Monthly Archives: November 2022

Malware with Sandbox Evasion Techniques Observed Stealing Browser Cached Credentials

I. Targeted Entities

  • Opportunistic organizations

II. Introduction

Arechclient2 is a .NET remote access trojan (RAT) that has numerous capabilities. The RAT can profile victim systems, steal information like browser and crypto-wallet data, and launch a hidden secondary desktop to control browser sessions.

III. Cyber Florida SOC Observations

Update 12/8/2022: 
Cyber Florida identified additional content in analysis that was not previously reported. This information pertains to network connections. Within utilizing the InstallUtil.exe binary to execute code, the InstallUtil.exe process was observed reaching out to a pastebin[.]com page. This page contained the CnC IP address. Additionally, the victim IP address (observed in the UIP parameter) appears to be ascertained from the InstallUtil.exe process from hxxp://eth0[.]me (which appears to be a site that identifies the visiting host’s IP address). 

Original Post: 
Cyber Florida has observed network payload data obfuscated via Base64 encoding and sent to what appears to be a command control server. The command and control server appears to be utilizing Google cloud services (googleusercontent.com). Within the Base64 data, exfiltrated usernames and passwords were observed. Based on observations, the exfiltrated data appears to be from cached browser credentials (Google Chrome profiles, Firefox profiles, Microsoft Edge profiles, etc.) In reviewing logs and network traffic there were parameters of interest within the data payload that would aid in identifying this activity. The following payload parameters were observed the network traffic: ConnectionType, Client, SessionID, BotName, Computer, BuildID, BotOS, URLData, UIP.

Based on observing network traffic for the command control communication, there may be similarities associated to the Redline Stealer malware. See CERT Italy article. https://cert-agid.gov.it/news/scoperto-il-malware-redline-stealer-veicolato-come-lastpass/

Screenshot samples of log and network traffic have been provided in the appendix of this report.

Some of the interesting evasion tactics Cyber Florida observed were the utilization of “sleep” functions and the usage of .NET Framework’s InstallUtil.exe binary to communicate with the command and control server. The “sleep” functionality appeared to delay the usage of InstallUtil.exe. In testing, the Installutil.exe appeared to run in perpetuity regularly communicating with the command and control server. In reviewing a few of the automated sandboxes, the Installutil.exe activity was not identified. This may be due to the “sleep” activity being utilized.

Another evasion tactic appears to be attempting to modify Windows Defender settings via the second observed PowerShell instance. The cmdlet Set-MpPreference with the options –ExclusionPath ‘C:’ was employed. This command appears to create a malware scan exclusion, which would prevent Windows Defender from scanning the entire C: volume.

The following links provide examples and context of InstallUtil.exe malware usage and abuse.

https://gbhackers.com/hiding-malware-legitimate-tool/ (not directly related to observed activity)

https://www.ired.team/offensive-security/code-execution/t1118-installutil (not directly related to observed activity)

https://attack.mitre.org/techniques/T1218/004/

During initial malicious binary execution, a persistence mechanism was observed via the common HKCUSoftwareMicrosoftWindowsCurrentVersionRun location.

IV. Additional Background Information

Blackpoint Cyber discovered an ISO file that contained a malicious Windows executable that was downloaded to a victim’s computer and was not detected by an antivirus program. A malicious executable, named Setup.exe, was observed using various defense evasion techniques including obfuscation, injection, and uncommon automation tools. These tools were used to drop a RAT named Arechclient2 (Blackpoint Cyber). The size of Setup.exe is over 300 megabytes (Blackpoint Cyber).

The initial attack vector that was used to send Setup.exe to the victim is unknown. This is the execution step. When Setup.iso is double-clicked, the ISO file can be mounted like a CD and, oftentimes, the contents of the file are automatically executed (Blackpoint Cyber). Running Setup.exe will start the extraction of three files and execute multiple child processes (Blackpoint Cyber). A new folder, IXP000.TMP, is made in the victim’s AppDataLocalTemp directory and three files are created into the newly created directory: Funding.mpeg, Mali.mpeg, and Dns.mpeg (Blackpoint Cyber).

