Threat Actors Target US Asylum Seekers with MetaStealer Malware

CRIL investigates an ongoing campaign where individuals seeking asylum in the US are being targeted by MetaStealer malware.

Key Takeaways

  • Cyble Research and Intelligence Labs (CRIL) came across a ZIP archive file that could be downloaded from a URL and possibly disseminated through spam emails. Within the ZIP file lies a shortcut LNK file, cleverly masked as a PDF document.
  • When the shortcut file is executed, it launches a VPN application executable, which loads a concealed malicious DLL via DLL sideloading. Both the VPN application and the DLL are hidden inside the ZIP archive.
  • The loaded DLL file drops an MSI installer, which proceeds to download a deceptive PDF lure and presents it to the victim.
  • Additionally, the installer drops a CAB file containing an information stealer identified as “MetaStealer,” which connects to its Command-and-Control (C&C) server after infection to exfiltrate data.

Overview

On January 11th, CRIL discovered a ZIP archive file named “case2.09-cv-03795.zip”. Investigation showed that the ZIP file was downloaded from the URL hxxps://courtnation[.]shop/case2.09-cv-03795[.]zip. The link is suspected to be distributed via spam emails.

After analyzing the file, it was noted that the ZIP archive contains a deceptive PDF file intended to entice users into opening it. Contrary to its appearance, the file is a shortcut LNK file masquerading as a PDF document.

If the user takes it for a PDF document and opens it with a double-click, the shortcut LNK file executes. The LNK file then launches the VPN application executable, which loads a concealed malicious DLL; both were hidden in the ZIP. The DLL drops an installer file and runs it, which downloads a PDF file and displays it in the browser.

This PDF file portrays an “I-589, Application for Asylum and for Withholding of Removal” document, creating an illusion for users, making them think they have merely opened a PDF document within the ZIP. Concurrently, the installer file drops a Cabinet archive file that decompresses and drops a malware stealer identified as “MetaStealer,” as shown in the below infection chain diagram.

Figure 1 – Infection chain

Previously, in December, MetaStealer malware was distributed through malvertising campaigns. Clicking on the ads redirected victims to malicious landing pages posing as download portals for AnyDesk or Notepad++ software.

Technical Details

After unzipping the archive file named “case2.09-cv-03795.zip,” users will find a PDF file named “case2.09-cv-03795.pdf.” It is important to note that this file is actually a deceptive shortcut LNK file, masquerading as a genuine PDF document, as shown below.

Figure 2 – Shortcut file masquerading as PDF document inside the ZIP

Within the unzipped archive, three hidden files named “vpn.exe,” “vcruntime140.dll,” and “libcrypto-1_1-x64.dll” are present, in addition to the deceptive shortcut file named “case2.09-cv-03795.pdf.lnk,” as shown in the below figure.

Figure 3 – Hidden files along with LNK inside ZIP

When users attempt to open the camouflaged PDF file by double-clicking, the shortcut file executes, running the following PowerShell command:

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Expand-Archive -Path "%USERPROFILE%\Downloads\case2.09-cv-03795.zip" -DestinationPath "%USERPROFILE%\Downloads\case"; cmd.exe /c start '%USERPROFILE%\Downloads\case\vpn.exe'

The PowerShell command initially extracts the contents of the designated ZIP archive (“case2.09-cv-03795.zip”) located in the Downloads folder (“%USERPROFILE%\Downloads”) and drops them to a destination directory (“%USERPROFILE%\Downloads\case”), as shown below.

Figure 4 – Dropped files after LNK execution

Following the extraction, it proceeds to launch a VPN application executable (“vpn.exe”) from the recently created directory, utilizing Command Prompt, as shown in the below figure.

Figure 5 – Target command line of the Shortcut file

DLL Sideloading

When the “vpn.exe” file is executed, it employs the DLL sideloading method to load the malicious DLL (Dynamic Link Library) named “libcrypto-1_1-x64.dll” from the same directory, as shown in the figure below.

Figure 6 – DLL sideloading method

The loaded DLL module functions as a malware dropper, dropping an MSI installer file named “windrv.msi” in the directory “%localappdata%\Microsoft\Windows\” and subsequently initiating its execution, as depicted in the below process tree.

Figure 7 – Execution of the dropped MSI installer file

Upon execution of the MSI installer, it drops a cabinet archive file named “files.cab” into a newly created directory named “MW-b0a3d6f7-f518-4d00-b237-9d984f39c119” within the %temp% directory. Subsequently, it uses the “expand.exe” executable to extract and save the contents into the same folder. Within the extracted folder, an executable named “install.exe” is present, as shown below.

Figure 8 – MetaStealer executable

After the cabinet file has been extracted, the installer opens the URL below through the command prompt, which downloads the PDF document and displays it to the user. The URL is specified in the “msiwrapper.ini” file that the installer created, as shown below.

  • hxxps://www.uscis[.]gov/sites/default/files/document/forms/i-589instr.pdf

Figure 9 – msiwrapper.ini file

The display of the PDF document gives the impression that the user has merely opened a PDF file within the “case2.09-cv-03795.zip” at the beginning.

Threat Actors employ a deceptive tactic by leveraging the “I-589, Application for Asylum and for Withholding of Removal” PDF document to target individuals with a significant interest in immigrating to the United States, as shown in the image below. The use of a seemingly genuine document increases the likelihood of users opening the file without suspicion. This strategy relies on social engineering tactics to enhance the success of malware infiltration, as individuals may lower their guard due to the perceived relevance and sensitivity of the content.

Figure 10 – Lure PDF

However, in the background, the installer silently executes “install.exe” using the “/VERYSILENT” parameter, as depicted in the image below. Upon investigation, the executable named “install.exe” has been identified as “MetaStealer.”

Figure 11 – Process tree

MetaStealer

MetaStealer is an info-stealer malware created to extract sensitive information from compromised systems. Its code base is derived from RedLine, and it is disseminated through diverse channels such as malicious spam and malvertising. The creators of MetaStealer have released an upgraded version of the malware, signaling continuous development and the possibility of future threats.

Upon execution of “install.exe,” the stealer retrieves details about the Windows version using “winver.exe.” Subsequently, it duplicates itself, naming the copy “hyper-v.exe,” and drops it in the directory (%localappdata%\Microsoft\windows) and runs it, as shown below.

Figure 12 – MetaStealer process chain

To bypass Windows Defender, the stealer runs the following command to modify Windows Defender settings. It adds the “exe” extension to Defender’s exclusion list, so executable files are no longer scanned and malicious code can run without being detected.

  • powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension "exe"
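As an added detection example (not part of the Cyble report), the following Python scans constructed process-creation events for the two command-line patterns described above: the shortcut's Expand-Archive followed by launching an executable from the extraction folder, and the Add-MpPreference Defender exclusion. The event format, rule names and parent-process names are assumptions made for this example.

```python
import re

# Constructed process-creation events (assumed "parent -> image :: command line" format, not real
# telemetry); the malicious command lines are the ones quoted in the report, the last event is benign.
SAMPLE_EVENTS = [
    "explorer.exe -> powershell.exe :: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "Expand-Archive -Path \"%USERPROFILE%\\Downloads\\case2.09-cv-03795.zip\" "
    "-DestinationPath \"%USERPROFILE%\\Downloads\\case\"; cmd.exe /c start '%USERPROFILE%\\Downloads\\case\\vpn.exe'",
    "powershell.exe -> cmd.exe :: cmd.exe /c start '%USERPROFILE%\\Downloads\\case\\vpn.exe'",
    "hyper-v.exe -> powershell.exe :: powershell -inputformat none -outputformat none -NonInteractive "
    "-Command Add-MpPreference -ExclusionExtension \"exe\"",
    "explorer.exe -> powershell.exe :: powershell.exe -Command Get-ChildItem C:\\Users\\alice\\Documents",
]

RULES = {
    # Expand-Archive and a launch of an .exe chained in the same command line (the LNK behaviour)
    "archive_expand_then_exec": re.compile(r"expand-archive.+?(?:\bstart\b|invoke-item|&)\s+\S*\.exe", re.I),
    # Defender exclusion added from the command line (T1562.001)
    "defender_exclusion": re.compile(r"add-mppreference\s+-exclusion(?:extension|path|process)\b", re.I),
    # Executable started out of the Downloads folder
    "exec_from_downloads": re.compile(r"\bstart\b.*?\\downloads\\\S*?\.exe", re.I),
}


def scan_process_events(events):
    """Return {rule_name: [event index, ...]} for every event whose command line matches a rule."""
    hits = {}
    for idx, event in enumerate(events):
        cmdline = event.split(" :: ", 1)[-1]   # rules inspect the command line only
        for name, pattern in RULES.items():
            if pattern.search(cmdline):
                hits.setdefault(name, []).append(idx)
    return hits


if __name__ == "__main__":
    for rule, indices in scan_process_events(SAMPLE_EVENTS).items():
        print(rule, "->", indices)
```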

The stealer also collects system details by launching the executable named “systeminfo.exe.”

Upon gathering system details, the stealer focuses on the installed browser application within the system, initiating the stealing of information such as Autofill data, Cookies, Login Data, and other sensitive details.

Command-and-Control (C&C)

Afterward, the stealer establishes a connection with the Command-and-Control (C&C) server at “ykqmwgsuummieaug[.]xyz” on port 443 and encrypts the data it transmits. C&C communication occurs over HTTP on port 443 using the ‘cpp-httplib’ library, with the user agent cpp-httplib/0.12.1.

The initial connection is made to the following URL path:

  • hxxp://ykqmwgsuummieaug[.]xyz:443/api/client_hello

This connection involves a simple GET request without additional information, as shown below.

Figure 13 – C&C communication

The subsequent communication with the C&C server involves a POST request to retrieve tasks assigned for execution on the victim’s system:

  • hxxp://ykqmwgsuummieaug[.]xyz:443/tasks/get_worker

During the analysis, the server responds to this command with an HTTP 400 error code (HTTP/1.1 400 Bad Request).

After the completion of assigned tasks, the next communication with the C&C server occurs through the following URL path:

  • hxxp://ykqmwgsuummieaug[.]xyz:443/tasks/collect

In this case, a POST request is used to report the success or failure of the task, along with additional data such as stolen data or command output.

The commands from the C&C server encompass various functions, including the collection of system information, cookie theft, password retrieval, execution of commands, and more.
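As an added example (not part of the report), the following Python scores hosts seen in constructed proxy log lines against the C&C traits described above: the cpp-httplib user agent, plain HTTP on port 443, and the three request paths. The log format, indicator weights and alert threshold are assumptions made for this example.

```python
import re
from collections import defaultdict

# Assumed proxy log format (one request per line): time method scheme://host:port/path status "user-agent"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<method>[A-Z]+)\s+(?P<scheme>https?)://(?P<host>[^/:\s]+):(?P<port>\d+)'
    r'(?P<path>/\S*)?\s+(?P<status>\d{3})\s+"(?P<ua>[^"]*)"$'
)

# Constructed log lines: the C&C host, paths and user agent are those reported above;
# the other two requests are benign noise (the lure PDF download and an internal API call).
SAMPLE_LOG = """\
2024-01-11T10:02:01Z GET  http://ykqmwgsuummieaug.xyz:443/api/client_hello 200 "cpp-httplib/0.12.1"
2024-01-11T10:02:03Z POST http://ykqmwgsuummieaug.xyz:443/tasks/get_worker 400 "cpp-httplib/0.12.1"
2024-01-11T10:02:09Z POST http://ykqmwgsuummieaug.xyz:443/tasks/collect 200 "cpp-httplib/0.12.1"
2024-01-11T10:02:10Z GET  https://www.uscis.gov:443/sites/default/files/document/forms/i-589instr.pdf 200 "Mozilla/5.0"
2024-01-11T10:03:00Z GET  http://updates.example.internal:8080/api/client_hello 200 "python-requests/2.31"
"""

# Request paths used in the MetaStealer C&C exchange described above
C2_PATHS = {"/api/client_hello", "/tasks/get_worker", "/tasks/collect"}


def request_indicators(req):
    """Weighted indicators for one parsed request (weights are assumptions for this example)."""
    found = {}
    if req["ua"].startswith("cpp-httplib/"):
        found["ua:cpp-httplib"] = 1          # a legitimate library, so weak on its own
    if req["scheme"] == "http" and req["port"] == "443":
        found["plaintext-http-on-443"] = 2   # HTTP, not TLS, on the HTTPS port
    if req["path"] in C2_PATHS:
        found["path:" + req["path"]] = 2     # each distinct C&C path counts once per host
    return found


def score_hosts(log_text, threshold=4):
    """Aggregate distinct indicators per host; return {host: (score, indicators)} at or above threshold."""
    per_host = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # lines outside the assumed format are ignored
        req = m.groupdict()
        req["path"] = req["path"] or "/"
        per_host[req["host"]].update(request_indicators(req))
    return {h: (sum(ind.values()), sorted(ind)) for h, ind in per_host.items()
            if sum(ind.values()) >= threshold}
```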

For a detailed analysis of MetaStealer, refer to the blog authored by Russian Panda.

Conclusion

Threat Actors opt for sensitive or official documents as bait because they can exploit emotions, establish an appearance of legitimacy, and attract a diverse audience. This strategic application of social engineering tactics boosts the effectiveness of malware campaigns, aiding attackers in avoiding detection by presenting themselves as genuine and non-malicious.

In this malware campaign, TAs use a PDF document titled “I-589, Application for Asylum and for Withholding of Removal” as the lure. Successful exploitation of the lure results in the infection of the user’s system by the MetaStealer malware. The multi-layered attack used in this campaign enables TAs to evade detection and discreetly exfiltrate sensitive information. Together, these tactics enhance the campaign’s effectiveness by leveraging user trust, employing camouflage techniques, and utilizing social engineering strategies.

CRIL diligently tracks the most recent phishing or malware strains in circulation, providing timely analyses containing actionable intelligence. This information assists users in safeguarding themselves against potential threats and attacks.

Our Recommendations

  • The initial breach occurs via spam emails. Therefore, it’s advisable to deploy strong email filtering systems for identifying and preventing the dissemination of harmful attachments.
  • When handling email attachments or links, particularly those from unknown senders, exercising caution is crucial. Verify the sender’s identity, particularly if an email seems suspicious.
  • Consider disabling or limiting the execution of scripting languages, such as PowerShell, on user workstations and servers if they are not essential for legitimate purposes.
  • Deploy strong antivirus and anti-malware solutions to detect and remove malicious executable files.
  • Enhance the system security by creating strong, distinct passwords for each of the accounts and, whenever feasible, activate two-factor authentication.
  • Set up network-level monitoring to detect unusual activities or data exfiltration by malware. Block suspicious activities to prevent potential breaches.
  • Regularly back up data to guarantee the ability to recover it in case of an infection and keep users informed about the most current phishing and social engineering methods employed by cybercriminals.

MITRE ATT&CK® Techniques

| Tactic | Technique | Procedure |
|---|---|---|
| Execution (TA0002) | Command and Scripting Interpreter: Windows Command Shell (T1059.003) | cmd.exe is used to run commands such as start, expand, and run the malware executable. |
| Execution (TA0002) | Command and Scripting Interpreter: PowerShell (T1059.001) | PowerShell script used to expand the archive file, start cmd.exe, and add a Windows Defender exclusion. |
| Defense Evasion (TA0005) | Masquerading (T1036) | LNK file masqueraded as a PDF document. |
| Defense Evasion (TA0005) | Hijack Execution Flow: DLL Side-Loading (T1574.002) | DLL sideloading is used to load the malicious DLL. |
| Defense Evasion (TA0005) | Impair Defenses: Disable or Modify Tools (T1562.001) | Adds the exe extension to the Windows Defender exclusion list. |
| Command and Control (TA0011) | Application Layer Protocol (T1071) | Malware executable communicates with the C&C server. |

Indicators of Compromise (IOCs)

