URL: https://www.kroll.com/en/insights/publications/cyber/idatloader-distribution
Cyber
Mon, Jun 24, 2024

NOVEL TECHNIQUE COMBINATION USED IN IDATLOADER DISTRIBUTION

Dave Truman

Kroll’s Managed Detection and Response (MDR) team responded to an incident in which suspected malware was exhibiting strange download behavior. After successfully containing and resolving the incident, Kroll’s Cyber Threat Intelligence (CTI) team investigated further.
The investigation uncovered a complex infection chain involving many layers of obfuscation used to deliver IDATLOADER, which ultimately resulted in the deployment of information-stealing malware. The infection hinged on using Microsoft’s mshta.exe to execute code buried deep within a specially crafted file masquerading as a PGP Secret Key. The campaign made use of novel adaptations of common techniques and heavy obfuscation to hide the malicious code from detection, the extent of which is described below.

This incident involved a victim accessing a Bollywood pirate movie download site. When attempting to download a video, the victim was directed to a page hosted on Bunny CDN that provided a bit[.]ly link, which ultimately downloaded a ZIP file.

Figure 1 – Download page providing link to zip file

The downloaded ZIP file contained another, password-protected ZIP file along with a text file containing the password. The nested ZIP file contained a 192 MB LNK file along with a decoy “trailer” video file. The LNK file triggered the first element of the novel technique used in this infection chain for distributing IDATLOADER: it used mshta.exe to execute what appeared to be a “PGP Secret Key,” again hosted on Bunny CDN.

The Microsoft binary mshta.exe is used to execute “HTML Application” (HTA) files, which contain HTML markup and web scripting languages such as JavaScript. HTML applications should follow HTML standards, including the use of supported character sets, since HTML is primarily text based. However, looking at the downloaded file in a hex editor, it clearly contains a large amount of binary data.

Figure 2 – Downloaded “PGP Secret Key” clearly containing binary data

Static analysis indicates that the file is not a legitimate PGP Secret Key, but an amalgamation of a large set of junk bytes, an embedded HTA file and an embedded EXE file.
It is worth noting that junk non-printable bytes can be seen even inside the embedded HTA file. The file is interpreted by tooling as a PGP key simply because its first two bytes are the magic bytes for a “PGP Secret Sub-key”. The embedded EXE is the legitimate calc.exe supplied with the Windows operating system, likely included to add known-good indicators for bypassing AI/ML detections.

Figure 3 – Embedded HTA within suspicious binary download

Figure 4 – Embedded calc.exe within suspicious binary download

The file itself has an extremely low detection ratio on VirusTotal, with only one out of 70 anti-virus engines detecting it as malicious.

Figure 5 – Extremely low detections for the suspicious binary download

From this it appears that mshta.exe will execute the HTA code hidden within this file even though the file itself is not a legitimate HTA containing standards-conforming HTML. The Kroll CTI team ran the file through the World Wide Web Consortium (W3C) HTML validator, which gave up validating when the number of parsing errors exceeded 1,000. Some examples of the HTML errors reported were:

* Forbidden code point
* Malformed byte sequences
* Non-space characters found without seeing a DOCTYPE first
* Bad character after <
* & did not start a character reference
* A slash was not immediately followed by >
* < in attribute name
* Quote ' in attribute name

It is common for web browsers to try to render an HTML page even if it contains errors, because of the many inconsistencies between browsers and the poor coding practices or lack of testing behind millions of websites. Microsoft’s mshta.exe continues this practice. But there is an important difference between a web browser and mshta.exe: web browsers are usually sandboxed and do not allow scripts to interact directly with the operating system, while mshta.exe scripts can interact with Windows without these restrictions.
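The fake key described above, a non-text header followed by HTA code laced with junk bytes and a benign embedded EXE, is exactly the shape a file-level heuristic can catch regardless of what the magic bytes claim. This added Python example is not code from the Kroll post: it flags a byte stream whose leading bytes are not text yet carry HTA script markers, counts junk bytes inside the script body, and looks for an embedded PE DOS stub; the marker list, the 95% printable threshold and the three samples are constructed assumptions.

```python
# Heuristic scan for HTA content hidden inside a non-HTML carrier file.
HTA_MARKERS = (b"<hta:application", b"<script", b"activexobject", b"wscript.shell")
DOS_STUB = b"this program cannot be run in dos mode"  # present in most PE DOS stubs

def is_text_byte(b: int) -> bool:
    return 0x20 <= b < 0x7F or b in (9, 10, 13)

def printable_ratio(chunk: bytes) -> float:
    """Share of bytes that are printable ASCII or whitespace (0.0 for empty input)."""
    return sum(is_text_byte(b) for b in chunk) / len(chunk) if chunk else 0.0

def junk_bytes_in_script(lowered: bytes) -> int:
    """Count non-printable bytes between the first <script and its closing </script>."""
    start = lowered.find(b"<script")
    end = lowered.find(b"</script>", start) if start >= 0 else -1
    if start < 0 or end < 0:
        return 0
    return sum(not is_text_byte(b) for b in lowered[start:end])

def scan_for_hidden_hta(data: bytes, head_len: int = 64) -> dict:
    """Flag files whose leading bytes are not text yet carry HTA script markers,
    carry junk bytes inside the script, or embed a PE image (decoy known-good binary)."""
    lowered = data.lower()
    head_is_text = printable_ratio(data[:head_len]) >= 0.95  # assumed threshold
    markers = [m.decode() for m in HTA_MARKERS if m in lowered]
    mz = lowered.find(b"mz")
    embedded_pe = mz >= 0 and lowered.find(DOS_STUB, mz) >= 0
    junk = junk_bytes_in_script(lowered)
    return {
        "head_is_text": head_is_text,
        "hta_markers": markers,
        "embedded_pe": embedded_pe,
        "junk_bytes_in_script": junk,
        "suspicious": bool(markers) and (not head_is_text or embedded_pe or junk > 0),
    }

# Constructed samples; the real incident files are not reproduced here.
FAKE_KEY = (
    bytes(range(0x80, 0xC0))  # non-text header standing in for the PGP magic plus junk bytes
    + b'<HTA:APPLICATION ID="x"><script language="jscript">\x01\x02'
    + b'var sh = new ActiveXObject("WScript.Shell");\x05</script>'
    + b"MZ\x90\x00This program cannot be run in DOS mode" + b"\x00" * 16
)
LEGIT_HTA = b'<html><head><hta:application id="demo"/></head><body><script>document.title = "ok";</script></body></html>'
RANDOM_BINARY = bytes(range(256))  # no script markers at all
```

A legitimate HTA still trips the marker check but is left alone because its head is text and it carries neither junk bytes in the script nor an embedded PE, which is the combination that distinguishes the polyglot described above.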
This technique allows a malicious script to mimic hundreds of possible file types, many of which are treated differently by various security tools depending on the type they appear to be, allowing for easy bypasses. The threat actor takes advantage of this behavior to deploy IDATLOADER.

The Kroll CTI team performed some testing to demonstrate this technique. We appended an HTA file containing code to launch notepad.exe to a copy of calc.exe. The operating system detects the resulting file as a PE file. We then ran the resulting EXE file with mshta.exe and then directly from cmd.exe. When launched with mshta.exe, Notepad was started without warnings or errors.

Figure 6 – HTA code executing in mshta.exe regardless of file type and HTML standards nonconformity

When the Kroll CTI team ran the generated test file directly from the command line without mshta.exe, the calc.exe image was started as a process. We then generated an HTA file with a series of deliberate bad bytes in the middle of the code and tested this. In this case, mshta.exe still ran the code and launched notepad.exe.

Figure 7 – Test file appears as an EXE file when not opened with mshta.exe

When we extracted the HTA code from the original fake PGP key file, the code was heavily obfuscated, and even inside the HTA code there were random non-printable character sequences, making the code invalid HTML.

Figure 8 – HTA Code extracted from fake PGP Key File

There were four layers of obfuscation. The first three completely obfuscated the next stage in the chain. The fourth stage had readable code, but certain variables had obfuscated content.

Figure 9 – Stages 2, 3 and 4 of de-obfuscation

Figure 10 – Stage 4 modified to make readable

Once fully deobfuscated, the code can be seen to download two separate ZIP archives.
The script uses an unzip function with interesting functionality: it unzips the archive into %AppData% and tries to use the ZIP file content as a command to execute. In the case of a ZIP file with many files, or with a file that is not executable, this will not work. However, if the ZIP archive contains only one executable file, that file is executed. This is where the second of the novel combination of techniques occurs. The first of the two ZIP archives, “K1.zip,” contained a large set of files, while the second, “K2.zip,” contained a single EXE file.

Figure 11 – Contents of downloaded zip files

The file ‘jdekl.exe’ in K2.zip is the renamed legitimate binary RttHlp.exe from IOBit. The file “hydrogeology” looks like an encrypted payload that is decrypted and deployed by IDATLOADER, based on the presence of IDATLOADER marker bytes within the file.

Figure 12 – IDAT Marker bytes within hydrogeology.wav

Initially this appeared to be straightforward DLL sideloading of a malicious Register.dll file. However, on closer inspection this was not the case.

Figure 13 – Executable being detected as compiled with Delphi

The file itself appears to have been written and compiled in Delphi, and looking at the imports of the EXE it is clear that it does not import Register.dll; it does, however, import VCL120.BPL. Instead of being a regular DLL, this is a Borland Package Library (BPL) file, a DLL-like file format created by Borland for use with their suite of compilation tools (notably including Delphi). So, instead of traditional DLL sideloading, this is a case of BPL sideloading. At the time of writing there is no MITRE sub-technique for BPL sideloading; we have raised a request for a new sub-technique to be added.

Figure 14 – Screenshot showing BPL file being imported into EXE file

Within VCL120.BPL there exists code accessing the encrypted data file hydrogeology.wav, indicating this is the file containing the malicious IDATLOADER code.
Figure 15 – Code within the malicious BPL accessing IDATLOADER encrypted file

During testing, the Kroll CTI team has seen the chain starting with the fake PGP key file deploy LUMMASTEALER and another currently unidentified generic password stealer, which is still being analyzed.

ANALYSIS

This IDATLOADER campaign uses a complex infection chain containing multiple layers of direct code-based obfuscation alongside innovative tricks to further hide the maliciousness of the code. This all resulted in a low detection ratio for the initial file. Tools that look at behavior are likely to have an easier time detecting this malware than tools that rely heavily on signature-based technologies. As always, it is important to have defense in depth: though a crafted and heavily obfuscated HTA file masquerading as an innocuous file might make it through perimeter scanning, it can still be detected by endpoint detection and response (EDR) or other technologies.

DETECTION METHODS

Threat actors continue to abuse the legitimate and trusted mshta.exe binary in attack chains; detecting this behavior was key in detecting both this infection and a previous incident involving the TODDLERSHARK malware. Abnormal mshta.exe behavior is a high-confidence indicator that malicious activity is taking place. System administrators may consider blocking execution or removing MSHTA altogether, as its functionality is tied to older versions of Internet Explorer.

Behavior | Detection Method | MITRE ATT&CK
--- | --- | ---
System Binary Proxy Execution: MSHTA Executing with URL | Detect mshta.exe executing with URL parameters, e.g. ‘http://’, ‘https://’ etc. | T1218.005
System Binary Proxy Execution: MSHTA Spawning cmd.exe | Detect mshta.exe executing commands in cmd.exe or PowerShell | T1218.005
Hijack Execution Flow: BPL Sideloading | Detect sideloading of BPL files; alert on BPL loads that are uncommon or loaded by binaries executing from abnormal directories | T1574

IOCS

IOC Value | Comment
--- | ---
97db294fe0daf6c8dd581ca8f7eacd573ff00416d00839fad252cfb0b127e462 | K1.zip
2f4f9fae763b5c99421a845449240b305ecdc288804268e2a411db2cce8035c3 | K2.zip
1da4ed3380f7477e728f6881129a20e33efcaa21191043eda902cf923332f924 | hydrogeology.wmv
d6dd7a4f46f2cfde9c4eb9463b79d5ff90fc690da14672ba1da39708ee1b9b50 | rtl120.bpl
7d0f90081a1b3500d724731a5c2f1bf120267a4803a59e59c734bcaff291220b | vcl120.bpl
https://matodown[.]b-cdn[.]com/K1.zip | Second stage download
https://matodown[.]b-cdn[.]com/K2.zip | Second stage download
https://streamvideoz[.]b-cdn[.]com/Download-Video_HD.html | Initial download
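The three detection rows in the table above, turned into rules over process telemetry, as an added Python example that is not code from the Kroll post: it checks for mshta.exe launched with a URL argument, a shell whose parent is mshta.exe, and a .bpl module loaded by or from a directory outside an assumed trusted baseline. The event schema, the trusted directory list and the five sample events are constructed assumptions; the third event mirrors the jdekl.exe and vcl120.bpl pairing from the incident.

```python
import re
from dataclasses import dataclass, field

URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumed baseline: BPLs and the EXEs that load them are expected only under these roots.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

@dataclass
class ProcEvent:
    """Minimal process-creation record with the modules it loaded (Sysmon-style fields)."""
    image: str
    cmdline: str
    parent_image: str
    loaded_images: list = field(default_factory=list)

def norm(path: str) -> str:
    return path.replace("/", "\\").lower()

def basename(path: str) -> str:
    return norm(path).rsplit("\\", 1)[-1]

def detect(ev: ProcEvent) -> list:
    """Return the detection-table rows (by ATT&CK id) that this event triggers."""
    hits = []
    if basename(ev.image) == "mshta.exe" and URL_RE.search(ev.cmdline):
        hits.append("T1218.005 mshta.exe launched with a URL argument")
    if basename(ev.parent_image) == "mshta.exe" and basename(ev.image) in SHELLS:
        hits.append(f"T1218.005 mshta.exe spawned {basename(ev.image)}")
    for mod in ev.loaded_images:
        in_trusted = norm(mod).startswith(TRUSTED_DIRS) and norm(ev.image).startswith(TRUSTED_DIRS)
        if norm(mod).endswith(".bpl") and not in_trusted:
            hits.append(f"T1574 BPL loaded outside trusted directories: {mod}")
    return hits

# Constructed events (not telemetry from the incident).
EVENTS = [
    ProcEvent(r"C:\Windows\System32\mshta.exe", "mshta.exe https://cdn.example.invalid/key.bin", r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "echo stage"', r"C:\Windows\System32\mshta.exe"),
    ProcEvent(r"C:\Users\victim\AppData\Roaming\jdekl.exe", "jdekl.exe", r"C:\Windows\System32\cmd.exe",
              [r"C:\Users\victim\AppData\Roaming\vcl120.bpl"]),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r'mshta.exe "C:\Program Files\Vendor\setup.hta"', r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Program Files\Vendor\tool.exe", "tool.exe", r"C:\Windows\explorer.exe", [r"C:\Program Files\Vendor\vcl120.bpl"]),
]

def run_detections(events=EVENTS) -> list:
    """One list of triggered rules per event; an empty list means benign."""
    return [detect(ev) for ev in events]
```

The last two events are the benign controls: a local .hta opened by mshta.exe and a Delphi-built application loading its own VCL120.BPL from its install directory produce no alert.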