The Dns.mpeg script is heavily obfuscated. The script searches for AvastUI.exe and AVGUI.exe running on the victim’s computer. The two executables are found in the Avast antivirus product line (Blackpoint Cyber). If those two executables are not found, Dns.mpeg sets Hole.exe.pif to the name AutoIT3.exe. In the script .au3 (or d.au3) there are over 3,000 references to a function named Xspci(). This function takes a string as its first argument and a number as its second argument. The function is responsible for decoding strings (Blackpoint Cyber).

The .au3 script accomplishes three things through injection: 1. establishing persistence using a URL file in the victim’s startup folder. 2. copying the ntdll.dll file from the C:WindowsSysWOW64 folder to avoid antivirus hooks. 3. injecting the embedded payload into jsc.exe (Blackpoint Cyber). The function that is responsible for the above tasks is KXsObHGILZNaOurxqSUainCYU() which takes a pointer to the binary to be injected, a string argument, and a string argument with the path to the binary that would be executed and injected into as arguments (Blackpoint Cyber). The script establishes persistence by adding a URL file to the victim’s startup folder that will execute a Microsoft Visual Basic Script (VBS) on every login (Blackpoint Cyber).

Arechclient2 has a decompilation phase. Test.exe, a C# binary, can be loaded into tools that statically and dynamically analyze code. One such tool is DnSpy (Blackpoint Cyber). The class names in Test.exe were minimized to single and double characters to add an additional layer of confusion for reverse engineers (Blackpoint Cyber). The actual name of Test.exe is 2qbarx12tqm.exe (Blackpoint Cyber). Arechclient2 also contains a command and control (C2) phase. When Arechclient2 is executed, it connects to https[:]//pastebin.com/raw/nJqnWX3u to collect C2 information (Blackpoint Cyber). The requested file, nJqnWX3u, contains the IP address 34[.]141[.]198[.]105 as a string. It also connects to http[:]//eth0.me to get its public IP address (Blackpoint Cyber). Arechclient2 connects to its C2 server on port 15647 to receive commands. The server responds with information to control the encryption status (“On” or “Off”) in JSON format (Blackpoint Cyber). If the communications are intercepted and the encryption is set to “Off,” further communications will be in plaintext (Blackpoint Cyber).

V. MITRE ATT&CK

  • T1059.001 – Command and Scripting Interpreter: PowerShell
    Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code.
  • T1555.003 – Credentials From Web Browsers
    Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.
  • T1547.001 – Registry Run Keys / Startup Folder
    Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the “run keys” in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account’s associated permissions level.
  • T1562.001 – Impair Defenses: Disable or Modify Tools
    Adversaries may modify and/or disable security tools to avoid possible detection of their malware, tools, and activities. Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events.
  • T1218.004 – System Binary Proxy Execution: InstallUtil
    Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:WindowsMicrosoft.NETFramework vInstallUtil.exe and C:WindowsMicrosoft.NETFramework64 vInstallUtil.exe.
  • T1095 –Non-Application Layer Protocol
    Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.
  • T1132.001 –Standard Encoding
    Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.

VI. Recommendations

  • Phishing awareness training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set antivirus programs to conduct regular scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures
  • Malware monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Strong cyber hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on endpoint protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.
  • Network Monitoring
    Review network logs, payload, etc. for related IP address and associated network parameters.

VII. Indicators of Compromise (IOCs)

VIII. Additional OSINT Information

IX. Appendix

This screenshot shows the payload sent to a victim, as seen by Cyber Florida. A portion of the Base64 and UIP fields have been redacted.

 The following screenshot is similar from the log above but was acquired via network packet capture. 

X. References

Blackpoint Cyber. “Ratting out arechclient2 – Blackpoint Whitepaper.” Blackpoint Cyber. Accessed November 15, 2022. https://blackpointcyber.com/lp/ratting-out-arechclient2/?utm_campaign=ratting_out_arechclient2_whitepaper&utm_source=resource_library.  

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, Uday Bilakhiya. 

2022-12-08T11:52:31-05:00November 30, 2022|
Read More

Work Burnout – How Can We Maintain a Healthy Work-Life Balance In an Industry That’s Constantly Moving?

Work Burnout - How Can We Maintain a Healthy Work-Life Balance In an Industry That’s Constantly Moving?

