Troublesome Quartet: XWorm, AsyncRAT, VenomRAT, and PureLogs Stealer

eSentire’s Threat Response Unit (TRU) detected a July 2024 government-sector infection involving XWorm, VenomRAT, PureLogs Stealer, and AsyncRAT, delivered via a phishing email and hosted on a WebDAV server proxied through TryCloudflare. The operation used obfuscated batch files, encrypted Python payloads, and direct syscalls to evade security tools; TRU isolated the host and recommended strengthened email filtering and user training.

Key points

  • eSentire’s 24/7 SOC and Elite Threat Hunters detected a multi-malware campaign targeting a government sector customer.
  • Threat actors deployed XWorm, VenomRAT, PureLogs Stealer, and AsyncRAT via a WebDAV server hosted on TryCloudflare.
  • Initial access occurred through a phishing email containing a malicious ZIP archive with a URL shortcut (.lnk).
  • Obfuscated batch files and encrypted Python scripts were used to download and execute payloads from the WebDAV server.
  • Direct syscalls were employed to evade EDR and other security monitoring tools; Early Bird APC Queue Code Injection was used for process injection.
  • TRU isolated the affected host and recommended stronger email filtering and user education to mitigate phishing risk.
  • Indicators of Compromise (IOCs) and further technical details are available in the linked TRU report.

MITRE Techniques

  • [T1566] Phishing – Initial access vector was a phishing email containing a ZIP archive with a malicious URL shortcut.
  • [T1059] Command and Scripting Interpreter – Malicious batch files and Python scripts were executed to perform various actions.
  • [T1105] Remote File Copy – Malicious files were downloaded from a WebDAV server.
  • [T1055] Process Injection – Injected decrypted shellcode into the notepad.exe process using Early Bird APC Queue Code Injection.
  • [T1027] Obfuscated Files or Information – Batch files were obfuscated to evade detection.
  • [T1203] Exploitation for Client Execution – Exploited a vulnerability in user behavior through the execution of malicious files.
  • [T1562.001] Impair Defenses – Direct syscalls were used to evade detection by Endpoint Detection and Response (EDR) systems.

Indicators of Compromise

  • [MD5] 0d79c56f9198117a98334ead5d033974 – new.bat (downloaded/executed during infection)
  • [MD5] 1e5fa94c5be0d6f6d57c181c60622b80 – startuppppp.bat (persistence via Startup Folder)
  • [MD5] a84994e9e9de4fd82f721dbf2c8d9c58 – 2.py (example Python payload)
  • [MD5] c741fbaeeb14a9a95d6fb201e9e0bd6e – shellcode decrypted by injector
  • [URL] https://stickers-ext-payment-print.trycloudflare.com/kbsfaw.pdf – decoy PDF hosted on WebDAV
  • [URL] https://stickers-ext-payment-print.trycloudflare.com – WebDAV server base for payloads
  • [Domain] stickers-ext-payment-print.trycloudflare.com – host for PDFs and payload delivery
  • [Domain] trycloudflare.com – parent domain of the TryCloudflare (Cloudflare Tunnel) proxy that fronted the WebDAV server; the service also carries legitimate traffic, so the full hostname above is the actionable indicator
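As an added illustration (not code from the report or from eSentire), the following Python scores constructed proxy-log lines for the delivery pattern described above: a Windows WebDAV client fetching archive or script files from a *.trycloudflare.com host. The log format, the source IP addresses and the weights are assumptions; the trycloudflare.com suffix is deliberately weighted low because the service also carries legitimate traffic.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed proxy-log lines (illustrative, not from the eSentire report).
# Format: timestamp src_ip method host path "user_agent"
SAMPLE_LOGS = [
    '2024-07-10T09:12:01Z 10.0.0.14 PROPFIND stickers-ext-payment-print.trycloudflare.com /kbsfaw.pdf "Microsoft-WebDAV-MiniRedir/10.0.19041"',
    '2024-07-10T09:12:03Z 10.0.0.14 GET stickers-ext-payment-print.trycloudflare.com /new.bat "Microsoft-WebDAV-MiniRedir/10.0.19041"',
    '2024-07-10T09:15:22Z 10.0.0.31 GET example-docs.trycloudflare.com /index.html "Mozilla/5.0"',
    '2024-07-10T09:16:40Z 10.0.0.52 GET files.example.com /report.pdf "Mozilla/5.0"',
    'malformed line',
]

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
# Extensions seen in this campaign's chain: ZIP -> .lnk shortcut -> batch -> Python.
PAYLOAD_EXT = (".zip", ".lnk", ".bat", ".py")
ALERT_THRESHOLD = 3  # assumed tuning value


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into named fields; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return dict(zip(("ts", "src", "method", "host", "path", "ua"), m.groups()))


def score_request(rec: Dict[str, str]) -> Tuple[int, List[str]]:
    """Weight the three signals the report describes; higher means more suspicious."""
    score, reasons = 0, []
    host = rec["host"].lower()
    # Quick-tunnel host alone is weak evidence: legitimate services use it too.
    if host == "trycloudflare.com" or host.endswith(".trycloudflare.com"):
        score += 1; reasons.append("trycloudflare quick-tunnel host")
    # The Windows WebDAV redirector talking to an Internet host is the key pattern.
    if rec["method"].upper() == "PROPFIND" or rec["ua"].startswith("Microsoft-WebDAV-MiniRedir"):
        score += 2; reasons.append("WebDAV client access")
    if rec["path"].lower().endswith(PAYLOAD_EXT):
        score += 2; reasons.append("payload-type file extension")
    return score, reasons


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Return one alert per line whose score reaches ALERT_THRESHOLD."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than crash the pipeline
        score, reasons = score_request(rec)
        if score >= ALERT_THRESHOLD:
            alerts.append({"src": rec["src"], "host": rec["host"], "path": rec["path"],
                           "score": score, "reasons": reasons})
    return alerts
```

Running `detect(SAMPLE_LOGS)` flags only the two WebDAV requests from 10.0.0.14; the ordinary browser visit to a different quick-tunnel host stays below the threshold.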

Read more: https://www.esentire.com/blog/quartet-of-trouble-xworm-asyncrat-venomrat-and-purelogs-stealer-leverage-trycloudflare