Elastic Security Labs uncovers LOBSHOT, a stealthy hVNC-capable malware tied to TA505, spread via malvertising campaigns that impersonate legitimate software. The analysis provides a YARA signature and a configuration extractor, detailing infection, persistence, and a browser-wallet stealer component along with C2 communications. #LOBSHOT #hVNC #TA505 #AnyDesk #Get2
Keypoints
- LOBSHOT is a newly observed malware family associated with TA505 and linked to historic campaigns (e.g., Get2 loader and TA505 domains).
- Its hallmark is an hVNC (Hidden Virtual Network Computing) module that enables direct, unobserved remote control of infected machines.
- The malware uses dynamic API resolution to evade security tools by loading Windows APIs at runtime.
- A Defender emulation check halts execution if the host looks like Windows Defender's emulation environment (computer name HAL9TH, username JohnDoe).
- Initial enumeration gathers machine and environment data (GUID, OS, user, VM check, processes, desktop details) before contacting C2.
- Persistence relies on Registry Run Keys, with additional registry checks to deter re-infection and track infection state.
MITRE Techniques
- [T1106] Native API – The malware resolves Windows APIs at runtime via dynamic imports. “In our LOBSHOT sample, like most malware we see today, it employs dynamic import resolution to evade security products and slow down the rapid identification of its capabilities.”
- [T1497] Virtualization/Sandbox Evasion – Defender emulation checks that halt execution when specific values are detected. “verifying if the computer name matches the string HAL9TH and if the username matches JohnDoe.”
- [T1027] Obfuscated/Compressed Files and Information – String obfuscation uses a straightforward encryption function with a seed from WTS_SESSION_INFO. “This malware hides its primary strings through a straightforward encryption function using different bitwise operators.”
- [T1082] System Information Discovery – Initial enumeration collects machine and environment data before network calls. “Before sending any outbound network requests, LOBSHOT builds a custom structure containing enumerated data from the machine including: GUID, Windows edition, username, computer name, VM check, … and DPI.”
- [T1547.001] Registry Run Keys / Startup Folder – Persistence via HKCU Run key pointing to C:\ProgramData. “For persistence, LOBSHOT leverages the Registry run key persistence method.”
- [T1555.003] Credentials in Web Browsers – Stealer functionality targets cryptocurrency wallet extensions and stores results in the registry. “targeting specific Google Chrome extensions that deal with cryptocurrency wallets.”
- [T1218] Signed Binary Proxy Execution: Rundll32 – Uses rundll32.exe to execute a data file, enabling loader behavior. “rundll32.exe "C:\ProgramData\hmr_1.dat", #1 hmod”
- [T1059.003] Windows Command Shell – CMD execution inside the hVNC module to run commands. “CMD execution inside the hVNC module.”
- [T1021] Remote Services – hVNC provides hidden desktop and remote control capabilities. “hVNC acts in the opposite way designed to stay stealthy… direct and unobserved access to the machine.”
- [T1071] Application Layer Protocol – C2 communications use hardcoded IP/port over sockets with periodic beaconing. “The malware beacons every 5 seconds communicating by using… ws2_32.socket/connect/send/…”
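The rundll32 loader pattern above (a non-DLL file under C:\ProgramData invoked by export ordinal) can be triaged from process-creation command lines. This is an added detection example, not code from Elastic's report; the sample command lines other than the one quoted on the page are constructed, and the directory list and scoring reasons are the author's assumptions.

```python
import re

# Constructed sample process-creation command lines. Only the first is the
# LOBSHOT command line quoted in the report; the rest are made up for the test.
SAMPLE_CMDLINES = [
    r'rundll32.exe "C:\ProgramData\hmr_1.dat", #1 hmod',             # from the page
    r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL',  # benign
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Public\x.txt,#2',  # constructed
    r'notepad.exe C:\ProgramData\readme.dat',                        # not rundll32
]

# Optional quoted directory prefix, the binary name, optional ".exe", then arguments.
RUNDLL32_RE = re.compile(r'^(?:"[^"]*\\)?rundll32(?:\.exe)?"?\s+(.*)$', re.IGNORECASE)

# User-writable locations where a loaded module is unusual (assumed list, lower-case).
SUSPICIOUS_DIRS = ('\\programdata\\', '\\users\\public\\', '\\appdata\\local\\temp\\')


def parse_rundll32(cmdline):
    """Return (module_path, entry_point) for a rundll32 command line, else None."""
    m = RUNDLL32_RE.match(cmdline.strip())
    if not m:
        return None
    rest = m.group(1).lstrip()
    if rest.startswith('"'):                     # quoted module path, may contain spaces
        end = rest.find('"', 1)
        end = len(rest) if end == -1 else end
        module, rest = rest[1:end], rest[end + 1:]
    else:                                        # unquoted: ends at comma or whitespace
        mm = re.match(r'[^,\s]+', rest)
        module, rest = mm.group(0), rest[mm.end():]
    tokens = rest.lstrip(' ,').split()           # entry point follows the comma
    entry = tokens[0] if tokens else ''
    return module, entry


def assess(cmdline):
    """List the reasons a rundll32 invocation looks like the loader behaviour above."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    module, entry = parsed
    low = module.lower()
    reasons = []
    if not low.endswith(('.dll', '.cpl')):
        reasons.append('non-DLL extension')
    if any(d in low for d in SUSPICIOUS_DIRS):
        reasons.append('user-writable directory')
    if entry.startswith('#'):                    # export referenced by ordinal, e.g. #1
        reasons.append('ordinal export')
    return reasons


if __name__ == '__main__':
    for line in SAMPLE_CMDLINES:
        print(assess(line) or 'clean', '<-', line)
```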
Indicators of Compromise
- [IP Address] – 95.217.125.200 – LOBSHOT C2
- [SHA-256] – e4ea88887753a936eaf3361dcc00380b88b0c210dcbde24f8f7ce27991856bf6 – LOBSHOT sample
Read more: https://www.elastic.co/security-labs/elastic-security-labs-discovers-lobshot-malware