SYNC-SCHEDULER : A DEDICATED DOCUMENT STEALER

Published On : 2024-03-27

SYNC-SCHEDULER : A DEDICATED DOCUMENT STEALER

EXECUTIVE SUMMARY

At CYFIRMA, we are dedicated to providing current insights into prevalent threats and strategies utilized by malicious entities, targeting both organizations and individuals. This in-depth examination focuses on Sync-Scheduler stealer, a malware that specifically targets documents, and has been designed with anti-analysis capabilities.

The research explores the evasion tactics employed by threat actors, while also illuminating the procedures involved in crafting resilient malware payloads. Significantly, the report underscores the adaptive characteristics of these threats, emphasizing the imperative for enhanced security protocols and user vigilance to effectively mitigate associated risks.

INTRODUCTION

This study provides a detailed overview of Sync-Scheduler, a potent malware written in C++ boasting defense evasion and anti-analysis capabilities. This paper explores the workings of Sync-Scheduler, how it avoids detection, and creates a strong payload. It highlights how these threats keep changing and the importance of better security and user awareness to stay safe from such harmful attacks.

KEY FINDINGS

  • Syns-Scheduler stealer is being distributed as an embedded component in Office document file.
  • File-nesting is used to hide the malware code within a PowerPoint presentation that is embedded in a Word document.
  • Malware code is hidden under the page title of the first slide of the PowerPoint presentation.
  • The title of the PowerPoint presentation file contains a fraction of the malware code.
  • Malware code is encoded in Base-64 and VBA macros leverage Task Scheduler to decode, generate, and execute the malware.
  • Sync-Scheduler targets documents in the User directories e.g. Documents, Downloads and Desktop.
  • The target file types are Word documents, Excel spreadsheets, PowerPoint presentations, PDFs and ZIP files.
  • It copies the target files in the OneDrive folder under the User’s “AppDataRoaming” directory and replaces the extension of the file with a string, which is specific to the filetype.
  • Exfiltrates the file over the network as form-data.
  • Sync-Scheduler is equipped with anti-analysis capabilities and terminates the process if the analysis environment is detected.
  • The associated threat actor with Sync-Scheduler has been actively operating since at least November 2023.
  • An older version of the malware targets more file types including images, text, and other compressed archive formats.

ETLM ATTRIBUTION

The malware author attempted to conceal the primary malware binary under multiple layers of protection, as the Base-64 encoded string, hidden under the page title text of the first slide of a PowerPoint presentation file, and this presentation file is, in turn, an embedded object in a Word document file which is being used as an initial vector to distribute the malware.

Sync-Scheduler (base-64 string) is in the page title text

Embedded VBA macros in the PowerPoint presentation file are used for decoding and execution of the malware that leverages the Task Scheduler for this purpose. It effectively conceals the malware in plain sight, enabling it to evade detection.

The exfiltrated files sent to the URL “http[:]//syncscheduler[.]com/r3diRecT/redirector/proxy.php”, resolve to the IP address “146.70.157.120”. This URL has been active since at least November 2023. Although there are changes in the IP address, the URL remains consistent:

We have identified another (older) version of the malware that communicates with the above URL and has similar functionality of being an information stealer:

File name: smsse.exe
MD5: 004101dc501b9de8965e6b45debd07b6
SHA256: 316e01b962bf844c3483fce26ff3b2d188338034b1dbd41f15767b06c6e56041
Time of creation: November 09, 2023

Although there are some differences, such as it queries for more locations and file types:

Target locations for older malware

Target filetypes of older malware

The domain syncscheduler[.]com has only been flagged by one security vendor while the IP address currently has no detection yet:

Interestingly, an attempt to browse the URL “http[:]//syncscheduler.com/r3diRecT/redirector/proxy.php”, using a web browser will redirect to the homepage of the Chinese Government website (www[.]gov[.]cn):

No known threat actor association has been identified with this Domain/IP address.

Threat Landscape: From an external threat landscape standpoint, the presence of a document stealer malware, which has been active for at least five months, and exfiltrating data effectively to a consistent URL (C2) without being noticed indicates a concerning trend. CYFIRMA’s research team highlights the evolving tactics of threat actors, who are leveraging file-nesting in Office document files to hide malware under multiple layers of protection, to avoid detection by the security tools. This shows why it’s important to always stay watchful and use better detection methods to fight against these changing threats.

