Rapid7 details how the Fake Browser Update lure delivers a new IDAT loader that executes the Stealc, Lumma and Amadey infostealers on compromised machines. The loader uses evasion techniques such as Process Doppelgänging, DLL Search Order Hijacking and Heaven's Gate, and stores its payloads inside PNG IDAT chunks.
Key points
- A fake browser update lure leads users to download and run malicious binaries, which starts the attack flow.
- A new IDAT loader drops and executes the Stealc, Lumma and Amadey infostealers as well as SecTop RAT variants.
- The stages progress from ClearFake through an MSI downloader, a decryptor, the IDAT injector and the IDAT loader, with evasion steps at several points.
- VMwareHostOpen.exe side-loads vmtools.dll via DLL Search Order Hijacking to decrypt and load the payloads (vmo.log, pz.log).
- Heaven's Gate and Process Doppelgänging are used to bypass defenses and inject into legitimate processes such as explorer.exe.
- The IOCs cover the specific MSI and dropped files, DLLs, the log-named payload files, and numerous C2/download domains and IPs.
MITRE Techniques
- [T1189] Drive-by Compromise – ClearFake uses a drive-by compromise to target the user's web browser.
- [T1218.007] System Binary Proxy Execution: Msiexec – The ChromeSetup.exe downloader (C9094685AE4851FD5A5B886B73C7B07EFD9B47EA0BDAE3F823D035CF1B3B9E48) downloads and executes an .msi file.
- [T1204.002] User Execution: Malicious File – Update.msi drops and executes VMWareHostOpen.exe.
- [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking – VMWareHostOpen.exe loads a malicious vmtools.dll (931D78C7…).
- [T1140] Deobfuscate/Decode Files or Information – vmtools.dll decrypts vmo.log (51CEE2DE0E…).
- [T1036] Masquerading – vmo.log is masqueraded as a .png file.
- [T1106] Native API – The IDAT injector and IDAT loader use the Heaven's Gate technique to evade detection.
- [T1055] Process Injection – The IDAT injector uses NtCreateSection + NtMapViewOfSection code injection to inject into the cmd.exe process.
- [T1055.013] Process Injection: Process Doppelgänging – The IDAT loader uses Process Doppelgänging to load the infostealer.
- [T1497.003] Virtualization/Sandbox Evasion: Time Based Evasion – Several stages throughout the attack flow perform execution delays.
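The two file-level tricks above, payloads parked inside PNG IDAT chunks and vmo.log masquerading as a .png, can be triaged statically: in a genuine PNG the IDAT chunks concatenate into exactly one zlib stream that decodes to the pixel size implied by IHDR, and nothing follows IEND. The Python below is an added example, not Rapid7's code or any tool from the report; make_chunk, build_png and triage_png are assumed names, and the sample images are constructed inside the block.

```python
import zlib

SIGNATURE = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # PNG colour type -> samples per pixel

def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one chunk: big-endian length, type, body, CRC32 over type + body."""
    return len(body).to_bytes(4, "big") + ctype + body + zlib.crc32(ctype + body).to_bytes(4, "big")

def build_png(width: int, height: int, stuffed: bytes = b"") -> bytes:
    # Constructed 8-bit greyscale sample; 'stuffed' rides along as an extra IDAT chunk.
    ihdr = width.to_bytes(4, "big") + height.to_bytes(4, "big") + bytes([8, 0, 0, 0, 0])
    raw = b"".join(b"\x00" + bytes(width) for _ in range(height))  # filter byte + pixels
    extra = make_chunk(b"IDAT", stuffed) if stuffed else b""
    return (SIGNATURE + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", zlib.compress(raw))
            + extra + make_chunk(b"IEND", b""))

def triage_png(data: bytes) -> dict:
    """Walk chunks, verify CRCs, and check that IDAT decodes to exactly one image."""
    if not data.startswith(SIGNATURE):
        return {"chunks": [], "findings": ["missing PNG signature"]}
    chunks, findings, idat, expected_raw, pos = [], [], b"", None, len(SIGNATURE)
    while pos + 12 <= len(data) and (not chunks or chunks[-1][0] != "IEND"):
        length, ctype = int.from_bytes(data[pos:pos + 4], "big"), data[pos + 4:pos + 8]
        name, body = ctype.decode("latin-1"), data[pos + 8:pos + 8 + length]
        if len(body) < length:
            findings.append(f"truncated {name} chunk at offset {pos}")
            break
        chunks.append((name, length))
        if data[pos + 8 + length:pos + 12 + length] != zlib.crc32(ctype + body).to_bytes(4, "big"):
            findings.append(f"CRC mismatch in {name} chunk at offset {pos}")
        if name == "IHDR":
            w, h = int.from_bytes(body[:4], "big"), int.from_bytes(body[4:8], "big")
            expected_raw = h * (1 + (w * CHANNELS.get(body[9], 1) * body[8] + 7) // 8)  # rows * (filter + bytes)
        elif name == "IDAT":
            idat += body
        pos += 12 + length
    if pos < len(data):
        findings.append(f"{len(data) - pos} bytes after IEND")
    dec = zlib.decompressobj()
    try:
        raw = dec.decompress(idat)
        if dec.unused_data:  # bytes left over once the image stream has ended
            findings.append(f"{len(dec.unused_data)} IDAT bytes past the end of the zlib stream")
        if expected_raw is not None and len(raw) != expected_raw:
            findings.append(f"decoded IDAT is {len(raw)} bytes, image needs {expected_raw}")
    except zlib.error:
        findings.append("IDAT is not a valid zlib stream")
    return {"chunks": chunks, "findings": findings}
```

An empty findings list means the file behaves like an image; any finding is a reason to pull the file for a closer look, not proof of the IDAT loader by itself.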
Indicators of Compromise
- [File] – InstaIIer.exe, ChromeSetup.exe, MlcrоsоftЕdgеSеtuр.exe, update.msi, DirectX12AdvancedSupport.msi, python311.dll, vmtools.dll, MpClient.dll, Virginium.flac, pz.log, vmo.log
- [Hash] – InstaIIer.exe: A0319E612DE3B7E6FBB4B71AA7398266791E50DA0AE373C5870C3DCAA51ABCCF, ChromeSetup.exe: C9094685AE4851FD5A5B886B73C7B07EFD9B47EA0BDAE3F823D035CF1B3B9E48
- [Domain] – ocmtancmi2c5t.xyz, lazagrc3cnk.xyz, omdowqind.site, weomfewnfnu.site, winextrabonus.life, bgobgogimrihehmxerreg.site, pshkjg.db.files.1drv.com, hello-world-broken-dust-1f1c.brewasigfi1978.workers.dev
- [IP] – 94.228.169.55
- [URL] – ocmtancmi2c5t.xyz/downloads/update.msi, ooomdowqind.site/C2
- [Other] – C2 servers and related domains such as gapi-node.io and gstatic-node.io