Malware Analysis VOL 03 : Unleashing Offensive Security Tactics on Enterprises

Executive Summary:

This executive summary provides an overview of the analysis conducted on a suspicious HTA file, revealing insights into a sophisticated malware campaign. Through a comprehensive examination using various tools and techniques, including Visual Studio Code, CyberChef, and Speakeasy, the HTA file was decoded, uncovering its malicious functionalities.

Key Findings:

- The HTA file serves as a downloader, facilitating the retrieval and execution of malicious payloads from remote servers.

- Advanced obfuscation techniques were employed to evade detection, including the concatenation of system binaries and PowerShell commands.

- Analysis of the shellcode revealed characteristic techniques indicative of CobaltStrike, such as early “CALL” operations and “ROR” instructions.

- Automatic downloads of the Launcher.hta file from deceptive webpages were observed, posing additional risks to organizational security.

Implications:

- The presence of sophisticated malware highlights the evolving threat landscape, necessitating robust cybersecurity measures.

- Organizations are urged to enhance threat hunting capabilities using artifacts acquired during the analysis to identify and mitigate similar threats within their networks.

- Proactive detection and response protocols are essential to safeguard against the risks posed by malicious campaigns like the one analyzed.

The analysis of the HTA file underscores the critical importance of proactive cybersecurity measures in mitigating the risks posed by sophisticated malware campaigns. By leveraging insights gained from thorough analyses and implementing robust defensive strategies, organizations can effectively safeguard their networks against evolving threats and minimize the impact of malicious activities.

OVERVIEW

This analysis walks through the decoding of a .hta loader used to load CobaltStrike shellcode. Initial analysis is conducted in Visual Studio Code, whose word-wrapping makes the long obfuscated lines readable. Strings and artifacts are then decoded with CyberChef, and the extracted shellcode is emulated with Speakeasy. Used together, these tools reveal the loader’s underlying mechanisms, its role in executing the CobaltStrike shellcode, and the indicators it leaves behind.

INITIAL ANALYSIS

Upon opening the .hta file in VSCode for analysis, it becomes evident that the adversary has heavily obfuscated the code, likely to bypass endpoint detection mechanisms. The initial segment of the code concatenates string fragments into something resembling the LOLBIN “wscript.exe,” commonly used to execute JavaScript code; the concatenated variables are then used to instantiate a new ActiveXObject, a likely mechanism for executing a malicious JavaScript payload. The following code segment concatenates fragments resembling “cmd.exe,” suggesting that base64-encoded commands are executed by invoking powershell.exe. This manipulation shows the adversary’s skill at crafting evasion tactics and highlights the need for thorough examination to uncover the code’s underlying intentions.

Continuing the analysis, I extracted the base64-encoded payload from the .hta file and utilized CyberChef to decode it. By eliminating null bytes from the decoded base64 string, I successfully unveiled the payload containing hidden shellcode. This meticulous process of extraction and decoding reveals the concealed nature of the malicious payload embedded within the .hta file, underscoring the adversary’s intent to obfuscate and evade detection. Further examination of the decoded payload promises deeper insights into the nature of the shellcode and its potential implications within the context of the overall threat landscape.

ANALYSIS OF THE PAYLOAD

Upon copying the decoded code back into VSCode for further analysis, I identified the utilization of three crucial Windows APIs: “VirtualAlloc,” “memset,” and “CreateThread.” These APIs serve distinct yet interconnected functions within the context of executing binary or script-based payloads in memory. “VirtualAlloc” facilitates memory allocation, allowing the creation of a suitable memory region for payload execution. Subsequently, “memset” ensures the initialized memory region is cleared, preparing it for the payload’s content. Finally, “CreateThread” is employed to initiate the execution of the payload within the allocated memory space. This orchestrated use of Windows APIs underscores the malware’s advanced capabilities in executing malicious activities while evading traditional detection mechanisms. Further examination of these API calls promises deeper insights into the malware’s behavior and its potential impact on system integrity and security.

In the subsequent section of the code, a conditional check is implemented to ascertain the system architecture, distinguishing between 32-bit and 64-bit environments. This discernment is pivotal in determining the appropriate execution pathway, specifically in selecting the appropriate version of PowerShell to execute subsequent commands. By adapting its behavior based on the target system’s architecture, the malware exhibits a nuanced approach to ensure compatibility and efficacy in its operations. Understanding this conditional logic provides valuable insights into the malware’s adaptive capabilities and its strategic use of system-specific execution pathways. Further analysis of this code segment promises deeper understanding of the malware’s operational strategies and potential implications within varying system environments.


DECODING THE HEX BYTES

Building the CyberChef recipe for this step proved challenging but rewarding. By applying the recipe step by step, I successfully translated the shellcode into assembly language, gaining crucial insights into its functionality and the adversary’s motives. Notably, the “CLD” (clear direction flag) instruction being the first operation executed by the shellcode signals a correct disassembly, validating the process. Within the assembly code, I identified techniques characteristic of CobaltStrike, including early “CALL” operations and the use of “ROR” instructions. These findings shed light on the malware’s tactics and provide context for understanding its operational strategies, and they underscore the importance of meticulous analysis in uncovering malicious intent.


EMULATING THE SHELLCODE

In CyberChef, employing the “FROM HEX” recipe facilitates the conversion of encoded shellcode into raw bytes. Subsequently, saving this output to a file with a “.bin” extension enables emulation, providing a platform to comprehensively understand the intended functionality of the shellcode. This systematic approach allows for in-depth analysis and emulation of the shellcode’s behavior, enabling researchers to decipher its operational objectives and potential impact. By employing such techniques, cybersecurity professionals gain crucial insights into the nature of the threat posed by the shellcode, aiding in the development of effective mitigation strategies and defensive measures.
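The hex-to-bytes conversion and .bin export above, together with the three traits used to validate the disassembly in the previous section (CLD first, an early CALL, and ROR instructions), can be reproduced in a few lines. This is an added example, not code from the post; the hex string is a constructed handful of opcodes shaped like those observations, not the recovered shellcode, and the two ROR encodings are the rotate-by-13 forms commonly used by position-independent API-hashing loops.

```python
import re
from pathlib import Path

# Constructed hex standing in for CyberChef's "From Hex" input: a few opcodes shaped
# like the post's findings, not the recovered CobaltStrike shellcode.
SAMPLE_HEX = "fc e8 00 00 00 00 41 c1 c9 0d c1 cf 0d c3"

# Byte patterns behind the three observations: 0xFC is CLD, 0xE8 is a near CALL, and
# these two encodings are "ror r9d, 13" (x64) and "ror edi, 13" (x86), the rotate
# used by the API-hashing loop the post attributes to CobaltStrike.
CLD = 0xFC
CALL_REL32 = 0xE8
ROR13_PATTERNS = {
    "ror r9d, 0x0d (x64)": bytes.fromhex("41c1c90d"),
    "ror edi, 0x0d (x86)": bytes.fromhex("c1cf0d"),
}

def hex_to_bytes(text: str) -> bytes:
    """Equivalent of CyberChef's From Hex: ignore spaces, commas, 0x prefixes, newlines."""
    cleaned = re.sub(r'0x|[^0-9a-fA-F]', '', text)
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits")
    return bytes.fromhex(cleaned)

def write_bin(data: bytes, path: str) -> int:
    """Save the raw bytes as the .bin file an emulator such as Speakeasy takes as input."""
    return Path(path).write_bytes(data)

def triage_shellcode(sc: bytes, early_window: int = 16) -> dict:
    """Check the traits the post used to confirm the disassembly was correct."""
    rors = {name: [m.start() for m in re.finditer(re.escape(pat), sc)]
            for name, pat in ROR13_PATTERNS.items()}
    return {
        "size": len(sc),
        "starts_with_cld": sc[:1] == bytes([CLD]),
        "early_call_offset": sc.find(CALL_REL32, 0, early_window),  # -1 if absent
        "ror13_hits": {name: offs for name, offs in rors.items() if offs},
    }

if __name__ == "__main__":
    raw = hex_to_bytes(SAMPLE_HEX)
    write_bin(raw, "shellcode.bin")  # hand this file to the emulator
    print(triage_shellcode(raw))
```

A sample whose first byte is not 0xFC or that has no early CALL is not necessarily benign, but it is a sign that the hex was decoded at the wrong offset and the disassembly should be rechecked before emulation.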

To conduct the analysis, I utilized the “Speakeasy” malware emulator. This tool provides a controlled environment for executing and observing the behavior of malicious code, facilitating detailed analysis without exposing systems to real-world risks. By leveraging Speakeasy, I could emulate the execution of the decoded shellcode in a safe and isolated environment, enabling thorough examination of its actions and potential impact. This approach ensures a methodical and secure assessment of the malware’s behavior, empowering researchers to gain valuable insights into its functionality and operational characteristics.

The result is as expected. The shellcode uses the APIs identified above and also uses sockets to establish a network connection. The emulator recovered the IP address of the external server that the shellcode attempts to connect to.

Upon attempting to access the webserver running on port 80, I encountered a webpage resembling the official website of the Mexican government. Surprisingly, the webpage automatically initiated the download of a file named Launcher.hta, which matched the file we had previously analyzed. Upon completion of the download, I was redirected to the authentic Mexican government website. This sequence of events raises concerns regarding the integrity of the webserver and the potential dissemination of malicious content disguised as legitimate resources. Further investigation is warranted to ascertain the motives behind this behavior and to implement appropriate security measures to safeguard against such deceptive tactics.

In conclusion, the analysis of the HTA file reveals its primary function as a downloader, designed to retrieve and execute malicious payloads from remote servers. The artifacts obtained during this investigation serve as valuable resources for threat hunting within organizational networks, enabling the identification and mitigation of similar instances of CobaltStrike beacons or downloaders. By leveraging these artifacts, organizations can enhance their security posture by proactively detecting and neutralizing potential threats before they escalate. This report underscores the importance of continuous vigilance and proactive measures in mitigating the risks posed by sophisticated malware campaigns.

~ Author : Nathaneal Meththananda ~
