Following the link leads to another YouTube post, which reveals the download link for the fake installer.
In the example below, this leads to downloading the file from the Mediafire file-sharing platform:
In another case, the threat was hosted on a different file-sharing service, Mega.nz.
The threat clearly abuses well-known file-hosting services as an extra layer that hides the download and helps it evade detection, since the file is served from a reputable domain rather than from attacker infrastructure.
In the cases we'll break down in this blog, we observed that these threats are often distributed as fake setup files or cracked applications, which unsuspecting users come across while searching for them through search engines.
In the case outlined below, specific keywords return search results for these posts.
The third listing in the search results (see the screenshot above) comes from OpenSea, an NFT marketplace, which is unusual since it hosted a downloadable file. The listing contains a shortened link that redirects to the actual link. One theory is that shortened links are used to stop scraper sites from reaching the download link.
Following this link prompts for the actual download link and the password for the zip archive. Password-protecting the archive helps prevent sandbox analysis of the main file on arrival, which can be a quick win for an attacker.
The fourth and last item in the search results (see the search results screenshot above) was tied to SoundCloud, a music-sharing platform that hosted the download link together with a corresponding image. In this case, the download link was shortened through Twitter.
The same user also posted additional entries describing how to download a different file.
Details from another post created by the same user.
Similar to the first case, another website displays the download link and password.
In one of our download links, traces of other posts they are trying to imitate were identified, as shown in VirusTotal (VT).
Infection investigation as seen by Managed XDR (after download)
In the next section, we'll discuss cases where the download succeeded and the contents were executed. This sample scenario highlights the behaviors observed on the host.
Scenario 1
One notable aspect of the unzipped file is its size of 900 MB. The large file size helps evade security controls: many sandboxes and scanners skip files above a size limit, and a large installer looks more like a legitimate application. It also cannot be submitted to VT because it exceeds the upload size limit.
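As an added example (not from the original post), the following check tells you whether a very large installer owes its size to a run of filler bytes appended after the real binary. The post states only that the 900 MB file evades sandboxes and cannot be uploaded to VT; that the bulk is trailing padding is an assumption made here (it is a common way to inflate droppers), and the sample file is constructed. When padding is found, the trimmed core can be hashed and submitted instead.

```python
"""
Added example (not from the original post): check whether a suspiciously
large installer is 'bloated' with a long run of one repeated byte value.
Assumption: the padding sits at the end of the file, after the real binary.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read the tail in 1 MiB chunks


def trailing_filler(path, min_run=1 << 20):
    """Return (filler_byte, run_length) for the run of one repeated byte value
    that ends the file, or (None, 0) if that run is shorter than min_run."""
    size = os.path.getsize(path)
    if size == 0:
        return None, 0
    with open(path, "rb") as f:
        f.seek(size - 1)
        last = f.read(1)          # the byte value the run consists of
        run = 0
        pos = size
        while pos > 0:
            step = min(CHUNK, pos)
            pos -= step
            f.seek(pos)
            chunk = f.read(step)
            stripped = chunk.rstrip(last)   # strips only that byte value
            run += len(chunk) - len(stripped)
            if stripped:                    # run ended inside this chunk
                break
    if run < min_run:
        return None, 0
    return last[0], run


def core_sha256(path, run):
    """SHA-256 of the file with the trailing filler run removed."""
    h = hashlib.sha256()
    remaining = os.path.getsize(path) - run
    with open(path, "rb") as f:
        while remaining > 0:
            data = f.read(min(CHUNK, remaining))
            if not data:
                break
            h.update(data)
            remaining -= len(data)
    return h.hexdigest()


def analyze(path, min_run=1 << 20):
    """Size, filler byte/length, padding ratio and hash of the trimmed core."""
    size = os.path.getsize(path)
    byte, run = trailing_filler(path, min_run)
    return {
        "size": size,
        "filler_byte": byte,
        "filler_bytes": run,
        "filler_ratio": run / size if size else 0.0,
        "core_sha256": core_sha256(path, run),
    }


def demo():
    """Constructed sample: a small 'real' body followed by 4 MiB of NULs, the
    shape a bloated installer has once its padding is found. Returns the
    report and the hash of the body so the two can be compared."""
    body = b"MZ" + b"real installer bytes" * 100
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as tmp:
        tmp.write(body + b"\x00" * (4 << 20))
        path = tmp.name
    try:
        return analyze(path), hashlib.sha256(body).hexdigest()
    finally:
        os.unlink(path)


if __name__ == "__main__":
    report, body_hash = demo()
    print(report)
    print("core matches body:", report["core_sha256"] == body_hash)
```

Run `analyze()` against the extracted .exe. A `filler_ratio` near 1.0 with a single filler byte means the "installer" is a small binary behind hundreds of megabytes of padding, and `core_sha256` is the value worth pivoting on. If no long run is found, the size is real or the padding is randomized, and this check will not reduce it.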
The infection chain starts when the .exe file inside the zip archive is launched.
A threat was detected involving the execution of batch files. The content of the batch file was extracted; while it differs from the Managed XDR instance, it is functionally similar.
The batch file contains obfuscated content.
The first cleanup step is removing the junk lines.
Next, the variables are substituted, producing a more readable script.
According to the batch file, it assembles the AutoIt script by concatenating the numerous dropped files and executes it. After execution, we observed that it dropped several additional files.
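The two cleanup steps just described (drop the junk lines, then substitute the variables) are mechanical enough to script. Below is an added example, not the post's own tooling, of a small deobfuscator for this style of batch file; it also pulls out which dropped fragments each `copy /b` stitches together, which tells the analyst what to concatenate to recover the assembled file. The sample script and its file names are constructed for the example.

```python
"""
Added example (not the post's own tooling): deobfuscate a batch file whose
real commands are hidden behind decoy comments and 'set' fragments that are
glued back together via %var% expansion. Not handled: cmd's substring and
replace syntax (%var:~1,3%, %var:a=b%) and delayed expansion (!var!), which a
real sample may also use.
"""
import re

SET_RE = re.compile(r'^\s*set\s+"?([A-Za-z_][A-Za-z0-9_]*)=([^"]*)"?\s*$', re.I)
VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")
JUNK_RE = re.compile(r"^\s*(rem\b|::)", re.I)
COPY_RE = re.compile(r"^\s*copy\s+/b\s+(.+?)\s+(\S+)\s*$", re.I)


def parse_sets(lines):
    """Collect variable assignments. Names are case-insensitive in cmd.exe
    and a later assignment overwrites an earlier one."""
    env = {}
    for line in lines:
        m = SET_RE.match(line)
        if m:
            env[m.group(1).lower()] = m.group(2)
    return env


def expand(text, env, max_rounds=10):
    """Expand %var% references. A value may itself contain %var% (for example
    set "Run=%Dst%"), so repeat until nothing changes. Unknown names are kept
    verbatim so the analyst can see what was not resolved."""
    for _ in range(max_rounds):
        new = VAR_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), text)
        if new == text:
            break
        text = new
    return text


def deobfuscate(script):
    """Return (clean_lines, env): comments, blank lines and the assignments
    themselves removed, and every %var% in the remaining lines expanded."""
    lines = script.splitlines()
    env = parse_sets(lines)
    clean = [expand(l, env) for l in lines
             if l.strip() and not JUNK_RE.match(l) and not SET_RE.match(l)]
    return clean, env


def assembled_files(clean_lines):
    """Map each 'copy /b a + b + ... dest' to its fragments, i.e. which
    dropped files to concatenate to recover the assembled interpreter or
    script for analysis."""
    found = {}
    for line in clean_lines:
        m = COPY_RE.match(line)
        if m:
            found[m.group(2)] = [p.strip() for p in m.group(1).split("+")]
    return found


# Constructed sample in the style of the dropper: decoy comments, a decoy
# variable, and the 'copy /b' command split across two variables.
SAMPLE = """@echo off
rem 5a1c decoy comment
set "Vh=co"
:: another decoy line
set "Qz=py /b"
set "Unused=decoy value never referenced"
set "Dst=Interim.pif"
set "Run=%Dst%"
%Vh%%Qz% Dental.mp4 + Frost.mp4 + Walking.mp4 + Ward.mp4 %Dst%
%Run% Dreams.avi
"""

if __name__ == "__main__":
    clean, env = deobfuscate(SAMPLE)
    print("\n".join(clean))
    print(assembled_files(clean))
```

On the sample this yields a `copy /b` that builds `Interim.pif` from four renamed fragments and a final line that runs it with a second file as its argument, the pattern the post describes for assembling and executing the AutoIt payload.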
Its code can be injected into running processes, and in some cases a new legitimate binary is launched to serve as the injection target.
Collecting and staging sensitive data from browsers for credential access was done through a file copy operation.
The process started by the threat also shows connections to multiple command-and-control (C&C) addresses.
Besides contacting its C&C, our investigation observed the threat performing a series of queries for Domain Generation Algorithm (DGA) domains.
Scenario 2
In this second scenario, the infection began after a user downloaded a compressed file from a well-known file-sharing platform. Once downloaded, the user extracted the file, which required a password, and launched the installer. After execution, it carried out a range of suspicious actions, such as spawning a legitimate process and injecting its code into it. The threat also uses a known scripting utility, AutoIt, to further conceal its execution, and later connects to its C&C to download and execute additional malware, typically different infostealer variants.
A look at the contents of the zip file shows what appears to be a standard application installer.
Setup.exe is a version of rustdesk.exe, an open-source remote desktop application, and is recognized as such on VirusTotal.
The zip archive contains a trojanized copy of the rustdesk.exe package in which one of its DLLs has been tampered with. In this case, the malicious DLL loaded by Setup.exe was flutter_gpu_texture_renderer_plugin.dll, sideloaded from the package directory by the otherwise legitimate executable.
Upon launching the file, it displays an error message while continuing to run covertly in the background.
As expected, the following actions had already been carried out silently:
- Injecting malicious code into legitimate binaries, such as more.com, StrCmp.exe, SearchIndexer.exe, and explorer.exe, to evade detection by security solutions.
- Dropping additional files, which are information stealers or malware from a different family.
- Creating an autorun registry entry and scheduled tasks to maintain persistence.
The injected processes were then observed initiating C&C communication.
Bundle of Infostealers/Loaders
This case isn't limited to a single information stealer but rather a bundle of recent, noisy ones. This isn't new; it was previously documented with Raccoon Stealer.
- LUMMASTEALER
- PRIVATELOADER
- MARSSTEALER
- SHAZER
- FLIPEND
- GALDRAN
Summary of the various defense evasion techniques observed in the incident:
- Use of a large file size, a tactic to evade sandbox analysis.
- A password-protected zip file, which blocks content inspection and can complicate investigation if the password is unknown.
- Uploading files to well-known media-sharing platforms, which most antivirus products would only detect if the exact link is known before download.
- Shortening download links in some cases to hinder scraping by websites.
- Use of legitimate files, with DLL sideloading or process injection to launch the payload.
The role of Managed XDR in combating an infostealer attack via fake installers
A comprehensive defense strategy is crucial for organizations to protect their environments. Managed XDR can promptly identify incidents that may have slipped past some defense layers, and it provides the analysis and actions needed to contain the threat effectively.
- Proactive threat hunting and analyst-enriched alerts – Some activities may evade detection by alerts or generate only low-severity alerts that Trend Vision One users could overlook. Proactive threat hunting actively looks for known tactics, techniques, and procedures (TTPs) or emerging threats to ensure alerts are raised. In addition, Managed Detection and Response (MDR) analysts can determine whether certain detections require further attention from the customer, reducing the burden on Trend Vision One users to scrutinize every alert.
- Understanding the context of the alert – After a threat activity triggers a detection, further correlation is needed to contextualize and capture the full sequence of events. Linking our findings to the initial alert shows that most of the findings in this write-up do not appear in a single alert or detection. Some activities had no associated detection at all and were only linked through additional investigation using the Search app. As shown in the case findings above, these insights come from the MXDR analyst's in-depth examination of the initial triggers, which can include threat hunting or alerts generated from a workbench.
- Executing response actions – As the fake installer attack progresses, MXDR analysts can trigger response actions to contain the threat on the customer's behalf. In this case, we isolated the affected machines to prevent further spread. Indicators of Compromise (IOCs) were added to the Suspicious Objects (SO) list to block further executions, and the suspicious files were forwarded to the analysis team for accurate identification.
Conclusion
Threat actors continue to use social engineering to target their victims and apply a range of techniques to bypass security controls, such as DLL sideloading, large installer files, password-protected archives, process injection into legitimate processes, links hosted on reputable websites, and copying and renaming files to appear harmless.
Staying informed about current threats and keeping watch over detection and alerting systems is essential. Relying on detection alone can let many malicious actions go unnoticed. Organizations should consider the following to counter these threats:
- Deploy a multi-layered defense strategy for comprehensive protection.
- Educate users about potential risks.
- Establish an incident response plan.
- Perform proactive threat hunting.
- Engage a Managed Security Service Provider (MSSP).
Organizations can leverage Trend Vision One™ – Endpoint Security for prevention, detection, and response across user endpoints, servers, cloud workloads, and data centers.
Managed XDR provides 24/7 managed detection and response (MDR) for email, endpoints, servers, cloud workloads, and networks from our expert MDR team.
Trend Vision One Threat Intelligence
To stay ahead of evolving threats, Trend Micro customers can also access a range of Intelligence Reports and Threat Insights within Trend Vision One. Threat Insights helps customers anticipate cyber threats, prepare for emerging threats, and gain valuable insights. It provides in-depth information on threat actors, their malicious activities, and the techniques they use. By leveraging this intelligence, customers can proactively harden their environments, reduce risk, and respond effectively to threats.
Trend Vision One Intelligence Reports App [IOC Sweeping]
- Exploiting Cracks and Installers to Introduce Malicious Software to Your Device
Trend Vision One Threat Insights App
Hunting Queries
Trend Vision One Search App
Trend Vision One customers can use the Search App to match or hunt for the suspicious indicators mentioned in this article within their data.
Possible AutoIt script construction
parentCmd:("*.exe") AND processCmd:("*/c move*.cmd*&*.cmd") AND objectCmd:("*/c copy /b ..*+ ..*")
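For readers without the Search App, here is the same query re-expressed as a portable rule and run over a few constructed process-creation events, so the matching logic can be tested offline. This is an added example and not part of the original post or of Trend Vision One. It also carries a second rule, written here for the injection targets named in Scenario 2 (more.com, StrCmp.exe, SearchIndexer.exe); that rule is this editor's own hypothesis, not a published query, and needs tuning before use. Field names follow the query (parentCmd, processCmd, objectCmd); every event below is made up.

```python
"""
Added example, not from the post or from Trend Vision One: the Search App
query as a wildcard rule, plus an editor-written rule for the injection
targets from Scenario 2, evaluated over constructed process events.
"""
import fnmatch
import re


def wildcard(pattern):
    """Translate a '*' wildcard pattern into an anchored, case-insensitive
    regex. Windows paths and command lines are case-insensitive, so the match
    is too. fnmatch also treats [...] as a character class, unused here."""
    return re.compile(fnmatch.translate(pattern), re.IGNORECASE)


RULES = {
    # The query from the post: a parent .exe runs cmd to rename a dropped file
    # to .cmd and execute it, and that .cmd assembles a file with 'copy /b'.
    "possible_autoit_script_construction": {
        "parentCmd": "*.exe",
        "processCmd": "*/c move*.cmd*&*.cmd",
        "objectCmd": "*/c copy /b ..*+ ..*",
    },
    # Editor's own rule (hypothetical, not from the post): an executable run
    # from a user-writable folder spawns one of the binaries the post lists as
    # injection targets. Tune before deploying: cmd.exe legitimately spawns
    # more.com to page output, which the processCmd constraint is meant to
    # exclude, but other installers may trip it.
    "user_dir_exe_spawns_injection_target": {
        "processCmd": [r"*C:\Users\*\Downloads\*.exe*",
                       r"*C:\Users\*\AppData\Local\Temp\*.exe*"],
        "objectCmd": [r"*\more.com*", r"*\StrCmp.exe*", r"*\SearchIndexer.exe*"],
    },
}


def matches(rule, event):
    """All fields of a rule must match (AND); a list of patterns for one
    field matches if any of them does (OR)."""
    for field, patterns in rule.items():
        if isinstance(patterns, str):
            patterns = [patterns]
        value = event.get(field, "")
        if not any(wildcard(p).match(value) for p in patterns):
            return False
    return True


def hunt(rules, events):
    """Return (rule_name, event_id) for every rule that fires on an event."""
    return [(name, event["id"])
            for event in events
            for name, rule in rules.items()
            if matches(rule, event)]


# Constructed events (not real telemetry).
EVENTS = [
    {   # Scenario 1 style: installer -> cmd renames dropper to .cmd -> copy /b
        "id": 1,
        "parentCmd": r"C:\Users\alice\Downloads\Adobe_Setup\Setup.exe",
        "processCmd": r"C:\Windows\system32\cmd.exe /c move Helmet Helmet.cmd & Helmet.cmd",
        "objectCmd": r"C:\Windows\system32\cmd.exe /c copy /b ..\Dental.mp4 + ..\Frost.mp4 + ..\Ward.mp4 Interim.pif",
    },
    {   # benign build script that also uses copy /b, without the move stage
        "id": 2,
        "parentCmd": r"C:\Program Files\Git\git-bash.exe",
        "processCmd": r"cmd.exe /c build.cmd",
        "objectCmd": r"cmd.exe /c copy /b part1.bin + part2.bin firmware.bin",
    },
    {   # Scenario 2 style: trojanized Setup.exe from Downloads spawns more.com
        "id": 3,
        "parentCmd": r"C:\Windows\explorer.exe",
        "processCmd": r'"C:\Users\alice\Downloads\rustdesk\Setup.exe"',
        "objectCmd": r"C:\Windows\System32\more.com",
    },
    {   # legitimate paging: cmd.exe itself spawns more.com
        "id": 4,
        "parentCmd": r"C:\Windows\explorer.exe",
        "processCmd": r"C:\Windows\system32\cmd.exe /c type readme.txt | more",
        "objectCmd": r"C:\Windows\System32\more.com",
    },
]

if __name__ == "__main__":
    for name, event_id in hunt(RULES, EVENTS):
        print(f"{name}: event {event_id}")
```

Only events 1 and 3 fire: the benign `copy /b` in event 2 lacks the `move ... .cmd & ... .cmd` stage the published query keys on, and the paging in event 4 is excluded because the parent of more.com is cmd.exe rather than an executable in a user-writable folder.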
More hunting queries are available for Trend Vision One customers with the Threat Insights Entitlement enabled.
Indicators of Compromise (IOCs)
Access the full list of IOCs here.
