{"id":1678,"date":"2023-03-15T21:10:10","date_gmt":"2023-03-15T20:10:10","guid":{"rendered":"https:\/\/lab52.io\/blog\/?p=1678"},"modified":"2023-05-09T12:29:21","modified_gmt":"2023-05-09T10:29:21","slug":"apt-c-36-from-njrat-to-apt-c-36","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/apt-c-36-from-njrat-to-apt-c-36\/","title":{"rendered":"APT-C-36: from NjRAT to LimeRAT"},"content":{"rendered":"\n<p>Last February a <a href=\"https:\/\/blogs.blackberry.com\/en\/2023\/02\/blind-eagle-apt-c-36-targets-colombia?utm_medium=social&amp;utm_content=cyber\">Blackberry report<\/a> alluded to one of the campaigns of APT-C-36 (Blind Eagle). The APT-C-36 group has many similarities in terms of tactics, techniques and procedures (TTPs) with the group Hagga \/ Aggah, as we have been able to observe at Lab52. In particular, this article describes one of the campaigns that has been linked to APT-C-36, in which the artefacts used are noticeably Hagga artefacts.<\/p>\n\n\n\n<p>This group\u2019s campaigns during the last quarter are summarised in the following image.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"748\" height=\"116\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/campanas-2.png\" alt=\"\" class=\"wp-image-1791\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/campanas-2.png 748w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/campanas-2-300x47.png 300w\" sizes=\"(max-width: 748px) 100vw, 748px\" \/><figcaption><em>APT-C-36: last campaigns<\/em><\/figcaption><\/figure><\/div>\n\n\n\n<p>The diagram refers to the malware that is actually executed after the infection phase, i.e., after successful deployment of the first stages of the infection process. 
It is this successful deployment that allows the malware to be executed, and the stages leading up to it also allow TTPs to be identified prior to full compromise.<\/p>\n\n\n\n<p>Going back to the previous image, the following should be noted:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>From December 2, 2022 until February 2, 2023, multiple campaigns were observed deploying NjRAT in their final stage.<\/li><li>On February 20, a campaign was observed which varied slightly in its deployment and whose purpose was the deployment of <a href=\"https:\/\/blogs.blackberry.com\/en\/2023\/02\/blind-eagle-apt-c-36-targets-colombia?utm_medium=social&amp;utm_content=cyber\">AsyncRat<\/a>.<\/li><li>By the end of February, the use of <a href=\"https:\/\/github.com\/NYAN-x-CAT\/Lime-RAT\">LimeRAT<\/a> was observed, <strong>but with a deployment operation very similar to the one used during the rest of the campaigns, starting from the first ones whose objective was the execution of NjRAT.<\/strong><\/li><\/ul>\n\n\n\n<p>This last point has caught the attention of the Lab52 team, since, <a href=\"https:\/\/lab52.io\/blog\/literature-lover-targeting-colombia-with-limerat\/\">as analysed in previous articles<\/a>, LimeRAT is considered an evolution of NjRAT. Moreover, this takes place in a context in which the previous NjRAT campaigns linked to APT-C-36 are still fresh and, in fact, NjRAT remains an active malware family across the campaigns of various actors.<\/p>\n\n\n\n<p>In this post we go back to the December 5, 2022 campaign to explain in detail the five-stage deployment process observed until NjRAT is triggered, taking this campaign as a case study. The objective is to show, by means of a simplified comparison, <strong>how the deployment for these RATs is very similar. 
<\/strong>In addition, a list of the IOCs of the previous campaigns is provided, together with a summary of the communications behaviour and a comparison of the adaptations\/modifications made in the last campaign, which triggers LimeRAT.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Preparing the path for NjRAT: the beginning<\/strong><\/h2>\n\n\n\n<p>This analysis takes as a starting point <a href=\"https:\/\/twitter.com\/DmitriyMelikov\/status\/1599776513045340161?s=20&amp;t=gxCTU-DXg2mDQ96UR5RSYg\">a post on Twitter<\/a> showing a document whose techniques and appearance are consistent with APT-C-36. From that post, the hash of the .docx file used for the phishing is obtained; its data is shown below:<\/p>\n\n\n\n<figure class=\"wp-block-table aligncenter\"><table><tbody><tr><td>file<\/td><td>Juzgado 09 civil del circuito de Bogot\u00e1 D. C. Col..docx<\/td><\/tr><tr><td>md5<\/td><td>4a69b0a3796dd688d57e11658ac1058c<\/td><\/tr><tr><td>sha1<\/td><td>e707fe51fb330b7aed5db5882b316dde1ef5f5a9<\/td><\/tr><tr><td>sha256<\/td><td>dfc497c7cb4cac21d5b4760dcc9df8c4379e7f4290a8ff06265225704819761c<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>The following picture shows the appearance of the file once it is opened with Microsoft Word.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"519\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/01-Apariencia-documento-malicioso-1024x519.png\" alt=\"\" class=\"wp-image-1689\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/01-Apariencia-documento-malicioso-1024x519.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/01-Apariencia-documento-malicioso-300x152.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/01-Apariencia-documento-malicioso-768x389.png 768w, 
https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/01-Apariencia-documento-malicioso-1536x778.png 1536w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/01-Apariencia-documento-malicioso.png 1684w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>Malicious document appearance<\/figcaption><\/figure><\/div>\n\n\n\n<p>This group is characterised by the<strong> impersonation of official entities<\/strong>. As can be seen, another of its characteristics is to maintain a <strong>high level of quality in the text and fake documents used in spear-phishing campaigns<\/strong>.<\/p>\n\n\n\n<p>The document is examined to identify the trigger of the infection, revealing a suspicious OLE (Object Linking and Embedding) object which in turn leads to a WSF (Windows Script File) file.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"634\" height=\"184\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/02-Objeto-OLE-sospechoso.png\" alt=\"\" class=\"wp-image-1690\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/02-Objeto-OLE-sospechoso.png 634w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/02-Objeto-OLE-sospechoso-300x87.png 300w\" sizes=\"(max-width: 634px) 100vw, 634px\" \/><figcaption>OLE object<\/figcaption><\/figure><\/div>\n\n\n\n<p>The analysis is structured around the stages of the malware identified from the previous resource. 
The following image summarises the stages identified.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"793\" height=\"503\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/03-Flujo-de-actividad-analizado.png\" alt=\"\" class=\"wp-image-1691\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/03-Flujo-de-actividad-analizado.png 793w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/03-Flujo-de-actividad-analizado-300x190.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/03-Flujo-de-actividad-analizado-768x487.png 768w\" sizes=\"(max-width: 793px) 100vw, 793px\" \/><figcaption>Analysed activity flow<\/figcaption><\/figure><\/div>\n\n\n\n<p>The final purpose of the malware in this case is the deployment of the remote access trojan (RAT) NjRAT, but it is the path to that deployment that motivates the analysis described below: a set of procedures that has in fact been maintained with little variation through the rest of the campaigns to date.<\/p>\n\n\n\n<p>In particular, it should be noted that<strong> various stages of the malware deployment take place entirely in memory<\/strong>, making detection by antivirus tools more challenging.<\/p>\n\n\n\n<p>This article addresses the deployment chain in five stages and then compares this operation with the last campaign, in which LimeRAT is deployed. In addition, findings regarding the behaviour of the campaigns with respect to the communications model are included. 
Finally, the indicators of compromise of the different campaigns are summarised for reference.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Stage 1: Infection using an OLE object<\/strong><\/h2>\n\n\n\n<p>As anticipated, in the December 5 campaign the malicious file contains an OLE object, whose properties are examined inside a controlled environment.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"384\" height=\"201\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/04-Propiedades-Objeto-OLE.png\" alt=\"\" class=\"wp-image-1695\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/04-Propiedades-Objeto-OLE.png 384w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/04-Propiedades-Objeto-OLE-300x157.png 300w\" sizes=\"(max-width: 384px) 100vw, 384px\" \/><figcaption>OLE object properties<\/figcaption><\/figure><\/div>\n\n\n\n<p>As can be seen, when the object is activated it executes a WSF file (Windows Script File), <strong>Notificaci\u00f3n Jur\u00eddica.wsf<\/strong>, thus triggering the infection on the machine.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"383\" height=\"323\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/05-Detalle-Objeto-OLE.png\" alt=\"\" class=\"wp-image-1697\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/05-Detalle-Objeto-OLE.png 383w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/05-Detalle-Objeto-OLE-300x253.png 300w\" sizes=\"(max-width: 383px) 100vw, 383px\" \/><figcaption>OLE object detailed<\/figcaption><\/figure><\/div>\n\n\n\n<p>Without further complication at this point, the script file can be extracted for analysis:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img 
loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"524\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/06-Script-WSF-1024x524.png\" alt=\"\" class=\"wp-image-1698\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/06-Script-WSF-1024x524.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/06-Script-WSF-300x153.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/06-Script-WSF-768x393.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/06-Script-WSF-1536x785.png 1536w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/06-Script-WSF.png 1803w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>Script WSF<\/figcaption><\/figure><\/div>\n\n\n\n<p>The file contains numerous identical repeated lines, used to camouflage a piece of malicious code among them.<\/p>\n\n\n\n<p>Broadly speaking, in the WSF file we can see the definition of a job in VBS language that, through PowerShell, downloads a VBS file from the domain <strong>cdn.discordapp[.]com<\/strong> and then launches it via Explorer. The VBS script is later deleted from the system. This file is analysed below.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Stage 2: Camouflaged downloader<\/strong><\/h2>\n\n\n\n<p>To continue with the infection chain, the downloaded VBS file is examined. It is referred to here by the name <strong>Debug.vbs<\/strong> because of its later reference in the code; at this point of the execution the file can in fact take any name, depending also on the campaign. 
