Custom PowerShell RAT targets Germans seeking information about the Ukraine crisis
,

Custom PowerShell RAT targets Germans seeking information about the Ukraine crisis

This blog post was authored by Hossein Jazi and JƩrƓme Segura

Populations around the worldā€”and in Europe in particularā€”are following the crisis in Ukraine very closely, and with events unfolding on a daily basis, people are hungry for information.

Although all countries have reasons to be concerned, the situation is Germany is more complicated than most. It is one of the few European countries to have received criticism for its attitude to the Ukraine-Russia conflict, as it struggles to end its reliance on Russian energy, and Moscow recently imposed sanctions on Gazprom Germania, further increasing economic tensions.

This week our analysts discovered a new campaign that plays on these concerns by trying to lure Germans with a promise of updates on the current threat situation in Ukraine. The downloaded document is in fact decoy for a Remote Access Trojan (RAT) capable of stealing data and executing other malicious commands on a victim’s computer.

Decoy site lures victims with Ukraine situation

Threat actors registered an expired German domain name at collaboration-bw[.]de that was formally used as a collaboration platform to develop new ideas for the Baden-WĆ¼rttemberg state.

The threat actors used the domain to host a website that looked like the official Baden-WĆ¼rttemberg website, baden-wuerttemberg.de.

With this copycat, the attackers created the perfect placeholder for the lure they wanted their victims to download: A file tantalising called 2022-Q2-Bedrohungslage-Ukraine(threat situation in Ukraine for Q2), offered via a prominent blue download button.

An English translation of the page reads:

Important, current threat situation regarding the Ukraine crisisOn this website you will always find the most important information and tips for dealing with the current threat posed by the Ukraine crisis. Please download the document now and read through the current information. The document is constantly updated and is up to date. Our suggested tips can be practically implemented in everyday work and you should already implement them today. Thanks for your support.

File analysis

The archive file called 2022-Q2-Bedrohungslage-Ukrainecontains a file named

2022-Q2-Bedrohungslage-Ukraine.chm
. The CHM format is Microsoft’s HTML help file format, which consists of a number of compiled HTML files.

Victims will get a fake error message when they open up that file, while PowerShell quietly runs a Base64 command.

After de-obfuscating the command we can see it is designed to execute a script downloaded from the fake Baden-WĆ¼rttemberg website, using Invoke-Expression (IEX).

The downloaded script creates a folder called SecuriyHealthServicein the current user directory and drops two files into it:

MonitorHealth.cmd
and a script called Status.txt. The
.cmd
file is very simple and just executes Status.txtthrough PowerShell.

Finally, the downloaded script makes MonitorHealth.cmdpersistent by creating a scheduled task that will execute it each day at a specific time.

PowerShell RAT (Status.txt)

Status.txtis a RAT written in PowerShell (This Rat is a modified version of an HTTP Reverse Shell that is available on Github). It starts its activities by collecting some information about the victim’s computer, such as the current username and working directory, and the computer’s hostname. It also builds a unique id for the victim, the

clientid
.

This data is exfiltrated as a JSON data structure sent to the server via a POST request:

$json='{ "type": "newclient", "result": "", "pwd": "' + $pwd_b64 + '", "cuser": "' + $cuser + '", "hostname": "' + $hname + '", "clientid": "' + $clientid + '"}';$headers=@{'X-Request-ID'=$strhash}

However, before executing this requests the script will first bypass the Windows Antimalware Scan Interface (AMSI) using an AES-encrypted function called bypass. It is decrypted using a generated key and IV before execution.

This RAT has the following capabilities:

  • Download(type: D0WNl04D): Download files from server
  • Upload(type: UPL04D): Upload file to the server
  • LoadPS1(type: L04DPS1): Load and execute a PowerShell script
  • Command(type: C0MM4ND): Execute a specific command

German command and control server

The attack was thoughtfully carried outā€”even ensuring that the stolen data was sent to a German domain name, kleinm[.]de, to avoid suspicion.

It is not easy to attribute this activity to a specific actor, and there are no solid indicators to support attribution. Based on motivation alone, we hypothesise that a Russian threat actor could be targeting German users, but without clear connections in infrastructure or similarities to known TTPs, such attribution is weak.

The Malwarebytes Threat Intelligence team continues to monitor attacks taking advantage of the warin Ukraine while ensuring our customers are protected.

Indicators of Compromise (IOCs)

Phishing site

collaboration-bw[.]de/bedrohung-ukr.html

Lure

2022-Q2-Bedrohungslage-Ukraine.zip
2430f68285120686233569e51e2147914dc87f82c7dbdf07fe0c34dbb1aca77c
2022-Q2-Bedrohungslage-Ukraine.chm
80bad7e0d5a5d2782674bb8334dcca03534aa831c37aebb5962da1cd1bec4130

Status.txt
a5d8beaa832832576ca97809be4eee9441eb6907752a7e1f9a390b29bbb9fe1f

MonitorHealth.cmd
fc71522a4125ca4bdc5e5deca4a6498e7f2da4408614c2e1284c3ae8c083a5fd

C2

kleinm[.]de

MITRE ATT&CK

Tactic ID Name Description
Execution T1059 Command and Scripting Interpreter Starts cmd.exe to run hh.exe
Executes PowerShell script to download and execute a script
Persistence T1053 Scheduled Task/Job Executes task scheduler to add MonitorHealth.cmd as a daily task
Defense evasion T1222 File and Directory Permissions Modification Uses attrib.exe to hide SecuriyHealthService folder