Rare Earth Material Lure Delivering Shellcode Loader

MITRE Techniques

• [T1204 ] User Execution – The campaign relies on tricking the victim into running SecurityKey.exe to retrieve the PDF password (‘…the victim tries to open the PDF, and, when prompted for a password, they are led to running the executable to get the key to unprotect it.’)
• [T1105 ] Ingress Tool Transfer – The shellcode downloads additional shellcode/payload from a remote host using wininet functions (‘…use wininet.dll functions to download additional shellcode from the www.global-reia[.]com/image-directory/da.mp3.’)
• [T1055 ] Process Injection (Local code execution) – The loader allocates PAGE_EXECUTE_READWRITE memory, copies embedded shellcode into it and executes by dereferencing a function pointer (‘…allocates memory with PAGE_EXECUTE_READWRITE permissions…shellcode embedded in the .rdata section…is then copied to the newly allocated buffer and is executed by dereferencing a function pointer to it.’)
• [T1027 ] Obfuscated Files or Information – The malware resolves APIs by hashing with a modified FNV-1a algorithm to hide API names and behavior (‘…API hashing algorithm used by this shellcode seems to be a modified version of the Fowler–Noll–Vo (FNV) algorithm…Modified offset…Modified prime…’)
• [T1106 ] Native API (or Use of Native APIs for stealthy execution) – The shellcode walks the PEB and uses low-level native approaches to locate module bases and resolve functions (‘…walks the Process Environment Block (PEB) to get the base address of ntdll.dll:Once the base address of ntdll.dll is located, it is used to retrieve additional functions using API hashing.’)
• [T1053 ] Scheduled Execution (Fibers as manual scheduling) – The final stage uses fibers and SwitchToFiber to schedule and execute shellcode within the process context (‘…created a fiber and switching to it via the SwitchToFiber API. A fiber is a unit of execution that must be manually scheduled by the application…’)