The key issue here is that the script shows the appearance of a legitimate Microsoft WinRM file.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"520\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/07-Parte-inicial-script-VBS-1024x520.png\" alt=\"\" class=\"wp-image-1701\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/07-Parte-inicial-script-VBS-1024x520.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/07-Parte-inicial-script-VBS-300x152.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/07-Parte-inicial-script-VBS-768x390.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/07-Parte-inicial-script-VBS.png 1262w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>VBS script: first view<\/figcaption><\/figure><\/div>\n\n\n\n<p>However, after a detailed analysis the section which triggers the malicious logic can be seen.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"828\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/08-Implante-VBS-en-fichero-WinRM.VBS_-1024x828.png\" alt=\"\" class=\"wp-image-1703\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/08-Implante-VBS-en-fichero-WinRM.VBS_-1024x828.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/08-Implante-VBS-en-fichero-WinRM.VBS_-300x243.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/08-Implante-VBS-en-fichero-WinRM.VBS_-768x621.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/08-Implante-VBS-en-fichero-WinRM.VBS_.png 1103w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>VBS implant in WinRM.vbs file<\/figcaption><\/figure><\/div>\n\n\n\n<p>In fact, it can be seen that the code is obfuscated, although after some operations 
it is possible to extract the original code it executes:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"87\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/09-VBS-malicioso-desofuscado-1024x87.png\" alt=\"\" class=\"wp-image-1704\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/09-VBS-malicioso-desofuscado-1024x87.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/09-VBS-malicioso-desofuscado-300x26.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/09-VBS-malicioso-desofuscado-768x65.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/09-VBS-malicioso-desofuscado-1536x131.png 1536w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/09-VBS-malicioso-desofuscado.png 1740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>Malicious code deobfuscated<\/figcaption><\/figure><\/div>\n\n\n\n<p>Specifically, an array of bytes in memory is declared to hold a PE file downloaded from the above IP after Base64 decoding. This file corresponds to a DLL (DLL.PPAM) and will be loaded into memory within the application domain of the current powershell process. <\/p>\n\n\n\n<p>Subsequently, the VAI method of the <strong>Fiber.Home<\/strong> class will be invoked by passing it as a parameter the URL written in reverse that can be seen at the end of the image. 
This will cause it to execute in a fileless way, making it more complicated to detect with antivirus tools.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Stage 3: First DLL injected inside the powershell environment: DLL.PPAM (Fiber.dll)<\/strong><\/h2>\n\n\n\n<p>As indicated, the first DLL injected in the PowerShell environment is DLL.PPAM (Fiber.dll).<\/p>\n\n\n\n<figure class=\"wp-block-table aligncenter\"><table><tbody><tr><td>md5<\/td><td>2552287b4733078f12b4a831c698cab6<\/td><\/tr><tr><td>sha1<\/td><td>c615919f27daeeab06be9a669bebd547e557bf38<\/td><\/tr><tr><td>sha256<\/td><td>7f0289f08df904da436b8e99605e74518c29f3321a10c7c0b37fced0f1e93202<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Going into further detail, DLL.PPAM is a .NET DLL protected with Yano protector (1.X).<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"775\" height=\"492\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/10-DLL-.NET-Fileless.png\" alt=\"\" class=\"wp-image-1707\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/10-DLL-.NET-Fileless.png 775w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/10-DLL-.NET-Fileless-300x190.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/10-DLL-.NET-Fileless-768x488.png 768w\" sizes=\"(max-width: 775px) 100vw, 775px\" \/><figcaption>Fiber.dll properties<\/figcaption><\/figure><\/div>\n\n\n\n<p>After reviewing the general properties of the DLL, its original name can be observed: <strong>Fiber.dll<\/strong>.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"659\" height=\"146\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/11-Nombre-original-del-fichero.png\" alt=\"\" class=\"wp-image-1708\" 
srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/11-Nombre-original-del-fichero.png 659w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/11-Nombre-original-del-fichero-300x66.png 300w\" sizes=\"(max-width: 659px) 100vw, 659px\" \/><figcaption>Original file name extracted with PEStudio tool. (<a rel=\"noreferrer noopener\" href=\"https:\/\/www.winitor.com\/download\" target=\"_blank\">https:\/\/www.winitor.com\/download<\/a>)<\/figcaption><\/figure><\/div>\n\n\n\n<p>No obfuscation or similar action by the protector is observed.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"890\" height=\"491\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/12-Punto-de-entrada-en-Fiber.dll-Fase-tercera.png\" alt=\"\" class=\"wp-image-1709\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/12-Punto-de-entrada-en-Fiber.dll-Fase-tercera.png 890w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/12-Punto-de-entrada-en-Fiber.dll-Fase-tercera-300x166.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/12-Punto-de-entrada-en-Fiber.dll-Fase-tercera-768x424.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/12-Punto-de-entrada-en-Fiber.dll-Fase-tercera-400x222.png 400w\" sizes=\"(max-width: 890px) 100vw, 890px\" \/><figcaption>Entry Point (EP) in Fiber.dll (third stage)<\/figcaption><\/figure><\/div>\n\n\n\n<p>Fiber.dll checks whether the file <strong>C:\\Windows\\Temp\\Debug.vbs<\/strong> exists on the computer. If so, Fiber.dll refers to it by the name it was given in the previous step. If no such file exists, it copies the .vbs from the current path to that location under the name Debug.vbs. 
This file is the one that persists on the machine and the one that will be launched when the user session is started as seen in the persistence previously.<\/p>\n\n\n\n<p>It then performs a series of consecutive steps in an infinite loop to prepare and trigger the next stages of infection.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"601\" height=\"335\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/13-Descarga-y-preparacion-del-inyector-Cuarta-fase.png\" alt=\"\" class=\"wp-image-1711\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/13-Descarga-y-preparacion-del-inyector-Cuarta-fase.png 601w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/13-Descarga-y-preparacion-del-inyector-Cuarta-fase-300x167.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/13-Descarga-y-preparacion-del-inyector-Cuarta-fase-400x222.png 400w\" sizes=\"(max-width: 601px) 100vw, 601px\" \/><figcaption>Download and preparation of the injector (fourth stage)<\/figcaption><\/figure><\/div>\n\n\n\n<p>In particular, it is observed that it downloads resources that will be used in the next phase of the infection. 
Once the download is done, it prepares the received data by reversing the obfuscated paths.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"503\" height=\"445\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/14-Descarga-y-preparacion-del-RATpayload-final.png\" alt=\"\" class=\"wp-image-1712\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/14-Descarga-y-preparacion-del-RATpayload-final.png 503w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/14-Descarga-y-preparacion-del-RATpayload-final-300x265.png 300w\" sizes=\"(max-width: 503px) 100vw, 503px\" \/><figcaption>Download and preparation of the RAT (final payload)<\/figcaption><\/figure><\/div>\n\n\n\n<p>Similar to the previous block, it also downloads the RAT that will eventually be deployed on the machine. In this case the download URL is received as a parameter when the DLL is invoked, with a simple obfuscation (reversed text). 
