Figure 1: Infection Flow
But in this case, since the malware uses the caller and callee function code to derive the key, if the analyst adds or removes anything from the first or second layer script, the script will not be able to retrieve the key and will terminate with an exception. The code snippet in Figure 3 shows this trick.
During its first communication to the server, the malware sends the tid value and the current date of the system in encoded format, and waits for the response from the server. It decodes the server response and executes the response as a function, as shown in Figure 4.
Figure 4: Initial Server Communication and Response
Architecture, ComputerName, UserName, Processors, OS, Domain, Manufacturer, Model, BIOS_Version, AntiSpywareProduct, AntiVirusProduct, MACAddress, Keyboard, PointingDevice, DisplayControllerConfiguration, ProcessList;
After sending the system information to the server, the response from the server contains two parts: content2 and content3.
The script (step2 function) decodes both parts. The decoded content3 part contains the function named as step3, as shown in Figure 5.
Figure 5: Decrypting and Executing Response step3
The step3 function contains code that writes decoded content2 into a %temp% directory as Update.js. Update.js contains code to download and execute the final payload. The step3 function also sends the resulting data, such as runFileResult and _tempFilePath, to the server, as shown in Figure 6.
Figure 6: Script to Drop and Execute Update.js
Components of the Attack
Figure 7 shows the index of the malicious server where we have observed the malware author updating the script content.
Figure 7: Index of Malicious Server
- 7za.exe: 7zip standalone executable
- LogList.rtf: Password-protected archive file
- Upd.cmd: Batch script to install the NetSupport Client
- Downloads.txt: List of IPs (possibly the infected systems)
- Get.php: Downloads LogList.rtf
This file is a batch script that extracts the archive file and installs the remote control tool on the system. The script is obfuscated with the variable substitution method. This file was regularly updated by the malware during our analysis.
After de-obfuscating the script, we can see the batch commands in the script (Figure 8).
Figure 8: De-Obfuscated Upd.cmd Script
The script performs the following tasks:
- Extract the archive using the 7zip executable with the password mentioned in the script.
- After extraction, delete the downloaded archive file (loglist.rtf).
- Disable Windows Error Reporting and App Compatibility.
- Add the remote control client executable to the firewall’s allowed program list.
- Run remote control tool (client32.exe).
- Add Run registry entry with the name “ManifestStore” or downloads shortcut file to Startup folder.
- Hide the files using attributes.
- Delete all the artifacts (7zip executable, script, archive file).
Note: While analyzing the script, we found some typos in the script (Figure 9). Yes, malware authors make mistakes too. This script might be in beta phase. In the later version of script, the author has removed these typos.
Figure 9: Registry Entry Bloopers
As mentioned, the script contains code to remove the artifacts used in the attack from the victim’s system. While monitoring the server, we also observed some change in the script related to this code, as shown in Figure 10.
Figure 10: Artifact Cleaning Commands
The highlighted command in one of the variants indicates that it might drop or use this file in the attack. The file could be a decoy document.
During our analysis, we observed two variants of this attack with different persistence mechanisms.
In the first variant, the malware author uses a RUN registry entry to remain persistent in the system.
In the second variant, the malware author uses the shortcut file (named desktop.ini.lnk), which is hosted on the server. It downloads the shortcut file and places it into the Startup folder, as shown in Figure 11.
Figure 11: Downloading Shortcut File
The target command for the shortcut file points to the remote application “client32.exe,” which was dropped in %AppData%, to start the application on startup.
Although the file extension is .rtf, the file is actually a 7zipped archive. This archive file is password-protected and contains the NetSupport Manager RAT. The script upd.cmd contains the password to extract the archive.
The major features provided by the NetSupport tool include:
- Remote desktop
- File transfer
- Remote inventory and system information
- Launching applications in client’s machine
This file contains a list of IP addresses, which could be compromised systems. It has IPs along with User-agent. The IP addresses in the file belong to various regions, mostly the U.S., Germany, and the Netherlands.
RATs are widely used for legitimate purposes, often by system administrators. However, since they are legitimate applications and readily available, malware authors can easily abuse them and sometimes can avoid user suspicion as well.
The FireEye HX Endpoint platform successfully detects this attack at the initial phase of the attack cycle.
Thanks to my colleagues Dileep Kumar Jallepalli, Rakesh Sharma and Kimberly Goody for their help in the analysis.
Indicators of Compromise
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run : ManifestStore
Firewall program entry allowing the following application
Running process named “client32.exe” from the path “%AppData%\ManifestStore\client32.exe”