CISA’s Malware Analysis Report examines CovalentStealer, a data-exfiltration malware used against a Defense Industrial Base (DIB) organization by suspected APT actors, detailing its file-enumeration, targeting, and upload workflow. The malware leverages embedded resources to locate, compress, encrypt, and upload files to a remote server via OneDrive/Azure, with multiple samples and configurations analyzed. #CovalentStealer #Impacket #OneDriveClient
Keypoints
- CISA analyzed 19 CovalentStealer-related files recovered from a DIB sector organization compromised by an APT.
- The malware identifies and catalogs files, enumerates file shares via SMB, and uploads targeted data to a remote server.
- Embedded resources include an AES-based encryption/decryption routine, an XOR-based key-generation routine, and a OneDriveClient module that pushes data to Microsoft Azure.
- Components named in the report include onedrv.exe, ntstatus.exe, ntstatus.ini/bin, msexch.ini, AppStorage.exe, mqsvn.exe, mqsvn.ini, and others, forming a multi-module uploader/manager.
- WMI and SMB activity are used to gather system identifiers and access network shares, aiding data collection and exfiltration.
- The report provides IOCs (file names, hashes) and detailed module descriptions, plus recommended defenses for organizations.
- Defense guidance emphasizes patching, limiting SMB sharing, enforcing ACLs, and cautious handling of attachments and removable media.
MITRE Techniques
- [T1021.002] SMB/Windows Admin Shares – Access file shares via SMB and enumerate files/directories. Quote: “[This resource is used to access file shares via Server Message Block (SMB). It is also used to enumerate files and directories and sort them by MD5 hash.]”
- [T1083] File and Directory Discovery – Enumerate files and directories and sort them by MD5 hash. Quote: “[It is also used to enumerate files and directories and sort them by MD5 hash.]”
- [T1047] Windows Management Instrumentation – Use WMI to gather system identifiers. Quote: “[The program reads the Windows Management Instrumentation (WMI) namespace root/cimv2 to locate the volumeserialnumber of the current drive.]”
- [T1567.002] Exfiltration to Cloud Storage – Uploads to a Microsoft Azure server. Quote: “[OneDriveClient uploads files to a Microsoft Azure server on the Internet.]”
- [T1027] Obfuscated/Compressed Files and Information – Uses encryption and obfuscation to protect configuration and data. Quote: “[The AES encryption routine. The routine uses the hard-coded string ‘M(xcHq88q[s=pc7^+u_Gb_}JC%QQwP:h’ as the AES key and the first half of the key as the IV.]”
Indicators of Compromise
- [File] Filenames – onedrv.exe, ntstatus.exe, ntstatus.bin, msexch.ini, AppStorage.exe, mqsvn.exe, mqsvn.ini, ntstatus.ini, ntstatus.log, ntstatus_temp.log, etc.
- [Hash] MD5 – 806998079c80f53afae3b0366bac1479
- [Hash] SHA256 – 84164e1e8074c2565d3cd178babd93694ce54811641a77ffdc8d1084dd468afb, 517faa4a0666ec68842f256f08d987935b6ce9ef64e33f027e084e8f45b9366d
Read more: https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-277a