Malware campaign attempts abuse of defender binaries

Researchers uncovered a ransomware/loader campaign that corrupts legitimate defender binaries (including Sophos executables and DLLs) by overwriting entry-point code and embedding encrypted payloads as resources to load Cobalt Strike, Brute Ratel, Qakbot, Latrodectus and other payloads. The campaign used fake installers, JavaScript loaders delivered by email, and multiple C2 domains/IPs to deliver and control the implanted payloads. #Sophos #CobaltStrike

Keypoints

  • Adversaries modify legitimate defender PE files (Sophos and others) by overwriting the original entry-point code and replacing resources with an encrypted payload resource.
  • The corrupted files originated from the 2022.4.3 Windows Endpoint package and were deployed via fake installers, MSI, and emailed JavaScript loaders in some cases.
  • Deployed payloads included Cobalt Strike (HTTP beacon and 64-bit shellcode), Brute Ratel, Qakbot, Latrodectus, and other loaders; TitanLdr was observed loading some Cobalt Strike payloads.
  • Payload retrieval and C2 used numerous domains and IPs (HTTP/HTTPS), with examples embedded in Cobalt Strike configs and hosted binaries (e.g., devs.ambitenergycorporation[.]com, 185.117[.]91.230).
  • Technical approach: PE structure partially updated (resource section resized), export table left broken, entry-point overwritten with loader that XOR-decodes and executes shellcode from the resource.
  • Investigators published an IoC CSV with 400+ entries and observed at least one abused/revoked code-signing certificate associated with a Qakbot payload.

MITRE Techniques

  • [T1036.003] Masquerading – Attackers impersonated legitimate security vendor binaries by modifying PE files to appear as real components (‘impersonating legitimate files to attempt to sneak onto systems.’)
  • [T1566] Phishing – Initial access in some incidents used JavaScript loaders delivered by email that installed MSI and fake binaries (‘JavaScript loaders that appear to have been sent to the victim(s) via email.’)
  • [T1105] Ingress Tool Transfer – Adversaries used hosted downloaders and fake installers to transfer malicious EXE/DLLs onto targets (‘Hosted on hxxp://185.117[.]91.230/download/guard64.exe’ and ‘bogus “installer” claiming to be for software … loaded the fake EXEs / DLLs.’)
  • [T1027] Obfuscated Files or Information – Encrypted payloads were embedded as resources in PE files and required XOR decoding/unwrap steps (‘the encrypted payload was stored as a resource within the resources section.’)
  • [T1055] Process Injection – Decoded shellcode was used to decrypt another layer, inject into memory, and execute the final payloads (e.g., Brute Ratel) (‘shellcode that would eventually decrypt another layer to be injected into memory, then executed.’)
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 communications used HTTP/HTTPS for Cobalt Strike and other beacons (examples in Cobalt Strike configs) (‘"C2Server": "http://devs.ambitenergycorporation[.]com:443/samlss/media.jpg"’)
  • [T1553.001] Subvert Trust Controls: Create Compromised Software – Use of an abused or expired digital signature to sign or appear to sign binaries was observed (‘use of a possibly compromised (and definitely expired) digital signature’).

Indicators of Compromise

  • [File Hash] Malicious PE samples – 214540f4440cceffe55424a2c8de1cc43a42e5dcfb52b151ea0a18c339007e37, 25e24385719aede7f4e0359b389a9597cc26df20e1b3a6367bbc04d5d4982fe6, and 400+ other hashes in the published IoC CSV.
  • [Domain] C2 and hosting domains – devs.ambitenergycorporation[.]com, businessannually[.]com, and other domains used in Cobalt Strike configs and hosting.
  • [IP Address] Hosting/command infrastructure – 185.219.221[.]136 (malware C2), 185.117[.]91.230 (hosted guard64.exe), and other IPs listed in IoC file.
  • [File Name] Targeted legitimate filenames – SophosCleanup.exe, HealthApi.dll, SophosFSTelemetry.exe (legitimate-sounding files that were trojanized).
  • [URL] Hosted payload/loader URLs – hxxps://du178mamil[.]com/rtl.dll, hxxp://185.117[.]91.230/download/guard64.exe (used to host or serve malicious components).

In the analyzed samples the attacker modified legitimate Windows PE files by partially rebuilding section headers, enlarging the resource section, and replacing original resources with a single encrypted resource containing the attacker payload. The original export/entry-point code was overwritten with loader code; in DLL cases DllRegisterServer was replaced so the loader runs when the DLL is invoked. The loader constructs an XOR key on the stack, uses it to decode the resource, then executes embedded shellcode which unpacks or decrypts a second-stage payload in memory (observed final payloads include 64-bit Cobalt Strike HTTP shellcode, Cobalt Strike beacons, and Brute Ratel binaries lacking DOS headers).

Initial delivery paths included emailed JavaScript loaders that dropped MSI installers or fake installers, hosted download URLs, and standalone malicious installers. Loading techniques varied from simple custom shellcode to the more complex TitanLdr multifunction loader; after in-memory decryption the loaders performed process injection and network beaconing to HTTP/HTTPS C2 servers. Cobalt Strike configurations observed contained explicit C2Server and HttpPostUri values pointing to multiple domains; investigators also found at least one trojanized binary signed with an abused/revoked certificate.

The detection and response measures recommended by the analysis focus on identifying altered PE resource sizes, broken export tables alongside intact loadable headers, anomalous DllRegisterServer code, and file hashes/domains that match the IoC list. Monitoring for HTTP/HTTPS beacon patterns tied to known C2 domains and blocking the hosting IPs/domains with network controls, combined with detection of in-memory XOR/decryptor shellcode and dynamic shellcode protection, are effective mitigations against these techniques.
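The PE-header anomalies described above (an export directory left pointing nowhere after the entry-point overwrite, and a resource directory whose size no longer agrees with the resized resource section) can be checked with a small header parser. The following is an added example written for this summary, not code from the Sophos analysis; it parses a PE32/PE32+ header with the standard library only, and the sample input is a constructed header skeleton (no real code, no real sample), with the size-mismatch rule labelled as a heuristic.

```python
import struct

def parse_pe(data):
    """Minimal PE32/PE32+ header parser: returns (data_directories, sections)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (112 if magic == 0x20B else 96)        # data directories: PE32+ vs PE32
    ndirs = struct.unpack_from("<I", data, dd_off - 4)[0]  # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, dd_off + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize = struct.unpack_from("<8sIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, max(vsize, rawsize)))
    return dirs, sections

def section_for(rva, sections):
    return next((s for s in sections if s[1] <= rva < s[1] + s[2]), None)

def audit_pe(data):
    """Flag the header anomalies described above; returns a list of finding strings."""
    dirs, sections = parse_pe(data)   # headers parse cleanly, so the file stays loadable
    findings = []
    export_rva = dirs[0][0]
    if export_rva and section_for(export_rva, sections) is None:
        findings.append("export directory RVA 0x%x lies outside every section" % export_rva)
    rsrc_rva, rsrc_size = dirs[2]
    rs = section_for(rsrc_rva, sections) if rsrc_rva else None
    if rsrc_rva and rs is None:
        findings.append("resource directory RVA 0x%x lies outside every section" % rsrc_rva)
    elif rs and rsrc_size > rs[2]:  # heuristic: directory size disagrees with the resized section
        findings.append("resource directory size 0x%x exceeds %s size 0x%x" % (rsrc_size, rs[0], rs[2]))
    return findings

def build_sample_pe(tampered):
    """Constructed PE32+ header skeleton (no real code) used here as sample input."""
    secs = [(b".text", 0x1000, 0x800), (b".rdata", 0x2000, 0x400), (b".rsrc", 0x3000, 0x200)]
    opt = bytearray(240)                                   # PE32+ optional header
    struct.pack_into("<H14xI", opt, 0, 0x20B, 0x1200)      # Magic, AddressOfEntryPoint
    struct.pack_into("<7I", opt, 108, 16, 0x5000 if tampered else 0x2100, 0x80, 0, 0, 0x3000, 0x2000 if tampered else 0x200)  # NumberOfRvaAndSizes, export, import, resource dirs
    img = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40))   # e_lfanew = 0x40
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(secs), 0, 0, 0, len(opt), 0x22) + opt
    for name, va, size in secs:
        img += struct.pack("<8sIIIIIIHHI", name, size, va, size, 0x400, 0, 0, 0, 0, 0x40000040)
    return bytes(img)
```

Running `audit_pe` over a directory of vendor binaries and comparing against known-good copies turns the two header checks into a triage signal; the hash and domain matching from the IoC list still has to be done separately.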

Read more: https://news.sophos.com/en-us/2024/04/26/malware-campaign-abuses-legit-defender-binaries/