Last updated at Wed, 10 Apr 2024 14:32:16 GMT

Rapid7’s Managed Detection and Response (MDR) team continuously monitors our customers' environments, identifying emerging threats and developing new detections.

In August 2023, Rapid7 identified a new malware loader named the IDAT Loader. Malware loaders are a type of malicious software designed to deliver and execute additional malware onto a victim's system. What made the IDAT Loader unique was the way in which it retrieved data from PNG files, searching for offsets beginning with 49 44 41 54 (IDAT).

In part one of our blog series, we discussed how a Rust based application was used to download and execute the IDAT Loader. In part two of this series, we will be providing analysis of how an MSIX installer led to the download and execution of the IDAT Loader.

While utilization of MSIX packages by threat actors to distribute malicious code is not new, what distinguished this incident was the attack flow of the compromise. Based on the recent tactics, techniques and procedures observed (TTPs), we believe the activity is associated with financially motivated threat groups.

Figure 1 - Attack Flow

MSIX Installers

In January of 2024, Red Canary released an article attributing different threat actors to various deployments of malicious MSIX installers. The MSIX installers employed a variety of techniques to deliver initial payloads onto compromised systems.

All the infections began with users navigating to typo squatted URLs after using search engines to find specific software package downloads. Typo squatting aka URL hijacking is a specific technique in which threat actors register domain names that closely resemble legitimate domain names in order to deceive users. Threat actors mimic the layout of the legitimate websites in order to lure the users into downloading their initial payloads.

Additionally, threat actors utilize a technique known as SEO poisoning, enabling the threat actors to ensure their malicious sites appear near the top of search results for users.

Technical Analysis

Typo Squatted Malvertising

In our most recent incident involving the IDAT Loader, Rapid7 observed a user downloading an installer for an application named ‘Room Planner’ from a website posing as the legitimate site. The user was searching Google for the application ‘Room Planner’ and clicked on the URL hxxps://roomplannerapp.cn[.]com. Upon user interaction, the users browser was directed to download an MSIX package, Room_Planner-x86.msix (SHA256: 6f350e64d4efbe8e2953b39bfee1040c8b041f6f212e794214e1836561a30c23).

Figure 2 - Malvertised Site for Room Planner Application

PowerShell Scripts

During execution of the MSIX file, a PowerShell script, 1.ps1 , was dropped into the folder path C:\Program Files\WindowsApps\RoomPlanner.RoomPlanner_7.2.0.0_x86__s3garmmmnyfa0\ and executed. Rapid7 determined that it does the following:

  • Obtain the IP address of the compromised asset
  • Send the IP address of the compromised asset to a Telegram bot
  • Retrieve an additional PowerShell script that is hosted on the Telegram bot
  • Delete the message containing the IP address of the compromised asset
  • Invoke the PowerShell script retrieved from the Telegram bot

Figure 3 - PowerShell script 1.ps1 contained within MSIX file Room_Planner-x86.msix

In a controlled environment, Rapid7 visited the Telegram bot hosting the next stage PowerShell script and determined that it did the following:

  • Retrieve the IP address of the compromised asset by using Invoke-RestMethod which retrieved data from the domain icanhazip[.]com
  • Enumerate the compromised assets Operating System, domain and AV products
  • Send the information to the Telegram bot
  • Create a randomly generated 8 character name, assigning it to the variable $JAM
  • Download a gpg file from URL hxxps://read-holy-quran[.]group/ld/cr.tar.gpg, saving the file to %APPDATA% saving it as the name assigned to the $JAM variable
  • Decrypt the contents of the gpg file using the passphrase ‘riudswrk’, saving them into a newly created folder named after the $JAM variable within C:\ProgramData\$JAM\cr\ as a .RAR archive file
  • Utilize tar to unarchive the RAR file
  • Start an executable named run.exe from within the newly created folder
  • Create a link (.lnk) file within the Startup folder, named after the randomly generated name stored in variable $JAM, pointing towards run.exe stored in file path C:\ProgramData\$JAM\cr\ in order to create persistence
  • Read in another PowerShell script hosted on a Pastebin site, hxxps://pastebin.pl/view/raw/a137d133 using downloadstring and execute its contents (the PowerShell script is a tool used to bypass AMSI) with IEX (Invoke-Expression)
  • Download data from URL hxxps://kalpanastickerbindi[.]com/1.jpg and reflectively load the contents and execute the program starting at function EntryPoint (indicating the downloaded data is a .NET Assembly binary)

Figure 4 - API Bot hosting PowerShell Script

Figure 5 - PowerShell AMSI Bypass Tool

After analysis of the AMSI (Anti Malware Scan Interface) bypass tool, we observed that it was a custom tool giving credit to a website, hxxps://rastamosue[.]memory-patching-amsi-bypass, which discusses how to create a program that can bypass AMSI scanning.

AMSI is a scanning tool that is designed to scan scripts for potentially malicious code after a scripting engine attempts to run the script. If the content is deemed malicious, AMSI will tell the scripting engine (in this case PowerShell) to not run the code.

