involves surreptitiously recording keystrokes, capturing screenshots, and harvesting sensitive information from compromised systems. Agent Tesla is designed to covertly monitor victim activity, extracting confidential data such as login credentials, personal details, and financial information. The malware’s extensive capabilities make it a preferred tool for TAs engaged in data theft, fraud, and other malicious activities. It can send collected data to its command and control (C&C) server through various channels, including HTTP(S), SMTP, FTP, or even to a designated Telegram channel.

LimeRAT

LimeRAT is a RAT focused on unauthorized control over compromised systems, with a multifaceted arsenal of malicious actions. It encrypts files and coerces victims to pay a ransom for decryption, and it mines cryptocurrency using the compromised system’s resources. It also steals sensitive information and credentials, logs keystrokes so that cybercriminals can access confidential data, and propagates itself to other devices to widen its reach. Finally, it orchestrates distributed denial-of-service (DDoS) attacks, turning infected devices into a potent botnet.

Conclusion

The utilization of spam emails as a preferred method by TAs stands out due to its widespread impact, cost-effectiveness, and exploitation of human behaviors. The effectiveness of this strategy hinges on social engineering tactics, the ability to remain anonymous, and the global reach for targeting. In the ongoing campaign, TAs have adopted spam emails containing malicious Excel attachments to initiate their operations. The initial VBS payload, executed through these attachments, leverages PowerShell to retrieve a seemingly harmless JPEG image, which, in reality, conceals the subsequent payload. This payload employs steganography techniques to remain hidden. This intricate approach serves to elude detection, minimize suspicion, and establish secure communication with command-and-control servers. Additionally, the final stage involves the deployment of a RAT malware payload, downloadable through the previously established channels. This allows the attackers to gain unauthorized access to the victim’s system, enabling them to engage in a range of malicious activities.

The combination of these techniques underscores the sophistication of modern cyber threats, emphasizing the need for robust cybersecurity measures, user education, and proactive defense strategies to safeguard against evolving attack vectors. CRIL will continue monitoring the new malware strains and phishing campaigns in the wild and update blogs with actionable intelligence to protect users from such notorious attacks.

Our Recommendations

  • The initial compromise takes place through spam emails. Organizations should therefore implement robust email filtering solutions to detect and block the distribution of malicious attachments.
  • The campaign relies on an old vulnerability (CVE-2017-11882) in the Equation Editor. To prevent infection, users should apply the patch that addresses this vulnerability.
  • In this campaign, a reversed HTTP string (//:ptth) is used in the PowerShell command to fetch the final payload. PowerShell processes whose command line includes the reversed HTTP string (//:ptth) should therefore be blocked.
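The following Python, added here as an example and not taken from the post, shows the check behind this recommendation run over a few constructed process-creation events: it flags PowerShell command lines that contain a reversed scheme (//:ptth, or //:sptth for HTTPS), recovers the forward URL for blocking, and defangs it for reporting. The event format and the 198.51.100.7 documentation address are constructed, not from the campaign.

```python
import re
from typing import Dict, List

# A reversed URL ends in the reversed scheme; the run of non-space, non-quote
# characters before it is the reversed host and path. "s?" also catches the
# HTTPS form "//:sptth".
REVERSED_URL_TOKEN = re.compile(r"""[^\s'"]*//:s?ptth""")

# Constructed process-creation events in "image|command line" form (not from
# the page). 198.51.100.7 is a documentation address, not a real C2.
SAMPLE_EVENTS = [
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    + "powershell -w hidden $u='" + "http://198.51.100.7/payload_stage.txt"[::-1]
    + "'; $m.Invoke($null, @($u))",
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    + "powershell Invoke-WebRequest http://intranet.example/report.csv",
    "C:\\Windows\\System32\\cmd.exe|cmd /c echo //:ptth",
]


def defang(url: str) -> str:
    """Render a URL non-clickable for reports (hxxp, [.])."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def find_reversed_urls(events: List[str]) -> List[Dict[str, str]]:
    """Return one finding per reversed URL seen in a PowerShell command line.

    Only PowerShell images are considered, as in the recommendation; the
    cmd.exe event is skipped even though it contains the literal string.
    """
    findings = []
    for event in events:
        image, _, cmdline = event.partition("|")
        if not image.lower().endswith(("powershell.exe", "pwsh.exe")):
            continue
        for match in REVERSED_URL_TOKEN.finditer(cmdline):
            forward = match.group(0)[::-1]  # undo the attacker's reversal
            findings.append({
                "image": image,
                "reversed": match.group(0),
                "url": defang(forward),
            })
    return findings


if __name__ == "__main__":
    for finding in find_reversed_urls(SAMPLE_EVENTS):
        print(finding)
```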

MITRE ATT&CK® Techniques

Tactic                Technique ID   Technique Name
Initial Access        T1566.001      Spearphishing Attachment
Execution             T1203          Exploitation for Client Execution
                      T1047          Windows Management Instrumentation
                      T1059.005      Visual Basic
                      T1059.001      PowerShell
Privilege Escalation  T1055          Process Injection
Defense Evasion       T1497          Virtualization/Sandbox Evasion
                      T1027          Obfuscated Files or Information
                      T1562          Disable or Modify Tools
Credential Access     T1003          OS Credential Dumping
                      T1056          Input Capture
Discovery             T1057          Process Discovery
                      T1012          Query Registry
                      T1082          System Information Discovery
                      T1083          File and Directory Discovery
                      T1518.001      Security Software Discovery
Collection            T1005          Data from Local System
C&C                   T1071          Application Layer Protocol
                      T1573          Encrypted Channel
                      T1105          Ingress Tool Transfer

Indicators of Compromise (IOCs)

YARA Rule

rule mal_PS_downloader
{
    meta:
        author = "Cyble"
        description = "Detects Powershell downloader Files"
        date = "2023-08-25"
        os = "Windows"
        threat_name = "Powershell downloader"
        scan_type = "Memory"
        severity = 90
        reference_sample = "6f8e8ab842590c2c1d7b873ee0cea9940a99de6f9de5b5df7a46fa76c002e396"

    strings:
        $a = "$imageUrl" ascii wide
        $b = ".jpg?" ascii wide
        $c = ".DownloadData(" ascii wide
        $d = "<<BASE64_START>>" ascii wide
        $e = "[System.Reflection.Assembly]::Load" ascii wide
        $f = "//:ptth" ascii wide

    condition:
        all of them
}
