Keypoints
- Initial compromise via a malicious website impersonating a government page that delivers a ZIP archive (AvisodePrivacidadVirtual.zip).
- The ZIP contains an Internet Shortcut (.url) that retrieves a staged JSE script (rfc.jse) from a remote URL, which then downloads additional payloads.
- A .NET loader (7i1.xls) injects shellcode into AuthHost.exe using QueueUserAPC to execute payloads covertly.
- Shellcode fetches either NarniaRAT (narnia.xls) — an infostealer/banker with file exfiltration, screen capture, keylogging, and browser monitoring — or BotnetFenix (Rust) which supports reflective code loading and remote task execution.
- BotnetFenix decrypts payloads using a simple XOR with a hardcoded key and registers infected hosts with C2 via HTTP POST to app.quantumservice.lat.
- Notable IOCs include multiple MD5 hashes for artifacts, hardcoded C2 hosts/IPs (e.g., app.quantumservice.lat, 45.77.71.28), and specific filenames like rfc.jse, 7i1.xls, narnia.xls, and steal.crypt.
MITRE Techniques
- [T1189] Drive-by Compromise – Initial user interaction with a malicious webpage that delivers a ZIP archive (‘Victims are deceived into downloading a malicious zip archive under the guise of a legitimate tool from a website masquerading as the Government of Mexico.’)
- [T1204.002] User Execution: Malicious File – User is instructed to run an Internet Shortcut that retrieves remote content (‘Internet Shortcuts can be crafted to retrieve malicious files from the Internet network share.’)
- [T1105] Ingress Tool Transfer – Multiple staged files are downloaded from remote servers (‘.url shortcut file contains an embedded URL … the shortcut eventually retrieves the “rfc.jse” file’ and ‘shellcode retrieves either “narnia.xls” … or BotnetFenix payload’)
- [T1055.004] Process Injection: Asynchronous Procedure Call – Loader injects shellcode into AuthHost.exe via QueueUserAPC, the APC-based sub-technique rather than thread hijacking (‘injects the shellcode into AuthHost.exe via QueueUserAPC process injection’)
- [T1620] Reflective Code Loading – Stealer payloads use reflective loading to execute modules in memory (‘steal.crypt … seems to contain only a reflective DLL loader component’ and ‘reflective code loading’)
- [T1027.006] Obfuscated Files or Information: XOR – BotnetFenix decrypts retrieved payloads using XOR with a hardcoded key (‘ability to decrypt the retrieved payloads from C2 servers using a simple XOR algorithm and the hardcoded key.’)
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communication and host registration use HTTP POST requests to app.quantumservice.lat (example POST: ‘POST /2XpbhUdaA4/post.php … action=add_register&uuid={uuid_value}…’)
- [T1113] Screen Capture – NarniaRAT captures screenshots from the infected host (‘NarniaRAT contains the exfiltration, screen capture, keylogging, and banking stealing functionalities.’)
- [T1056.001] Input Capture: Keylogging – NarniaRAT records keystrokes to harvest credentials (‘NarniaRAT contains the exfiltration, screen capture, keylogging, and banking stealing functionalities.’)
Indicators of Compromise
- [MD5 hash] artifact hashes – 95260c9385dbb1f52004e7ab5aceda96 (AvisodePrivacidadVirtual.zip), a7fadf0050d4d0b2cefd808e16dfde69 (rfc.jse), and 4 more hashes.
- [MD5 hash] payload hashes – 7f739c189c96d42bff65e8b7b7c42237 (7i1.xls loader), 43f6c3f92a025d12de4c4f14afa5d098 (narnia.xls), cfb7d71a73585052041f8c9a057c83c6 (BotnetFenix), 594804aa21887ee9d7b1b888f482d60c (steal.crypt).
- [Domain/IP] C2 hosts and download hosts – app.quantumservice.lat (example paths: /2XpbhUdaA4/narnia.xls, /2XpbhUdaA4/vc67j2.xls), 45.77.71.28 (C2 for watchlist), and 172.86.75.130 as a referenced URL.
- [Filenames] staged filenames – rfc.jse (staged script), 7i1.xls (NET loader), narnia.xls (NarniaRAT), steal.crypt (reflective loader).
- [HTTP path] C2 registration endpoint – POST /2XpbhUdaA4/post.php (used to register infected hosts with parameters like uuid, os, is_admin, av, desktopname).
- [Archive name] distribution file – AvisodePrivacidadVirtual.zip – consistent hash on download (MD5: 95260c9385dbb1f52004e7ab5aceda96).
In this campaign, attackers host a spoofed Government of Mexico page that persuades users to download AvisodePrivacidadVirtual.zip. The archive contains an Internet Shortcut (.url) pointing to a remote JSE script (rfc.jse). When the shortcut is opened, the JSE retrieves 7i1.xls, which despite its extension is a .NET loader rather than a spreadsheet; the loader injects shellcode into AuthHost.exe via QueueUserAPC so that the later payloads run in memory under a legitimate Windows process.
The injected shellcode downloads either NarniaRAT (narnia.xls, MD5 43f6c3f9…) or BotnetFenix (cfb7d71a…), both hosted under app.quantumservice.lat and related URLs. NarniaRAT performs file exfiltration (Desktop, Documents, Windows, %USERPROFILE%), screen capture, keylogging, and actively monitors browser processes (Chrome, Firefox, Edge, IE, Opera, Brave, Safari); it requests a banking “watchlist” from C2 (example IP 45.77.71.28) to target specific LATAM financial institutions. BotnetFenix (written in Rust) supports remote tasking, reflective code loading (steal.crypt is a reflective DLL loader, MD5 594804aa…), and decrypts retrieved payloads using a simple XOR with a hardcoded key.
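The post describes BotnetFenix's payload decryption only as a simple XOR with a hardcoded key. The following is an added example by the editor, not code from the post or from BotnetFenix: it implements repeating-key XOR and shows how an analyst can recover such a key from a captured encrypted payload without reversing the bot, using the DOS-stub string that a PE file carries at a fixed offset as known plaintext. The key length, the key value b"examplekey" and the sample PE header are assumptions constructed for the demo.

```python
# Added example (editor's illustration, not code from the eSentire post or
# from BotnetFenix). The post only says the bot decrypts payloads with "a simple
# XOR algorithm and the hardcoded key"; the repeating-key scheme, the key
# b"examplekey" and the sample PE header below are assumptions for the demo.

DOS_STUB = b"This program cannot be run in DOS mode."
STUB_OFFSET = 0x4E  # where the stub text usually sits in a standard MZ header


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def is_pe(data: bytes) -> bool:
    """Sanity check on a decrypted blob: MZ magic plus the PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_key(ciphertext: bytes, key_len: int,
                known: bytes = DOS_STUB, offset: int = STUB_OFFSET):
    """Known-plaintext attack: each known byte reveals key[(offset + j) % key_len].
    Returns None when the guessed length contradicts itself or leaves a position
    uncovered (the known text must be at least key_len bytes long)."""
    key = [None] * key_len
    for j, plain in enumerate(known):
        idx = offset + j
        if idx >= len(ciphertext):
            break
        k = ciphertext[idx] ^ plain
        pos = idx % key_len
        if key[pos] is None:
            key[pos] = k
        elif key[pos] != k:
            return None  # inconsistent: this key length is wrong
    if any(k is None for k in key):
        return None
    return bytes(key)


def brute_force_key(ciphertext: bytes, max_key_len: int = len(DOS_STUB)):
    """Try increasing key lengths; accept the first key whose output is a PE."""
    for n in range(1, max_key_len + 1):
        key = recover_key(ciphertext, n)
        if key is not None and is_pe(xor_bytes(ciphertext, key)):
            return key
    return None


def build_sample_pe() -> bytes:
    """Constructed minimal MZ/PE header for the demo, not a real executable."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")  # e_lfanew
    hdr[STUB_OFFSET:STUB_OFFSET + len(DOS_STUB)] = DOS_STUB
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr)


SAMPLE_PE = build_sample_pe()
ASSUMED_KEY = b"examplekey"  # placeholder for the demo, not the real key
ENCRYPTED_SAMPLE = xor_bytes(SAMPLE_PE, ASSUMED_KEY)

if __name__ == "__main__":
    found = brute_force_key(ENCRYPTED_SAMPLE)
    print("recovered key:", found)
    print("decrypts to PE:", is_pe(xor_bytes(ENCRYPTED_SAMPLE, found)))
```

The recovery only needs a captured encrypted download and the assumption that the plaintext is a PE; it works for any key no longer than the known plaintext (39 bytes here), and a longer key leaves positions uncovered, in which case the analyst must fall back to pulling the key from the bot binary.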
Network behavior includes HTTP(S) C2 registration and tasking (example POST to /2XpbhUdaA4/post.php with parameters action=add_register, uuid, os, is_admin, av, desktopname) and ingress tool transfer of the staged files. Detection and mitigation should focus on blocking the listed download and C2 hosts, alerting on QueueUserAPC-style injection into AuthHost.exe and on reflective DLL loading, flagging downloads of files served with an .xls extension that are not spreadsheets (7i1.xls, narnia.xls, vc67j2.xls), and matching HTTP POST bodies that carry action=add_register together with the uuid, os, is_admin, av and desktopname parameters, since that parameter set survives a change of C2 host.
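As an added example by the editor (not code from the post), the following scans a constructed proxy log for both the literal indicators above and the shape of the registration POST. The JSON-lines log format, the field names and every event value are assumptions made for the demo; the hosts, paths and parameter names come from the post.

```python
# Added example (editor's illustration, not code from the eSentire post). Assumes
# a constructed proxy log in JSON-lines form with fields src, method, host, path,
# body; real proxy or NetFlow exports will need a different parser.
import json
from urllib.parse import parse_qs

# Indicators taken from the post
IOC_HOSTS = {"app.quantumservice.lat", "45.77.71.28", "172.86.75.130"}
IOC_PATHS = {"/2XpbhUdaA4/post.php", "/2XpbhUdaA4/narnia.xls",
             "/2XpbhUdaA4/vc67j2.xls"}
# Parameter set of the add_register POST; this outlives any single host
REGISTER_PARAMS = {"action", "uuid", "os", "is_admin", "av", "desktopname"}

# Constructed sample events: values are placeholders, not observed data.
# Line 3 uses a documentation address to show the behavioural rule firing on
# a host that is not in the IOC list; line 5 has action=add_register without
# the full parameter set and must not fire.
SAMPLE_LOG = """
{"src": "10.0.0.5", "method": "GET", "host": "www.example.com", "path": "/", "body": ""}
{"src": "10.0.0.7", "method": "POST", "host": "app.quantumservice.lat", "path": "/2XpbhUdaA4/post.php", "body": "action=add_register&uuid=11111111-2222-3333-4444-555555555555&os=Windows%2010&is_admin=0&av=Windows%20Defender&desktopname=WS-07"}
{"src": "10.0.0.9", "method": "POST", "host": "203.0.113.40", "path": "/x/post.php", "body": "action=add_register&uuid=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee&os=Windows%2011&is_admin=1&av=none&desktopname=WS-09"}
{"src": "10.0.0.7", "method": "GET", "host": "app.quantumservice.lat", "path": "/2XpbhUdaA4/narnia.xls", "body": ""}
{"src": "10.0.0.5", "method": "POST", "host": "www.example.com", "path": "/login", "body": "user=alice&action=add_register"}
"""


def classify(event: dict) -> list:
    """Return the list of reasons an event is suspicious (empty if none)."""
    reasons = []
    if event.get("host", "").lower() in IOC_HOSTS:
        reasons.append("ioc_host")
    if event.get("path") in IOC_PATHS:
        reasons.append("ioc_path")
    if event.get("method") == "POST":
        params = parse_qs(event.get("body", ""))
        # Behavioural match: the full registration parameter set, not just the
        # action name, so an ordinary form with action=add_register stays quiet.
        if params.get("action") == ["add_register"] and REGISTER_PARAMS <= set(params):
            reasons.append("fenix_registration")
    return reasons


def scan(log_text: str) -> list:
    """Parse JSON-lines proxy events and return one alert per suspicious event."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            alerts.append({"src": event["src"], "host": event["host"],
                           "path": event["path"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The body match only works where the proxy or TLS-inspection layer records POST bodies; on plain connection logs only the host and IP indicators apply, which is exactly the signal that rotates when the operators move infrastructure.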
Read more: https://www.esentire.com/blog/fenix-botnet-targeting-latam-users