‘Lone Wolf’ APT Uses Commodity RATs

An APT described as a “lone wolf” is exploiting a decades-old Microsoft Office flaw to deliver a barrage of commodity RATs to organizations in India and Afghanistan, researchers have found.

Attackers use political and government-themed malicious domains as lures in the campaign, which targets mobile devices with out-of-the-box RATs such as dcRAT and QuasarRAT for Windows and AndroidRAT. They’re delivering the RATs in malicious documents by exploiting CVE-2017-11882, according to a report published Tuesday by Cisco Talos.

The threat group – tracked by Cisco Talos from the beginning of the year through the summer – disguises itself behind a front that seems legitimate, posing as a Pakistani IT firm called Bunse Technologies, researchers said.

CVE-2017-11882 is a more than 20-year-old memory corruption vulnerability in Microsoft Office that persisted for 17 years before the company patched it in 2017. However, as recently as two years ago, attackers were seen exploiting the bug, which allows them to run malicious code automatically without requiring user interaction.

The advanced persistent threat (APT) behind the campaign also uses a custom file enumerator and infector in the reconnaissance phase of the two-step attack, followed by a second phase added in later versions of the campaign that deploys the ultimate RAT payload, researchers said.

To host the malware payloads, the threat actor registered multiple domains with political and government themes used to fool victims, particularly ones linked to diplomatic and humanitarian efforts in Afghanistan to target entities in that country, researchers said.

“This campaign is a classic example of an individual threat actor employing political, humanitarian and diplomatic themes in a campaign to deliver commodity malware to victims” – in this case, RATs “packed with multiple functionalities to achieve complete control over the victim’s endpoint,” Cisco Talos’ Asheer Malhotra wrote in the post.

Out-of-the-Box Benefits

The campaign reflects an increased trend by both cybercriminals and APTs to use commodity RATs instead of custom malware against victims for a number of reasons, researchers said.

Using commodity RATs gives attackers a range of out-of-the-box functionality, including preliminary reconnaissance capabilities, arbitrary command execution and data exfiltration, researchers noted. The RATs also “act as excellent launch pads for deploying additional malware against their victims,” Malhotra wrote.

Using commodity malware also saves attackers both the time and resource investment in developing custom malware, as the RATs have stock features requiring minimal configuration changes, researchers said.

In their post, researchers broke down the two-stage attack process as well as the specifics of each RAT they observed attackers using in the campaign. RAT functionality varies depending on the payload, they said, but generally includes capabilities such as remote shells, process management, file management, keylogging, arbitrary command execution and credential stealing.

Initial Infection and Reconnaissance

The infection chain consists of a reconnaissance phase that starts with malicious RTF documents and PowerShell scripts that ultimately distribute malware to victims.

Specifically, the threat actor uses the RTF to exploit the Office bug and execute a malicious PowerShell command that extracts and executes the next-stage PowerShell script. That script then base64 decodes another payload – in the case researchers observed, it was a loader executable – and activates it on the infected endpoint, Malhotra wrote.

The loader executable begins by establishing persistence for itself using a shortcut in the current user’s Startup directory and then compiles hardcoded C# code into an executable assembly. It then invokes the entry point for the compiled malicious code – the previously mentioned custom file enumerator and infector – researchers found.

This C# code – which is the final payload in the reconnaissance phase – contains the file enumerator, which lists specific file types on the endpoint and sends the file paths to the command-and-control (C2) server along with file infector modules, which are different than typical executable infectors usually seen in the wild, Malhotra noted.

“These modules are used for infecting benign Office documents with malicious OLE objects to weaponize them to exploit CVE-2017-11882,” he wrote.

Attack Phase

Researchers observed attackers switching up tactics to deploy commodity RATs as the final payload starting in July, they said.

To do this, attackers tweaked the reconnaissance process slightly to leverage the second-stage PowerShell script to create a BAT file on disk, researchers said. That file, in turn, would execute another PowerShell command to download and activate the RAT payload on the infected endpoint, retrieving it from one of the sites attackers set up.
“So far, we’ve observed the delivery of three types of payloads from the remote locations discovered in this phase of the campaign: DcRAT, QuasarRAT and a legitimate copy of the remote desktop client AnyDesk,” Malhotra wrote.

The use of the last payload “indicates a focus on manual operations where the actor would have logged into the infected devices to discern if the access was of any value,” according to the writeup.

All in all, the tactics of the APT used in the campaign demonstrate “aggressive proliferation” as the goal, as the use of out-of-the-box malware combined with customized file infections gives them a straightforward point of entry onto a victim’s network, Malhotra observed.

“Organizations should remain vigilant against such threats that are highly motivated to proliferate using automated mechanisms,” he wrote.

However, it seems likely that the group will eventually abandon its use of commodity malware for its own bespoke tools, which means there will probably be more threat campaigns in its future, researchers said.

Check out our freeupcoming live and on-demand online town halls** – unique, dynamic discussions with cybersecurity experts and the Threatpost community.**