Secplicity Blog

Cybersecurity Headlines & Trends Explained

Yet Another TA558 Campaign Targets South America’s Hospitality Industry With AsyncRAT

Introduction

This research began with finding a simple malware sample to extract strings for an unrelated topic. In my day-to-day malware analysis workflow, I stumbled upon a JavaScript (JS) file with what I would call trivial obfuscation. I knew it was malware but wanted to understand the infection chain. After some cleanup, I understood it to be a downloader of an additional malicious script. This time, a PowerShell script obscured to look like a PDF hosted on what appeared to be a compromised or hijacked domain. This PDF dropped two files, one being a helper DLL and the other being AsyncRAT. After researching the C2 domains from the threat actor, I stumbled upon several articles from Proofpoint, ASEC, and others (referenced below), displaying strikingly similar behaviors and obfuscation techniques. These analogous campaigns also shared the same C2s and hijacked domains serving the droppers I found. Proofpoint attributed these campaigns to TA558, and I’m confident the analysis discussed in this post is yet another campaign from this threat actor targeting the South American hospitality industry, specifically hotels.

This post will show my research on the infection chain, from the initial JavaScript downloader to the dropper, which I call the ‘kimkarden’ dropper. I’ll show how the dropper operates and then show you some IoCs I found. I didn’t analyze the AsyncRAT sample much because it is, unfortunately, still publicly available on GitHub.

Tools Used

  • dnSpy
  • de4dot
  • Notepad++
  • PowerShell ISE
  • VirusTotal
  • WatchGuard Orion

Analysis

(Usually) The first thing I do before analyzing a sample is get its telemetry in WatchGuard Orion: the who, what, when, where, why, and how.

  • Who – Who’s machine, organization, and location did the sample arrive?
  • What – What is the sample (PE, ELF, JS, PS1, AU3, etc.)?
  • When – When did the sample first arrive on the machine and on any other machines?
  • Where – Where within the operating system is the sample stored and performed actions?
  • Why – This is better phrased as: What is the perceived purpose of this sample?
  • How – How did the sample get onto the machine?

Initial Infection Vector

The “Who” I can’t say for obvious reasons, but we can begin with the “How.” How this sample got onto the machines is via what is almost certainly a phishing email. Unfortunately, I don’t have a copy of an email from this campaign, but my educated guess is that the email contained a hyperlink that downloaded a ZIP from an S3 bucket. Here is the extraction information using 7-Zip.

What’s interesting is that the URL hosting the ZIP file ends with a query to Google. This is likely to redirect users to google after downloading the file, making it appear that nothing happened. It’s also to trick network filters that filter out URLs with trusted domains. Thus, if you explicitly allow a URL containing “google.com,” it would miss this.

Initially, I called this the “Magazord” campaign because of the S3 bucket name, but there is an IT company in Brazil with the same name. It’s possible this bucket was compromised to host the sample, or it could be unrelated to the company altogether. Either way, I decided to omit that name.

JavaScript Analysis

The first thing observed when opening the JS file in Notepad++ is:

This is obviously malicious JS. The first question I thought when seeing this was, “Are the Microsoft variables the same string?” Which they were. Hitting ‘ctrl+h’ brings up the “find and replace” modal in Notepad++, which allows you to easily copy the variable and replace it with nothing (“”). There were 1059 occurrences of this variable.

Here is what remains:

At this point, it’s a somewhat monotonous task of replacing the intermingled variables with the final strings. After converting all of the variables into the resulting strings and a little cleanup, the resulting script looks like this:

The resulting script does the following:

  1. Creates a new ActiveX object that invokes a popup titled “The file cannot be executed,” and the message “Files coming from the internet will have their execution blocked for your security.” This tricks the user into thinking that the file didn’t actually execute, providing a false sense of security.
  2. The second ActiveX object executes a PowerShell command that creates a task named 'MicrosoftEdgeUpdateTaskMachineCoreIE.' It uses this task to execute another PowerShell command that downloads a file from ‘detail-booking[.]com[.]br/top.pdf.’ It tries to download this file every three hours.

The next step is to download the file and inspect it.