RAR Contents

Contained within the RAR file were the following files:

Files Description
Dharna.7z File contains the encrypted IDAT Loader config
Guar.xslx File contains random bytes, not used during infection
Run.exe Renamed WebEx executable file, used to sideload DLL WbxTrace.dll
Msvcp140.dll Benign DLL read by Run.exe
PtMgr.dll Benign DLL read by Run.exe
Ptusredt.dll Benign DLL read by Run.exe
Vcruntime140.dll Benign DLL read by Run.exe
Wbxtrace.dll Corrupted WebEx DLL containing IDAT Loader
WCLDll.dll Benign WebEx DLL read by Run.exe

After analysis of the folder contents, Rapid7 determined that one of the DLLs, wbxtrace.dll, had a corrupted signature, indicating that its original code was tampered with. After analyzing the modified WebEx DLL, wbxtrace.dll, Rapid7 determined the DLL contained suspicious functions similar to the IDAT Loader.

Figure 6 - Analysis showing Corrupt Signature of wbxtrace.dll

Upon extracting the contents of the RAR file to the directory path C:\ProgramData\cr, the PowerShell script executes the run.exe executable.

The IDAT Loader

During execution of run.exe (a legitimate renamed WebEx executable), the executable sideloads the tampered WebEx DLL, wbxtrace.dll. Once the DLL wbxtrace.dll is loaded, the DLL executes a section of new code containing the IDAT Loader, which proceeds to read in contents from within dharna.7z.

After reading in the contents from dharna.7z, the IDAT Loader searches for the offset 49 44 41 54 (IDAT) followed by C6 A5 79 EA. After locating this offset, the loader reads in the following 4 bytes, E1 4E 91 99, which are used as the decryption key for decrypting the rest of the contents. Contained within the decrypted contents are additional code, specific DLL and Executable file paths as well as the final encrypted payload that is decrypted with a 200 byte XOR key.

The IDAT loader employs advanced techniques such as Process Doppelgänging and the Heaven’s Gate technique in order to initiate new processes and inject additional code. This strategy enables the loader to evade antivirus detections and successfully load the final stage, SecTop RAT into the newly created process, msbuild.exe.

We recently developed a configuration extractor capable of decrypting the final payload concealed within the encrypted files containing the IDAT (49 44 41 54) sections. The configuration extractor can be found on our Rapid7 Labs github page.

After using the configuration extractor, we analyzed the SecTop RAT and determined that it communicates with the IP address 91.215.85[.]66.

Rapid7 Customers

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections deployed and alerting on activity described:

  • Attacker Technique - Advanced Installer .MSI Executable Spawns Powershell
  • Suspicious Process - Execution From Root of ProgramData
  • Suspicious Process - PowerShell Uncommon Upper And Lower Case Combinations
  • Suspicious Process - explorer.exe in Non-Standard Location

MITRE ATT&CK Techniques

Tactics Techniques Details
Execution Command and Scripting Interpreter: PowerShell (T1059.001) 1.ps1 is used to fingerprint compromised machine and execute additional PowerShell scripts
Execution Native API (T1106) The IDAT injector and IDAT loader are using Heaven’s Gate technique to evade detection
Execution User Execution: Malicious File (T1204.002) User executes the binary Room_Planner-x86.msix
Defense Evasion Masquerading: Match Legitimate Name or Location (T1036.005) Malicious MSIX masquerades as legitimate Room Planner installer
Defense Evasion Deobfuscate/Decode Files or Information (T1140) gpg.exe used to decrypt cr.tar.gpg
Defense Evasion Hijack Execution Flow: DLL Search Order Hijacking (T1574.001) run.exe loads a malicious wbxtrace.dll
Defense Evasion Reflective Code Loading (T1620) PowerShell script loads a binary hosted at kalpanastickerbindi[.]com/1.jpg
Defense Evasion Process Injection (T1055) IDAT injector implements NtCreateSection + NtMapViewOfSection Code Injection technique to inject into cmd.exe process
Defense Evasion Process Injection: Process Doppelgänging (T1055.013) IDAT loader implements Process Doppelgänging technique to load the SecTop RAT
Defense Evasion Virtualization/Sandbox Evasion: Time Based Evasion (T1497.003) Execution delays are performed by several stages throughout the attack flow

IOCs

IOC Sha256 Notes
Room_Planner-x86.msix 6f350e64d4efbe8e2953b39bfee1040c8b041f6f212e794214e1836561a30c23 Initial installer containing PowerShell scripts
1.ps1 928bd805b924ebe43169ad6d670acb2dfe45722e17d461ff0394852b82862d23 Dropped and executed by the Room_Planner-x86.msix
wbxtrace.dll 1D0DAF989CF28852342B1C0DFEE05374860E1300106FF7788BBA26D84549B845 Malicious DLL executed by run.exe, the renamed Cisco Webex binary
Dharna.7z B7469153DC92BF5DE9BF2521D9550DF21BC4574D0D0CFC919FF26D1071C000B2 Encrypted payload decrypted by wbxtrace.dll
read-holy-quran[.]group/ld/cr.tar.gpg Hosts GPG file containing RAR file
kalpanastickerbindi[.]com/1.jpg Hosts .NET executable downloaded from API Bot PowerShell script
91.215.85[.]66 SecTop RAT domain

References

Article URL
MSIX installer malware delivery on the rise across multiple campaigns http://redcanary.com/blog/msix-installers/
Process Doppelgänging http://malware.news/t/uncovering-the-serpent/76253
Analysis of “Heaven’s Gate” part 1 http://sachiel-archangel.medium.com/analysis-of-heavens-gate-part-1-62cca0ace6f0
Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers http://xni4.xyschool.net/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/
Stories from the SOC Part 1: IDAT Loader to BruteRatel http://xni4.xyschool.net/blog/post/2024/03/28/stories-from-the-soc-part-1-idat-loader-to-bruteratel/