ANALYSIS OF SYNC-SCHEDULER STEALER

File Analysis
File Name China Navy First Training 2024(CN).docx
File Size 1.81 MB (1895387 bytes)
Signed Not signed
MD5 c1ab783d60cf05636eb4f72d17c6cf1d
SHA-256 2027a5acbfea586f2d814fb57a97dcfce6c9d85c2a18a0df40811006d74aa7e3
Date Modified March 18, 2024

A Word document file serves as the initial vector and a PPT (PowerPoint presentation) file is embedded in this Word document. The PPT file can be opened by double-clicking the image within the Word document:

The Word document with embedded PPT file

Embedded PPT file

Embedded PowerPoint Presentation File
File Name Microsoft_PowerPoint_97-2003_Presentation.ppt
File Size 5.26 MB (5519360 bytes)
Signed Not signed
MD5 39122a2bcf6c360271e8edb503bc2761
SHA-256 203d60fe1ebbfafc835e082774ee56088273d9455fb12ac1de2c1be410cceeec

The PPT file contains 3 slides and the VBS macros:

VBA macros contain 5 functions that are password-protected:

Protected VBA macros

The PPT file has an unusual File Modification Date, and the title of the file is a long base-64 encoded string which is suspicious:

BEHAVIORAL & CODE ANALYSIS

The VBA Macros:
The first function is used to execute the following two functions:

1st function

The following VBA macro code checks for a file at location “C:~Microsoft365support.txt”. If the file is not found, which is the case at the first instance of execution, it calls the function ‘Textbox¬reader’:

If the file exists (in the case of repeated execution), then it shows the following pop-up message:

The first slide of the PPT file has a hidden base-64 encoded string as a Page Title, and the title of the file contains a fraction of this string:

The Textbox_reader function calls the ‘Test’ function that creates a folder at “C:~Microsoft365” as a hidden system directory:

Test function

Then it creates a file support.txt and writes this base-64 string into this file:

Textbox_reader function

Finally, the ScheduleTask function creates a scheduled task windows_updates that will run only once, and the start time will be 11:11. This task will decode the support.txt as wword.exe and execute it using the shell function in a hidden command prompt window:

ScheduleTask function

The Execution:
The VB macro drops the executable wword.exe in the C:~Microsoft365 directory:

Sync-Scheduler
File Name wword.exe
File Size 152.88 KB (156544 bytes)
Signed Not signed
MD5 df6b768247a9cdb5607819c79f02099d
SHA-256 6e4a4d25c2e8f5bacc7e0f1c8b538b8ad61571266f271cfdfc14725b3be02613
Creation Time January 08, 2024

The Task Scheduler executes the wword.exe in a hidden Windows command shell:

Task Scheduler log

The malware creates a directory “C:UsersuserAppDataRoamingOneDrive”:

Then it attempts to establish a connection with the domain “syncscheduler.com” and sends the systems UID to C2:

Connection to syncscheduler.com

At next stage of execution, the malware first enumerates the users/accounts on the system:

And then starts querying for the files/folders in the User’s Downloads, Desktop and Documents directories:

Searching for files/folders in User’s space

The Target is Document:
After querying the files/folder in the User’s directory, the malware selects the files by comparing the extension of the file. These include .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf and .zip files:

Comparing ‘zip’ file extension to identify its filetype

When the target file is identified, it immediately copies the file to the OneDrive folder (C:UsersuserAppDataRoamingOneDrive) for exfiltration, and after transferring the file to the C2 server, it is then deleted from the OneDrive folder, and continues the search for documents. The process of searching for, copying, and transmitting document files is conducted in a manner of one file at a time.

While copying these files, it changes the file names and replaces the file extensions including the period character (‘.’) with the string specific for the particular filetype:

File Extension Replacement String
.doc X367
.docx X946
.xls X142
.xlsx X375
.ppt X593
.pptx X842
.pdf X567
.zip X052

Replacing files’ extension while coping them in the OneDrive folder

Assembly instructions: Replacing file extension

The Exfiltration:
After copying the files in the OneDrive folder (C:UsersuserAppDataRoamingOneDrive), it starts exfiltration:

Exfiltrating copied .xls file using ‘HttpSendRequestw’

The network packets are sent in the POST request in the form of ‘form-data’ to the URL “http[:]//syncscheduler[.]com/r3diRecT/redirector/proxy.php” (IP address “146.70.157.120”):

Sending .doc file over network

Defense Capabilities:
The malware looks for the presence of various analysis tools, including debuggers and virtual machine environments at the initial stage of execution:

Analysis tools string in process memory

Additionally, it verifies if the specified DLLs are hooked to hide the analysis environment:

verifying hooked DLLs in memory

If the malware identifies any analysis-elements within the execution environment, it triggers ‘FatalExit’ command, leading to the termination of the execution process.

SYNC-SCHEDULER CAPABILITIES

The examination of the Sync-Scheduler yields valuable insights and unveils its operational characteristics. Drawing from this analysis and the data extracted, the subsequent points outline the capabilities of this document stealer:

  • Exfiltrates documents, including Word, Excel spreadsheet, PowerPoint and PDF.
  • Avoids detection using the File-Nesting and Embedded object in the Office document.
  • Anti-analysis capabilities.
  • Uses obfuscation in the code.
  • Scans for analysis tools and debuggers.
  • Communicates with C2 and exfiltrates files over the network.
  • Terminates if being debugged or analyzed.