Kimkarden Dropper

Of course, the PDF is not a PDF but yet another stage in this malware's infection chain. It’s a PowerShell script that contains two binaries, some minor obfuscation, and some algorithmic bit manipulation. At the bottom of the script is some cleanup logic after it executes. Similar to the JS file, simply open it with Notepad++, no script extraction or anything of the sort necessary.

At the bottom exists a cleanup function:

To give you an idea of the size of the binary string variables:

It’s apparent this is a dropper, which I called ‘kimkarden’ because of the function at the top of the script that does bit manipulation. My analysis for this dropper began right after the binary variables, at the $pinch variable declaration.

  • $pinch
    • Split $binaryData1 at first ‘O’(exclusive) and take the right half.
    • Split the remaining strings at ‘I’ (exclusive) and take the left half.

---Example (Click to reveal)---

010100001111!!***010O01100!010001111*000110-010101^0001100011I0100100**0101
O01100!010001111*000110-010101^0001100011l0100100**0101
O01100!010001111*000110-010101^0001100011l

  • $rPinchr
    • Reverses $pinch

---Example (Click to reveal)---

01100!010001111*000110-010101^0001100011
1100011000^101010-011000*111100010!00110

  • $pinchs
    • Takes reversed string ($rPinchr) and replaces all:
      • '*' with (18) 0's
      • '-' with (3) 1's
      • '!' with '1000000'
      • '^' with '100000'

---Example (Click to reveal)---

01100!010001111*000110-010101^0001100011
0110010000000100011110000000000000000000001101110101011000000001100011

The resulting binary is stored in a variable (byte) called $data1 and is passed as an argument for the kimkarden function.

$data2 holds the value for the $CDTMUTHALHAI binary, which is also passed as an argument to kimkarden.

So, how does the kimkarden function work? Here it is:

  • $paddedBinaryData
    • equals the binary data that is passed as an argument and pads the data to the right – the end – with seven (7) 0’s.
    • That padded data is reduced by modulo 8. Thus ensuring $paddedBinaryData is a multiple of 8 – a byte.

---Example (Click to reveal)---

010011010101101010010 (length 21)
Pad 7 to right: 0100110101011010100100000000 (length 28)
Modulo 8: 0100110101011010010010000000 (length 24, remainder 4 (discarded) [24/3 = 8]])
$paddedBinaryData = 010011010101101001001000

  • $decodeData
    • equals the padded binary data from the prior line and splits it into 8-bit chunks (1 byte).
    • For each 8-bit chunk, convert them into an integer.

---Example (Click to reveal)---

01001101 (77) 01011010 (90) 01001000 (144)

At the end, it performs ‘-band 255’, which performs a bitwise AND with 255. This has no effect because the results are already within 255.

To get the binaries, knowing how the algorithm works is unnecessary. I added a few lines of code right after $data1 is loaded into the ${I} variable. Two output file locations and WriteAllBytes() functions. This ensures the two binaries run through the kimkarden function, and then I can just write them to a file. I also commented out the Invoke() functions (you can also just comment out the ${E} call at the end). $data1 is the DLL helper file, and the other payload, denoted by $CDTMUTHALHAI, is the AsyncRAT client.

As for the rest of the script, it’s all contained within the ${E} variable. Here is what each line does:

  • ${T} – Combines the characters ‘A,’ ‘.,’ and ‘B’ (A.B).
  • ${M} – equals the character ‘C’ (C).
  • ${Y} – ‘Binary.GetType(A.B)’
  • ${N} – ‘Binary.GetType(A.B).GetMethod(C)’
  • ${F} – ‘C:\Windows\Microsoft.NET\Framework’
  • ${V4}  – ‘C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe’
  • ${V2}  – ‘C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe’
  • ${V3}  – ‘C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe’
  • ${A} – Empty object
  • ${NARR} –  ${A} (object)

The six Invoke() functions use a method named ‘C’ from $data2 (the DLL helper) to execute ${V4}, ${V2}, and ${V3}. The ‘A.B’ is the namespace object and class, respectively (A: namespace object; B: class; C: method). These variables use Microsoft.NET’s Regsvcs.exe to register the dropped payload (AsyncRAT) as a COM component. Then, it uses Msbuild.exe to build the dropped binary. I wasn’t too interested in this as I already had the dropped payloads.