Work burnout is an issue in every industry, but in the cybersecurity industry where there are constantly new problems to solve and fires to put out, it can be almost impossible to turn off your thoughts when the day is done. In this episode, Tashya and Pam discuss their experiences with work burnout and the methods they use to hold themselves accountable when working to maintain a healthy work-life balance.

We also get to hear some feedback that we’ve received about the show, including some very important feedback from one of Pam’s biggest fans (hi Pam’s mom, we hope you enjoy the show!)

2022-11-30T07:52:35-05:00November 29, 2022|
Read More

Cybersecurity Internships for USF Students

USF students: are you looking for a hands-on cybersecurity internship opportunity that will provide valuable, real-world experience at a state government agency?

We’re proud to announce that, in partnership with Florida Digital Service, we have created several internship opportunities for USF students in cybersecurity-related programs to help you build your skills while building your professional network! These positions are onsite in Tallahassee and include a stipend in addition to hourly pay to cover living expenses.

learn more and apply
2022-11-21T07:58:41-05:00November 21, 2022|
Read More

Hannah Sutor – a Senior Product Manager at GitLab with an Instagram alter ego that puts her in privacy superhero territory

Hannah Sutor - a Senior Product Manager at GitLab with an Instagram alter ego that puts her in privacy superhero territory

Hannah Sutor is the Senior Product Manager at GitLab and Digital Privacy Advocate at The Privacy Chick. Hannah joins the No Password Required team to talk about how she discovered privacy and cybersecurity in college, what she expects for the future of usernames and passwords, and her adventures while traveling in an RV with her family for a year. Bonus: she also reveals her recipe for the best pumpkin spice latte. Ernie and Jack discuss the proposed U.S. labeling program for IoT consumer devices and some potential cyber and privacy implications.

2022-11-15T09:36:09-05:00November 15, 2022|
Read More

Webinar: The Path to a Federal Cybersecurity Job

Hear what recruiters look for on a resume, learn about the variety of cybersecurity jobs available, find out how security clearances work, and get answers to all of your questions in this free, interactive webinar for students and job seekers. Special Agent Melissa Fair, Applicant Coordinator/Recruiter for the Federal Bureau of Investigation (FBI) in Tampa; Tim May, Engagement and Policy Budget Manager at the National Security Agency (NSA); and Amanda Martens, Recruiting Manager for the Cybersecurity and Infrastructure Security Agency (CISA) under the U.S. Department of Homeland Security will be joined by moderator Steve “Scuba” Gary, PhD, Associate Professor in the School of Information at the University of South Florida, to review best practices for applying for positions with the FBI, CISA, and federal government agencies in general. This event is a live webinar and cannot be recorded for security reasons, so don’t miss out!

2022-12-09T07:58:22-05:00November 14, 2022|
Read More

The Top Red Flags of a Veterans Day Scam

As Veterans Day approaches, many Americans may be searching for opportunities to give back to those who have served our country by donating to charity. Unfortunately, malicious scammers on the internet are notorious for taking advantage of the honorary day by using communication techniques similar to trusted military nonprofits to mislead prospective donors.

FightCybercrime.org recently released an article discussing the top red flags of a veteran charity scam. According to the article, “Through targeted communications, scammers use names similar to well-known charities and flood their communications with words like “hero,” “sacrifice” and “disabled” to pull on the heartstrings of compassionate Americans. Oftentimes, these fake charities will create targeted lists by searching social media for people who support the military. Other times, these scammers will imitate existing fundraisers or charities around military observances—such as Veterans Day—when the military is top of mind.” 

read the full article
2022-11-10T11:02:12-05:00November 10, 2022|
Read More

The Top Red Flags of a Veterans Day Scam

As Veterans Day approaches, many Americans may be searching for opportunities to give back to those who have served our country by donating to charity. Unfortunately, malicious scammers on the internet are notorious for taking advantage of the honorary day by using communication techniques similar to trusted military nonprofits to mislead prospective donors.