CONCLUSION

In summary, Sync-Scheduler is a dedicated document stealer that targets Word documents, Excel Spreadsheets, PowerPoint presentations, PDFs and ZIP compress files. The malware is written in C++ and equipped with anti-analysis and defense evasion techniques. It uses obfuscation in its code and terminates itself if it detects an analysis environment.

To reduce the risks associated with Sync-Scheduler stealer malware, users should exercise caution when opening files from untrustworthy sources or clicking on unfamiliar links, particularly those offering questionable software or content. Furthermore, deploying robust cybersecurity measures, including utilizing reputable antivirus software, ensuring software is regularly updated, and staying vigilant against social engineering tactics, can significantly bolster protection against such threats. Education and awareness campaigns are also vital in equipping individuals with the knowledge to recognize and evade such malware, ultimately fostering a more resilient and secure online ecosystem.

INDICATORS OF COMPROMISE

S/N Indicators Type Context
1 c1ab783d60cf05636eb4f72d17c6cf1d MD5 China Navy First Training 2024(CN).docx
2 2027a5acbfea586f2d814fb57a97dcfce6c9d85c2a18a0df40811006d74aa7e3 SHA-256 China Navy First Training 2024(CN).docx
3 39122a2bcf6c360271e8edb503bc2761 MD5 microsoft_powerpoint_97-2003_presentation.ppt
4 203d60fe1ebbfafc835e082774ee56088273d9455fb12ac1de2c1be410cceeec SHA-256 microsoft_powerpoint_97-2003_presentation.ppt
5 df6b768247a9cdb5607819c79f02099d MD5 wword.exe
6 6e4a4d25c2e8f5bacc7e0f1c8b538b8ad61571266f271cfdfc14725b3be02613 SHA-256 wword.exe
7 004101dc501b9de8965e6b45debd07b6 MD5 smsse.exe
8 316e01b962bf844c3483fce26ff3b2d188338034b1dbd41f15767b06c6e56041 SHA-256 smsse.exe
9 146[.]70[.]157[.]120 IP address C2
10 http[:]//syncscheduler[.]com/r3diRecT/redirector/proxy[.]php URL C2

MITRE ATT&CK TACTICS AND TECHNIQUES

No. Tactic Technique
1 Reconnaissance (TA0043) T1592:  Gather Victim Host Information
2 Execution (TA0002) T1059.003: Windows Command Shell
    T1053.005: Scheduled Task
    T1024.002:  Malicious File
3 Defense Evasion (TA0005) T1622:  Debugger Evasion
    T1497: Virtualization/Sandbox Evasion
    T1140:  Deobfuscate/Decode Files or Information
    T1564.001:  Hidden Files and Directories
    T1070.004: File Deletion
    T1027.009:  Embedded Payloads
4 Discovery (TA0007) T1622: Debugger Evasion
    T1497: Virtualization/Sandbox Evasion
    T1083: File and Directory Discovery
5 Command and Control (TA0011) T1071.001: Web Protocols
6 Exfiltration (TA0010) T1041:  Exfiltration Over C2 Channel

Recommendations

  • Implement threat intelligence to proactively counter the threats associated with Sync-Scheduler stealer malware.
  • To protect the endpoints, use robust endpoint security solutions for real-time monitoring and threat detection such as Antimalware security suit and host-based intrusion prevention system.
  • Continuous monitoring of the network activity with NIDS/NIPS and using the web application firewall to filter/block the suspicious activity provides comprehensive protection from compromise due to encrypted payloads.
  • Configure firewalls to block outbound communication to known malicious IP addresses and domains associated with Sync-Scheduler stealer command and control servers.
  • Implement behavior-based monitoring to detect unusual activity patterns, such as suspicious processes attempting to make unauthorized network connections.
  • Employ application whitelisting to allow only approved applications to run on endpoints, preventing the execution of unauthorized or malicious executables.
  • Conducting vulnerability assessment and penetration testing on the environment periodically helps in hardening the security by finding the security loopholes, followed by remediation process.
  • The use of security benchmarks to create baseline security procedures and organizational security policies is also recommended.
  • Develop a comprehensive incident response plan that outlines steps to take in case of a malware infection, including isolating affected systems and notifying relevant stakeholders.
  • Security awareness and training programs help to protect from security incidents, such as social engineering attacks. Organizations should remain vigilant and continuously adapt their defenses to mitigate the evolving threats posed by Sync-Scheduler stealer malware.
  • Update security patches which can reduce the risk of potential compromise.

Source: Original Post