Two executables drive the efile.com eFail operation: update.exe acts as a downloader and the PHP-based backdoor communicates with a remote C2 to fetch and run commands. The campaign uses PyInstaller-packed Python code, a PHP backdoor, and persistence via registry entries, with indicators including specific hashes, a main C2 domain, and several download URLs. #efilecom #efail #infomanewonliag.online
Keypoints
- The attack relies on two main binaries offered as alternates, update.exe (the downloader) and installer.exe, with update.exe favored for Chrome users.
- The downloader is written in Python (via PyInstaller) and fetches the next stage, which is a PHP-based backdoor.
- The PHP backdoor polls a remote server, downloads components, and executes commands issued by the attacker (not a typical webshell).
MITRE Techniques
- [T1105] Ingress Tool Transfer – The downloader “update.exe” downloads the second part and executes it. “The first one, ‘update.exe,’ is a simple downloader downloading and executing the second part.”
- [T1059.006] Python – The downloader is built from Python code (via PyInstaller) and runs as a Python-based process. “update.exe is written in Python, making it much easier to analyze.”
- [T1564] Hide Artifacts – The updater moves its window off-screen to hide its presence. “Move the update.exe window off the screen to hide it.”
- [T1547.001] Boot or Logon Autostart Execution – The backdoor is made persistent via scheduled/on-boot registry entries. “The backdoor is made persistent via scheduled/on-boot registry entries.”
- [T1132.001] Data Encoding – The code decodes remote payloads using base64 before execution. “base64.b64decode(runcode.read().decode(‘utf-8’))”
- [T1059.001] Command and Scripting Interpreter – The malware executes decoded code via exec(runcode). “exec(runcode)”.
- [T1071.001] Web Protocols – The PHP-based C2 uses HTTP(S) to fetch commands and report results. “The code connects to https://www.infoamanewonliag.online/api/query every 10 seconds and executes the command returned.”
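Added detection example (not code from the ISC diary or the page): a Python beacon detector that runs over a constructed proxy log (timestamp, source IP, process path, method, URL; the log format and all sample values are assumptions) and flags both the page's C2 endpoint and any near-constant polling interval, such as the 10-second poll of /api/query described above.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# C2 host and path as quoted on this page (from the ISC diary).
C2_HOST = "www.infoamanewonliag.online"
C2_PATH = "/api/query"

# Assumed log layout: "<iso-timestamp> <src-ip> <process> <METHOD> <url>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) "
    r"https?://(?P<host>[^/\s]+)(?P<path>\S*)$"
)

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # skip lines that do not match the assumed layout
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def find_beacons(lines, min_hits=4, max_jitter=0.2):
    """Group requests by (src, process, host, path) and flag a group if it
    hits the known C2 endpoint, or if its inter-request gaps are near-constant
    (coefficient of variation below max_jitter), which is how a fixed-interval
    poller such as the PHP backdoor looks in proxy data."""
    groups = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        groups[(rec["src"], rec["proc"], rec["host"], rec["path"])].append(rec["ts"])
    findings = []
    for (src, proc, host, path), stamps in groups.items():
        known_c2 = host == C2_HOST and path.startswith(C2_PATH)
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        periodic = (len(stamps) >= min_hits and mean(gaps) > 0
                    and pstdev(gaps) / mean(gaps) < max_jitter)
        if known_c2 or periodic:
            findings.append({"src": src, "proc": proc, "host": host, "path": path,
                             "hits": len(stamps), "known_c2": known_c2,
                             "periodic": periodic,
                             "period_s": round(mean(gaps), 1) if gaps else None})
    return findings

# Constructed sample log: a php.exe poller beside ordinary browser traffic.
SAMPLE_LOG = [
    "2023-04-01T10:00:00 10.0.0.5 C:\\ProgramData\\Browsers\\php\\php.exe GET https://www.infoamanewonliag.online/api/query",
    "2023-04-01T10:00:10 10.0.0.5 C:\\ProgramData\\Browsers\\php\\php.exe GET https://www.infoamanewonliag.online/api/query",
    "2023-04-01T10:00:20 10.0.0.5 C:\\ProgramData\\Browsers\\php\\php.exe GET https://www.infoamanewonliag.online/api/query",
    "2023-04-01T10:00:30 10.0.0.5 C:\\ProgramData\\Browsers\\php\\php.exe GET https://www.infoamanewonliag.online/api/query",
    "2023-04-01T10:00:03 10.0.0.5 chrome.exe GET https://example.com/news",
    "2023-04-01T10:02:41 10.0.0.5 chrome.exe GET https://example.com/news",
    "2023-04-01T10:09:07 10.0.0.5 chrome.exe GET https://example.com/news",
    "2023-04-01T10:15:00 10.0.0.5 chrome.exe GET https://example.com/news",
]
```

The interval check also catches a poller to a host not yet on any blocklist, so the known-domain match is a confirmation rather than the only signal.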
Indicators of Compromise
- [SHA256 Hash] – d4f545691c8441b5bcb86535b1d0fd16dc06786eb4080087588cd4d0f388d5ca, installer.exe
- [SHA256 Hash] – 882d95bdbca75ab9d13486e477ab76b3978e14d6fca30c11ec368f7e5fa1d0cb, update.exe
- [SHA256 Hash] – 8ac52ca0792baf2a4075fe7c68e5cbe2262da604e2fcdfb9b39656430925c168, php.7z (not malicious)
- [SHA256 Hash] – 3771846f010fcad26d593ea3771bee7cf3dec4d7604a8c719cef500fbf491820, 1.php
- [SHA256 Hash] – 3033913c51e0bf9a13c7ad2d5a481e174a1a3f19041c339e6ac900824793a1c6, php.vbs
- [Domain] infomanewonliag.online – main command and control domain
- [URL] https://channel-platform.s3.ap-east-1.amazonaws.com/package/7z.exe, https://channel-platform.s3.ap-east-1.amazonaws.com/package/php.7z
- [URL] https://www.infoamanewonliag.online/api/query
- [File] C:\ProgramData\Browsers
- [File] C:\ProgramData\Browsers\downloads\1.php
- [File] C:\ProgramData\Browsers\php\php.exe
Read more: https://isc.sans.edu/diary/Analyzing+the+efilecom+Malware+efail/29712/#comments