Final Payloads

Here are the final payloads viewed in DiE:

DnSpy allows you to view the source code of .NET samples. Here is what the C function in the DLL helper looks like in dnSpy:

It’s obviously obfuscated. Another tool, de4dot, allows for the unveiling of the most commonly used .NET code obfuscation mechanisms. This is one such case. The C method is pretty simple. It loops up to five times and has a conditional with smethod2 that takes two arguments: path and data. If you remember, the paths being passed to this function are the Regsvcs.exe and Msbuild.exe commands. Looking at the function shows that it does a bunch of stuff that, at the end of the day, allows the execution of the AsyncRAT client.

Then, I took a quick glance at the AsyncRAT client to see if I could find it interesting. It was mostly the usual AsyncRAT code. However, I did notice that many of the delegates were in Chinese. I’m not sure what to think of this other than TA558 using this to obscure their origin or if they are truly Chinese (unlikely). I vividly remember researching the Yanluowang ransomware, and the threat actors were attributed to Russian threat actors that impersonated a Chinese threat actor. So, anything is possible, but I’m left with only theories.

Here are the C2s extracted from the sample:

Here is the config information:

Ports  1018,2019,2020,2021,2900,3312,3313,5155,5505,6606,6666,7707,8808,9441,9442,9443,9999
Hosts  cdt2023[.]ddns[.]net, cepas2023[.]duckdns[.]org, chromedata[.]accesscam[.]org, chromedata[.]webdirect[.]org
Version  AWS | 3Losh
Mutex  AsyncMutex_6SI8OkPnk
Autorun  FALSE
Group  FALSE

At the end of the analysis, the resulting files were:

Here is the infection chain I quickly sketched up in Draw.io:

Extra Research

After analyzing this malware campaign, I looked into the C2 domains and the domains hosting the droppers. To be frank, I googled the domains to see if there were any other analyses from other researchers. I also looked through the ‘Relations’ tab in VirusTotal to see if I could find any other files communicating with these domains. One of the relations was an HTML file located on the same domain the Kimkarden dropper was on. This contained a script that downloaded a PDF from a different domain, a legitimate domain of a hotel in Chile.

(A better view of said script)

Kimkarden-Hex

I went ahead and downloaded this PDF and opened it to find a very similar PowerShell script. It was almost a mirror of the Kimkarden dropper, but it used a Hex-to-binary algorithm instead of bytes-to-binary. I referred to this as ‘Kimkarden-Hex.’

HTML Downloaders

Curiously, I went back to the ‘detail-booking’ site and put “cdt.pdf” to see if a file existed there, and alas (after downloading):

This “PDF” contained three new HTML files, one from an additional unknown domain: ‘skynetx[.]com[.]br.’ I thought this was going to be another dropper, but instead, each HTML file began with a ‘Start-Process’ invocation. So, what’s in those HTML files?

The first two HTML files were exact replicas that downloaded the Kimkarden-Hex dropper. The third, ‘tarefab.html,’ called a JavaScript file (location.js) from a Chrome extension. I came to find out that this was the Urban VPN extension, and it was using its location service to figure out the location of the victim machine.

Kimkarden-Base64

I found another dropper that communicated with the C2s on VirusTotal – ‘cpa.pdf.’ The first two strings contain the hex characters “4D, 5D, and 90,” indicating these were portable executables (PEs). This dropped another AsyncRAT client. I tracked this as ‘Kimkarden-Byte64.’

Final Thoughts

After performing my own research and then looking at others’ research from TA558, I’m very confident this is the same threat actor. Metabase Q attributes this threat actor to Brazil and has been active since 2018, which coincides with other research from the same group. I can’t attest to their location in Brazil, but it seems likely they speak Spanish or Portuguese as a first language. So, Brazil wouldn’t be a bad guess. The Chinese-lettered delegates in the AsyncRAT client made me think twice, however.

They have a history of hijacking domains and using trusted CDNs to distribute loaders and droppers, and phishing email seems to be their favorite attack vector, which is no surprise. It may even be their only avenue of breaching users. Their history also indicates prior use of a myriad of different RATs, but it seems that, as of recently, AsyncRAT has been favored.

