A recent campaign used search engine optimization (SEO) poisoning, as well as an array of legitimate tools for evading detection, with the end goal of infecting targets with malware, stealing credentials and more.
A Mandiant report this week said that the Batloader malware that was downloaded in the early phases of the multi-stage attack chain gave attackers an initial foothold inside target organizations. From there, attackers used both legitimate tools and malware for remote access, privilege escalation, persistence and credential-stealing capabilities.
“Every stage was prepared for the next phase of the attack chain,” said Ng Choon Kiat, Angelo del Rosario and Martin Co with Mandiant in the report. “And legitimate tools such as PowerShell, Msiexec.exe, and Mshta.exe allow proxy execution of malicious payloads to avoid detection.”
SEO poisoning, where threat actors create malicious websites that leverage SEO-friendly keywords and techniques to make them rank higher in search results, was the initial attack vector. This tactic has long been utilized by attackers, including in a campaign spotted in June by Microsoft that spread the SolarMarker backdoor malware. Because SEO poisoning casts a wide net over search engine visitors, this tactic is typically not seen in highly targeted attacks, and Mandiant researchers said that the victims in this specific campaign appear to operate in a wide range of industries.
Attackers used “free productivity apps installation” or “free software development tools installation” themes to lure victims to their websites. If a target visited the website and downloaded what was purported to be a productivity app or software development tool, such as the Zoom or TeamViewer applications, they were actually downloading an installer that contained legitimate software bundled with the Batloader malware, which was dropped and executed during the software installation process.
Attackers utilized several legitimate tools to evade detection. As part of the attack chain, they embedded a malicious VBScript in a legitimate DLL - an internal component of Microsoft’s Windows operating system - in such a way that the code signature remained valid.
Researchers said the DLL sample did not execute the VBScript when run by itself. However, when run with Mshta.exe - a Windows-native utility designed to execute Microsoft HTML Application (HTA) files - the Mshta.exe utility would locate and execute the VBScript without any issues. This evasion technique was used several times throughout the attack chain to change host settings and to launch payloads, according to researchers.
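The proxy-execution pattern described above (Mshta.exe being handed a file that is not an HTA, here a signed DLL) is visible in ordinary process-creation telemetry. The following is an added detection example, not code from Mandiant or from the article: it runs a simple rule over constructed sample events whose fields (pid, parent, image, cmdline) mimic Sysmon Event ID 1 or EDR process-start records, and flags any mshta.exe launch whose target argument does not carry an .hta extension. The sample paths and process IDs are invented for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (not taken from the report).
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Users\alice\Downloads\readme.hta"'},
    {"pid": 5872, "parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r'mshta.exe "C:\ProgramData\AppInstaller\helper.dll"'},
    {"pid": 6010, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Example\editor.exe",
     "cmdline": r'"C:\Program Files\Example\editor.exe" notes.txt'},
]

# A token is either a double-quoted run (spaces allowed) or a run of non-whitespace.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def split_cmdline(cmdline: str) -> list:
    """Split a Windows command line into arguments, dropping surrounding quotes."""
    return [tok.strip('"') for tok in _TOKEN.findall(cmdline)]


def is_mshta(image_path: str) -> bool:
    """True when the executed image is mshta.exe, wherever it lives on disk."""
    return PureWindowsPath(image_path).name.lower() == "mshta.exe"


def mshta_target(cmdline: str):
    """First non-switch argument after the image name, i.e. the file mshta will run.
    Returns None when mshta was started without a target."""
    for tok in split_cmdline(cmdline)[1:]:
        if not tok.startswith(("/", "-")):
            return tok
    return None


def assess(event: dict):
    """Return a finding dict for an mshta launch of a non-.hta target, else None."""
    if not is_mshta(event["image"]):
        return None
    target = mshta_target(event["cmdline"])
    if target is None:            # bare mshta.exe only opens a file dialog
        return None
    suffix = PureWindowsPath(target).suffix.lower()
    if suffix == ".hta":
        return None
    return {
        "pid": event["pid"],
        "parent": event["parent"],
        "target": target,
        "reason": f"mshta.exe executing a non-HTA file ({suffix or 'no extension'})",
    }


def scan(events: list) -> list:
    """Apply the rule to every event and collect the findings."""
    return [finding for finding in map(assess, events) if finding is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The extension check is deliberately narrow: a legitimate HTA launched by a user passes, while mshta being pointed at a DLL, as in the campaign, is surfaced together with its parent process so an analyst can see which of the other proxies (msiexec.exe, PowerShell) started it.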
“This issue most closely resembles CVE-2020-1599, PE Authenticode signature remains valid after appending HTA supported scripts signed by any software developer,” said researchers. “These PE+HTA polyglot (.hta files) can be exploited through Mshta.exe to bypass security solutions that rely on Microsoft Windows code signing to decide if files are trusted. This issue was patched as CVE-2020-1599.”
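Authenticode hashes the PE image but not the attribute certificate table itself, which is why text placed inside that table leaves the signature valid. A practical triage check is therefore to measure how much of the certificate table is not accounted for by the DER-encoded PKCS#7 signature blob. The block below is an added example, not code from Mandiant or from the article; it is a minimal PE header walker (PE32 and PE32+, single-entry certificate table) that reports such slack, plus a constructed, non-executable PE skeleton used only as test input. The 8-byte padding allowance and the "suspicious" threshold are assumptions chosen for illustration; a full verification would still go through the platform signature check (for example `Get-AuthenticodeSignature` in PowerShell).

```python
import struct

WIN_CERT_HEADER = 8        # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType
SECURITY_DIR_INDEX = 4     # IMAGE_DIRECTORY_ENTRY_SECURITY
MAX_ALIGNMENT_PADDING = 8  # assumed allowance: entries are padded to an 8-byte boundary


def der_total_length(blob: bytes) -> int:
    """Total size (tag + length field + content) of the leading DER SEQUENCE, or -1.
    A PKCS#7 SignedData blob, which is what the certificate table carries, starts
    with a SEQUENCE tag (0x30)."""
    if len(blob) < 2 or blob[0] != 0x30:
        return -1
    first = blob[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def security_directory(pe: bytes):
    """(file_offset, size) of the certificate table, or None when the file is not a
    PE or has no security directory entry."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 4 + 20                # past the PE signature and COFF file header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                     # PE32: data directories start at offset 96
        dirs = opt + 96
    elif magic == 0x20B:                   # PE32+: data directories start at offset 112
        dirs = opt + 112
    else:
        return None
    num_dirs = struct.unpack_from("<I", pe, dirs - 4)[0]   # NumberOfRvaAndSizes
    if num_dirs <= SECURITY_DIR_INDEX:
        return None
    # For the security directory the first field is a raw file offset, not an RVA.
    return struct.unpack_from("<II", pe, dirs + SECURITY_DIR_INDEX * 8)


def inspect_certificate_table(pe: bytes) -> dict:
    """Heuristic triage: bytes inside the certificate table beyond the DER signature
    blob ("slack") and bytes after the table ("trailing"), with a verdict."""
    result = {"signed": False, "slack": 0, "trailing": 0, "suspicious": False}
    sec = security_directory(pe)
    if sec is None or sec[1] == 0:
        return result
    off, size = sec
    table = pe[off:off + size]
    if len(table) != size or size < WIN_CERT_HEADER:
        return result                       # truncated or malformed table
    dw_length, _rev, _ctype = struct.unpack_from("<IHH", table, 0)
    der_len = der_total_length(table[WIN_CERT_HEADER:])
    payload = dw_length - WIN_CERT_HEADER
    slack = payload if der_len < 0 else max(payload - der_len, 0)
    result.update(signed=True, slack=slack, trailing=len(pe) - (off + size))
    result["suspicious"] = slack > MAX_ALIGNMENT_PADDING
    return result


def build_test_pe(extra: bytes) -> bytes:
    """Constructed PE32+ skeleton (not a runnable image) whose certificate table holds
    a 6-byte stand-in DER SEQUENCE followed by `extra`. Test input only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 112 + 16 * 8, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)  # 112 bytes
    dirs = bytearray(16 * 8)
    cert_off = len(dos) + 4 + len(coff) + len(opt) + len(dirs)
    body = b"\x30\x04\x02\x02\x00\x01" + extra       # SEQUENCE { INTEGER 1 } stand-in
    cert = struct.pack("<IHH", WIN_CERT_HEADER + len(body), 0x0200, 0x0002) + body
    struct.pack_into("<II", dirs, SECURITY_DIR_INDEX * 8, cert_off, len(cert))
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + cert


if __name__ == "__main__":
    print("clean:   ", inspect_certificate_table(build_test_pe(b"\0\0")))
    filler = b"<!-- constructed filler standing in for appended text -->"
    print("polyglot:", inspect_certificate_table(build_test_pe(b"\0\0" + filler)))
```

On a real sample the interesting output is a signed file with tens of kilobytes of slack: the signature may well validate, but the table is carrying something the signer never hashed, which is the condition the researchers describe.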
Attackers also leveraged the legitimate Gpg4win utility, which allows users to securely transport emails; the NSUDO system management tool; the remote monitoring and management software Atera; and the remote access and support software SplashTop, in order to support activities like remote access, privilege escalation, launching of payloads, encryption and persistence. Of note, in some cases the attacker deployed the Atera tool directly in the initial compromise, as opposed to using the Batloader malware.
Finally, attackers downloaded malware like Beacon and Ursnif in order to provide backdoor and credential-stealing abilities.
Some of the activity in the campaign overlaps with techniques in several playbooks that were disclosed in August by a disgruntled Conti ransomware affiliate, which exposed training documents, playbooks, and tools used in Conti ransomware operations.
Conti, one of the many ransomware-as-a-service (RaaS) operations that have popped up in recent years, has several affiliates that have targeted an array of organizations, from healthcare providers to 911 systems. The FBI, CISA, and NSA in a joint September release warned of the group’s threat to enterprises.
“At this time, due to the public release of this information, other unaffiliated actors may be replicating the techniques for their own motives and objectives,” researchers said. “The threat group's motivations are currently unknown, but we suspect that the group is financially motivated based on the seemingly industry-agnostic leading to ransomware activity.”