Similar malware:
All rights to this website belong to Ravin Academy.
- Capturing a screenshot of the screen with the https://github.com/kbinani/screenshot library:
\\209.19.37[.]184\driverpack\aact.exe
- Reverse proxy for tunneling with the https://github.com/kost/revsocks library:
\\209.19.37[.]184\driverpack\officetelemetry.exe
Analysis of malware from this attack and previous similar attacks
- Example (SHA-1: 0DAEA89F91A55F46D33C294CFE84EF06CE22E393):
Take a look at your %USERPROFILE%\Recent path. Windows creates a shortcut (LNK file) in that folder for each file that has been opened. Another malware that is downloaded and executed collects the target paths of all the shortcut files found there and sends them to the address \\24.9.51[.].94\EDGEUPDATE\update\.
- Example (SHA-1: 5B55250CC0DA407201B5F042322CFDBF56041632):
Another old example that behaves similarly; it was active as a backdoor from 2014 to 2019 and includes an LNK parser to extract file paths, but it only supported the doc, xls, xlsx, pdf and docx file formats.
- An example related to maintaining access (Persistence), using service creation with svchost.exe:
Despite the sophistication of the attack, mistakes still happen, such as the PDB path being left behind when the malware was compiled, which we can see among the strings of the program. The malware authors simply forgot to remove it, and that allows us to track their newer and more creative work.
- This older sample communicated with its C&C over SMTP, through an e-mail service. According to the analysis, it used the following library and its functions: https://github.com/korisk/csmtp/blob/master/CSmtp.cpp
- Example (SHA-1: 11CF38D971534D9B619581CEDC19319962F3B996):
The following malware enumerates the list of drives, including USB drives. It calls the API shown below in a loop, as in the pseudocode that follows, writes the volume information of each drive, and stores the result under the c:\Users\public path:
- Example (SHA-1: D14D9118335C9BF6633CB2A41023486DACBEB052):
This is the latest sample of this attack and has been active since 2020. The strings in the program are encrypted with the value 0x1: each character is taken as its byte value and 0x1 is added to it, and the strings are returned to their original form with RSA decryption using a 2048-bit private key.
It uses the DNS protocol to communicate with its C&C:
It reads its commands from the TXT records returned for its DNS queries.
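Command retrieval over DNS TXT queries leaves a usable trace in resolver logs. As an added detection example (not code from the page or from the analysed malware), the script below groups TXT queries by client and base domain and flags groups that repeat at a near-constant interval, which is how a beaconing implant typically behaves. The log format, the client addresses and the domain are constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import pstdev

# Constructed sample resolver log (assumed format: "<epoch> <client> <qtype> <qname>").
# 10.0.0.5 polls a TXT record every 60 s with a changing first label; 10.0.0.7 is benign.
SAMPLE_LOG = """\
1700000000 10.0.0.5 TXT a1f3.cmd.example-c2.invalid
1700000060 10.0.0.5 TXT b27c.cmd.example-c2.invalid
1700000120 10.0.0.5 TXT 9e01.cmd.example-c2.invalid
1700000180 10.0.0.5 TXT 44ab.cmd.example-c2.invalid
1700000240 10.0.0.5 TXT c0de.cmd.example-c2.invalid
1700000010 10.0.0.7 A www.example.org
1700000020 10.0.0.7 TXT _dmarc.example.org
1700000900 10.0.0.7 TXT example.org
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def registrable_domain(qname: str) -> str:
    """Approximate the base domain as the last two labels.
    A production version should use a public-suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def find_txt_beacons(log_text: str, min_queries: int = 4, max_jitter: float = 0.2):
    """Return (client, domain) pairs whose TXT queries repeat at a steady period.

    max_jitter is the allowed coefficient of variation (stddev / mean) of the
    gaps between consecutive queries; real implants add jitter, so tune it."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, client, qtype, qname = m.groups()
        if qtype.upper() != "TXT":
            continue
        series[(client, registrable_domain(qname))].append(int(ts))

    findings = []
    for (client, domain), times in series.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and pstdev(gaps) / mean <= max_jitter:
            findings.append({"client": client, "domain": domain,
                             "queries": len(times), "period_s": round(mean)})
    return findings
```

Corroborate a hit by checking whether the returned TXT data is long or high-entropy, and whether the first query label changes on every request, as in the constructed sample.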
Conclusion
The chaining of these techniques makes it clear that we are dealing with an experienced and skilled team. As shown above, the way the malware communicates with the attackers' servers and its other techniques may change, but by following the programming style of the malware, its intended goals, and the links between previous attacks and the new sample, together with other artifacts such as the PDB path, we can track this group's new work and take measures to prevent and detect it in our network or organization. Another noteworthy point is the possibility of this attack being used against Iranian diplomatic missions or other Iranian centers abroad.
