This post was authored by Hossein Jazi
As tensions between Azerbaijan and Armenia continue, we are still seeing a number of cyber attacks taking advantage of this situation. On March 5th 2021, we reported an actor that used steganography to drop a new .Net Remote Administration Trojan. Since that time, we have been monitoring this actor and were able to identify new activity where the threat actor switched their RAT from .Net to Python.
The document targets the government of Azerbaijan using a SOCAR letter template as lure. SOCAR is the name of Azerbaijan's Republic Oil and Gas Company. The document's date is 25th March 2021 and the letter, related to export of catalyst for analysis, is written to the Ministry of Ecology and Natural Resources. The document's creation time is 28th March 2021 and is aligned with the date mentioned on the letter. Based on the dates we believe that this attack happened between 28th and 30th of March 2021.
The embedded macro in this document is almost similar to what we have reported before with some small differences. We will talk about the similarities between these two documents in the next section.
The macro has two main functions "Document_Open" and "Document_Close". In "Document_Open" after defining the required variables it creates a directory (%APPDATA%\Roaming\nettools48\) for its Python Rat.
It then copies itself in a new format to the file path defined before in order to be able to extract the required data from an embedded PNG file (image1.png).
To extract the embedded data, it calls the “ExtractFromPng” function to identify the chunk that has the embedded data. After finding the chunk, it extracts the files from the PNG file and writes them into “tmp.zip”.
The “tmp.zip” is then extracted into "%APPDATA%\Roaming\nettools48" directory. It contains the Python 3.6 interpreter, NetTools Python library, Python Rat, the RAT C2 config, as well runner.bat.
The Python Rat will be executed when the document is closed. The "Document_Close" first delays execution to bypass security detection mechanisms by creating a junk loop for 100 times and then executes the runner.bat by calling Shell function.
The runner.bat is also delaying execution for 64 seconds and then it calls Python to execute the Python RAT (vabsheche.py)
SET /A num=%RANDOM% * (80 - 60 + 1) / 32768 + 60 timeout /t %num% set DIR=%~dp0 "%DIR%\python" "%DIR%\vabsheche.py"
Python RAT Analysis
The Python RAT used by the attacker is not obfuscated and is pretty simple. It is using the platform library to identify the victim's OS type.
The C2 domain and port are hardcoded within a file in the RAT directory. The RAT opens this file and extracts the host and port from this file.
In the next step if the victim is running Windows, it makes itself persistent through creating a scheduled task. It first checks if a scheduled task with the name "paurora*" exists or not. If it does not exist, it reads the content of bg.txt file and creates a bg.vbs file. Then adds the created VBS file to the list of scheduled tasks.
The created VBS file calls the runner.bat to execute the Python RAT.
The main functionality of the RAT is through a loop that starts by creating a secure SSL connection to the server using a certificate file (cert.pem) that was extracted from the PNG file and dropped into the RAT directory.
After building the secure connection to the server it goes to a loop that receives a message from the server and executes different commands based on the message type.
Here is the list of commands that can be executed by the RAT:
- OPEN_NEW_CONNECTION: Sends a message to the server with False as content
- HEART_BEAT: Sends a message to the server that the victim is alive
- USER_INFO: Collects victim info including OS Name, OS Version and User Name
- SHELL: Executes shell commands received from the server
- PREPARE_UPLOAD: Checks if it can open a file to write the received data from server into it and if that is the case it sends a "Ready" message to the server
- UPLOAD: Receives a buffer from the server and writes them into file
- DOWNLOAD: Archives files and sends them to the server
In this sections we provide the similarities between two documents and TTPs used by them. This will help hunters to identify the future campaigns associated with this actor.
- Used steganography to embed RATs within the embedded images.
- Used scheduled tasks for persistence. In both cases It created a VBS file to execute the batch runner.
- Used a batch file with the same name (runner.bat) to execute the final RAT.
- Used the same technique to exfiltrate data. (Archive them and send them to the server)
- Both have been obfuscated using same obfuscation techniques: Inserting random characters within the meaningful names to obfuscate the functions and variables names. After deobfuscation, the function graph of these two documents are almost similar.
- Both have used the similar method to obfuscate strings: using “MyFunc23” function that receives an array of numbers and decodes them into a string.
- both C2 domains have resolved to the same IP address.
- There are overlaps between the commands used by both .Net and Python RATs.
Due to tensions between Azerbaijan and Armenia, cyber attacks against these countries have been increasing in the past year. The Malwarebytes Threat Intelligence Team is constantly monitoring actors that are targeting these countries and was able to identify an actor that has targeted Azerbaijan using different RATs. This actor has used .Net and Python RATs to infect victims and steal data from them. The actor used spear phishing as initial vector that has used steganography to drop a variant of its RATs.