Cyble Research and Intelligence Lab (CRIL) uncovered a targeted Malaysia campaign aimed at political figures and government officials, delivering Babylon RAT via malicious ISO files. The operation uses LNK shortcuts, concealed PowerShell scripts, and startup registry persistence to enable data exfiltration and remote control through Babylon RAT.
Keypoints
- Target: Political figures and government officials in Malaysia.
- Active since: July 2023.
- Malicious components: ISO files containing LNK files, hidden PowerShell scripts, executables, and decoy PDFs.
- Final payload: Babylon RAT, enabling remote access and data theft.
- Previous targets: TA previously targeted Malaysian entities using Quasar RAT.
- Delivery method: Users are tricked into executing malicious files disguised as legitimate documents.
- Persistence: Registry modifications to ensure the RAT runs at startup.
- Recommendations: Enhanced email filtering, endpoint and network security, and security awareness training.
MITRE Techniques
- [T1204] User Execution: Malicious File β The ISO file contains an LNK file disguised as a PDF. When executed, it runs a PowerShell script to initiate the attack.
- [T1059.001] Command and Scripting Interpreter: PowerShell β The LNK file triggers a PowerShell script to execute the payload and create persistence.
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder β The PowerShell script creates a startup entry in the registry.
- [T1027.007] Dynamic API Resolution β Cryptographic APIs resolved during runtime to evade IAT based detection.
- [T1027.012] LNK Icon Smuggling β LNK file disguised with a PDF icon.
- [T1027.013] Encrypted/Encoded File β The Babylon is encrypted with AES-256 encryption to evade detection by security tools.
- [T1555.003] Credentials from Password Stores: Credentials from Web Browsers β Babylon RAT can extract passwords from web browsers.
- [T1082] System Information Discovery β Babylon RAT collects system information from the victimβs machine.
- [T1115] Clipboard Data β Babylon RAT monitors and logs clipboard data, storing it for later exfiltration.
- [T1056.001] Input Capture: Keylogging β The RAT captures keystrokes using the SetWindowsHookEx win32 API.
- [T1071.001] Application Layer Protocol: Web Protocols β Babylon RAT communicates with the TAβs C2 server over web protocols.
- [T1041] Exfiltration Over C2 Channel β The TA exfiltrates collected data through the established C2 channel.
Indicators of Compromise
- [SHA-256] SalahLaku_MARA.iso β 54a52310ade00eca0abb8ba32f4cacc42deb69b6e1f07309e44df2213bf2569c
- [SHA-256] PANDUAN_PENGGUNA_MyKHAS.iso β d9f0268cbaa1ae45dfa755adab9dda2d8bdff3c8bf8a00d23bbc6894c28e225f
- [SHA-256] LimKitSiang_teks_penuh.iso β 8e6717e88ab6bb4a96e465dc0e9db3cf371e8e75af29e4c3ebc175707702b3b6
- [SHA-256] Salahlaku_Sektor_Keusahawanan_MARA.lnk β cf2b8c735f6acc0310ec76607b5c37ef994c96c74442373686e1f3a141c7a892
- [SHA-256] PANDUAN_PENGGUNA_MyKHAS.lnk β b9dddf801db527b3895409443fadeeced176b3ccac220395f700e91b151076b0
- [SHA-256] Salahlaku_Sektor_Keusahawanan_MARA.ps1 β 401a524c5a446107547475d27f9acd548182eac06294245dc43313b47ffa0e5c
- [SHA-256] controller.exe β f21ae37cb39658a62c9aaa945eb4dc2b33aebe4afeb5374d36328589a53e0982
- [SHA-256] PDFview.exe β 77e22b511cd236cae46f55e50858aea174021a1cd431beaa5e7839a9d062e4c7
- [SHA-256] PANDUAN_PENGGUNA_MyKHAS.ps1 β b348935e378b57001e6b41d96ae498ca00dd9fb296115a4e036dad8ccc7155d3
- [SHA-256] Kit_Siang_Bimbang_Gelombang_Hijau.ps1 β 2a5a1ae773c59f18cceada37c4d78427ff18bd9a8c0ceb584c0cf997f6ac36b0
- [SHA-256] Kit_Siang_Bimbang_Gelombang_Hijau.lnk β f30901bd966b8c4803ffd517347167b4bba2c1b85cc7b5bcbe08791e249eb86b
- [IP] 64.176.65.152 β C&C
- [IP] 149.28.19.207 β C&C
- [Domain] workhub-microsoft-team.com β C&C
- [Domain] fund.sekretariatparti.org β C&C
Read more: https://cyble.com/blog/the-intricate-babylon-rat-campaign-targets-malaysian-politicians-government/