It also constructs a path that will be used later to pass the value  as a parameter in the next stage.<\/p>\n\n\n\n<p>The next step is to ensure persistence in a simple but functional way:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"657\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/15-Persistencia-DLL-.NET_-1024x657.png\" alt=\"\" class=\"wp-image-1713\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/15-Persistencia-DLL-.NET_-1024x657.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/15-Persistencia-DLL-.NET_-300x193.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/15-Persistencia-DLL-.NET_-768x493.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/15-Persistencia-DLL-.NET_.png 1237w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>Persistence<\/figcaption><\/figure><\/div>\n\n\n\n<p>As can be seen,&nbsp; the persistence is done by creating a link in the user&#8217;s Startup folder, camouflaging itself under the guise of Notepad.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"697\" height=\"551\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/16-Persistencia-Startup.png\" alt=\"\" class=\"wp-image-1715\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/16-Persistencia-Startup.png 697w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/16-Persistencia-Startup-300x237.png 300w\" sizes=\"(max-width: 697px) 100vw, 697px\" \/><figcaption>Startup persistence<\/figcaption><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"818\" height=\"225\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/17-Invocacion-de-la-fase-4-Inyector.png\" alt=\"\" 
class=\"wp-image-1716\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/17-Invocacion-de-la-fase-4-Inyector.png 818w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/17-Invocacion-de-la-fase-4-Inyector-300x83.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/17-Invocacion-de-la-fase-4-Inyector-768x211.png 768w\" sizes=\"(max-width: 818px) 100vw, 818px\" \/><figcaption>Invocation of stage 4 (injector)<\/figcaption><\/figure><\/div>\n\n\n\n<p>Finally, it loads a payload (injector) obtained in the first download into the current application domain. Once the base64 encoding has been decoded, it invokes the &#8220;Ande&#8221; method of the &#8220;Tools&#8221; class of the &#8220;FSociety&#8221; module, passing as arguments the path previously constructed from the .NET path and the payload received from the second download, after decoding the base64 encoding as well.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Stage 4: Second DLL injected inside the powershell environment: RUMP.DLL (Fsociety.dll)<\/strong><\/h2>\n\n\n\n<p>At this stage the malware is already operating with fileless files in memory. 
In this case, we focus on the second DLL injected into the PowerShell process space, rump.dll (fsociety.dll). The hashes that identify this artefact are listed below:<\/p>\n\n\n\n<figure class=\"wp-block-table aligncenter\"><table><tbody><tr><td>md5<\/td><td>a703c90e7ed1b0eb8ab552ec112f46c1<\/td><\/tr><tr><td>sha1<\/td><td>b7e6a0a39e50383823f0d48db77347a3dc2fdbbc<\/td><\/tr><tr><td>sha256<\/td><td>5d910ee5697116faa3f4efe230a9d06f6e3f80a7ad2cf8e122546b10e34a0088<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>This is another unpacked .NET DLL with the same protector: Yano (1.X).<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"773\" height=\"493\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/18-Propiedades-inyector-.NET_.png\" alt=\"\" class=\"wp-image-1720\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/18-Propiedades-inyector-.NET_.png 773w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/18-Propiedades-inyector-.NET_-300x191.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/18-Propiedades-inyector-.NET_-768x490.png 768w\" sizes=\"(max-width: 773px) 100vw, 773px\" \/><figcaption>Fsociety.dll properties<\/figcaption><\/figure><\/div>\n\n\n\n<p>A static review of the binary shows the import of functions clearly associated with process injection:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"903\" height=\"224\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/19-Importacion-de-funciones-inyeccion.png\" alt=\"\" class=\"wp-image-1721\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/19-Importacion-de-funciones-inyeccion.png 903w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/19-Importacion-de-funciones-inyeccion-300x74.png 300w, 
https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/19-Importacion-de-funciones-inyeccion-768x191.png 768w\" sizes=\"(max-width: 903px) 100vw, 903px\" \/><figcaption>Import of the injection functions extracted with PEStudio tool. (<a rel=\"noreferrer noopener\" href=\"https:\/\/www.winitor.com\/download\" target=\"_blank\">https:\/\/www.winitor.com\/download<\/a>)<\/figcaption><\/figure><\/div>\n\n\n\n<p>The original name of this DLL is Fsociety.dll.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"542\" height=\"144\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/20-Nombre-original-Inyector-DLL.png\" alt=\"\" class=\"wp-image-1723\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/20-Nombre-original-Inyector-DLL.png 542w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/20-Nombre-original-Inyector-DLL-300x80.png 300w\" sizes=\"(max-width: 542px) 100vw, 542px\" \/><figcaption>Original name of the DLL injector extracted with PEStudio tool. 
(<a rel=\"noreferrer noopener\" href=\"https:\/\/www.winitor.com\/download\" target=\"_blank\">https:\/\/www.winitor.com\/download<\/a>)<\/figcaption><\/figure><\/div>\n\n\n\n<p>The method invoked during the execution of the third stage expects two parameters: <\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Path of the binary into which the final payload will be injected: C:\\windows\\Microsoft.Net\\Framework\\4.0.30319\\RegAsm.exe<\/li><li>Final payload (NjRAT).<\/li><\/ol>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"467\" height=\"528\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/21-Funcion-de-entrada-del-inyector.png\" alt=\"\" class=\"wp-image-1725\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/21-Funcion-de-entrada-del-inyector.png 467w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/21-Funcion-de-entrada-del-inyector-265x300.png 265w\" sizes=\"(max-width: 467px) 100vw, 467px\" \/><figcaption>&#8220;Ande&#8221; method in the &#8220;Tool&#8221; Class (Fsociety.dll)<\/figcaption><\/figure><\/div>\n\n\n\n<p>This function triggers the whole process of launching and injecting the final payload (NjRAT).<\/p>\n\n\n\n<p>This binary, as seen above, imports functions associated with the injection and management of processes, sections, threads, etc. Since they are not implemented within the C# code, the malware must import them from external libraries (kernel32.dll). 
So, as a result, the following API functions are declared by the malware.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"887\" height=\"675\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/22-Declaracion-de-extern-de-funciones-de-API.png\" alt=\"\" class=\"wp-image-1726\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/22-Declaracion-de-extern-de-funciones-de-API.png 887w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/22-Declaracion-de-extern-de-funciones-de-API-300x228.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/22-Declaracion-de-extern-de-funciones-de-API-768x584.png 768w\" sizes=\"(max-width: 887px) 100vw, 887px\" \/><figcaption>Declaration of API functions<\/figcaption><\/figure><\/div>\n\n\n\n<p>The main functionality of this binary is to inject NjRAT using the Process Hollowing technique, as will be shown later.<\/p>\n\n\n\n<p>To describe and clarify the behavior of the malicious dll, the detailed steps performed by the malware until the injection becomes effective are shown below:<\/p>\n\n\n\n<p>1.- A legitimate suspended RegAsm.exe process is created by calling to CreateProcess:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"500\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/23-ProcessHollowing-\u2013-Creacion-del-proceso-victima-1024x500.png\" alt=\"\" class=\"wp-image-1728\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/23-ProcessHollowing-\u2013-Creacion-del-proceso-victima-1024x500.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/23-ProcessHollowing-\u2013-Creacion-del-proceso-victima-300x147.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/23-ProcessHollowing-\u2013-Creacion-del-proceso-victima-768x375.png 768w, 
https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/23-ProcessHollowing-\u2013-Creacion-del-proceso-victima.png 1068w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>Creation of the victim process<\/figcaption><\/figure><\/div>\n\n\n\n<p>2.- The thread context of the previously created RegAsm.exe process is obtained with GetThreadContext.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"593\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/Image20230316003119-1024x593.png\" alt=\"\" class=\"wp-image-1762\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/Image20230316003119-1024x593.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/Image20230316003119-300x174.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/Image20230316003119-768x445.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/Image20230316003119.png 1084w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>ProcessHollowing: GetThreadContext<\/figcaption><\/figure><\/div>\n\n\n\n<p>3.- A call to ReadProcessMemory is made on RegAsm:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"476\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/25-ProcessHollowing-Obtencion-del-ImageBaseAddress-del-proceso-victima-1024x476.png\" alt=\"\" class=\"wp-image-1731\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/25-ProcessHollowing-Obtencion-del-ImageBaseAddress-del-proceso-victima-1024x476.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/25-ProcessHollowing-Obtencion-del-ImageBaseAddress-del-proceso-victima-300x140.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/25-ProcessHollowing-Obtencion-del-ImageBaseAddress-del-proceso-victima-768x357.png 768w, 
