Multistage Delivery of Malware Using Steganography
During our routine threat-hunting exercise, Cyble Research Labs came across a Twitter post wherein a researcher mentioned an interesting infection chain of Xloader malware.
The malware uses multiple file types such as PDF, XLSX, and RTF for its initial infection and execution. It is also designed to drop three modules in memory and execute the final payload using the Process-Hollowing technique. Additionally, The malware uses steganography to hide its malicious content in a bitmap file.
The below figure shows the infection chain of Xloader malware.
Xloader is a rebranded version of the Formbook stealer. It is designed as a malicious tool to steal credentials from different web browsers, collect screenshots, monitor and log keystrokes from the victim’s machine, and send them to Command and Control (C&C) server. Typically, Xloader spreads via spam emails that trick victims into downloading a malicious attachment file, such as MS Office documents, PDF documents, etc.
This blog showcases the deep-dive analysis of the malware infection, starting with a spam email containing a PDF attachment to deliver the final payload of Xloader malware. The PDF attachment is shown below.
Upon opening a PDF file, it drops the embedded XLSX file named “has been verified. However PDF, JPG, Docx, .xlsx” into the “Temp” location. It then uses multiple extensions of different file formats to trick the user. The below figure shows the embedded file details of the PDF document.
Upon execution of the XLSX file, it downloads the RTF document file from the URL – hxxps[:]//htmlpreview[.]github[.]io@oshi[.]at/Nmtw.
When the RTF document is opened, MS Word’s equation editor (EQNEDT32.exe) will automatically launch and download a .NET malware file from the URL – hxxp[:]//192.227.173[.]33/71/vbc[.]exe.
The below figure shows the opened RTF document.
The .NET executable file named “vbc.exe” isdownloaded from the RTF document via equation editor vulnerability (CVE-2017-11882) and is an obfuscated binary file. The below figure shows the obfuscated and de-obfuscated file details such as methods and functions.
We have taken the sample hash (SHA256), d0c85ba5e6d88e1e0b5f068f125829b4e224b90be2488f2c21317447dc51fb9e for our analysis. It is a 32-bit, .NET executable file named as “vbc.exe”.
Upon execution of the vbc.exe file, the method Convert.FromBase64String() in the Main() function decodes the base64 string content and returns a new PE file, as shown below.
After decoding the base64 content, vbc.exe loads the converted PE module named “Bunifu.UI.dll” into memory by using a dynamically invoked function with passing arguments of strings such as “Invoke” and “Bunifu_TextBox.” The below figure shows the concatenated strings used in the malware file.
The module “Bunifu.UI.dll” is also an obfuscated .NET file. The below figure shows the de-obfuscated content of the new assembly file and runs the Bunifu_TextBox() function, which retrieves the embedded bitmap image “QQvruB” present in the resource (“Hospital_Document_Tracker_System.Resources.resources”) of the parent malware vbc.exe file. It then calls the Sleep function to delay the execution before accessing the resource for the bitmap image.
The malware uses the steganography technique to hide malicious content in the compressed bitmap image embedded in the resource of the parent malware file vbc.exe, shown below.
The successful decompression of the bitmap image retrieves another .NET file in memory, as shown in Figure 10. The “Bunifu.UI.dll” module loads the new binary using the Assembly.Load method by passing the decompressed bitmap content as an argument.
The main purpose of “Bunifu.UI.dll” is to decompress the bitmap image from a resource using the “GZipStream” class, as shown in the figure below.
The new file decompressed from the resource is another obfuscated .NET binary titled “MajorRevision.exe.” The figure below shows the newly loaded module in memory with the module name in the Chinese script.
The below figure shows the de-obfuscated “MajorRevision.exe” assembly file.
Upon execution of the “MajorRevision.exe” module, it first creates a mutex named “fBEQVtAy” to ensure that only one instance of malware runs on the victims’ system. The malware exits if the mutex is already present.
Next, it converts the larger array of bytes present in the module into HEX values, as shown in Figure 15. It contains multiple Anti-Analysis and Anti-Detection checks to prevent the execution of the malware in a controlled environment.
After that, it retrieves the final payload in memory by converting another larger array of bytes which is also present in the “MajorRevision.exe.” Finally, it injects the payload by creating a new process with the parent file name (“vbc.exe”) using the process hollowing technique shown below.
The below figure shows the file information of the final malware payload, “Xloader.” Based on our static analysis, we concluded that the malware payload is a 32-bit, MASM compiled binary with only the “.text” section.
Xloader malware uses the magic bytes “XLNG,” shown in the figure below.
Upon successful execution, Xloader drops an executable file in the following location and injects it into explorer.exe.
- “C:\Program Files (x86)\L9rql\winmrhl7bm.exe”
To establish persistence, the malware creates the below registry key for autorun to execute the dropped malware file when the user logs in to the system every time.
- HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\J8TPYFN8OVE = “C:\\Program Files (x86)\\L9rql\\winmrhl7bm.exe”
Finally, after a successful connection to the Threat Actor’s C&C server, Xloader can be instructed to download and launch additional payloads, terminate and uninstall the malware, etc.
Additionally, Xloader steals user credentials or cookies from browsers, logs keystrokes, steals clipboard content, takes screenshots, and sends them to the TA’s C&C server.
Information stealers are evolving as increasingly sophisticated threats in the cybercrime ecosystem. They can cause severe damage to individuals and organizations in the case of privacy violations, confidential information leakage, etc.
Exploiting the human element is often easier for Threat Actors compared to exploiting complex vulnerabilities. Throughout our analysis, we have observed that Xloader looks like a prominent malware variant that is constantly updated by improving its code which adds new features, more obfuscation, the use of anti-analysis techniques, etc.
Cyble Research Labs will closely monitor Xloader malware and other information stealers and analyze them to understand their TTPs better and update our readers accordingly.
- Avoid downloading pirated software from unverified sites.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Keep updating your passwords after certain intervals.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on employees’ systems.
MITRE ATT&CK® Techniques
|Tactic||Technique ID||Technique Name|
|User Execution |
Exploitation for Client Execution
|Persistence||T1547||Registry Run Keys / Startup Folder|
|Defence Evasion||T1497||Virtualization/Sandbox Evasion|
|Credential Access||T1552||Credentials In Files|
|Lateral Movement||T1021||Remote Services|
|CNC||T1071||Application Layer Protocol|
Indicator Of Compromise (IOCs)
|Obfuscated .NET exe Main file|
|De-obfuscated .NET exe Main file|
|Obfuscated .NET exe Stage 1|
|bc31d889dd60360d38796521b452d775 7e52c29418bd13c749da76506251ad3ad291d06c |
|De-obfuscated .NET exe Stage 1|
|Obfuscated .NET exe Stage 2|
|De-obfuscated .NET exe Stage 2|
|Final payload MASM exe|
|hxxps[:]//htmlpreview[.]github[.]io@oshi[.]at/Nmtw||URL||download RTF |
file from C&C
|hxxp[:]//192[.]227[.]173[.]33/71/vbc[.]exe||URL||Download EXE |
file from C&C