By Gurumoorthi Ramanathan · October 5, 2023
In early July 2023, the threat actor that Microsoft calls “Storm-0324” was observed sending a phishing message through Microsoft Teams. Storm-0324 is a financially motivated threat actor group previously known for distributing phishing emails to gain initial access to compromised systems via remote code execution. After gaining the initial foothold, Storm-0324 has a history of handing off that access to the well-known ransomware group Sangria Tempest (also known as FIN7, Carbon Spider) and to TA543, which frequently use the provided access to execute ransomware attacks.
The threat actors Sangria Tempest and Storm-0324 previously had been associated with the distribution of the Gozi InfoStealer, Nymaim downloader and locker, and now Storm-0324 is distributing the JSSLoader before passing the buck to other ransomware groups.
Figure 1: Infection Chain of JSSLoader – Storm-0324
In its phishing-email era, Storm-0324 typically sent invoice-themed lures impersonating services such as DocuSign and QuickBooks. The user was redirected to a SharePoint site where a compressed WSF (Windows Script File) or JS file delivered the malicious .Net payload, JSSLoader. So far, the threat actor has used various file types for this stage, including Windows Script File (WSF), MS Office documents, and VBS.
Prior to this threat, Storm-0324 had the following range of payload distribution:
Infection Vector #1: The Phishing e-mail (Type#1) – in early 2019
Figure 2: Phishing e-mail (src:Proofpoint)
The Malicious Doc as attachment (Type#2) – in early 2019
Figure 3: Lure document: password-protected (src: Microsoft)
The victims were redirected to a SharePoint site hosting a ZIP file that contains a malicious script known to deliver the JSSLoader payload. The hosted file exploited a local security feature bypass vulnerability (CVE-2023-21715). Once launched, it drops the JSSLoader .Net payload on the victim machine, and the resulting access is later handed off to Sangria Tempest’s RaaS (Ransomware as a Service) attack.
The Teams-Based Phishing Activity (Type#3) – in early July 2023
In early July 2023, this threat actor began sending phishing lure documents and malicious links over Teams that redirect to the SharePoint link where the compressed malicious script is hosted. A tool (TeamsPhisher), published on GitHub by a red teamer, lets a tenant attach files to a message and thereby deliver phishing attachments to another tenant. Such messages are labelled as coming from “EXTERNAL” users by Teams, provided external access is enabled in the Teams admin center, where administrators choose which domains users are allowed to communicate with.
Infection Vector #2: ZIP Archive having WSF
Once the victim clicks the phishing lure links, this redirects to a SharePoint site, where the malicious ZIP file downloads.
Figure 4: Compressed WSF in zip Archive
The WSF file has some commented lines interspersed within the actual script, which deceives users into believing that they are benign in nature. Let’s dive into the WSF script file further.
Figure 5: Commented VB script – Sanitizing
The script's strings are encoded as character codes and stored in an array with a random variable name. Decoding them shows that the script contacts a site that downloads an encoded VB script, which forms Infection Vector 3.
Figure 6: WSF contacting site to download next level payload (VBS)
Infection Vector #3: Encoded VB Script
Further analysis of the downloaded VBS file revealed obfuscated (“muddy”) strings together with several decryption routines, including XOR. Once decrypted, these strings contain another VB script that contacts a further site to download the final payload, JSSLoader .Net.
Figure 7: Downloaded VB script
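As an added example (not code from the Trellix write-up, and not the actors' scripts), the two helpers below show how an analyst recovers the two layers described above: the WSF stage that stores its strings as a character-code array under a random variable name, and the VBS stage whose strings are XOR-encoded. Both samples in the block are constructed stand-ins; the real scripts' layout, variable names and key are not reproduced here. The single-byte key recovery is an assumption about the XOR scheme, used only to show how a plausibility check on the decoded text (it must read like VBScript) selects the right key.

```python
"""Deobfuscation helpers for a character-code array (WSF stage) and an
XOR-encoded blob (VBS stage). Added example, not the write-up's own code;
both samples are CONSTRUCTED and not the real Storm-0324 scripts."""
import re
from typing import Dict, Optional, Tuple

# Constructed WSF fragment: character codes in an Array() under a random
# variable name, later rebuilt with Chr() in a loop.
WSF_SAMPLE = (
    "Dim qZx9\n"
    "qZx9 = Array(87,83,99,114,105,112,116,46,69,99,104,111,32,34,"
    "115,116,97,103,101,32,49,34)\n"
    "For Each c In qZx9: s = s & Chr(c): Next\n"
)

ARRAY_RE = re.compile(r"(\w+)\s*=\s*Array\(\s*([\d\s,]+?)\s*\)", re.S)


def decode_charcode_arrays(script: str) -> Dict[str, str]:
    """Return {variable_name: decoded_text} for every Array(<ints>) literal."""
    found: Dict[str, str] = {}
    for name, body in ARRAY_RE.findall(script):
        codes = [int(x) for x in body.split(",") if x.strip()]
        found[name] = "".join(chr(c) for c in codes)
    return found


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; it is its own inverse, so it encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Tokens that rarely occur in random bytes but almost always in VBScript.
SCRIPT_TOKENS = (b"CreateObject", b"WScript", b"Set ", b"Function", b"Sub ")


def looks_like_vbscript(blob: bytes) -> bool:
    """Plausibility check: fully printable and carries a VBScript token."""
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in blob)
    return printable == len(blob) and any(t in blob for t in SCRIPT_TOKENS)


def recover_single_byte_xor(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Try all 256 single-byte keys (assumed scheme); return (key, text)
    for the first candidate that passes the plausibility check."""
    for k in range(256):
        candidate = xor_bytes(blob, bytes([k]))
        if looks_like_vbscript(candidate):
            return k, candidate
    return None


# Constructed VBS layer, built here so the example runs offline. A real
# analysis would read the blob out of the downloaded VBS file instead.
VBS_PLAINTEXT = b'Set sh = CreateObject("WScript.Shell")\r\nsh.Run "stage 2"'
VBS_SAMPLE_BLOB = xor_bytes(VBS_PLAINTEXT, bytes([0x5A]))


if __name__ == "__main__":
    for name, text in decode_charcode_arrays(WSF_SAMPLE).items():
        print(f"{name} -> {text!r}")
    recovered = recover_single_byte_xor(VBS_SAMPLE_BLOB)
    if recovered:
        key, text = recovered
        print(f"XOR key 0x{key:02x} -> {text.decode()!r}")
```

The plausibility check is what makes the key search safe to automate: a wrong key produces unprintable bytes or text without any script keyword, so only the true layer is reported.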
We investigated the decrypted VBS script: it contacts a site to drop a malicious EXE (JSSLoader .Net) into the %Temp% location under the name “Creative_Sound_Update.exe”. It also creates a scheduled task through the 'Schedule.service' object with the task name “Creative Sound Blaster Software.”
Figure 8: Encoded VB script from XOR decoded.
Figure 9: Dropped EXE in %Temp%.
Infection Vector #4: Dropped EXE (JSSLoader .Net)
JSSLoader is a highly sophisticated backdoor, developed by the FIN7/Sagrid threat actor, and incorporates the below functionalities:
An anti-analysis trick based on TickCount, which returns the number of milliseconds the system has been running. The program uses this uptime value to decide how to proceed.
Figure 10.2: Anti-Analysis using TickCount
Furthermore, the threat actor stores the C2C server address as an array of byte values, which is later converted to UTF-8 characters to build the string “hxxps[://]monusorge[.]com”.
Figure 10.3: C2C build
To trace the Victim/Target, the payload generates a unique ID of the target, which is based on the serial number, domain name, and computer name as shown below.
Figure 10.4: Unique ID Generation
As a RAT (remote access trojan), for the next stage of execution the malware collects the below victim information:
This information is gathered and Base64-encoded (Figure 10.5).
Figure 10.5: Exfiltration to C2C
A shortcut (Shell LNK) created via “IShellLink” in the Startup folder targets the executable.
Figure 10.6: Persistence
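The two persistence mechanisms described in this write-up (the scheduled task pointing at the EXE dropped in %Temp%, and the LNK written to the Startup folder) are straightforward to hunt for in endpoint telemetry. The block below is an added example, not Trellix code: it runs a few detection rules over constructed event records in a simplified Sysmon/Security-log shape (process creation, event 4698 scheduled-task creation, file creation). The file and task names come from the write-up; the user names, PIDs and benign events are made up.

```python
"""Detection rules for the dropper/persistence behaviour: EXE executed from
%Temp%, script host launched with a script in %Temp%, scheduled task whose
action lives in %Temp%, and an LNK created in the Startup folder.
Added example, not the write-up's code; EVENTS are CONSTRUCTED records."""
import ntpath
from typing import Callable, Dict, List, Optional, Tuple

SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}

# Constructed events. id "1" = process creation, "4698" = scheduled task
# created, "11" = file created (Sysmon numbering). Names from the write-up;
# user jdoe and the benign entries are made up.
EVENTS: List[Dict[str, str]] = [
    {"id": "1", "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Users\jdoe\AppData\Local\Temp\abc.vbs"},
    {"id": "1", "image": r"C:\Users\jdoe\AppData\Local\Temp\Creative_Sound_Update.exe",
     "cmdline": r"C:\Users\jdoe\AppData\Local\Temp\Creative_Sound_Update.exe"},
    {"id": "4698", "task_name": r"\Creative Sound Blaster Software",
     "task_command": r"C:\Users\jdoe\AppData\Local\Temp\Creative_Sound_Update.exe"},
    {"id": "11", "target": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows"
                           r"\Start Menu\Programs\Startup\update.lnk"},
    {"id": "1", "image": r"C:\Program Files\Vendor\app.exe",
     "cmdline": r'"C:\Program Files\Vendor\app.exe" --silent'},
    {"id": "4698", "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "task_command": r"%windir%\system32\defrag.exe -c -h -o -$"},
]

Finding = Tuple[str, str]  # (rule name, the value that triggered it)


def in_suspicious_dir(path: str) -> bool:
    """True when the path sits under a temp directory."""
    return any(d in path.lower() for d in SUSPICIOUS_DIRS)


def rule_script_host_from_temp(ev: Dict[str, str]) -> Optional[Finding]:
    if ev["id"] != "1":
        return None
    if ntpath.basename(ev["image"]).lower() in SCRIPT_HOSTS and in_suspicious_dir(ev["cmdline"]):
        return ("script_host_from_temp", ev["cmdline"])
    return None


def rule_exe_from_temp(ev: Dict[str, str]) -> Optional[Finding]:
    if ev["id"] == "1" and in_suspicious_dir(ev["image"]):
        return ("exe_from_temp", ev["image"])
    return None


def rule_task_from_temp(ev: Dict[str, str]) -> Optional[Finding]:
    if ev["id"] == "4698" and in_suspicious_dir(ev["task_command"]):
        return ("task_from_temp", ev["task_name"])
    return None


def rule_startup_lnk(ev: Dict[str, str]) -> Optional[Finding]:
    if ev["id"] != "11":
        return None
    target = ev["target"].lower()
    if STARTUP_MARKER in target and target.endswith(".lnk"):
        return ("startup_lnk", ev["target"])
    return None


RULES: List[Callable[[Dict[str, str]], Optional[Finding]]] = [
    rule_script_host_from_temp, rule_exe_from_temp, rule_task_from_temp, rule_startup_lnk,
]


def evaluate(events: List[Dict[str, str]]) -> List[Finding]:
    """Apply every rule to every event; return the findings in event order."""
    findings: List[Finding] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for rule_name, value in evaluate(EVENTS):
        print(f"{rule_name}: {value}")
```

The benign entries (a vendor app in Program Files and the built-in ScheduledDefrag task) are included so the rules are checked for false positives as well as for the four hits the write-up's behaviour should produce.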
After establishing persistence, the RAT immediately waits for Base64-encoded commands delivered via the 'GetCmd' command from the same C2C server. Whenever it sends information back to the C2C server, the unique victim ID is included in the request, and SSL certificate errors are ignored.
Figure 10.7: Getting to RAT & Remote Certificate verification
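The C2C traffic described above (Base64-encoded data sent to the C2C host, with the victim ID in each request) can be hunted for in web-proxy logs once the defanged indicators from this write-up are turned back into matchable hostnames. The block below is an added example, not Trellix code: it refangs three of the page's indicators, then scans constructed proxy records and flags requests to a known C2C host, additionally noting POST bodies that look Base64-encoded. The log format, the source IPs and the request path are constructed; only the hostnames come from the write-up.

```python
"""Refang defanged IoCs and match them against proxy records, flagging
Base64-looking POST bodies to known C2C hosts. Added example, not the
write-up's code; LOG_LINES are CONSTRUCTED (tab-separated fields)."""
import base64
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Indicators taken from this write-up, in their defanged form.
DEFANGED = [
    "hxxps[://]monusorge[.]com",
    "hxxps[://]discreettv[.]com/worldwide/timestamp.eml",
    "spacemetic[.]com",
]


def refang(ioc: str) -> str:
    """Undo the usual defanging conventions (hxxp, [://], [.])."""
    return (ioc.replace("hxxps", "https").replace("hxxp", "http")
               .replace("[://]", "://").replace("[.]", "."))


def ioc_host(ioc: str) -> str:
    """Hostname of a refanged URL or bare domain, lower-cased."""
    url = refang(ioc)
    if "://" not in url:
        url = "//" + url  # lets urlsplit treat a bare domain as a netloc
    return (urlsplit(url).hostname or "").lower()


C2_HOSTS = {ioc_host(i) for i in DEFANGED}

B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def looks_base64(body: str) -> bool:
    """Alphabet/length check plus a strict decode (rejects bad padding)."""
    if not B64_RE.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)
        return True
    except ValueError:
        return False


# Constructed beacon body: the RAT Base64-encodes what it sends, so the
# record is built from a made-up victim string encoded the same way.
B64_BODY = base64.b64encode(b"victim_id=ABC123;host=WS01;domain=CORP").decode()

# Constructed proxy records: timestamp, source IP, method, URL, status, body.
LOG_LINES = [
    "2023-07-05T10:01:02Z\t10.0.0.5\tPOST\thttps://monusorge.com/api\t200\t" + B64_BODY,
    "2023-07-05T10:01:09Z\t10.0.0.7\tGET\thttps://discreettv.com/worldwide/timestamp.eml\t200\t-",
    "2023-07-05T10:02:00Z\t10.0.0.9\tGET\thttps://www.example.com/index.html\t200\t-",
    "2023-07-05T10:02:30Z\t10.0.0.5\tPOST\thttps://login.example.com/api\t200\tuser=jdoe&pw=redacted",
]


def hunt(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per record that touches a known C2C host."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        ts, src, method, url, _status, body = line.split("\t")
        host = (urlsplit(url).hostname or "").lower()
        if host not in C2_HOSTS:
            continue
        reasons = ["known_c2_host"]
        if method == "POST" and looks_base64(body):
            reasons.append("base64_body")
        findings.append({"ts": ts, "src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(LOG_LINES):
        print(f"{f['ts']} {f['src']} -> {f['host']} ({', '.join(f['reasons'])})")
```

Matching on the hostname rather than the full URL is deliberate: the write-up lists several paths per domain, and a host match also catches follow-up requests whose path is not in the indicator list.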
Each command string received from the C2C is evaluated during the persistence phase before it is executed on the victim machine. Below are the highly sophisticated commands that this RAT supports; each command is identified by a 'cmd.ID'.
Figure 10.8: Commands in switch
Command: Description
Cmd_FORM: Pops up a non-malicious form.
Cmd_JS/Cmd_VBS: Writes a randomly named file and executes it using cscript.
Cmd_EXE: Writes a randomly named EXE file and executes it as a thread.
Cmd_UPDATE: the latest version of JSSLoader and executes it as a new process, then terminates the current process by
Cmd_UNINST: Uninstalls the RAT and removes persistence.
Cmd_RAT: Writes the blob content to a randomly named file and executes it through PowerShell.
Cmd_PWS: Runs a PowerShell command.
Cmd_RunDll: Writes a randomly named DLL file and executes it using rundll32.exe.
Cmd_Info: Exfiltrates the collected information from the victim machine.
Threat Vector: RAT Execution
The execution commands are split into an array of lines using a newline delimiter; the command to run is then assembled from the quoted content of the longest line in that array. These commands are written to a directory and then passed to PowerShell as an argument.
Figure 10.9: RAT Execution
JSSLoader has been continuously modified and its delivery method has been changing since 2019. The latest change is Teams-based phishing, made easy by scripts available on GitHub, which lets even script kiddies get their hands dirty. The malware uses some of the most effective techniques from initial spread to final payload. This latest delivery method targets professionals who use Teams IM as their primary chat tool with EXTERNAL user communication enabled: a lure phishing message with attachments leads to a ransomware attack on the connected devices in the network. The rewrite of JSSLoader in C++ was done to evade current detections and make analysis more difficult.
Detection names:
Real Protect-PENGSD5
Trojan.GenericKD.36265925
VBS.Heur.Maltzur.1.4423C76F.Gen
Generic.mg.7e36870fa5d1e33d
Trojan.GenericKD.45008322
Trojan.GenericKD.63469556
Trojan.GenericKD.37065477
Gen:Variant.Johnnie.362615
Gen:Variant.Johnnie.362614
Generic.mg.a843c7018c53659c
Generic.mg.a3892280be014691
Trojan.GenericKD.44239776
SHA256 hashes:
190dc68bd60cad34692d1d32801d4bc6e13af7c893ee9b61282ff19160c32104
8f0b76c7ea3668d82208ec5389c5a1256fd6a3316c1cc2045d24535c7f971c2f
a062a71a6268af048e474c80133f84494d06a34573c491725599fe62b25be044
2180d0f46ec6f843fa8b1984acfd251371be7d4228d208eb22bc4a87e9b7c59f
8ce1654a1ecc359c10d7e0b5c826e993fd460a96e4b6158e3333305d2b29e34b
e0691e16bad172ef5d8f83f5d4dc67562a4ba9529702c420c42e9cc64c276e37
537f9cd1d79584e8d95b6111eb8c293cb1dd7d60b29e950875ee3f1ad4788895
2373a6a7223154a2e4e3e84e4bdda0d5a9bc22580caf4f418dae5637efec65e5
1f2ab2226f13be64feeece1884eaa46e46c097bb79b703f7d622d8ff1a91b938
33b3a1da684efc2891668eecf883ba7b9768a117956786e4356a27d1dffe0560
c1e7d6ec47169ffb1118c4be5ecb492cd1ea34f3f3dd124500d337af3e980436
148d74e453e49bc21169b7cca683e5764d0f02941b705aaa147977ffd1501376
15f15b643eafcc50777bed33eda25158c7f58f4dbaaaa511072ef913a302a8da
969cfeddc1c90d36478f636ee31326e8f381518e725f88662cc28da439038001
daba93cf353585a67ed893625755077a2d351ba46ec5ea86b5bd0b45b84bc7c5
URLs:
hxxps[://]neurofit4life[.]com/organizations/team.eml
hxxps[://]trainthecatch[.]com/commercial/development.eml
hxxps[://]pwr4life[.]com/individuals/sepa.eml
hxxp[://]massacreisland[.]com/certifications/acknowledged.eml
hxxps[://]sdidrichsen[.]com/impossible/complex.eml
hxxp[://]startmakingsenseofself[.]com/weekend/productivity.eml
hxxps[://]alphalanding[.]com/successfully/warranty.eml
hxxp[://]myhobbyjapan[.]com/developed/signature.eml
hxxps[://]discreettv[.]com/worldwide/timestamp.eml
hxxps[://]discreettv[.]com/worldwide/margarita
Domains:
spacemetic[.]com
securmeawards[.]com
divorceradio[.]com
weotophoto[.]com
monusorge[.]com
This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers.