Transforming a Complex Batch File into XWorm and Redline

The article analyzes obfuscation techniques used by the crypted.bat malware to hinder analysis, including the use of a Byte Order Mark, empty environment variables, and on-the-fly code generation. It also explains how a Python environment is deployed, persistence is achieved via a scheduled task, and payloads are downloaded and injected into processes. #crypted.bat #XWorm #RedLine #LoneNone1807 #martin

Keypoints

  • The malware sample “crypted.bat” uses obfuscation to evade detection.
  • A UTF-16 LE byte order mark at the start of the file is the first obfuscation layer: the script has to be decoded before it is readable in ordinary text tools.
  • References to undefined environment variables (%xxx%) are scattered through the commands; inside a batch file cmd.exe expands them to nothing, so they break up keywords visually without changing what runs.
  • The script dynamically generates labels and uses “goto” commands for flow control.
  • A portable Python 3.10 environment (Python310.zip) is downloaded and unpacked via a PowerShell command.
  • Persistence is achieved through a scheduled task that runs a malicious shortcut at logon.
  • The Python script downloads the encrypted XWorm and RedLine payloads from obfuscated URLs and injects them into randomly chosen processes using process hollowing.
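
The first two layers above (BOM and undefined-variable padding) can be peeled mechanically. The script below is an added example written for this summary, not code from the diary or from the sample; SAMPLE_BATCH is a constructed stand-in for crypted.bat, and the function names are mine. It decodes the file according to its BOM and then removes %name% tokens that neither the host environment nor a `set` statement in the script defines, while preserving %var:~a,b% substring syntax, `for` loop variables (%%i) and variables the script itself sets. Dynamic labels and `goto` chains (the next layer) need tracing of control flow and are out of scope here.

```python
"""Peel BOM and undefined-environment-variable padding from an obfuscated batch file."""
import codecs
import os
import re

# Constructed sample (not the real crypted.bat): UTF-16 LE BOM, then commands
# padded with %qwe%, %rty% and %uio%, which are never set and so expand to
# nothing in cmd.exe.  %p% is set by the script and must survive.
SAMPLE_BATCH = codecs.BOM_UTF16_LE + (
    "@ech%qwe%o off\r\n"
    "set p=C:\\Users\\Public\r\n"
    "po%rty%wersh%uio%ell -w hidden -c \"Expand-Archive %p%\\Python310.zip\"\r\n"
    "%qwe%goto :eof\r\n"
).encode("utf-16-le")

# %name% or %name:~0,3% / %name:a=b%; a bare %% (loop variable escape) never matches.
ENV_REF = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)(:[^%]*)?%")
# Variables the script assigns itself: set x=..., set "x=...", set /a x=...
SET_STMT = re.compile(
    r'^\s*set\s+(?:/[ap]\s+)?"?([A-Za-z_][A-Za-z0-9_]*)=', re.IGNORECASE | re.MULTILINE
)


def decode_batch(raw: bytes) -> str:
    """Strip a UTF-16/UTF-8 BOM and decode accordingly; fall back to cp1252 (assumed ANSI)."""
    if raw.startswith(codecs.BOM_UTF16_LE):
        return raw[len(codecs.BOM_UTF16_LE):].decode("utf-16-le")
    if raw.startswith(codecs.BOM_UTF16_BE):
        return raw[len(codecs.BOM_UTF16_BE):].decode("utf-16-be")
    if raw.startswith(codecs.BOM_UTF8):
        return raw[len(codecs.BOM_UTF8):].decode("utf-8")
    return raw.decode("cp1252")


def strip_undefined_vars(script: str, environment=None) -> str:
    """Drop %name% tokens defined neither in `environment` (default: os.environ)
    nor by a `set` statement in the script; cmd.exe treats them as empty."""
    source = os.environ if environment is None else environment
    defined = {name.upper() for name in source}
    defined |= {m.group(1).upper() for m in SET_STMT.finditer(script)}

    def keep_or_drop(m):
        return m.group(0) if m.group(1).upper() in defined else ""

    return ENV_REF.sub(keep_or_drop, script)


def deobfuscate(raw: bytes, environment=None) -> str:
    """Decode the file and remove the empty-variable padding in one step."""
    return strip_undefined_vars(decode_batch(raw), environment)


if __name__ == "__main__":
    # Pass an explicit (empty) environment so the result does not depend on the analyst's shell.
    print(deobfuscate(SAMPLE_BATCH, environment={}))
```

Run it against a real sample with `environment={}` first: any %name% that survives is then either defined by the script or genuinely meaningful, and anything stripped was inert padding. Passing the analyst's own os.environ would wrongly keep padding that happens to collide with a local variable name such as %TEMP%.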

MITRE Techniques

  • [T1055.012] Process Injection: Process Hollowing – Malicious code is injected into a legitimate process to execute the payload. “The Python script will use all the API calls required to perform a classic code injection using the process hollowing technique!”
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Persistence is established by creating a scheduled task that runs the malicious shortcut at logon. “Persistence will be implemented via a scheduled task:”
  • [T1027] Obfuscated Files or Information – A UTF-16 LE BOM, undefined environment variables and generated labels hide the true nature of the batch script.
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The batch script executes commands and controls the flow of the infection chain.
  • [T1105] Ingress Tool Transfer – The Python environment and the encrypted payloads are downloaded from obfuscated URLs before being injected into randomly selected processes.
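
For detection, the T1055.012 entry above is the useful one: hollowing leaves a recognisable ordered sequence of API calls from the injecting process. The block below is an added example (not code from the diary, and not a transcript of the sample's own calls): it runs a per-process sequence matcher over constructed API-call telemetry and flags a process that spawns a child suspended, unmaps its image, writes a payload and resumes it. The canonical sequence in HOLLOWING_SEQUENCE is an assumption about classic hollowing, and the event format and function names are mine.

```python
"""Flag the classic process-hollowing API sequence in per-process API-call telemetry."""
from collections import defaultdict

# Canonical hollowing chain (T1055.012), in the order it must appear for one
# injector pid.  Unrelated calls may be interleaved; the first call must carry
# CREATE_SUSPENDED, otherwise it is an ordinary process launch.
HOLLOWING_SEQUENCE = (
    "CreateProcessW",
    "NtUnmapViewOfSection",
    "VirtualAllocEx",
    "WriteProcessMemory",
    "SetThreadContext",
    "ResumeThread",
)

# Constructed telemetry: (caller pid, API name, notable flags).  pid 4242 plays
# the python.exe injector; pid 5150 is a benign launcher that spawns suspended
# and simply resumes the child.
SAMPLE_EVENTS = [
    (4242, "CreateProcessW", "CREATE_SUSPENDED"),
    (5150, "CreateProcessW", "CREATE_SUSPENDED"),
    (4242, "GetThreadContext", ""),
    (4242, "NtUnmapViewOfSection", ""),
    (5150, "ResumeThread", ""),
    (4242, "VirtualAllocEx", "PAGE_EXECUTE_READWRITE"),
    (4242, "WriteProcessMemory", ""),
    (4242, "WriteProcessMemory", ""),
    (4242, "SetThreadContext", ""),
    (4242, "ResumeThread", ""),
]


def detect_hollowing(events, sequence=HOLLOWING_SEQUENCE):
    """Return the set of caller pids whose call stream contains `sequence` as an
    ordered subsequence that starts with a suspended CreateProcess."""
    progress = defaultdict(int)  # pid -> index of the next call we expect
    flagged = set()
    for pid, api, flags in events:
        if api != sequence[progress[pid]]:
            continue  # not the next step; ignore interleaved noise
        if progress[pid] == 0 and "CREATE_SUSPENDED" not in flags:
            continue  # a normal launch does not start the chain
        progress[pid] += 1
        if progress[pid] == len(sequence):
            flagged.add(pid)
            progress[pid] = 0  # allow the same injector to be caught again
    return flagged


if __name__ == "__main__":
    print("hollowing suspected from pids:", sorted(detect_hollowing(SAMPLE_EVENTS)))
```

The matcher keys only on the caller pid, so it needs telemetry that attributes each API call to the process issuing it (ETW, a user-mode hook framework or sandbox traces). Variants that map a section into the child (NtMapViewOfSection) instead of calling VirtualAllocEx, or that skip the unmap, would need an additional sequence; the `sequence` parameter exists for that.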

Indicators of Compromise

  • [Hash] crypted.bat (SHA-256) – 453c017e02e6ce747d605081ad78bf210b3d0004a056d1f65dd1f21c9bf13a9a
  • [URL] Python310.zip – https://github.com/LoneNone1807/RedAV/raw/main/Python310.zip
  • [URL] xclient-enc – https://raw.githubusercontent.com/LoneNone1807/martin/main/xclient-enc
  • [URL] redline-enc – https://raw.githubusercontent.com/LoneNone1807/martin/main/redline-enc
  • [IP/Domain] 15.235.176.64:7000 – C2 server referenced in the XWorm configuration

Read more: https://isc.sans.edu/diary/From+Highly+Obfuscated+Batch+File+to+XWorm+and+Redline/31204/