https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/25-ProcessHollowing-Obtencion-del-ImageBaseAddress-del-proceso-victima.png 1081w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>Process Hollowing: Obtaining the ImageBaseAddress of the victim process<\/figcaption><\/figure><\/div>\n\n\n\n<p>This call reads 4 bytes from the PEB, specifically the IBA (Image Base Address) of the RegAsm process.<\/p>\n\n\n\n<p>Then, it compares the IBA of the binary to be injected, which has been obtained previously, with the IBA of the victim process extracted by the call to ReadProcessMemory. If they are the same, it calls NtUnmapViewOfSection to unmap that section from the memory of the victim process.<\/p>\n\n\n\n<p>4.- A new memory section is reserved with VirtualAllocEx to hold the final NjRAT payload.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"567\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/26-ProcessHollowing-Reserva-de-memoria-para-el-payload-final-1024x567.png\" alt=\"\" class=\"wp-image-1732\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/26-ProcessHollowing-Reserva-de-memoria-para-el-payload-final-1024x567.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/26-ProcessHollowing-Reserva-de-memoria-para-el-payload-final-300x166.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/26-ProcessHollowing-Reserva-de-memoria-para-el-payload-final-768x425.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/26-ProcessHollowing-Reserva-de-memoria-para-el-payload-final-400x222.png 400w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/26-ProcessHollowing-Reserva-de-memoria-para-el-payload-final.png 1088w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>Memory reservation for the final payload<\/figcaption><\/figure><\/div>\n\n\n\n<p>As can be seen, 64KB of memory has been reserved at address 0x400000 with read, write and execute (RWX) permissions.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"434\" height=\"412\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/27-ProcessHollowing-Nueva-seccion-reservada.png\" alt=\"\" class=\"wp-image-1733\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/27-ProcessHollowing-Nueva-seccion-reservada.png 434w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/27-ProcessHollowing-Nueva-seccion-reservada-300x285.png 300w\" sizes=\"(max-width: 434px) 100vw, 434px\" \/><figcaption>Process Hollowing: New section<\/figcaption><\/figure><\/div>\n\n\n\n<p>At this point of the execution, the content of this memory section remains empty.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"580\" height=\"143\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/28-Contenido-vacio-de-la-seccion.png\" alt=\"\" class=\"wp-image-1734\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/28-Contenido-vacio-de-la-seccion.png 580w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/28-Contenido-vacio-de-la-seccion-300x74.png 300w\" sizes=\"(max-width: 580px) 100vw, 580px\" \/><figcaption>Empty content<\/figcaption><\/figure><\/div>\n\n\n\n<p>5.- A call is made to WriteProcessMemory on that section to begin filling that memory area.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"546\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/29-ProcessHollowing-Escritura-parcial-en-memoria-de-NjRAT-1-1024x546.png\" alt=\"\" class=\"wp-image-1736\" 
srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/29-ProcessHollowing-Escritura-parcial-en-memoria-de-NjRAT-1-1024x546.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/29-ProcessHollowing-Escritura-parcial-en-memoria-de-NjRAT-1-300x160.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/29-ProcessHollowing-Escritura-parcial-en-memoria-de-NjRAT-1-768x409.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/29-ProcessHollowing-Escritura-parcial-en-memoria-de-NjRAT-1.png 1049w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>Process Hollowing &#8211; WriteProcessMemory<\/figcaption><\/figure><\/div>\n\n\n\n<p>Through this call, only the first 512B of the PE header have been written.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"663\" height=\"631\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/30-Cabecera-parcial-en-memoria-de-NjRAT.png\" alt=\"\" class=\"wp-image-1738\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/30-Cabecera-parcial-en-memoria-de-NjRAT.png 663w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/30-Cabecera-parcial-en-memoria-de-NjRAT-300x286.png 300w\" sizes=\"(max-width: 663px) 100vw, 663px\" \/><figcaption>Partial header in memory of NjRAT<\/figcaption><\/figure><\/div>\n\n\n\n<p>Then, using the BlockCopy method of the C# Buffer class, another part of the PE is copied to another byte array that will be used later.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"632\" height=\"297\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/31-Copia-parcial-NjRAT.png\" alt=\"\" class=\"wp-image-1742\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/31-Copia-parcial-NjRAT.png 632w, 
https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/31-Copia-parcial-NjRAT-300x141.png 300w\" sizes=\"(max-width: 632px) 100vw, 632px\" \/><figcaption>Process Hollowing &#8211; BlockCopy<\/figcaption><\/figure><\/div>\n\n\n\n<p>Finally, the content of this new intermediate array is copied to the reserved section in RegAsm.exe to continue building the PE in memory.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"515\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/32-ProcessHollowing-Escritura-parcial-en-memoria-de-NjRAT-1024x515.png\" alt=\"\" class=\"wp-image-1743\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/32-ProcessHollowing-Escritura-parcial-en-memoria-de-NjRAT-1024x515.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/32-ProcessHollowing-Escritura-parcial-en-memoria-de-NjRAT-300x151.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/32-ProcessHollowing-Escritura-parcial-en-memoria-de-NjRAT-768x387.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/32-ProcessHollowing-Escritura-parcial-en-memoria-de-NjRAT.png 1049w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>Process Hollowing &#8211; Write process memory<\/figcaption><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"664\" height=\"345\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/33-Contenido-parcial-NjRAT.png\" alt=\"\" class=\"wp-image-1745\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/33-Contenido-parcial-NjRAT.png 664w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/33-Contenido-parcial-NjRAT-300x156.png 300w\" sizes=\"(max-width: 664px) 100vw, 664px\" \/><figcaption>Partial content of NjRAT<\/figcaption><\/figure><\/div>\n\n\n\n<p>Analogously to the previous one (BlockCopy + WriteProcessMemory), another part of the binary (1024 bytes) is copied to the memory of the RegAsm process.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"520\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/34-Copia-bloque-parcial-NjRAT-1024x520.png\" alt=\"\" class=\"wp-image-1746\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/34-Copia-bloque-parcial-NjRAT-1024x520.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/34-Copia-bloque-parcial-NjRAT-300x152.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/34-Copia-bloque-parcial-NjRAT-768x390.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/34-Copia-bloque-parcial-NjRAT.png 1060w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>Partial block copy of NjRAT<\/figcaption><\/figure><\/div>\n\n\n\n<p>This set of BlockCopy + WriteProcessMemory calls is carried out three more times until the binary has been completely written into memory. In total, five BlockCopy + WriteProcessMemory iterations were necessary to write the file completely into memory. 
This is possibly a measure to evade AV detection in memory.<\/p>\n\n\n\n<p>6.- A call is made to SetThreadContext to set the new entry point of the thread.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"410\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/35-ProcessHollowing-Escritura-del-nuevo-contexto-de-ejecucion-1024x410.png\" alt=\"\" class=\"wp-image-1747\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/35-ProcessHollowing-Escritura-del-nuevo-contexto-de-ejecucion-1024x410.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/35-ProcessHollowing-Escritura-del-nuevo-contexto-de-ejecucion-300x120.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/35-ProcessHollowing-Escritura-del-nuevo-contexto-de-ejecucion-768x308.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/35-ProcessHollowing-Escritura-del-nuevo-contexto-de-ejecucion.png 1086w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>Process Hollowing &#8211; SetThreadContext<\/figcaption><\/figure><\/div>\n\n\n\n<p>7.- Finally, a call to ResumeThread is made to resume the execution of the thread.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"365\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/36-ProcessHollowing-Reinicio-de-la-ejecucion-del-hilo-1024x365.png\" alt=\"\" class=\"wp-image-1748\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/36-ProcessHollowing-Reinicio-de-la-ejecucion-del-hilo-1024x365.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/36-ProcessHollowing-Reinicio-de-la-ejecucion-del-hilo-300x107.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/36-ProcessHollowing-Reinicio-de-la-ejecucion-del-hilo-768x274.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/36-ProcessHollowing-Reinicio-de-la-ejecucion-del-hilo.png 1067w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>Process Hollowing &#8211; ResumeThread<\/figcaption><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1002\" height=\"84\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/37-NjRAT-en-ejecucion.png\" alt=\"\" class=\"wp-image-1749\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/37-NjRAT-en-ejecucion.png 1002w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/37-NjRAT-en-ejecucion-300x25.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/37-NjRAT-en-ejecucion-768x64.png 768w\" sizes=\"(max-width: 1002px) 100vw, 1002px\" \/><figcaption>NjRAT ready for execution<\/figcaption><\/figure><\/div>\n\n\n\n<p>At this point of the execution, the RegAsm process stands out for its CPU consumption, and an analysis of the generated traffic shows connection attempts to the NjRAT C2 every 2 seconds.<\/p>\n\n\n\n<div 
class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"304\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/38-Trafico-de-NjRAT-1024x304.png\" alt=\"\" class=\"wp-image-1750\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/38-Trafico-de-NjRAT-1024x304.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/38-Trafico-de-NjRAT-300x89.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/38-Trafico-de-NjRAT-768x228.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/38-Trafico-de-NjRAT.png 1350w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>NjRAT traffic<\/figcaption><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"80\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/39-Comunicacion-NjRAT-1024x80.png\" alt=\"\" class=\"wp-image-1752\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/39-Comunicacion-NjRAT-1024x80.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/39-Comunicacion-NjRAT-300x23.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/39-Comunicacion-NjRAT-768x60.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/39-Comunicacion-NjRAT.png 1043w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>NjRAT communication<\/figcaption><\/figure><\/div>\n\n\n\n<p><strong>Note: The IP 192.0.2.123 is a simulated IP and does not correspond to the real IP to which prueba30novok.duckdns.org would resolve.<\/strong><\/p>\n\n\n\n<p>In case any of the previous calls (e.g. 
