{"id":19046,"date":"2022-05-16T02:10:09","date_gmt":"2022-05-16T10:10:09","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/05\/16\/news-12779\/"},"modified":"2022-05-16T02:10:09","modified_gmt":"2022-05-16T10:10:09","slug":"news-12779","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/05\/16\/news-12779\/","title":{"rendered":"Custom PowerShell RAT targets Germans seeking information about the Ukraine crisis"},"content":{"rendered":"

Credit to Author: Threat Intelligence Team| Date: Mon, 16 May 2022 10:00:00 +0000<\/strong><\/p>\n

This blog post was authored by Hossein Jazi and J\u00e9r\u00f4me Segura<\/em><\/p>\n

Populations around the world\u2014and in Europe in particular\u2014are following the crisis in Ukraine very closely, and with events unfolding on a daily basis, people are hungry for information.<\/p>\n

Although all countries have reasons to be concerned, the situation is Germany is more complicated than most. It is one of the few European countries to have received criticism for its attitude to the Ukraine-Russia conflict, as it struggles to end its reliance on Russian energy<\/a>, and Moscow recently imposed sanctions on Gazprom Germania, further increasing economic tensions.<\/p>\n

This week our analysts discovered a new campaign that plays on these concerns by trying to lure Germans with a promise of updates on the current threat situation in Ukraine. The downloaded document is in fact decoy for a Remote Access Trojan (RAT) capable of stealing data and executing other malicious commands on a victim’s computer.<\/p>\n

Decoy site lures victims with Ukraine situation<\/h2>\n

Threat actors registered an expired German domain name at collaboration-bw[.]de that was formally used as a collaboration platform to develop new ideas for the Baden-W\u00fcrttemberg state.<\/p>\n

\n
\"\"<\/a>
Threat actors registered an expired domain associated with Baden-W\u00fcrttemberg<\/figcaption><\/figure>\n<\/div>\n

The threat actors used the domain to host a website that looked like the official Baden-W\u00fcrttemberg website, baden-wuerttemberg.de.<\/p>\n

\n
\"\"<\/a>
A comparison of the real baden-wuerttemberg.de (top) and the malicious fake (bottom)<\/figcaption><\/figure>\n<\/div>\n

With this copycat, the attackers created the perfect placeholder for the lure they wanted their victims to download: A file tantalising called 2022-Q2-Bedrohungslage-Ukraine<\/code> (threat situation in Ukraine for Q2), offered via a prominent blue download button.<\/p>\n

\n
\"\"<\/a>
The website promises important information and tips about the Ukraine crisis<\/figcaption><\/figure>\n<\/div>\n

An English translation of the page reads:<\/p>\n

Important, current threat situation regarding the Ukraine crisis<\/strong>  On this website you will always find the most important information and tips for dealing with the current threat posed by the Ukraine crisis. Please download the document now and read through the current information. The document is constantly updated and is up to date. Our suggested tips can be practically implemented in everyday work and you should already implement them today. Thanks for your support.<\/pre>\n
File analysis<\/h2>\n
The archive file called 2022-Q2-Bedrohungslage-Ukraine<\/code> contains a file named 2022-Q2-Bedrohungslage-Ukraine.chm<\/code>. The CHM format is Microsoft’s HTML help file format, which consists of a number of compiled HTML files.<\/p>\n
\n
\"\"<\/a>
The CHM file displays a fake error message<\/figcaption><\/figure>\n<\/div>\n
Victims will get a fake error message when they open up that file, while PowerShell quietly runs a Base64 command.<\/p>\n
\n
\"\"<\/a>
PowerShell executes a Base64-encoded command<\/figcaption><\/figure>\n<\/div>\n
After de-obfuscating the command we can see it is designed to execute a script downloaded from the fake Baden-W\u00fcrttemberg website, using Invoke-Expression (IEX).<\/p>\n
\n
\"\"<\/a>
The PowerShell code fetches and executes a malicious script<\/figcaption><\/figure>\n<\/div>\n
\n
\"\"<\/a>
The malicious script downloaded from the fake Baden-W\u00fcrttemberg website<\/figcaption><\/figure>\n<\/div>\n
The downloaded script creates a folder called SecuriyHealthService<\/code> in the current user directory and drops two files into it: MonitorHealth.cmd<\/code> and a script called Status.txt<\/code>. The .cmd<\/code> file is very simple and just executes Status.txt<\/code> through PowerShell.<\/p>\n
Finally, the downloaded script makes MonitorHealth.cmd<\/code> persistent by creating a scheduled task that will execute it each day at a specific time. <\/p>\n
PowerShell RAT (Status.txt)<\/h2>\n
Status.txt<\/code> is a RAT written in PowerShell. It starts its activities by collecting some information about the victim’s computer, such as the current username and working directory, and the computer’s hostname. It also builds a unique id for the victim, the clientid<\/code>.<\/p>\n
This data is exfiltrated as a JSON data structure sent to the server via a POST request:<\/p>\n
\n
 $json = '{   "type": "newclient",   "result": "",   "pwd": "' + $pwd_b64 + '",   "cuser": "' + $cuser + '",   "hostname": "' + $hname + '",   "clientid": "' + $clientid + '" }';  $headers = @{'X-Request-ID' = $strhash;} <\/pre>\n<\/div>\n
However, before executing this requests the script will first bypass the Windows Antimalware Scan Interface (AMSI<\/a>) using an AES-encrypted function called bypass<\/code>. It is decrypted using a generated key and IV before execution.<\/p>\n
\n
\"\"<\/a>
The bypass function that contains the encrypted script to bypass AMSI.<\/figcaption><\/figure>\n<\/div>\n
\n
\"\"<\/a>
The content of the AMSI bypass script after decryption<\/figcaption><\/figure>\n<\/div>\n
This RAT has the following capabilities: <\/p>\n