Rapid7’s Managed Detection and Response (MDR) team continuously monitors our customers’ environments, identifying emerging threats and developing new detections.
In August 2023, Rapid7 identified a new malware loader named the IDAT Loader. Malware loaders are a type of malicious software designed to deliver and execute additional malware onto a victim’s system. What made the IDAT Loader unique was the way in which it retrieved data from PNG files, searching for offsets beginning with 49 44 41 54 (IDAT).
In part one of our blog series, we discussed how a Rust based application was used to download and execute the IDAT Loader. In part two of this series, we will be providing analysis of how an MSIX installer led to the download and execution of the IDAT Loader.
While utilization of MSIX packages by threat actors to distribute malicious code is not new, what distinguished this incident was the attack flow of the compromise. Based on the recent tactics, techniques and procedures observed (TTPs), we believe the activity is associated with financially motivated threat groups.
Figure 1 - Attack Flow
In January of 2024, Red Canary released an article attributing different threat actors to various deployments of malicious MSIX installers. The MSIX installers employed a variety of techniques to deliver initial payloads onto compromised systems.
All the infections began with users navigating to typo squatted URLs after using search engines to find specific software package downloads. Typo squatting aka URL hijacking is a specific technique in which threat actors register domain names that closely resemble legitimate domain names in order to deceive users. Threat actors mimic the layout of the legitimate websites in order to lure the users into downloading their initial payloads.
Additionally, threat actors utilize a technique known as SEO poisoning, enabling the threat actors to ensure their malicious sites appear near the top of search results for users.
In our most recent incident involving the IDAT Loader, Rapid7 observed a user downloading an installer for an application named ‘Room Planner’ from a website posing as the legitimate site. The user was searching Google for the application ‘Room Planner’ and clicked on the URL _hxxps://roomplannerapp.cn[.]com. _Upon user interaction, the users browser was directed to download an MSIX package,**Room_Planner-x86.msix **(SHA256: 6f350e64d4efbe8e2953b39bfee1040c8b041f6f212e794214e1836561a30c23).
Figure 2 - Malvertised Site for Room Planner Application
During execution of the MSIX file, a PowerShell script, 1.ps1, was dropped into the folder path _*C:\Program Files\WindowsApps\RoomPlanner.RoomPlanner_7.2.0.0_x86__s3garmmmnyfa0* _and executed. Rapid7 determined that it does the following:
Figure 3 - PowerShell script 1.ps1 contained within MSIX file Room_Planner-x86.msix
In a controlled environment, Rapid7 visited the Telegram bot hosting the next stage PowerShell script and determined that it did the following:
Figure 4 - API Bot hosting PowerShell Script
Figure 5 - PowerShell AMSI Bypass Tool
After analysis of the AMSI (Anti Malware Scan Interface) bypass tool, we observed that it was a custom tool giving credit to a website, hxxps://rastamosue[.]memory-patching-amsi-bypass, which discusses how to create a program that can bypass AMSI scanning.
AMSI is a scanning tool that is designed to scan scripts for potentially malicious code after a scripting engine attempts to run the script. If the content is deemed malicious, AMSI will tell the scripting engine (in this case PowerShell) to not run the code.
Contained within the RAR file were the following files:
Files | Description |
---|---|
Dharna.7z | File contains the encrypted IDAT Loader config |
Guar.xslx | File contains random bytes, not used during infection |
Run.exe | Renamed WebEx executable file, used to sideload DLL WbxTrace.dll |
Msvcp140.dll | Benign DLL read by Run.exe |
PtMgr.dll | Benign DLL read by Run.exe |
Ptusredt.dll | Benign DLL read by Run.exe |
Vcruntime140.dll | Benign DLL read by Run.exe |
Wbxtrace.dll | Corrupted WebEx DLL containing IDAT Loader |
WCLDll.dll | Benign WebEx DLL read by Run.exe |
After analysis of the folder contents, Rapid7 determined that one of the DLLs, wbxtrace.dll, had a corrupted signature, indicating that its original code was tampered with. After analyzing the modified WebEx DLL, wbxtrace.dll, Rapid7 determined the DLL contained suspicious functions similar to the IDAT Loader.
Figure 6 - Analysis showing Corrupt Signature of wbxtrace.dll
Upon extracting the contents of the RAR file to the directory path **C:\ProgramData**cr, the PowerShell script executes the run.exe executable.
