This blog post was authored by Hossein Jazi
Threat actors often vary their techniques to thwart security defenses and increase the efficiency of their attacks. One of the tricks they use is known as steganography and consists of hiding content within images.
We recently observed a malicious Word file that uses this technique to drop a Remote Administration Trojan (RAT) that was new to us. Based on the decoy document, we assess that this attack is targeting the government and military of Azerbaijan.
Since April 2020 attackers have been taking advantage of the tensions between Azerbaijan and Armenia to target Azerbaijanis. Researchers found several actors that have exploited this conflict via phishing lures to drop AgentTesla and PoetRat. While AgentTesla has been distributed globally through different spam campaigns, PoetRat has been used specifically to target Azerbaijanis.
It seems the document we analyze in this blog has no connection with PoetRat for several reasons: The PoetRat actor has not used steganography in its malicious documents and used Python and Lua variants while the actor we analyzed has dropped a .Net rat called Fairfax which does not seem to be a .Net variant of PoetRat.
The document lure is written in Azerbaijani and talks about a "National Security and Scientific" conference that will be held in Azerbaijan in 2021.
The malicious document contains a macro that is obfuscated. The attacker has inserted random characters within the meaningful names to obfuscate the functions and variables names. Here are some of the examples:
- AddArg_OACZT_20210214_115603_xokkn_uments29 -> AddArguments29
- zixokknpPath -> zipPath
- tesOACZTtcustomdirabcdefghijklmnopqrstuvwxyzect_OACZT_20210214_115603_xokkn_ory -> testcustomdirectory
After deobfuscation, the names become clear and can easily figure out the intent of the macro.
The attacker also used another layer of obfuscation to encode strings. Function "MyFunc23" has been defined for this purpose. This function receives an array of numbers and decodes them into a string.
This function has a loop that reads four numbers of the input array in each iteration and passes them to another function to convert them to a character. At the end it concatenates those characters to build the final string.
The convertor function defines a big switch statement that returned the character equivalent of each 4 numbers.
Upon opening the document and enabling the content the macro will be executed. At first it defines the following files and directories:
- zipPath: Directory that stores the extracted zip file from png image
- appFolder: directory that stores the Rat
- runner: path of the batch file which executes the Rat
- docxPath: path of the file that keeps a copy of the current document
- docxCopyPath: Path of the zip format of the copied document
- docxUnzipFolder: Directory that contains the document after being unzipped
Then, it tries to create the appFolder directory and if it could not create the directory it exits. After creating the directory, it copies itself in a new format to the file path defined before. The reason it copies itself in a new format is because the current document is protected and even after unzipping its content the macro will not be able to find the image to extract the zip file.
To create a copy of itself, It uses "SaveAs2" function that saves the specified document with a new name or format. The string "wdFormatDocumentDefault" has been passed in as a file format parameter which saves the document as DOCX format. In this way the macro can see the image that has embedded zip file.
In the next step, it extracts the created document copy into the created folder and calls "ExtractFromPng" function to extract the embedded object from the png file. This function calls itself recursively to read all chunk identifications within the png image until it reaches the "puNk" chunk identification which is the chunk that has the embedded zip file. After finding the chunk, it extracts and writes it into "fairfax.zip".
The "fairfax.zip" is then extracted into %APPDATA%\vstelmetry directory. It contains the an executable file (Fairfax.exe) as well as a batch file (runner.bat). The executable has been written in Visual Studio and it seems the attacker archived the whole Visual Studio project.
At the end it performs some dummy functions and then executes runner.bat to execute fairfax.exe.
This is a .Net RAT that has been developed using TAP model (Task Asynchronous Programming model). This model provides an abstraction over asynchronous code. In this model each functionality can be defined as a Task and will be executed based on the external resource allocation and when other tasks complete.
This RAT is not obfuscated and contains three main functionalities:
- Download files
- Upload files
- Take screenshots
All the configurations have been stored in Global settings including appfoldername, vbfilename, host address, scheduled task info, vbfile content, and cipherkey.
All the communications with the server are AES encrypted and base64 encoded.
For network communications it has defined four different tasks to send and receive files and commands: SendFileAsync, SendAsync, ReceiveAsync and ReceiveFileAsync.
To manage the files, it has FileManager class that can get the file and save into a temp directory and also zip files.
It also has the capability to make itself persistent by creating a vbsfile and adding it to Scheduled Tasks.
Threat actors use many techniques to subvert analysis and detection; in this blog post we examined a group employing the less common technique of steganography, in which the actor hides a malicious payload within an image.
Due the geopolitical events happening between Azerbaijan and Armenia, digital attacks against these countries have increased in the past year. Cisco Talos reported a new RAT named PoetRAT which was also used to target Azerbaijan, though differences in the sample analyzed in this post suggest this RAT is not related. Malwarebytes analysts will continue to track this activity, and report on any new findings related to this threat.
File Name SHA256 telebler.doc ef02527858797356c5e8571c5a22d00c481fbc9ce73c81a341d482ea3776878a Fairfax.zip 4ad451a1c07d1760a0586c3c5132a68539d98198c402f4fc2b42b954ea9f76d7 auroraXXXX.zip
0573926b05c34af23c7003cc0a30cfc682335f7e787958f9be7e6804edacd0a1 image1.png f33db9011c69e6f4b13c765f77466de023f442d8a75bce8ab450f4978275671a runner.bat 909a94451d2640f89ec25aebcede14f238ead06b94f28544a99f4ecc2411b3b5 Fairfax.exe ab0f4d290f3d4532896dea80563e342c825b12e0111c2d54eac62b1b942b854b Fairfax.exe 69e880b0545330b8e6d1543c47d89b4907fb79899b40c2478c591225ffc551ce
MITRE ATT&CK Techniques
Tactic Id Name Details Initial Access T1566 Phishing Distributing maldocs through phishing emails Execution T1059.003 Windows command shell Starts CMD.EXE for commands execution T1064 Scripting Executing FairFax.exe using batch file T1059.001 PowerShell Executes PowerShell scripts T1204.002 User Execution Manual execution by user Persistence T1053.005 Scheduled Task Uses Task Scheduler for persistence Defense Evasion T1140 Deobfuscate/Decode Files or Information The RAT has the ability to decode base
64 data and decrypt AES encrypted data
Colletion T1113 Screen Capture The RAT has the ability to capture the screen T1560.001 Archive Collected Data: Archive via Utility The RAT archived files using zip utility Command and Control T1071.001 Application Layer Protocol: Web Protocols Using HTTPS for C2 communications T1132.001 Data Encoding: Standard Encoding C2 traffic are base64 encoded and AES encrypted Exfiltration T1041 Exfiltration Over C2 Channel Exfiltrates the data over C2