VirtualAllocEx) fails to reserve memory in the victim process, the victim process is terminated and the whole injection chain is started again from step 1 (CreateProcess).<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"591\" height=\"331\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/40-Errores-algoritmo-de-inyeccion.png\" alt=\"\" class=\"wp-image-1751\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/40-Errores-algoritmo-de-inyeccion.png 591w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/40-Errores-algoritmo-de-inyeccion-300x168.png 300w\" sizes=\"(max-width: 591px) 100vw, 591px\" \/><figcaption>Instruction for killing RegAsm<\/figcaption><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Stage 5: NjRAT<\/strong><\/h2>\n\n\n\n<p>A closer look at the RegAsm process shows that NjRAT is indeed loaded in its memory and it is possible to find its configuration parameters:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"551\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/41-Configuracion-NjRAT-1024x551.png\" alt=\"\" class=\"wp-image-1754\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/41-Configuracion-NjRAT-1024x551.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/41-Configuracion-NjRAT-300x161.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/41-Configuracion-NjRAT-768x413.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/41-Configuracion-NjRAT.png 1277w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>NjRAT configuration<\/figcaption><\/figure><\/div>\n\n\n\n<p>Finally, once the debugging of the process is finished, it is observed that it does not depend on explorer, and that the powershell process that was in charge of launching the DLL injector finished its execution once NjRAT had been correctly injected into the RegAsm.exe process.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"413\" height=\"192\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/42-Arbol-de-procesos.png\" alt=\"\" class=\"wp-image-1755\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/42-Arbol-de-procesos.png 413w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/42-Arbol-de-procesos-300x139.png 300w\" sizes=\"(max-width: 413px) 100vw, 413px\" \/><figcaption>Process tree<\/figcaption><\/figure><\/div>\n\n\n\n<p>As already mentioned, the objective of this publication was to get to this point. Perhaps in the future we will delve into the analysis of NjRAT, something that is not addressed on this occasion so as not to detract from the publication.<\/p>\n\n\n\n<p>It should be noted that NjRAT has been triggered at this point, but the same operation could be maintained to trigger other malware, and it is precisely on this operation that we wanted to keep the focus.<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Comparison between APT-C-36 campaigns<\/strong><\/h2>\n\n\n\n<p>In summary, all APT-C-36 campaigns detected during the last quarter are collected here in table form. 
The objective is to highlight the representative artifact type in each phase for the campaigns.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"722\" height=\"222\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/Captura-de-pantalla-2023-03-16-003358.png\" alt=\"\" class=\"wp-image-1763\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/Captura-de-pantalla-2023-03-16-003358.png 722w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/Captura-de-pantalla-2023-03-16-003358-300x92.png 300w\" sizes=\"(max-width: 722px) 100vw, 722px\" \/><figcaption>Artifacts used during the infection<\/figcaption><\/figure><\/div>\n\n\n\n<p>Taking into account that the first stage deals with the lure of the attack (usually a phishing file carrying the camouflaged trigger), we can simplify the comparison by referring to the most representative files of the remaining stages.<\/p>\n\n\n\n<p>Although the .vbs file of the second phase has a different name in each campaign, so far we have always identified a file with this extension as the protagonist of this stage: it loads fiber.dll and is used for persistence.<\/p>\n\n\n\n<p>On the other hand, the DLLs of the third and fourth stages are kept as fiber.dll and fsociety.dll. 
The name of these DLLs changes for the deployment of LimeRAT, in which it should be noted that more obfuscation features are observed.<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Dealing with the chain of infection for LimeRAT:<\/strong><\/h2>\n\n\n\n<p>This campaign starts with the execution of the file &#8216;DOCUMENTO (FGE).vbs&#8217;.<\/p>\n\n\n\n<p>md5 : 4cb86eadbadba68752d539597e6ab5ad<br>sha1 : 3e1682855ad4035134f6ebd68d56824535b4ca03<br>sha256: b1b114c09344edc0be3459e3a93f47ef584df37b58500b7f420f8232e7cac6f5<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"504\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/43-LR_VBS-ofuscado-1024x504.png\" alt=\"\" class=\"wp-image-1768\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/43-LR_VBS-ofuscado-1024x504.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/43-LR_VBS-ofuscado-300x148.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/43-LR_VBS-ofuscado-768x378.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/43-LR_VBS-ofuscado-1536x756.png 1536w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/43-LR_VBS-ofuscado.png 1744w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>LimeRAT campaign: .vbs<\/figcaption><\/figure><\/div>\n\n\n\n<p>The image shows the obfuscated code that finally launches a powershell command:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"192\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/44_LR_Powershell-ofuscado-1-1024x192.png\" alt=\"\" class=\"wp-image-1769\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/44_LR_Powershell-ofuscado-1-1024x192.png 1024w, 
https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/44_LR_Powershell-ofuscado-1-300x56.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/44_LR_Powershell-ofuscado-1-768x144.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/44_LR_Powershell-ofuscado-1-1536x289.png 1536w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/44_LR_Powershell-ofuscado-1.png 1740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>Obfuscated powershell<\/figcaption><\/figure><\/div>\n\n\n\n<p>After some deobfuscation operations, the code that will be executed is obtained:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"149\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/45_LR_Powershell-desofuscado-1024x149.png\" alt=\"\" class=\"wp-image-1770\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/45_LR_Powershell-desofuscado-1024x149.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/45_LR_Powershell-desofuscado-300x44.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/45_LR_Powershell-desofuscado-768x112.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/45_LR_Powershell-desofuscado-1536x224.png 1536w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/45_LR_Powershell-desofuscado.png 1649w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>Deobfuscated powershell<\/figcaption><\/figure><\/div>\n\n\n\n<p>After removing the remaining layer of obfuscation, the code that powershell will finally run is reached.<\/p>\n\n\n\n<p>The entry method GzeUpA of the .NET module KZUTPv.WUGabK, which is to be loaded into powershell memory, is then analysed.<\/p>\n\n\n\n<p>The same type of infinite loop is observed, with a switch-case structure in which the program flow executes each and every one of the &#8220;cases&#8221; of the switch-case.<\/p>\n\n\n\n<p>In this case the 
persistence in the machine will be done by copying the VBS file to the startup folder.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"900\" height=\"150\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/46_LR_Persistencia.png\" alt=\"\" class=\"wp-image-1771\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/46_LR_Persistencia.png 900w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/46_LR_Persistencia-300x50.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/46_LR_Persistencia-768x128.png 768w\" sizes=\"(max-width: 900px) 100vw, 900px\" \/><figcaption>Persistence<\/figcaption><\/figure><\/div>\n\n\n\n<p>Additionally, a scheduled task will be created that will execute the previously created persistence file every minute.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"213\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/47_LR_Persistencia-tarea-programada-1024x213.png\" alt=\"\" class=\"wp-image-1772\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/47_LR_Persistencia-tarea-programada-1024x213.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/47_LR_Persistencia-tarea-programada-300x62.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/47_LR_Persistencia-tarea-programada-768x160.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/47_LR_Persistencia-tarea-programada.png 1179w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>Scheduled task<\/figcaption><\/figure><\/div>\n\n\n\n<p>The scheduled task has been disabled in order to continue with the analysis.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"999\" height=\"366\" 
src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/48_LR_Visor-tarea-programada.png\" alt=\"\" class=\"wp-image-1773\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/48_LR_Visor-tarea-programada.png 999w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/48_LR_Visor-tarea-programada-300x110.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/48_LR_Visor-tarea-programada-768x281.png 768w\" sizes=\"(max-width: 999px) 100vw, 999px\" \/><figcaption>Scheduled task created<\/figcaption><\/figure><\/div>\n\n\n\n<p>Next, both the DLL injector and the final payload, in this case LimeRAT, are downloaded. The downloads and obfuscations are carried out in a similar way to the case study.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"908\" height=\"529\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/49_LR_Descarga-de-artefactos.png\" alt=\"\" class=\"wp-image-1774\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/49_LR_Descarga-de-artefactos.png 908w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/49_LR_Descarga-de-artefactos-300x175.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/49_LR_Descarga-de-artefactos-768x447.png 768w\" sizes=\"(max-width: 908px) 100vw, 908px\" \/><figcaption>Artifacts downloads<\/figcaption><\/figure><\/div>\n\n\n\n<p>Finally, it will load in the memory of the powershell process the injector DLL and will invoke the PQHWQG method of the AGWNqj.ThUQsn class, passing it as arguments the path of the binary where it will inject the final payload and the LimeRAT payload downloaded previously.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1014\" height=\"148\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/50_LR_Carga-inyector.png\" alt=\"\" 
class=\"wp-image-1776\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/50_LR_Carga-inyector.png 1014w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/50_LR_Carga-inyector-300x44.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/50_LR_Carga-inyector-768x112.png 768w\" sizes=\"(max-width: 1014px) 100vw, 1014px\" \/><figcaption>Injector DLL<\/figcaption><\/figure><\/div>\n\n\n\n<p>In this case, an obfuscation of the methods and variables of the loaded DLL is observed.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"530\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/51_LR_Ofuscacion-metodos-inyector-1024x530.png\" alt=\"\" class=\"wp-image-1777\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/51_LR_Ofuscacion-metodos-inyector-1024x530.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/51_LR_Ofuscacion-metodos-inyector-300x155.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/51_LR_Ofuscacion-metodos-inyector-768x397.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/51_LR_Ofuscacion-metodos-inyector.png 1069w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>Obfuscation of methods<\/figcaption><\/figure><\/div>\n\n\n\n<p>Similarly, the same structure of infinite loops is observed with switch-case structures.<\/p>\n\n\n\n<p>It is noted that the defined extern are also obfuscated, although the logic is similar to the detailed NjRAT case study.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"577\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/52_LR_Extern-definidos-inyector-1024x577.png\" alt=\"\" class=\"wp-image-1778\" 
srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/52_LR_Extern-definidos-inyector-1024x577.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/52_LR_Extern-definidos-inyector-300x169.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/52_LR_Extern-definidos-inyector-768x433.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/52_LR_Extern-definidos-inyector.png 1108w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>Defined externs<\/figcaption><\/figure><\/div>\n\n\n\n<p>Subsequently, as in the case study, the execution flow will be started, which will use the process hollowing technique to inject the LimeRAT payload into the RegAsm.exe process.<\/p>\n\n\n\n<p>As can be seen, a new RegAsm process has been created in a suspended state.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"530\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/53_LR_CreateProcess-inyector-1024x530.png\" alt=\"\" class=\"wp-image-1779\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/53_LR_CreateProcess-inyector-1024x530.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/53_LR_CreateProcess-inyector-300x155.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/53_LR_CreateProcess-inyector-768x397.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/53_LR_CreateProcess-inyector.png 1179w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>CreateProcess in suspended state<\/figcaption><\/figure><\/div>\n\n\n\n<p>In the following, in order not to extend the article too much, API calls have been omitted as they are similar to the case study detailed above. 