Their methods to obfuscate their downloaders and droppers are nothing revolutionary and isn’t novel. They use file manipulation that bypasses basic filters, but once they execute, they tend to be “loud.” Their use of ‘google.com’ queries in the stage 1 download, leveraging compromised domains, and masking PDFs as droppers are attempts to keep the noise down.

The most effective way to prevent attacks like this is to quit opening unsolicited email attachments from external entities unless you are absolutely certain of the sender and its contents.

IoCs

Files

File Name Hashes (SHA256)
127.0.0.1.html 13273ce139101b0e478297166a819c098ffc9ddb3b290a4b19ac421996410766
2.4.dll d03126f20a7d9f936b41692610e59a79988ca8fdfea45bbd95e93bb4d4bab830
AsyncClient.exe 2d8e15b4181df056adf6dd9401aa9aa140b36ce107b9e1c2fdeeda9a550311e3
booking.htm 13273ce139101b0e478297166a819c098ffc9ddb3b290a4b19ac421996410766
booking.pdf 5e0c3e1af7e806e0021ad183546cd9adba7b79893244da648bc483640fc4d62b
cdt.html 13273ce139101b0e478297166a819c098ffc9ddb3b290a4b19ac421996410766
cdt.pdf 0ec16a3ebae4418b91fced40029d999f9cb688eb7a0a6c0218c523f72a06d513
cdt.pdf bfdbec83e38d5b72b5fa9c8f04188474f0c3095d17e192691ef5e3f434c03061
cdt.pdf f67987f3d6a2bab421ee57a608abf190ee1c5ff4e890d39bdf5ad4ad25ff0164
cpa.pdf fd9622ed633c5af6db87d7609cc96a9384f7bd1a9f04c3eca5f4eb7a32783411
RoomingList Equipo Miguel y Chino Joseph Santiago js.js a7d66996766f77003618bcd786611e68d19e41a4777a7854b5936fcc02e9f349
tarefab.html 2e8ecbdcf19f4b44e1aae6cfe6b6a0b4292c0582ce6939cd23229f5f65090fab
top.pdf 09fb60295f58c6c0f1c3e8dce402c4334893b03bef8cc04d718f4e26a4012cfb

Domains

Domain Description
cdt2023[.]ddns[.]net C2
cepas2023[.]duckdns[.]org C2
chromedata[.]accesscam[.]org C2
chromedata[.]webdirect[.]org C2
detail-booking[.]com[.]br Hosting droppers
hotellatitud33sur[.]cl Hosting droppers
magazord-public[.]s3[.]sa-east-1[.]amazonaws[.]com Hosting phishing ZIP file
paradisoprovisor1.hospedagemdesites[.]ws Hosting droppers
skynetx[.]com[.]br Hosting downloader

URLs

URL Description
detail-booking[.]com[.]br/127.0.0.1.htm Downloads Kimkarden dropper
detail-booking[.]com[.]br/cdt.html Downloads Kimkarden dropper
detail-booking[.]com[.]br/cdt.pdf Downloads Kimkarden dropper
detail-booking[.]com[.]br/top.pdf Kimkarden
hotellatitud33sur[.]cl/booking.pdf Kimkarden
hotellatitud33sur[.]cl/cdt.pdf Kimkarden-Hex
hotellatitud33sur[.]cl/tarefab.html Multi-stage downloader
magazord-public[.]s3[.]sa-east-1[.]amazonaws[.]com/meumoveldebanheiro/resources/RoomingList%20Equipo%20Migeul%20%20Chino%20Joseph%20Santiago%20js.zip?_gl=1*1owxb08*_ga*NTk2NDU5ODA5LjE3MTYyMTU0NDQ.*_ga_4JXK3QVJ6X*MTcxNjQ3ODc3MS44LjEuMTcxNjQ3ODg4Mi4wLjAuMA..?https://www.google.com/ Phishing email ZIP file download location
skynetx[.]com[.]br/booking.htm Downloads Kimkarden dropper      

IPs (C2s)

45[.].40[.]96[.]97

Ports

1018,2019,2020,2021,2900,3312,3313,5155,5505,6606,6666,7707,8808,9441,9442,9443,9999

References

Filed under: Research