During execution of**run.exe**(a legitimate renamed WebEx executable), the executable sideloads the tampered WebEx DLL, wbxtrace.dll. Once the DLL wbxtrace.dll is loaded,_ _the DLL executes a section of new code containing the IDAT Loader, which proceeds to read in contents from within dharna.7z.
After reading in the contents from** dharna.7z,** the IDAT Loader searches for the offset 49 44 41 54 (IDAT) followed by** C6 A5 79 EA. After locating this offset, the loader reads in the following 4 bytes, E1 4E 91 99**, which are used as the decryption key for decrypting the rest of the contents. Contained within the decrypted contents are additional code, specific DLL and Executable file paths as well as the final encrypted payload that is decrypted with a 200 byte XOR key.
The IDAT loader employs advanced techniques such as Process Doppelgänging and the Heaven’s Gate technique in order to initiate new processes and inject additional code. This strategy enables the loader to evade antivirus detections and successfully load the final stage, _SecTop RAT _into the newly created process,msbuild.exe.
We recently developed a configuration extractor capable of decrypting the final payload concealed within the encrypted files containing the IDAT (49 44 41 54) sections. The configuration extractor can be found on our Rapid7 Labs github page.
After using the configuration extractor, we analyzed the SecTop RAT and determined that it communicates with the IP address 91.215.85[.]66.
InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7’s expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections deployed and alerting on activity described:
Tactics | Techniques | Details |
---|---|---|
Execution | Command and Scripting Interpreter: PowerShell (T1059.001) | 1.ps1 is used to fingerprint compromised machine and execute additional PowerShell scripts |
Execution | Native API (T1106) | The IDAT injector and IDAT loader are using Heaven’s Gate technique to evade detection |
Execution | User Execution: Malicious File (T1204.002) | User executes the binary Room_Planner-x86.msix |
Defense Evasion | Masquerading: Match Legitimate Name or Location (T1036.005) | Malicious MSIX masquerades as legitimate Room Planner installer |
Defense Evasion | Deobfuscate/Decode Files or Information (T1140) | gpg.exe used to decrypt cr.tar.gpg |
Defense Evasion | Hijack Execution Flow: DLL Search Order Hijacking (T1574.001) | run.exe loads a malicious wbxtrace.dll |
Defense Evasion | Reflective Code Loading (T1620) | PowerShell script loads a binary hosted at kalpanastickerbindi[.]com/1.jpg |
Defense Evasion | Process Injection (T1055) | IDAT injector implements NtCreateSection + NtMapViewOfSection Code Injection technique to inject into cmd.exe process |
Defense Evasion | Process Injection: Process Doppelgänging (T1055.013) | IDAT loader implements Process Doppelgänging technique to load the SecTop RAT |
Defense Evasion | Virtualization/Sandbox Evasion: Time Based Evasion (T1497.003) | Execution delays are performed by several stages throughout the attack flow |
IOC | Sha256 | Notes |
---|---|---|
Room_Planner-x86.msix | 6f350e64d4efbe8e2953b39bfee1040c8b041f6f212e794214e1836561a30c23 | Initial installer containing PowerShell scripts |
1.ps1 | 928bd805b924ebe43169ad6d670acb2dfe45722e17d461ff0394852b82862d23 | Dropped and executed by the Room_Planner-x86.msix |
wbxtrace.dll | 1D0DAF989CF28852342B1C0DFEE05374860E1300106FF7788BBA26D84549B845 | Malicious DLL executed by run.exe, the renamed Cisco Webex binary |
Dharna.7z | B7469153DC92BF5DE9BF2521D9550DF21BC4574D0D0CFC919FF26D1071C000B2 | Encrypted payload decrypted by wbxtrace.dll |
read-holy-quran[.]group/ld/cr.tar.gpg | Hosts GPG file containing RAR file | |
kalpanastickerbindi[.]com/1.jpg | Hosts .NET executable downloaded from API Bot PowerShell script | |
91.215.85[.]66 | SecTop RAT domain |
Article | URL |
---|---|
MSIX installer malware delivery on the rise across multiple campaigns | <https://redcanary.com/blog/msix-installers/> |
Process Doppelgänging | <https://malware.news/t/uncovering-the-serpent/76253> |
Analysis of “Heaven’s Gate” part 1 | <https://sachiel-archangel.medium.com/analysis-of-heavens-gate-part-1-62cca0ace6f0> |
Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers | <https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/> |
Stories from the SOC Part 1: IDAT Loader to BruteRatel | <https://www.rapid7.com/blog/post/2024/03/28/stories-from-the-soc-part-1-idat-loader-to-bruteratel/> |