The only difference is that they have an obfuscation layer.<\/p>\n\n\n\n<p>A review of the memory of the RegAsm process shows that the final payload has been successfully injected.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"661\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/54_LR_Seccion-memoria-LimeRAT-1024x661.png\" alt=\"\" class=\"wp-image-1780\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/54_LR_Seccion-memoria-LimeRAT-1024x661.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/54_LR_Seccion-memoria-LimeRAT-300x194.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/54_LR_Seccion-memoria-LimeRAT-768x496.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/54_LR_Seccion-memoria-LimeRAT.png 1210w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>Payload injection<\/figcaption><\/figure><\/div>\n\n\n\n<p>As can be seen, once the call to ResumeThread happens, the process has been correctly injected and some CPU consumption is observed.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"895\" height=\"564\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/55_LR_ResumeThread-LimeRAT.png\" alt=\"\" class=\"wp-image-1814\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/55_LR_ResumeThread-LimeRAT.png 895w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/55_LR_ResumeThread-LimeRAT-300x189.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/55_LR_ResumeThread-LimeRAT-768x484.png 768w\" sizes=\"(max-width: 895px) 100vw, 895px\" \/><figcaption>Resume Thread<\/figcaption><\/figure><\/div>\n\n\n\n<p>A review of the generated traffic shows connection attempts to LimeRAT&#8217;s C2 approximately every 2 seconds.<\/p>\n\n\n\n<div 
class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"180\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/56_LR_Trafico-de-red-LimeRAT-1024x180.png\" alt=\"\" class=\"wp-image-1782\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/56_LR_Trafico-de-red-LimeRAT-1024x180.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/56_LR_Trafico-de-red-LimeRAT-300x53.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/56_LR_Trafico-de-red-LimeRAT-768x135.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/56_LR_Trafico-de-red-LimeRAT.png 1476w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>LimeRAT traffic<\/figcaption><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"993\" height=\"452\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/57_LR_Trafico-de-red-contenido-LimeRAT.png\" alt=\"\" class=\"wp-image-1784\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/57_LR_Trafico-de-red-contenido-LimeRAT.png 993w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/57_LR_Trafico-de-red-contenido-LimeRAT-300x137.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/57_LR_Trafico-de-red-contenido-LimeRAT-768x350.png 768w\" sizes=\"(max-width: 993px) 100vw, 993px\" \/><figcaption>LimeRAT traffic encoded<\/figcaption><\/figure><\/div>\n\n\n\n<p><strong>Note: The IP 192.0.2.123 is a simulated IP and does not correspond to the real IP to which prueba30novok.duckdns.org would resolve.<\/strong>&nbsp;<\/p>\n\n\n\n<p>In addition, the creation of a mutex is observed in the processes.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"462\" 
src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/58_LR_Creacion-de-mutex-LimeRAT-1024x462.png\" alt=\"\" class=\"wp-image-1783\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/58_LR_Creacion-de-mutex-LimeRAT-1024x462.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/58_LR_Creacion-de-mutex-LimeRAT-300x135.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/58_LR_Creacion-de-mutex-LimeRAT-768x347.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/58_LR_Creacion-de-mutex-LimeRAT.png 1201w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>Mutex<\/figcaption><\/figure><\/div>\n\n\n\n<p>The LimeRAT config is extracted in memory from the RegAsm process.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"601\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/59_LR_Configuracion-LimeRAT-1024x601.png\" alt=\"\" class=\"wp-image-1785\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/59_LR_Configuracion-LimeRAT-1024x601.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/59_LR_Configuracion-LimeRAT-300x176.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/59_LR_Configuracion-LimeRAT-768x450.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/59_LR_Configuracion-LimeRAT.png 1103w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>LimeRAT config extracted from memory<\/figcaption><\/figure><\/div>\n\n\n\n<p>Finally, once the injector has finished running, you can see that LimeRAT has been successfully injected and that the RegAsm process no longer depends on powershell.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"443\" height=\"324\" 
src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/60_LR_LimeRAT-en-ejecucion.png\" alt=\"\" class=\"wp-image-1786\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/60_LR_LimeRAT-en-ejecucion.png 443w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/60_LR_LimeRAT-en-ejecucion-300x219.png 300w\" sizes=\"(max-width: 443px) 100vw, 443px\" \/><figcaption>LimeRAT injected in RegAsm.exe<\/figcaption><\/figure><\/div>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>C2 Infrastructures used by APT-C-36<\/strong><\/h2>\n\n\n\n<p>The analysis of the C2 infrastructures used by APT-C-36 until February 2023 is described in this section.<\/p>\n\n\n\n<p>In summary, it can be seen that in all six campaigns the C2 domains used have first resolved to an IP belonging either to a VPN service or to a hosting service:<\/p>\n\n\n\n<figure class=\"wp-block-table aligncenter\"><table><tbody><tr><td><strong>Service<\/strong><\/td><\/tr><tr><td>Webair Internet Development Company Inc. (webair.com) Hosting<\/td><\/tr><tr><td>privacyfirst.sh<\/td><\/tr><tr><td>FDCservers.net<\/td><\/tr><tr><td>frootvpn.com<\/td><\/tr><tr><td>M247 Miami Infrastructure (ProtonVPN)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Subsequently, it is observed that in four of the six campaigns the C2 domain resolves to an IP associated with an ISP, so, as a hypothesis, it is likely that the router is used as a &#8220;reverse proxy&#8221; to hide the real C2 (see ref [1]).<\/p>\n\n\n\n<figure class=\"wp-block-table aligncenter\"><table><tbody><tr><td><strong>Service<\/strong><\/td><\/tr><tr><td>EPM-Telecomunicaciones-S.A.-E.S.P. 