FightCybercrime.org recently released an article discussing the top red flags of a veteran charity scam. According to the article, “Through targeted communications, scammers use names similar to well-known charities and flood their communications with words like “hero,” “sacrifice” and “disabled” to pull on the heartstrings of compassionate Americans. Oftentimes, these fake charities will create targeted lists by searching social media for people who support the military. Other times, these scammers will imitate existing fundraisers or charities around military observances—such as Veterans Day—when the military is top of mind.” The top red flags of a veteran charity scam may include:

1. Receiving a thank you for a donation you don’t remember making

Fake charities will thank you for a donation that you never made in hopes that you will give “again” without questioning the legitimacy of their organization. If you receive communication that praises you for a donation you don’t remember making, proceed with caution.

2. Refusal to provide charity information

If a charity refuses to provide basic information about the organization itself or how your donation will be used, be wary. Legitimate organizations are happy to provide you with answers to all your questions before you donate. Prior to donating to any charity, we recommend doing some research. Search the charity’s name on sites like GuideStar, Charity Navigator or the BBB Wise Giving Alliance, which provide donors with free access to data, tools, and resources to make informative giving decisions.

3. Use of high-pressure tactics

Real charities appreciate donations whenever you are ready to give, so be wary of anyone who pressures you to donate right away. They are trying to get your money before you have time to do research or question their legitimacy. If someone is using high-pressure tactics to try to get you to donate, hang up or don’t respond until you’ve had time to do some investigating. We recommend running an internet search of the charity’s name followed by the word “scam” or “complaint”.

4. Requests for unusual payment method

If the charity asks you to donate using an unusual payment method like gift cards, cryptocurrency, cash or money transfer, it’s a scam. Scammers like these types of payment methods because they are untraceable. Credit cards or checks are much safer payment methods that can be tracked down if something goes wrong—and a legitimate charity will gladly accept these types of payment methods.

5. Demand for personal information

If a charity asks you to provide personal information—such as your Social Security Number or bank account number—it’s a scam. Real charities don’t need this type of information to process a donation. If you are required to provide personal information you aren’t comfortable sharing, look for another charity to donate to. To find a reputable charity, search for well-known organizations that support the cause you’re interested in.

Veterans Day is a day for honoring those who have sacrificed their lives for our freedom. Sadly, veteran charity scams look to take advantage of Americans who wish to give back. Remember, when in doubt, do your research! Reputable charities will not pressure you into making a donation without answering your questions, and they will never ask for sensitive information. If you are targeted by a scammer, report it to the Federal Trade Commission at ReportFraud.FTC.gov.

Information retrieved from FightCybercrime.org. To view the full article and learn more about Veterans Day scams, visit:
https://fightcybercrime.org/blog/how-to-spot-veteran-charity-scams/
2022-11-10T10:58:20-05:00November 9, 2022|
Read More

U.S. Cyber Command Hack the Hiring Process

Want to learn about U.S. Cyber Command civilian hiring opportunities and requirements? The U.S. Command Hack the Hiring Process webinar on November 9 aims to shape the future workforce by providing information on how to start a career in the U.S. Cyber Command.

See the flyer for more details. Once you are registered, you will receive a link via email within 48 hours of the event.

2022-11-14T15:53:08-05:00November 3, 2022|
Read More

Cyber Symposium on Integrated Deterrence

U.S. Cyber Command and the National Defense University (NDU) College of Information and Cyberspace (CIC) are co-hosting a day of academic presentations and panel discussions to consider the role of cyberspace operations in integrated deterrence during competition, crisis and conflict to create tactical, operational, and strategic effects to enable Joint Force success.  The attendees of this event will include DoD leaders, policy makers, and academic experts.

2023-01-19T12:31:23-05:00November 3, 2022|
Read More

Hosted by the University of South Florida
4202 E. Fowler Avenue, ISA7020
Tampa, FL 33620
outreach@cyberflorida.org
813-974-2604

Office meetings by appointment only

CONTACT US

PRIVACY POLICY

Copyright 2024 The Florida Center for Cybersecurity. Information on this website is made available for general educational purposes only and should not be used in lieu of obtaining competent legal advice from a licensed attorney or cybersecurity professional with sufficient expertise necessary to address your specific needs. Use of this website does not create any special or fiduciary relationship between you and the Florida Center for Cybersecurity or the University of South Florida.