Archive Sidestepping Self-Unlocking Password-Protected RAR

Trustwave SpiderLabs details a threat campaign that uses password-protected archives with nested self-extracting RARsfx to deliver malware, predominantly via Emotet botnet spam. The payloads include CoinMiner and QuasarRAT, with adversaries employing obfuscation, startup persistence, and dynamic DNS for C2. #Emotet #RARsfx #SFX #CoinMiner #QuasarRAT #DynamicDNS #TrustwaveSpiderLabs #PasswordProtectedArchive

Keypoints

  • The spam campaign increasingly uses password-protected ZIP/ISO archives, with Emotet responsible for about 96% of such spam in H1 2022.
  • Attachments masquerade as invoices and contain a nested self-extracting (SFX) archive that embeds a second RARsfx inside itself.
  • The in-archive SFX can execute commands and is designed to unpack without user interaction, sometimes nesting further archives.
  • The inner payloads are .NET executables obfuscated with ConfuserEX, specifically CoinMiner and QuasarRAT.
  • Persistence is achieved via a startup mechanism using a dropped VBScript (.vbs) and batch files that launch payloads in %AppData% after extraction.
  • C2 is reached via domain-based and dynamic DNS-based infrastructure, with CoinMiner using WMI for system discovery and Quasar RAT being a known open-source tool used by actors.
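Added example (not code from the Trustwave post): a Python triage heuristic that flags a PE carrying an embedded RAR archive, i.e. an SFX, and pulls out the WinRAR SFX script directives (Setup, Silent, Path, Overwrite) that make it unpack and run without user interaction, where they survive uncompressed in the file. The sample blob, file and folder names are constructed.

```python
import re

# RAR archive signatures (RAR 4.x and RAR 5.x); a RAR SFX is a PE stub with one appended.
RAR_SIGNATURES = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")

# WinRAR SFX script commands stored in the archive comment: Setup runs a program after
# unpacking, Silent hides the dialog, Path sets the target folder, Overwrite replaces files.
SFX_DIRECTIVE = re.compile(rb"^(Setup|Silent|Path|Overwrite|TempMode)[ \t]*=?[ \t]*(.*)$", re.M)


def analyse_sfx(data: bytes) -> dict:
    """Heuristic triage: is this a PE with an embedded RAR (an SFX), and does its script
    ask for unattended extraction plus execution? Directives are only visible when the
    comment is stored uncompressed, so an empty result is not a clean bill of health."""
    is_pe = data[:2] == b"MZ"
    offsets = [i for i in (data.find(sig) for sig in RAR_SIGNATURES) if i != -1]
    rar_offset = min(offsets) if offsets else -1
    directives: dict[str, list[str]] = {}
    if rar_offset != -1:
        for m in SFX_DIRECTIVE.finditer(data[rar_offset:]):
            key = m.group(1).decode("ascii")
            directives.setdefault(key, []).append(m.group(2).decode(errors="replace").strip())
    reasons = []
    if is_pe and rar_offset != -1:
        if "Setup" in directives:
            reasons.append("runs a program after extraction: " + ", ".join(directives["Setup"]))
        if directives.get("Silent"):
            reasons.append("suppresses the extraction dialog (Silent)")
        if any("%appdata%" in p.lower() for p in directives.get("Path", [])):
            reasons.append("extracts into %AppData%")
    return {
        "is_pe": is_pe,
        "is_sfx": is_pe and rar_offset != -1,
        "rar_offset": rar_offset,
        "directives": directives,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample, not a real binary: a fake PE stub, a RAR 4 signature and a plaintext
# SFX script of the kind this campaign relies on (launcher.bat and the folder are invented).
SAMPLE_SFX = (
    b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 32
    + RAR_SIGNATURES[0] + b"\x00" * 13
    + b"\r\nPath=%AppData%\\svc\r\nSetup=launcher.bat\r\nSilent=1\r\nOverwrite=1\r\n"
)

if __name__ == "__main__":
    verdict = analyse_sfx(SAMPLE_SFX)
    print(verdict["is_sfx"], verdict["reasons"])
```

Because the inner archive is password-protected, its own SFX script is unreadable until the outer layer has been extracted, so run the check on each unpacked layer rather than only on the attachment.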

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The email recipient is persuaded to open a password-protected archive. “The user must be persuaded to open the archive using the password enclosed in the email.”
  • [T1059.003] Windows Command Shell – The batch file is launched first and commands are executed to unpack and run components. “The batch file is launched first followed by an image or PDF file.”
  • [T1059.005] Windows Script – VBScript is dropped at startup as a persistence mechanism. “a VBS script is dropped at the startup location as a persistence mechanism.”
  • [T1547.001] Boot or Logon Autostart Execution – Persistence via startup location (startup folder) for the VBScript.
  • [T1047] Windows Management Instrumentation – CoinMiner uses WMI to gather hardware info and installed antivirus. “CoinMiner used Windows Management Instrumentation (WMI) to gather information from the system such as hardware information and antivirus software installed.”
  • [T1071.004] DNS – C2 communication uses dynamic DNS domains for access. “utilized free dynamic DNS domains for accessing its C2 server.”
  • [T1555.003] Credentials from Web Browsers – CoinMiner can read user data in web browsers and Outlook. “can read user data in web browsers and access Microsoft Outlook profiles.”
  • [T1027.005] Obfuscated/Compressed Files and Information – Payloads are .NET executables obfuscated with ConfuserEX. “All the executables in this campaign are .NET compiled and obfuscated with ConfuserEX.”

Indicators of Compromise

  • [SHA1 Hash] context – FF86161334B70BCC2A5D638AD2AB2BF3980DC457, and 3 more hashes
  • [SHA1 Hash] context – DB7A08AB199F7F341F90D05A6B09846C6D43F8CB, and 2 more hashes
  • [File/Archive Names] context – Payment.gz, Confirmacion Mensaje.zip, Confirmacion Mensaje.img, and 2 more files
  • [File/Archive Names] context – Balance_Payment.exe, Muestras.exe, and 2 more payloads
  • [Batch Files] context – jhyuonsdjhj.bat, uvjjjukvijhyujhj.bat, and 2 more
  • [Decoy Files] context – 556yu67.PNG, samples.jpeg
  • [Password-protected RARsfx] context – yrqs.sfx.exe, dtccnppbk.sfx.exe, and 1 more
  • [Payload Files] context – yrqs.exe, server1.exe, and 1 more

Read more: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/archive-sidestepping-self-unlocking-password-protected-rar/