(epm.net.co)<\/td><\/tr><tr><td>Colombia-M\u00f3vil (tigo.com.co)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>The data collected to reach the above conclusions are listed below, in descending chronological order.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>LimeRAT (23 Feb 2023)<\/strong><\/h3>\n\n\n\n<p>C2: fortuna777.duckdns[.]org:1994<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>Resolve<\/td><td>Location<\/td><td>First Seen<\/td><td>Last Seen<\/td><td>Info<\/td><\/tr><tr><td>46.246.12.12<\/td><td>SE<\/td><td>2023-02-23 02:04:00<\/td><td>2023-03-15 17:02:38<\/td><td>frootvpn.com<\/td><\/tr><tr><td>46.246.6.24<\/td><td>SE<\/td><td>2023-03-04 08:43:36<\/td><td>2023-03-04 08:43:36<\/td><td>frootvpn.com<\/td><\/tr><tr><td>46.246.80.10<\/td><td>SE<\/td><td>2022-12-26 18:41:27<\/td><td>2023-02-14 06:07:12<\/td><td>frootvpn.com<\/td><\/tr><tr><td>46.246.12.10<\/td><td>SE<\/td><td>2023-02-02 02:47:49<\/td><td>2023-02-02 02:47:49<\/td><td>frootvpn.com<\/td><\/tr><tr><td>46.246.6.3<\/td><td>SE<\/td><td>2023-01-29 16:17:41<\/td><td>2023-01-31 01:31:22<\/td><td>frootvpn.com<\/td><\/tr><tr><td>46.246.26.12<\/td><td>SE<\/td><td>2023-01-14 06:23:17<\/td><td>2023-01-14 06:23:17<\/td><td>frootvpn.com<\/td><\/tr><tr><td>46.246.14.10<\/td><td>SE<\/td><td>2023-01-07 05:21:02<\/td><td>2023-01-08 06:20:28<\/td><td>frootvpn.com<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>AsyncRAT (20 Feb 2023)<\/strong><\/h3>\n\n\n\n<p>C2: asy1543.duckdns[.]org:1543<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>Resolve<\/td><td>Location<\/td><td>First Seen<\/td><td>Last Seen<\/td><td>Info<\/td><\/tr><tr><td>46.246.80.20<\/td><td>SE<\/td><td>2023-03-13 19:57:05<\/td><td>2023-03-15 16:46:22<\/td><td>frootvpn.com<\/td><\/tr><tr><td>46.246.84.5<\/td><td>SE<\/td><td>2023-03-10 19:40:45<\/td><td>2023-03-12 
21:13:29<\/td><td>frootvpn.com<\/td><\/tr><tr><td>46.246.4.11<\/td><td>SE<\/td><td>2023-03-03 13:44:11<\/td><td>2023-03-08 19:14:03<\/td><td>frootvpn.com<\/td><\/tr><tr><td>46.246.12.20<\/td><td>SE<\/td><td>2023-03-02 12:18:57<\/td><td>2023-03-03 00:37:27<\/td><td>frootvpn.com<\/td><\/tr><tr><td>46.246.4.12<\/td><td>SE<\/td><td>2023-03-02 07:56:45<\/td><td>2023-03-02 11:21:21<\/td><td>frootvpn.com<\/td><\/tr><tr><td>46.246.4.14<\/td><td>SE<\/td><td>2023-03-01 18:50:08<\/td><td>2023-03-02 02:18:26<\/td><td>frootvpn.com<\/td><\/tr><tr><td>188.126.90.17<\/td><td>SE<\/td><td>2023-02-28 10:13:49<\/td><td>2023-03-01 03:33:10<\/td><td>frootvpn.com<\/td><\/tr><tr><td>46.246.84.13<\/td><td>SE<\/td><td>2023-02-27 14:00:37<\/td><td>2023-02-27 19:23:28<\/td><td>frootvpn.com<\/td><\/tr><tr><td>46.246.14.13<\/td><td>SE<\/td><td>2023-02-24 18:53:01<\/td><td>2023-02-25 19:07:26<\/td><td>frootvpn.com<\/td><\/tr><tr><td>46.246.82.15<\/td><td>SE<\/td><td>2023-02-15 18:36:30<\/td><td>2023-02-23 19:05:40<\/td><td>frootvpn.com<\/td><\/tr><tr><td>46.246.80.19<\/td><td>SE<\/td><td>2023-02-22 15:40:29<\/td><td>2023-02-23 00:44:24<\/td><td>frootvpn.com<\/td><\/tr><tr><td>46.246.84.6<\/td><td>SE<\/td><td>2023-02-21 19:16:46<\/td><td>2023-02-21 19:16:46<\/td><td>frootvpn.com<\/td><\/tr><tr><td>46.246.84.10<\/td><td>SE<\/td><td>2023-02-20 19:28:57<\/td><td>2023-02-21 08:23:17<\/td><td>frootvpn.com<\/td><\/tr><tr><td>46.246.14.9<\/td><td>SE<\/td><td>2023-02-17 18:36:11<\/td><td>2023-02-19 18:29:42<\/td><td>frootvpn.com<\/td><\/tr><tr><td>46.246.82.9<\/td><td>SE<\/td><td>2023-02-14 18:02:09<\/td><td>2023-02-14 18:02:09<\/td><td>frootvpn.com<\/td><\/tr><tr><td>46.246.80.15<\/td><td>SE<\/td><td>2023-02-09 18:42:44<\/td><td>2023-02-13 19:21:14<\/td><td>frootvpn.com<\/td><\/tr><tr><td>46.246.86.9<\/td><td>SE<\/td><td>2023-02-08 19:05:39<\/td><td>2023-02-08 19:05:39<\/td><td>frootvpn.com<\/td><\/tr><tr><td>46.246.4.2<\/td><td>SE<\/td><td>2023-02-06 19:04:03<\/td><td>2023-02-07 
19:15:42<\/td><td>frootvpn.com<\/td><\/tr><tr><td>46.246.86.3<\/td><td>SE<\/td><td>2023-02-02 20:47:52<\/td><td>2023-02-06 03:22:54<\/td><td>frootvpn.com<\/td><\/tr><tr><td>46.246.14.5<\/td><td>SE<\/td><td>2023-02-02 17:22:34<\/td><td>2023-02-02 17:22:34<\/td><td>frootvpn.com<\/td><\/tr><tr><td>46.246.80.9<\/td><td>SE<\/td><td>2023-02-02 03:10:11<\/td><td>2023-02-02 13:08:58<\/td><td>frootvpn.com<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>NjRAT (2 Feb 2023)<\/strong><\/h3>\n\n\n\n<p>C2: env2023nue.duckdns[.]org:1986&nbsp; \u2192 190.28.222.216<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Resolve<\/strong><\/td><td><strong>Location<\/strong><\/td><td><strong>First Seen<\/strong><\/td><td><strong>Last Seen<\/strong><\/td><td><strong>Info<\/strong><\/td><\/tr><tr><td>190.28.222.216<\/td><td>CO<\/td><td>2023-02-24 01:59:31<\/td><td>2023-02-24 01:59:31<\/td><td>EPM-Telecomunicaciones-S.A.-E.S.P.<br>adsl190-28-222-216.epm.net.co<\/td><\/tr><tr><td>190.28.229.116<\/td><td>CO<\/td><td>2023-02-22 17:44:45<\/td><td>2023-02-22 17:44:45<\/td><td>EPM-Telecomunicaciones-S.A.-E.S.P.<br>adsl190-28-229-116.epm.net.co<\/td><\/tr><tr><td>190.28.238.31<\/td><td>CO<\/td><td>2023-02-21 18:59:14<\/td><td>2023-02-22 13:50:13<\/td><td>EPM-Telecomunicaciones-S.A.-E.S.P.<br>adsl190-28-238-31.epm.net.co<\/td><\/tr><tr><td>91.192.100.4<\/td><td>CH<\/td><td>2023-02-15 18:03:24<\/td><td>2023-02-20 18:39:18<\/td><td>Datasource-AG<br>91-192-100-4.gerber.non-logging.vpn<br>privacyfirst.sh<\/td><\/tr><tr><td>91.192.100.6<\/td><td>CH<\/td><td>2023-01-31 07:53:10<\/td><td>2023-02-14 02:19:30<\/td><td>Datasource-AG<br>91-192-100-6.gerber.non-logging.vpn<br>privacyfirst.sh<br><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>NjRAT (23 Jan 2023)<\/strong><\/h3>\n\n\n\n<p>C2: enero2023.duckdns[.]org:1986&nbsp; 
\u2192 190.28.222.216<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Resolve<\/strong><\/td><td><strong>Location<\/strong><\/td><td><strong>First Seen<\/strong><\/td><td><strong>Last Seen<\/strong><\/td><td><strong>Info<\/strong><\/td><\/tr><tr><td>190.28.222.216<\/td><td>CO<\/td><td>2023-02-24 01:57:10<\/td><td>2023-02-24 01:57:10<\/td><td>EPM-Telecomunicaciones-S.A.-E.S.P.<br>adsl190-28-222-216.epm.net.co<\/td><\/tr><tr><td>23.237.25.190<\/td><td>US<\/td><td>2023-01-18 21:48:21<\/td><td>2023-01-18 21:48:21<\/td><td>Cogent-Communications<br>FDCservers.net<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>NjRAT (5 Dec 2022)<\/strong><\/h3>\n\n\n\n<p>C2: prueba30novok.duckdns[.]org:8002&nbsp; \u2192 NXDOMAIN<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Resolve<\/strong><\/td><td><strong>Location<\/strong><\/td><td><strong>First Seen<\/strong><\/td><td><strong>Last Seen<\/strong><\/td><\/tr><tr><td>173.225.115.229<\/td><td>US<\/td><td>2022-12-06 18:54:46<\/td><td>2022-12-16 18:43:54<\/td><\/tr><tr><td>23.237.25.120<\/td><td>US<\/td><td>2022-12-02 04:03:15<\/td><td>2022-12-05 16:43:30<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>23.237.25.12<\/strong><\/p>\n\n\n\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/bW_JhfXA6R2pUiScduBeuVDi60qomKcgO8bqS56w5U2Hl_GKK2wPv5P2eCCjc_A1sX6N70ViDrgNQRwNaz3MuNXF7xO81hExIklLeyJccIP76LMKO7-ickV3Y5BClPQe9yDxqXwV7fX9jy6cUsFNTw\" width=\"327\" height=\"285\"><\/p>\n\n\n\n<p>As can be seen, this IP has been resolved by multiple dynamic domains, all associated with duckdns. 
