Bad Actors Sizing Up Systems Via Lightweight Recon Malware

These stealthy downloaders initially infect systems and then only install additional malware on systems of interest.

Well-known financial crime gang Cobalt Group and other threat actors have recently shifted tactics to incorporate lightweight modular downloaders that “vet” target machines for their attractiveness before proceeding with a full-fledged attack.

The emergence of the AdvisorsBot and Marap malwares, as well a zero-day attack by the PowerPool actors and Cobalt Group’s use of its custom CobInt code, indicate a new trend for financial adversaries.

“Threat actors — from newer players…to established actors like TA505 and Cobalt Group – are increasingly looking to stealthy downloaders to initially infect systems and then only install additional malware on systems of interest,” Proofpoint researchers explained in a blog on Tuesday, adding that the idea is to increase effectiveness and boost efficiency and ROI for the bad actors.

These are “noteworthy for their small footprints, stealthy infections and apparent focus on reconnaissance,” they added.

For instance, both AdvisorsBot and Marap feature a basic system fingerprinting module.

The AdvisorsBot malware (so-named due to early command-and-control (C2) domains, all containing the word “advisors”), is a first-stage payload sporting significant anti-analysis features and sophisticated distribution techniques. It was recently uncovered as having been used in campaigns since May, targeting hotels, restaurants and telecom-sector victims.

Marap (named after its command-and-control phone-home parameter, “param,” spelled backwards) was spotted in August being used as the payload in several large-scale email campaigns consisting of millions of messages. The emails contained a variety of attachment types, including Microsoft Excel Web Query (.iqy) files, password-protected ZIP archives containing .iqy files, PDF documents with embedded .iqy files and Microsoft Word documents containing macros.

Both malwares use junk code, such as extra instructions, conditional statements and loops, to slow down reverse engineering; and they use Windows API function hashing, which makes it harder to identify the malware’s functionality. Most notably, however, the fingerprinting module takes a screenshot and base64-encodes it, extracts Microsoft Outlook account details and runs an array of other commands.

Depending on what the system data says, cybercriminals can then choose to download additional modules post infection, Proofpoint researchers said.

“AdvisorsBot [and Marap] point to a growing trend of small, versatile malware that give actors flexibility to launch future attacks and identify systems of interest that may lend themselves to more significant compromise,” they noted, adding that AdvisorsBot is under active development.

Meanwhile, according to ESET researchers, the PowerPool group is running an active campaign using spear-phishing emails with a malicious attachment that exploits the recently discovered local privilege-escalation vulnerability in the Windows Task Scheduler’s Advanced Local Procedure Call (ALPC) interface. The main executable is a backdoor that establishes persistence and collects basic machine and proxy information; it then exfiltrates the data to the command-and-control (C2) server. ESET said that it can also execute commands. A second executable does only one thing: it takes a screenshot of the victim’s display and sends it to the C2. If the attackers decide that the victim machine looks like a good prize, the first-stage backdoor fetches second-stage malware consisting of an array of open-source lateral-movement tools, mostly written in PowerShell. Among other things, these can retrieve usernames and hashes from the Security Account Manager (SAM); perform pass-the-hash SMB connections; retrieve Windows credentials; and lift stored passwords from Outlook, web browsers and so on.

And finally, also last month the NETSCOUT/Arbor Networks ASERT team noticed Cobalt Group targeting banks in Eastern Europe and Russia with a double-payload campaign; one of the payloads used was the CobInt malware, a reconnaissance backdoor that can also beacon to the C2 server for additional payloads or scripts. Cobalt Group has been on the scene since 2016 and is suspected in attacks in dozens of countries around the world, including ATM jackpotting and attacks on the SWIFT banking system. It has gone through many iterations in terms of the tools it uses, but in July was seen adopting CobInt.

“CobInt is a downloader malware written in C,” Proofpoint researchers noted, adding that the name is based on the association of the malware with the Cobalt Group and an internal DLL name of “int.dll”: “The malware can be broken up into three stages: an initial downloader that downloads the main component, the main component itself and various additional modules.”

The first stage is a basic downloader with the sole purpose of downloading the main CobInt component.

“As with other downloaders we have examined recently, its functionality is disguised by the use of Windows API function hashing,” researchers said, adding that the C2 host and URI are stored as encrypted strings — a basic XOR with a 4-byte key that changes from sample to sample.
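A simple XOR with a short repeating key is weak against known plaintext: an analyst who expects the C2 host to start with “http” can recover the per-sample key from the first four ciphertext bytes and decrypt every string protected with it, yielding indicators to block. The script below is an added illustration of that recovery, not code from the article or from Proofpoint’s analysis; the key, host and URI are constructed placeholders, and the layout of CobInt’s real strings is an assumption.

```python
# Added example (not from the article or Proofpoint): recover a 4-byte
# repeating XOR key from an encrypted C2 string via known plaintext, then
# decrypt the remaining strings. Key, host and URI below are constructed.
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int = 4) -> bytes:
    """Derive the key from a plaintext prefix at least key_len bytes long.

    Because the key repeats every key_len bytes, XORing the first key_len
    ciphertext bytes with the known plaintext bytes yields the full key.
    """
    if len(known_prefix) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least one full key period of known plaintext")
    return xor_bytes(ciphertext[:key_len], known_prefix[:key_len])


def decrypt_c2_strings(blobs, known_prefix=b"http", key_len=4):
    """Recover the key from blobs[0] (assumed to be the C2 host, starting
    with 'http') and decrypt all blobs. Returns (key, list_of_strings).
    Assumes each string is XORed from key offset 0, as a constructed layout."""
    key = recover_key(blobs[0], known_prefix, key_len)
    plain = [xor_bytes(b, key).decode("ascii", errors="replace") for b in blobs]
    return key, plain


# --- constructed sample standing in for strings carved from a binary ---
SAMPLE_KEY = bytes.fromhex("5a3c9e17")          # constructed, not a real key
SAMPLE_HOST = b"https://c2.example.invalid"    # constructed placeholder host
SAMPLE_URI = b"/gate.php"                       # constructed placeholder URI
ENCRYPTED_BLOBS = [
    xor_bytes(SAMPLE_HOST, SAMPLE_KEY),
    xor_bytes(SAMPLE_URI, SAMPLE_KEY),
]

if __name__ == "__main__":
    key, strings = decrypt_c2_strings(ENCRYPTED_BLOBS)
    print("recovered key:", key.hex())
    for s in strings:
        print("decrypted:", s)
```

Keys that change per sample defeat static string signatures, which is why a detection pipeline would run this kind of decoder in an extraction step rather than matching the encrypted bytes directly.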

The next stage is downloaded via HTTPS and is encrypted using three layers. The decrypted data in turn contains a DLL, which is CobInt’s main component. It then downloads and executes modules from the C2 that are tasked with sending a screenshot to the attackers, along with a list of running process names. Proofpoint said that “following the reconnaissance actions…threat actors would deploy additional modules to infected systems of interest.”

In all, there’s certainly a trend afoot of sizing up prospective victims before expending resources on a full attack, they added.

“As defenses improve across the board, threat actors must innovate to improve the returns on their investments in malware and infection vectors, making this approach consistent with the ‘follow the money’ theme we have associated with a range of financially motivated campaigns over the years,” the researchers concluded.
