Activity Targeting Crypto Asset Exchangers for Parallax RAT Infection – JPCERT/CC Eyes

JPCERT/CC documented an attack around February 2023 that targeted a crypto asset exchanger with Parallax RAT delivered via spam emails directing victims to a Google Drive link. The operation used OneNote files with embedded VBS, a PowerShell payload, Windows security bypass tactics, startup persistence, and C2 communication, with additional related samples and tools noted in appendices. #ParallaxRAT #JPCERTCC

Keypoints

  • The attack starts with a spam email urging the user to download a file from a Google Drive link, leading to a ZIP archive containing a OneNote file with embedded VBS files.
  • The embedded VBS files are obfuscated; decoding reveals a PowerShell script that is eventually executed.
  • The PowerShell payload downloads multiple files, including a decoy PDF and angle.exe (Parallax RAT); dx.txt contains the script that is run next.
  • dx.txt configures Windows Defender exclusions and stops UAC to facilitate execution and persistence.
  • Parallax RAT sets up automatic execution at device startup, injects into a legitimate Windows process, and performs keylogging and clipboard data theft.
  • The malware communicates with a C2 server at 144.202.9.245:80, and other related samples/tools were found on the server (e.g., NetSupport Manager, GuLoader, IRC bot).
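A detection sketch for the dx.txt behaviours and the startup persistence described above, added here as an example (not code from the JPCERT/CC post). It runs a few rules over constructed log events; the Add-MpPreference and EnableLUA commands are assumed concrete forms of "Defender exclusions" and "stops UAC", since the post does not quote the exact commands, and the excluded folder path is made up.

```python
"""Flag the dx.txt-style and startup-folder behaviours in log events.

Added example, not from the JPCERT/CC post. Add-MpPreference / EnableLUA
are ASSUMED implementations of the exclusion and UAC changes; the
excluded folder is a constructed path.
"""
import re

# Constructed sample events (event_type, detail); not from the original post.
SAMPLE_EVENTS = [
    ("ScriptBlock", 'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming\\dx"'),
    ("ScriptBlock", "Set-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
                    "\\Policies\\System -Name EnableLUA -Value 0"),
    ("FileCreate", "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows"
                   "\\Start Menu\\Programs\\Startup\\Milk.exe"),
    ("ScriptBlock", "Get-ChildItem C:\\Users\\user\\Documents"),  # benign, should not fire
    ("NetConnect", "dst=144.202.9.245 dport=80"),                  # C2 named in the post
]

# (rule name, ATT&CK technique as mapped on this page, pattern over the detail field)
RULES = [
    ("defender_exclusion", "T1562.001",
     re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b", re.I)),
    ("uac_disabled", "T1562.001", re.compile(r"\bEnableLUA\b.*\b0\b", re.I)),
    ("startup_folder_drop", "T1547.001",
     re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(exe|vbs|hta|lnk)$", re.I)),
    ("known_c2", "T1071.001", re.compile(r"dst=144\.202\.9\.245\b.*\bdport=80\b")),
]


def detect(events):
    """Return one hit dict per (event, matching rule) pair."""
    hits = []
    for kind, detail in events:
        for name, technique, pattern in RULES:
            if pattern.search(detail):
                hits.append({"rule": name, "technique": technique,
                             "event": kind, "detail": detail})
    return hits


def summarize(hits):
    """Count hits per technique; several techniques in one session is the chain the post describes."""
    counts = {}
    for hit in hits:
        counts[hit["technique"]] = counts.get(hit["technique"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[{hit['technique']}] {hit['rule']}: {hit['detail']}")
```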

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Link – The initial access vector is a spam email carrying a Google Drive link. “The identified attack starts with a spam email, which urges the user to download a file from a Google Drive link on it.”
  • [T1027.002] Obfuscated/Encrypted Files and Information – The embedded VBS files are obfuscated and must be decoded several times to recover the PowerShell script. “The embedded VBS files are obfuscated. By decoding one of them multiple times, the PowerShell script in Figure 3, which will eventually be executed in the attack, can be retrieved.”
  • [T1059.001] Command and Scripting Interpreter: PowerShell – The dx.txt file contains the PowerShell script shown in Figure 4; it is used in the execution flow. “The dx.txt file contains the PowerShell script as shown in Figure 4. It stops UAC and sets the folders where the script is saved to be excluded from inspections by Windows Defender.”
  • [T1562.001] Impair Defenses: Disable or Modify Security Tools – The dx.txt content stops UAC and configures Windows Defender exclusions. “It stops UAC and sets the folders where the script is saved to be excluded from inspections by Windows Defender.”
  • [T1547.001] Boot or Logon Autostart: Startup Folder – Parallax RAT creates automatic execution at startup via Milk.exe in the Startup folder. “Create the same file below for automatic execution at device startup %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Milk.exe”
  • [T1055] Process Injection – The malware injects malicious code into a legitimate process. “Inject malicious code into the above process.”
  • [T1056.001] Keylogging – Parallax RAT includes keylogging functionality. “Below is a part of the code for the keylogging and stealing clipboard information function.”
  • [T1115] Clipboard Data – The malware steals clipboard information as part of its data collection. “function to steal clipboard information”
  • [T1071.001] Web Protocols – The malware communicates with a C2 server over a web protocol. “Communicate with the below C2 144.202.9.245:80”

Indicators of Compromise

  • [IP Address] – 144.202.9.245:80, 171.22.30.220, and other related IPs in the appendices
  • [Domain] – Dcejartints16.com and Dcejartints17.com (and associated ports), drive.google.com
  • [URL] – http://171.22.30.220/3/Latest.pdf, http://171.22.30.220/2/dx.txt, and additional sample URLs in Appendix A
  • [File Hash] – c4ab129da3f8d2d101456bdac19d0b9e8a015a87a4117cb88a606b64b36c0e9a, e5f5c900477a46f5db36ce3bfb67481386fb8576bf9da501a3f380bb6bda5f8f (and 2 more hashes listed in Appendix B)
  • [File Name] – Latest.pdf, angle.exe, Milk.exe, dx.txt, NtG.hta

Read more: https://blogs.jpcert.or.jp/en/2023/04/parallax-rat.html