The reuse of the C2 already used in the December 2 campaign (wins23novok.duckdns[.]org) can be observed.<\/p>\n\n\n\n<p><strong>173.225.115.229<\/strong><\/p>\n\n\n\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/KdxcZWWQ_WTBzGnbILZymqeQCq2mQKo2YG0jCvcAmC8r7QefYjvr2tBoMcl02S98Kx20BBLBOZhfI_JqRvYj2BlGjJOIyt3D9HYaX12oRjtJR0tBSugcqhZfd1k1ivv7bBIW6JJU6XdZ2uBVBpo0pw\" width=\"316\" height=\"26\"><\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>NjRAT (2 Dec 2022)<\/strong><\/h3>\n\n\n\n<p>C2: wins23novok.duckdns[.]org:8000 \u2192 191.89.244.1<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Resolve<\/strong><\/td><td><strong>Location<\/strong><\/td><td><strong>First Seen<\/strong><\/td><td><strong>Last Seen<\/strong><\/td><td><strong>Info<\/strong><\/td><\/tr><tr><td>191.89.244.1<\/td><td>CO<\/td><td>2023-02-07 18:35:36<\/td><td>2023-02-24 01:31:54<\/td><td>Colombia-M\u00f3vil<br>Dinamic-Tigo-191-89-244-1.tigo.com.co<\/td><\/tr><tr><td>91.192.100.7<\/td><td>CH<\/td><td>2023-01-31 18:32:23<\/td><td>2023-02-04 18:27:34<\/td><td>Datasource-AG<br>91-192-100-7.gerber.non-logging.vpn<br>privacyfirst.sh<\/td><\/tr><tr><td>191.92.97.65<\/td><td>CO<\/td><td>2023-01-28 18:23:51<\/td><td>2023-01-30 18:34:00<\/td><td>Colombia-M\u00f3vil<br>Dinamic-Tigo-191-92-97-65.tigo.com.co<\/td><\/tr><tr><td>37.120.215.248<\/td><td>US<\/td><td>2023-01-24 18:08:14<\/td><td>2023-01-28 01:18:20<\/td><td>M247-Europe-SRL<br>M247 Miami Infrastructure<\/td><\/tr><tr><td>178.73.192.162<\/td><td>SE<\/td><td>2023-01-23 18:36:41<\/td><td>2023-01-23 18:36:41<\/td><td>apdl-asadministracao_dos_portos_do_douro_e_leixoes<br>c-178-73-192-162.ip4.frootvpn.com<br>frootvpn.com<\/td><\/tr><tr><td>23.237.25.161<\/td><td>US<\/td><td>2023-01-20 18:00:21<\/td><td>2023-01-21 18:45:23<\/td><td>Cogent-Communications<br>FDCservers.net<\/td><\/tr><tr><td>23.237.25.129<\/td><td>US<\/td><td>2023-01-17 18:30:25<\/td><td>2023-01-19 
18:30:12<\/td><td>Cogent-Communications<br>FDCservers.net<\/td><\/tr><tr><td>23.237.25.168<\/td><td>US<\/td><td>2023-01-08 17:55:26<\/td><td>2023-01-17 11:50:32<\/td><td>Cogent-Communications<br>FDCservers.net<\/td><\/tr><tr><td>23.237.25.120<\/td><td>US<\/td><td>2022-12-02 10:20:22<\/td><td>2023-01-05 18:11:50<\/td><td>Cogent-Communications<br>FDCservers.net<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Indicators of Compromise (IOCs)<\/strong><\/h2>\n\n\n\n<p>The compromise indicators observed in the different campaigns seen during the course of this analysis are listed below.<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Additional information: APT-C-36 and Hagga \/ Aggah<\/strong><\/h2>\n\n\n\n<p>The Hagga\/Aggah group has typically focused on information stealing, having been detected in March 2019 by researchers at PaloAlto-Unit42. Initially it was supposed that the main target of this group were entities within a Middle Eastern country, although subsequent research clarified that the group was active globally, affecting targets in the United States, Europe and Asia. 
In 2020 Hagga performed a campaign against the Italian manufacturing sector and later that year it was observed selling or renting its malware artefacts to other actors.<\/p>\n\n\n\n<p>Whether it is because APT-C-36 uses Hagga artefacts or for some other reason that brings them closer together, there are similarities shared by both groups:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Use of a high level of Spanish in the spear-phishing lures.<\/li><li>Downloading payloads from public storage (Google Drive, Discord).<\/li><li>Use of dynamic domains for C2 (duckdns.org).<\/li><li>Use of possibly compromised Colombian ISP router infrastructure to hide the real C2, using it as a &#8216;reverse proxy&#8217;.<\/li><li>Use of publicly available malware not developed by them (NjRAT\/AsyncRAT\/LimeRAT).<\/li><li>Use of high ports for communication with the C2 (&gt;1024).<\/li><li>Both share the goal of information stealing.<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">References<\/h2>\n\n\n\n<p>[1] &#8211; <a href=\"https:\/\/lab52.io\/blog\/apt-c-36-recent-activity-analysis\/\">https:\/\/lab52.io\/blog\/apt-c-36-recent-activity-analysis\/<\/a><\/p>\n\n\n\n<p>[2] &#8211; <a href=\"https:\/\/marcoramilli.com\/2022\/11\/21\/is-hagga-threat-actor-abusing-fsociety-framework\/\">https:\/\/marcoramilli.com\/2022\/11\/21\/is-hagga-threat-actor-abusing-fsociety-framework\/<\/a><\/p>\n\n\n\n<p>[3] &#8211; <a href=\"https:\/\/www.team-cymru.com\/post\/an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor\">https:\/\/www.team-cymru.com\/post\/an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor<\/a><\/p>\n\n\n\n<p>[4] &#8211; <a href=\"https:\/\/lab52.io\/blog\/apt-c-36-new-anti-detection-tricks\/\">https:\/\/lab52.io\/blog\/apt-c-36-new-anti-detection-tricks\/<\/a><\/p>\n\n\n\n<p>[5] &#8211; <a 
href=\"https:\/\/web.archive.org\/web\/20191207233315\/https:\/\/ti.360.net\/blog\/articles\/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en\/\">https:\/\/web.archive.org\/web\/20191207233315\/https:\/\/ti.360.net\/blog\/articles\/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en\/<\/a><\/p>\n\n\n\n<p>[6] &#8211; <a href=\"https:\/\/unit42.paloaltonetworks.com\/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign\/\">https:\/\/unit42.paloaltonetworks.com\/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign\/<\/a><\/p>\n\n\n\n<p>[7] &#8211; <a href=\"https:\/\/lab52.io\/blog\/literature-lover-targeting-colombia-with-limerat\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/lab52.io\/blog\/literature-lover-targeting-colombia-with-limerat\/<\/a><\/p>\n\n\n\n<p>[8] &#8211; <a rel=\"noreferrer noopener\" href=\"https:\/\/blogs.blackberry.com\/en\/2023\/02\/blind-eagle-apt-c-36-targets-colombia?utm_medium=social&amp;utm_content=cyber\" target=\"_blank\">https:\/\/blogs.blackberry.com\/en\/2023\/02\/blind-eagle-apt-c-36-targets-colombia?utm_medium=social&amp;utm_content=cyber<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last February a Blackberry report alluded to one of APT-C-36 campaigns (Blind Eagle). The APT-C-36 group has many similarities in terms of tactics, techniques and procedures (TTPs) with the group Hagga \/ Aggah, as we have been able to observe at Lab52. 
Particularly, this article describes one of the campaigns that has been linked to [&hellip;]<\/p>\n","protected":false},"author":24,"featured_media":1813,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[21,3],"tags":[],"class_list":{"0":"post-1678","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-apt","8":"category-apts","9":"entry"},"featured_image_src":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/Image20230316030016-600x400.png","featured_image_src_square":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/03\/Image20230316030016-600x600.png","author_info":{"display_name":"dgsecnet","author_link":"https:\/\/lab52.io\/blog\/author\/dgsecnet\/"},"_links":{"self":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/1678"}],"collection":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/users\/24"}],"replies":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/comments?post=1678"}],"version-history":[{"count":73,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/1678\/revisions"}],"predecessor-version":[{"id":1838,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/1678\/revisions\/1838"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media\/1813"}],"wp:attachment":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media?parent=1678"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/categories?
post=1678"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/tags?post=1678"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}